openldap-technical

openldap-technical@openldap.org

21 participants
9802 discussions

About set LDAP passwd expires
by Gary Jsz 14 Nov '11

14 Nov '11

Hi,All I want set my ldap user's password expires in linux server. how can to do? or the LDAP service read the linux system's /etc/login.defs file? Thanks.

4 4

biometric authentication
by Chris Lee 14 Nov '11

14 Nov '11

Dear all, I am a newbie to OpenLDAP. I would like to know whether OpenLDAP can interface with other authentication method. For example, finger print authentication. Thanks in advance for all your help. Best regards, Chris

4 4

MDB distribution
by Brett ＠Google 14 Nov '11

14 Nov '11

On Mon, Nov 14, 2011 at 3:20 PM, Howard Chu <hyc(a)symas.com> wrote: > Brett @Google wrote: > > Sorry for the "fuzzy" logic :P, but : >> >> My thoughts for no: >> >> 1. The name will affect only the name of the backend module, which is >> logically a unit under the scope of openldap (and all backends share a >> prefix), it can't exist by itself. >> > > This point is false; libmdb builds on its own and is intended for use in > more than just OpenLDAP. (I already spelled this out in my LDAPCon > presentation...) I've ported SQLite to use it, for example, and I will be > porting it to Cyrus SASL (sasldb), Heimdal, and various other miscellaneous > stuff that comes along. The API is fully documented in Doxygen, and part of > the reason I went to that trouble was to ensure that other programmers > could use it easily. Mmm. That sounds interesting. I have only just read your LDAPCon presentation, i have been away. Will the source for mmdb library itself eventually live separately somewhere, or just bundled with ldap ? Cheers Brett -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

2 1

Re: MDB name
by Brett ＠Google 14 Nov '11

14 Nov '11

FDB (fast db?) - off the top of my head, seems unique enough On Sun, Nov 13, 2011 at 5:17 PM, Howard Chu <hyc(a)symas.com> wrote: > What's in a name... Apparently "MDB" is already a well-known suffix for > Microsoft Access database files. "mdb" is also the name of a debugger tool > in Solaris. To avoid confusion with those unrelated items, it might be a > good idea to rename our MDB to something else. Now, before the next > OpenLDAP release is published. Comments? > -- *The only thing that interferes with my learning is my education.* * Albert Einstein*

3 4

Re: ACL using Group
by Rakesh Aggarwal 11 Nov '11

11 Nov '11

That was just an example I wrote while writing the email. Actual one does have a "by". The ACLs parse without warning (except the catch-all where dn=*). This is the real one in my slapd config: access to dn.regex="^[^,]+,ou=resources,(ou=[^,]+,ou=MyNs,dc=MyCompany,dc=com)$" attrs="entry,@MyResourceClasss" by group/groupOfNames/member.expand="cn=admins,ou=groups,$1" +w continue by * break Thanks -Rakesh On Fri, Nov 11, 2011 at 11:58 AM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, November 11, 2011 11:40 AM -0800 Rakesh Aggarwal < > rakesh.aggarwal(a)gmail.com> wrote: > > >> Hi folks! >> >> I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio >> as the client on a different machine. >> >> I am having issues trying to setup ACL using Group. The only non-standard >> aspect in my schema design is that the groups container is located in a >> organization specific sub-tree of DIT and not under DIT root, e.g. >> >> access to dn.subtree="ou=resources,ou=**dept1,ou=ns1,dc=example,dc=** >> com" >> attrs = "entry,@myResourceClass" >> group.exact="cn=myadmin,ou=**groups,ou=dept1,ou=ns1,dc=**example,dc=com" >> write continue >> by * break >> >> access to * by * read >> > > What you pasted is not a valid ACL statement. I expect it to fail. You > may want to try adding the word "by" in front of "group.exact". > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

ACL using Group
by Rakesh Aggarwal 11 Nov '11

11 Nov '11

Hi folks! I am using OpenLdap 2.4.23 on RedHat, and using Apache Directory Studio as the client on a different machine. I am having issues trying to setup ACL using Group. The only non-standard aspect in my schema design is that the groups container is located in a organization specific sub-tree of DIT and not under DIT root, e.g. * access to dn.subtree="ou=resources,ou=dept1,ou=ns1,dc=example,dc=com" attrs = "entry,@myResourceClass" group.exact="cn=myadmin,ou=groups,ou=dept1,ou=ns1,dc=example,dc=com" write continue by * break* *access to * by * read* I am logging in with a user who is a member to this group but not getting the desired write access to the entry. Is the location of the group entries in DIT really matter for ACL to work? Thanks -Rakesh

2 1

Setting userPassword and pwdChangedTime together with Relax Rules Control
by Michael Ströder 11 Nov '11

11 Nov '11

HI! I've implemented a sync job which has to also sync passwords with a password modification timestamp from an Oracle DB to OpenLDAP. There's a latency in this password sync so the exact password modification timestamp has to be copied from the source DB to attribute pwdChangedTime in OpenLDAP. Setting the pwdChangedTime alone with the Relax Rules control is no problem. But when the add or modify request also contains the userPassword attribute slapo-ppolicy also wants to add a (later) value for pwdChangedTime and this results in: Constraint violation: attribute 'pwdChangedTime' cannot have multiple values Any chance to achieve this in a single add/modify request? I think this scenario is not so unusual in the real world. So slapo-ppolicy should not generate 'pwdChangedTime' if it's already in the write request in case of Relax Rules control enabled. Ciao, Michael.

2 1

Re: Help needed chaining to active directory for authentication - not quite there yet
by Gabriella Turek 10 Nov '11

10 Nov '11

Hello, One thing that stopped working since I introduced the new directives which fixed the authentication problem is being able to peruse the directories using Apache Directory Studio. I can still see the AD branches but when I try to look at them I get an error which in the server logs is reported as res_errno: 1, res_error: <000004DC: LdapErr: DSID-0C0906E8, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v1db1>, res_matched: <> ldap_free_request (origid 2, msgid 2) So I must still be missing something in my configuration. Thanx Gaby >On 09/11/11 19:34 +0000, Gabriella Turek wrote: >>Hi Dan, >> >>The way I got it to work (by pure chance mind you , I just happened on a >>blog entry somewhere) was to add this entry to the slapd.config file: >> >> >># Configure slapd-ldap back end to connect to AD >>database ldap >>suffix "ou=user accounts,dc=niwa,dc=local" >>subordinate >>rebind-as-user >>uri "ldap://aucwdfp01.niwa.local:389" >>chase-referrals yes >> >>Nowhere in any documentation did I see this mentioned, and yet it worked >>immediately, >>So I don't know what to think. >>Gaby >> >> >> >> >>On 10/11/11 6:37 AM, "Dan White" <dwhite(a)olp.net> wrote: >> >>>On 07/11/11 21:57 +0000, Gabriella Turek wrote: >>>>Hello, I've set up an openLDAP server (2.4.23) which chains to an >>>>Active Directory (2008). I can successfully search for users, it will >>>>find them in Active Directory if they are not in openLDAP, but I >>>>cannot >>>>authenticate the Active Directory users. >>>>The error is "Invalid credentials (49)" >>>>Everything is currently configured with clear text >>>>ldapSearch works fine when pointed directly to the Active Directory. >>>> >>>>The chaining configuration in the slapd.conf is: >>>> >>>>overlay chain >>>>chain-uri ldap://aucwdfp01.niwa.local:389 >>>>chain-rebind-as-user TRUE >>>>chain-idassert-bind bindmethod="simple" >>>> binddn="cn=SDT Tester,ou=NIWA Staff >>>>Accounts,ou=User Accounts, dc=niwa,dc=local" >>>> credentials=xxxxxxx >>>> mode="self" >>>> flags=non-prescriptive >>>>chain-return-error TRUE >>> >>>Does mode="none" work? If my reading of slapd-ldap(5) is correct, with >>>any >>>config other than 'none', slapd will attempt to assert the proxyAuthz >>>control. >>> >>>I checked our local AD server (2003) and it does not appear to support >>>that >>>control: >>> >>>ldapsearch -LLL -x -H ldap://<AD.ip> -s "base" -b "" supportedControl >>>dn: >>>supportedControl: 1.2.840.113556.1.4.319 >>>supportedControl: 1.2.840.113556.1.4.801 >>>supportedControl: 1.2.840.113556.1.4.473 >>>supportedControl: 1.2.840.113556.1.4.528 >>>supportedControl: 1.2.840.113556.1.4.417 >>>supportedControl: 1.2.840.113556.1.4.619 >>>supportedControl: 1.2.840.113556.1.4.841 >>>supportedControl: 1.2.840.113556.1.4.529 >>>supportedControl: 1.2.840.113556.1.4.805 >>>supportedControl: 1.2.840.113556.1.4.521 >>>supportedControl: 1.2.840.113556.1.4.970 >>>supportedControl: 1.2.840.113556.1.4.1338 >>>supportedControl: 1.2.840.113556.1.4.474 >>>supportedControl: 1.2.840.113556.1.4.1339 >>>supportedControl: 1.2.840.113556.1.4.1340 >>>supportedControl: 1.2.840.113556.1.4.1413 >>>supportedControl: 2.16.840.1.113730.3.4.9 >>>supportedControl: 2.16.840.1.113730.3.4.10 >>>supportedControl: 1.2.840.113556.1.4.1504 >>>supportedControl: 1.2.840.113556.1.4.1852 >>>supportedControl: 1.2.840.113556.1.4.802 >>>supportedControl: 1.2.840.113556.1.4.1907 >>>supportedControl: 1.2.840.113556.1.4.1948 >>> >>> >>>proxyAuthz control == 2.16.840.1.113730.3.4.18 (RFC 4370) >>> >>>-- >>>Dan White >> >> > >-- >Dan White >BTC Broadband >Ph 918.366.0248 (direct) main: (918)366-8000 >Fax 918.366.6610 email: dwhite(a)olp.net >http://www.btcbroadband.com

1 0

proxy authentication
by LALOT Dominique 10 Nov '11

10 Nov '11

Hello, We would like to setup a kind of replica. We don't want to replicate some attributes like userpassword, lmpassword, ntpassword. How can we configure the replica to proxy the authentication somewhere else. Is there a way to do that via an overlay or something else? Thanks Dom -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

3 2

Searches causing disk writes
by Adam Wale 10 Nov '11

10 Nov '11

Hi, I'm observing an issue where a large number of searches against an openldap server results in a large amount of disk writes occurring. I have 10 hosts performing the same workload, the hosts are running slapd 2.4.21 under Ubuntu Lucid. If I stop searching against one of the hosts I see disk write activity from that host drop dramatically. I initially noticed the high write activity in the VMware stats for the hosts and have used iostat on the hosts to gather further info. The hosts being searched are slaves in a slurpd replication environment; they do not have replication logging enabled, the directory is using a hdb backend. Over a 5 minute period the average disk write activity is 8517KB/s when being searched, and 41KB/s when not being searched; over the same time period the average disk read activity is 8KB/s. When performing searches against a host an average workload is 300 searches/second, average entry size is 450bytes, and average entries returned is 30. The hosts have plenty of free RAM and are not using any swap. I have disabled the monitor backend but haven't seen much of an improvement by doing this, given the monitor database is instantiated at startup is this stored in memory? (if not, why not make that an option?) Does anyone have any ideas as to why reading from the directory would be causing disk writes at such a high rate? Thanks, Adam

7 10

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical