openldap-technical

openldap-technical@openldap.org

5 participants
9899 discussions

Re: one user access all databases
by Buchan Milne 22 Mar '11

22 Mar '11

On Tuesday, 22 March 2011 12:12:53 Hendrik van der Ploeg wrote: > ok thanks, > > But how can I set the user in a seperate database to have access to a > different database? > > Use a separate local database with a suitable backend (e.g. hdb or bdb). Any "local" DN can appear in access control statements for any other database. Here is one example (allowing "local" users in dc=ranger,dc=dnsalias,dc=com access to cn=config) [bgmilne@tiger ~]$ ldapsearch -Q -LLL -b cn=config "(olcDatabase=config)" olcAccess dn: olcDatabase={0}config,cn=config olcAccess: {0}to * by group="cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsa lias,dc=com" ssf=112 write olcAccess: {1}to * by * none [bgmilne@tiger ~]$ ldapwhoami -Q dn:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com [bgmilne@tiger ~]$ ldapcompare -Q 'cn=LDAP Admins,ou=System Groups,dc=ranger,dc=dnsalias,dc=com' member:uid=bgmilne,ou=people,dc=ranger,dc=dnsalias,dc=com TRUE (BTW, please keep replies on-list, and while we're at it, try avoid unnecessary top-posting) Regards, Buchan

2 3

Re: one user access all databases
by Hendrik van der Ploeg 22 Mar '11

22 Mar '11

ok thanks, But how can I set the user in a seperate database to have access to a different database? Regards, Hendrik > On Tue, 22 Mar 2011 12:07:54 +0200 (SAST), Buchan Milne > <bgmilne(a)staff.telkomsa.net> wrote: >> ----- "Hendrik van der Ploeg" <hvdploeg(a)competa.com> wrote: >> >>> Hello, >>> >>> Can I add 1 user in cn=config so that it can access all the >>> underlying >>> databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc. >> >> cn=config is not for hosting entries for DUA clients, just as the > 'mysql' >> database is not for hosting tables for RDBMS client applications. >> >>> The reason for this is that I use ldap-meta which connects to a LDAP >>> server with multiple databases in it. >>> >>> dc=0001,dc=domain,dc=nl >>> dc=0002,dc=domain,dc=nl >>> dc=0003,dc=domain,dc=nl >>> >>> I use "idassert-bind" at the ldap-meta server to set a different >>> username. >>> But in this situation I need to add an extra username for every >>> database in >>> slapd.conf >>> >>> Is there a possibility to use a global user which can access all the >>> databases? >> >> Use a separate local database with a suitable backend (e.g. hdb or bdb). >> >> Regards, >> Buchan -- Hendrik van der Ploeg Competa IT ( http://www.competa.com ) Verrijn Stuartlaan 20 2288 EL Rijswijk the Netherlands Phone: +31(0)704277555 Fax: +31(0)704277554

1 0

Re: one user access all databases
by Buchan Milne 22 Mar '11

22 Mar '11

----- "Hendrik van der Ploeg" <hvdploeg(a)competa.com> wrote: > Hello, > > Can I add 1 user in cn=config so that it can access all the > underlying > databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc. cn=config is not for hosting entries for DUA clients, just as the 'mysql' database is not for hosting tables for RDBMS client applications. > The reason for this is that I use ldap-meta which connects to a LDAP > server with multiple databases in it. > > dc=0001,dc=domain,dc=nl > dc=0002,dc=domain,dc=nl > dc=0003,dc=domain,dc=nl > > I use "idassert-bind" at the ldap-meta server to set a different > username. > But in this situation I need to add an extra username for every > database in > slapd.conf > > Is there a possibility to use a global user which can access all the > databases? Use a separate local database with a suitable backend (e.g. hdb or bdb). Regards, Buchan

1 0

one user access all databases
by Hendrik van der Ploeg 22 Mar '11

22 Mar '11

Hello, Can I add 1 user in cn=config so that it can access all the underlying databases? (olcdatabase={1}bdb, olcdatabase={2}bdb etc. The reason for this is that I use ldap-meta which connects to a LDAP server with multiple databases in it. dc=0001,dc=domain,dc=nl dc=0002,dc=domain,dc=nl dc=0003,dc=domain,dc=nl I use "idassert-bind" at the ldap-meta server to set a different username. But in this situation I need to add an extra username for every database in slapd.conf Is there a possibility to use a global user which can access all the databases? Thanks in advance Regards, Hendrik The Netherlands

1 0

OpenLDAP Memory Usage
by Diego Lima 22 Mar '11

22 Mar '11

Hello all, I'm experiencing some problems with some OpenLDAP servers: the slapd process seems to always use more memory, eventually reaching a point where it has consumed all the available server memory and is killed by the OOM killer. The servers have 32gb of memory plus 32gb of swap space and are running Debian Lenny (with kernel 2.6.26-2-amd64), and we have compiled OpenLDAP 2.4.23 from source, and we're using Berkeley DB 4.6. The servers are dedicated to running OpenLDAP, so they don't have other processes that use a significant amount of memory. This is a relatively high-volume environment, with 4 servers running with mirrormode to enable multi-master replication. The current database size is about 900mb. Is there any setting that could limit this memory usage? I don't feel this is "normal" considering our DB size and cache sizes. These are my slapd.conf and DB_CONFIG files: --------------------------------- slapd.conf --------------------------------- disallow bind_anon require authc #== Schemas snipped == pidfile /usr/local/openldap/var/run/slapd.pid argsfile /usr/local/openldap/var/run/slapd.args loglevel 16640 modulepath /usr/local/openldap/lib/ldap/ moduleload back_bdb moduleload ppolicy moduleload syncprov threads 8 database config rootdn "cn=admin,cn=config" rootpw {SSHA}PASS database monitor rootdn "cn=admin,cn=monitor" rootpw {SSHA}PASS database bdb suffix "dc=corpldap,dc=mycompany" rootdn "cn=admin,dc=corpldap,dc=mycompany" rootpw {SSHA}PASS directory /usr/local/openldap/var/corpldap-mycompany-data overlay ppolicy overlay syncprov ppolicy_hash_cleartext syncprov-checkpoint 100 10 syncprov-sessionlog 100 monitoring on lastmod on checkpoint 512 10 cachesize 200000 idlcachesize 600000 #== Indexes and ACLs snipped == serverid 1 syncrepl rid=002 provider="ldap://server02:389" searchbase="dc=corpldap,dc=mycompany" type="refreshAndPersist" retry="30 10 60 15 600 +" bindmethod=simple binddn="cn=repuser3,ou=replica,dc=corpldap,dc=mycompany" credentials="PASSWORD" #== other syncrepl entries snipped mirrormode on --------------------------------- DB_CONFIG --------------------------------- set_lg_max 10485760 set_lg_regionmax 1048576 set_lg_bsize 2097152 set_lg_dir /var/ldap/corpldap-mycompany-log set_flags DB_LOG_AUTOREMOVE set_cachesize 0 2073741824 0 set_lk_max_objects 5000 set_lk_max_locks 5000 set_lk_max_lockers 5000 -- Diego Lima http://www.diegolima.org

4 6

DSEE to OpenLDAP
by adam＠spoontech.biz 21 Mar '11

21 Mar '11

Hi, I have currently been given the task of migrating our current LDAP environment from Sun DSEE (6.3.1) to OpenLDAP. I have done some research on this topic, and suspect its not a trivial task, and am hoping for some pointers/advise from anyone that may have attempted this in the past... I'm not sure that replication between the two is an option (although would love it if it was :), so I have looked into exporting the current DSEE environment to a LDIF, and attempted to then import it into openldap (using slapadd), but ran into a few issues... The issue I'm currently stuck on is getting the data in the LDIF into a format that can be imported using slapadd. Currently, I have issues with automounts, pwdReset attribs etc etc... Any help would be appreciated. Cheers,

7 7

Fw: Trying to start Slapd, bad conf file.
by Noel Akins 21 Mar '11

21 Mar '11

Hi, When I try to start slapd I get a failed message saying the config file is bad. What I have below is what was uncommented in slapd.conf as it came in the package. I installed Openldap via yum on my 1and1 VPS which has CentOS. It would seem that the Openldap package for CentOS puts things in different places then in other distributions, and it also seems that this conf file is a bit more complex then what I see in introductory material on LDAP/Openldap, which isn't helping me to learn this. I'm wanting to use ldap to authenticate users on a website, and to ultimately use Shibboleth to federate logins (which requires ldap). I'm new to this and I'm not sure what the problem is with this file. One thing I wanted to ask was since I'm looking to use ldap for website authentication, do I need these schema's? I know I can create a local schema which I think is what I need to do for my purpose. If you have any suggestions or can point out what is wrong here, I would greatly appreciate it. Thank you. ######################################################################### include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/nis.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 pidfile /var/run/openldap/slapd.pid argsfile /var/run/openldap/slapd.args database bdb suffix "dc=<mydomain>,dc=<org>" rootdn "cn=XXXXXX,dc=<mydomain>,dc=<org>" rootpw xxxxxxx directory /var/lib/ldap # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub

2 1

syncrepl consumer with several providers, is it working?
by LALOT Dominique 21 Mar '11

21 Mar '11

Hello, I'm a little bit worried about that mail and the fact that our setup is getting out of sync sometimes. http://www.openldap.org/lists/openldap-software/200505/msg00324.html versions: the providers are all 2.4. The consumer is 2.4.23, some providers 2.4.21 one 2.4.11 And our setup is not stable, we get out of sync, it's a matter of days/weeks. So, is this working? Should we prefer a relay, then replicate from the relay. What is the right solution? Is there a simple way to force replication whithout deleting the database? Should I replicate to 4 databases and create refererals, then replicate the whole tree to another consumer? Thanks in advance for any advice Dom Our configuration on the fusion consumer: database bdb suffix "dc=fr" syncrepl rid=010 provider=ldap://ldapmaitre.univ-xx.fr/ type=refreshAndPersist searchbase="dc=univ-xx,dc=fr" retry="60 10 300 +" scope=sub filter="(objectClass=*)" attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName" schemachecking=off bindmethod=simple syncrepl rid=011 provider=ldap://ldapmaitre.univ-yy.fr/ type=refreshAndPersist searchbase="dc=univ-yy,dc=fr" retry="60 10 300 +" scope=sub filter="(objectClass=*)" attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName" schemachecking=off bindmethod=simple syncrepl rid=012 provider=ldap://annuaire.univ-zz.fr/ type=refreshAndPersist searchbase="dc=univ-zz,dc=fr" retry="60 10 300 +" scope=sub filter="(objectClass=*)" attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName" schemachecking=off bindmethod=simple syncrepl rid=013 provider=ldap://annuaire-maitre.univ-ww.fr/ type=refreshAndPersist searchbase="dc=univ-ww,dc=fr" retry="60 10 300 +" scope=sub filter="(objectClass=*)" attrs="*,modifytimestamp,modifiersName,createTimestamp,creatorsName" schemachecking=off bindmethod=simple -- Dominique LALOT Ingénieur Systèmes et Réseaux http://annuaire.univmed.fr/showuser.php?uid=lalot

3 4

how ldap works replicating AD?
by Lumeng Lim 21 Mar '11

21 Mar '11

am new to this but is familiar with the purpose of ldap. I just can't visualize how it works. What we would want to happen is have linux desktops to authenticate with a linux server to be able to gain access to network resources. currently. We have linux server with samba as PDC and windows clients that connect to network shared resourced. Users just login via the "domain" and network drives are mapped. When server is unavailable (in cases of laptops) user just logs in and work with the local resources We would like to have the same thing going with linux desktops and laptops. With LDAP how is this implemented? Hope someone can help us visualize so we know what softwares and configurations should be done in the side of both the server and the clients.

2 1

Re: Error code 65 - invalid structural object class chain (groupOfUniqueNames/posixGroup)]
by Casey Jordan 20 Mar '11

20 Mar '11

Quanah, Thanks for the quick reply. I understand this, however the tutorial I am following seems to require it: http://demo.exist-db.org/exist/ldap-security.xml They say "Each group is represented by a single entry under the groupDN as a union of RFC 2307 posixGroup and RFC 2256 groupOfUniqueNames." If this is indeed a requirement for these systems to talk to each other do I have any other options? Thanks, Casey On Fri, Mar 18, 2011 at 4:57 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Friday, March 18, 2011 4:16 PM -0400 Casey Jordan < > casey.jordan(a)jorsek.com> wrote: > > Hi group, >> >> I am trying to import an ldif and I keep getting this error which has me >> totally stumped: >> > > An LDAP object may only have one structural objectClass. You've provided > two. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- -- Casey Jordan easyDITA a product of Jorsek LLC "CaseyDJordan" on LinkedIn, Twitter & Facebook Cell (585) 348 7399 Office (585) 239 6060 easydita.com This message is intended only for the use of the Addressee(s) and may contain information that is privileged, confidential, and/or exempt from disclosure under applicable law. If you are not the intended recipient, please be advised that any disclosure copying, distribution, or use of the information contained herein is prohibited. If you have received this communication in error, please destroy all copies of the message, whether in electronic or hard copy format, as well as attachments, and immediately contact the sender by replying to this e-mail or by phone. Thank you.

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical