openldap-technical

openldap-technical@openldap.org

13 participants
9794 discussions

n-way multi provider set up and mdb_copy
by paul.jc＠yahoo.com 08 Apr '21

08 Apr '21

Hello, I am setting up n-way multi-provider replication. Should we expect a full sync when we setup sync for the first time on a new provider? Can we load a backup data.mdb file first and have deltasync run from there to prevent a full sync (i.e. to save time)? What is the expected behavior/best practice? Also, I have some questions around mdb_copy. Is there any concern using the -c flag for compacting the data.mdb file to be used for restore (or new n-way provider if that works)? I notice the compacted file is smaller on disk than the original data.mdb (due to the removed freed pages). I assume the data sets are still the same? Are there tools to compare the two? And last question, I am using mdb_copy to create a backup but standard linux cp to put the new file into /var/lib/ldap/data.mdb. Will this cause any issues or is it recommended to use mdb_copy to also move the data.mdb file into place? Thanks! Paul

3 3

Migration from OpenLDAP to Oracle Directory Servers (OUD or ODSEE)
by borabaysal＠borabaysal.com 08 Apr '21

08 Apr '21

Hi, I was wondering if anyone has successfully made schema and data migration from OpenLDAP (current version: openldap-2.4.49) to OUD (Oracle Unified Directory 11g) or ODSEE (Oracle Directory Server Enterprise Edition 11g). We are trying to make Zimbra servers (currently using OpenLDAP directory on each server Zimbra installed) use a centralized MMR-enabled OUD environment. But we couldn't find any migration documentation on that. Thanks, -Bora

4 8

hide attribute with specific value only
by Chris Leung 08 Apr '21

08 Apr '21

Dear all, Is it possible to hide a attribute for a specific value only? e.g., dn: ...... objectClass: ... attr1: A attr1: B E.g., I would like to hide the 'attr1: A' for some DNs binding, but, 'attr1: B' should be visible for the client. Chris

2 1

Trust your own (Domain Controller's) CA cert with ldapsearch/openldap
by Wiebe Cazemier 08 Apr '21

08 Apr '21

Hi, I'm having difficulty making tools like ldapsearch accept SSL certificates signed by a Windows domain controller, even when the trust chain seems good. The problem extends to PHP, which uses openldap (PHP debug logging shows the exact same errors). We manually trusted the CA certifcate of the domain controller: cp -v /tmp/PDC02CA.crt /usr/local/share/ca-certificates update-ca-certificates OpenSSL approves it (it doesn't aprove without the previous step): # openssl verify -verify_hostname PDC01.city.cmpny.local /tmp/PDC01.city.cmpny.local.crt /tmp/PDC01.city.cmpny.local.crt: OK And: openssl s_client -verify_hostname PDC01.city.cmpny.local -connect PDC01.city.cmpny.local:3269 CONNECTED(00000005) depth=1 DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA verify return:1 depth=0 verify return:1 --- Certificate chain 0 s: i:DC = local, DC = cmpny, DC = city, CN = city-PDC02-CA But ldapsearch just will not approve it: $ ldapsearch -d1 -H ldaps://PDC01.city.cmpny.local:3269 ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269) ldap_create ldap_url_parse_ext(ldaps://PDC01.city.cmpny.local:3269/??base) [..snip...] ldap_connect_to_host: TCP PDC01.city.cmpny.local:3269 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 10.105.10.10:3269 ldap_pvt_connect: fd: 3 tm: -1 async: 0 attempting to connect: connect success TLS: peer cert untrusted or revoked (0x102) TLS: can't connect: (unknown error code). ldap_msgfree ldap_err2string ldap_sasl_interactive_bind_s: Can't contact LDAP server (-1) additional info: (unknown error code) Running 'strace' shows '/etc/ssl/certs/ca-certificates.crt' is properly read. Doing all the standard tricks with 'LDAPTLS_CACERT, TLS_CACERT', pointing directly to '/tmp/PDC02CA.crt', editing '/etc/ldap/ldap.conf' with all possible permutations. Nothing works, except 'TLS_REQCERT never'. Other certificates are accepted when testing public servers. They are just https, but for SSL tests that doesn't matter. Like: ldapsearch -d1 -H ldaps://www.google.com:443 Or ldapsearch -d1 -H ldaps://www.amazon.co.uk:443 The latter only has the correct domain name in the 'subject alternate name', not the common name. I theorized that maybe the SAN was a cause, but this test result, and [1], show that should work fine. If I deliberately try to create a hostname mismatch, it says: 'TLS: hostname (blabla.com) does not match common name in certificate (www.amazon.co.uk)'. Very different from my 'peer cert untrusted or revoked'. Could this be a bug (in GnuTLS)? Versions: ldapsearch: @(#) $OpenLDAP: ldapsearch (Ubuntu) (Feb 18 2021 14:22:42) Ubuntu: 18.04.5 LTS libgnutls30: 3.5.18-1ubuntu1.4 Regards, Wiebe [1] https://www.openldap.org/lists/openldap-technical/201310/msg00167.html

1 0

Authentication by the mail attribute
by Клеусов Владимир Сергеевич 07 Apr '21

07 Apr '21

Hi Please tell me how (if possible) to authenticate in OpenLDAP not by cn but by the mail attribute ?

3 3

Replacing the server during replication
by Клеусов Владимир Сергеевич 06 Apr '21

06 Apr '21

Hi, I have multi-master replication configured. https://pastebin.com/vYKsa9VY I want to replace ldap3. Please tell me how to do this ? I mean, how does the new server synchronize the current ldap database?

4 11

RE: [EXT]:Re: Openldap client is not populating GID name instead of it just getting GID with empty Group name
by Quanah Gibson-Mount 06 Apr '21

06 Apr '21

--On Monday, April 5, 2021 2:37 PM +0000 "Ballem, Narayanan" <Narayanan.Ballem(a)Staples.com> wrote: > Quanah, > > Good Morning !!! > > On Last weekend , finally migration went fine . > > I have modified loglevel to stats and increased slapd file descriptor to > 8192 which resolve the issue. Looks like in RHEL7 somehow with value 2k > it's not working where as it's used to work in RHEL6. > > It's bit interesting , No errors reported with ulimit issues in the logs. Glad to hear it! :) Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

is there a standard way to store social media handle?
by Zhang 05 Apr '21

05 Apr '21

Hi. I was certain that I could find this in the archives but failed. What's the recommended way to extend inetOrgPerson to include twitter handle, facebook ID and other social media contact points? There doesn't seem to be OID defined for these attributes. Thanks

1 0

OpenLDAP and CBT
by pankovdv＠skbkontur.ru 05 Apr '21

05 Apr '21

Hello everyone! Does openldap support CBT (Channel Binding Tokens)?

1 0

Simulating/inducing server errors to test client application
by varun mittal 05 Apr '21

05 Apr '21

Is there any easy way of mocking errors(network timeout, search time limit exceeded etc.) from OpenLDAP server to test if client exception are being handled properly ?

2 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical