openldap-technical

openldap-technical@openldap.org

16 participants
9696 discussions

how to change attribute display order
by Winanjaya - CBN 16 Jan '08

16 Jan '08

Dear All, How do I change attribute display order? ..(ie. sn, cn to cn, sn) .. pls advise thanks & regards Winanjaya *********************** Our outgoing mail has been scanned by MSS. ***********-***********

3 2

Subtree renames and memberOf handling
by Andrew Bartlett 16 Jan '08

16 Jan '08

I perhaps should have flagged this earlier, but I wanted to actually have the test to prove it. It appears that subtree renames and the memberOf plugin are not handled correctly. That is: I create cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com I add it to a group: dn: cn=ldaptestgroup2,cn=users,DC=samba,DC=example,DC=com changetype: modify add: member member: cn=ldaptestuser4,cn=ldaptestcontainer,DC=samba,DC=example,DC=com Then I rename the container CN=ldaptestcontainer,DC=samba,DC=example,DC=com into CN=ldaptestcontainer2,DC=samba,DC=example,DC=com However, when I search: [abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestgroup2" # record 1 dn: CN=ldaptestgroup2,CN=Users,DC=samba,DC=example,DC=com member: cn=ldaptestuser,cn=useRs,dc=samba,dc=example,dc=com member: cn=ldaptestcomputer,cn=computers,dc=samba,dc=example,dc=com member: cn=ldaptestuser2,cn=users,dc=samba,dc=example,dc=com member: cn=ldaptestuser4,cn=ldaptestcontainer,dc=samba,dc=example,dc=com [abartlet@naomi source]$ bin/ldbsearch -H st/dc/private/sam.ldb "cn=ldaptestuser4" # record 1 dn: CN=ldaptestuser4,CN=ldaptestcontainer2,DC=samba,DC=example,DC=com cn: ldaptestuser4 memberOf: cn=ldaptestgroup2,cn=users,dc=samba,dc=example,dc=com The 'member' attribute on the group is wrong, most likely because such a subtree rename would never cause the memberOf module to fire and notice that this needs updating. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

3 14

memberOf hidden?
by Andrew Bartlett 16 Jan '08

16 Jan '08

One of the odd things I've noticed since moving to OpenLDAP managing memberOf is that memberOf is a hidden attribute by default. Is that because it is treated as operational (due to being managed by the module)? I can un-hide it for Samba (I have code that adds a list of attributes to any query for *), but I just wanted to check there wasn't a more elegant way to do it. Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

4 19

LDAP and oracle
by florian.engelmann＠bt.com 16 Jan '08

16 Jan '08

Hi, We just migrated our unix/linux accounts to LDAP. We decided to migrate every user account that can login (except root) to LDAP. Now we have heavy load on our LDAP systems and I think this is because we also migrated the oracle users that are running our oracle databases. This is because the oracle admins log on the systems using the user the database is running with. I do not know that much about oracle but is it mandatory to administrate an oracle database with the same user? Does it make sense to migrate systemusers to ldap? Florian Engelmann

2 3

sles 10 synchronize 2 ldapservers
by bakkerru 15 Jan '08

15 Jan '08

Question: How can i sychronize the users and groups of 2 ldap servers. 1 is setup as pdc with samba and openldap (SLES10) domain "off.company.nl" and the other is our mailserver installed with ldap and openexchange (SLES9.3) domain mail.company.nl. how can i sync the users between both. The mailserver is in a DMZ. thanks in advantage Ruurd

4 3

objectIdentifier Macros?
by Gavin Henry 15 Jan '08

15 Jan '08

Evening all, Are OID Macros specific to slapd? Thanks. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

2 4

update with perl
by alois blasbichler 15 Jan '08

15 Jan '08

Hello list We use openldap 2.3.39. I want to add with a perl-script to all my users this attributes : objectClass: orcluser orclpassword: xxxxxxxxx I dont now how do that with a script. Actually my users haves this objectClasses : objectClass: top objectClass: hordePerson objectClass: shadowAccount objectClass: posixAccount objectClass: person objectClass: inetOrgPerson objectClass: SuSEeMailObject objectClass: sambaSamAccount I defined an : objectclass ( 1.1.2.881.881.555.666 NAME 'inetorcluser' DESC 'inetorcluser' SUP ( inetOrgPerson $ orcluser ) STRUCTURAL ) And so when i with an ldap-browser export an user, then after deleting this user i add in the ldif-datei the followings attributes: objectClass: inetorcluser objectClass: orcluser orclpassword: xxxxxxxxx then i can import this user fine. That for one user is ok but for a lot of users how can i do that - i tried with perl - but without success. Thanks in advanced for any help. luis

3 3

Silly details like CN= v cn=
by Andrew Bartlett 13 Jan '08

13 Jan '08

I've been working on making Samba4 pass it's testsuite with OpenLDAP as a backend. One of my tests does what no LDAP client should do - it applies a case sensitive comparison of the returned DN, compared with what we expect and get from AD. For example, we search for cn=ldaptestmachine and then ensure we get: CN=ldaptestmachine,CN=Users,DC=samba,DC=example,DC=com OpenLDAP returns cn=ldaptestmachine,cn=users,dc=samba,dc=example,dc=com which I'm sure is perfectly valid, but if I can write a bodgy script with case sensitive comparisons, so can an admin or sloppy app. Working in the windows space makes me like to eliminate differences where I can. Can the case of the attribute names (CN and DC) in that DN be made to be UPPER case easily? (Alternately I'll write a filter module on the Samba4 side to do that). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

4 11

Chain authentication bind configuration
by Dave Stoll 13 Jan '08

13 Jan '08

Hello - I seem to have run into a bit of a roadblock with my configuration. I am trying to build an OpenLDAP server which uses ref: entries to chain to two other LDAP servers for user authorization. I have been able to get everything working fine so long as I allow anonymous binding on the servers referenced from OpenLDAP. Unfortunately, the security folks are requesting the OpenLDAP server to force bind credentials for the particular ldap uri. >From man slapd-ldap(5) I see the following: acl-bind ... This identity is by no means implicitly used by the proxy when the client connects anonymously. The idassert-bind feature, instead, in some cases can be crafted to implement that behavior, which is intrinsically unsafe and should be used with extreme care. This directive obsoletes acl-authcDN, and acl- passwd. ... Unfortunately, I¹m having a bit of difficulty finding any documentation supporting the ability to implicitly use a particular bindDN and simple authentication password, regardless of whether the query is anonymous or authenticated. Any help would be welcome. Cheers, Dave -- Dave Stoll echo mac | sed 's/^/dave.stoll(a)/;s/$/.com/'

2 6

NOOP and case change renames
by Andrew Bartlett 10 Jan '08

10 Jan '08

I'm up against my next challenge in the great challenge of Samba4 and OpenLDAP. As metioned on openldap-devel, I've hit up against renaming DNs onto themselves. For example, I previously mentioned cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com into cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com This should become: dn: cn=ldaptestuser2,cn=users,DC=samba,DC=example,DC=com changetype: modrdn newrdn: cn=ldaptestuser2 deleteoldrdn: 1 > RFC 4511 states that a modify DN operation must fail with the > entryAlreadyExists result code if there was already an entry with that > name. However, a broad interpretation would recognize that such a > modify DN operation is going to be a no-op and simply ignore it. The > specific case doesn't seem to be explicitly dealt with in RFC 4511. I've written a module to cause this to never reach the DB, but my next test (which AD also permits) is: cn=ldaptestuser3,cn=users,DC=samba,DC=example,DC=com into cn=ldaptestUSER3,cn=users,DC=samba,DC=example,DC=com So it seems I need some backend help. Is there another way I should be handling case changes in a DN, or could/should the DB be modified to allow these operations? (These tests arose because a user tried to do exactly this from the windows management tools, and we also failed to allow it in ldb). Thanks, Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.

2 5

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical