3:54 a.m.
Hi!
As stated some time ago the SUSE Linux Enterprise Server 15 (SLES15) switched from
OpenLDAP to 389 Directory Server.
Trying the latter, I see that it still works with BDB (4.8), and setup is easy. It also
seems to have modern features like these:
\n+Entry cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
However I wonder if it's possible to integrate a 389DS (ns-slapd,
http://www.port389.org/) into an OpenLDAP multi-master configuration. Definitely one
cannot sync the configuration section, because it's too different.
For example the ACL Syntax looks like this:
(targetattr="carLicense || description || displayName || facsimileTelephoneNumber ||
homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile ||
pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod
|| preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st ||
street || telephoneNumber || telexNumber || title || userCertificate || userPassword ||
userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self
write for common attributes"; allow (write) userdn="ldap:///self";)
Regards,
Ulrich
8:16 p.m.
389 DS is nowadays supporting the syncrepl protocol, so in theory it
_might_ work but I have not tried it.
The real question is why would anyone want to use BDB in 2018 when MDB
has already been around for more than a few years?
On Tue, Aug 21, 2018 at 11:09 PM Ulrich Windl
<Ulrich.Windl(a)rz.uni-regensburg.de> wrote:
Hi!
As stated some time ago the SUSE Linux Enterprise Server 15 (SLES15) switched from
OpenLDAP to 389 Directory Server.
Trying the latter, I see that it still works with BDB (4.8), and setup is easy. It also
seems to have modern features like these:
\n+Entry cn=SSHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SSHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SSHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA384,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=SHA512,cn=Password Storage Schemes,cn=plugins,cn=config is added
\n+Entry cn=PBKDF2_SHA256,cn=Password Storage Schemes,cn=plugins,cn=config is added
However I wonder if it's possible to integrate a 389DS (ns-slapd,
http://www.port389.org/) into an OpenLDAP multi-master configuration. Definitely one
cannot sync the configuration section, because it's too different.
For example the ACL Syntax looks like this:
(targetattr="carLicense || description || displayName || facsimileTelephoneNumber ||
homePhone || homePostalAddress || initials || jpegPhoto || labeledURI || mail || mobile ||
pager || photo || postOfficeBox || postalAddress || postalCode || preferredDeliveryMethod
|| preferredLanguage || registeredAddress || roomNumber || secretary || seeAlso || st ||
street || telephoneNumber || telexNumber || title || userCertificate || userPassword ||
userSMIMECertificate || x500UniqueIdentifier")(version 3.0; acl "Enable self
write for common attributes"; allow (write) userdn="ldap:///self";)
Regards,
Ulrich
9:13 a.m.
On 2018-08-20 12:54, Ulrich Windl wrote:
However I wonder if it's possible to integrate a 389DS
(ns-slapd,
http://www.port389.org/) into an OpenLDAP multi-master configuration.
Even if you get syncrepl working you will get into trouble because
schema checking in 389-DS is not as strict as with OpenLDAP. Which means
a client can write data to 389-DS which is rejected in OpenLDAP. IMO
this lack of schema-checking is also one of the main reasons not to use
389-DS.
Ciao, Michael.
7:39 p.m.
You won't necessarily get into trouble.
1. just because schema controls are not as strict does not
automatically mean that clients will enter non-compliant data
2. syncrepl schemachecking=off allows you to do what you want, in any case
Those are the facts. Leading newbies to behave according to how you
think they should behave is not objective.
On Thu, Aug 23, 2018 at 7:16 PM Michael Ströder <michael(a)stroeder.com> wrote:
On 2018-08-20 12:54, Ulrich Windl wrote:
> However I wonder if it's possible to integrate a 389DS (ns-slapd,
> http://www.port389.org/) into an OpenLDAP multi-master configuration.
Even if you get syncrepl working you will get into trouble because
schema checking in 389-DS is not as strict as with OpenLDAP. Which means
a client can write data to 389-DS which is rejected in OpenLDAP. IMO
this lack of schema-checking is also one of the main reasons not to use
389-DS.
Ciao, Michael.
10:14 p.m.
On 2018-08-25 04:39, MJ J wrote:
You won't necessarily get into trouble.
1. just because schema controls are not as strict does not
automatically mean that clients will enter non-compliant data
Practice shows that there will very likely be non-compliant data because
people implementing various in-house LDAP clients simply do not know
better.
Ciao, Michael.
1862
days inactive
1867
days old
openldap-technical@openldap.org
4 comments
3 participants
participants (3)
-
Michael Ströder -
MJ J -
Ulrich Windl