Hi List!
I have a bit of an off-topic problem, but I hope you can help me with it. We have an LDAP directory with many names. We have some identical CNs, for instance: John Smiths. The only difference between the 2 names is the e-mail address. How can I modify one of them? ldapmodify requires a DN, but in our environment the DN seems to be DN: CN=John Smiths. How can I include the e-mail address in the DN?
Any help appreciated.
Yours, K.T.
Kós Tamás wrote:
I have a bit of an off-topic problem, but I hope you can help me with it. We have an LDAP directory with many names. We have some identical CNs, for instance: John Smiths. The only difference between the 2 names is the e-mail address. How can I modify one of them? ldapmodify requires a DN, but in our environment the DN seems to be DN: CN=John Smiths. How can I include the e-mail address in the DN?
You can either use just the attribute 'mail' as the characteristic attribute for forming the RDN:
mail=jsmiths,<..rest of DN..>
mail=johnsmiths,<..rest of DN..>
Or you could use so-called multi-valued RDNs:
cn=John Smiths+mail=jsmiths,<..rest of DN..>
cn=John Smiths+mail=johnsmiths,<..rest of DN..>
As you can see, ',' and '+' and some other chars are special in the DN string representation, so you have to escape them (see RFC 4514).
Ciao, Michael.
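Michael's escaping advice above, as an added example that is not part of the original thread: a small pure-Python implementation of RFC 4514 string-DN escaping and parsing. It builds the multi-valued RDNs from his reply (cn=John Smiths+mail=jsmiths) and shows why the escaping matters: a value containing ',' or '+' that is concatenated into a DN unescaped changes the DN's structure (it adds an RDN), which is the classic injection in code that builds DNs from user-supplied names. The function names and sample values are my own assumptions; nothing here talks to a directory server.

```python
# Added example (not from the thread): RFC 4514 string DN escaping/parsing.
# Function names and test data are my own; nothing here talks to a server.

# Characters that must be backslash-escaped anywhere in an attribute value
# (RFC 4514 section 2.4); '=' does NOT need escaping inside a value.
_ESCAPE_ALWAYS = set(',+"\\<>;')


def escape_dn_value(value: str) -> str:
    """Escape one attribute value for the string form of a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _ESCAPE_ALWAYS:
            out.append("\\" + ch)
        elif ch == "\x00":
            out.append("\\00")
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")            # leading/trailing space
        elif ch == "#" and i == 0:
            out.append("\\#")            # leading '#' would mean BER hex form
        else:
            out.append(ch)
    return "".join(out)


def rdn(*avas):
    """Build a (possibly multi-valued) RDN from (type, value) pairs, e.g.
    rdn(("cn", "John Smiths"), ("mail", "jsmiths")) -> 'cn=John Smiths+mail=jsmiths'."""
    if not avas:
        raise ValueError("an RDN needs at least one attribute value assertion")
    return "+".join("%s=%s" % (t, escape_dn_value(v)) for t, v in avas)


def build_dn(rdns):
    """Inverse of parse_dn: list of RDNs (each a list of (type, value)) -> string DN."""
    return ",".join(rdn(*avas) for avas in rdns)


def parse_dn(s: str):
    """Split a string DN into [[(type, value), ...], ...], one inner list per RDN.
    Handles '\\c' character escapes and '\\XX' hex-pair escapes (hex pairs are
    UTF-8 bytes, so multi-byte characters round-trip).  Not handled: the
    '#hex' BER value form and the deprecated ';' RDN separator."""
    rdns, cur = [], []
    typ, buf = None, bytearray()
    i, n = 0, len(s)

    def end_ava():
        nonlocal typ, buf
        if typ is None:
            raise ValueError("attribute value without a type in %r" % s)
        cur.append((typ, buf.decode("utf-8")))
        typ, buf = None, bytearray()

    while i < n:
        ch = s[i]
        if ch == "\\":
            pair = s[i + 1:i + 3]
            if len(pair) == 2 and all(c in "0123456789abcdefABCDEF" for c in pair):
                buf.append(int(pair, 16))           # \XX -> one raw byte
                i += 3
            elif i + 1 < n:
                buf += s[i + 1].encode("utf-8")      # \c -> literal c
                i += 2
            else:
                raise ValueError("dangling backslash in %r" % s)
            continue
        if ch == "=" and typ is None:
            typ = buf.decode("utf-8").strip()
            buf = bytearray()
        elif ch == "+":
            end_ava()
        elif ch == ",":
            end_ava()
            rdns.append(cur)
            cur = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    end_ava()
    rdns.append(cur)
    return rdns


if __name__ == "__main__":
    # The two same-named people from the thread, distinguished by mail.
    for mail in ("jsmiths", "johnsmiths"):
        print(build_dn([[("cn", "John Smiths"), ("mail", mail)], [("o", "ACME")]]))
    # Unescaped concatenation lets a value add an RDN; escaping keeps it one RDN.
    raw = "Jakab,ou=admins"
    print(len(parse_dn("cn=" + raw)), "RDNs unescaped vs",
          len(parse_dn("cn=" + escape_dn_value(raw))), "escaped")
```

The same rdn() call produces the new RDN string passed to ldapmodrdn later in the thread (rdn(("CN", "Gipsz Jakab"), ("mail", "user@domain"))); whether a given server accepts a multi-valued RDN is a separate question that only the server can answer.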
Yesterday I tried importing a large ldif file into my ldap server via phpldapadmin and everything got hosed during the import.
I tried deleting the db.*, *.bdb and log.* files so I could start over, and tried importing the ldif file from the command line. Yikes! I don't think that was a good idea! Now, any time I try to start the ldap server and run any kind of command, I get:
ldap_bind: Can't contact LDAP server (-1)
I read a little about using tools to recover the database, but since I already deleted the .bdb files, I think I am out of luck there. Is my only hope to re-install the server? Does anyone know why this happens?
Thanks so much for all of your help, Kristen
-- Kristen Walker
Digital Media Resources Developer
Instructional Media Services
Santa Barbara County Education Office
4400 Cathedral Oaks Road
P.O. Box 6307
Santa Barbara, CA 93160-6307
(805)964-4711 ext. 5244 / FAX (805)683-3597
kwalker@sbceo.org
http://www.sbceoportal.org
Kristen Walker wrote:
Now, anytime I try to start the ldap server and run any kind of command, I get:
ldap_bind: Can't contact LDAP server (-1)
Try to start the server from the command line with -d 65535 and look in the debug log output to see why it fails during start-up.
Ciao, Michael.
On Thu, Aug 14, 2008 at 05:18:02PM +0200, Michael Ströder wrote:
You can either use just the attribute 'mail' as the characteristic attribute for forming the RDN:
mail=jsmiths,<..rest of DN..>
mail=johnsmiths,<..rest of DN..>
Or you could use so-called multi-valued RDNs:
cn=John Smiths+mail=jsmiths,<..rest of DN..>
cn=John Smiths+mail=johnsmiths,<..rest of DN..>
Another approach is to use some attribute that is unique and is not ever going to change. The easiest way to be sure of this is to make up a value and put it in 'uniqueIdentifier'. That way you do not have problems with clashes and you never have to rename entries.
Andrew
Hi again!
This is the output of the command:
xxx:~/ldap # ldapmodify -xv -h xxx.xx.hu -D "CN=xx,OU=xx,O=xx" -w password -f ./gipsz_giro.ldif
ldap_initialize( ldap://lx3.cnw.hu )
add usercertificate;binary:
        NOT ASCII (1384 bytes)
modifying entry "uid=gjakab,CN=Gipsz Jakab"
modify complete
ldap_modify: No such object (32)
Ldif file:
lx3:~/ldap # cat ./gipsz_giro.ldif
version: 1
dn: uid=gjakab,CN=Gipsz Jakab
changetype: modify
add: usercertificate;binary
usercertificate;binary:: <certificate>

The entries of the directory are synchronised from another directory. We don't have an Organization or Organizational unit..
Thanks for any help.
Ciao, Tamas
Kós Tamás wrote:
This is the output of the command:
xxx:~/ldap # ldapmodify -xv -h xxx.xx.hu -D "CN=xx,OU=xx,O=xx" -w password -f ./gipsz_giro.ldif
ldap_initialize( ldap://lx3.cnw.hu )
add usercertificate;binary:
        NOT ASCII (1384 bytes)
modifying entry "uid=gjakab,CN=Gipsz Jakab"
modify complete
ldap_modify: No such object (32)
Ldif file:
dn: uid=gjakab,CN=Gipsz Jakab
This simply means the entry uid=gjakab,CN=Gipsz Jakab does not exist.
Frankly judging from your questions so far you should probably do some basic reading about LDAP and its data and functional model. It does not make much sense to teach you all this here on the mailing list stumbling from one improperly described issue to another.
Ciao, Michael.
Thanks for your kind advice, Michael. The problem is that the user exists. I would like to know why the query cannot find him...
Command: ldapsearch -xv -h <server> -D "<authentication>" -w xxxx uid=gjakab
Answer:
ldap_initialize( ldap://lx3.cnw.hu )
filter: uid=gjakab
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=gjakab
# requesting: ALL
#

# Gipsz Jakab
dn: CN=Gipsz Jakab
cn: Gipsz Jakab
mail: gipsz.jakab@xxx.net
usercertificate;binary:: xxxxx uDheQEPv/j9elUR1YxvNfA==
displayname: Gipsz Jakab
objectclass: dominoPerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
mailsystem: 1
messagestorage: 1
encryptincomingmail: 0
roamcleansetting: 0
roamcleanper: 1
availablefordirsync: 1
checkpassword: 0
passwordchangeinterval: 0
passwordgraceperiod: 0
sn: Gipsz Jakab
uid: gjakab
roaminguser: 0
httppasswordchangedate: 20080624100633Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

So, the user exists. How can I use its e-mail address for modifying this or another user?
Sorry for the inconvenience.
Kós Tamás wrote:
This simply means the entry uid=gjakab,CN=Gipsz Jakab does not exist.
Frankly judging from your questions so far you should probably do some basic reading about LDAP and its data and functional model. It does not make much sense to teach you all this here on the mailing list stumbling from one improperly described issue to another.
Thanks for your kind advice, Michael. The problem is that the user exists. I would like to know why the query cannot find him...
Command: ldapsearch -xv -h <server> -D "<authentication>" -w xxxx uid=gjakab
"uid=gjakab,CN=Gipsz Jakab" does not exist.
# Gipsz Jakab dn: CN=Gipsz Jakab
Is this the full DN? So it's simply "CN=Gipsz Jakab".
objectclass: dominoPerson
Hmm, since this is Domino/LDAP I'd expect to see the Domino domain name in the DN above.
So, the user exists.
But not with DN "uid=gjakab,CN=Gipsz Jakab".
How can I use its e-mail address for modifying this or another user?
Sorry, I don't understand what you really want to achieve. If you want to rename the user entry "CN=Gipsz Jakab" to "uid=gjakab,CN=Gipsz Jakab" you have to send a rename (aka modrdn) request to the server. But IIRC in Domino/LDAP the DN is derived from the hierarchical Notes name. So I doubt you can simply rename the entry via LDAP. You have to test that.
Maybe you should rather try to experiment with a decent GUI LDAP client which guides you which input is needed for an operation.
Ciao, Michael.
Command: ldapsearch -xv -h <server> -D "<authentication>" -w xxxx uid=gjakab
"uid=gjakab,CN=Gipsz Jakab" does not exist.
# Gipsz Jakab dn: CN=Gipsz Jakab
Is this the full DN? So it's simply "CN=Gipsz Jakab".
Yes, this is the full DN, because the person is not registered in the Domino directory, just added to the secondary directory.
objectclass: dominoPerson
Hmm, since this is Domino/LDAP I'd expect to see the Domino domain name in the DN above.
You couldn't see it; the answer is described above.
So, the user exists.
But not with DN "uid=gjakab,CN=Gipsz Jakab".
How can I use its e-mail address for modifying this or another user?
Sorry, I don't understand what you really want to achieve. If you want to rename the user entry "CN=Gipsz Jakab" to "uid=gjakab,CN=Gipsz Jakab" you have to send a rename (aka modrdn) request to the server. But IIRC in Domino/LDAP the DN is derived from the hierarchical Notes name. So I doubt you can simply rename the entry via LDAP. You have to test that.
I want to achieve two things. Extend the DN (if possible) to mail+cn attributes, and use ldapmodify to add a certificate for the user. We don't have hierarchical names.
Maybe you should rather try to experiment with a decent GUI LDAP client which guides you which input is needed for an operation.
Thanks, I will try the jXplorer.
Ciao, Michael.
Best regards, Tamás
Kós Tamás wrote:
I want to achieve two things. Extend the DN (if possible) to mail+cn attributes
Try the ldapmodrdn command-line tool:
ldapmodrdn [options] "CN=Gipsz Jakab" "CN=Gipsz Jakab+mail=user@domain"
Not sure whether Domino/LDAP allows multi-valued RDNs though.
to use ldapmodify to add certificate for the user.
Use ldapmodify with LDIF like this:
------------------------ snip ------------------------
dn: CN=Gipsz Jakab
changetype: modify
add: userCertificate;binary
userCertificate;binary:: [..base64-encoded binary DER data of certificate..]
-
------------------------ snip ------------------------
Ciao, Michael.
2008/8/21 Michael Ströder michael@stroeder.com:
Kós Tamás wrote:
I want to achieve two things. Extend the DN (if possible) to mail+cn attributes
Try the ldapmodrdn command-line tool:
ldapmodrdn [options] "CN=Gipsz Jakab" "CN=Gipsz Jakab+mail=user@domain"
OK, thanks, I will try it, but I'm afraid it will ruin the card authentication...
Not sure whether Domino/LDAP allows multi-valued RDNs though.
to use ldapmodify to add certificate for the user.
Use ldapmodify with LDIF like this:
------------------------ snip ------------------------
dn: CN=Gipsz Jakab
changetype: modify
add: userCertificate;binary
userCertificate;binary:: [..base64-encoded binary DER data of certificate..]
-
------------------------ snip ------------------------
I tried it, but we could have more than one Gipsz Jakab, so I want to use the mail or uid attributes..
Best regards, Tamás
Ciao, Michael.
Kós Tamás wrote:
2008/8/21 Michael Ströder michael@stroeder.com:
Kós Tamás wrote:
I want to achieve two things. Extend the DN (if possible) to mail+cn attributes
Try the ldapmodrdn command-line tool:
ldapmodrdn [options] "CN=Gipsz Jakab" "CN=Gipsz Jakab+mail=user@domain"
OK, thanks, I will try it, but I'm afraid it will ruin the card authentication...
If you have X.509 certs issued and the subject-DNs MUST match the user's entry DN then you have more to think about in your infrastructure.
to use ldapmodify to add certificate for the user.
Use ldapmodify with LDIF like this:
------------------------ snip ------------------------
dn: CN=Gipsz Jakab
changetype: modify
add: userCertificate;binary
userCertificate;binary:: [..base64-encoded binary DER data of certificate..]
-
------------------------ snip ------------------------
I tried it, but we could have more than one Gipsz Jakab, so I want to use the mail or uid attributes..
Yes, this was just an example. dn: can be followed by any valid DN.
I vaguely remember that Domino/LDAP can contain entries like
dn: CN=Gipsz Jakab,uid=blurb
for the same user entry. But this violates LDAPv3 standard.
Ciao, Michael.
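The LDIF change records shown by Michael (the userCertificate;binary add) and earlier by Andrew (the telephonenumber add), as an added example that is not code from the thread: a generator and reader for a "changetype: modify" record following the RFC 2849 rules that are easy to get wrong by hand. Binary or non-ASCII values (the DER certificate; a DN such as CN=Kós Tamás) are written with the base64 '::' form, lines longer than 76 characters are folded with a leading space on continuation lines, each change is terminated by '-', and the record ends with a blank line. The certificate bytes are a constructed placeholder, not a real certificate, and the function names are my own.

```python
# Added example (not code from the thread): write and read back an LDIF
# "changetype: modify" record per RFC 2849.  Names are my own; the
# certificate bytes are a constructed placeholder, not a real DER certificate.
import base64

# Constructed stand-in for DER data, long enough to force line folding.
CERT_DER = bytes([0x30, 0x82, 0x01, 0x00]) + bytes(range(256))


def needs_base64(value) -> bool:
    """RFC 2849 SAFE-STRING: bytes are always base64; text is base64 when it
    starts with space, ':' or '<', or contains NUL, CR, LF or non-ASCII."""
    if isinstance(value, bytes):
        return True
    if not value:
        return False
    if value[0] in " :<":
        return True
    return any(ord(c) > 127 or c in "\x00\r\n" for c in value)


def attrval_line(name: str, value) -> str:
    """'name: value' for safe strings, 'name:: base64' otherwise."""
    if needs_base64(value):
        raw = value if isinstance(value, bytes) else value.encode("utf-8")
        return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))
    return "%s: %s" % (name, value)


def fold(line: str, width: int = 76):
    """Fold a long line; continuation lines begin with a single space."""
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return parts


def modify_ldif(dn: str, changes) -> str:
    """changes: list of (op, attr, [values]) with op in add/replace/delete.
    Returns one complete change record, ending with the blank line that
    terminates an LDIF record."""
    lines = [attrval_line("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in ("add", "replace", "delete"):
            raise ValueError("unsupported modify op %r" % op)
        lines.append("%s: %s" % (op, attr))
        for v in values:
            lines.append(attrval_line(attr, v))
        lines.append("-")                    # terminates each mod-spec
    out = []
    for line in lines:
        out.extend(fold(line))
    return "\n".join(out) + "\n\n"


def split_line(line: str):
    """'name: value' -> (name, str); 'name:: b64' -> (name, bytes)."""
    name, _, rest = line.partition(":")
    if rest.startswith(":"):
        return name, base64.b64decode(rest[1:].strip())
    return name, rest.lstrip(" ")


def parse_ldif_record(text: str):
    """Read back one modify record: (dn, changetype, [(op, attr, [values])]).
    Base64 values come back as bytes, plain values as str."""
    lines = []
    for raw in text.rstrip("\n").split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold continuation line
        else:
            lines.append(raw)
    name, dn = split_line(lines[0])
    if name != "dn":
        raise ValueError("record must start with a dn line")
    if isinstance(dn, bytes):
        dn = dn.decode("utf-8")
    name, changetype = split_line(lines[1])
    if name != "changetype":
        raise ValueError("second line must be changetype")
    changes, i = [], 2
    while i < len(lines):
        op, attr = split_line(lines[i])
        i += 1
        values = []
        while i < len(lines) and lines[i] != "-":
            values.append(split_line(lines[i])[1])
            i += 1
        i += 1                               # skip the "-" separator
        changes.append((op, attr, values))
    return dn, changetype, changes


if __name__ == "__main__":
    print(modify_ldif("CN=Gipsz Jakab", [
        ("add", "userCertificate;binary", [CERT_DER]),
        ("add", "telephoneNumber", ["+1 234 567 890"]),
    ]), end="")
```

The output of modify_ldif() is what goes into the file passed to ldapmodify -f; the dn line must name an entry that actually exists, which is exactly the "No such object (32)" failure seen earlier in this thread.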
Hi!
Thanks for your help. I tried to search with this command:
ldapsearch -xv -h host.somewhere.net -D "CN=jsmiths,O=ACME" -w password mail=jsmiths@moewhere.net+CN=John\ Smiths
Nothing found... These persons don't have O or DC attributes. Can I ask you to give me some examples for searches and for modifying people by mail and CN attributes.
Cioa, Tamas
On Fri, Aug 15, 2008 at 10:41:54AM +0200, Kós Tamás wrote:
I have a bit of an off-topic problem, but I hope you can help me with it. We have an LDAP directory with many names. We have some identical CNs, for instance: John Smiths. The only difference between the 2 names is the e-mail address. How can I modify one of them? ldapmodify requires a DN, but in our environment the DN seems to be DN: CN=John Smiths. How can I include the e-mail address in the DN?
Thanks for your help. I tried to search with this command:
ldapsearch -xv -h host.somewhere.net -D "CN=jsmiths,O=ACME" -w password mail=jsmiths@moewhere.net+CN=John\ Smiths
Nothing found...
Ah - we have some confusion here. Michael and I both replied to your first message assuming that you wanted to add new entries for two people with the same name. I now think that you are trying to find and modify an existing entry.
If you already have two people in the directory who have the same name then they must have different DNs. It does not matter what those DNs are - we just need to find them. It looks as if the mail address is the best way to select the one you want so the search should look something like this:
ldapsearch -x -h host.somewhere.net -D "CN=jsmiths,O=ACME" \
    -w password -b O=ACME mail=jsmiths@moewhere.net
Note that I am assuming that there really is a user with DN "CN=jsmiths,O=ACME". If not, you will get an "Invalid credentials" error. In many directories you do not need to specify the DN and password as they allow anonymous users to search and read.
Note also that I have supplied a base for the search with the -b flag. If you do not do this you will get a "No such object" error. The base object must exist.
These persons don't have O or DC attributes. Can I ask you to give me some examples for searches and for modifying people by mail and CN attributes.
Get the search working first, to find the DN of the entry. To modify the entry using command-line tools you will need to write a small LDIF file. Let us assume that you want to add a phone number to CN=jsmiths,O=ACME:
dn: CN=jsmiths,O=ACME
changetype: modify
add: telephonenumber
telephonenumber: +1 234 567 890
(the file should end with a blank line).
Now the command will be:
ldapmodify -x -h host.somewhere.net -D "CN=jsmiths,O=ACME" \
    -w password -f FILENAME
This assumes that the user "CN=jsmiths,O=ACME" is allowed to modify their own entry.
You may find it easier to do this sort of job using a GUI tool. Why not try jXplorer?
Andrew
| From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 |
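Andrew's procedure (find the DN by mail address, expect exactly one hit, then send the modify to that DN), as an added example that is not code from the thread. It escapes the filter value per RFC 4515 before building (mail=...), and includes a tiny in-memory evaluator for a single (attr=value) filter so the effect of not escaping can be seen offline: an unescaped '*' taken from user input turns the lookup into a presence filter that matches every entry. DIRECTORY is constructed sample data with the two same-named people from the thread; the function names and the example.net addresses are my own assumptions.

```python
# Added example (not code from the thread): RFC 4515 filter-value escaping plus
# a tiny in-memory evaluator for (attr=value) filters, so the effect of an
# unescaped value can be seen without a server.  Names and data are my own.
import re

# Constructed sample directory: the two same-named people from the thread
# (distinguished by mail, as Michael suggested) plus one more entry.
DIRECTORY = {
    "cn=John Smiths+mail=jsmiths@example.net,o=ACME": {
        "cn": ["John Smiths"], "mail": ["jsmiths@example.net"]},
    "cn=John Smiths+mail=johnsmiths@example.net,o=ACME": {
        "cn": ["John Smiths"], "mail": ["johnsmiths@example.net"]},
    "cn=Gipsz Jakab,o=ACME": {
        "cn": ["Gipsz Jakab"], "mail": ["gjakab@example.net"]},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 section 3: NUL, '(', ')', '*' and '\\' inside an assertion
    value are written as a backslash and two hex digits.  Other characters,
    including non-ASCII ones, may appear literally."""
    return "".join("\\%02x" % ord(c) if c in "\x00()*\\" else c for c in value)


def equality_filter(attr: str, value: str) -> str:
    """Build '(attr=value)' with the value escaped."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def unescape_filter_value(piece: str) -> str:
    # Only single-byte escapes are produced by escape_filter_value, so chr() is
    # enough here; a full implementation would collect bytes and decode UTF-8.
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)


def search(directory, filter_str: str):
    """Evaluate a single (attr=assertion) filter the way a server would: an
    unescaped '*' is a wildcard (so '(mail=*)' is a presence test), while an
    escaped '\\2a' only matches a literal asterisk.  Matching is
    case-insensitive, like caseIgnoreIA5Match for mail.  Returns matching DNs."""
    m = re.fullmatch(r"\((\w[\w;-]*)=(.*)\)", filter_str)
    if not m:
        raise ValueError("unsupported filter %r" % filter_str)
    attr, assertion = m.group(1).lower(), m.group(2)
    pattern = ".*".join(re.escape(unescape_filter_value(p))
                        for p in assertion.split("*"))
    rx = re.compile("^" + pattern + "$", re.IGNORECASE)
    return [dn for dn, attrs in directory.items()
            if any(rx.match(v) for v in attrs.get(attr, []))]


def find_dn_by_mail(directory, mail: str) -> str:
    """Andrew's first step: locate the entry by mail and insist on exactly one
    hit, since the DN found here is what the modify will be sent to."""
    hits = search(directory, equality_filter("mail", mail))
    if len(hits) != 1:
        raise LookupError("expected exactly one entry for %r, got %d"
                          % (mail, len(hits)))
    return hits[0]


if __name__ == "__main__":
    print(find_dn_by_mail(DIRECTORY, "jsmiths@example.net"))
    # Raw interpolation of a user-supplied '*' matches everything...
    print(search(DIRECTORY, "(mail=%s)" % "*"))
    # ...while the escaped form matches nothing but a literal '*'.
    print(search(DIRECTORY, equality_filter("mail", "*")))
```

The DN returned by find_dn_by_mail() is the one to put on the dn: line of the LDIF for ldapmodify; the "exactly one" check is what keeps a certificate from landing on the wrong John Smiths.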
Hi!
For information a search output:
xxx:~/ldap # ldapsearch -xv -h xxx.xxx.xx -D "CN=xxx,OU=xxx,O=xxx" -w xxxxxx uid=gjakab2
ldap_initialize( ldap://xxx.xxx.xxx )
filter: uid=gjakab2
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <> with scope subtree
# filter: uid=gjakab2
# requesting: ALL
#

# Gipsz Jakab
dn: CN=Gipsz Jakab
cn: Gipsz Jakab
mail: gjakab@xxx.xxx
displayname: Gipsz Jakab
objectclass: dominoPerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
mailsystem: 1
messagestorage: 1
encryptincomingmail: 0
roamcleansetting: 0
roamcleanper: 1
availablefordirsync: 1
checkpassword: 0
passwordchangeinterval: 0
passwordgraceperiod: 0
o: masik
sn: Gipsz Jakab
uid: gjakab2
roaminguser: 0
httppasswordchangedate: 20080624100633Z

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
xxx:~/ldap #
Kós Tamás wrote:
For information a search output: [..] # Gipsz Jakab dn: CN=Gipsz Jakab cn: Gipsz Jakab mail: gjakab@xxx.xxx displayname: Gipsz Jakab objectclass: dominoPerson
So this is Domino/LDAP? Domino/LDAP returns DNs for entries based on the Notes hierarchical name (1:1 mapping).
Could you please elaborate what your problem is?
Ciao, Michael.
Yeah, this is (Domino/LDAP). We have a secondary directory (dirass) distributed by LDAP. The entries in the secondary directory contain those attributes which you could see in my previous mail. Our (my) problem is to modify already added entries, which could have the same name (CN). The users in the secondary directory are not registered; they are synchronized from another one.
Thanks for your help!
Ciao, Tamas.
openldap-technical@openldap.org