--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten onno.van.der.straaten@gmail.com wrote:
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
    $ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
    ldap_initialize( ldap://zimbra.onknows.com:389 )
    Enter LDAP Password:
    replace olcPasswordHash:
            {SSHA}
    modifying entry "olcDatabase={-1}frontend,cn=config"
    modify complete
So the "modify complete" sort of suggestive of some kind of success completion or change applied. One would think. No.
The olcPasswordHash was "modified complete" to have exact same value as before. Sort of expected OpenLDAP to be "unwilling to perform", which often it is. Not now. It just is "willing to ignore". Almost human.
Your list of complaints so far:
a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
   # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do, after you broke the configuration (slapcat/slapadd)
I'm not really sure what to make of your above complaint. It seems you are saying you think it is an error for ldap to replace a value with itself? All LDAP servers will do that with a replace operation.
I.e., there is significant user error present here, and you got yourself into a bad spot, and made it worse via your own actions. A lack of understanding how to use a piece of software does not indicate the software itself is flawed. I will agree that it takes some time to learn how to work with LDAP in general, regardless of whether it is OpenLDAP, 389, Apache DS, etc. It may indeed be best in your case, to have a graphical UI hiding the grisly details from you, since those details are apparently causing significant challenge in your case. However, in the long run, it pays off significantly to understand the technology you're attempting to use.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
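The replace behaviour described in the message above follows from the LDAP Modify definition in RFC 4511. The sketch below is an added illustration, not part of any message in this thread and not OpenLDAP code: it models add, delete and replace on an in-memory entry (the function names and the {CRYPT} sample value are assumptions) to show why a same-value replace returns success while leaving the entry unchanged.

```python
# Added illustration: in-memory model of RFC 4511 Modify semantics (not OpenLDAP code).
SUCCESS = 0
NO_SUCH_ATTRIBUTE = 16
ATTRIBUTE_OR_VALUE_EXISTS = 20


def apply_modify(entry, op, attr, values):
    """Apply one modification to `entry` (dict: attribute -> list of values).

    Returns (result_code, changed). Values are compared as exact strings, a
    simplification: a real server uses the attribute's equality matching rule.
    """
    key = attr.lower()                      # attribute names are case-insensitive
    before = list(entry.get(key, []))
    if op == "add":
        if any(v in before for v in values):
            return ATTRIBUTE_OR_VALUE_EXISTS, False
        after = before + list(values)
    elif op == "delete":
        if not before or any(v not in before for v in values):
            return NO_SUCH_ATTRIBUTE, False
        after = [v for v in before if v not in values] if values else []
    elif op == "replace":
        # Replace never inspects the old values: it sets the new list, and with
        # no values it removes the attribute (ignored if the attribute is absent).
        after = list(values)
    else:
        raise ValueError(f"unknown modify operation: {op}")
    if after:
        entry[key] = after
    else:
        entry.pop(key, None)
    return SUCCESS, sorted(after) != sorted(before)


def demo():
    # Constructed entry mirroring the frontend database entry from the thread.
    entry = {"olcpasswordhash": ["{SSHA}"]}
    return [
        apply_modify(entry, "replace", "olcPasswordHash", ["{SSHA}"]),   # same value
        apply_modify(entry, "add", "olcPasswordHash", ["{SSHA}"]),       # duplicate
        apply_modify(entry, "replace", "olcPasswordHash", ["{CRYPT}"]),  # new value
        apply_modify(entry, "delete", "olcPasswordHash", ["{SSHA}"]),    # value gone
    ]


if __name__ == "__main__":
    for code, changed in demo():
        print(f"resultCode={code} changed={changed}")
```

To confirm that a change actually took effect on a live server, read the attribute before and after the modify and compare the two values, since the result code alone only says the operation was accepted.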
There are a number of really good clients to help with the issues you’re having. ldapvi[0] is a pretty simple client that lets you edit ldap objects in vi and commit the differences. Apache Directory Studio[1] is a more heavyweight, feature-complete client built on top of eclipse.
I really recommend you use one of these, it will make your life easier, as you seem to be making a lot of basic mistakes. If you get used to modifying your config in this way, you will learn to appreciate being able to make config changes without restarting slapd, and being able to replicate configuration between servers.
I found the olc config backend challenging when I first used it, but now I would not go back to the config file-based format.
[0]: http://www.lichteblau.com/ldapvi/
[1]: http://directory.apache.org/studio/
On Nov 26, 2014, at 12:55 PM, Quanah Gibson-Mount quanah@zimbra.com wrote:
--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten onno.van.der.straaten@gmail.com wrote:
And....another one. Amazing. So hard to understand the OpenLDAP interface. Might just as well have been in Chinese.
    $ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f olc_password_hash.ldif -W
    ldap_initialize( ldap://zimbra.onknows.com:389 )
    Enter LDAP Password:
    replace olcPasswordHash:
            {SSHA}
    modifying entry "olcDatabase={-1}frontend,cn=config"
    modify complete
So the "modify complete" sort of suggestive of some kind of success completion or change applied. One would think. No.
The olcPasswordHash was "modified complete" to have exact same value as before. Sort of expected OpenLDAP to be "unwilling to perform", which often it is. Not now. It just is "willing to ignore". Almost human.
Your list of complaints so far:
a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
   # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do, after you broke the configuration (slapcat/slapadd)
I'm not really sure what to make of your above complaint. It seems you are saying you think it is an error for ldap to replace a value with itself? All LDAP servers will do that with a replace operation.
I.e., there is significant user error present here, and you got yourself into a bad spot, and made it worse via your own actions. A lack of understanding how to use a piece of software does not indicate the software itself is flawed. I will agree that it takes some time to learn how to work with LDAP in general, regardless of whether it is OpenLDAP, 389, Apache DS, etc. It may indeed be best in your case, to have a graphical UI hiding the grisly details from you, since those details are apparently causing significant challenge in your case. However, in the long run, it pays off significantly to understand the technology you're attempting to use.
--Quanah
--
Quanah Gibson-Mount Server Architect Zimbra, Inc.
Zimbra :: the leader in open source messaging and collaboration
On 30/11/2014 02:33, Arroyo, David wrote:
There are a number of really good clients to help with the issues you’re having. ldapvi[0] is a pretty simple client that lets you edit ldap objects in vi and commit the differences. Apache Directory Studio[1] is a more heavyweight, feature-complete client built on top of eclipse.
Sorry to butt in, but the apache studio works with openldap too? I was under the impression it was just for ApacheDS. If it works with openldap I might give it a shot as it has been rather sticky with the other tools I've tried.
I really recommend you use one of these, it will make your life easier, as you seem to be making a lot of basic mistakes. If you get used to modifying your config in this way, you will learn to appreciate being able to make config changes without restarting slapd, and being able to replicate configuration between servers.
I found the olc config backend challenging when I first used it, but now I would not go back to the config file-based format.
On 30/11/2014 7:55 AM, Da Rock wrote:
Sorry to butt in, but the apache studio works with openldap too? I was under the impression it was just for ApacheDS. If it works with openldap I might give it a shot as it has been rather sticky with the other tools I've tried.
ApacheDS works, but I have had problems of misbehavior with cn=config in the past (it has spoiled my config for unidentified reasons). Yet, I have not recently (in the last one and a half year) used it.
I am regularly using JXplorer (http://jxplorer.org/) both for DIT and config editing and I am pretty satisfied with it.
All the best, Nick
Hi,
On Sun, 30 Nov 2014, Nick Milas wrote:
On 30/11/2014 7:55 AM, Da Rock wrote:
Sorry to butt in, but the apache studio works with openldap too? I was under the impression it was just for ApacheDS. If it works with openldap I might give it a shot as it has been rather sticky with the other tools I've tried.
ApacheDS works, but I have had problems of misbehavior with cn=config in the past (it has spoiled my config for unidentified reasons). Yet, I have not recently (in the last one and a half year) used it.
I am regularly using JXplorer (http://jxplorer.org/) both for DIT and config editing and I am pretty satisfied with it.
it has been mentioned before. I very much enjoy the simplicity of ldapvi for cn=config.
Greetings Christian
I have fallen in love with phpLdapAdmin. It does everything I could want and more. I am running it on load balanced apache servers with sasl auth. My http kerberos ticket (from mod_auth_kerb) authenticates me and the sasl gives me the access to the DIT I am allowed. cn=config works with no issues once configured properly. I can also change icons used to make the environment look nicer.
On Nov 30, 2014 7:12 AM, "Christian Kratzer" ck-lists@cksoft.de wrote:
Hi,
On Sun, 30 Nov 2014, Nick Milas wrote:
On 30/11/2014 7:55 AM, Da Rock wrote:
Sorry to butt in, but the apache studio works with openldap too? I was under the impression it was just for ApacheDS. If it works with openldap I might give it a shot as it has been rather sticky with the other tools I've tried.
ApacheDS works, but I have had problems of misbehavior with cn=config in the past (it has spoiled my config for unidentified reasons). Yet, I have not recently (in the last one and a half year) used it.
I am regularly using JXplorer (http://jxplorer.org/) both for DIT and config editing and I am pretty satisfied with it.
it has been mentioned before. I very much enjoy the simplicity of ldapvi for cn=config.
Greetings Christian
--
Christian Kratzer, CK Software GmbH
Email: ck@cksoft.de
Wildberger Weg 24/2, D-71126 Gaeufelden
Phone: +49 7032 893 997 - 0
Fax: +49 7032 893 997 - 9
Mobile: +49 171 1947 843
HRB 245288, Amtsgericht Stuttgart
Managing Director: Christian Kratzer
Web: http://www.cksoft.de/
On 30/11/2014 5:30 PM, brendan kearney wrote:
I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it has not stalled completely; last release was two years old. Moreover, all versions of the 1.2.x branch do not work properly with non-latin strings, whereas 1.1.x versions did even if there was no official support for language tags (RFC 3966)!! So, all 1.2.x versions are useless for admins/users who want to use non-latin strings as attribute values.
As some phpldapadmin user had earlier commented at sourceforge (these comments have vanished for some reason!), the last well-working version was 1.1.0.7. I can confirm this statement! We are using this version as well (it is not accessible from the Internet, to avoid any security issues).
If anyone knows anything about the status of phpldapadmin project, I would be very interested to be informed.
To me it looks like a dead project, I am afraid. See, for example, issue handling: http://dev.phpldapadmin.org/pla/issues/open
I hope I am wrong, because IMHO it's still the most user-friendly web GUI for LDAP!
Nick
On Sun, 2014-11-30 at 19:38 +0200, Nick Milas wrote:
On 30/11/2014 5:30 PM, brendan kearney wrote:
I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it has not stalled completely; last release was two years old. Moreover, all versions of the 1.2.x branch do not work properly with non-latin strings, whereas 1.1.x versions did even if there was no official support for language tags (RFC 3966)!! So, all 1.2.x versions are useless for admins/users who want to use non-latin strings as attribute values.
As some phpldapadmin user had earlier commented at sourceforge (these comments have vanished for some reason!), the last well-working version was 1.1.0.7. I can confirm this statement! We are using this version as well (it is not accessible from the Internet, to avoid any security issues).
If anyone knows anything about the status of phpldapadmin project, I would be very interested to be informed.
To me it looks like a dead project, I am afraid. See, for example, issue handling: http://dev.phpldapadmin.org/pla/issues/open
I hope I am wrong, because IMHO it's still the most user-friendly web GUI for LDAP!
Nick
they have moved their issue tracker to GitHub. https://github.com/leenooks/phpldapadmin/issues
Nick Milas nick@eurobjects.com wrote on 30.11.2014 at 18:38 in message 547B55F8.6030706@eurobjects.com:
On 30/11/2014 5:30 PM, brendan kearney wrote:
I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it has not stalled completely; last release was two years old. Moreover,
Just the fact that there are no updates in two years doesn't mean the software is obsolete; maybe it's just bug-free ;-)
Regards, Ulrich
"Arroyo, David" droyo@aqwari.net wrote on 29.11.2014 at 17:33 in message FC532239-EF48-464A-B188-1E1908DB577E@aqwari.net:
There are a number of really good clients to help with the issues you’re having. ldapvi[0] is a pretty simple client that lets you edit ldap objects in vi and commit the differences. Apache Directory Studio[1] is a more heavyweight, feature-complete client built on top of eclipse.
I really recommend you use one of these, it will make your life easier, as you seem to be making a lot of basic mistakes. If you get used to modifying your config in this way, you will learn to appreciate being able to make config changes without restarting slapd, and being able to replicate configuration between servers.
[...]
Personally I think the advice is good for users managing a directory, but the administrator of a directory server should be able to use the basic tools, just in case you messed up config so that you cannot connect to the server any more...
openldap-technical@openldap.org