9:55 a.m.
--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten
<onno.van.der.straaten(a)gmail.com> wrote:
And....another one. Amazing. So hard to understand the OpenLDAP
interface. Might just as well have been in Chinese.
$ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f
olc_password_hash.ldif -W
ldap_initialize( ldap://zimbra.onknows.com:389 )
Enter LDAP Password:
replace olcPasswordHash:
{SSHA}
modifying entry "olcDatabase={-1}frontend,cn=config"
modify complete
So the "modify complete" sort of suggestive of some kind of success
completion or change applied. One would think. No.
The olcPasswordHash was "modified complete" to have exact same value as
before. Sort of expected OpenLDAP to be "unwilling to perform", which
often it is. Not now. It just is "willing to ignore". Almost human.
Your list of complaints so far:
a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do,
after you broke the configuration (slapcat/slapadd)
I'm not really sure what to make of your above complaint. It seems you are
saying you think it is an error for ldap to replace a value with itself?
All LDAP servers will do that with a replace operation.
I.e., there is significant user error present here, and you got yourself
into a bad spot, and made it worse via your own actions. A lack of
understanding how to use a piece of software does not indicate the software
itself is flawed. I will agree that it takes some time to learn how to
work with LDAP in general, regardless of it is OpenLDAP, 389, Apache DS,
etc. It may indeed be best in your case, to have a graphical UI hiding the
grisly details from you, since those details are apparently causing
significant challenge in your case. However, in the long run, it pays off
significantly to understand the technology you're attempting to use.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8:33 a.m.
New subject: OpenLDAP incroyable!
There are a number of really good clients to help with the issues
you’re having. ldapvi[0] is a pretty simple client that lets you
edit ldap objects in vi and commit the differences. Apache Directory
Studio[1] is a more heavyweight, feature-complete client built on
top of eclipse.
I really recommend you use one of these, it will make your life
easier, as you seem to be making a lot of basic mistakes. If you
get used to modifying your config in this way, you will learn to
appreciate being able to make config changes without restarting
slapd, and being able to replicate configuration between servers.
I found the olc config backend challenging when I first used it,
but now I would not go back to the config file-based format.
[0]: http://www.lichteblau.com/ldapvi/
[1]: http://directory.apache.org/studio/
On Nov 26, 2014, at 12:55 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der
Straaten <onno.van.der.straaten(a)gmail.com> wrote:
>
> And....another one. Amazing. So hard to understand the OpenLDAP
> interface. Might just as well have been in Chinese.
>
>
>
> $ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f
> olc_password_hash.ldif -W
> ldap_initialize( ldap://zimbra.onknows.com:389 )
> Enter LDAP Password:
> replace olcPasswordHash:
> {SSHA}
> modifying entry "olcDatabase={-1}frontend,cn=config"
> modify complete
>
>
> So the "modify complete" sort of suggestive of some kind of success
> completion or change applied. One would think. No.
>
>
> The olcPasswordHash was "modified complete" to have exact same value as
> before. Sort of expected OpenLDAP to be "unwilling to perform", which
> often it is. Not now. It just is "willing to ignore". Almost human.
Your list of complaints so far:
a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do, after you broke
the configuration (slapcat/slapadd)
I'm not really sure what to make of your above complaint. It seems you are saying
you think it is an error for ldap to replace a value with itself? All LDAP servers will do
that with a replace operation.
I.e., there is significant user error present here, and you got yourself into a bad spot,
and made it worse via your own actions. A lack of understanding how to use a piece of
software does not indicate the software itself is flawed. I will agree that it takes some
time to learn how to work with LDAP in general, regardless of it is OpenLDAP, 389, Apache
DS, etc. It may indeed be best in your case, to have a graphical UI hiding the grisly
details from you, since those details are apparently causing significant challenge in your
case. However, in the long run, it pays off significantly to understand the technology
you're attempting to use.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9:55 p.m.
New subject: OpenLDAP incroyable!
On 30/11/2014 02:33, Arroyo, David wrote:
There are a number of really good clients to help with the issues
you’re having. ldapvi[0] is a pretty simple client that lets you
edit ldap objects in vi and commit the differences. Apache Directory
Studio[1] is a more heavyweight, feature-complete client built on
top of eclipse.
Sorry to butt in, but the apache studio works with openldap too? I
was
under the impression it was just for ApacheDS. If it works with openldap
I might give it a shot as it has been rather sticky with the other tools
I've tried.
I really recommend you use one of these, it will make your life
easier, as you seem to be making a lot of basic mistakes. If you
get used to modifying your config in this way, you will learn to
appreciate being able to make config changes without restarting
slapd, and being able to replicate configuration between servers.
I found the olc config backend challenging when I first used it,
but now I would not go back to the config file-based format.
[0]: http://www.lichteblau.com/ldapvi/
[1]: http://directory.apache.org/studio/
On Nov 26, 2014, at 12:55 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten
<onno.van.der.straaten(a)gmail.com> wrote:
>
>> And....another one. Amazing. So hard to understand the OpenLDAP
>> interface. Might just as well have been in Chinese.
>>
>>
>>
>> $ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f
>> olc_password_hash.ldif -W
>> ldap_initialize( ldap://zimbra.onknows.com:389 )
>> Enter LDAP Password:
>> replace olcPasswordHash:
>> {SSHA}
>> modifying entry "olcDatabase={-1}frontend,cn=config"
>> modify complete
>>
>>
>> So the "modify complete" sort of suggestive of some kind of success
>> completion or change applied. One would think. No.
>>
>>
>> The olcPasswordHash was "modified complete" to have exact same value
as
>> before. Sort of expected OpenLDAP to be "unwilling to perform", which
>> often it is. Not now. It just is "willing to ignore". Almost human.
> Your list of complaints so far:
>
> a) You told OpenLDAP to load a file that didn't exist
> b) You modified a file, by hand, where the first comment in the file is:
> # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
> c) In doing (b), you failed to preserve proper file permissions
> d) You failed to use the correct tools for doing what you wanted to do, after you
broke the configuration (slapcat/slapadd)
>
> I'm not really sure what to make of your above complaint. It seems you are
saying you think it is an error for ldap to replace a value with itself? All LDAP servers
will do that with a replace operation.
>
> I.e., there is significant user error present here, and you got yourself into a bad
spot, and made it worse via your own actions. A lack of understanding how to use a piece
of software does not indicate the software itself is flawed. I will agree that it takes
some time to learn how to work with LDAP in general, regardless of it is OpenLDAP, 389,
Apache DS, etc. It may indeed be best in your case, to have a graphical UI hiding the
grisly details from you, since those details are apparently causing significant challenge
in your case. However, in the long run, it pays off significantly to understand the
technology you're attempting to use.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
2:05 a.m.
New subject: OpenLDAP incroyable!
On 30/11/2014 7:55 πμ, Da Rock wrote:
Sorry to butt in, but the apache studio works with openldap too? I
was
under the impression it was just for ApacheDS. If it works with
openldap I might give it a shot as it has been rather sticky with the
other tools I've tried.
ApacheDS works, but I have had problems of misbehavior with cn=config in
the past (it has spoiled my config for unidentified reasons). Yet, I
have not recently (in the last one and a half year) used it.
I am regularly using JXplorer (http://jxplorer.org/) both for DIT and
config editing and I am pretty satisfied with it.
All the best,
Nick
4:11 a.m.
New subject: OpenLDAP incroyable!
Hi,
On Sun, 30 Nov 2014, Nick Milas wrote:
On 30/11/2014 7:55 πμ, Da Rock wrote:
> Sorry to butt in, but the apache studio works with openldap too? I was
> under the impression it was just for ApacheDS. If it works with openldap I
> might give it a shot as it has been rather sticky with the other tools I've
> tried.
ApacheDS works, but I have had problems of misbehavior with cn=config in the
past (it has spoiled my config for unidentified reasons). Yet, I have not
recently (in the last one and a half year) used it.
I am regularly using JXplorer (http://jxplorer.org/) both for DIT and config
editing and I am pretty satisfied with it.
it has been mentioned before. I very much enjoy the simplicity of ldapvi for cn=config.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
7:30 a.m.
New subject: OpenLDAP incroyable!
I have fallen in love with phpLdapAdmin. It does everything I could want
and more. I am running it in on load balanced apache servers with sasl
auth. My http kerberos ticket (from mod_auth_kerb) authenticates me and
the sasl gives me the access to the DIT I am allowed. cn=config works with
no issues once configured properly. I can also change icons used to make
the environment look nicer
On Nov 30, 2014 7:12 AM, "Christian Kratzer" <ck-lists(a)cksoft.de> wrote:
Hi,
On Sun, 30 Nov 2014, Nick Milas wrote:
On 30/11/2014 7:55 πμ, Da Rock wrote:
>
> Sorry to butt in, but the apache studio works with openldap too? I was
>> under the impression it was just for ApacheDS. If it works with openldap I
>> might give it a shot as it has been rather sticky with the other tools I've
>> tried.
>>
>
> ApacheDS works, but I have had problems of misbehavior with cn=config in
> the past (it has spoiled my config for unidentified reasons). Yet, I have
> not recently (in the last one and a half year) used it.
>
> I am regularly using JXplorer (http://jxplorer.org/) both for DIT and
> config editing and I am pretty satisfied with it.
>
it has been mentioned before. I very much enjoy the simplicity of ldapvi
for cn=config.
Greetings
Christian
--
Christian Kratzer CK Software GmbH
Email: ck(a)cksoft.de Wildberger Weg 24/2
Phone: +49 7032 893 997 - 0 D-71126 Gaeufelden
Fax: +49 7032 893 997 - 9 HRB 245288, Amtsgericht Stuttgart
Mobile: +49 171 1947 843 Geschaeftsfuehrer: Christian Kratzer
Web: http://www.cksoft.de/
9:38 a.m.
New subject: OpenLDAP incroyable!
On 30/11/2014 5:30 μμ, brendan kearney wrote:
I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for
cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it
has not stalled completely; last release was two years old. Moreover,
all versions of the 1.2.x branch do not work properly with non-latin
strings, whereas 1.1.x versions did even if there was no official
support for language tags (RFC 3966)!! So, all 1.2.x versions are
useless for admins/users who want to use non-latin strings as attribute
values.
As some phpldapadmin user had earlier commented at sourceforge (these
comments have vanished for some reason!), the last well-working version
was 1.1.0.7. I can confirm this statement! We are using this version as
well (it is not accessible from the Internet, to avoid any security issues).
If anyone knows anything about the status of phpldapadmin project, I
would be very interested to be informed.
To me it looks like a dead project, I am afraid. See, for example, issue
handling: http://dev.phpldapadmin.org/pla/issues/open
I hope I am wrong, because IMHO it's still the most user-friendly web
GUI for LDAP!
Nick
10:08 a.m.
New subject: OpenLDAP incroyable!
On Sun, 2014-11-30 at 19:38 +0200, Nick Milas wrote:
On 30/11/2014 5:30 μμ, brendan kearney wrote:
> I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for
cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it
has not stalled completely; last release was two years old. Moreover,
all versions of the 1.2.x branch do not work properly with non-latin
strings, whereas 1.1.x versions did even if there was no official
support for language tags (RFC 3966)!! So, all 1.2.x versions are
useless for admins/users who want to use non-latin strings as attribute
values.
As some phpldapadmin user had earlier commented at sourceforge (these
comments have vanished for some reason!), the last well-working version
was 1.1.0.7. I can confirm this statement! We are using this version as
well (it is not accessible from the Internet, to avoid any security issues).
If anyone knows anything about the status of phpldapadmin project, I
would be very interested to be informed.
To me it looks like a dead project, I am afraid. See, for example, issue
handling: http://dev.phpldapadmin.org/pla/issues/open
I hope I am wrong, because IMHO it's still the most user-friendly web
GUI for LDAP!
Nick
they have moved their issue tracker to GitHub.
https://github.com/leenooks/phpldapadmin/issues
12:26 a.m.
New subject: Antw: Re: OpenLDAP incroyable!
>> Nick Milas <nick(a)eurobjects.com> schrieb am 30.11.2014
um 18:38 in
Nachricht
<547B55F8.6030706(a)eurobjects.com>:
On 30/11/2014 5:30 μμ, brendan kearney wrote:
> I have fallen in love with phpLdapAdmin.
We are using phpLDAPAdmin on a daily basis as well, but not for
cn=config (only for the DIT).
Unfortunately, phpLDAPAdmin has a very slow development process, if it
has not stalled completely; last release was two years old. Moreover,
Just the fact that there are no updates in two years doesn't mean the software
is obsolete; maybe it's just bug-free ;-)
Regards,
Ulrich
11:31 p.m.
New subject: Antw: Re: OpenLDAP incroyable!
>> "Arroyo, David" <droyo(a)aqwari.net> schrieb am
29.11.2014 um 17:33 in
Nachricht
<FC532239-EF48-464A-B188-1E1908DB577E(a)aqwari.net>:
There are a number of really good clients to help with the issues
you’re having. ldapvi[0] is a pretty simple client that lets you
edit ldap objects in vi and commit the differences. Apache Directory
Studio[1] is a more heavyweight, feature-complete client built on
top of eclipse.
I really recommend you use one of these, it will make your life
easier, as you seem to be making a lot of basic mistakes. If you
get used to modifying your config in this way, you will learn to
appreciate being able to make config changes without restarting
slapd, and being able to replicate configuration between servers.
[...]
Personally I think the advice is good for users managing a directory, but the
administrator of a directory server should be able to use the baic tools, just
in case you messed up config so that you cannot connect to the server any
more...
3286
days inactive
3291
days old
openldap-technical@openldap.org
9 comments
8 participants
participants (8)
-
Arroyo, David -
brendan kearney -
Brendan Kearney
-
Christian Kratzer -
Da Rock -
Nick Milas -
Quanah Gibson-Mount -
Ulrich Windl