Hi,
I have the following configuration in my OpenLDAP:

dn: cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr
cn: stats.mysite.fr
objectClass: top
objectClass: groupOfNames
description: VirtualHost stats.mysite.fr
member: uid=user_authorized,ou=People,dc=mysite,dc=fr
member: uid=USER,ou=People,dc=mysite,dc=fr

dn: uid=USER,ou=People,dc=mysite,dc=fr
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
cn: USER P.
sn: USER P.
shadowMax: 99999
shadowWarning: 7
mail: USER@google.eu
loginShell: /bin/bash
uidNumber: 10007
gidNumber: 10007
homeDirectory: /home/ldap_users/USER
gecos: ,,,

and I'm wondering how to create a filter that matches only the members of a given group, in order to use it with Apache2 or other software.
The difficulty for me is to obtain the posixAccount object and not the group one.
Thanks in advance, Rémi
On 03/10/2009 01:21, Remi Ferrand wrote:
Hi,
I have the following configuration in my OpenLDAP:

dn: cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr
cn: stats.mysite.fr
objectClass: top
objectClass: groupOfNames
description: VirtualHost stats.mysite.fr
member: uid=user_authorized,ou=People,dc=mysite,dc=fr
member: uid=USER,ou=People,dc=mysite,dc=fr

dn: uid=USER,ou=People,dc=mysite,dc=fr
objectClass: top
objectClass: person
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: USER
cn: USER P.
sn: USER P.
shadowMax: 99999
shadowWarning: 7
mail: USER@google.eu
loginShell: /bin/bash
uidNumber: 10007
gidNumber: 10007
homeDirectory: /home/ldap_users/USER
gecos: ,,,

and I'm wondering how to create a filter that matches only the members of a given group, in order to use it with Apache2 or other software.
The difficulty for me is to obtain the posixAccount object and not the group one.
You can't return account objects from a search based on groups, whatever the filter. Not with one LDAP search, anyway.
Most LDAP clients can check whether an entry is a member of a group. Apache's LDAP auth[nz] module does it too, see: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup
Regards, Jonathan
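An added example, not from the thread and not OpenLDAP or Apache code, of the two points Jonathan makes: the membership question a client can answer with one operation against the group entry (which yields the group, never the account), and the two-step resolution from a groupOfNames to its posixAccount entries. It also shows the RFC 4515 escaping that has to happen whenever a login name is spliced into a filter, because `(uid=%s)` with an unescaped value is a textbook LDAP injection. The in-memory `DIRECTORY` is a constructed stand-in for the two entries Rémi posted; the `user_authorized` uidNumber and the `uid=outsider` account are invented so that a negative case exists.

```python
"""Group-membership checks against an in-memory copy of the posted entries.
Constructed example: the dict below mirrors the LDIF in the thread, with one
assumed non-member account added; the filters are what you would hand to
ldapsearch or an LDAP client library against the real server."""

GROUP_DN = "cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr"

# Constructed sample directory keyed by DN; attribute values kept as lists.
DIRECTORY = {
    GROUP_DN: {
        "objectClass": ["top", "groupOfNames"],
        "cn": ["stats.mysite.fr"],
        "member": [
            "uid=user_authorized,ou=People,dc=mysite,dc=fr",
            "uid=USER,ou=People,dc=mysite,dc=fr",
        ],
    },
    "uid=user_authorized,ou=People,dc=mysite,dc=fr": {
        "objectClass": ["top", "person", "posixAccount"],
        "uid": ["user_authorized"],
        "uidNumber": ["10006"],          # assumed value, not from the thread
    },
    "uid=USER,ou=People,dc=mysite,dc=fr": {
        "objectClass": ["top", "person", "inetOrgPerson",
                        "organizationalPerson", "posixAccount", "shadowAccount"],
        "uid": ["USER"],
        "uidNumber": ["10007"],
        "homeDirectory": ["/home/ldap_users/USER"],
    },
    # Assumed: a valid account that is NOT a member of the group.
    "uid=outsider,ou=People,dc=mysite,dc=fr": {
        "objectClass": ["top", "person", "posixAccount"],
        "uid": ["outsider"],
        "uidNumber": ["10008"],
    },
}

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a string before splicing it into a search filter. Without this a
    login such as '*)(uid=*' turns (uid=%s) into a filter matching everyone."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def membership_filter(user_dn: str) -> str:
    """Filter for a base-scope search on the group DN: the server returns the
    group entry iff user_dn is listed in member. Same question mod_authnz_ldap
    asks with an LDAP compare on the group entry; it never returns the account."""
    return "(&(objectClass=groupOfNames)(member=%s))" % escape_filter_value(user_dn)


def account_filter(uid: str) -> str:
    """Filter for the second search, run under the people base."""
    return "(&(objectClass=posixAccount)(uid=%s))" % escape_filter_value(uid)


def _split_dn(dn: str):
    """Split a DN on unescaped commas. Adequate for the DNs in this thread; a
    production client should use a real DN parser, or let the server match by
    using the compare operation (ldapcompare)."""
    parts, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs such as '\,' intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
        i += 1
    parts.append("".join(cur))
    return parts


def normalize_dn(dn: str) -> str:
    """Case-fold and trim RDNs so 'UID=User, OU=People,...' equals 'uid=user,ou=People,...'."""
    return ",".join(p.strip().lower() for p in _split_dn(dn))


def is_member(user_dn: str, group_dn: str = GROUP_DN, directory=DIRECTORY) -> bool:
    """Client-side membership test: one read of the group entry, which is what
    the base-scope search with membership_filter() costs on the wire."""
    group = directory.get(group_dn)
    if not group or "groupOfNames" not in group.get("objectClass", []):
        return False
    wanted = normalize_dn(user_dn)
    return any(normalize_dn(m) == wanted for m in group.get("member", []))


def group_accounts(group_dn: str = GROUP_DN, directory=DIRECTORY):
    """Resolve a group to its posixAccount entries: read the member DNs, then
    fetch each DN and keep the ones that are accounts. Member DNs without an
    entry are skipped, which is why referential integrity matters on a server."""
    group = directory.get(group_dn, {})
    accounts = []
    for dn in group.get("member", []):
        entry = directory.get(dn)
        if entry and "posixAccount" in entry.get("objectClass", []):
            accounts.append((dn, entry))
    return accounts
```

Against the real server the single-operation check is `ldapcompare -x "cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr" "member:uid=USER,ou=People,dc=mysite,dc=fr"`, which prints TRUE or FALSE, and the two-step resolution is one `ldapsearch -s base` on the group for `member` followed by one search per returned DN; neither produces the account entry from the group in a single query, as Jonathan says.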
Jonathan Clarke wrote:
You can't return account objects from a search based on groups, whatever the filter. Not with one LDAP search, anyway.
Most LDAP clients can check whether an entry is a member of a group. Apache's LDAP auth[nz] module does it too, see: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup
Regards, Jonathan
Thanks Jonathan,
Too bad Dovecot is not able to check the membership of a username ... My Apache2 configuration is already based on what you sent me and works very well ;)
I guess that my last possibility for this to work with Dovecot is to add a "member" field to every "objectClass=posixAccount" entry and to use a search filter such as: (&(objectClass=posixAccount)(member=MY_GROUP_DN))
Thanks again, Rémi
On 05/10/2009 14:15, Remi Ferrand wrote:
Jonathan Clarke wrote:
You can't return account objects from a search based on groups, whatever the filter. Not with one LDAP search, anyway.
Most LDAP clients can check whether an entry is a member of a group. Apache's LDAP auth[nz] module does it too, see: http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html#reqgroup
Regards, Jonathan
Thanks Jonathan,
Too bad Dovecot is not able to check the membership of a username ... My Apache2 configuration is already based on what you sent me and works very well ;)
I guess that my last possibility for this to work with Dovecot is to add a "member" field to every "objectClass=posixAccount" entry and to use a search filter such as: (&(objectClass=posixAccount)(member=MY_GROUP_DN))
The "memberof" overlay included in OpenLDAP can do that automatically for you: see slapo-memberof(5).
Regards, Jonathan
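An added configuration example, not from the thread, of what Jonathan's suggestion looks like end to end: the overlay section of slapd.conf (OpenLDAP 2.4, where slapo-memberof first shipped; the 2.3.43 build mentioned later in this page does not have it) and a dovecot-ldap.conf whose pass_filter uses the server-maintained memberOf attribute, so the search returns the posixAccount entry only when the user is in the group. Host name, bind DN, password, database type and directory path are assumptions.

```conf
### slapd.conf (OpenLDAP 2.4): let the server maintain memberOf on accounts
# Needed only when the overlay was built as a module.
moduleload      memberof.la

database        hdb
suffix          "dc=mysite,dc=fr"
# assumed values
rootdn          "cn=admin,dc=mysite,dc=fr"
directory       /var/lib/ldap
# memberOf must be indexed or every Dovecot login becomes a full scan
index           objectClass,uid,memberOf   eq

overlay         memberof
memberof-group-oc       groupOfNames
memberof-member-ad      member
memberof-memberof-ad    memberOf
# keep memberOf and member consistent when entries are deleted or renamed
memberof-refint         true
# refuse a member DN that does not resolve to an existing entry
memberof-dangling       error

### dovecot-ldap.conf: only accounts in the group may authenticate
# assumed host and read-only bind account; keep this file mode 0600
hosts            = ldap.mysite.fr
dn               = cn=dovecot,dc=mysite,dc=fr
dnpass           = secret
ldap_version     = 3
auth_bind        = yes
base             = ou=People,dc=mysite,dc=fr
scope            = subtree
# Dovecot escapes %u before substituting it, so a crafted login cannot
# break out of the filter. The memberOf clause is the group check.
pass_filter      = (&(objectClass=posixAccount)(uid=%u)(memberOf=cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr))
user_filter      = (&(objectClass=posixAccount)(uid=%u)(memberOf=cn=stats.mysite.fr,ou=Group,dc=mysite,dc=fr))
user_attrs       = homeDirectory=home,uidNumber=uid,gidNumber=gid
```

Two checks before relying on this: the overlay only updates memberOf for group modifications it sees, so groups that existed before it was loaded need their members removed and re-added (or a one-off script) before the filter matches anyone; and memberOf is an operational attribute in OpenLDAP, so name it explicitly (or use `+`) in ldapsearch when verifying that an account now carries it, even though filtering on it works without that.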
Hi people, I am having problems with this:
Does someone know the solution for this problem?

[root@SRVDC01 ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:53:11) $
	mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
daemon: bind(7) failed errno=98 (Address already in use)
daemon: bind(7) failed errno=98 (Address already in use)
slapd stopped.
connections_destroy: nothing to destroy.
Regards
--On Tuesday, October 06, 2009 12:41 AM -0300 "Dominguez, Gaston Matias" gdominguez@eling.com.ar wrote:
Hi people, I am having problems with this:
Does someone know the solution for this problem?

[root@SRVDC01 ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:53:11) $
	mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
daemon: bind(7) failed errno=98 (Address already in use)
daemon: bind(7) failed errno=98 (Address already in use)
slapd stopped.
connections_destroy: nothing to destroy.
That would indicate there is already a process listening to port 389 on your server, or it is being blocked from binding to that address.
--Quanah
--
Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration
On 06/10/2009 05:41, Dominguez, Gaston Matias wrote:
Hi people, I am having problems with this:
Does someone know the solution for this problem?

[root@SRVDC01 ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:53:11) $
	mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
daemon: bind(7) failed errno=98 (Address already in use)
daemon: bind(7) failed errno=98 (Address already in use)
slapd stopped.
connections_destroy: nothing to destroy.
Looks like another program is already listening on the default port: 389. Do you have another slapd already running as a daemon?
Jonathan
Dominguez, Gaston Matias wrote:
Hi people, I am having problems with this:
Does someone know the solution for this problem?

[root@SRVDC01 ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:53:11) $
	mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
daemon: bind(7) failed errno=98 (Address already in use)
daemon: bind(7) failed errno=98 (Address already in use)
slapd stopped.
connections_destroy: nothing to destroy.
As the error message says, the address(es) to which you are trying to bind the slapd process are already in use.
You either have a slapd running already, or something else is using the IP address and/or TCP ports that your LDAP server wants to use.
People, I found this but I don't know how to stop IPv6.

[root@SRVDC01 ~]# lsof -i :389
COMMAND  PID USER   FD   TYPE DEVICE SIZE NODE NAME
xfs     2244  xfs    3u  IPv4   6166       TCP SRVDC01:51891->SRVDC01:ldap (CLOSE_WAIT)
slapd   2822 ldap    7u  IPv6   9900       TCP *:ldap (LISTEN)
slapd   2822 ldap    8u  IPv4   9901       TCP *:ldap (LISTEN)
[root@SRVDC01 ~]#

Does someone know if I must disable IPv6 in /etc/sysctl?
Regards.
-----Original Message----- From: Bjørn Ruberg [mailto:bjorn@ruberg.no] Sent: Monday, 05 October 2009 02:49 p.m. To: 'OpenLDAP Technical' CC: Dominguez, Gaston Matias Subject: Re: Problem with slapd
Dominguez, Gaston Matias wrote:
Hi people, I am having problems with this:
Does someone know the solution for this problem?

[root@SRVDC01 ~]# slapd -d 256
@(#) $OpenLDAP: slapd 2.3.43 (Jan 21 2009 03:53:11) $
	mockbuild@builder16.centos.org:/builddir/build/BUILD/openldap-2.3.43/openldap-2.3.43/build-servers/servers/slapd
daemon: bind(7) failed errno=98 (Address already in use)
daemon: bind(7) failed errno=98 (Address already in use)
slapd stopped.
connections_destroy: nothing to destroy.
As the error message says, the address(es) to which you are trying to bind the slapd process are already in use.
You either have a slapd running already, or something else is using the IP address and/or TCP ports that your LDAP server wants to use.
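An added example, not from the thread, of reading the `lsof -i :389` output above the way Quanah, Jonathan and Bjørn's replies suggest: separate the sockets that actually hold the port (state LISTEN) from client-side connections that merely mention it, then report which process owns the listeners. The embedded text is Gaston's own output, constructed here as a string constant; the parser and the diagnosis logic are ours and not part of lsof or OpenLDAP.

```python
"""Find out who already holds the LDAP port from `lsof -i :389` output.
Constructed sample: the rows below are the output posted in the thread."""

LSOF_OUTPUT = """\
COMMAND PID  USER FD TYPE DEVICE SIZE NODE NAME
xfs     2244 xfs  3u IPv4 6166        TCP  SRVDC01:51891->SRVDC01:ldap (CLOSE_WAIT)
slapd   2822 ldap 7u IPv6 9900        TCP  *:ldap (LISTEN)
slapd   2822 ldap 8u IPv4 9901        TCP  *:ldap (LISTEN)
"""


def parse_lsof(text: str):
    """Parse the whitespace-separated rows of `lsof -i`. SIZE is blank for
    sockets, so fixed fields are taken from the left and the connection state
    (the last token, in parentheses) from the right."""
    rows = []
    for line in text.splitlines()[1:]:            # skip the header row
        tok = line.split()
        if len(tok) < 8:
            continue
        state = tok[-1].strip("()") if tok[-1].startswith("(") else ""
        name = tok[-2] if state else tok[-1]
        rows.append({
            "command": tok[0], "pid": int(tok[1]), "user": tok[2],
            "fd": tok[3], "family": tok[4], "name": name, "state": state,
        })
    return rows


def listeners(rows):
    """Only LISTEN sockets occupy the port. CLOSE_WAIT or ESTABLISHED rows
    (here: a client connection from the xfs process) cannot cause errno 98."""
    return [r for r in rows if r["state"] == "LISTEN"]


def diagnose(text: str):
    """Return (pids, families, message) describing who owns the port."""
    owners = listeners(parse_lsof(text))
    if not owners:
        return [], [], ("no LISTEN socket on the port: check slapd's -h listener "
                        "URLs, SELinux and the firewall instead")
    pids = sorted({r["pid"] for r in owners})
    fams = sorted({r["family"] for r in owners})
    names = sorted({"%s(%d) as %s" % (r["command"], r["pid"], r["user"]) for r in owners})
    msg = ("port held by %s on %s; stop that process, or give the new slapd other "
           "listeners with -h, rather than disabling a protocol family"
           % (", ".join(names), "/".join(fams)))
    return pids, fams, msg
```

Run on the posted output this reports `slapd(2822) as ldap` holding the port on IPv4 and IPv6. That is the answer to the IPv6 question: the same already-running slapd owns the IPv4 listener too, so turning IPv6 off in sysctl would not free port 389; stopping that instance (on CentOS 5's openldap-servers package the init script is `ldap`) and starting slapd once is what removes the `bind(7) failed errno=98` lines. If two instances are genuinely wanted, `slapd -h "ldap://0.0.0.0:3890/"` style listener URLs keep them from colliding.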
openldap-technical@openldap.org