Re: help SSL on Openldap and java
Thanks for replying. I was a bit occupied, so I could not get back soon. Going by your mail, I went through the certificate generation process again. What I found is that for some reason, the cacert.pem file (which is the certificate for the CA) shows the following:

    X509v3 extensions:
        X509v3 Basic Constraints:
            CA:FALSE

I am attaching the steps I followed and the certificate files generated as per the tutorial http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2. Shouldn't the above field be CA:true? Also, how do I make sure that the flag that you mentioned below gets set to SSL server.

Thanks,
Sirisha.

On Fri, May 28, 2010 at 11:44 PM, Brett @Google <brett.maxfi...@gmail.com> wrote:
> On Fri, May 28, 2010 at 9:39 AM, s g <sirisha@gmail.com> wrote:
>> javax.naming.CommunicationException: simple bind failed: vcheung-181.lab..net:636 [Root exception is javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: Netscape cert type does not permit use for SSL server]
>>         at com.sun.jndi.ldap.LdapClient.authenticate(LdapClient.java:197)
>>         at com.sun.jndi.ldap.LdapCtx.connect(LdapCtx.java:2658)
>>         at com.sun.jndi.ldap.LdapCtx.<init>(LdapCtx.java:287)
>
> You probably have your certs round the wrong way. The server cert (on the ldap server) should have the 'SSL Server' usage flag, the client cert (on the ldap client) should have the 'SSL Client' usage flag. The usage flags are embedded when you make the csr (certificate request), which will then usually be reflected in the generated certificate, unless your CA overrides them.
>
> Do a "openssl x509 -in <cert file> -noout -text" to compare the two certificates.
>
> Cheers
> Brett

[r...@vcheung-181 nextca]# /usr/local/ssl/misc/CA.sh -newca
CA certificate filename (or enter to create)

Making CA certificate ...
Generating a 1024 bit RSA private key
...++
...++
writing new private key to './demoCA/private/./cakey.pem'
Enter PEM pass phrase:
Verifying - Enter PEM pass phrase:
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg, YOUR name) []:vcheung-181.lab..net
Email Address []:sirish1...@yahoo.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:secret
An optional company name []:
Using configuration from /usr/local/ssl/openssl.cnf
Enter pass phrase for ./demoCA/private/./cakey.pem:secret
Check that the request matches the signature
Signature ok
Certificate Details:
        Serial Number: 0 (0x0)
        Validity
            Not Before: Jun  9 20:15:18 2010 GMT
            Not After : Jun  8 20:15:18 2013 GMT
        Subject:
            countryName               = US
            stateOrProvinceName       = California
            organizationName          = MyCompany Inc
            organizationalUnitName    = MyCompany Unit
            commonName                = vcheung-181.lab..net
            emailAddress              = x...@yahoo.com
        X509v3 extensions:
            X509v3 Basic Constraints:
                CA:FALSE
            Netscape Comment:
                OpenSSL Generated Certificate
            X509v3 Subject Key Identifier:
                F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57
            X509v3 Authority Key Identifier:
                keyid:F2:5D:25:AD:F0:46:95:71:CB:3C:DD:88:D9:77:A2:79:AC:A1:4B:57

Certificate is to be certified until Jun  8 20:15:18 2013 GMT (1095 days)

Write out database with 1 new entries
Data Base Updated
[r...@vcheung-181 nextca]#
[r...@vcheung-181 nextca]# openssl req -newkey rsa:1024 -nodes -keyout newreq.pem -out newreq.pem
Generating a 1024 bit RSA private key
.++
...++
writing new private key to 'newreq.pem'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:California
Locality Name (eg, city) []:SantaClara
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompany Inc
Organizational Unit Name (eg, section) []:MyCompany Unit
Common Name (eg,
Communicate from php/apache to openLDAP over LDAPS
Hi,

I'm writing from France cuz I'm having a big problem with Apache and LDAP. Let me explain: I would like to make an Apache server communicate in PHP with an openLDAP server (both servers are under Win Srv 2003), using the LDAPS protocol.

In order to activate LDAPS on my openLDAP server (srvLDAP), I created self-signed certificates with openSSL. I got 3 files:

    cacert.pem
    srvLDAP.pem
    srvLDAP.key

I configured my slapd.conf file and ldap.conf file (openLDAP side) like this:

slapd.conf
    TLSCertificateFile ./ssl/srvLDAP.pem
    TLSCertificateKeyFile ./ssl/srvLDAP.key
    TLSCACertificateFile ./ssl/cacert.pem

ldap.conf
    BASE ma branche
    URI ldaps://srvLDAP/
    TLS_CACERT ./ssl/cacert.pem
    TLS_REQCERT demand

I launched my openLDAP service, and checked the ldaps protocol was okay, using this command:

    C:\Program Files\OpenLDAP> ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/

Now I would like, from the remote Apache server, to communicate with the openLDAP server using the LDAPS protocol. Here is my simplified PHP code:

    <h2>LDAP OPENLDAP LDAPS</h2>
    <?php
    $host = "ldaps://srvldap";
    $port = 636;
    $ds = ldap_connect($host, $port);
    ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
    $r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass");
    $sr = ldap_search($ds, "o=exemple,dc=fr", "(objectClass=maclasse)");
    $info = ldap_get_entries($ds, $sr);
    print $info["count"] . " enregistrements trouvés.";
    ?>

I get this error: Unable to bind to server: Can't contact LDAP server

I know I have to configure certificates in the Apache server configuration, I tried to do this according to several internet resources but didn't succeed. I also read this link, http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm, which is a French link which speaks about ldap.conf and ldaprc files to put on the Apache server. I did it but nothing happened.

Well, I'm lost in all this stuff, that is why I'm asking for help to configure my servers to use ldaps with PHP.

Do you have information that could help me? I thank you in advance.
Re: help SSL on Openldap and java
s g <sirisha@gmail.com> writes:
> Thanks for replying. I was a bit occupied, so I could not get back soon. Going by your mail, I went through the certificate generation process again. What I found is that for some reason, the cacert.pem file (which is the certificate for the CA) shows the following:
>
>     X509v3 extensions:
>         X509v3 Basic Constraints:
>             CA:FALSE
>
> I am attaching the steps I followed and the certificate files generated as per the tutorial http://www.openldap.org/pub/ksoper/OpenLDAP_TLS.html#4.2.

Did you read the note on top of this paper?

> Shouldn't the above field be CA:true? Also, how do I make sure that the flag that you mentioned below gets set to SSL server.

edit openssl.cnf accordingly, or use tinyCA to create a certificate chain http://tinyca.sm-zone.net/index.html

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
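As an added example (not from this thread and not from the OpenLDAP TLS tutorial linked above), the shell script below does what "edit openssl.cnf accordingly" amounts to: it builds a throwaway CA and a slapd server certificate with the openssl CLI, putting the CA:TRUE basic constraint on the CA certificate and the server-usage extensions (extendedKeyUsage serverAuth, nsCertType server) on the server certificate, and then inspects both with the "openssl x509 -noout -text" command Brett suggested. The host name ldap.example.test, the working directory and the extension config file are assumptions made for this example.

```shell
#!/bin/sh
# Added example: mint a CA + LDAP server certificate with explicit X.509v3
# extensions and verify them the way a TLS client would. Everything below
# (host name, paths, config sections) is constructed for this example.
set -eu

WORK="${TMPDIR:-/tmp}/ldap-tls-example.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Extension sections. v3_ca marks the CA certificate as a CA (CA:TRUE);
# v3_server marks the slapd certificate for TLS server use. The empty
# req_dn section is only there because "openssl req" insists on one.
cat > "$WORK/ext.cnf" <<'EOF'
[ req ]
distinguished_name = req_dn
[ req_dn ]

[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash

[ v3_server ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
nsCertType = server
subjectAltName = DNS:ldap.example.test
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# Self-signed CA certificate carrying the v3_ca extensions.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
    -subj "/CN=Example Test CA" \
    -config "$WORK/ext.cnf" -extensions v3_ca \
    -keyout "$WORK/cakey.pem" -out "$WORK/cacert.pem" >/dev/null 2>&1
}

# Server key + CSR, then a CA signature that applies v3_server. The CA, not
# the CSR, decides the extensions, so a request cannot smuggle in CA:TRUE.
make_server_cert() {
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ldap.example.test" -config "$WORK/ext.cnf" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -days 365 -sha256 -in "$WORK/server.csr" \
    -CA "$WORK/cacert.pem" -CAkey "$WORK/cakey.pem" -CAcreateserial \
    -extfile "$WORK/ext.cnf" -extensions v3_server \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# Checks on the printed extensions: each succeeds (exit 0) or fails (exit 1).
cert_text()            { openssl x509 -in "$1" -noout -text; }
cert_is_ca()           { cert_text "$1" | grep -q 'CA:TRUE'; }
cert_has_server_auth() { cert_text "$1" | grep -q 'TLS Web Server Authentication'; }
cert_ns_type_server()  { cert_text "$1" | grep -q 'SSL Server'; }
# Same path validation an LDAP client does with TLS_CACERT/TLS_REQCERT demand.
chain_verifies()       { openssl verify -CAfile "$WORK/cacert.pem" "$1" >/dev/null 2>&1; }

make_ca
make_server_cert
cert_is_ca "$WORK/cacert.pem"           && echo "CA cert: CA:TRUE"
cert_has_server_auth "$WORK/server.pem" && echo "server cert: serverAuth"
cert_ns_type_server "$WORK/server.pem"  && echo "server cert: Netscape SSL Server"
chain_verifies "$WORK/server.pem"       && echo "server cert chains to CA"
```

The "Netscape Cert Type" line is the one the Java validator's message refers to; with nsCertType = server applied at signing time, "openssl x509 -text" prints "Netscape Cert Type: SSL Server". The final "openssl verify -CAfile" step is the same chain validation libldap performs when TLS_CACERT names the CA file and TLS_REQCERT is demand, which makes it a quick offline check of a cacert.pem before copying it to a client host such as the Apache/PHP machine in the other thread on this page.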
Re: smbk5pwd: ldappassword hangs
2010/6/7 Marco Göbel <marco.goe...@zurk.org>:
> Same problem as I figured out: in the last two weeks I have been testing the combination Heimdal+OpenLDAP+Samba and the smbk5pwd overlay. I compiled the stable OpenLDAP and Heimdal releases successfully and combined them with Samba. The error is nearly the same as described above. Only when I am changing the password over Kerberos (via pam or kpasswd) are the password changes done to the Samba password (for userPassword I use the {K5KEY} entry as described in smbk5pwd).
>
> Try the ldappasswd with verbose output, you may see that the command tries over and over to change the password...

No, not exactly. I only get this output from ldappasswd:

    Enter LDAP Password:
    ldap_initialize( <DEFAULT> )

-- 
Frank Van Damme

A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
Re: smbk5pwd: ldappassword hangs
2010/6/7 Quanah Gibson-Mount <qua...@zimbra.com>:
> --On Monday, June 07, 2010 11:56 AM +0200 Frank Van Damme
>
> What version of OpenLDAP are you using? You've failed to mention that anywhere.

2.4.11 (Debian 5.0).

-- 
Frank Van Damme

A: Because it destroys the flow of the conversation.
Q: Why is it bad?
A: No, it's bad.
Q: Should I top post in replies to mailing lists or on Usenet?
Re: Multi master replication
Hi,

Now I have changed the rid of one of my servers, now both servers have unique rid and sid. After changing the rid I have deleted the db and replicated from the other. Now when I change the password of the user it says successfully changed. But when I try to login with that password I was not able to login. Below is my log file:

Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0xb67cdbf2 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9e513a0 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: syncprov_sendresp: to=001, cookie=rid=001,sid=001,csn=20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: do_syncrep2: cookie=rid=000,sid=002,csn=20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
Jun 10 18:25:16 mails slapd[30896]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 be_search (0)
Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 uid=titus,ou=People,dc=avasarala,dc=com
Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0x9f92c48 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 entry unchanged, ignored (uid=titus,ou=People,dc=avasarala,dc=com)
Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9f93d68 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0x9f92c48 20100610125516.236254Z#00#001#00
Jun 10 18:25:16 mails slapd[30896]: syncprov_matchops: skipping original sid 001
Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9f94880 20100610125516.236254Z#00#001#00

Can you please help me why I was not able to login with the new password.

> Hey buddy, haven't you seen some time around here.
>
> I compared your slapd config to one of my own and to this one: https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html (see down at LDAP Replication)
>
> From that point I see you're using the same rid for both servers, so both servers are, in the ldap way, the same and that's a problem because both DBs have to be unique even if they hold the same data. Please consider changing the rid on one of your servers and repeat the step to replicate the database. Maybe rid=000 to rid=001.
>
> Bye.
>
> On Thu, Jun 10, 2010 at 13:06, Aravind Divakaran <aravind.divaka...@yukthi.com> wrote:
>> Hi
>>
>> I have deleted the db from one server and synced the db from the other. Now my contextCSN is the same on both systems. But still in my log files it is showing
>>
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 be_search (0)
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com
>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa200128 20100610110242.236793Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com)
>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa212db0 20100610110242.236793Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa200128 20100610110242.236793Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncprov_matchops: skipping original sid 001
>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa202b60 20100610110242.236793Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: do_syncrep2: cookie=rid=000,sid=002,csn=20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>> Jun 10 16:32:42 mails slapd[23253]: dn_callback : new entry is older than ours uid=user,ou=People,dc=example,dc=com ours 20100610110242.266299Z#00#001#00, new 20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 be_search (0)
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com
>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa1fde80 20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com)
>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa1f8920 20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa1fde80 20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]: syncprov_matchops: skipping original sid 001
>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa212e88 20100610110242.255828Z#00#001#00
>> Jun 10 16:32:42 mails slapd[23253]:
Re: Communicate from php/apache to openLDAP over LDAPS
Jérémy ESCOLANO wrote:
> I tried to put host=srvLDAP but it still doesn't work
>
> Actually the problem is configuring my APACHE server to make it consider these certificates. I know there is a ldap.conf in the openLDAP directory (on the openLDAP server) where we have to put:
>
>     TLS_CACERT ./ssl2/cacert.cer
>     TLS_REQCERT demand
>
> but how can we specify it on the Apache server?

Ask on an Apache forum.

> Thanks
>
> 2010/6/10 Thierry Lacoste <laco...@u-pec.fr <mailto:laco...@u-pec.fr>>
>> Seems to me that the $host variable is incorrect: should be $host=srvLDAP
>>
>> HTH,
>> Thierry
>>
>> On 10 juin 10, at 10:57, Jérémy ESCOLANO wrote:
>>> Hi,
>>>
>>> I'm writing from France cuz I'm having a big problem with Apache and LDAP. Let me explain: I would like to make an Apache server communicate in PHP with an openLDAP server (both servers are under Win Srv 2003), using the LDAPS protocol.
>>>
>>> In order to activate LDAPS on my openLDAP server (srvLDAP), I created self-signed certificates with openSSL. I got 3 files:
>>>
>>>     cacert.pem
>>>     srvLDAP.pem
>>>     srvLDAP.key
>>>
>>> I configured my slapd.conf file and ldap.conf file (openLDAP side) like this:
>>>
>>> slapd.conf
>>>     TLSCertificateFile ./ssl/srvLDAP.pem
>>>     TLSCertificateKeyFile ./ssl/srvLDAP.key
>>>     TLSCACertificateFile ./ssl/cacert.pem
>>>
>>> ldap.conf
>>>     BASE ma branche
>>>     URI ldaps://srvLDAP/
>>>     TLS_CACERT ./ssl/cacert.pem
>>>     TLS_REQCERT demand
>>>
>>> I launched my openLDAP service, and checked the ldaps protocol was okay, using this command:
>>>
>>>     C:\Program Files\OpenLDAP> ldapsearch -b o=exemple,dc=fr -s sub -x -w pass -D cn=admin,o=exemple,dc=fr -H ldaps://srvLDAP/
>>>
>>> Now I would like, from the remote Apache server, to communicate with the openLDAP server using the LDAPS protocol. Here is my simplified PHP code:
>>>
>>>     <h2>LDAP OPENLDAP LDAPS</h2>
>>>     <?php
>>>     $host = "ldaps://srvldap";
>>>     $port = 636;
>>>     $ds = ldap_connect($host, $port);
>>>     ldap_set_option($ds, LDAP_OPT_PROTOCOL_VERSION, 3);
>>>     $r = ldap_bind($ds, "cn=admin,o=exemple,dc=fr", "pass");
>>>     $sr = ldap_search($ds, "o=exemple,dc=fr", "(objectClass=maclasse)");
>>>     $info = ldap_get_entries($ds, $sr);
>>>     print $info["count"] . " enregistrements trouvés.";
>>>     ?>
>>>
>>> I get this error: Unable to bind to server: Can't contact LDAP server
>>>
>>> I know I have to configure certificates in the Apache server configuration, I tried to do this according to several internet resources but didn't succeed. I also read this link, http://forum.hardware.fr/hfr/OSAlternatifs/Logiciels-2/certificats-securisee-connexion-sujet_65365_1.htm, which is a French link which speaks about ldap.conf and ldaprc files to put on the Apache server. I did it but nothing happened.
>>>
>>> Well, I'm lost in all this stuff, that is why I'm asking for help to configure my servers to use ldaps with PHP.
>>>
>>> Do you have information that could help me? I thank you in advance.

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
Re: Multi master replication
Hi,

I have no clue what the problem is in your configuration. Did you really start with a blank backend database (bdb/hdb)? Did you read about the differences between the replication types RefreshOnly and RefreshAndPersist? Try to avoid changing replication settings while both hosts are replicating, this could have a strange impact on your database.

Bye and good luck.

On Thu, Jun 10, 2010 at 14:58, Aravind Divakaran <aravind.divaka...@yukthi.com> wrote:
> Hi,
>
> Now I have changed the rid of one of my servers, now both servers have unique rid and sid. After changing the rid I have deleted the db and replicated from the other. Now when I change the password of the user it says successfully changed. But when I try to login with that password I was not able to login. Below is my log file:
>
> Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0xb67cdbf2 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9e513a0 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: syncprov_sendresp: to=001, cookie=rid=001,sid=001,csn=20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: do_syncrep2: cookie=rid=000,sid=002,csn=20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
> Jun 10 18:25:16 mails slapd[30896]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 be_search (0)
> Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 uid=titus,ou=People,dc=avasarala,dc=com
> Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0x9f92c48 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: syncrepl_entry: rid=000 entry unchanged, ignored (uid=titus,ou=People,dc=avasarala,dc=com)
> Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9f93d68 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: slap_queue_csn: queing 0x9f92c48 20100610125516.236254Z#00#001#00
> Jun 10 18:25:16 mails slapd[30896]: syncprov_matchops: skipping original sid 001
> Jun 10 18:25:16 mails slapd[30896]: slap_graduate_commit_csn: removing 0x9f94880 20100610125516.236254Z#00#001#00
>
> Can you please help me why I was not able to login with the new password.
>
>> Hey buddy, haven't you seen some time around here.
>>
>> I compared your slapd config to one of my own and to this one: https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html (see down at LDAP Replication)
>>
>> From that point I see you're using the same rid for both servers, so both servers are, in the ldap way, the same and that's a problem because both DBs have to be unique even if they hold the same data. Please consider changing the rid on one of your servers and repeat the step to replicate the database. Maybe rid=000 to rid=001.
>>
>> Bye.
>>
>> On Thu, Jun 10, 2010 at 13:06, Aravind Divakaran <aravind.divaka...@yukthi.com> wrote:
>>> Hi
>>>
>>> I have deleted the db from one server and synced the db from the other. Now my contextCSN is the same on both systems. But still in my log files it is showing
>>>
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 be_search (0)
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com
>>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa200128 20100610110242.236793Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com)
>>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa212db0 20100610110242.236793Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa200128 20100610110242.236793Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: syncprov_matchops: skipping original sid 001
>>> Jun 10 16:32:42 mails slapd[23253]: slap_graduate_commit_csn: removing 0xa202b60 20100610110242.236793Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: do_syncrep2: cookie=rid=000,sid=002,csn=20100610110242.255828Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>>> Jun 10 16:32:42 mails slapd[23253]: dn_callback : new entry is older than ours uid=user,ou=People,dc=example,dc=com ours 20100610110242.266299Z#00#001#00, new 20100610110242.255828Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 be_search (0)
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com
>>> Jun 10 16:32:42 mails slapd[23253]: slap_queue_csn: queing 0xa1fde80 20100610110242.255828Z#00#001#00
>>> Jun 10 16:32:42 mails slapd[23253]: syncrepl_entry:
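The advice in this thread comes down to checking that the two mirror-mode servers do not share identifiers. As an added example (not from the thread, and not from the Ubuntu guide it links), the shell script below checks a set of constructed OpenLDAP 2.4 slapd.conf files for the two rules slapd.conf(5) states: every server in the multi-master group needs its own serverID (this is the sid that shows up in the CSNs and syncrepl cookies above), and within one slapd.conf every syncrepl stanza needs its own rid. The host names, base DN and config contents are assumptions made for this example.

```shell
#!/bin/sh
# Added example: lint the replication identifiers in multi-master slapd.conf
# files. All config files here are constructed for the example; the stanzas
# are shortened and would need the usual bind/credential options in practice.
set -eu

WORK="${TMPDIR:-/tmp}/mmr-check.$$"
mkdir -p "$WORK"
trap 'rm -rf "$WORK"' EXIT

# Node A: serverID 1, pulling from node B.
cat > "$WORK/node-a.conf" <<'EOF'
serverID 1
syncrepl rid=001 provider=ldap://ldap2.example.test
    type=refreshAndPersist retry="5 5 300 +"
    searchbase="dc=example,dc=test"
mirrormode on
EOF

# Node B as misconfigured: it copies node A's serverID, so both servers stamp
# their changes with the same sid and cannot tell their own writes apart.
cat > "$WORK/bad-b.conf" <<'EOF'
serverID 1
syncrepl rid=001 provider=ldap://ldap1.example.test
    type=refreshAndPersist retry="5 5 300 +"
    searchbase="dc=example,dc=test"
mirrormode on
EOF

# Node B corrected: its own serverID (and its own rid, for readability).
cat > "$WORK/good-b.conf" <<'EOF'
serverID 2
syncrepl rid=002 provider=ldap://ldap1.example.test
    type=refreshAndPersist retry="5 5 300 +"
    searchbase="dc=example,dc=test"
mirrormode on
EOF

# A third node consuming from two providers but reusing one rid: rule 2.
cat > "$WORK/dup-rid.conf" <<'EOF'
serverID 3
syncrepl rid=001 provider=ldap://ldap1.example.test
    type=refreshAndPersist searchbase="dc=example,dc=test"
syncrepl rid=001 provider=ldap://ldap2.example.test
    type=refreshAndPersist searchbase="dc=example,dc=test"
mirrormode on
EOF

# Print the serverID of one config file (first serverID directive).
server_id() { awk '$1 == "serverID" { print $2; exit }' "$1"; }

# Print every rid value found in one config file, one per line.
rids() { grep -o 'rid=[0-9][0-9]*' "$1" | cut -d= -f2; }

# Succeed only if the given files all carry different serverIDs.
server_ids_unique() {
  for f in "$@"; do server_id "$f"; done | sort | uniq -d | grep -q . && return 1
  return 0
}

# Succeed only if no given file reuses a rid between its syncrepl stanzas.
rids_unique_per_file() {
  for f in "$@"; do
    rids "$f" | sort | uniq -d | grep -q . && return 1
  done
  return 0
}

# Combined check: prints "ok" on success, a diagnostic on stderr otherwise.
check_mmr_config() {
  server_ids_unique "$@"   || { echo "duplicate serverID across: $*" >&2; return 1; }
  rids_unique_per_file "$@" || { echo "duplicate rid inside one of: $*" >&2; return 1; }
  echo ok
}

check_mmr_config "$WORK/node-a.conf" "$WORK/good-b.conf"
```

Run against node-a.conf plus bad-b.conf the script reports the duplicate serverID that the cookies in the thread (sid=001 from both directions) hint at; run against node-a.conf plus good-b.conf it prints ok. Changing identifiers on a live pair is exactly what the reply above warns against, so the check is meant for the config files before slapd is started.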
Re: smbk5pwd: ldappassword hangs
--On Thursday, June 10, 2010 1:36 PM +0200 Frank Van Damme <frank.vanda...@gmail.com> wrote:
> 2010/6/7 Quanah Gibson-Mount <qua...@zimbra.com>:
>> --On Monday, June 07, 2010 11:56 AM +0200 Frank Van Damme
>>
>> What version of OpenLDAP are you using? You've failed to mention that anywhere.
>
> 2.4.11 (Debian 5.0).

There have been multiple fixes to smbk5pwd since that release. Plus hundreds of fixes elsewhere in the software. I would highly advise you to upgrade to a current release, and most specifically to build OpenLDAP with OpenSSL rather than GnuTLS. Once you've done that, then see if you continue to have issues.

--Quanah

-- 
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
RE: User restriction
On Mon, 7 Jun 2010, Stuart Cherrington wrote:

[given]
> dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
> objectClass: groupOfNames
> objectClass: top
> cn: access
> member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
> member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
> member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
> member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com

[running]
> ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w ou=auth,dc=ldn,dc=sw,dc=com member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com

[outputs]
> Compare Result: No such attribute (16)

Yes. Don't compare against ou=auth,dc=ldn,dc=sw,dc=com, compare against cn=access,ou=auth,dc=ldn,dc=sw,dc=com in your ldapcompare2.4 command.
Re: User restriction
Adam Hough <a...@gradientzero.com> writes:
> On Mon, Jun 7, 2010 at 4:44 AM, Stuart Cherrington <stuart_cherring...@hotmail.co.uk> wrote:
>> [...]
>> ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xx
>> [...]

This search is done with default scope, which is subtree.

>> dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
>> objectClass: groupOfNames
>> objectClass: top
>> cn: access
>> member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
>> [...]
>>
>> You can clearly see the first Member line is myself. If I now try:
>>
>> ldapcompare2.4 -v -x -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w ou=auth,dc=ldn,dc=sw,dc=com member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
>> [...]

A ldapcompare is done on the base DN. Please compare those two DN's:

    ou=auth,dc=ldn,dc=sw,dc=com
    cn=access,ou=auth,dc=ldn,dc=sw,dc=com

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6