JNDI + Openldap
Hello! First, sorry if I'm posting in the wrong place; my question is really about JNDI, but I decided to post here as well in case anyone knows. I'm having trouble using bind() to insert a user in LDAP. Every time I insert one, it goes in with the default type, something like a Java object, when actually I want to enter it as a normal LDAP user, with a few more fields, etc. I noticed that the users already in LDAP are listed as uid=user1, uid=user2, and when I insert one it becomes cn=test1, cn=test2, with fewer fields than the other type. What I want to do is insert a user with the same fields that uid=user1 has. Here is how I'm doing it; if something is wrong, feel free to say! Thanks!

import javax.naming.NamingException;
import javax.naming.directory.Attribute;
import javax.naming.directory.Attributes;
import javax.naming.directory.BasicAttribute;
import javax.naming.directory.BasicAttributes;
import javax.naming.directory.DirContext;

// ctx is a DirContext (InitialDirContext) already connected to the server.
// LDAP attribute values travel as strings, so the numeric values are quoted.
Attribute cn = new BasicAttribute("cn", "test");
Attribute gidNumber = new BasicAttribute("gidNumber", "999");
Attribute homeDirectory = new BasicAttribute("homeDirectory", "/home/users/test");
// objectClass is multi-valued: one attribute, several values
Attribute objectClass = new BasicAttribute("objectClass");
objectClass.add("top");
objectClass.add("person");
objectClass.add("organizationalPerson");
objectClass.add("inetOrgPerson");
objectClass.add("posixAccount");
objectClass.add("shadowAccount");
objectClass.add("sambaSamAccount");
// Not added: "user" is an Active Directory object class that OpenLDAP's standard
// schema does not define, and "javaContainer" is an object class (not an attribute)
// that JNDI attaches only when it stores a serialised Java object.
Attribute sambaSID = new BasicAttribute("sambaSID", "S-1-5-21-450180999-1854538958-2124921490-61212");
Attribute sn = new BasicAttribute("sn", "test");
Attribute uidNumber = new BasicAttribute("uidNumber", "4566");
Attribute userName = new BasicAttribute("uid", "test");
Attribute userPassword = new BasicAttribute("userPassword", "test123");

Attributes entry = new BasicAttributes();
entry.put(cn);
entry.put(gidNumber);
entry.put(homeDirectory);
entry.put(objectClass);
entry.put(sambaSID);
entry.put(sn);
entry.put(uidNumber);
entry.put(userName);
entry.put(userPassword);

try {
    // bind(name, obj) stores obj as a serialised Java object (the javaContainer
    // entries with few fields). createSubcontext(name, attrs) creates a plain
    // LDAP entry with exactly these attributes; naming it by uid matches the
    // existing uid=user1 entries.
    ctx.createSubcontext("uid=test,ou=Users", entry);
} catch (NamingException e) {
    e.printStackTrace();
}
indirect autofs maps on LDAP
Hi List,

How many levels of indirection can I use in the autofs maps? For example, can I have a setup like this?

/net
|-- /server1
    |-- /foo

with a map defined as below:

dn: ou=auto.master,ou=automount,dc=example,dc=org
objectClass: top
objectClass: automountMap
ou: auto.master

dn: cn=/net,ou=auto.master,ou=automount,dc=example,dc=org
objectClass: automount
objectClass: top
cn: /net
automountInformation: ldap:ou=auto.net,ou=automount,dc=example,dc=org -- timeout=7200 --ghost

dn: ou=auto.net,ou=automount,dc=example,dc=org
objectClass: automountMap
ou: auto.net

dn: cn=server1,ou=auto.net,ou=automount,dc=example,dc=org
objectClass: automount
cn: server1
automountInformation: ldap:ou=server1,ou=automount,dc=example,dc=org

dn: ou=server1,ou=automount,dc=example,dc=org
objectClass: automountMap
ou: server1

dn: cn=server1,ou=server1,ou=cmc,ou=automount,dc=example,dc=org
objectClass: automount
cn: server1
automountInformation: - fstype=nfs,hard,intr,rsize=8192,wsize=8192,nfsvers=3,proto=tcp server1:/data/foo

I went ahead and created this setup, but haven't been able to get it to work. Just wondering if this is allowed in autofs-ldap or if my ldap map syntax is somehow incorrect.

Thanks,
- Khosrow
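An offline check of the map chain above, added here as an example and not part of the original post: it parses a constructed LDIF copy of the posted map (trimmed to the attributes the walk needs), follows each ldap: reference from the master map down, and names the first key or map that autofs would fail to find. The sample keeps the last entry under ou=cmc exactly as posted, so the walk for /net/server1/foo stops at the missing key 'foo'.

```python
# Constructed from the LDIF posted above (last entry kept under ou=cmc as posted).
SAMPLE_LDIF = """\
dn: ou=auto.master,ou=automount,dc=example,dc=org
objectClass: automountMap

dn: cn=/net,ou=auto.master,ou=automount,dc=example,dc=org
automountInformation: ldap:ou=auto.net,ou=automount,dc=example,dc=org -- timeout=7200 --ghost

dn: ou=auto.net,ou=automount,dc=example,dc=org
objectClass: automountMap

dn: cn=server1,ou=auto.net,ou=automount,dc=example,dc=org
automountInformation: ldap:ou=server1,ou=automount,dc=example,dc=org

dn: ou=server1,ou=automount,dc=example,dc=org
objectClass: automountMap

dn: cn=server1,ou=server1,ou=cmc,ou=automount,dc=example,dc=org
automountInformation: -fstype=nfs,hard,intr server1:/data/foo
"""

def parse_ldif(text):
    """Minimal LDIF reader -> {dn: {attr: [values]}}; no base64, no line folding."""
    entries, cur = {}, None
    for line in text.splitlines():
        attr, sep, value = line.partition(": ")
        if not sep:
            cur = None                          # blank line ends the entry
        elif attr.lower() == "dn":
            cur = entries.setdefault(value.strip().lower(), {})
        elif cur is not None:
            cur.setdefault(attr.lower(), []).append(value.strip())
    return entries

def resolve(entries, master_dn, path):
    """Walk master -> indirect maps for one path; return leaf info or raise KeyError."""
    parts = path.strip("/").split("/")
    keys = ["/" + parts[0]] + parts[1:]         # master-map keys are absolute paths
    map_dn = master_dn.lower()
    for key in keys:
        entry_dn = f"cn={key},{map_dn}"
        if entry_dn not in entries:
            raise KeyError(f"key {key!r} missing in map {map_dn}")
        info = entries[entry_dn]["automountinformation"][0]
        if not info.startswith("ldap:"):
            return info                         # leaf: options and server:/export
        map_dn = info[5:].split()[0].lower()    # drop "ldap:" and any "-- options"
        if "automountMap" not in entries.get(map_dn, {}).get("objectclass", []):
            raise KeyError(f"map {map_dn} (referenced by {entry_dn}) does not exist")
    raise KeyError(f"{path} ends on map {map_dn}, not on a mount")
```

Placing that last entry at cn=foo,ou=server1,ou=automount,dc=example,dc=org (the map the server1 key actually references, with the key named after the path component) makes the walk return the NFS mount information.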
Re: How to configure overlay unique in cn=config
On Thursday, 14 October 2010 21:23:05 Benjamin Griese wrote:

Hey buddy, if you use Apache Directory Studio, amongst other things, for configuring overlays, it automatically gets you the right dependencies: if you choose for example OC olcUnique, you also need to have OC olcOverlay and so on, and ADS automatically sets it for you in a wizard-like process. Doing that without that tool was really a PITA, especially if you are not that familiar with the whole package of different types of classes and schema dependencies. Give it a try, ADS made my life as LDAP admin a whole lot easier.

Unfortunately, I don't think there is any way to know (over LDAP) whether the unique module is built-in, compiled as a module, or not compiled at all, so I don't believe ADS can help in this situation ...

[...]

After playing a lot, I've found that it works only when both module and overlay are configured in files in /etc/ldap/slap.d/... (I'm using slapd 2.4.23, from Debian/Sid). For now it is enough for me, because I don't want to set uniqueness dynamically, but anyway the documentation is not clear on how it should be.

Regards,
Buchan
Re: How to configure overlay unique in cn=config
Buchan Milne wrote:

On Thursday, 14 October 2010 21:23:05 Benjamin Griese wrote:

Hey buddy, if you use Apache Directory Studio, amongst other things, for configuring overlays, it automatically gets you the right dependencies: if you choose for example OC olcUnique, you also need to have OC olcOverlay and so on, and ADS automatically sets it for you in a wizard-like process. Doing that without that tool was really a PITA, especially if you are not that familiar with the whole package of different types of classes and schema dependencies. Give it a try, ADS made my life as LDAP admin a whole lot easier.

Unfortunately, I don't think there is any way to know (over LDAP) whether the unique module is built-in, compiled as a module, or not compiled at all, so I don't believe ADS can help in this situation ...

The Samba folks were complaining about this ambiguity a while back. Which is why we recommended that they just always issue the moduleload statements. They will be ignored/no-op'd if the module was already built in. Likewise, the default modulepath is always compiled in, so there's no need to set it unless you're loading a custom module of your own from some other location.

--
Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Error 18: Solaris 10 Native LDAP-Client
Hello guys, I got a problem while pulling information with the native LDAP client on my various Solaris 10 machines from an openldap2-2.4.23-116.1. Maybe someone has any ideas, because I am at the end of mine. I don't know what further steps to take to solve the problem. The important information is below. Thanks for your help.

Kind regards,
Benjamin.

= on the solaris box: solaris profile pulled from DIT, runs absolutely fine, but is maybe not perfect for openldap

# ldapclient list
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
NS_LDAP_BINDPASSWD= secret
NS_LDAP_SERVERS= ldap01 ldap02
NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 60
NS_LDAP_PROFILE= solaris_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= shadow: ou=people,dc=example,dc=de?sub
NS_LDAP_BIND_TIME= 10
NS_LDAP_OBJECTCLASSMAP= group:posixGroup=posixGroup
NS_LDAP_OBJECTCLASSMAP= passwd:posixAccount=posixAccount
NS_LDAP_OBJECTCLASSMAP= sudoers:sudoRole=sudoRole

# ldaplist passwd
ldaplist: Object not found (LDAP ERROR (18): Inappropriate matching.)

getent passwd/group don't show anything, but strangely, a single id username shows the user information I was expecting.
on sles11sp1/openldap2-2.4.23-116.1 (http://download.opensuse.org/repositories/network:/ldap:/OpenLDAP:/RE24/SLE_11_SP1/)

That's what I see in the logs on the OpenLDAP server, right after typing ldaplist passwd on the Solaris box:

Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 ACCEPT from IP=10.0.0.1:45604 (IP=0.0.0.0:389)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn=cn=proxyuser,ou=system,ou=people,dc=example,dc=de method=128
Oct 15 14:37:33 examplehost slapd[8339]: = bdb_entry_get: found entry: cn=proxyuser,ou=system,ou=people,dc=example,dc=de
Oct 15 14:37:33 examplehost slapd[8339]: = bdb_entry_get: found entry: cn=default,ou=pwdpolicy,dc=example,dc=de
Oct 15 14:37:33 examplehost slapd[8339]: = access_allowed: result not in cache (userPassword)
Oct 15 14:37:33 examplehost slapd[8339]: = access_allowed: auth access to cn=proxyuser,ou=system,ou=people,dc=example,dc=de userPassword requested
Oct 15 14:37:33 examplehost slapd[8339]: = acl_get: [1] attr userPassword
Oct 15 14:37:33 examplehost slapd[8339]: = acl_mask: access to entry cn=proxyuser,ou=system,ou=people,dc=example,dc=de, attr userPassword requested
Oct 15 14:37:33 examplehost slapd[8339]: = acl_mask: to value by , (=0)
Oct 15 14:37:33 examplehost slapd[8339]: = check a_dn_pat: cn=ldapadm,dc=example,dc=de
Oct 15 14:37:33 examplehost slapd[8339]: = check a_dn_pat: cn=proxyuser,ou=system,ou=people,dc=example,dc=de ## just for testing purpose
Oct 15 14:37:33 examplehost slapd[8339]: = check a_dn_pat: anonymous
Oct 15 14:37:33 examplehost slapd[8339]: = acl_mask: [3] applying auth(=xd) (stop)
Oct 15 14:37:33 examplehost slapd[8339]: = acl_mask: [3] mask: auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: = slap_access_allowed: auth access granted by auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: = access_allowed: auth access granted by auth(=xd)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn=cn=proxyuser,ou=system,ou=people,dc=example,dc=de mech=SIMPLE ssf=0
Oct 15 14:37:33 examplehost slapd[8339]: = bdb_entry_get: found entry: cn=proxyuser,ou=system,ou=people,dc=example,dc=de
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 RESULT tag=97 err=0 text=
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 do_search: get_ctrls failed
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=2 UNBIND
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 closed

That seems to be a problem with a supportedControl of the LDAP server which the Solaris LDAP client is unable to handle, because the local OpenLDAP client on the SLES server has absolutely no problem binding and getting info. Is this kind of off-topic for this list?

http://publib.boulder.ibm.com/infocenter/tivihelp/v2r1/index.jsp?topic=/com.ibm.IBMDS.doc_5.2/admin_gd368.htm says: 18 LDAP_INAPPROPRIATE_MATCHING Inappropriate matching. Filter type not supported for the specified attribute. But I don't know what to do.

This seems kind of related to this problem, maybe it's the same: http://markmail.org/message/dgtk3rpihvkqndqx#query:serverSort%20control%3A%20No%20ordering%20rule+page:2+mid:y4wsxfbqdwtreerp+state:results

--
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
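Added example, not from the original message: a small detector for slapd log lines like the ones above (a constructed excerpt is embedded) that keeps the client IP and bind DN per connection and reports every SEARCH RESULT with a non-zero err together with the server's diagnostic text, so a client whose request the server rejects (here the serverSort control) can be identified from the server side.

```python
import re

# Constructed slapd log excerpt, condensed from the lines quoted above
# (slapd writes the bind DN in double quotes; the regex below accepts both).
SAMPLE_LOG = """\
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 ACCEPT from IP=10.0.0.1:45604 (IP=0.0.0.0:389)
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 BIND dn="cn=proxyuser,ou=system,ou=people,dc=example,dc=de" method=128
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=0 RESULT tag=97 err=0 text=
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 SEARCH RESULT tag=101 err=18 nentries=0 text=serverSort control: No ordering rule
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=1 do_search: get_ctrls failed
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 op=2 UNBIND
Oct 15 14:37:33 examplehost slapd[8339]: conn=1160 fd=22 closed
"""

# LDAP result codes named here; anything else is reported by number only.
RESULT_NAMES = {18: "inappropriateMatching", 32: "noSuchObject",
                49: "invalidCredentials", 50: "insufficientAccessRights"}

ACCEPT = re.compile(r"conn=(\d+) fd=\d+ ACCEPT from IP=(\S+?):\d+\b")
BIND = re.compile(r'conn=(\d+) op=\d+ BIND dn="?([^"\s]+)"? method=')
SEARCH = re.compile(r"conn=(\d+) op=(\d+) SEARCH RESULT tag=101 err=(\d+) nentries=(\d+) text=(.*)")

def failed_searches(log_text):
    """One record per SEARCH RESULT with err != 0, joined to the client IP
    and bind DN of its connection so the failing client can be identified."""
    conns, failures = {}, []
    for line in log_text.splitlines():
        if m := ACCEPT.search(line):
            conns[m[1]] = {"ip": m[2], "binddn": "anonymous"}
        elif m := BIND.search(line):
            conns.setdefault(m[1], {"ip": "?"})["binddn"] = m[2]
        elif (m := SEARCH.search(line)) and int(m[3]) != 0:
            err = int(m[3])
            failures.append({**conns.get(m[1], {"ip": "?", "binddn": "?"}),
                             "conn": m[1], "op": m[2], "err": err,
                             "name": RESULT_NAMES.get(err, f"code {err}"),
                             "text": m[5].strip()})
    return failures

if __name__ == "__main__":
    for f in failed_searches(SAMPLE_LOG):
        print(f"conn={f['conn']} {f['ip']} {f['binddn']}: err={f['err']} {f['name']}: {f['text']}")
```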
Re: slapcat command removes nssov overlay socket
Sounds like you should submit an ITS.

Done with some new information. ITS #6676

--
Regards,
Sergei Butakov
Re: Error 18: Solaris 10 Native LDAP-Client
Hi Benjamin,

It looks like your LDAP client is asking the server to return ordered results, from looking at this line:

tag=101 err=18 nentries=0 text=serverSort control: No ordering rule

You may want to take a look at the server-side sorting overlay (slapo-sssvlv) and/or the value sorting overlay (slapo-valsort) and see if activating them on the server will fix your problems.

--
Diego Lima
http://www.diegolima.org
Re: JNDI + Openldap
--On Thursday, October 14, 2010 8:34 AM -0300 Vitor Braga vitor.leitebr...@gmail.com wrote:

Hello! First, sorry if I'm posting in the wrong place; my question is really about JNDI, but I decided to post here as well in case anyone knows.

I would advise you to use a better API than JNDI, it will make your life a lot easier, and help you avoid a number of known issues with JNDI. You may want to look at http://www.unboundid.com/products/ldapsdk/

--Quanah

--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
Zimbra :: the leader in open source messaging and collaboration
Re: JNDI + Openldap
Very interesting Quanah. Thanks for the suggestion!

On Fri, Oct 15, 2010 at 3:07 PM, Quanah Gibson-Mount qua...@zimbra.com wrote: