migrating from shadowAccount to password policy overlays

2012-01-14 Thread Jonathon Anderson
We are in the midst of migrating from `shadowAccount` objects to the password policy overlay. Everything seems to be working so far, but I have been unable to migrate the data from `shadowLastChange` to `pwdChangedTime`. In particular, once I have the desired value for `pwdChangedTime`, I don't

Re: migrating from shadowAccount to password policy overlays

2012-01-14 Thread Michael Ströder
Jonathon Anderson wrote: We are in the midst of migrating from `shadowAccount` objects to the password policy overlay. Everything seems to be working so far, but I have been unable to migrate the data from `shadowLastChange` to `pwdChangedTime`. In particular, once I have the desired value for

Re: Password Policy pwdFailureTime count limits?

2012-01-14 Thread Howard Chu
Jeffrey Crawford wrote: Hello Everyone, I'm having trouble enforcing our password policy for login attempts within a particular time frame. After looking into the issue a little further it seems to stem from the fact that the operational attribute pwdFailureTime can only resolve time down to

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Howard Chu
Ronie Gilberto Henrich wrote: Hello, I need to be able to restrict ldap ou's access based on the ldaps://FQDN used to query the ldap server. Let's say I have the following in my ldap server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com Considering that both

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Erwann Abalea
Can't SNI support be added? -- Erwann. On 14 Jan. 2012 13:08, Howard Chu h...@symas.com wrote: Ronie Gilberto Henrich wrote: Hello, I need to be able to restrict ldap ou's access based on the ldaps://FQDN used to query the ldap server. Let's say I have the following in my ldap server:

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Howard Chu
Erwann Abalea wrote: Can't SNI support be added? Perhaps. It depends on which version of TLS library is being used. -- Erwann. On 14 Jan. 2012 13:08, Howard Chu h...@symas.com wrote: Ronie Gilberto Henrich wrote: Hello, I need to be able to restrict

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Erwann Abalea
A quick addition: SNI was defined to solve a problem not encountered with LDAP (name virtual hosting on a unique IP address). It also requires the client to be cooperative and announce the desired hostname in an extension (Server Name Indication) during TLS negotiation. Not supporting it in an

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Ronie Gilberto Henrich
Howard Chu wrote: Ronie Gilberto Henrich wrote: Hello, I need to be able to restrict ldap ou's access based on the ldaps://FQDN used to query the ldap server. Let's say I have the following in my ldap server: ou=domain ou=raincoatcompany.com ou=umbrellacompany.com Considering

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread masarati
Is it possible to allow access to a specific dn only by a specific client IP address? i.e.: access to dn.exact=ou=domain,ou=raincoatcompany.com by clientIP=200.200.0.117 read Yes. See the peername who clause in slapd.access(5). p.

Re: View or filter based on ldaps://FQDN

2012-01-14 Thread Michael Ströder
Ronie Gilberto Henrich wrote: Is it possible to allow access to a specific dn only by a specific client IP address? i.e.: access to dn.exact=ou=domain,ou=raincoatcompany.com by clientIP=200.200.0.117 read See the man page slapd.access(5), especially peername[.peernamestyle]=peername.

Re: what is the pretty function and the validate function in OpenLDAP?

2012-01-14 Thread Hallvard Breien Furuseth
Tianyin Xu writes: I'm trying to understand the internal workflow of the attribute type checking and syntax validation in OpenLDAP. See the comments in servers/slapd/schema_init.c, in git master or in OpenLDAP 2.4.24 or later. -- Hallvard