Q: monitoring attributes

2013-11-27 Thread Ulrich Windl
Hi! I found out why I never was successful with cn=monitor: By default '*' attributes show almost nothing; you'll have to use '+' attributes (in my version at least). I'm not very happy with the decision, because you'll get the truly operational attributes also. If the whole subtree

Re: syncrepl

2013-11-27 Thread Esteban Pereira
It is not related to your problem, but considering your acl, the userpassword (and shadowlastchange) of the cn=sync user won't be replicated. If this behaviour is not intended, you should refer to the openldap admin guide http://www.openldap.org/doc/admin24/access-control.html On the MAIN

Re: Q: monitoring attributes

2013-11-27 Thread Dieter Klünter
On Wed, 27 Nov 2013 09:09:35 +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Hi! I found out why I never was successful with cn=monitor: By default '*' attributes show almost nothing; you'll have to use '+' attributes (in my version at least). I'm not very happy with the

ldap_search_ext_s timeout

2013-11-27 Thread Mahadev, Vasavi (CW)
Hi All, The LDAP directory services in our product use ldap_search_ext_s for synchronous search. Now, my intention is to specify a timeout in this API, so that in case the server does not respond within the time limit, the operation should be terminated. I tried specifying a timeout for the

dynlist performance

2013-11-27 Thread POISSON Frédéric
Hello, I'm testing the dynlist overlay on OpenLDAP 2.4.38 because I have a static group of around 10K uniqueMember. I want to have now an equivalent group with dynlist. I have configured my overlay dynlist like this: dn: olcOverlay={2}dynlist,olcDatabase={1}bdb,cn=config objectClass:

Re: Q: monitoring attributes

2013-11-27 Thread Dieter Klünter
On Wed, 27 Nov 2013 09:09:35 +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Hi! I found out why I never was successful with cn=monitor: By default '*' attributes show almost nothing; you'll have to use '+' attributes (in my version at least). I'm not very happy with the

Re: dynlist performance

2013-11-27 Thread Clément OUDOT
2013/11/27 POISSON Frédéric frederic.pois...@admin.gmessaging.net: Hello, I'm testing the dynlist overlay on OpenLDAP 2.4.38 because I have a static group of around 10K uniqueMember. I want to have now an equivalent group with dynlist. I have configured my overlay dynlist like this: dn:

Re: dynlist performance

2013-11-27 Thread Dieter Klünter
On Wed, 27 Nov 2013 10:46:40 +0100 POISSON Frédéric frederic.pois...@admin.gmessaging.net wrote: Hello, I'm testing the dynlist overlay on OpenLDAP 2.4.38 because I have a static group of around 10K uniqueMember. I want to have now an equivalent group with dynlist. I have configured my

Re : Re: dynlist performance

2013-11-27 Thread POISSON Frédéric
Hello, Thanks Clement for your response and blog post on valsort usage (http://coudot.blogs.linagora.com/index.php/post/2013/01/07/Astuce-OpenLDAP-%3A-Des-groupes-dynamiques-Jamais-sans-tri-des-valeurs-!). Dieter, I didn't mention my search filter because I take the same base/scope/filter that I

RE: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Viviano, Brad
Howard, I understand what you are saying. It would have been nice if a generalized account locking method was included in the ppolicy or a similar overlay was available like other LDAP server implementations provide. But so be it. As others have suggested, I can spoof the same result, with

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Michael Ströder
Viviano, Brad wrote: I understand what you are saying. It would have been nice if a generalized account locking method was included in the ppolicy or a similar overlay was available like other LDAP server implementations provide. It's very easy to lock accounts (or whatever entries) by ACLs.

Antw: Re: Q: monitoring attributes

2013-11-27 Thread Ulrich Windl
Dieter Klünter die...@dkluenter.de wrote on 27.11.2013 at 10:34 in message 20131127103401.4123c...@pink.avci.de: On Wed, 27 Nov 2013 09:09:35 +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Hi! I found out why I never was successful with cn=monitor: By default '*'

Antw: dynlist performance

2013-11-27 Thread Ulrich Windl
POISSON Frédéric frederic.pois...@admin.gmessaging.net wrote on 27.11.2013 at 10:46 in message 3fd84a3867972521.5295c...@admin.gmessaging.net: Hello, I'm testing the dynlist overlay on OpenLDAP 2.4.38 because I have a static group of around 10K uniqueMember. I want to have now an

Antw: Re: Q: monitoring attributes

2013-11-27 Thread Ulrich Windl
Dieter Klünter die...@dkluenter.de wrote on 27.11.2013 at 11:15 in message 20131127111527.0e561...@pink.avci.de: On Wed, 27 Nov 2013 09:09:35 +0100 Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: Hi! I found out why I never was successful with cn=monitor: By default '*'

Antw: Re : Re: dynlist performance

2013-11-27 Thread Ulrich Windl
POISSON Frédéric frederic.pois...@admin.gmessaging.net wrote on 27.11.2013 at 13:31 in message 3640fb146a534ff3.5295f...@admin.gmessaging.net: Hello, Thanks Clement for your response and blog post on valsort usage

Re : Antw: dynlist performance

2013-11-27 Thread POISSON Frédéric
Hello, On 27/11/13, Ulrich Windl ulrich.wi...@rz.uni-regensburg.de wrote: POISSON Frédéric frederic.pois...@admin.gmessaging.net wrote on 27.11.2013 at 10:46 in message 3fd84a3867972521.5295c...@admin.gmessaging.net: Hello, I'm testing the dynlist overlay on OpenLDAP 2.4.38

Re: OpenLDAP 2.4.38 available

2013-11-27 Thread Clément OUDOT
2013/11/18 OpenLDAP Project proj...@openldap.org: OpenLDAP 2.4.38 is now available for download as detailed on our download page: http://www.openldap.org/software/download/ Hi, I am happy to inform you that LDAP Tool Box packages are now available for OpenLDAP 2.4.38 (see

RE: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Viviano, Brad
Adjusting ACLs seems like overkill for this situation and I have to work within the bounds of what sssd offers. sssd doesn't have a native check for pwdAccountLockedTime when it does ppolicy based checking, the code just isn't there. sssd for LDAP auth does support a True/False check for

Re: Antw: Re: Q: monitoring attributes

2013-11-27 Thread Howard Chu
Ulrich Windl wrote: BTW: I noticed that there is no schema for entryCSN either... See doc/drafts/draft-chu-ldap-csn-xx.txt -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP

Re: Antw: Re: Q: monitoring attributes

2013-11-27 Thread Howard Chu
Ulrich Windl wrote: Dieter Klünter die...@dkluenter.de wrote on 27.11.2013 at 11:15 in In fact spaces in a commonName attribute value are in accordance with X.520 practice. Hi! I believe that, but when printed two spaces look very similar to one space, and as I guess every space is

Re: syncrepl

2013-11-27 Thread Itamar S.
Change the line below on the OpenLDAP master server. It worked here. modulepath syncprov 2013/11/27 Esteban Pereira esteban.pere...@gepsit.fr It is not related to your problem, but considering your acl, the userpassword (and shadowlastchange) of the cn=sync user won't be replicated. If

Re: Antw: Re: Q: monitoring attributes

2013-11-27 Thread Michael Ströder
Howard Chu wrote: Ulrich Windl wrote: BTW: I noticed that there is no schema for entryCSN neither... See doc/drafts/draft-chu-ldap-csn-xx.txt This is one of those things a generic LDAP client has to be prepared to handle with some fall-back mechanism. You can enable this hidden experimental

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Howard Chu
Viviano, Brad wrote: Adjusting ACLs seems like overkill for this situation and I have to work within the bounds of what sssd offers. sssd doesn't have a native check for pwdAccountLockedTime when it does ppolicy based checking, the code just isn't there. sssd for LDAP auth does support a

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Michael Ströder
Viviano, Brad wrote: Adjusting ACLs seems like overkill for this situation and I have to work within the bounds of what sssd offers. I'm doing this with sssd and it's definitely not overkill = there's no valid excuse to not learn about ACLs And it does not only work for applications/clients

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Howard Chu
Viviano, Brad wrote: Howard, I don't see your point. Clearly. I'm not debating a user providing a password or not. I'm discussing how to inform the client that an account is locked. Slapd already knows the account for DN=x is locked because the user provided an invalid password too many

RE: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Viviano, Brad
Unfortunately for me, I am in a situation where I have to trust PAM and not LDAP and don't have the luxury of binding for each user login. I have to support SSH public keys or software we rely on doesn't work, commercial software I have no option but to use. So yes, I trust PAM to know how to

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Michael Ströder
Viviano, Brad wrote: I can't foresee a time I would want a user to just disappear entirely from a system because their password is locked. I don't want locked users to be invisible, I want them to be locked so they can't login. Gee, can't you read about ACLs *before* responding like that.

Re: OpenLDAP with ppolicy and SSSD configuration question.

2013-11-27 Thread Turbo Fredriksson
On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote: So, I need a reliable way to lock an account that can handle both methods. I haven't followed the thread closely, but if I understand you correctly: You want to disable/lock an account, without hiding it from ls etc? As in, making sure the user

Problem with self in acl in combination with rwm

2013-11-27 Thread Arthur de Jong
I have a configuration somewhat similar to the one below and the ACLs seem to be applied using the non-rewritten DN which causes the self specifier to never match. We are in the process of configuring a more secure LDAP server with stricter ACLs and extra security checks without affecting