krb5.keytab, mech_list: GSSAPI, pwcheck_method: saslauthd,
> saslauthd_path: /run/saslauthd/mux.
You should create a service principal, i.e. an ldap principal.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
/GSSAPI authentication started
SASL username: die...@avci.de
SASL data security layer installed.
[...]
ldapwhoami -Y external -H ldapi:///
SASL/EXTERNAL authentication started
SASL username:
[...]
-Dieter
On Wed, 22 Dec 2021 14:27:37 +0100
Stefan Kania wrote:
> On 22.12.21 at 13:18 Dieter Klünter wrote:
> > /* OpenLDAP SASL options */
> > [...]
> > /* OpenLDAP GSSAPI options */
> > #define LDAP_OPT_X_GSSAPI_DO_NOT_FREE_CONTEXT 0x6200
> > #define LDAP_OP
On Wed, 22 Dec 2021 12:49:54 +0100
Dieter Klünter wrote:
> On Wed, 22 Dec 2021 11:38:32 +0100
> Stefan Kania wrote:
>
> > On 22.12.21 at 10:31 Stefan Kania wrote:
> > > either it's still a configuration problem, or it's missing. If
> > > it's a con
e-local
> --enable-spasswd --disable-sql --prefix=/opt/openldap-current
> --with-sasl=yes
> --
> Still no gssapi :-(. Did I miss something here?
[...]
You probably missed the header files, check /usr/include/gssapi/
and /usr/include/krb5/
and probably some more.
-Dieter
On Sat, 18 Dec 2021 07:28:16 +0100
Dieter Klünter wrote:
> On Fri, 17 Dec 2021 16:34:41 +0100
> Stefan Kania wrote:
>
> > Hello to all,
> >
> > I'm trying to get GSSAPI authentication running with the
> > symas-packages. I generated a ldap.keytab file a
RB5_KTNAME="/path/to/ldap.keytab
> -
> but it's not working.
/etc/sasl2/slapd.conf
mech_list: gssapi digest-md5 cram-md5 external
keytab: /etc/openldap/ldap.keytab
/etc/ldap.conf
KRB5_KTNAME=/etc/openldap/krb5.keytab
SASL_MECH GSSAPI
SASL_REALM My.SASL.REALM
-Dieter
he following
> error-message: -
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: @(#) $OpenLDAP: slapd 2.5.5
> (Jun 5 2021 14:07:21) $
>
> root@ldap25-p01:/opt/openldap-2.5.5/servers/slapd
> Jun 05 15:24:52 ldap25-p01 slapd[16210]: olcPasswordHash: value #0:
> sch
?
>
> yes. Make sure that you have back_mdb module loaded as well if it's
> built as a module. You do have to export your DB via slapcat and then
> reimport with slapadd as well.
In order to check for static built-in modules run ./slapd -VVV
-Dieter
On Fri, 23 Apr 2021 10:20:28 +0200
Dieter Klünter wrote:
> On Thu, 22 Apr 2021 09:56:42 -0700
> Quanah Gibson-Mount wrote:
>
> > This is a testing call for OpenLDAP 2.5 Release Candidate (OpenLDAP
> > 2.5.4) Depending on the results, this may be the only testing cal
ke[2]: *** [Makefile:301: mdb-yes] Fehler 1
make[2]: Verzeichnis
„/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
make[1]: *** [Makefile:287: test] Fehler 2 make[1]: Verzeichnis
„/home/dieter/work/openldap-OPENLDAP_REL_ENG_2_5/tests“ wird verlassen
make: *** [Makefile:299: test] Fehler 2
-Diet
On Wed, 7 Apr 2021 10:56:09 +
Клеусов Владимир Сергеевич wrote:
> Hi
> Please tell me how (if possible) to authenticate in OpenLDAP not by
> cn but by the mail attribute ?
Try this one:
authz-regexp "uid=(.*),cn=.*,cn=auth"
"ldap:///cn=example,cn=com??sub?mail=$
by * break
>
> I couldn't figure it out :-( If it is possible could someone please
> write a short example
[...]
You may consider sets,
access to dn:xxx
by set.regex=xxx
https://www.openldap.org/faq/data/cache/1133.html
-Dieter
se of posixgroup depends on your requirements.
-Dieter
then memberOf attribute appear
>
> *ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf*
> # udraz, Users, example.com
> dn: uid=udraz,ou=Users,dc=example,dc=com
> memberOf: cn=developers,ou=Users,dc=example,dc=com
>
> Would you please help me how to solve
On 24.07.20 00:02, Quanah Gibson-Mount wrote:
This is the first testing call for OpenLDAP 2.4.51. Depending on the
results, this may be the only testing call.
Generally, get the code for RE24:
d in
sasl2/slapd.conf
this ldap.keytabs are readable by slapd and owned by slapd user and
group.
ldap/raspi3.fritz@fritz.box
ldap/pink.fritz@fritz.box
ldap/indiana.fritz@fritz.box
-Dieter
ols, and heimdal
gss-api and kerberos tools.
Please check the sasl2 configuration path for slapd.conf.
https://www.cyrusimap.org/sasl/sasl/faqs/openldap-sasl-gssapi.html
While some distributions change this path to /etc/sasl2/slapd.conf, or
/etc/ldap/sasl2/slapd.conf, sasl refers to /usr/lib/sasl2/slapd.conf
This slapd.conf must be readable by slapd.
-Dieter
pages on slapd.conf(5), slapd-mdb(5), slapd-meta(5), and
read on Transport Layer Security (TLS)
In order to verify the host certificate of host dc001.example.com
you should provide and configure the certification authority (CA) that
signed the host certificate.
The configuration of a ucdata path is obsolete.
-Dieter
On Tue, 14 Apr 2020 16:26:20 +0200
Dieter Klünter wrote:
> On Mon, 13 Apr 2020 10:34:36 -0700
> Hannah Chenh wrote:
>
> > Hello,
> >
> > I have a question related to rootdn and password policy.
> >
> > I understand that the rootdn can by
lapo-ppolicy(5) read on pwdPolicy objectclass, and
pwdPolicySubentry.
Create a policy subtree and add all users' policy objects to this
subtree.
-Dieter
but project is almost dead and does not have
> all that I need.
openldapjs
https://github.com/6labs/openldapjs.git
perl Net::LDAP
python-ldap
https://stroeder.com/software.html
-Dieter
On Thu, 19 Mar 2020 08:57:11 +0100
"Ulrich Windl" wrote:
> >>> Dieter Klünter wrote on 18.03.2020 at
> >>> 19:57 in
> message
> <30206_1584557842_5e726f12_30206_1570_1_20200318195706.1d992...@pink.fritz.box>:
>
> > Am Wed, 18 Mar
dify operation on attribute
olcLogLevel.
With regard to journald I advise to define filters, see man
journalctl(1).
If syslog is a requirement, change to rsyslog. Don't make use of
logstash!
-Dieter
On Thu, 5 Mar 2020 18:15:41 +0100
Clément OUDOT wrote:
> On 05/03/2020 at 10:10, Dieter Klünter wrote:
> > On Wed, 04 Mar 2020 13:36:08 +
> > Manuela Mandache wrote:
> >
> >> Hello all,
> >>
> >> We have a directory running
On Thu, 05 Mar 2020 12:22:28 +0100
"Ulrich Windl" wrote:
> >>> Dieter Klünter wrote on 05.03.2020 at
> >>> 10:10 in
> message
> <25580_1583399661_5e60c2ec_25580_1796_1_20200305101027.4c15a...@pink.fritz.box>:
>
> > Am Wed,
eation is rather handy... Using pwdMustChange would be
> difficult, we have a lot of client apps which would be forced to
> check and probably adapt their authentication procedures.
[...]
The password attribute value must be set by a password modify extended
operation in order to set password policy
On Sun, 9 Feb 2020 12:28:53 +
Howard Chu wrote:
> Dieter Klünter wrote:
> > Hi,
> >
> > The manual pages ldapsearch(1) et al. describe the ldapuri abbreviation
> > as -H and the ldaphost abbreviation as -h. Both the ldapuri and ldaphost
> > description might be of
(3
ldapsearch -YGSSAPI -H 2001:16b8:c115:9f00:44ff:f15b:11d1:e620 -b "" -s
base +. Just for verification one may use ipv6 address ::1
The question is: must ldapuri contain a hostname, or would a
hostaddress be sufficient. While ldaphost accepts hostname and
hostaddress?
-Dieter
>
> Peter
[...]
If authz-regexp is set correctly, it should be:
ldapwhoami -Y EXTERNAL -H ldapi:///
-Dieter
die...@dkluenter.de (Dieter Klünter) writes:
> Quanah Gibson-Mount writes:
>
>> --On Monday, December 23, 2019 10:19 PM +0100 Dieter Klünter
>> wrote:
>>
>>> /usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
>>> SASL/GSSAPI authentication sta
Quanah Gibson-Mount writes:
> --On Monday, December 23, 2019 10:19 PM +0100 Dieter Klünter
> wrote:
>
>> /usr/bin/ldapwhoami -Y gssapi -H ldap://indiana.example.com
>> SASL/GSSAPI authentication started
>> SASL username: die...@example.com
>> SASL SSF: 256
>
Dieter Klünter writes:
> On Fri, 20 Dec 2019 20:54:13 +0100
> Stefan Kania wrote:
>
>> Hello,
>>
>> I try to do the authentication in LDAP via Kerberos. The
>> Kerberos-Database is in LDAP, no problem, I can login to the system
>> as a normal u
riginal DN from the user not the
> dn:*,cn=gssapi,cn=auth. So I put into my configuration:
[...]
I face the same problem with OpenIndiana. In my experience only
GSSAPI, DIGEST-MD5 and CRAM-MD5 work as expected. But I must admit, it
is only on Solaris, not on Linux.
-Dieter
r | organizational_unit.description
> > sel_expr_u |
> > from_tbls | organizational_unit
> > join_where |
> > add_proc | UPDATE organizational_unit SET description=? WHERE
> > id=? delete_proc | SELECT 1 FROM organizational_unit WHERE ou = ?
> > AND ID=? param_order | 3
> > expect_return | 0
> >
> >
> > Can someone shed some light on what's wrong here?
I am missing the odbcinst.ini and odbc.ini files. Did you include
the unixodbc module in /etc/unixodbc?
-Dieter
y suspicion and see if
> any one else has been able to get a UPN-based bind to work through
> OpenLDAP.
>
> For reference my slapd.conf configuration is below:
[...]
slapd requires part of AD schemas in order to operate back-ldap
properly. Thus write a private schema, providing required
g to force the IT guys' hand and
> add extra vars..
>
> I've scouted the openldap mailing list as well for answers but there
> is a plethora of no replies and some replies that somewhat matches
> what I'm trying to do...
>
> Any guidance would be super appreciated
>
Create
r too generic)
No, it is not possible to split ldap-result-code, but you may consider
a password policy, which provides some information on the result of a
slapo-ppolicy(5) operation.
-Dieter
as quick start
> clearly doesn't work in my default install of OpenLDAP on CentOS 7)
That is most likely because of MOZNSS in an OpenSSL environment or vice
versa.
> And how can I start SLAPD without encryption?
Just disable TLS in slapd.conf and ldap.conf
[...]
-Dieter
in the first one or split/move it to be checked later.
>
> I assume you also know and use the slapacl tool (and loglevel acl) to
> test with? Does it show any additional information that might be
> helpful in diagnosing the issue?
With regard to 'set' here is some basic information.
http://www.openldap.org/faq/data/cache/1133.html
http://www.openldap.org/faq/data/cache/1134.html
-Dieter
apd.service" and "journalctl -xe" for details.
Run slapd in debug mode in order to identify the culprit.
/usr/sbin/slapd -h "ldap:///" -u ldap -g ldap -F
/etc/openldap/slapd.d -f /etc/openldap/slapd.conf -d 256
-Dieter
On Sun, 21 Jul 2019 22:50:35 +0200
Michael Ströder wrote:
> On 7/21/19 10:10 PM, Dieter Klünter wrote:
> > On Sun, 21 Jul 2019 17:27:53 +0200
> > danielle lampert wrote:
> >> the ldapsearch man page (
> >> https://www.openldap.org/software//man.cgi?
el*.
>
>
> Where can I find the debuglevel values and their meaning ?
RFC4511, Section 4.1.9. Result Message
-Dieter
Quanah Gibson-Mount writes:
> --On Wednesday, July 17, 2019 6:46 PM +0200 Dieter Klünter
> wrote:
>
>> Hi,
>> I am testing OpenLDAP-2.4.44 on OpenIndiana-Hipster. I have configured
>> two back-mdb databases.For some strange reason a data.mdb and a bdb
>> l
17 16:57 log.01
After a restart slapd cannot read the data.mdb anymore.
-Dieter
--
Dieter Klünter | Directory Service
http://sys4.de
53°37'09,95"N
10°08'02,42"E
underlying database. slapcat(8) the hdb database into a file and
slapadd(8) the file into a mdb backend.
-Dieter
ges both to
> rsyslog and stderr when I use the '*-d*' option of slapd. For
> information, the latencies were due to a DNS resolution problem. In
> detached mode, ie, without the '*-d*' option, messages are redirected
> to /dev/null.
>
> *$ grep -B 1 dup2 libraries/liblutil/detach.c*
> /* redirect stdin, stdout, stderr
> to /dev/null */ dup2( sd, STDIN_FILENO );
> dup2( sd, STDOUT_FILENO );
> dup2( sd, STDERR_FILENO );
>
>
> For debugging purpose, I want to be able to switch back and forth
> from "stats" to "stats trace" log levels, which is not possible when
> slapd starts in background. Is there any way to to this ?
ldapmodify is your friend. Modify cn=config, olcLogLevel.
-Dieter
On Tue, 26 Feb 2019 09:18:09 -0800
N6Ghost wrote:
> On 2/26/2019 12:07 AM, Dieter Klünter wrote:
> > On Mon, 25 Feb 2019 13:34:45 -0800
> > N6Ghost wrote:
> >
> >> hi all,
> >>
> >> I am trying to setup an openldap proxy to AD
tandard attribute types, which openldap does not
provide. Include AD schema files into slapd.
RFC-4513 requires SASL for strong binds; if your AD is set up as KDC you
may include openldap services as kerberos host and service principals.
-Dieter
hing
like
./slapd -d acl -h ldap://:9007/ and further options.
-Dieter
On Tue, 29 Jan 2019 09:12:56 +0100
Hallvard Breien Furuseth wrote:
> On 1/28/19 10:35 PM, Dieter Klünter wrote:
> > authz-regexp
> > "gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth"
> > "cn=config"
>
> Probably something swallows
k anymore.
Any ideas?
-Dieter
#
> loglevel0
Did you read slapo-pcache(5) ?
For debugging use debug level pcache.
Try something like:
database ldap
...
overlay pcache
pcache mdb 5000 2 500 3600
pcacheAttrset 0 uid gid
pcacheTemplate (uid=) 0 10
On Tue, 8 Jan 2019 15:15:39 -0500
vad...@gmail.com wrote:
> On Tue, Jan 8, 2019 at 3:27 AM Dieter Klünter
> wrote:
>
> > On Mon, 7 Jan 2019 16:18:36 -0500
> > vad...@gmail.com wrote:
> >
> > > I am using openldap proxy today with ldap backend.
>
/krb5-latest/doc/admin/conf_ldap.html
-Dieter
ment (22)
> slapd stopped.
> connections_destroy: nothing to destroy.
[...]
The errors are BerkeleyDB based; bdb has been deprecated, don't use it.
Do not expect support on 15 years old source code versions.
If you want to run openldap on solaris, try openIndiana, which
provides openldap-2.4.46.
-Diete
, read bash(1) on ulimit.
The reason most likely is too many filesystem I/O's requested, bad
search filter design, too many operations on the same index database,
etc.
-Dieter
fr" write
> by * none
>
>
> # 6) All the tree
> access to *
> by dn.exact="cn=root,dc=fr" write
> by dn.subtree="ou=Comptes Admin,dc=fr" read
> by dn.exact="cn=Synchro,ou=Comptes Admin,dc=fr" read
> by self none
>
::LDAP::Control::SyncRequest i built a script that
monitors modifications to the database.
-Dieter
es Clients,dc=fr" read
> by * none
access to dn.base=dc=fr
attrs=entry,children,contextCSN read
-Dieter
the
> entry? The only way I found was to use slapd -c, but
If you have a log database with sufficient old data and matching
timestamps and CSNs it might be possible. But a slapcat and slapadd
would be easier.
[...]
-Dieter
that.
[...]
slappasswd(8) provides some information on password hashing and salting.
-Dieter
abase, load the
database file by slapadd(8), slaptest(8) will create a config
database.
-Dieter
>
>
>
> 2018-08-08 19:20 GMT+02:00 Dieter Klünter :
>
> > On Wed, 8 Aug 2018 15:19:23 +0200
> > Arianna Milazzo wrote:
> >
> > > Ok, I understand that it isn't supported, but at the moment I
> > > can't try other solutions.
> &
1466.115.121.1.12' "
"EQUALITY distinguishedNameMatch "
"USAGE dSAOperation "
"NO-USER-MODIFICATION "
)
Have you defined any table for this sort of operational attributes?
-Dieter
ap(5) database attached to a
slapd-relay(5) database, relaying subtree from server B.
-Dieter
a
stable release. The initial release for 2.4 series is OpenLDAP 2.4.6
Release (2007/10/31)
If you face problems you must update to the current release 2.4.46
-Dieter
environment. Off-site office don`t have
> public ip. And it is better for me to have this ldap instance
> read-only.
You may consider the experimental aci model instead of the standard acl
model, as defined in slapd.access(5)
http://www.openldap.org/faq/data/cache/634.html
-Dieter
ownership of slapd.conf and bdb database files is not appropriate.
In addition you may check the database with BerkeleyDB tools, i.e.
db_stat.
-Dieter
should get acquainted with RFC4512
https://www.rfc-editor.org/pdfrfc/rfc4512.txt.pdf
and X.500
https://www.itu.int/rec/T-REC-X.500/en
-Dieter
> for it?
RFC 4511 and 4513 are quite clear about this. While start TLS is defined
in RFC 2830, there is no formal specification for ldaps, furthermore
read on ldaps in /etc/services.
-Dieter
ter LDAP Password:
> deleting entry "reqStart=20180509102412.00Z,BASEDN"
> ldap_delete: Invalid DN syntax (34)
> additional info: invalid DN
>
> Is there a way to force the deletion or temporary disable the schema
> check?
It seems that $BASEDN is not a vali
e an TOTP
https://blog.sys4.de/totp-time-based-one-time-password-authentication-en.html
-Dieter
the OU alias, with all children?
Objectclasses aliasedObjectName and organizationalUnit are both
structural Objectclasses, try to add auxiliary object classes, or
create your own classes. Some documentation include extensibleObject
class, but this would create additional security questions.
-Dieter
> and here:
> https://github.com/openldap/openldap/tree/master/servers/slapd/back-sql/rdbms_depend
[...]
>
> 2018-04-30 10:21 GMT+02:00 Dieter Klünter <die...@dkluenter.de>:
>
> > On Thu, 26 Apr 2018 18:48:00 +0200
> > written by Arianna Milazzo <aria...@ariannamicroc
-rwm(5)
something like:
database ldap
suffix dc=test,dc=ca
...
database relay
suffix dc=test,dc=example,dc=com
relay dc=test,dc=ca
overlay rwm
rwm-suffixmassage "dc=test,dc=example,dc=com" "dc=test,dc=ca"
subordinate
database mdb
suffix dc=example,dc=com
-Dieter
u maintain a slapd.conf file or a slapd.d database?
-Dieter
under MIT-Licence and is available at
https://github.com/6labs/openldapjs
-Dieter
tCSN dn: dc=domain,dc=com This is the replication configuration
> in node1 (is the same in node 2 excepting the rid and the hostname:
you may search for all operational attributes of the base entry.
ldapsearch -x -H ldaps:// -b dc=domain,dc=com -s base +
-Dieter
f write by anonymous auth
> by * none
> olcAccess: {3}to attrs=shadowLastChange by self write by * read
> olcAccess: {4}to * by users read
>
>
> I'm quite new to this kind of setup, is this something to be expected?
> Is there a way to bind directly on the replicated branch?
Run slapd(8) in debug mode acl. Note debugging is not equal to logging!
-Dieter
/ssl/private/hkuwildcardcacert.key
> olcTLSCRLCheck: none
> olcTLSVerifyClient: never
> olcToolThreads: 2
>
> I'll leave the rest PM, except for:
>
> dn: olcDatabase={0}config,cn=config,cn=slave
> objectClass: olcDatabaseConfig
> objectClass: olcConfig
> obj
he above RFC as a
> template for one formalizing port 636, so it's finally a documented
> standard.
We discussed this topic some 10 years ago; at that time Kurt
had some concerns with regard to ldaps and port 636. Unfortunately I
can't remember the details.
-Dieter
root@lupin:/tmp/buildd/openldap-2.4.31/debian/build/servers/slapd
>
> Is an update sufficient?
>
> Thank you for your answers,
> Cédric Couralet
>
The attribute type organizationIdentifier (2.5.4.97) has been introduced
in X.520 only in 2012. It has not been made it's way into LD
meters)?
This presentation might give you some hints
https://www.slideshare.net/ldapcon/benchmarks-on-ldap-directories
-Dieter
y few minutes.
>
> Does everyone typically send all of local4 to a file or only filter
> out for example warning and above?
What type of logs are you referring to? Is this berkeleyDB log or
syslog?
If syslog, just modify the slapd loglevel to your liking.
-Dieter
ses have to be unique in regard to both
> fields, which means an address that is used in either of them cannot
> be used in any other of them. Is that possible?
slapo-unique(5) plus slapo-constraint(5)
-Dieter
)
>
> I now defined an independent "cty":
>
> attributetype ( 1.3.6.1.4.1.10624.1.50
> NAME 'cty'
> DESC 'country'
> EQUALITY caseIgnoreIA5Match
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
>
> It works, but I have no idea
nd out why operation 11 results in 0 entries.
-Dieter
EL" inserted.
>
> The documentation talks about loglevel in slapd.conf, but I am not
> using slapd.conf...
I am not talking about logging and loglevel, I am talking about
debugging and debug level.
-Dieter
> cn=Manager,dc=deepsoft,dc=com" read by *
> > > none
> > [...]
> >
> > You may run slapd in debugging mode 128.
>
> How do I do that using the "new" configuration method in
> /etc/openldap/slapd.d?
>
> I added:
>
> logLevel: 128
>
> to the end of /etc/openldap/slapd.d/cn=config.ldif
>
> But it does not like it:
[...]
man slapd(8),
$(EXECDIR)/slapd -h ldap:/// -F $(CONFIGDIR)/slapd.d -u $USER -g
$GROUP -d 128
-Dieter
> and in /etc/openldap/slapd.d/cn\=config/olcDatabase\={1}monitor.ldif:
>
> olcAccess: {0}to * by
> dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth"
> read by dn.base="cn=Manager,dc=deepsoft,dc=com" read by * none
[...]
You may run slapd in debugging mode 128.
-Dieter
>
> > I very well remember the shocked/laughing faces of (parts of) the
> > audience right after I switched to the slide containing this at
> > first surely suicidal seeming ACL.
> >
> > Forget about it. It's sufficient to keep in mind that the future
> > lies in cn=config. ;-)
-Dieter
On Tue, 5 Sep 2017 05:33:55 +
ping-shin ching <ping...@hotmail.com> wrote:
> Hi Folks,
>
>
> When does the logpurge (for accesslog) run? Can we control the time
> this process runs?
You can control purging, see man slapo-accesslog(5)
-Dieter
>
> Please let me know if you need any more information.
[...]
your attribute value of postalAddress seems not to be conforming to
RFC 4517, section 3.3.28.
-Dieter
hed. The search does not combine both databases. How can I do it?
You may consider to glue both databases to a single namingContext by
declaring "dc=bsi,dc=test,dc=com" as subordinate database, see man
slapd.conf(5). But this requires a single rootDN.
-Dieter
executing slapcat command.
The referenced log files document the database transactions and are
vital for database operations. You may read on db_config tools and how
to manage transaction logs. For more information see
http://www.openldap.org/faq/data/cache/1072.html
http://www.openldap.org/faq/data
entication and
authorization via ldap, you may go ahead.
-Dieter
at to hear the
> opinion of an expert on this, thank you very much :)
Indeed, a compare operation requires less time and server load than a
search operation. In order to reduce server load you may search the
monitor backend base object.
-Dieter
s ok,
> with no errors or warnings... Regards
man slapd(8), run slapd in debugging mode.
-Dieter