I wrote:
Have you done something as root, so root owns some of the
database files but you try to run slapd as another user (with -u)?
If so, fix the file permissions and then avoid working as root.
Sorry, I mean file ownerships. Though it could be file or
directory permissions too, come to
Nick Milas wrote:
Let me re-phrase: Can we express the following three statements using
ONE ACL statement? I haven't been able to find a solution.
access to dn.subtree=ou=people,dc=example,dc=com
filter=(ou=dept1) attrs=attr1,attr2
by
On Mon, 26 Mar 2012 17:04:23 +0200, stefano stefano.mal...@gmail.com
wrote:
the situation is worse.
now, trying to run an ldapsearch i have the message can't contact
LDAP server.
on syslog the last lines are:
(...)
Have you done something as root, so root owns some of the
database files
On Wed, 21 Mar 2012 22:32:33 -0400, b...@bitrate.net wrote:
i'd amend that process slightly:
Not quite there yet...
Make a habit of always running the slap tools as the user group
slapd runs as, so you'll never screw up file ownerships for slapd.
I.e. slapd -u ldap vs su ldap -c
Gaurav Gugnani wrote:
Actually, i want to know - how to scale out once you reach the
limits to run openLdap in one single box?
You said some million of records. That's nowhere near OpenLDAP's
limits, nor near the multi-terabyte databases you mention, unless your
LDAP entries are quite large -
On Mon, 12 Mar 2012 18:30:11 +0100, Emmanuel Lécharny wrote:
On 3/12/12 6:04 PM, Hallvard Breien Furuseth wrote:
For now I suggest we always use 5 bytes when the length exceeds some
threshold. This is valid in BER and in LDAP's somewhat restricted
BER,
but not valid DER. (...)
Whoops,
On Tue, 28 Feb 2012 18:46:10 -0500, Qiang Xu q...@lexmark.com wrote:
The complete code is quite long. But the essential parts are here.
After these options are set, it goes with
ldap_start_tls_s(ldapHandle, NULL, NULL) and
ldap_sasl_bind(ldapHandle, username, LDAP_SASL_SIMPLE,
password_ber,
On Wed, 15 Feb 2012 13:38:17 +0200, Szilard Gyorgy
szil...@gyorgy.net wrote:
ldapcompare -D uid=testuser,ou=Users,dc=domain,dc=net -w test
uid=testuser,ou=Users,dc=domain,dc=net -v userPassword:test
Why are you using compare at all? The server already checked
the password when it accepted
On Wed, 15 Feb 2012 16:35:38 +0200, Szilard Gyorgy wrote:
Hi Hallvard
I use the compare tool just for testing
The problem is when I try to login to my Cisco router (using ldap) I
got compare false error message.
After that I tested the same password with this tool and I got the
same result.
On Thu, 09 Feb 2012 12:54:27 -0800, Quanah Gibson-Mount
qua...@zimbra.com wrote:
The only officially supported backup method with OpenLDAP is slapcat.
Everything else, you do at your own risk.
The admin guide disagrees with you. Chapter 19 describes incremental
backup by copying first the
On Thu, 09 Feb 2012 14:36:20 -0800, Howard Chu h...@symas.com wrote:
Hallvard B Furuseth wrote:
The only officially supported backup method with OpenLDAP is
slapcat.
Everything else, you do at your own risk.
The admin guide disagrees with you. Chapter 19 describes
incremental
backup
I wrote:
On Thu, 09 Feb 2012 14:36:20 -0800, Howard Chu h...@symas.com wrote:
Chapter 19 is obviously a work-in-progress, transferred over from
the
FAQ-o-Matic.
Presumably because backup has previously only been described in
the FAQ-o-Matic. But I'm pretty sure this has been the documented
On Thu, 02 Feb 2012 11:19:30 -0800, Quanah Gibson-Mount
qua...@zimbra.com wrote:
--On Thursday, February 02, 2012 10:46 AM +0100 Emmanuel Lecharny
elecha...@gmail.com wrote:
emmanuel-lecharnys-MacBook-Pro:openldap-git elecharny$ git archive
--format=tar
I wrote:
As for git archive --remote=git://git.openldap.org/openldap.git,
man git-daemon says this requires 'git config daemon.uploadarch
true'.
Requires it on the daemon side, that is.
--
Hallvard
On Sun, 29 Jan 2012 14:55:10 +0100, Mattias Andersson
matt...@centaurix.com wrote:
conn=1000 op=1: back-relay for DN=dc=example,dc=com would call
self.
That may be because of 'subordinate'. Does it still work if you
remove it? If not, maybe it helps to use glue instead, as described
in
I wrote:
Andreas Rudat writes:
(...)
so if that is correct, then I think acl 1 isn't needed?
(...) Probably. (...)
Whoops, I meant that's probably right: Not needed.
--
Hallvard
Adam Wale writes:
I'm observing an issue where a large number of searches against an
openldap server results in a large amount of disk writes occurring.
Maybe you have set a high loglevel in slapd.conf, or you are using the
slapd '-d' argument.
Loglevel is what gets logged to syslog. Default
Flack, Simon writes:
Has anyone tried creating an index in openldap to speed-up inequality
searches ( eg of the form modifyTimestamp=20111025162408Z ) on the
modifytimestamp or createtimestamp attributes ?
If so, what type of index did you create,
I haven't tried recently, but use an 'eq'
Johan Jakus writes:
And, in the new version, I can no longer use :
AttributeName* attName = op->oq_search.rs_attrs;
int iAtt;
for( iAtt=0; attName[iAtt].an_name.bv_val != NULL; iAtt++ )
{
if ( attName[iAtt].an_name.bv_val[0] == dupPp->pp_symbol[0] )
...
Because when there is a symbol ( _,
Johan Jakus writes:
Hallvard B Furuseth wrote:
I don't understand what you mean with ( _, §, £, ...), but:
To set what attributes needs to be looked up by the overlay I simply
use a symbol before them, and I leave the possibility for the users to
chose what symbol they want to use (default
Johan Jakus writes:
I've been developing an overlay and I got to a well working solution.
But, I would really appreciate your opinions about it before sending it to
the contribs.
You can see my source on my site:
http://www.dataworld.be/johan/openldap/parsearch/parsearch.htm
Some notes after
Khaled Blah writes:
I've searched for portable.h but couldn't find it in /usr/include or
any of its subdirectories. I've also done grep -r LDAP_VALID
/usr/include/* and that search did not return any results either.
Quite so. ldap-int.h is in the openldap source tree. portable.h is
generated
Whoops...
If you wish to use the macro directly: Configure the
OpenLDAP source tree (to generate internal headers), then
#include openldap source/include/portable.h
#include openldap source/libraries/libldap/ldap-int.h.
At least that's what the OpenLDAP source files do.
--
Hallvard
Johan Jakus writes:
To be sure, when I use entry_dub(); it makes a duplication of the entry
from the server cache to somewhere in the memory.
So I just need to make the pointer of the SlapReply point to my new
duplicated entry,
...and dispose of the old entry according to rs->sr_flags, and
Khaled Blah writes:
I would like to ask whether there is a way which allows me to use the
macro LDAP_VALID in my own code. I would like to be able to check an
LDAP* handle for its validity before I use that handle on any of the
LDAP operation functions.
You could call something which uses
A correction to my last message:
If you want to free the entry yourself, instead you can do
rs_replace_entry(entry_dup(rs->sr_entry));
e = rs->sr_entry;
send the entry, or whatever...
entry_free(e); /* instead of entry_free(rs->sr_entry); */
I don't quite remember, but I
Howard Chu writes:
Zytrax.com is not a reliable source of OpenLDAP documentation. Most of what
they advise is misguided or flat wrong.
Yet Google(OpenLDAP cn=config)'s two first hits are at Zytrax. It's not
surprising people keep using that stuff.
Maybe the OpenLDAP site could be improved to
Brett @Google writes:
I think the popularity of Zytrax guide on google indicates that there is a
need for some simple guide or howto of how to get some sort of trivial ldap
server running, in the first instance.
True enough, but also OpenLDAP website doesn't look like a shining
example of
Johan Jakus writes:
1. In my overlay, I search for the attribute of a parent (recursively)
and then, I return it in the response using the ?attr_merge? function as
used in the ?content? overlay. But, this seems to be a permanent change, the
server will always return that attribute, till
I wrote:
Yes, the backend/overlay which returns an entry often owns that entry.
If you are
*intercepting a*
result and modifying rs->sr_entry, rs->sr_flags describe
ownership of the entry and if it is modifiable. You can call
rs_entry2modifiable( op, rs, on /*the overlay*/ );
--
Craig White writes:
Obviously there is something that I don't understand because I would
expect to be able to bind using CN as well as UID attribute...
You are not binding with either CN or UID, you are binding with the DN
(Distinguished Name) of your entry:
# ldapsearch -x -D
Joseph vasanth writes:
ldapsearch -x -h 10.127.1.146 -b dc=primecorp,dc=com -D
'ad...@primecorp.com' -W cn=admin
Enter LDAP Password:
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
The -D option (for the Simple Bind operation) takes an identity in DN
format, e.g.
(Copying some of this from an IRC conversation)
Dimitri writes:
1. We have chosen to use SLAPI, not overlay API, to make our
authentication plugin portable to other LDAP servers; but still our main
target is OpenLDAP and we're not going to migrate to any other LDAP
server (but our clients
dmitry.b.ogorodni...@gmail.com writes:
I need to install ppolicy overlay on my slapd configured via
cn=config. All that I can find for cn=config is a manpage (without
describing installation), posts in blogs (mostly very poor) and this
mailing list (with many unsolved problems).
Is there an
Pierangelo Masarati writes:
An overlay would basically need to take the value from the compare
request, put it into a bind request structure, call the frontend's
bi_op_bind() hook.
And save the connection's BindDN before Compare and restore it after.
And serialize operations for the entire
I wrote:
And save the connection's BindDN before Compare and restore it after.
Duh, never mind - the frontend does that, I think.
And serialize operations for the entire connection during the Compare,
since Bind expects to be the lone active request on the connection
while most other
Howard Chu writes:
Nick Urbanik wrote:
That person would be me. I would be happy to do the work if the
prospect exists of me working towards getting the changes incorporated
into the main OpenLDAP code base. This change would be very useful to us.
Great. Then I suggest you start with
Nick Milas writes:
Based on the fact that the userPassword attribute is NOT single-valued
in the schema definition, I was wondering whether there are cases where
we could use a double-password approach or if doing that would just
cause a mess.
Sure. For example, when you change an entry's
Hugo Monteiro writes:
I have recently discovered that i'm not using the indexes i should, in
one translucent overlay database, for the locally stored attributes.
This being a production server, i would like to know if changing index
configuration and running slapindex on that database is
Hugo Monteiro writes:
I would like to report that i have been able to replicate a crash on slapd.
(...)
Should i file an ITS for this one?
Absolutely.
--
Hallvard
Hugo Monteiro writes:
My question was more directed to the point that being a translucent
database, the procedure to recreate the indexes would be the same as if
it was a regular one. Guess you already answered that.
Yes. An index is an optimization, it doesn't change the search results.
Nick Urbanik writes:
On 19/09/11 09:52 +0200, Christian Manal wrote:
as far as I know, OpenLDAP doesn't really use syslog priorities. You
have to set at least 'debug' (...)
Right. man slapd, options -l and -s, says slapd by default uses syslog
local4.debug.
and then control what you want to
Emmanuel Lesouef writes:
I was searching for documentation about configuration of backends with
openldap 2.4 (with cn=config).
Are there some that are up to date ?
Are there any configuration examples ?
See the OpenLDAP admin guide at www.openldap.org or in
openldap source/doc/guide/.
Could we accept some safe subset of T.61 and reject the rest?
As long as we don't need to translate back...
--
Hallvard
Howard Chu writes:
Hallvard B Furuseth wrote:
Still, I don't know why that makes it possible to store such a cert,
since certs are binary.
He said it is *not* possible to store.
Sorry, typo.
Certs are binary, but their subject and issuer DNs are still validated
before they're accepted
Liam Gretton writes:
These are defined in ldap.h, e.g.:
#define LDAP_CONSTRAINT_VIOLATION 0x13
#define LDAP_TYPE_OR_VALUE_EXISTS 0x14
Presumably these are undocumented for good reason, but in practice can
they be relied on not to change, at least as far as OpenLDAP 2 is
Oliver Schulze L. writes:
sizelimit is on 3 on slapd.conf, but you're right, I have 65 users
in /etc/passwd
It's really strange ... Today it returns 2065.
Maybe 65 from /etc/passwd, 1000 from some cache on the local machine,
1000 new ones from LDAP after something was done in slapd which
Nick Milas writes:
On 23/5/2011 1:41, Howard Chu wrote:
Look before you ask. The code is in HEAD and there's a sample perl
script provided.
I feel embarrassed to ask, and excuse me for my ignorance, but, what is
HEAD?
He means the Git repository's master branch, which is currently the
I wrote:
Simone Piccardi writes:
So now I need more logic, more programs, when I can do everything with
just an editor and some text when having a file.
(...)
slapd.conf is historyless too though, so I'm not sure what you mean with
tracking change logs if you did not want something like
Olivier Guillard writes:
How to survive in operational environment without comments
in files ( nor a way to track change logs btw ) ?
I suppose you could put slapd.d/ under version control. After making
a change or a set of changes, commit your modified slapd.d/ with your
comments in the
Simone Piccardi writes:
On 28/04/2011 12:00, Hallvard B Furuseth wrote:
Olivier Guillard writes:
How to survive in operational environment without comments
in files ( nor a way to track change logs btw ) ?
I suppose you could put slapd.d/ under version control. After making
a change
Howard Chu wrote:
When you know what these things are, cn=config is just another DIT, that
you manage just like every other DIT. The learning curve for cn=config
is shorter than for slapd.conf, because once you learn the essential
elements of LDAP, you also know all the essentials for
Emmanuel Lécharny writes:
What comes to my mind now is that we (the OSS gang) could define a
common extension to help organize those added schema elements. That
could help...
I'm in favor of that as long as someone else does the work:-)
Don't know if I'd have time to do much about it for a
Howard Chu writes:
Hallvard B Furuseth wrote:
(...) it would be friendly if
OpenLDAP used the same attribute types for reading and writing schema,
without an 'olc' prefix for writing. I presume there's a good reason it
doesn't, and I don't know how hard that would be to change.
We use
Emmanuel Lécharny writes:
On 4/12/11 11:19 PM, Howard Chu wrote:
Performing an update is not the problem. Funneling updates of
cn=subschema into meaningful branches of the schema tree is the problem.
Got it.
We have a workaround for that : each schema is stored in its own
sub-entry,
I wrote:
There are other ways one could specify which internal schema entry/tree
to use when that is not specified in the LDAP update operation -
e.g. cn=schema,cn=config children could hold mappings from OID/schema
element name to the entry which should receive the update.
I meant, a
Emmanuel Lécharny writes:
On 4/11/11 3:21 PM, Hallvard B Furuseth wrote:
Emmanuel Lecharny writes:
#!ERROR [LDAP: error code 21 - attributeTypes: value #0 invalid per syntax]
(...)
See the admin guide. In OpenLDAP you add schema by modifying a schema
below cn=schema,cn=config, and you set
Pierangelo Masarati writes:
In principle, one could modify cn=schema by using back-relay and a
slapo-rwm that maps cn=schema to the appropriate cn=config node, and
attributeTypes to olcAttributeTypes.
Nice. But what's the appropriate cn=config node? I think you'd have
to map cn=schema
sarath chandra writes:
line 27 (modulepath /usr/lib/openldap)
/usr/local/etc/openldap/slapd.conf: line 27: keyword modulepath ignored
That's supposed to mean slapd was compiled without --enable-modules,
so only statically linked modules will be available.
I'm using openldap-2.4.25 on CentOs
Emmanuel Lecharny writes:
#!ERROR [LDAP: error code 21 - attributeTypes: value #0 invalid per syntax]
dn: cn=schema
changetype: modify
add: attributeTypes
attributeTypes: ( 1.3.6.1.4.1.18060.0.4.1.2.10001 NAME 'type1' SUP name )
See the admin guide. In OpenLDAP you add schema by modifying a
owen nirvana writes:
error is the following:
error: 'ldap_init' was not decalred in this scope
error: 'ldap_simple_bind_s' was not decalred in this scope
error: 'ldap_unbind' was not decalred in this scope
These calls are deprecated, even though that's undocumented except with
ldap_init. To
Kilian R?hner writes:
1. Is it possible to specify a regexp as rootdn?
No, but if you use SASL (e.g. ldapsearch -H ldapi:// -QY EXTERNAL) or
proxy auth, then you can use authz-regexp to rewrite multiple DNs to
a single one which you then can use as rootDN.
2. In an access-rule, i have a set
Kilian R?hner writes:
1. Is it possible to specify a regexp as rootdn?
(...)
Would be nice for the future to have this (if this is the right place to
say it).
If you want someone to remember, the right place is ITS
http://www.openldap.org/its/. I doubt it'll happen anytime soon
unless
Marco Pizzoli writes:
(...)
How could I populate manually (in the Perl code) those entries?
In this way?
In sub new:
$this->{"uid=pippo,dc=ciao,dc=it"} = "objectClass: uidObject\nuid: pippo";
I think like this, but I have not tried:
my $dn = "uid=pippo,dc=ciao,dc=it";
my $this ={ $dn = dn:
I wrote:
$this should be the return value from sub new. It's a blessed reference
to a hash table, thus %{$this} (or just %$this) is the hash table.
Oops, I lost the final sentence:
%$this is a {dn: entry} hash, filled in by sub add co.
--
Hallvard
Michael Smith writes:
Anybody interested in collaborating on a back-python
analogous to back-perl? After a cursory glance at the
code for the latter, it looks like it wouldn't be hard to
adapt for the Python case.
I started on that once, but quit because Python and slapd both
want their
Olivier PAVILLA writes:
I have LDAP server on a fedora core 5 which is running for more than 3
years without any update nor upgrade neither. So now I've to migrate this
LDAP on a new server with new Linux distribution (Debian Lenny 5.0.7 64
bits). Should I or do I need to use slapindex before I
Olivier PAVILLA writes:
So I want to LDAP with database ldbm. But it appears there
is no way on debian.
It's not Debian-related.
(...)
There is no ldbm module anymore or what?
Right. Use bdb/hdb. OpenLDAP 2.3 was the final branch with ldbm.
--
Hallvard
l...@mm.st writes:
While sniffing traffic using tcpdump and using various
ldapsearch options I noticed that if the client doesn't request starttls
or connect on 636 it is possible to grab a user's ldap record and the
transmission is in clear text.
Yup...
If I authenticate to the server using
I wrote:
+ if ( bv == NULL || ber-ber_sos_ptr != NULL ) {
+ assert( ber-ber_sos_ptr != NULL ); /* For debugging */
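Review bot: the assert on the second line re-tests one operand of the guard on the first line rather than checking an invariant: inside `if ( bv == NULL || ber->ber_sos_ptr != NULL )`, `assert( ber->ber_sos_ptr != NULL )` is trivially true when the branch was entered via the second operand and fires only when it was entered via `bv == NULL` with a NULL `ber_sos_ptr`, so it cannot single out the case being debugged. State the condition the branch is meant to catch explicitly (the follow-up reply in this thread suggests `== NULL`).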
Whoops, assert( ... == NULL ) would work a bit better:-)
--
Hallvard
Eh, that should go in ber_flatten, not ber_flatten2. It's not just
OpenLDAP which can't be trusted with ber at the moment, I seem to be
poor at multi-tasking:)
--
Hallvard
Howard Chu writes:
You could give back-ldif a try. It certainly will not perform well, but it's
so simple that data corruption wouldn't be an issue.
Actually it can leave behind a temporary file if you pull the plug on
slapd at just the wrong moment, when an entry is being written. That
won't
Julien Vehent writes:
On my former installation, I have SASL configured using :
(...)
---
authz-regexp ^uid=([^,]+).*,cn=[^,]*,cn=auth$
ldap:///dc=domain,dc=net??sub?(uid=$1)
authz-policy to
password-hash {CLEARTEXT}
---
How do I translate this into cn=config directives
Please keep replies on the list. Then others can help when I'm not
around.
Laurent gobalraja writes:
In fact i need a complete split of the bases. The reason is that i need
duplication of cn in both domain and that is not possible in a single base
as the CN must be unique.
I think you mean
Shankar Anand R writes:
I see that most LDAP utilities (openldap included) do a ldap_bind() before
every ldap_search(). Is this mandatory?
No, not in LDAPv3. It was mandatory in LDAPv2: You started a session
with bind and ended it with unbind - which is why the latter is
misnamed, it should
Keutel, Jochen writes:
there are 6 matching rules for IA5 strings:
- caseExactIA5Match
- caseIgnoreIA5Match
- caseExactIA5SubstringsMatch
- caseIgnoreIA5SubstringsMatch
- caseExactIA5OrderingMatch
- caseIgnoreIA5OrderingMatch
Only three of them are defined in RFC4517:
-
Derek Yarnell writes:
So a while back we had to go away form stats (256) level debugging
because it was spiking our Spunk traffic so much and go to stat2
(512). Even now 1 days worth of LDAP logs on one replica is 1.5G.
Now the problem is that stat2 never gives a way to map the connection
to
masar...@aero.polimi.it writes:
ldap_new_connection(), if ( connect ) and lconn_server-lud_exts contain
the tls ext, first unlocks and then re-locks ld_req_mutex and
ld_res_mutex. As far as I understand, while the former is actually held
by the caller(s) of ldap_new_connection(), the latter
Howard Chu writes:
Thomas Wunder wrote:
The whole thing is needed because slapo-autogroup puts in full DNs as
attribute values but my client programs (e.g. nss-ldapd) expect only
a plain username to be there. In practical this means that I need to
have that overlay to split the values of a
Alex Samad writes:
I am trying to build a olcaccess statement and I am wondering how to
implement a ipv6 network
I haven't tried, but a look at slapd.access(5) and aclparse.c suggests
by peername.ipv6=address%mask
where address and mask are hex IPv6 addresses. Default mask
is
Diego Lima writes:
I'm trying to import an LDIF file where some users have values that appear
to be encoded on the file. The values have two : (i.e. ::) and appear like
this:
See the ldif(5) manpage. '::' means that the attribute value is
base64-encoded in the LDIF file, typically because it