Many thanks, Ryan.
I'll schedule a maintenance window so that I can do some testing without
affecting users.
Regards
Philip
On Thu, 7 Feb 2019 at 17:09, Ryan Tandy wrote:
> On Thu, Feb 07, 2019 at 06:05:02PM +0100, Michael Ströder wrote:
> >You should rather set
> >
> >olcTLSProtocolMin:
I want to restrict the cipher suites used in OpenLDAP so that only TLS1.2
is supported.
Looking at https://openldap.org/doc/admin24/tls.html, I first tried setting
olcTLSCipherSuite to "HIGH" but the LDAP server gave an error 80 and then
stopped accepting further connections until I restarted it.
tober 23, 2018 2:21 PM +0100 Philip Colmer
> wrote:
>
> > Yes, I can run slapd in debug mode but this is a production system so
> > that means scheduling a maintenance window in several weeks' time. I
> > was rather hoping to have a solution in place sooner than that thanks
On Tue, 23 Oct 2018 at 12:32, Michael Ströder wrote:
>
> You would rather have to grant search access to 'entryDN'.
>
> But sorry, I will not debug your ACLs.
I'm not asking you to debug them.
I was hoping that someone on this list would *know* what access I need
to grant in order for "ou:dn"
On Tue, 23 Oct 2018 at 11:08, Michael Ströder wrote:
> Summary:
> You have to grant search privilege to all attributes used in the filter
> and read access to pseudo-attribute 'entry' and all other attributes to
> be returned in search results.
>
> Attribute 'entry' is missing here?
>
> Ciao,
I'm trying to use the following search filter:
(&(objectClass=organizationalPerson)(!(ou:dn:=external-community))(memberOf=cn=users,ou=mailing,ou=groups,dc=linaro,dc=org))
If I use an admin account, the search works. If I use a restricted
account, the search doesn't work. The restricted account
I'm adding a third server to an existing multi-server configuration
and I think the LDIF files I'm using to configure the replication have
some errors in them.
dn: olcOverlay=syncprov,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
Hi
We've got a core set of OpenLDAP servers that are in a multi-master
configuration. We are looking at building out that set of servers so
that our data centres can have local copies of the data. However,
those copies don't need to be of everything, so I want to limit which
attributes get
We've got LDAP ACLs to restrict who can make changes to a group, like this
one:
to dn.sub="ou=groups,dc=example,dc=com" by dnattr="owner" write by
set="this/owner/member & user" write by users none by * none
so that both direct owners and people in groups that are owners can modify
the group
cha...@gmail.com> wrote:
> On 01/04/16 12:45, Philip Colmer wrote:
>> I've currently got stats logging turned on while I try to troubleshoot
>> an application and I've noticed some rather strange searches going on.
>> Strange in that the searches are for very high uidNumber
I've currently got stats logging turned on while I try to troubleshoot
an application and I've noticed some rather strange searches going on.
Strange in that the searches are for very high uidNumber values or for
uid values that don't exist ... suggesting that someone might be
trying to grab data
We're currently using OpenLDAP 2.4.38 on our production server using
HDB as the database type. I wanted to upgrade to the latest version
and take advantage of LMDB as the database type so I've built a second
server and transferred the data.
Before making that server the production server, we're
THANK YOU!
Goodness, I really couldn't see the wood for the trees there.
Many thanks.
Philip
On 26 February 2015 at 10:56, Yann Cézard yann.cez...@univ-pau.fr wrote:
On 25/02/2015 15:13, Philip Colmer wrote:
I'm getting a generic error 80 when I try to use ldapmodify to
configure my
I'm getting a generic error 80 when I try to use ldapmodify to
configure my LDAP server to use a SSL certificate. Here is the LDIF
I'm using:
dn: cn=config
changetype: modify
add: olcTLSCACertificateFile
olcTLSCACertificateFile: /etc/ssl/certs/gd_bundle-g2-g1.pem
-
add: olcTLSCertificateFile
I've been asked to log track changes made to our LDAP system. My
initial thought was to use the auditlog overlay as it outputs to a
text file, thus making it relatively straightforward to parse, but a
2009 discussion
(http://www.openldap.org/lists/openldap-technical/200911/msg00092.html)
On 22 July 2014 16:09, Harry Jede harry.j...@arcor.de wrote:
I assume you manually edit the config database? You should never
do this.
No, no manually editing - all done with LDIFs and ldapmodify.
slapcat your db
This got me thinking and I did a slapcat of cn=config only to find
that the
What's the actual query generating these messages?
Jul 22 08:04:51 ip-10-183-140-3 slapd[918]: conn=159468 op=385 SRCH
base=dc=example,dc=com scope=2 deref=0
filter=((objectClass=posixAccount)(uid=ubuntu))
Jul 22 08:04:51 ip-10-183-140-3 slapd[918]: conn=159468 op=385 SRCH
attr=uid uidNumber
Jul
2014-07-22 13:42 GMT+01:00 Harry Jede harry.j...@arcor.de:
Then your slapd process is unable to read the index. Chown the files to
openldap:openldap if those are your slapd user/group.
I think there may be some confusion between my head and OpenLDAP as to
where the files are located and that may
On 21 July 2014 16:56, Quanah Gibson-Mount qua...@zimbra.com wrote:
--On Saturday, July 19, 2014 11:39 AM +0100 Philip Colmer
philip.col...@linaro.org wrote:
While turning up the logging a bit to try to understand why slapd was
so busy, I noticed the following in the log
We have a setup whereby a group of users are able to create accounts
in specific OUs. This is handled by ACLs like this one:
add: olcAccess
olcAccess: to dn.exact=ou=team1,ou=accounts,dc=example,dc=org
attrs=children by
I'm using OpenLDAP 2.4.38.
At some distant point when I was testing the configuration of our OpenLDAP
server, I must have set pwdInHistory to 5 as I have 5 previous passwords
stored in my account object.
Before going live, though, I changed my mind and set pwdInHistory to 0.
However, my account
Thank you - I didn't know about the relax rules control!
That has solved my problem.
Philip
On 10 April 2014 12:51, Michael Ströder mich...@stroeder.com wrote:
On Thu, 10 Apr 2014 11:36:50 +0100 Philip Colmer philip.col...@linaro.org
wrote:
Given that pwdHistory is read-only
...@symas.com wrote:
Philip Colmer wrote:
This was an area where I also got stuck when researching this last year.
My conclusions were:
1. UNIX needs group membership to be UIDs and not DNs, so attempts to use
a class that defines members with DNs are likely to fail.
Nonsense. nss_ldap, nss
Hi
I've got a 2-node setup for master-master replication.
Other than creating or modifying a record on one node and then
checking/waiting for that change to appear on the other node, is there a
recommended way to check that the nodes are in sync and not encountering
any problems?
Thanks.
If I extend my existing OpenLDAP implementation to support N-way
multi-master, is it acceptable for the first server to retain an
olcServerID of 0 (the default when OpenLDAP gets installed) or do I need to
change it to a non-zero value?
Probably a stupid question but I thought I better ask before
2013 14:35, Philip Colmer philip.col...@linaro.org wrote:
This is what I've done so far on a test server that is a copy of our
production server:
1. slapcat -bcn=config -l config.ldif
2. slapcat -l backup.ldif
3. Uninstalled Ubuntu installation of OpenLDAP
4. Built and installed new version
command (which I
eventually found in another mail thread) avoids this whole issue.
On 12 December 2013 16:14, Quanah Gibson-Mount qua...@zimbra.com wrote:
--On Thursday, December 12, 2013 1:40 PM + Philip Colmer
philip.col...@linaro.org wrote:
dn: cn=module{0}
objectClass: olcModuleList
that I didn't
need to sym-link and that slapcat/slapadd was the appropriate way to
go.
On 12 December 2013 16:54, Quanah Gibson-Mount qua...@zimbra.com wrote:
--On Thursday, December 12, 2013 4:20 PM + Philip Colmer
philip.col...@linaro.org wrote:
Huh? Why didn't you just use ldapmodify
Our current implementation of OpenLDAP is Ubuntu 12.04 running version
2.4.28 which has been installed as a package.
To upgrade to 2.4.38, it looks like I need to remove that package and
then install my own built binaries.
Has anyone gone through this process before and got any tips/notes to
I suspect I've broken a fundamental rule of how sync works on OpenLDAP
but here goes ...
We've been running a single OpenLDAP server for a while now so I
wanted to get some resiliency into place. We are using version 2.4.28
on Ubuntu 12.04.
The original machine is a VM so I cloned it and built
Well spotted. It was indeed in the hosts file and I didn't spot that
during testing because I was using nslookup to check IP addresses.
Thanks.
Philip
On 5 December 2013 15:50, Yann Cézard yann.cez...@univ-pau.fr wrote:
On 05/12/2013 14:38, Philip Colmer wrote:
I suspect I've broken
only one node has the writes and
therefore reconciliation should be straightforward.
Philip
On 2 July 2013 16:27, Quanah Gibson-Mount qua...@zimbra.com wrote:
--On Tuesday, July 02, 2013 10:25 AM +0100 Philip Colmer
philip.col...@linaro.org wrote:
At the moment, we have a single LDAP
At the moment, we have a single LDAP server which we are using with LDAP
Account Manager for web-based object management and Atlassian Crowd for
authentication. The LDAP server is queried directly by other servers for
UNIX-level authentication, i.e. SSH and group membership.
I'm looking at
This is how I've done it:
Edit /etc/pam.d/sshd and uncomment
account required pam_access.so
Edit /etc/security/access.conf and add this line at the bottom:
-:ALL EXCEPT root sysadmin ubuntu (name of ssh group):ALL
The group can be an LDAP group. Users will still authenticate but they
I'm trying to find documentation for the various values that can be
specified for the MemberOf overlay, particularly olcMemberOfMemberAD and
olcMemberOfMemberOfAD. There are other values where I'm curious as to why
they have their particular value (e.g. olcMemberOfDangling: ignore).
Where is this
Hi
I wanted to run a scenario past everyone to see if there is a better
approach to the one I am thinking of implementing.
The OU structure we have is:
+- dc=example,dc=com
+-- ou=accounts
+--- ou=subsidiary1
+--- ou=subsidiary2
+--- ou=special
+--- ou=staff
+--- ou=the-rest
I have two groups
:
On Fri, Feb 01, 2013 at 04:56:18PM +, Philip Colmer wrote:
I have a followup requirement where I need to be able to restrict read
access to the groups as well as write access. I only want the owners of
an object to be able to read and write that object.
The reason for wanting
owners to write, nothing to everyone else.
Thanks for any suggestions/observations.
Philip
On 30 January 2013 08:00, Andrew Findlay andrew.find...@skills-1st.co.uk wrote:
On Thu, Jan 24, 2013 at 12:22:18PM +, Philip Colmer wrote:
What I want/need to be able to do is for LDAP to read the DN
Thank you, Andrew, for that clear example and explanation. I have
successfully implemented this now.
Regards
Philip
On 30 January 2013 08:00, Andrew Findlay andrew.find...@skills-1st.co.uk wrote:
On Thu, Jan 24, 2013 at 12:22:18PM +, Philip Colmer wrote:
What I want/need to be able
I'm trying to get access control for writing to groups as automated as
possible, in as much as I would like LDAP to be able to determine who is
able to write based on other attributes.
I've been able to successfully do this if I only need to grant access to
one or a few individuals, by specifying
anything that meets the
requirement.
Thanks for any feedback.
Philip
On 9 January 2013 18:36, Andrew Findlay andrew.find...@skills-1st.co.uk wrote:
On Wed, Jan 09, 2013 at 04:21:43PM +, Philip Colmer wrote:
I'm using OpenLDAP on Ubuntu 12.04. The installation of OpenLDAP
automatically
way of dealing with things.
Thank you, though, for all of the feedback.
Regards
Philip
On 10 January 2013 12:37, Andrew Findlay andrew.find...@skills-1st.co.uk wrote:
On Thu, Jan 10, 2013 at 10:51:41AM +, Philip Colmer wrote:
What I want to do is use the LDAP store for two purposes