no accesslog record on "delete" sync state control

2022-09-12 Thread Zeus Panchenko
hi I face a weird situation with my LDAP syncrepl consumer [1], please advise ... on "delete" sync state control receiving, I'm trying to search for accesslog object with the just deleted object to use it in further processing, but it is not available yet though if I set delay (sleep) for 1

[Q] ModRDN object via Net::LDAP::Control::SyncRequest

2019-09-12 Thread Zeus Panchenko
hi, please advise, how can I catch ModRDN object in syncrepl consumer? I use perl Net::LDAP on ldapmodrdn I successfully catch LDAP_SYNC_MODIFY event with Net::LDAP::Entry object, DN of which contains *new* rdn ... but how to know/get the old one?

[Q] RFC2307bis2 "An Approach for Using LDAP as a Network Information Service"

2019-02-07 Thread Zeus Panchenko
greetings, We've found RFC2307bis2: "An Approach for Using LDAP as a Network Information Service" and now wondering, what has happened to it finally? Is it just expired and forgotten? Recently we've begun to deploy netgroup usage in our network and found it impossible to do search by

Re: how to run script on event (modify/delete/add)?

2018-07-31 Thread Zeus Panchenko
thanks to everybody for soon reply Michael Ströder wrote: > On 07/30/2018 02:32 PM, Zeus Panchenko wrote: > Basically you have two options: > 1. run something within slapd (back-perl or back-sock) I'm still missing something ... what is/are the condition/s to see a candidate objec

how to run script on event (modify/delete/add)?

2018-07-30 Thread Zeus Panchenko
greetings, please advise how can I run external script on event (LDAP operation)? for example: I am generating config files for users from LDAP data with perl script I want to re-generate config files each time LDAP operation (modify, add,

[Q] how to add country attribute to organizationalUnit objectclass?

2018-01-19 Thread Zeus Panchenko
hi, I'm using organizationalUnit to hold organization related data and I'm wondering, how can I add country attribute to the object? I find it stumbling, all other address attributes are available but country ... I'd like to be able to do

Re: [Q] what is the best practice or right way to change schemas order for cn=config case?

2017-12-21 Thread Zeus Panchenko
Christian Kratzer wrote: > > 1. to move file? > > 2. to ldapmodify? > > > > for the one used to slapd.conf both of ways look weird ... :( > > for those cases that ldapmodify that does not work you can use slapcat > to dump all of the cn=config database edit it and reimport

[Q] what is the best practice or right way to change schemas order for cn=config case?

2017-12-20 Thread Zeus Panchenko
hi, what is the best practice or right way to change schemas order for cn=config case? 1. to move file? 2. to ldapmodify? for the one used to slapd.conf both of ways look weird ... :( -- Zeus V. Panchenko

Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Andrew Findlay wrote: > You could try using the extended search filter syntax: > > (dhcpOption:caseIgnoreSubstringsMatch:=boot*) > > See RFC4515 for more details. In practice you will probably want to create a I tried and failed ... where did I mistake?

Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Andrew Findlay wrote: > Try this: > (authorizedService:caseIgnoreSubstringsMatch:=m...@hh001.umi) now there is no error message, though the result is still empty alas ... # base

Re: Antw: Re: [Q] amendments to schemes existent

2017-10-21 Thread Zeus Panchenko
Ulrich Windl wrote: > But you are basically changing the semantics of attribute authorizedService: > Before "*" was literal, after it is magic (substring match). > > The discussion on which variant is more useful is a different issue ;-) for *my* flow, the

Re: [Q] amendments to schemes existent

2017-10-19 Thread Zeus Panchenko
thank you for reply Andrew Findlay wrote: > You should not change the definitions of standard attributes or > objectclasses. I remember that, though I wasn't able to get that working without patching ... > That does not stop you from setting up an index for

[Q] amendments to schemes existent

2017-10-04 Thread Zeus Panchenko
greetings, I'm wondering of search possibility lack for some attributes my question is: is it correct/good/sane/e.t.c. to patch them this way? is there other way to get those attributes searchable? for example I have to patch some schemes like this: ---[ PATCH SAMPLES START

consumer state is newer than provider (was "can I replicate several branches to the same slave from one master?")

2017-07-27 Thread Zeus Panchenko
greetings, alas, but I still face the issue ... :-\ ---[ replica log quotation start ]--- ... Jul 27 12:29:46 ABC slapd[15466]: do_syncrep2: rid=000 LDAP_RES_SEARCH_RESULT (53) Server is unwilling to perform Jul 27 12:29:46 ABC slapd[15466]: do_syncrep2:

Re: [Q] "selective" ACL

2017-07-26 Thread Zeus Panchenko
Andrew Findlay wrote: > [ This is a very old thread you are resurrecting! ] sorry, but was not able to find the answer yet below is a bit long reply/commentary ... > > access to dn.subtree="ou=People,dc=foo" > > by

Re: [Q] can I replicate several branches to the same slave from one master?

2017-07-03 Thread Zeus Panchenko
Quanah Gibson-Mount wrote: > > emm ... I was sure I can not do that on the master side ... just I try > > do that, I receive full data ... > > Then likely your ACLs were incorrect? yes, they were at last I was able to fix that and get it working the way (I believe) I want:

Re: [Q] can I replicate several branches to the same slave from one master?

2017-06-29 Thread Zeus Panchenko
Quanah Gibson-Mount wrote: > > Wouldn't it be simpler to define ACLs on the master that limit what > the replication identity has access to that matches your filters? > emm ... I was sure I can not do that on the master side ... just I try do that, I receive full data ...

Re: [Q] can I replicate several branches to the same slave from one master?

2017-06-29 Thread Zeus Panchenko
Quanah Gibson-Mount <qua...@symas.com> wrote: > --On Friday, June 30, 2017 12:48 AM +0300 Zeus Panchenko > <z...@ibs.dn.ua> wrote: > ... > > 22:45:30 ABC slapd[12593]: do_syncrep2: rid=000 (53) Server is unwilling > > to perform Jun 29 22:45:30 ABC slapd[1

Re: [Q] can I replicate several branches to the same slave from one master?

2017-06-29 Thread Zeus Panchenko
Andrew Findlay wrote: > > Try fixing the RIDs - use small numbers, all different. The exact values are > not important. > Also try commenting out the second syncrepl clause until you have the others > working properly. > You should be able to merge the first

[Q] can I replicate several branches to the same slave from one master?

2017-06-27 Thread Zeus Panchenko
hi, please advise I need to replicate not all but some branches from one master to one slave not sure how much correct I have done that, but here what I have: slave starts successfully, records appear on slave as expected, services successfully

ACL advice needed ...

2016-12-05 Thread Zeus Panchenko
greetings, I'm trying to configure ACL, I believe it is possible to ... but after some attempts I doubt it is ... please, help me to understand where I'm making the mistake/s ... I need to manage possibility for "coadmins" group members to manage

[Q] "selective" ACL

2016-09-09 Thread Zeus Panchenko
hi, I'm trying to configure a not complex (as I believe) ACL ... but have some difficulties I have two posixGroup groups cn=admins,ou=group,dc=foo cn=coadmins,ou=group,dc=foo my users resides in ou=People,dc=foo so, in subtree ou=People,dc=foo I need to allow anything to admins (and it is

Re: is there hardware inventory schema?

2014-11-04 Thread Zeus Panchenko
thanks much, Côme BERNIGAUD wrote: If not, maybe you can inspire yourself from it anyway. You can see the schema there:

is there hardware inventory schema?

2014-11-03 Thread Zeus Panchenko
greetings, please advise, is there schema or what will it be correct to use, for hardware inventory data to be stored in LDAP (except custom schema)? perhaps I'm not the first who asks that ... -- Zeus V. Panchenko

Re: journal of changes

2014-11-03 Thread Zeus Panchenko
thank you very much, it is really what I need Michael Ströder mich...@stroeder.com wrote: Zeus Panchenko wrote: is there way to have something like, I'd call, journal of changes where it could be saved all changes (modifications and deletions in particular) for each object what I'm

journal of changes

2014-10-22 Thread Zeus Panchenko
hi, is there way to have something like, I'd call, journal of changes where it could be saved all changes (modifications and deletions in particular) for each object what I'm talking about is *whole* history of the actions the object has undergone

Re: dhcp.schema attribute dhcpStatements value in filter

2014-04-02 Thread Zeus Panchenko
Harry Jede harry.j...@arcor.de wrote: By default, that's not possible. yes, and I really wonder why? ... isn't it beneficial to be able to find which MAC has which IP? ... but this question is to dhcp.schema author/s of course :) You need to

Re: dhcp.schema attribute dhcpStatements value in filter

2014-04-02 Thread Zeus Panchenko
Michael Ströder mich...@stroeder.com wrote: Because there's no SUBSTR matching rule defined for 'dhcpHWAddress' so, there is no way to ldapsearch by that attribute except `*' ? You should really make yourself familiar with the various search

dhcp.schema attribute dhcpStatements value in filter

2014-04-01 Thread Zeus Panchenko
hi, I configured my isc-dhcpd servers to work with openldap, all works now when I want to find dn for some definite MAC or IP, I am unable to do that please, help to understand how can I ldapsearch by attribute dhcpStatements values? in

Re: dhcp.schema attribute dhcpStatements value in filter

2014-04-01 Thread Zeus Panchenko
Michael Ströder mich...@stroeder.com wrote: I use filter: ((objectClass=dhcpHost)(dhcpStatements=fixed-address 10.0.0.222)) and receive empty result ... Did you change the indexing configuration for attribute 'dhcpStatements'? the only

Re: dhcp.schema attribute dhcpStatements value in filter

2014-04-01 Thread Zeus Panchenko
Michael Ströder mich...@stroeder.com wrote: I rephrase my question: Did you change the indexing configuration for attribute 'dhcpStatements' *after* adding/modifying the entries? no, I didn't If yes, then see this:

Re: dhcp.schema attribute dhcpStatements value in filter

2014-04-01 Thread Zeus Panchenko
Michael Ströder mich...@stroeder.com wrote: Because there's no SUBSTR matching rule defined for 'dhcpHWAddress' so, there is no way to ldapsearch by that attribute except `*' ? which is not needed anyway. mmm ... no need to be able to find the

Re: separate login/password for several services?

2013-09-27 Thread Zeus Panchenko
Andrew Findlay andrew.find...@skills-1st.co.uk wrote: That can be done - it is just a matter of choosing a naming structure that allows it. that's simple but was not obvious to me :( That one won't work, as there is no way to link the individual uid and userPassword values. You need one LDAP

Re: separate login/password for several services?

2013-09-26 Thread Zeus Panchenko
Andrew Findlay andrew.find...@skills-1st.co.uk wrote: mmm ... will not it prevent non-uniqueness only for parent DN-s? while what I'm trying to ask (I'm sorry for muddled up explanation what I mean) about is - uniqueness for the uid *in* the entry ... so, the uniqueness of the attribute

attribute to store system mailbox value

2013-08-19 Thread Zeus Panchenko
hi, may somebody to recommend the attribute to store path to system mailbox, among attributes of schema files shipped with openldap, system mailbox is the path to mbox format file or maildir directory where MDA (depends on MDA configuration) stores received mail messages so, to not to add new

Re: attribute to store system mailbox value

2013-08-19 Thread Zeus Panchenko
Nick Milas n...@eurobjects.com wrote: so, to not to add new LDAP object and attribute definition, I'd like to know, may be close by function attribute already exists? I suggest using a specialized schema for such use. Maybe you would want to read through this thread:

Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay andrew.find...@skills-1st.co.uk wrote: ... You would end up creating two new attributes for each service type, and OpenLDAP would still not check the passwords for you in a useful way. Better method: Create a sub-entry below the user entry for each service. The

Re: separate login/password for several services?

2013-08-09 Thread Zeus Panchenko
Andrew Findlay andrew.find...@skills-1st.co.uk wrote: Do you really want every user account on every service to have a different username? to be honest, I do not want, but in practice when I need to land some mail domain with whole its users at my MTA, I need to decide what to do with widely

Re: how to configure subsuffix?

2013-08-01 Thread Zeus Panchenko
Quanah Gibson-Mount qua...@zimbra.com wrote: what I mean is structure for head office (ho), branch 1 of head office (bo1), ... branch N of head office (boN): This is generally a bad way to implement. I would generally advise tracking their organization based on attributes in their entry.

separate login/password for several services?

2013-08-01 Thread Zeus Panchenko
hi all, please, may somebody advise I need to set separate credentials for each service I provide (optionally) to my users I think of something like this: dn: uid=target-user,ou=People,dc=ibs userPassword: ** ... authorizedService: xmpp authorizedService: smtp authorizedService: pop

how to configure subsuffix?

2013-07-25 Thread Zeus Panchenko
hi all, I'm absolutely new to LDAP and need advice, please how is it better/correct to configure database to implement corporative users tree covered? what I mean is structure for head office (ho), branch 1 of head office (bo1), ... branch N of head office (boN): - ho -+- bo1 -+- People