Re: Switching from bdb to lmdb with Openldap-2.4.46

2018-06-06 Thread Norman Gray
d.d) * slapadd dump.ldif * start slapd That way, I know exactly what configuration is running _and_ I can test _exactly_ the modified configuration in a VM, beforehand. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: ldapi and StartTLS

2018-08-07 Thread Norman Gray
to respond: this project had swapped right out of my head, and it was only a couple of days ago that it was able to page back in). Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: OpenLDAP instances crashes

2018-08-23 Thread Norman Gray
without the overlay. I notice that there's an ongoing list thread 'help to get our openldap updated and replicated'. That thread might be worth monitoring, on general principles. Best wishes (and good luck), Norman -- Norman Gray : https://nxg.me.uk SUPA School of Physics and Astronomy, Un

ldapi and StartTLS

2018-07-15 Thread Norman Gray
that that ought to be unnecessary -- that I'm missing something simple. This is 2.4.45 on FreeBSD. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Error Loading Schema

2018-04-18 Thread Norman Gray
etStringMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 ) # # printableString SYNTAX yes|no olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' SUP top AUXILIARY DESC 'OpenSSH LPK objectclass' MUST uid MAY sshPublicKey ) Best wishes, Norman -- Norman Gray : https://nxg.me.uk

OpenLDAP: ACLs using sockname and DN?

2018-03-22 Thread Norman Gray
access specification, or is there another way to do this? Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: OpenLDAP: ACLs using sockname and DN?

2018-03-22 Thread Norman Gray
d in combination'. And an example in the admin guide would indeed be most welcome. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

SHA-2 and other hashes

2019-06-03 Thread Norman Gray
/openldap-bcrypt/issues/1 [5] https://github.com/Tarsnap/scrypt -- Norman Gray : https://nxg.me.uk

Re: SHA-2 and other hashes

2019-06-03 Thread Norman Gray
f-spec.md>). But I may have been unclear: by 'unspecified' I meant 'not described in a formal specification' (as far as I can see), so that I would not be comfortable trying to reimplement the glibc password-hashing process based on documentation alone. Best wishes, Norman -- Norman Gr

Re: SHA-2 and other hashes

2019-06-03 Thread Norman Gray
-argon2 That makes sense -- thanks. Patches for adding this to OpenLDAP would of course be welcome. I'm sure. However I fear I'm not going to be able to oblige in the short term Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: slapo-unique spins its wheels on a non-trivial olcUniqueURI spec

2019-09-13 Thread Norman Gray
Greetings. On 11 Sep 2019, at 11:09, Norman Gray wrote: So there is at least a documentation gap here. Of course slapd should not run crazy because of this. Is there enough information in my previous message for me to add a reasonable ITS report, do you think? I've added ITS#9486

Re: slapo-unique spins its wheels on a non-trivial olcUniqueURI spec

2019-09-11 Thread Norman Gray
my list). I'll study those. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

slapo-unique spins its wheels on a non-trivial olcUniqueURI spec

2019-09-10 Thread Norman Gray
ple there does look VERY much like what I tried. So: * I'm pretty sure I shouldn't be able to make slapadd spin its wheels like that. * The manpage text might be a little too telegraphic. While I'm sure it's not _wrong_, it is quite hard to go from that text to a working spec with

slapo-memberof(5) confusing documentation

2019-09-09 Thread Norman Gray
/Software%20Bugs?id=7400;selectid=7400 [4] http://www.openldap.org/its/index.cgi/?findid=8613 [5] https://www.openldap.org/lists/openldap-technical/201809/msg00099.html -- Norman Gray : https://nxg.me.uk

Re: slapo-memberof(5) confusing documentation

2019-09-09 Thread Norman Gray
Michael, hello. On 9 Sep 2019, at 16:16, Michael Ströder wrote: On 9/9/19 4:06 PM, Norman Gray wrote: However, immediately after that, the text says: Note that slapo-memberOf is not compatible with syncrepl based replication, and should not be used in a replicated environment

Documentation: mapping from slapd.conf to slapd database

2020-07-16 Thread Norman Gray
/admin24/overlays.html [3] https://mishikal.wordpress.com/2019/04/23/configuring-mmr-using-delta-syncrepl-in-openldap-updating-an-existing-standalone-configuration/ [4] Ie, grep -i syncprov /usr/local/etc/openldap/schema/* (and similar) produces nothing. -- Norman Gray : https://nxg.me.uk

Re: Documentation: mapping from slapd.conf to slapd database

2020-07-16 Thread Norman Gray
lays manpage early in my search for this information. Something like the above would have led me to the information I needed very quickly. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: STARTTLS vs LDAPS

2022-03-31 Thread Norman Gray
Client operating in that order. Yes, you _can_ and should do that, and most folk do. The problem here is that, with LDAP+StartTLS, the server can't prevent a client doing it the other way around, and sending the bind credentials before StartTLS. That's bad, from the server's point of view.

Re: STARTTLS vs LDAPS

2022-03-31 Thread Norman Gray
out the question, taken its deprecation of LDAPS as current doctrine. And ah, FAQ-o-matic I have fond memories of FAQ-o-matics, back when wikis were new... Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Official way to import schema with cn=config

2022-04-05 Thread Norman Gray
s is less weird in the latter case than the former). Or: what would I be losing if support for slapd.conf disappeared tomorrow? Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: [OldapWS] -> Proposal of a REST Web Service for CRUD Operations

2022-09-19 Thread Norman Gray
of design clarity. It also gets a fair amount of specification for free, in that the semantics of the HTTP verbs are well-defined, in terms of idempotency and the like. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: [EXT] [OldapWS] ‑> Proposal of a REST Web Service for CRUD Operations

2022-09-20 Thread Norman Gray
URIs, yes, but that's surely a very minor inconvenience, if it's an inconvenience at all. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Discovering certificate locations from libldap

2023-01-17 Thread Norman Gray
, if I'm confident I know that, I have other ways to confirm the cert directory. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: using SRV-records in syncrepl

2023-01-20 Thread Norman Gray
iple pass algorithm that the RFC suggests). Best wishes, Norman -- Norman Gray : https://nxg.me.uk // DNS support -- return information about LDAP servers, // by looking up a SRV record. // // SRV records, as discussed in RFC 2782, point to locations of // services. In the words of

Re: using SRV-records in syncrepl

2023-01-20 Thread Norman Gray
And...

On 20 Jan 2023, at 15:33, Norman Gray wrote:

> This exposes a function
>
> char* get_sorted_srv_records(const char* domain);
>
> which does a SRV lookup, and orders the records that come back according to
> the specification of RFC 2782 (though in a single

Re: using SRV-records in syncrepl

2023-01-20 Thread Norman Gray
Norman -- Norman Gray : https://nxg.me.uk // DNS support -- return information about LDAP servers, // by looking up a SRV record. // // SRV records, as discussed in RFC 2782, point to locations of // services. In the words of that RFC, // // If a SRV-cognizant LDAP client wants to discover

Re: using SRV-records in syncrepl

2023-01-20 Thread Norman Gray
say 'URI DNS:ldap.example.com' in there. Supporting something similar to that is why I wrote this code. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Tools parsing dc=foo URLs

2023-02-20 Thread Norman Gray
ing obvious I'm missing. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Tools parsing dc=foo URLs

2023-02-20 Thread Norman Gray
missing: > > ldapsearch -H ldap://server.example.net -b dc=example,dc=net" 'cn=foo' Indeed, and that's what I do most of the time. In fact, this is a case where a sequence of host+port LDAP URIs is useful. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Tools parsing dc=foo URLs

2023-02-10 Thread Norman Gray
nt, and calling ldap_url_parselist_int in that case (instead of ldap_url_parselist) with a sep argument of " " looks like it would do the job with a minimal change to the code. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Proposal to strengthen slapd EXTERNAL authentication

2023-06-28 Thread Norman Gray
CA did the legwork of setting up the PKI and checking the users, and I piggybacked on that, feeling rather smart. Unfortunately, not _all_ of the relevant users had those certs, so I still had to set up a local CA, which meant it ended up more trouble than it was in fact worth. Best wishes, Norman

Re: olcLimits and groupOfURLs dynlist

2024-02-08 Thread Norman Gray
er than fixed. What is wrong with my expectation? Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: olcLimits and groupOfURLs dynlist

2024-02-08 Thread Norman Gray
Howard, hello. On 8 Feb 2024, at 15:07, Howard Chu wrote: >> Norman Gray wrote: >> >> Howard, hello. >> >> On 8 Feb 2024, at 0:34, Howard Chu wrote: >> >>> 65c3df21.21fc2a30 0x16cacf000 >>> ldap_url_parse_ext(ldap:///ou=groups,o

Re: olcLimits and groupOfURLs dynlist

2024-02-08 Thread Norman Gray
s deliberate. Again, if OpenLDAP/dynlist is incapable of generating this entry, then that's fine -- I'll bodge some different way of getting what I need. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

The unique overlay: enforcing uniqueness in the union of trees

2024-02-06 Thread Norman Gray
search -LLL -H ldap:/// -b o=example '(objectclass=person)' uidnumber
dn: uid=u1,ou=dept1,o=example
uidNumber: 1000

dn: uid=u2,ou=dept2,o=example
uidNumber: 1000

% slapd -VVV
@(#) $OpenLDAP: slapd 2.6.7 (Jan 1 1980 00:00:00) $ openldap
Included static overlays: accesslog syncprov unique
Included static backends: config ldif monitor mdb relay

-- Norman Gray : https://nxg.me.uk

Re: The unique overlay: enforcing uniqueness in the union of trees

2024-02-06 Thread Norman Gray
to challenge. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

olcLimits and groupOfURLs dynlist

2024-02-07 Thread Norman Gray
a frame-challenge about the best way of achieving the underlying goal. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: The unique overlay: enforcing uniqueness in the union of trees

2024-02-07 Thread Norman Gray
Quanah, hello.

On 7 Feb 2024, at 19:26, Quanah Gibson-Mount wrote:

> Since it was historically done this way, yeah, best thing is to slowly fix
> the data until it can be done correctly.

It's really a local case of NIS. Must. Die

Norman

-- Norman Gray : https://nxg.me.uk

Re: olcLimits and groupOfURLs dynlist

2024-02-07 Thread Norman Gray
erators,ou=groups,o=example" oc="groupOfNames" ad="member"
65c3e6ae.1da36700 0x16e80b000 => mdb_search
65c3e6ae.1da3bcf0 0x16e80b000 mdb_dn2entry("o=example")
65c3e6ae.1da3e018 0x16e80b000 => mdb_dn2id("o=example")
65c3e6ae.1da3fb70 0x16e80b000 <= mdb_dn2id: got id=0x1
65c3e6ae.1da41ab0 0x16e80b000 => mdb_entry_decode:
65c3e6ae.1da43220 0x16e80b000 <= mdb_entry_decode
65c3e6ae.1da44d78 0x16e80b000 => access_allowed: search access to "o=example" "entry" requested

(interestingly, the string 'limit' doesn't subsequently appear in this -d-1 log, either)

So I'm afraid I'm still puzzled.

Norman

-- Norman Gray : https://nxg.me.uk

Re: olcLimits and groupOfURLs dynlist

2024-02-12 Thread Norman Gray
messy in practice; I notice group.expand, which might help. I notice that the documentation of olcAccess doesn't actually mention the dynlist overlay, and thus may be entirely independent of it. Something for me to investigate. Best wishes, Norman -- Norman Gray : https://nxg.me.uk

Re: Transitioning from slapd.conf to slapd.d, best practices for maintaining configuration comments?

2023-11-16 Thread Norman Gray
me. Best wishes, Norman -- Norman Gray : https://nxg.me.uk