Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Hello,

today I didn't have much time, same as every Monday ;-( Nearly all the time left was spent compiling samba3 --with ldap. After that I spoke to my co-worker; he told me that he unsuccessfully tried to rebuild openldap-2.1.22-2mdk.src.rpm (--with bdb), so he downloaded the original sources. Now I know that nearly all the schemas were taken from openldap.org and only the few that exist only in the cooker rpm were copied out of there. So much for the prehistory.

After I enabled all schemas and replaced samba.schema I got the following messages at startup:

/etc/openldap/schema/rfc822-MailMember.schema: line 7: Duplicate attributeType: 1.3.6.1.4.1.42.2.27.2.1.15
/etc/openldap/schema/qmail.schema: line 24: AttributeType inappropriate matching rule: integerMatch
/etc/openldap/schema/mull.schema: line 45: AttributeType inappropriate matching rule: bitStringMatch
/etc/openldap/schema/dns.schema: line 23: OID could not be expanded: oid

BTW: is someone still translating, or planning to translate, openldap-guide-2.1.22-2mdk.i586.rpm?

More tomorrow,

Regards
Falko

On Sat, 26 Jul 2003 23:53:54 +0200 (SAST) Buchan Milne [EMAIL PROTECTED] wrote:

> I have started a script to do some schema checks, but the best way seems to be to have a server running with schema check on, and try and import from LDIF, that is if you have spare servers. I am planning to have checks to run on a server that has schema checking off, but I am having a bit of trouble getting all the objectclasses using perl-ldap, so haven't progressed very far. Main ideas are to check each entry has one and only one structural class, that all objectclasses and attributes exist etc (assuming the schema itself is correct).
>
> Regards,
> Buchan
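The checks Buchan describes in the quoted message (exactly one structural objectClass per entry, every objectClass and attribute known, MUST attributes present) can be run offline against an LDIF dump before feeding it to a server with schemacheck on. The following is an added example written for this page, not Buchan's perl-ldap script and not part of any openldap package: its schema is a hand-built subset of the core/nis classes with abbreviated MUST/MAY lists (an assumption, not the real .schema files), and the LDIF is constructed. It does not parse .schema files, so it cannot reproduce the startup errors above; those come from slapd's own schema parser.

```python
"""Added example: a minimal LDIF entry checker in the spirit of the checks
Buchan describes (one structural objectClass per entry, all objectClasses and
attributes known, MUST attributes present).  Not the script from the thread;
the schema below is a hand-built subset, not a parser for real .schema files."""

# Constructed schema subset: class -> (kind, superior, MUST, MAY).
# The MUST/MAY lists are abbreviated and are an assumption of this example.
OBJECT_CLASSES = {
    "top": ("ABSTRACT", None, {"objectClass"}, set()),
    "person": ("STRUCTURAL", "top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "description"}),
    "organizationalPerson": ("STRUCTURAL", "person", set(), {"title", "ou", "l"}),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson", set(),
                      {"mail", "uid", "givenName"}),
    "posixAccount": ("AUXILIARY", "top",
                     {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"},
                     {"loginShell", "gecos", "description", "userPassword"}),
    "organizationalUnit": ("STRUCTURAL", "top", {"ou"}, {"description"}),
}
KNOWN_ATTRS = {"objectClass", "sn", "cn", "userPassword", "telephoneNumber",
               "description", "title", "ou", "l", "mail", "uid", "givenName",
               "uidNumber", "gidNumber", "homeDirectory", "loginShell", "gecos"}
# LDAP names are case-insensitive; map lowercase -> canonical spelling.
OC_BY_LOWER = {k.lower(): k for k in OBJECT_CLASSES}
ATTR_BY_LOWER = {a.lower(): a for a in KNOWN_ATTRS}

# Constructed sample: one clean entry, one with two structural classes,
# one with an unknown class, an unknown attribute and a missing MUST.
SAMPLE_LDIF = """\
# constructed sample, not data from the thread
dn: uid=falko,ou=People,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Falko Pilz
sn: Pilz
uid: falko
uidNumber: 1001
gidNumber: 100
homeDirectory: /home/falko
description: long value continued
  on the next line

dn: cn=broken,ou=People,dc=example,dc=com
objectClass: person
objectClass: organizationalUnit
cn: broken
sn: broken
ou: People

dn: cn=mystery,dc=example,dc=com
objectClass: sambaSamAccount
objectClass: person
cn: mystery
sambaSID: S-1-5-21-1
"""


def parse_ldif(text):
    """Parse LDIF text into a list of {attr: [values]} dicts.
    Unfolds continuation lines (leading space), skips '#' comments and drops
    attribute options such as ';binary'.  Base64 values (::) are kept as-is,
    which is enough for a schema check."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # LDIF folding: drop exactly one space
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:             # sentinel flushes the last entry
        if line == "":
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        name = name.strip().split(";")[0]
        current.setdefault(name, []).append(value.lstrip(": ").rstrip())
    return entries


def _superiors(name):
    """Class plus all its superiors (most specific first), or None if unknown."""
    chain = []
    while name is not None:
        canon = OC_BY_LOWER.get(name.lower())
        if canon is None:
            return None
        chain.append(canon)
        name = OBJECT_CLASSES[canon][1]
    return chain


def check_entry(entry):
    """Return the list of schema problems found in one parsed entry."""
    dn = entry.get("dn", ["<no dn>"])[0]
    problems, expanded = [], set()
    for oc in entry.get("objectClass", []):
        chain = _superiors(oc)
        if chain is None:
            problems.append(f"{dn}: unknown objectClass {oc}")
        else:
            expanded.update(chain)
    if not expanded:
        return problems + [f"{dn}: no usable objectClass"]
    # All structural classes must lie on one inheritance line, i.e. exactly
    # one structural class is not the superior of another one in the entry.
    structural = {c for c in expanded if OBJECT_CLASSES[c][0] == "STRUCTURAL"}
    leaves = sorted(c for c in structural
                    if not any(c in _superiors(o)[1:] for o in structural))
    if len(leaves) != 1:
        problems.append(f"{dn}: {len(leaves)} structural classes: {', '.join(leaves)}")
    required = set().union(*(OBJECT_CLASSES[c][2] for c in expanded))
    allowed = required.union(*(OBJECT_CLASSES[c][3] for c in expanded))
    present = {ATTR_BY_LOWER.get(a.lower(), a) for a in entry if a != "dn"}
    for attr in sorted(present):
        if attr not in KNOWN_ATTRS:
            problems.append(f"{dn}: unknown attribute {attr}")
        elif attr not in allowed:
            problems.append(f"{dn}: attribute {attr} not allowed by its objectClasses")
    for attr in sorted(required - present):
        problems.append(f"{dn}: missing required attribute {attr}")
    return problems


def check_ldif(text):
    """Map every entry's dn to its list of problems (empty list = clean)."""
    return {e.get("dn", ["<no dn>"])[0]: check_entry(e) for e in parse_ldif(text)}


if __name__ == "__main__":
    for dn, problems in check_ldif(SAMPLE_LDIF).items():
        print(dn, "OK" if not problems else "")
        for p in problems:
            print("  ", p)
```

Feed it the LDIF produced by the migration scripts, or an `ldapsearch -LLL` dump of a server running with schemacheck off; every dn with a non-empty list is an entry that slapd would reject on import once checking is enabled. Extending OBJECT_CLASSES to the full schema set is the part the example leaves out.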
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

On Mon, 28 Jul 2003, Falko Pilz wrote:

> Hello,
>
> today I didn't have much time, same as every Monday ;-( Nearly all the time left was spent compiling samba3 --with ldap.

Why? AFAIK, there is no need (so far, in my tests, samba3 uses the samba2 schema fine with passdb backend = ldapsam_compat, and the samba3 schema with passdb backend = ldapsam).

> After that I spoke to my co-worker; he told me that he unsuccessfully tried to rebuild openldap-2.1.22-2mdk.src.rpm (--with bdb), so he downloaded the original sources.

- openldap-2.1.22-2mdk should have bdb support (I haven't tested, but the configure summary says it is building bdb support)
- He should file a bug if he has the buildrequires satisfied and it doesn't build. But if he is missing buildrequires, chances are a build from source would either miss important options, or would fail.

> Now I know that nearly all the schemas were taken from openldap.org and only the few that exist only in the cooker rpm were copied out of there. So much for the prehistory.
>
> After I enabled all schemas and replaced samba.schema I got the following messages at startup:
>
> /etc/openldap/schema/rfc822-MailMember.schema: line 7: Duplicate attributeType: 1.3.6.1.4.1.42.2.27.2.1.15
> /etc/openldap/schema/qmail.schema: line 24: AttributeType inappropriate matching rule: integerMatch
> /etc/openldap/schema/mull.schema: line 45: AttributeType inappropriate matching rule: bitStringMatch
> /etc/openldap/schema/dns.schema: line 23: OID could not be expanded: oid

The only schema file in /etc/openldap owned by openldap packages is local.schema. All other provided schemas are in /usr/share/openldap/schema.

> BTW: is someone still translating, or planning to translate, openldap-guide-2.1.22-2mdk.i586.rpm?

Only the people at http://www.openldap.org would know.
Regards,
Buchan

--
|Registered Linux User #182071-|
Buchan Milne                    Mechanical Engineer, Network Manager
Cellphone * Work                +27 82 472 2231 * +27 21 8828820 x121
Stellenbosch Automotive Engineering             http://www.cae.co.za
GPG Key                         http://ranger.dnsalias.com/bgmilne.asc
1024D/60D204A7 2919 E232 5610 A038 87B1 72D6 AC92 BA50 60D2 04A7

** Please click on http://www.cae.co.za/disclaimer.htm to read our e-mail disclaimer or send an e-mail to [EMAIL PROTECTED] for a copy. **
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Hello,

thanks, I should try it on Monday. Which security issues do you mean??

Regards
Falko

On Sat, 26 Jul 2003 01:49:31 +0200 Stefan van der Eijk [EMAIL PROTECTED] wrote:

> Add the following line to the end of /etc/openldap/slapd.conf:
>
> allow bind_anon_cred bind_anon_dn bind_v2
>
> It works for me (I had the same issues) but there may be security consequences with this configuration.
>
> Stefan
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

On Sat, 26 Jul 2003, Falko Pilz wrote:

> I've updated my LDAP server today (not critical, still a playground). After that an also updated directory_administrator couldn't access the LDAP server because of an LDAP protocol mismatch / disallowed. Because openldap's tools like ldapsearch and ldapadd still work, and there were no config changes, my question is: could it be an error in dir_adm, or was the protocol changed in openldap?

It took a while for the directory_administrator-1.5 package to make it in, but it *should* work with openldap-2.1.22 without enabling ldapv2 binds (I have not tested, since I need a working autofs/ldap, and current autofs doesn't do ldapv3 yet). Please try the directory_administrator-1.5-1mdk package before making the changes Stefan mentioned.

Also, please note that the migration to openldap-2.1.x is not totally complete, so if you run an openldap server on cooker, you may have some extra migration work to do. I would be interested in any schema violations or similar issues ... and any more ldap software that isn't ldapv3 capable.

Regards,
Buchan
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Falko,

I do suggest you try the new directory administrator package as Buchan said. We want to be able to run openldap with as few configuration changes as possible.

> thanks, I should try it on Monday. Which security issues do you mean??

I'm not sure if there are security issues with these settings, but it does sound like it. From the slapd.conf(5) man page:

  allow <features>
         Specify a set of features (separated by white space) to allow (default none). bind_v2 allows acceptance of LDAPv2 bind requests. Note that slapd(8) does not truly implement LDAPv2 (RFC 1777), now Historic (RFC 3494). bind_anon_cred allows anonymous bind when credentials are not empty (e.g. when DN is empty). bind_anon_dn allows unauthenticated (anonymous) bind when DN is not empty. update_anon allows unauthenticated (anonymous) update operations to be processed (subject to access controls and other administrative limits).

As you can see, some anonymous actions are allowed with these options. There may be cases where the information stored in the LDAP is to be kept confidential and you only want authenticated requests to be able to access it. My concern is that with these options:

  bind_anon_cred bind_anon_dn (not: bind_v2)

information leakage may be possible. I needed my LDAP to work again quickly (also using autofs) and this made it happen... If you copy these settings, I suggest you look into the *possible* consequences -- I won't accept responsibility if these settings lead to your LDAP server being opened up.

Regards,
Stefan

> Regards
> Falko
>
> On Sat, 26 Jul 2003 01:49:31 +0200 Stefan van der Eijk [EMAIL PROTECTED] wrote:
>
>> Add the following line to the end of /etc/openldap/slapd.conf:
>>
>> allow bind_anon_cred bind_anon_dn bind_v2
>>
>> It works for me (I had the same issues) but there may be security consequences with this configuration.
>>
>> Stefan
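To make the consequences Stefan is worried about checkable rather than a feeling, here is an added example (written for this page; not from the thread and not part of any Mandrake package) that parses a slapd.conf, reports which of the allow features from the man page excerpt are switched on, and shows the directives slapd.conf(5) offers to shut anonymous access again: disallow bind_anon refuses anonymous binds, and require authc refuses operations from clients that have not authenticated at all, which disallow bind_anon alone does not. Both configurations are constructed. The require authc line assumes every client can bind with credentials; nss_ldap or autofs setups that do anonymous lookups would break with it, so treat it as the target, not as a drop-in.

```python
"""Added example, not from the thread: audit a slapd.conf for the anonymous
bind features Stefan quotes from slapd.conf(5), and show the directives that
shut anonymous access again.  The parser is deliberately small (one directive
per line, '#' comments, continuation lines starting with whitespace) and does
not model the global/database section split."""

# Constructed weak configuration: the line suggested earlier in the thread
# appended to an otherwise ordinary slapd.conf.
WEAK_CONF = """\
include   /usr/share/openldap/schema/core.schema
pidfile   /var/run/ldap/slapd.pid
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=manager,dc=example,dc=com"
# added to make an LDAPv2 client work again
allow bind_anon_cred bind_anon_dn bind_v2
"""

# Constructed hardened variant: no allow line, anonymous binds refused and
# authentication required for every operation.  'require authc' also breaks
# clients that rely on anonymous searches (typical nss_ldap setups), so it is
# an assumption here that every client can bind with credentials.
HARDENED_CONF = """\
include   /usr/share/openldap/schema/core.schema
pidfile   /var/run/ldap/slapd.pid
disallow  bind_anon
require   authc
database  bdb
suffix    "dc=example,dc=com"
rootdn    "cn=manager,dc=example,dc=com"
"""

# allow-features from slapd.conf(5) that widen who may bind; the text
# paraphrases the man page excerpt quoted in the message above.
RISKY_ALLOW = {
    "bind_anon_cred": "anonymous bind accepted although a password was sent",
    "bind_anon_dn": "unauthenticated bind accepted although a DN was sent",
    "update_anon": "anonymous update operations processed",
    "bind_v2": "LDAPv2 bind requests accepted (legacy client path, not a leak by itself)",
}


def parse_slapd_conf(text):
    """Return [(directive, [args]), ...] in file order; directives lowercased."""
    lines = []
    for raw in text.splitlines():
        if raw[:1] in (" ", "\t") and lines:
            lines[-1] += " " + raw.strip()       # slapd.conf continuation line
        else:
            lines.append(raw)
    parsed = []
    for line in lines:
        line = line.strip()
        if line and not line.startswith("#"):
            parts = line.split()
            parsed.append((parts[0].lower(), parts[1:]))
    return parsed


def audit(text):
    """Collect allow/disallow/require features and return (features, findings).
    findings is a list of (severity, subject, message); empty means clean."""
    feats = {"allow": set(), "disallow": set(), "require": set()}
    for directive, args in parse_slapd_conf(text):
        if directive in feats:
            feats[directive].update(a.lower() for a in args)
    findings = []
    for f in sorted(feats["allow"] & set(RISKY_ALLOW)):
        findings.append(("info" if f == "bind_v2" else "warn", f, RISKY_ALLOW[f]))
    # 'disallow bind_anon' refuses anonymous *binds*; slapd.conf(5) notes that
    # it does not stop anonymous directory access, which needs 'require authc'.
    if "authc" not in feats["require"]:
        findings.append(("warn", "require",
                         "anonymous directory access still possible (no 'require authc')"))
    return feats, findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        feats, findings = audit(conf)
        print(name, "allow=" + " ".join(sorted(feats["allow"])), *findings, sep="\n  ")
```

Run it against /etc/openldap/slapd.conf after a change like the one above; the weak file yields two warnings for the bind_anon_* features, an informational line for bind_v2 and a warning that nothing requires authentication, while the hardened file yields nothing. Whether bind_v2 can be dropped depends on whether an LDAPv2-only client (autofs in this thread) still has to talk to the server.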
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Hello,

okay, this should be the better way. Have you put it on cooker? I couldn't find it at my mirror (nluug.nl).

Thanks for the migration note, but I'm still at the start of the LDAP server. I would implement Samba3 with OpenLDAP as PDC, so no migration is done at the moment. I used the schemas from 9.1 at /usr/share/openldap/schema (seems to be out of 2.0.x); with 2.1.22 there were a lot of violations. After changing slapd.conf to /etc/openldap/schema only the kerberos and DNS schemas still don't work. I could report more on Monday, because I haven't tested everything.

Regards and thanks again
Falko

On Sat, 26 Jul 2003 11:25:14 +0200 (SAST) Buchan Milne [EMAIL PROTECTED] wrote:

> On Sat, 26 Jul 2003, Falko Pilz wrote:
>
>> I've updated my LDAP server today (not critical, still a playground). After that an also updated directory_administrator couldn't access the LDAP server because of an LDAP protocol mismatch / disallowed. Because openldap's tools like ldapsearch and ldapadd still work, and there were no config changes, my question is: could it be an error in dir_adm, or was the protocol changed in openldap?
>
> It took a while for the directory_administrator-1.5 package to make it in, but it *should* work with openldap-2.1.22 without enabling ldapv2 binds (I have not tested, since I need a working autofs/ldap, and current autofs doesn't do ldapv3 yet). Please try the directory_administrator-1.5-1mdk package before making the changes Stefan mentioned.
>
> Also, please note that the migration to openldap-2.1.x is not totally complete, so if you run an openldap server on cooker, you may have some extra migration work to do. I would be interested in any schema violations or similar issues ... and any more ldap software that isn't ldapv3 capable.
>
> Regards,
> Buchan
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

On Sat, 26 Jul 2003, Falko Pilz wrote:

> Hello,
>
> okay, this should be the better way. Have you put it on cooker?

Lenny uploaded it to cooker on Thursday IIRC ... see the changelog date for when I first tried to get it uploaded ...

> I couldn't find it at my mirror (nluug.nl).

It's on the cluster, it hasn't made it to my local mirror though ... but there is one here:

ftp://mandrake.redbox.cz/Mandrake-devel/cooker/i586/Mandrake/RPMS/directory_administrator-1.5.1-1mdk.i586.rpm

> Thanks for the migration note, but I'm still at the start of the LDAP server. I would implement Samba3 with OpenLDAP as PDC, so no migration is done at the moment.

I had one running without problems, but I reverted the schema change to test samba3 with the samba2 schema, so it's running the 2.2.x schema again. We need to take a decision on how to handle the schema. I think for 9.2 we should include both samba2 and samba3 schemas in the samba.schema file. I will try and do this for the next openldap package.

BTW, feedback on samba3 is also welcome. And if you haven't seen it yet, you may want to look at these articles, even though they were for samba-2.2.x:

Oh, and the migration scripts in the openldap-migration package still need some work (patches welcome) for schema compliance.

> I used the schemas from 9.1 at /usr/share/openldap/schema (seems to be out of 2.0.x); with 2.1.22 there were a lot of violations. After changing slapd.conf to /etc/openldap/schema only the kerberos and DNS schemas still don't work.

Hmm, my kerberos and dns-related objectclasses went into my 2.1.22-2mdk server on 9.1 with only the schema files in the package, with schema checking enabled.

> I could report more on Monday, because I haven't tested everything.

Regards,
Buchan
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

On Sat, 26 Jul 2003 16:14:19 +0200 (SAST) Buchan Milne [EMAIL PROTECTED] wrote:

> On Sat, 26 Jul 2003, Falko Pilz wrote:
>
>> I couldn't find it at my mirror (nluug.nl).
>
> It's on the cluster, it hasn't made it to my local mirror though ... but there is one here:

Thanks, I'll try it out.

> I had one running without problems, but I reverted the schema change to test samba3 with the samba2 schema, so it's running the 2.2.x schema again. We need to take a decision on how to handle the schema. I think for 9.2 we should include both samba2 and samba3 schemas in the samba.schema file. I will try and do this for the next openldap package.

Is there any roadmap for this package? There is no schema in the samba3 rpms, is there? What do you think about a samba3-ldap*.rpm or a samba3-passwd-ldap*.rpm?

> BTW, feedback on samba3 is also welcome. And if you haven't seen it yet, you may want to look at these articles, even though they were for samba-2.2.x:

Sorry, the articles were lost. The 3 at mdk-secure about LDAP and Samba I'm still using for building my server.

BTW: should the samba3 rpms still be rebuilt for LDAP support? The server was cleaned of all devel, make and gcc packages. I would have to rebuild on another server, that's why I ask.

> Oh, and the migration scripts in the openldap-migration package still need some work (patches welcome) for schema compliance.

You're right, the error wasn't the kerberos schema, it was migrate_passwd.pl. Where should I send patches? To you or padl.com?

>> I used the schemas from 9.1 at /usr/share/openldap/schema (seems to be out of 2.0.x); with 2.1.22 there were a lot of violations. After changing slapd.conf to /etc/openldap/schema only the kerberos and DNS schemas still don't work.
>
> Hmm, my kerberos and dns-related objectclasses went into my 2.1.22-2mdk server on 9.1 with only the schema files in the package, with schema checking enabled.

Schema checking, how do I start that? Sorry, I'm still a newbie at LDAP.

Regards
Falko
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

On Sat, 26 Jul 2003, Falko Pilz wrote:

> On Sat, 26 Jul 2003 16:14:19 +0200 (SAST) Buchan Milne [EMAIL PROTECTED] wrote:
>
>> I had one running without problems, but I reverted the schema change to test samba3 with the samba2 schema, so it's running the 2.2.x schema again. We need to take a decision on how to handle the schema. I think for 9.2 we should include both samba2 and samba3 schemas in the samba.schema file. I will try and do this for the next openldap package.
>
> Is there any roadmap for this package? There is no schema in the samba3 rpms, is there?

No, you will have to fish them out of the samba3 package for now .. There is no official roadmap that I know of, I am just trying to fix the issues that affect samba/samba3 and that we may bump into on our own server ...

> What do you think about a samba3-ldap*.rpm or a samba3-passwd-ldap*.rpm?

There may be no need, depending on some issues with the build process. You will notice we have samba3-passdb-{xml,mysql}; they can be built as shared modules. I have not succeeded in building the ldap passdb plugin shared; until I do, samba3-server will ship with built-in ldap support. And if the samba team makes it, it will be samba-server-3.0.0, not samba3-server.

>> BTW, feedback on samba3 is also welcome. And if you haven't seen it yet, you may want to look at these articles, even though they were for samba-2.2.x:
>
> Sorry, the articles were lost.

Yes, I realised after I sent it that I hadn't added the links, but mandrakesecure.net is apparently having some trouble (it will be solved soon apparently) and was inaccessible.

> The 3 at mdk-secure about LDAP and Samba I'm still using for building my server.

Yes, those are the 3, although some adjustments have to be made for samba3 and openldap-2.1.x.

> BTW: should the samba3 rpms still be rebuilt for LDAP support?

No, since samba3 supports run-time passdb configuration (whereas in samba2 it is compile-time-only), this is not necessary, we have ldap support out of the box.

Rebuilding with --with-ldap will (AFAIK) enforce the samba2 schema (ie similar functionality to the 2.2.x packages), but it should not even be necessary, since you can just use passdb backend = ldapsam_compat

> The server was cleaned of all devel, make and gcc packages. I would have to rebuild on another server, that's why I ask.

Well, if you're running a stable release, you can always grab packages from http://ranger.dnsalias.com/mandrake/, I have been meaning to get packages up to ftp.samba.org, but have been too busy ...

>> Oh, and the migration scripts in the openldap-migration package still need some work (patches welcome) for schema compliance.
>
> You're right, the error wasn't the kerberos schema, it was migrate_passwd.pl. Where should I send patches? To you or padl.com?

To me first ... unless I beat you to it ;-)

>>> I used the schemas from 9.1 at /usr/share/openldap/schema (seems to be out of 2.0.x); with 2.1.22 there were a lot of violations. After changing slapd.conf to /etc/openldap/schema only the kerberos and DNS schemas still don't work.
>>
>> Hmm, my kerberos and dns-related objectclasses went into my 2.1.22-2mdk server on 9.1 with only the schema files in the package, with schema checking enabled.
>
> Schema checking, how do I start that? Sorry, I'm still a newbie at LDAP.

I have started a script to do some schema checks, but the best way seems to be to have a server running with schema check on, and try and import from LDIF, that is if you have spare servers. I am planning to have checks to run on a server that has schema checking off, but I am having a bit of trouble getting all the objectclasses using perl-ldap, so haven't progressed very far. Main ideas are to check each entry has one and only one structural class, that all objectclasses and attributes exist etc (assuming the schema itself is correct).

Regards,
Buchan
[Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Hello,

I've updated my LDAP server today (not critical, still a playground). After that an also updated directory_administrator couldn't access the LDAP server because of an LDAP protocol mismatch / disallowed. Because openldap's tools like ldapsearch and ldapadd still work, and there were no config changes, my question is: could it be an error in dir_adm, or was the protocol changed in openldap?

Regards
Falko
Re: [Cooker] openldap 2.1.22 incompatible to directory_administrator-1.4-1

Falko Pilz wrote:

> Hello,
>
> I've updated my LDAP server today (not critical, still a playground). After that an also updated directory_administrator couldn't access the LDAP server because of an LDAP protocol mismatch / disallowed. Because openldap's tools like ldapsearch and ldapadd still work, and there were no config changes, my question is: could it be an error in dir_adm, or was the protocol changed in openldap?
>
> Regards
> Falko

Add the following line to the end of /etc/openldap/slapd.conf:

allow bind_anon_cred bind_anon_dn bind_v2

It works for me (I had the same issues) but there may be security consequences with this configuration.

Stefan
Re: [Cooker] Openldap 2.1.22

From: magic [EMAIL PROTECTED]

> Hello all,
>
> I was just wondering what the status of openldap is. Openldap 2.1.x has been discussed for some time, and I know a few folks have even built rpms (2.1.22 was the last I saw). Any idea when we will see it hit cooker?
>
> I saw where openldap 2.0.27 is still being patched/updated - I think it would be a better use of development time to work on the new version rather than patching/updating the old version (that will need to be replaced anyway).

Fresh listing from synced cooker main:

openldap-back_dnssrv-2.1.22-2mdk.i586.rpm
openldap-back_ldap-2.1.22-2mdk.i586.rpm
openldap-back_passwd-2.1.22-2mdk.i586.rpm
openldap-back_sql-2.1.22-2mdk.i586.rpm
openldap-clients-2.1.22-2mdk.i586.rpm
openldap-guide-2.1.22-2mdk.i586.rpm
openldap-migration-2.1.22-2mdk.i586.rpm
openldap-servers-2.1.22-2mdk.i586.rpm
openldap-2.1.22-2mdk.i586.rpm

Regards
Thomas
[Cooker] Openldap 2.1.22

Hello all,

I was just wondering what the status of openldap is. Openldap 2.1.x has been discussed for some time, and I know a few folks have even built rpms (2.1.22 was the last I saw). Any idea when we will see it hit cooker?

I saw where openldap 2.0.27 is still being patched/updated - I think it would be a better use of development time to work on the new version rather than patching/updating the old version (that will need to be replaced anyway).

Thanks,
S
Re: [Cooker] Openldap 2.1.22

On Tuesday, 15 July 2003 21:00, magic wrote:

> Hello all,
>
> I was just wondering what the status of openldap is. Openldap 2.1.x has been discussed for some time, and I know a few folks have even built rpms (2.1.22 was the last I saw). Any idea when we will see it hit cooker?

I had this built at home, but now that god damn fucking two-year-old machine gave up on me..., I'm really pissed... What hardware can you trust these days? This is an Epox 8KHA+ and an AMD 1700 CPU. My new Samsung drive only lived 3 months...

--
Regards // Oden Eriksson, Deserve-IT.com
Re: [Cooker] Openldap 2.1.22

magic wrote:

> Hello all,
>
> I was just wondering what the status of openldap is. Openldap 2.1.x has been discussed for some time, and I know a few folks have even built rpms (2.1.22 was the last I saw). Any idea when we will see it hit cooker?

It already did...

# rpm -qa | grep ldap | sort
libldap2-2.1.22-2mdk
nss_ldap-204-2mdk
openldap-2.1.22-2mdk
openldap-clients-2.1.22-2mdk
openldap-servers-2.1.22-2mdk
pam_ldap-161-2mdk

> I saw where openldap 2.0.27 is still being patched/updated - I think it would be a better use of development time to work on the new version rather than patching/updating the old version (that will need to be replaced anyway).
>
> Thanks,
> S
Re: [Cooker] Openldap 2.1.22!

Thomas Backlund wrote:

> Fresh listing from synced cooker main:
>
> openldap-back_dnssrv-2.1.22-2mdk.i586.rpm
> openldap-back_ldap-2.1.22-2mdk.i586.rpm
> openldap-back_passwd-2.1.22-2mdk.i586.rpm
> openldap-back_sql-2.1.22-2mdk.i586.rpm
> openldap-clients-2.1.22-2mdk.i586.rpm
> openldap-guide-2.1.22-2mdk.i586.rpm
> openldap-migration-2.1.22-2mdk.i586.rpm
> openldap-servers-2.1.22-2mdk.i586.rpm
> openldap-2.1.22-2mdk.i586.rpm

Outstanding!!! (I saw the post about the spec file in cvs just after I sent the original message).

Thanks!
S
Re: [Cooker] Openldap 2.1.22

On Tuesday, 15 July 2003 21:00, magic wrote:

> Hello all,
>
> I was just wondering what the status of openldap is. Openldap 2.1.x has been discussed for some time, and I know a few folks have even built rpms (2.1.22 was the last I saw). Any idea when we will see it hit cooker?
>
> I saw where openldap 2.0.27 is still being patched/updated - I think it would be a better use of development time to work on the new version rather than patching/updating the old version (that will need to be replaced anyway).

It depends. If you want to be able to do a clean upgrade from 9.* to the upcoming 9.2, an ldap 2.0.* based version is not so bad. ldap 2.1.* is much more strict in using the data, so your database may not work after an update. Don't get me wrong, I want 2.1.* in the 9.2 version. But that is my opinion. It is the same with the sasl stuff.

> Thanks,
> S

Martin

--
H E L I X Gesellschaft für Software Engineering mbH
Hanauer Landstrasse 52                  Phone (069) 4789 35-30
D-60314 Frankfurt am Main               Fax (069) 4789 35-44
http://www.helix-gmbh.net               [EMAIL PROTECTED]