Re: OpenLDAP as proxy for another LDAP-Server

2008-05-15 Thread Andrew Findlay
, but in the mean time does anyone have any pointers to a neat way of doing this? Andrew -- --- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory

Re: OpenLDAP as proxy for another LDAP-Server

2008-05-16 Thread Andrew Findlay
have it running so I will write a section for the Admin Guide explaining how to do it. Andrew

SubEntry behaviour in OpenLDAP

2008-05-30 Thread Andrew Findlay
administrativeRole attribute but seems to have 'not implemented' hard-wired into the result code. Are subentries expected to work, or am I mis-reading something here? Thanks Andrew

pass-through authentication (was: Re: OpenLDAP as proxy for another LDAP-Server)

2008-06-03 Thread Andrew Findlay
On Fri, May 16, 2008 at 06:17:44PM +0100, Andrew Findlay wrote: > On Thu, May 15, 2008 at 11:58:28AM -0600, Philip Guenther wrote: > > > How about by using saslauthd? Configure the users that need pass-through > > authentication with userPassword values in the form "[E

Re: automatic uidnumber overlay

2008-06-11 Thread Andrew Findlay
ont need that...") so I still usually use the unique sequential allocation scheme: Perl implementation attached. Andrew

Force syncrepl client to do complete sync?

2008-06-18 Thread Andrew Findlay
B. Is there some way that I can force a complete re-sync on a live server? I tried deleting the contextCSN through LDAP, but of course it won't let me do that on the slave. Andrew

Re: Force syncrepl client to do complete sync?

2008-06-20 Thread Andrew Findlay
pecific to that > replica... Yes. Trivial via LDAP of course, but rather slower. Andrew -- ----------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/+44 1628 782565 | ---

2.4.10 slow when deleting member from large group

2008-06-25 Thread Andrew Findlay
easured by timing an ldapmodify script, so not very accurate below 0.5s) Does anyone know why this operation should have got slower from 2.3.x to 2.4.x ? Andrew

Re: 2.4.10 slow when deleting member from large group

2008-06-25 Thread Andrew Findlay

Re: 2.4.10 slow when deleting member from large group

2008-06-25 Thread Andrew Findlay
rts to the end of the list. Andrew

Re: ACL Help Please

2008-07-01 Thread Andrew Findlay
sers,dc=Company,dc=com write by * read access to * by * read Andrew

Re: ACL Help Please

2008-07-02 Thread Andrew Findlay
users > # > dn: cn=Elliott Smith,ou=users,dc=company,dc=com > objectclass: top > objectclass: person > cn: Elliott Smith > sn: Smith > userPassword: mysecret > uid: esmith That won't load, as uid is not in the person object class: you need inetOrgPerson for that. Andrew

Re: configure ACL: allow access until after a period of time?

2008-07-09 Thread Andrew Findlay
expiry dates in the future and make the ACL dependent on that. Something will have to update the group definition each day. I don't know whether this overlay works with ACLs though. Andrew

Re: Syncrepl replication with a non-slapd master?

2008-08-14 Thread Andrew Findlay
scans to detect other changes. The solution to this problem is not really specific to OpenLDAP so you may get more answers from a different mailing list. Andrew

Re: ppolicy password lockout

2008-08-14 Thread Andrew Findlay
s? You need to do that to see things like failure times. Add '+' to the end of the ldapsearch command and see what you get. Andrew

Re: unique_uri strict ?

2008-11-24 Thread Andrew Findlay
a reminder when dealing with configs for older versions. Andrew

Re: acls and restricting permissions

2008-12-02 Thread Andrew Findlay
es to permit access to the RDN components of entries higher up the tree. The 'by * break' statement is an easy way of making sure this clause does not affect any other users. Andrew

Re: acls and restricting permissions

2008-12-04 Thread Andrew Findlay
nt is defined by the ACLs that apply to "cn=limited,dc=example,dc=com" Andrew

Re: Unable do slapadd a LDIF dump from slapd 2.2.6 to slapd 2.4.9

2008-12-10 Thread Andrew Findlay
me How did you generate the LDIF file that you are importing? It seems to be lacking some vital information. Andrew

Re: LDAP Question

2009-01-13 Thread Andrew Findlay
he problem here? You cannot just copy the files of a running database. You must either shut down slapd before starting the backup, or you must follow the Berkeley DB backup instructions. In either case I would advise keeping a slapcat backup as well. Andrew

LDAP at the UKUUG Spring 2009 Conference

2009-02-11 Thread Andrew Findlay
odel Divide Howard Chu (Symas Corp. & OpenLDAP project) * Writing Access Control Policies for LDAP Andrew Findlay (Skills 1st) * Securing Access to UNIX, Linux and Mac with Active Directory Barry Scott (Centrify) There is also a Kerberos tutorial and several papers on systems mo

[ldap] Writing Access Control Policies for LDAP

2009-03-27 Thread Andrew Findlay
conference in London, and a tarball with the examples and test-suites mentioned in the paper. http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/ Comments are welcome. Andrew

Re: openldap getting very slow

2009-04-09 Thread Andrew Findlay
disk for example. Andrew

Re: Replication problem: How to sync?

2010-04-07 Thread Andrew Findlay
missing though! Andrew

Re: ACLs - allowing a user to add a new attribute

2010-04-13 Thread Andrew Findlay
inous, but it can help you to understand what is going on. Andrew

Re: ACLs - match FDN to portion of attribute

2010-04-14 Thread Andrew Findlay
ds,ou=people,dc=usask,dc=ca" read Make sure that you have a rule that will deny access to other users. Andrew

Re: ACLs - allowing a user to add a new attribute

2010-04-14 Thread Andrew Findlay
'write' keyword includes read access > > '=w' just grants write privilege but no read privilege. Exactly. Protecting password attributes is a case that the privilege model handles much better than the level model. Andrew

Re: ACLs - allowing a user to add a new attribute

2010-04-14 Thread Andrew Findlay
but they will not be able to read the existing password. Andrew

Re: OpenLDAP ACLs Question

2010-04-16 Thread Andrew Findlay
nvironment with the latest 2.4.x release to see what happens. Andrew

Re: Authenticating with multiple databases

2010-04-16 Thread Andrew Findlay

Re: asynchronous event notification?

2005-12-22 Thread Andrew Findlay