Re: enable SSL

2023-08-17 Thread A. Schulze
On 17.08.23 at 18:50, Jean-Luc Chandezon wrote: I want to enable SSL, but I cannot find the “/etc/sysconfig/slapd” file. For an overview: https://openldap.org -> OpenLDAP Admin Guide -> choose your version -> search for "Using TLS". First, I have to say, think about your LDAP server's name. The

Re: Data migration

2023-06-16 Thread A. Schulze
On 16.06.23 at 16:30, Quanah Gibson-Mount wrote: -o ldif-wrap=no man slapadd says "-o ldif_wrap=no" (note the underscore). Is one version legacy, and the other preferred? This commit looks like the underscore is preferred: https://github.com/openldap/openldap/commit/8a259e3df16def3f05828f355

Re: pcache not working with dirx

2023-04-13 Thread A. Schulze
On 13.04.23 at 18:17, Quanah Gibson-Mount wrote: --On Wednesday, April 12, 2023 11:31 AM +0200 "A. Schulze" wrote: One upstream server is DirX, No idea what DIRX is. Hi Quanah, sorry for assuming things that may be unclear for others. DirX is an X.500 server th

pcache not working with dirx

2023-04-12 Thread A. Schulze
Hello, I'm playing with the slapo-pcache overlay (openldap-2.6.4). Using the following configuration: ``` # https://www.openldap.org/doc/admin26/guide.html#The%20Proxy%20Cache%20Engine database ldap suffix dc=dirx,dc=example rootdn dc=dirx,dc=example uri

Re: OpenLDAP on Debian 11: missing TLS ciphers?

2022-08-01 Thread A. Schulze
On 01.08.22 at 16:30, Quanah Gibson-Mount wrote: As far as I'm aware, both Debian and Ubuntu continue to link OpenLDAP to GnuTLS, so pointing out how openssl behaves probably doesn't help them progress much.  I'm guessing though that similar changes were done to the GnuTLS defaults. rig

Re: OpenLDAP on Debian 11: missing TLS ciphers?

2022-07-30 Thread A. Schulze
On 30.07.22 at 20:46, Jochen Keutel wrote: We did run into this issue because some special devices (e.g. Cisco Prime Collaboration Assurance) cannot connect to the new OpenLDAP server. The server logfile states: TLS handshake: negotiation failure. It's not yet clear whether they really can

Re: question on replica IDs

2022-05-13 Thread A. Schulze
Quanah Gibson-Mount: Hi Quanah! The only problem I see here is that you have the same serverID for both nodes, and serverIDs are what must be unique across MMR servers. This was a typo while writing the message, sorry. Not clear to me why you don't just drop SIDs 1 & 2 and keep 3 & 4 li

question on replica IDs

2022-05-13 Thread A. Schulze
Hello, I'm running a cluster of 4 servers of openldap-2.6.1 ServerID 1 ldaps://member1.example/ ServerID 2 ldaps://member2.example/ ServerID 3 ldaps://member3.example/ ServerID 4 ldaps://member4.example/ syncrepl rid=1 provider=ldaps://member1.exampl

Re: Antw: [EXT] ppolicy-question

2021-12-01 Thread A. Schulze
On 01.12.21 at 08:00, Ulrich Windl wrote: > But isn't the real question whether clients using MD5 can handle ARGON2? Hello Ulrich, no, it isn't. MD5 was an example only. Mostly I see {SHA} and {SSHA}. Let me explain my understanding of operating an identity-provider. - identity-provider = Op

Re: ppolicy-question

2021-11-27 Thread A. Schulze
On 27.11.21 at 00:50, Michael Ströder wrote: > On 11/26/21 23:34, A. Schulze wrote: >> using slapo-ppolicy I could configure slapd to hash a password if >> it's sent unhashed. > [..] >> overlay ppolicy >> ppolicy_default "cn=default,ou=ppol

ppolicy-question

2021-11-26 Thread A. Schulze
Hello, using slapo-ppolicy I could configure slapd to hash a password if it's sent unhashed. moduleload ppolicy.la moduleload argon2.la password-hash {ARGON2} database mdb suffix dc=test ... overlay ppolicy ppolicy_default "cn=default,ou=ppolicies,dc=test" ppolicy_hash_cleartext That works and

Re: Logfile timestamp in 2.6

2021-10-16 Thread A. Schulze
On 16.10.21 at 00:06, Nick Folino wrote: > Thanks, Howard.  That's basically what I'm doing now.  Just checking to see > if there was an option I was missing. Hello, just an idea: maybe a similar function could be added to slapd itself. One clean & reasonably fast implementation takes the bu

Re: OT: Net:LDAPapi / LDAPS-Support?

2021-08-26 Thread A. Schulze
On 25.08.21 at 17:43, Quanah Gibson-Mount wrote: >> I took over a service using the Perl NET::LDAPapi. Now I fail to >> establish an LDAPS connection. Does anybody know if that's even supported >> and if so, how I have to set that up? > > Yes, it's fully supported and has been as long as I've use

OT: Net:LDAPapi / LDAPS-Support?

2021-08-25 Thread A. Schulze
Hello, I took over a service using the Perl NET::LDAPapi. Now I fail to establish an LDAPS connection. Does anybody know if that's even supported and if so, how I have to set that up? Andreas

ldap utils: option dropped

2021-08-04 Thread A. Schulze
Hello, in openldap-2.5.6, ldapsearch no longer understands '-h' to specify an LDAP server. '-H' must be used now everywhere. Yes, it makes sense, but it breaks some things here. So I read https://www.openldap.org/doc/admin25/appendix-changes.html and https://www.openldap.org/doc/admin25/appendix-

Re: migrate from 2.4 to 2.5, determine existing MDB format

2021-07-31 Thread A. Schulze
On 31.07.21 at 18:05, Michael Ströder wrote: > As far as I understood the MDB disk format changed. Hi Michael, I'm also starting to test openldap-2.5, so could you provide a reference for that claim? Andreas

Re: RE24 testing call #1 (OpenLDAP 2.4.59)

2021-05-29 Thread A. Schulze
On 28.05.21 at 23:36, Quanah Gibson-Mount wrote: > This is the first testing call for OpenLDAP 2.4.59.  Depending on the results, > this may be the only testing call. Build & make test run without problems on Debian 10. I noticed some suggestions from Debian lintian (but they do not seem to be

Re: OpenLDAP 2.5 Release Candidate Testing (OpenLDAP 2.5.4)

2021-04-23 Thread A. Schulze
On 22.04.21 at 18:56, Quanah Gibson-Mount wrote: > Execute the test suite (via make test) after it is built.  Optionally, cd > tests && make its to run through the regression suite. ./configure says "--enable-mdb enable mdb database backend no|yes|mod [yes]" so I took the default

Re: opinions on schema-checking

2021-03-08 Thread A. Schulze
On 08.03.21 at 19:08, Michael Ströder wrote: >> On 02.03.21 at 13:19, A. Schulze wrote: >>> Q: does it make sense to enforce schema checking on a LDAP consumer, too? > Maybe it's easier to answer if you explain which problem you want to solve? Hi Michael, thanks to

Re: opinions on schema-checking

2021-03-07 Thread A. Schulze
On 02.03.21 at 13:19, A. Schulze wrote: > I'm running an LDAP provider and multiple LDAP consumers and would like to ask > for your opinions on such a setup: > While writing data to the LDAP provider, schema-checking is enforced. > Currently the LDAP consumers also enforce schema check

opinions on schema-checking

2021-03-02 Thread A. Schulze
Hello, I'm running an LDAP provider and multiple LDAP consumers and would like to ask for your opinions on such a setup: While writing data to the LDAP provider, schema-checking is enforced. Currently the LDAP consumers also enforce schema checking. Q: does it make sense to enforce schema checking on a

verify openldap source

2020-12-10 Thread A. Schulze
Hello, I'm searching for a way to verify the integrity of downloads from openldap.org. Many open source projects provide foo-$version.tar.gz.[asc|sha256sum] next to foo-$version.tar.gz. Is something similar available for OpenLDAP? Andreas

Re: MDB Backend database definition

2020-05-01 Thread A. Schulze
On 30.04.20 at 16:19, Beker wrote: > olcRootDN: cn=mdbadm,test,dc=local shouldn't this be "cn=mdbadm,dc=test,dc=local" ?

Re: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-27 Thread A. Schulze
On 27.01.20 at 18:17, Quanah Gibson-Mount wrote: >> update: same build for 2.4.48 also fails. >> So maybe nothing new, but related to my build system ... > > Seems like it, I routinely build on those OSes and have never seen an error > like that. ;) the archive says: I reported the same issue

Re: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-26 Thread A. Schulze
On 26.01.20 at 20:59, A. Schulze wrote: > using Debian sbuild to build for Debian Stretch/9 and Debian Buster/10, > "make test" fails: update: same build for 2.4.48 also fails. So maybe nothing new, but related to my build system ... Andreas

Re: RE24 testing call (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-26 Thread A. Schulze
On 13.01.20 at 18:12, Quanah Gibson-Mount wrote: > This is the first testing call for OpenLDAP 2.4.49.  Depending on the > results, this may be the only testing call. > > Generally, get the code for RE24: > >

Re: Replication account problem

2020-01-08 Thread A. Schulze
On 08.01.20 at 16:16, Vincent Ducot wrote: > Hi all, > I'm testing multi-master replication between (at least 2) openldap nodes > (2.4.45, on Ubuntu 18.04) and facing a problem with the replication account. At some point in time I decided to create a separate database as replication-account sla

Re: Default autoconf values / building OpenLDAP 2.4.48

2019-08-08 Thread A. Schulze
On 08.08.19 at 16:23, Dominique Fuchs wrote: > A - From the docs I was assuming this is simply necessary to be able to > enable specific backends, not automatically enabling all of them. Hello OpenLDAP Team, just an idea: rename "--enable-backends" to "--enable-all-backends" in openlda

Re: where is debuglevel documented ?

2019-07-22 Thread A. Schulze
On 21.07.19 at 17:27, danielle lampert wrote: > Where can I find the debuglevel values and their meaning ? man 8 slapd and search for "-d"

Re: Uniqueness across multiple attributes

2019-06-17 Thread A. Schulze
On 17.06.19 at 11:32, Stefan Schmidt wrote: > Hello Andreas, > thank you for your reply. The idea would have been to prevent duplicates > across mail and mailAlias from being created in the first place, but you are > right if OpenLDAP doesn't allow this then using an external script to check

Re: Uniqueness across multiple attributes

2019-06-12 Thread A. Schulze
On 12.06.19 at 13:51, Stefan Schmidt wrote: > Hello, > > is it possible to define a unique constraint across attributes? We have a mail > field and a mailAlias field and would like to assure that if a mail address > exists either in mail or mailAlias it cannot be added again to either field, >

overlay unique

2019-05-14 Thread A. Schulze
Hello, I have an openldap master and numerous sync replica servers running. I suspect my master contains mail attributes that aren't unique. My idea was to build another sync replica with the unique overlay enabled. The 'empty' sync replica will fetch data from the master and complain about values that

Re: Quick question about OpenLDAP Server CA certificate handling

2019-04-13 Thread A. Schulze
On 11.04.19 at 13:35, Mark Cairney wrote: Hello Mark, > However based on our understanding of how SSL works we should only > actually need the intermediate(s) in there as the client should have the > root and then compare the intermediate provided by the server and only > trust it if it can u

Re: Antw: Re: Replication delay

2019-03-26 Thread A. Schulze
On 26.03.19 at 07:58, Ulrich Windl wrote: > I don't understand that: Keepalive (as I know it) has nothing to do with idle > connections, but only with dead connections. Any stateful firewall will reset/drop/delete/discard a connection's state information from its internal connection table aft

Re: slapd memory usage

2019-02-07 Thread A. Schulze
Howard Chu: Any idea why the memory usage is so different? If the only difference is that you set the open file limit to 1024, then it sounds like whatever your default file limit is is much larger. Hello Howard, yes, it's unlimited by default. Tons of other daemons also run without t

slapd memory usage

2019-02-06 Thread A. Schulze
Hello, a friend told me about his findings on slapd memory usage. setup: openldap-2.4.47 back_mdb slapd running as PID 1 inside a docker container docker host and docker container based on Debian 9 / 64 bit finding: with minimal / trivial data slapd consum

Re: uniqueness on multiple attributes

2019-01-21 Thread A. Schulze
Michael Ströder: Logically it's something like unique_uri (ldap:///dc=basedn?mail?sub?) OR (ldap:///dc=basedn?mail?sub?) The OR is not possible. What else does the following statement on "unique_uri" mean? How should I understand that? Multiple URIs may be specified within a

uniqueness on multiple attributes

2019-01-20 Thread A. Schulze
Hello, my goal is to extend a uniqueness configuration. I do already enforce uniqueness of mail addresses: slapd.conf: moduleload unique.la overlay unique unique_uri ldap:///dc=basedn?mail?sub? that works. Now also address rewriting data should be migrated to LDAP. Rewriti

Re: RE24 testing call (2.4.47) LMDB RE0.9 testing call (0.9.23)

2018-12-19 Thread A. Schulze
On 18.12.18 at 02:08, Quanah Gibson-Mount wrote: > I just checked in a fix for this.  Please pull new source and see if it > passes. :) OK, it took 10h but "make its" finished successfully on my Debian9 x86_64 laptop. Andreas

Re: RE24 testing call (2.4.47) LMDB RE0.9 testing call (0.9.23)

2018-12-17 Thread A. Schulze
On 16.12.18 at 23:32, Howard Chu wrote: >>> ./data/regressions/its8752/its8752 failed (exit 1) > > I believe this is simply due to too short a sleep between steps. It happens > quite > often on slower machines. Are there plans to relax the timings or should I simply ignore that failure?

Re: RE24 testing call (2.4.47) LMDB RE0.9 testing call (0.9.23)

2018-12-16 Thread A. Schulze
On 15.12.18 at 01:02, Quanah Gibson-Mount wrote: > 2.4.47 is now believed to be ready for release after tracking down a deadlock > and a few other replication issues.  Please test. :) Compiles with many (mostly known) notes and some warnings. But "make its" fails. > Starting its8752 ... run

Re: syncrepl + rid

2018-11-29 Thread A. Schulze
On 28.11.18 at 20:11, Quanah Gibson-Mount wrote: > Are you replicating cn=config?  If no, then serverID can just be single > valued (1-4), no URI required.  In any case, that's a separate question from > the RID one. I still use `legacy configuration files` > As documented, RIDs only need t

syncrepl + rid

2018-11-28 Thread A. Schulze
Hello, I run an N-Way Multi-Master setup (N=4) and multiple read-only syncrepl. I'd like to make sure I understand the "rid" correctly. According to http://www.openldap.org/doc/admin24/guide.html#olcSyncrepl, the "rid" has to be unique per "slapd". So I would configure on /every host/ (4x Multi-Mas

unique values

2017-03-06 Thread A. Schulze
Hello, while planning a data scheme update we found it handy to have a unique value for each entry. A short time later we found "entryUUID" :-) But we are still unsure. Should we simply use entryUUID or should we extend our schema to hold a new attribute similar to entryUUID? So what are the

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-14 Thread A. Schulze
Ryan Tandy: On Thu, Feb 09, 2017 at 08:27:29PM +0100, A. Schulze wrote: One point is worth mentioning: I exposed the server also on port 443 and did a scan with ssllabs.com. While I'm pretty sure I configured certificates properly, ssllabs proved the server delivers not only certificat

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-09 Thread A. Schulze
On 09.02.2017 at 22:32, Ralf Mattes wrote: > Is this really the problem? I only use TLSCACertificateFile but still get all > the > intermediate certificates as well as the top level (German Telekom) cert. Ah! Both TLSCACertificateFile and TLSCACertificatePath contain the acceptable issuer ce

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-09 Thread A. Schulze
On 09.02.2017 at 21:52, Quanah Gibson-Mount wrote: > So it is not clear to me what happens if you use both. ;) I've certainly > never tried that. Since you are using both, did you correctly "hash" the CA > certs in the directory you pointed at? That's the point: the directory is empty! I co

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-09 Thread A. Schulze
On 09.02.2017 at 20:54, Quanah Gibson-Mount wrote: > Please see the slapd.conf(5) or slapd.conf(5) man pages, which clearly state: > > TLSCACertificateFile > Specifies the file that contains certificates for all of the > Certificate Authorities that slapd wi

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-09 Thread A. Schulze
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote: > For this testing call, we particularly need folks to test OpenLDAP with > startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with > the 1.1 series). Hello, for nearly a week now I have run that release without any noise. It's com

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-05 Thread A. Schulze
On 31.01.2017 at 22:21, A. Schulze wrote: > * but last: make test failed >( attached make_test_result.txt ) the failing test was test059 >>>>> Starting test059-slave-config for mdb... running defines.sh Starting provider slapd on TCP/IP port 9011... Using lda

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-02-05 Thread A. Schulze
On 01.02.2017 at 19:47, Quanah Gibson-Mount wrote: >> I'll see if I can repro the test058 failure. > > I've not been able to reproduce this with RE24 even with several hundred runs > of the test. It may be timing related. test059 failed, not test058. Is it possible that the failed test echo "te

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-01-31 Thread A. Schulze
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote: > Optionally, cd tests && make its run through the regression suite. This set of tests passes, but I noticed one line: ./data/regressions/its8521/its8521: 268: test: 1: unexpected operator here is the complete log: > Starting its8521 ...

Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)

2017-01-31 Thread A. Schulze
On 30.01.2017 at 21:49, Quanah Gibson-Mount wrote: > > > Configure & build. * I noticed 33x "warning: unused variable". Should I write a patch? * Very interesting to me how you modif

Re: OpenLDAP performance and slapindex

2016-12-16 Thread A. Schulze
On 15.12.2016 at 21:27, Real, Elizabeth (392K) wrote: > Dec 15 12:22:01 slapd[27852]: <= bdb_equality_candidates: (uid) not indexed > Dec 15 12:22:01 slapd[27852]: <= bdb_equality_candidates: (memberUid) not > indexed I would build an index if these lines are logged. Maybe the "bdb_equalit

support for openssl-1.1.0c

2016-11-25 Thread A. Schulze
Hello, I played with git://git.openldap.org/openldap.git and wrote a patch to support compilation using openssl-1.1.0c. Just created an ITS item: http://www.openldap.org/its/index.cgi/Incoming?id=8533 The patch is available here: ftp://ftp.openldap.org/incoming/andreas-schulze-161125.patch maybe

Re: log_rdns.patch

2016-03-09 Thread A. Schulze
Michael Ströder: Maybe this feature should be removed in 2.5 to make that really clear. Please don't... Everybody inspecting a log full of IPv6 connections for troubleshooting will *love* reverse DNS! Apache has a similar problem + feature: http://httpd.apache.org/docs/2.4/mod/core.

log_rdns.patch

2016-03-08 Thread A. Schulze
I expect the patch is not optimal for performance. But it works here in a small environment. Andreas Description: log FQDN instead of IP if "reverse-lookup on" in slapd.conf Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net/deps/dep3/ Index: openlda

man page patches

2016-03-08 Thread A. Schulze
Hello, here is my second patch set. They mostly modify man pages and spelling errors found by Debian lintian ( https://packages.debian.org/jessie/lintian) Andreas Description: fix for a warning from debian lintian Author: A. Schulze --- This patch header follows DEP-3: http://dep.debian.net

Patch: CIPHER_SERVER_PREFERENCE

2016-03-08 Thread A. Schulze
Hello, the patch implements a feature similar to http://www.postfix.org/postconf.5.html#tls_preempt_cipherlist Not perfect, not configurable, but works here without problems. Andreas Description: force openssl to use the server side cipher preference Author: A. Schulze --- This patch header

Re: delta sync and strictrefresh

2016-03-08 Thread A. Schulze
Howard Chu: strict refresh was an experiment, which is also why it remains undocumented. What you describe is the desired effect but as you've found, it doesn't work as intended. It looks to me that one of the refresh scenarios isn't being caught but I haven't looked closely at this feat

delta sync and strictrefresh

2016-03-08 Thread A. Schulze
Hello, I'm a longtime openldap and syncrepl user. Now I learned about delta replication and the option "strictrefresh". But it doesn't work as promised. Maybe my expectation is simply wrong... Let's describe my use case: One or two providers serve data to numerous consumers. Application ru