getting ca/ca subordinate cert to work with openldap

2010-03-08 Thread Chris Jacobs
Hello, I'm having a heck of a time getting certs to function correctly. This server is being setup with another server in mirrormode - and currently they cannot talk to each other (or themselves when using ldapsearch). We have a root CA, with a subordinate CA used to sign the cert our ldap ser

database is not a shadow

2010-03-12 Thread Chris Jacobs
system resources. syncinfo_free: rid=001 slapd stopped. connections_destroy: nothing to destroy. Needless to say, this server will be a mirror - and I'd had this config working previously. The other server, setup seemingly identically works fine. What the heck does this error m

RE: database is not a shadow

2010-03-12 Thread Chris Jacobs
essage, but I haven't received it (I had recently changed my options to receive an email for each, rather than a digest) -Original Message- From: Chris Jacobs Sent: Friday, March 12, 2010 2:54 PM To: 'openldap-technical@openldap.org' Subject: database is not a shado

attribute 'pwdPolicySubentry' cannot have multiple values

2010-03-19 Thread Chris Jacobs
moduleload ppolicy.la or ppolicy.so I get in the logs: line 18 (moduleload ppolicy.la) module_load: (ppolicy.la) already present (static) Which I'm pretty sure means it's already loaded... Any idea as to what I'm doing wrong? Thanks, - chris Chris Jacobs, Jr. Linux Administrator, Infor

RE: attribute 'pwdPolicySubentry' cannot have multiple values

2010-03-22 Thread Chris Jacobs
one-man project. Thanks! - chris PS: I'd failed to reply-to-all on my previous emails. Please pardon my mailing list etiquette and use failure. :) ________ From: Chris Jacobs Sent: Monday, March 22, 2010 4:12 AM To: Howard Chu Subject: RE: attribute '

RE: tls private key

2010-03-23 Thread Chris Jacobs
Alexander, I don't know if they only get read at startup or not... but it does bring up the question: Why? Protect the file with chmod 440 permissions (with root/root or ldap/ldap or whatever the user/group you use to run slapd). If there are others with root permission to this box that should
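An added example (not code from the message above or from the OpenLDAP project) of the check the advice implies: before slapd starts, verify that the TLS private key is owned by the account slapd runs as and is not readable by anyone else. The `ldap:ldap` owner and the `/etc/openldap/certs/slapd.key` path are assumptions; the permission logic is a pure function so it can be exercised without a real file.

```python
"""Verify a TLS private key file is readable only by the slapd account.

Added example, not from the original thread.  It encodes the advice given
above: mode 0440 (or tighter), owned by the user/group slapd runs under,
never readable or writable by "other".  The ldap:ldap owner and the key
path used in __main__ are assumptions, not facts from the thread.
"""
import os
import stat


def key_file_problems(mode, uid, gid, expected_uid, expected_gid):
    """Return a list of problems for a key file's st_mode / st_uid / st_gid.

    Pure function over stat-like values so it can be tested without a file.
    An empty list means the file is acceptably protected.
    """
    problems = []
    perm = stat.S_IMODE(mode)
    if uid != expected_uid:
        problems.append("owner uid %d, expected %d" % (uid, expected_uid))
    if gid != expected_gid:
        problems.append("group gid %d, expected %d" % (gid, expected_gid))
    if perm & stat.S_IRWXO:
        problems.append("world-accessible (mode %o)" % perm)
    if perm & stat.S_IWGRP:
        problems.append("group-writable (mode %o)" % perm)
    if perm & (stat.S_IXUSR | stat.S_IXGRP):
        problems.append("executable bits set (mode %o)" % perm)
    if not (perm & stat.S_IRUSR) and not (perm & stat.S_IRGRP):
        problems.append("nobody can read it (mode %o)" % perm)
    return problems


def check_key_file(path, user="ldap", group="ldap"):
    """stat() a real key file and return (ok, problems).

    Resolves the expected user/group names via the system databases, so
    this part only runs on a Unix host with those accounts present.
    """
    import pwd
    import grp
    expected_uid = pwd.getpwnam(user).pw_uid
    expected_gid = grp.getgrnam(group).gr_gid
    st = os.stat(path)
    problems = key_file_problems(st.st_mode, st.st_uid, st.st_gid,
                                 expected_uid, expected_gid)
    if not stat.S_ISREG(st.st_mode):
        problems.append("not a regular file")
    return (not problems, problems)


if __name__ == "__main__":
    # Assumed path; adjust to wherever TLSCertificateKeyFile points.
    ok, problems = check_key_file("/etc/openldap/certs/slapd.key")
    print("OK" if ok else "\n".join(problems))
```

Run it from the same host as slapd (or wire it into a pre-start check); a non-empty problem list is the signal that the key could be copied by another local account.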

Tips when implementing password policies

2010-03-23 Thread Chris Jacobs
What method(s) have you used to force people to change their password - beyond asking them? Thanks! - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.44

Re: Tips when implementing password policies

2010-03-23 Thread Chris Jacobs
ample LDIF of a test account and a legacy account later. - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu --

Re: Tips when implementing password policies

2010-03-23 Thread Chris Jacobs
want people to just end-up locked out either, if at all possible. Thoughts? Thanks! - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9

RE: Tips when implementing password policies

2010-03-23 Thread Chris Jacobs
.com] Sent: Tuesday, March 23, 2010 8:21 PM To: Chris Jacobs; 'h...@symas.com' Cc: 'tgate...@gmail.com'; 'openldap-technical@openldap.org' Subject: Re: Tips when implementing password policies --On Tuesday, March 23, 2010 7:37 PM -0700 Chris Jacobs wrote: > Okay, it say

Re: tls private key

2010-03-25 Thread Chris Jacobs
I could be horribly wrong though - I'm not a dev, just a user of the software. :) - chris Chris Jacobs, Jr. Unix System Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 e

Not getting password expiry warnings on login

2010-03-29 Thread Chris Jacobs
d mismatch here? (I suspect and hope that the last bit here is a totally unrelated red herring.) Thanks, - chris Chris Jacobs, Jr. Linux Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.

RE: Not getting password expiry warnings on login

2010-03-29 Thread Chris Jacobs
enldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Monday, March 29, 2010 12:37 PM To: 'openldap-technical@openldap.org' Subject: Not getting password expiry warn

RE: Not getting password expiry warnings on login

2010-03-30 Thread Chris Jacobs
've also seen mention of a '-k' flag, but it's not an option with the version of ldapsearch compiled with openldap 2.4. -Original Message- From: Buchan Milne [mailto:bgmi...@staff.telkomsa.net] Sent: Tuesday, March 30, 2010 3:57 AM To: openldap-technical@openldap.org

Re: group in groups

2010-04-08 Thread Chris Jacobs
You're thinking of dyngroups (Dynamic Groups). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu - Ori

Re: Problem with SSL/TLS

2010-04-12 Thread Chris Jacobs
while one would only be setup on ldap servers, mine are identical and things work with a mirror master, both setup behind a VIP (fail over, not load balanced) and a plethora of slaves in different subdomains. - chris PS: I'd forgotten to 'reply-to-all' earlier. :) C

Re: Problem with SSL/TLS

2010-04-13 Thread Chris Jacobs
Also, if you've the CA's cert in a file and point the conf directly to it (via tls_cacert) it's unnecessary to use the tls_cacertdir directive. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phon

Re: RPM spec file

2010-04-15 Thread Chris Jacobs
Be careful - it didn't do what I wanted (like 64 bit). And on top of that, none of the tools were in the default paths. - chris PS: I only found that after tons of googling too. Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattl

ppolicy master/slave issue

2010-04-29 Thread Chris Jacobs
Hello again, I'm having an odd issue with ppolicy and my master/slave config. First, my goals General use: Slave handles all reads locally. Writes get forwarded to the master by the slave. Password policy: When password failures happen on clients using slave ldap servers, the fa

RE: ppolicy master/slave issue

2010-04-29 Thread Chris Jacobs
chnical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, April 29, 2010 2:55 PM To: openldap-technical@openldap.org Subject: ppolicy master/slave issue Hello again, I'm having an odd issue with ppolicy and my master/slave config. First, my

RE: ppolicy master/slave issue

2010-05-03 Thread Chris Jacobs
hanks, - chris -Original Message- From: openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, April 29, 2010 2:55 PM To: openldap-technical@openldap.org Su

Re: RPM spec file

2010-05-03 Thread Chris Jacobs
Side question: is there any difference between statically compiled in vs dynamic modules? I'm most concerned about performance vs flexibility of replacing modules. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA

RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")

2010-05-06 Thread Chris Jacobs
nces+chris.jacobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Monday, May 03, 2010 9:07 AM To: openldap-technical@openldap.org Subject: RE: ppolicy master/slave issue Really, I think this comes d

Re: LDAP_SERVER_DOWN in win32?

2010-05-07 Thread Chris Jacobs
Ummm... I suspect your machine's firewall (likely built in one from Windows) might be blocking it. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441

Re: bdb_index_read: failed

2010-05-07 Thread Chris Jacobs
if you've simply taken over an admin role, this could have been going on for a while and the final 'culprit' may simply be missing indexes. Good luck, - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, W

Re: bdb_index_read: failed

2010-05-07 Thread Chris Jacobs
Ah, hah. I admit, I hadn't read that far back and made some ass/umptions. Doh. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chri

RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "authenticate")

2010-05-25 Thread Chris Jacobs
acobs=apollogrp@openldap.org [mailto:openldap-technical-bounces+chris.jacobs=apollogrp@openldap.org] On Behalf Of Chris Jacobs Sent: Thursday, May 06, 2010 11:45 AM To: openldap-technical@openldap.org Subject: RE: ppolicy master/slave issue (currently "forward ppolicy updates" OR "au

Re: choosing replication strategies

2010-05-26 Thread Chris Jacobs
The admin guide really does a pretty good job of covering the different replication methods, I'd check it out a bit more. :) - chris PS: I'm no guru, and have recently identified an issue with mirror-mode and ppolicy. I'll be reviewing them again myself. Chris Jacobs, System

Re: Tool to covert from LDIF cn=config to slapd.conf?

2010-06-13 Thread Chris Jacobs
and, but I don't think it'd be too difficult. My 2 cents, - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apo

Re: Best way to merge two local DITs vs empty search base suffix

2010-06-14 Thread Chris Jacobs
Where is it documented how the conf file slapd.conf file is processed? I've read the documentation, more than once, and still don't know. I suspect this whole 'order thing' is pretty darn important (outside of access config). Seriously, please me at it. Thanks, - chris C

Re: LDAP clients

2010-06-16 Thread Chris Jacobs
I totally agree. One gotcha though: to see the system attributes (like pwdpolicy settings on an acct) you have to right click the acct and select show system attributes. That confused me for a while. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001

Re: I can't login linux (console) using after configurate openldap

2010-06-16 Thread Chris Jacobs
Compare your login and ssh pam configs (ssh works, login doesn't). They'll be under /etc/pam.d/. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 20

Re: Can't start ldap or can't create ldap database.

2010-06-21 Thread Chris Jacobs
tune anything - seriously. Caveat: I'm no expert. Thanks, - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollog

RE: What DN (user name) I should use for connecting to ldap server?

2010-06-21 Thread Chris Jacobs
Sam, You need to specify a DN (that has at least read access). It could be a DN within the scope of the server, or root/manager/etc DN's specified in your slapd.conf (which would give you write access). For example, use the rootdn entry from your slapd.conf: rootdn "cn=root,dc=example,

Re: Copying trees from one consumer to another

2010-06-22 Thread Chris Jacobs
cated pretty quickly. Try it out, you'll see. It takes less than half a minute to replicate a tree with approx 800 entries (very rough estimate) even on slaves in AZ and masters in WA. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste

RE: Simple question about LDAP and web authentication.

2010-06-22 Thread Chris Jacobs
Bryan, Frankly though, I wonder if OpenLDAP is the right solution for your problem (see OpenID or perhaps just something simple setup in MySQL - [encrypt those passwords! ><] - which you're likely using /anyway/), but moving on... Apache has pretty good LDAP support - I use it control access to

Re: Copying trees from one consumer to another

2010-06-23 Thread Chris Jacobs
True, but then we don't know how big his set is. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogr

Re: How to change openldap database directory

2010-06-25 Thread Chris Jacobs
Stop slapd. Move the directory. Change the directory in slapd.conf. Start slapd. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac

Re: How to change openldap database directory

2010-06-26 Thread Chris Jacobs
wned by the user slapd runs as (usually ldap) - and the parent tree is readable; just the dirs. 4) slapadd -l (imports the db) If that fails you're still dealing with the same issue - a typo or permissions issue, which, sadly, we can't help you with. - chris Chris Jacobs, Sys

RE: Openldap client can't see users

2010-07-01 Thread Chris Jacobs
Can you reply-to-all with your /etc/ldap.conf and /etc/pam.d/common- and /etc/pam.d/ - chris From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of murat can tuna Sent: Thursday, July 01, 2010 8:55 AM To: openldap-technical@openldap.org Subje

Re: ldap bind and password policy

2010-07-02 Thread Chris Jacobs
What does your slapd.conf look like on your consumer (don't make the noob mistake I did of posting real domain, rootdn and rootpw info)? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245

Re: ldap bind and password policy

2010-07-02 Thread Chris Jacobs
Oh, I'm not bothered. I'm not touchy or impatient. I've done it myself. :) - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 e

Re: ldap bind and password policy

2010-07-05 Thread Chris Jacobs
Not I... Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu - Original Message - From: Christian Bösch To: Chris

RE: Question about LDAP and SSL.

2010-07-07 Thread Chris Jacobs
Bryan, The method of completing "Does openldap provide a mechanism that will accomplish the same thing (automatic client cert acceptance)?" is to have a real cert authority issue the cert. They're pretty nice about it even, at least if you give them money. I /highly/ recommend you read up on

RE: Expired password allowed in via pwdGraceAuthNLimit w/o warning to user

2010-07-08 Thread Chris Jacobs
What I've done in my implementation is to enable password expiration warnings - with the warning age being set to just a few seconds less than the password expiration period. For example, when I login I see: $ ssh @'s password: Your LDAP password will expire in 182 days.
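An added example (not code from the message above, nor from the ppolicy overlay itself) of the arithmetic behind the warning described there: the password expires at pwdChangedTime + pwdMaxAge, and a warning is due once fewer than pwdExpireWarning seconds remain. Setting pwdExpireWarning only slightly below pwdMaxAge, as the message describes, is what makes the "will expire in N days" line appear on every login. Attribute names and the GeneralizedTime format are the real ppolicy/LDAP ones; the sample values are constructed.

```python
"""Compute ppolicy expiry state from pwdChangedTime / pwdMaxAge / pwdExpireWarning.

Added example, not from the original thread.  Times are LDAP
GeneralizedTime strings as slapd stores them (e.g. 20100101000000Z);
ages are seconds, as in a pwdPolicy entry.  pwdMaxAge 0 means "never
expires".  The sample values used in the test are constructed.
"""
from datetime import datetime, timedelta, timezone

GT_FORMAT = "%Y%m%d%H%M%SZ"


def parse_generalized_time(value):
    """Parse the UTC GeneralizedTime forms slapd writes (fraction dropped)."""
    if not value.endswith("Z"):
        raise ValueError("expected UTC GeneralizedTime ending in Z: %r" % value)
    body = value[:-1].split(".", 1)[0]
    fmt = {14: "%Y%m%d%H%M%S", 12: "%Y%m%d%H%M", 10: "%Y%m%d%H"}.get(len(body))
    if fmt is None:
        raise ValueError("unrecognised GeneralizedTime: %r" % value)
    return datetime.strptime(body, fmt).replace(tzinfo=timezone.utc)


def format_generalized_time(dt):
    return dt.astimezone(timezone.utc).strftime(GT_FORMAT)


def password_state(pwd_changed_time, pwd_max_age, pwd_expire_warning, now):
    """Describe one account's expiry at time `now` (a GeneralizedTime string).

    Returns a dict with expires_at (GeneralizedTime or None), seconds_left,
    days_left, expired and warn.  warn is True only while the password is
    still valid and inside the pwdExpireWarning window, mirroring when the
    overlay attaches the expiry warning to a bind response.
    """
    state = {"expires_at": None, "seconds_left": None, "days_left": None,
             "expired": False, "warn": False}
    if pwd_max_age <= 0:
        return state  # no expiry configured
    changed = parse_generalized_time(pwd_changed_time)
    current = parse_generalized_time(now)
    expires_at = changed + timedelta(seconds=pwd_max_age)
    seconds_left = int((expires_at - current).total_seconds())
    state.update(
        expires_at=format_generalized_time(expires_at),
        seconds_left=seconds_left,
        days_left=max(seconds_left, 0) // 86400,
        expired=seconds_left <= 0,
        warn=0 < seconds_left <= pwd_expire_warning,
    )
    return state


def login_message(state):
    """The line a PAM client would show for this state, or None."""
    if state["expires_at"] is None:
        return None
    if state["expired"]:
        return "Your LDAP password has expired."
    if state["warn"]:
        return "Your LDAP password will expire in %d days." % state["days_left"]
    return None


if __name__ == "__main__":
    # Constructed sample: 90-day max age, warning window a few seconds shorter.
    s = password_state("20100101000000Z", 90 * 86400, 90 * 86400 - 10,
                       "20100110000000Z")
    print(s, login_message(s))
```

The constructed sample above prints the warning with 81 days left, exactly the always-on behaviour the message describes; shrink pwdExpireWarning to, say, 604800 (7 days) and the same account gets no warning until the last week.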

Re: Expired password allowed in via pwdGraceAuthNLimit w/o warning to user

2010-07-09 Thread Chris Jacobs
ing for a camping trip on probably the first 'summer' weekend here in western Washington (state), and I won't be able to get that for you until Tuesday. I'm using CentOS 5.2 thru .4 - so at least it'll be redhat related. I'm fairly certain I've posted it before

Re: Cannot authenticate with user/password

2010-07-12 Thread Chris Jacobs
Nicholas, This has been covered before. Google: DB_CONFIG Expect poor performance It's just Berkeley DB complaining that there's no DB_CONFIG file... Harmless. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle

Re: Another question about LDAP over SSL

2010-07-12 Thread Chris Jacobs
ents to trust the signer of that cert. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu __

Re: Another question about LDAP over SSL

2010-07-12 Thread Chris Jacobs
ev. Bash or PERL is more my style :p. Warning: there are two ldap.conf files in most linux distros: /etc/ldap.conf : used by PAM /etc/openldap/ldap.conf : used by OpenLDAP tools. Primarily on OpenLDAP servers (whether masters or slaves - now referred to as providers and consumers). - chris Chris Ja

Re: Changing the DN of an OpenLDAP server

2010-07-17 Thread Chris Jacobs
And, when it's time to ditch the old 'DN' all together, search/replace all instances of the old DN with the new DN on a slapcat output, wipe your DB, and slapadd the new version. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6

Re: Problems with slapd and access rules

2010-07-19 Thread Chris Jacobs
0' for the last 24 hours, they won't be warned then. :-/ You'll need to update the password with an account that has those privileges, and set whatever the setting is that requires users to reset their password now. - chris Chris Jacobs, Systems Administrator Apollo Group | Apoll

Re: How to check LDAP replication status?

2010-07-22 Thread Chris Jacobs
configures for active/passive fail over) other and slaves against master VIP. Caveat: we've only a 1000 entries or so... This may not be efficient for larger dbs - as I'm sure some might bring that up. Try it: see if it takes too long or spikes the cpu too much. - chris Chris Jaco

Re: Hmm. No one seems to be able to answer my question about SSL connections

2010-07-30 Thread Chris Jacobs
ifferently (I'm astonished this is still the case) - likely even between versions. Good luck, - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9

Re: Change User Password (passwd vs. ldappasswd)

2010-08-03 Thread Chris Jacobs
And make sure pam_ldap is ref'd in your 'password' pam file (CentOS 5.4: just do it in /etc/pam.d/system-auth). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobil

Re: trying to understand referrals

2010-08-03 Thread Chris Jacobs
What did you end up doing, out of curiosity? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu - Original

Re: cn=Config GUI was: Re: ldap on Ubuntu 10.0.4

2010-08-03 Thread Chris Jacobs
This has been asked before - and the response has always been any gui ldap browser - like apache directory studio. Nothing (yet) for editing cn=config specifically. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA

Re: Webmin LDAP User Module Don't Wor

2010-08-04 Thread Chris Jacobs
y be found in Thing Y.1's forums, etc. Good luck! - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.441.9100 x1245 | mobile: 206.601.3256 | fax: 206.441.9661 email: chris.jac...@apollogrp.edu - O

RE: Back-ldap and Nssov

2010-08-05 Thread Chris Jacobs
It would be nice if it were /easy/ to identify how different distros compiled the various packages they include. I suspect that's likely the issue. - chris -Original Message- From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Mus

RE: Openldap2.4.16 performance issue

2010-08-18 Thread Chris Jacobs
Devender, You did see this email reply, right: "Singh, Devender (GE Capital, consultant)" mailto:devender.sin...@ge.com>> writes: > Hi Dieter, > > I need to tune any parameter in DB_CONFIG file for this or not? Because > I am using default DB_CONFIG file. Just edit DB_CONFIG set_l

Re: Openldap2.4.16 performance issue

2010-08-23 Thread Chris Jacobs
). Our mirrored masters are VMs as well. It's all about the load - there's nothing inherently bad about OpenLDAP on VMs - many people simply overload them. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phon

RE: openldap-2.4.23 Segfault with Error number: 0xffffffffffffffff ()

2010-08-24 Thread Chris Jacobs
And you're also probably going to be told to upgrade. Support for previous versions tends to start with 'use the newer version'. Fyi... - chris -Original Message- From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Aaron Richton

RE: OpenLDAP and Load Balance F5 issue

2010-08-24 Thread Chris Jacobs
Matheus, What was generating the 'too many ACKs'? We're also using F5's in all locations (in front of mirrored masters, and 3 sets of load balanced slaves) - and have only had an issue in one location which was related to an overloaded VM cluster. Thanks, - chris From: openldap-technical-boun

Re: openldap-2.4.23 Segfault with Error number: 0xffffffffffffffff ()

2010-08-24 Thread Chris Jacobs
Uhh, you didn't. I did though - it seems I was mildly dyslexic for a few moments. Carry on... (I have nothing useful to contribute here). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 |

RE: openldap-2.4.23 Segfault with Error number: 0xffffffffffffffff ()

2010-08-24 Thread Chris Jacobs
True. My dumb. -Original Message- From: Quanah Gibson-Mount [mailto:qua...@zimbra.com] Sent: Tuesday, August 24, 2010 12:38 PM To: Yusuf Rajah; Chris Jacobs Cc: Aaron Richton; openldap-technical@openldap.org Subject: RE: openldap-2.4.23 Segfault with Error number: 0x

Re: I can't see my /etc/ldap/slapd.conf file after reinstall

2010-08-26 Thread Chris Jacobs
You must be using a slapd located elsewhere. How did you start slapd? Check the script for slapd's location, and grep that file. Probably something like: /usr/local/... - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattl

Re: I can't see my /etc/ldap/slapd.conf file after reinstall

2010-08-28 Thread Chris Jacobs
Then look in the script (that's what it is) and locate where slapd is being called. Then run strings /path/slapd | grep slapd\.conf to see where the slapd.conf file is at. If it's not where you want it, re-compile openldap, specifying the paths you want. - chris Chris

Re: A LDAPS related issue

2010-09-20 Thread Chris Jacobs
It certainly like it's treating the certs like slapd.conf: read once and remember. Well done on testing this - someone else asked this a while back (although less technical). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Se

Re: best practice and account management (passwd)

2010-10-06 Thread Chris Jacobs
#x27;s purview. However, as the user account would be ldap based, it would contain home folder location. This isn't intended as a complete or authoritative reply - just what I've gleaned - and I've been wrong before (on this list even). Good luck! - chris PS: my apologies for t

Re: best practice and account management (passwd)

2010-10-07 Thread Chris Jacobs
file storage, but you may end up configuring clients via some of the same files (nsswitch, pam.conf, etc.). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 2

RE: Syncrepl not replicating userPassword

2010-10-25 Thread Chris Jacobs
Frankly, you probably also don't need: >> scope=sub My own (scrubbed) synrepl statement: syncrepl rid=1 provider=ldaps://ldapmaster1.example.net type=refreshAndPersist interval=00:00:10:00 searchbase="dc=example,dc=net" bindmethod=simple binddn=

Re: unable to perform authenticated binds

2010-11-02 Thread Chris Jacobs
erent, more readable, and less error (yes, user error) prone would have been selected. Really, white space shouldn't kill a config. Hindsight, eh? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206

Re: unable to perform authenticated binds

2010-11-02 Thread Chris Jacobs
s I then, faulting anyone's past decisions or recent replies. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apollogrp.edu

RE: pam services under LDAP

2010-11-08 Thread Chris Jacobs
> I have created a symlink from /etc/openldap/ldap.conf to > /etc/ldap.conf... that seems to have gotten the majority of the system > communicating with PAM/LDAP. I guess that making a .ldaprc file in the > users home directory and putting those directives in there would be > about the equivalent.

RE: Attributes for filtering OS logins

2010-11-10 Thread Chris Jacobs
From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Anton Chu Sent: Wednesday, November 10, 2010 3:23 PM To: openldap-technical@openldap.org Subject: Attributes for filtering OS logins I have a scenario where I want to setup two LDAP groups

Rebuild openldap so all modules/overlays are separate

2010-12-01 Thread Chris Jacobs
ely I haven't looked in the right spot. I'm currently trying to make my way through the configure script... Blech. Thanks for any pointers, - chris Chris Jacobs, Systems Administrator, Information Technology & Operations Apollo Group | Apollo Marketing | Aptimus, Inc. 2001 6th Av

RE: Rebuild openldap so all modules/overlays are separate

2010-12-01 Thread Chris Jacobs
r 01, 2010 1:06 PM To: Chris Jacobs; openldap-technical@openldap.org Subject: Re: Rebuild openldap so all modules/overlays are separate --On December 1, 2010 1:48:28 PM -0700 Chris Jacobs wrote: > Main question: > how to build openldap with all overlays as dynamically loaded modules >

Re: how to compile recent openldap on Centos 5.5

2010-12-06 Thread Chris Jacobs
27;t like me setting sysconfdir to /etc rather than /usr/local/openldap/etc, but hey - if it bugs me /that/ much I can just as easily symlink the dir. The berkeley db package works well. Not having to recompile that makes life easier too. - chris Chris Jacobs, Systems Administrator Apollo Group

Re: ldap server failover on Kerberos servers?

2010-12-28 Thread Chris Jacobs
As far as OpenLDAP is concerned no. And frankly, I'd be surprised if that made a difference for anything else. Kinda the whole point of the VIP. :) FWIW: I'm not using Kerberos, but all my servers are behind VIPs. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo

RE: invalid credentials (49) for normal user

2010-12-30 Thread Chris Jacobs
Try:

access to attrs=userPassword
    by dn="uid=root,ou=People,o=M1,c=GB" write
    by self write
    by anonymous auth
    by * none
access to *
    by self write
    by users read
    by anonymous auth

-Original Message- From: openldap-technica

Re: Problem with openldap backup script

2011-01-04 Thread Chris Jacobs
t/ instead. It needn't be complicated. Also, if you're able, setup either a spare server or some multi master model (I like mirror master behind VIP personally). - chris PS: sorry for top posting - my handheld client insists. :-/ Chris Jacobs, Systems Administrator Apollo Group

Re: Emergency recovery strategy needed by novice

2011-01-07 Thread Chris Jacobs
Dump: slapcat -l [ldif file] Add from dump, with slapd off: slapadd -l [ldif file] If you're using BDB (typical backend), you can move the contents of the dbdir specified by your config first. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6t

RE: Strange behavior with TLS with self-signed certs

2011-01-07 Thread Chris Jacobs
Yeah, that's the trick though. The OP indicated if they used uri ldap://[hostname] StartTLS doesn't work. - chris -Original Message- From: openldap-technical-boun...@openldap.org [mailto:openldap-technical-boun...@openldap.org] On Behalf Of Andreas Ntaflos Sent: Friday, January 07, 201

RE: Emergency recovery strategy needed by novice

2011-01-07 Thread Chris Jacobs
'd start looking into it. -Original Message- From: Richard Troy [mailto:rt...@sciencetools.com] Sent: Friday, January 07, 2011 11:18 AM To: Chris Jacobs Cc: 'openldap-technical@openldap.org' Subject: Re: Emergency recovery strategy needed by novice On Fri, 7 Jan 2011, Chris J

RE: Strange behavior with TLS with self-signed certs

2011-01-07 Thread Chris Jacobs
Equipment limitation: Our old load balancers could load balance StartTLS, not SSL. Our new ones can load balance SSL, not StartTLS. Paranoia: If you wish to encrypt the entire session, from the very beginning, use SSL. Firewall limits you to port 389 (corp policy, difficult network/firewall team

Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX

2011-01-12 Thread Chris Jacobs
om systems.) - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apollogrp.edu - Original Message - From: openldap-technical-boun

Re: Problems importing ppolicy LDIF: LDAP_INVALID_SYNTAX

2011-01-12 Thread Chris Jacobs
e culprit. Perhaps also checking the schema file for the limits or acceptable values. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apo

Re: LDAP and PAM: account is expired, but pam_ldap allows authentification

2011-01-12 Thread Chris Jacobs
I was thinking along the same lines: * is pam_password exop in your /etc/ldap.conf? * And passwd entry for nsswitch contains ldap? * Ditto for /etc/pam.d/system-auth-ac? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA

Re: cleaning house on ldap server?

2011-01-16 Thread Chris Jacobs
Nope, it's not safe to assume that. Some items are read at startup only, like the server cert. A better test would be to restart after every move. What's your goal here? Saving a few kb? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6

Re: No remote writes, only reads

2011-01-16 Thread Chris Jacobs
if you include your relevant config info. Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apollogrp.edu - Original Message - From

Re: Failover Failure Advice

2011-01-26 Thread Chris Jacobs
be), you'll have to use either wildcard certs or certs using hostname of the vip. - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chri

Re: Search Filter for Second Value

2011-01-28 Thread Chris Jacobs
(|(userPassword[0]=foo)(userPassword[1]=foo)) Google: ldap filter syntax - the zytrax result is pretty handy. - chris Sorry for double send Tim; forgot to reply-all to list. Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA
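An added example (not code from the message above) of building the kind of 'or' query discussed there in standard RFC 4515 syntax, with the assertion values escaped so that a caller-supplied string cannot alter the filter's structure. The attribute names and the login-lookup helper are illustrative assumptions; the escape table is the one RFC 4515 specifies.

```python
"""Construct LDAP search filters with RFC 4515 value escaping.

Added example, not from the original thread.  Shows the safe way to build
an OR filter from untrusted input next to the naive string-formatting
version that an injected value can rewrite.  Attribute names used in
lookup_filter (uid, mail) are assumptions for the demonstration.
"""
import re

# RFC 4515 section 3: these characters must be escaped inside a value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
# Attribute description: descriptor or numeric OID, optional ;options.
_ATTR_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|[0-9]+(\.[0-9]+)+)(;[A-Za-z0-9-]+)*$")


def escape_filter_value(value):
    """Escape an assertion value; non-ASCII is emitted as \\xx UTF-8 bytes."""
    out = []
    for ch in value:
        if ch in _ESCAPES:
            out.append(_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7E:
            out.append("".join(r"\%02x" % b for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def _attr(name):
    """Reject anything that is not a syntactically valid attribute description."""
    if not _ATTR_RE.match(name):
        raise ValueError("bad attribute description: %r" % name)
    return name


def equals(attr, value):
    return "(%s=%s)" % (_attr(attr), escape_filter_value(value))


def present(attr):
    return "(%s=*)" % _attr(attr)


def any_of(*filters):
    return filters[0] if len(filters) == 1 else "(|%s)" % "".join(filters)


def all_of(*filters):
    return filters[0] if len(filters) == 1 else "(&%s)" % "".join(filters)


def not_(filt):
    return "(!%s)" % filt


def naive_lookup_filter(login):
    """The unsafe pattern: plain string formatting, no escaping."""
    return "(|(uid=%s)(mail=%s))" % (login, login)


def lookup_filter(login):
    """Match an account by uid or mail, with the login value escaped."""
    return any_of(equals("uid", login), equals("mail", login))


if __name__ == "__main__":
    hostile = "*)(uid=*"  # constructed injection attempt
    print("naive:", naive_lookup_filter(hostile))
    print("safe: ", lookup_filter(hostile))
```

Feed the same hostile value to both builders: the naive one turns into a filter that matches every entry with a uid, while the escaped one only matches a literal login of `*)(uid=*`. Pass the result of `lookup_filter` to ldapsearch or your client library as the filter argument.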

RE: Search Filter for Second Value

2011-01-28 Thread Chris Jacobs
I was continuing with Tim's example. I didn't care about his use, just responding to how to construct an 'or' ldap query. - chris -Original Message- From: Howard Chu [mailto:h...@symas.com] Sent: Friday, January 28, 2011 12:10 PM To: Chris Jacobs Cc: 't...

Re: Authentication for on the fly configuration updates in OpenLDAP 2.4

2011-01-30 Thread Chris Jacobs
Yeah, it's an S.E.P. Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apollogrp.edu - Original Message - From: openldap-tech

Re: Logging to syslog

2011-02-02 Thread Chris Jacobs
John, Are you attempting to log on a client? - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001 6th Ave Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661 email: chris.jac...@apollogrp.edu - Original Message

RE: Logging to syslog

2011-02-02 Thread Chris Jacobs
[mailto:john_esp...@yahoo.com] Sent: Wednesday, February 02, 2011 12:37 PM To: Chris Jacobs Subject: Re: Logging to syslog On 2/2/2011 9:01 PM, Chris Jacobs wrote: > John, > > Are you attempting to log on a client? > > - chris Hi Chris - I don't understand your question - i

Re: Logging to syslog

2011-02-02 Thread Chris Jacobs
Check the openldap admin guide, as well as a ton of recent mailing list entries for making changes to online configuration (stored inside /etc/openldap/slapd.d - normally - not to be edited by hand). - chris Chris Jacobs, Systems Administrator Apollo Group | Apollo Marketing | Aptimus 2001

RE: slapcat on bdb

2011-03-08 Thread Chris Jacobs
None at all. It's used as part of our backup strategy too. In fact, in an older version of OpenLDAP 2.2, we used to do that to get a dump we'd copy by hand to the remote slaves that quite often got out of sync. FWIW, no issues with that since we upgraded to 2.4.23. - chris -Original Mess

RE: multi-master and consumers

2011-03-16 Thread Chris Jacobs
The openldap admin guide goes over several different methods. We prefer two master servers using mirror-mode, behind a VIP configured to always use 1 of the servers (whichever has been active). Then we point our consumers to the VIP. If the current pref'd master goes down, the VIP switches to

Re: newbie problem importing ldap

2011-03-18 Thread Chris Jacobs
d search this mailing list for more info; e.g.: modify config slapd.d - chris Chris Jacobs, Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc. 2001 6th Ave | Ste 3200 | Seattle, WA 98121 phone: 206.839-8245 | cell: 206.

Re: masking LDAP search responses

2011-05-09 Thread Chris Jacobs
Which values are returned is part of the ldap query. Play around with ldapsearch. I suspect there's an easier answer available. - chris Chris Jacobs, Systems Administrator, Technology Services Group Apollo Group | Apollo Marketing & Product Development | Aptimus, Inc. 2001 6th Ave |
