I think you also need a bit of help with your spam setup ;)
<<< 550-XM-RJCT22: [212.26.193.44] is prohibited from connecting to XMission mail
<<< 550-servers due to high spam volume. See the following for more information:
This server is not even sending out that many mails.
-Original Me
> So management is insisting that we migrate our openLDAP systems from
on premise into the cloud
I may be totally off topic, but why would they, and for what reasons?
Now combining acl attribute access with regular access
fails
You are confusing “continue” with “break”.
> On Aug 31, 2020, at 9:22 AM, Marc Roos
wrote:
>
>
> Now I have that either works, but not both. Reversing these rules also
> does not work (with keeping the continue at 5
Where can I get some support on these acl's?
-Original Message-
To: openldap-technical
Subject: Now combining acl attribute access with regular access fails
Now I have that either works, but not both. Reversing these rules also
does not work (with keeping the continue at 5)
{5} access to dn.subtree="ou=People,dc=example,dc=com"
    by dn="cn=outsourced_bla,dc=example,dc=com" read
    by * continue
{6} access to dn.subtree="ou=People,dc=example,dc
However attributes of cn=test,ou=People,dc=example,dc=com are not
working.
Anyone there?
-Original Message-
To: openldap-technical
Subject: RE: Acl attribute access
I had to add objectClass to Dan's example to get this to work. Not sure
if this is the correct approach though.
access to dn.subtree="ou=People,dc=example,dc=com"
    attrs="entry,uid,cn,sn,mail,mailHost"
    by dn="cn=outsourced_ironport,dc=example,dc=com" read
    by * break
[1]
https://www.op
In 2005 this was not possible, has this changed?
> access to dn.children="ou=users,o=mydomain.com"
filter=(groupname=(.+))
> by group.expand="cn=$1,ou=groups,o=mydomain.com" write
[1]
https://www.openldap.org/lists/openldap-software/200501/msg00322.html
-Original Message-
To: o
I am not getting this page. Maybe there should be an example or so. Can I
use user anywhere in the acls, and will it expand to the dn of the binddn
of the ldapsearch request?
user | this : resolves to the set {
"cn=User,cn=adfasdfa,cn=asdfadfa,ou=asdfasdfas,ou=adsasdfasdf",
"cn=Resource" }
Is it possible to have a variable VAR in an acl filter?
Something like this:
to dn="sendmailMTAKey=t...@b.com,ou=,ou=d,ou=c,dc=b,dc=a,dc=local" filter="(sendmailMTAMapValue=VAR1)"
    by ssf=64 dn.exact="uid=VAR1,ou=,ou=d,ou=c,dc=b,dc=a,dc=local" read
If I have this acl:
to dn="sendmailMTAKey=t...@b.com,ou=,ou=d,ou=c,dc=b,dc=a,dc=local"
    by ssf=64 dn.exact="uid=acctest,ou=,ou=d,ou=c,dc=b,dc=a,dc=local" read
I can access with this ldap search:
ldapsearch -LLL -W -s sub -b
"sendmailMTAKey=t...@
Share some comparison performance charts ;)
-Original Message-
Subject: Re: slapd 2.4.44 Performance problems
We are using the version that comes with CentOS/RHEL7.
Will try a new deployment using back-mdb.
Thanks.
Maybe use acls with different ssf? This way you can keep your queries
the same and extract full data on your own very secure connection?
-Original Message-
To: openldap-technical@openldap.org
Subject: anonymize data
Hi all,
I have a question anonymizing data.
My openldap have some co
Thanks for this clear insight!
-Original Message-
To: Scott Classen
Cc: Vijay Kumar; openldap-technical@openldap.org
Subject: *SPAM* Re: Info needed on OpenLDAP support / compliance
on FIPS 140.2
On Mon, 15 Jun 2020, Scott Classen wrote:
> Did you build the OpenLDAP binary fro
With sync replication, having a provider at state C (newest) and a
consumer starting with rid=100 and state=A.
After syncing provider and consumer both are in state C
When then the consumer is killed, and a new consumer is started with the
same rid=100 and again state A.
Does this consumer
> -w `cat /var/lib/nethserver/secrets/libuser`
Use -y option? (and 'echo -n' password to file, thus without newline
character)
Start with acls something like this (default do not allow access):
olcAccess: {0} to dn.exact="" by * read
olcAccess: {1} to dn.exact="cn=Subschema" by * read
olcA
)
access to attr
by self write
by * none
This (1) will give all users located in [1] write access to their own
object. (2) will give access only to a (comma-separated) list of
attributes. But be aware that you have to look at which position you put
the new ACL in your ACL list.
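For the continue/break thread (directives {5} and {6}) and Dan's attrs example earlier on this page, and for the self write / ACL position remark just above, here is an added Python model of how slapd walks its access list. It is example code, not OpenLDAP code and not from any post, and it covers only the subset of slapd.access(5) the posts use: dn.exact, dn.subtree, dn.children and dn.regex targets, an attrs list, the who forms *, anonymous, users, self and dn.exact (with $1 expansion from a dn.regex target), plain access levels, and the stop, continue and break controls. DN comparison is a case-insensitive string compare, a simplification. The by clauses of {6} are cut off in the quoted post and are assumed here to be `by self write by users read`.

```python
import re
from dataclasses import dataclass, field

# Access levels from slapd.access(5), weakest first; each level implies the weaker ones.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

@dataclass
class By:
    who: str                # "*", "anonymous", "users", "self" or "dn.exact=<dn>" ($1.. from a dn.regex)
    level: str = "none"     # a by clause without an <access> grants nothing
    control: str = "stop"   # stop (the default) | continue | break

@dataclass
class Access:
    what: str                          # "*", "dn.exact=..", "dn.subtree=..", "dn.children=..", "dn.regex=.."
    attrs: frozenset = frozenset()     # empty: whole entry; "entry" is the entry pseudo-attribute
    by: list = field(default_factory=list)

def norm(dn):   # simplification: case and whitespace only, not full RFC 4514 normalisation
    return dn.strip().lower()

def match_what(acl, target_dn, attr):
    """Regex groups (a tuple, maybe empty) when the <what> covers target_dn/attr, else None."""
    if acl.attrs and attr not in acl.attrs:
        return None
    if acl.what == "*":
        return ()
    style, _, pat = acl.what.partition("=")
    if style == "dn.regex":
        m = re.fullmatch(pat, target_dn, re.IGNORECASE)
        return m.groups() if m else None
    t, p = norm(target_dn), norm(pat)
    hit = {"dn.exact": t == p,
           "dn.subtree": t == p or t.endswith("," + p),
           "dn.children": t != p and t.endswith("," + p)}[style]
    return () if hit else None

def match_who(by, subject_dn, target_dn, groups):
    """Does the <who> of this by clause match the bound subject (None = anonymous)?"""
    who = by.who
    if who == "*":
        return True
    if who == "anonymous":
        return subject_dn is None
    if who == "users":
        return subject_dn is not None
    if who == "self":
        return subject_dn is not None and norm(subject_dn) == norm(target_dn)
    if who.startswith("dn.exact="):
        pat = who[len("dn.exact="):]
        for i, g in enumerate(groups, 1):          # expand $1, $2, ... captured by a dn.regex <what>
            pat = pat.replace("$%d" % i, g)
        return subject_dn is not None and norm(subject_dn) == norm(pat)
    raise ValueError("unsupported <who>: " + who)

def evaluate(acls, subject_dn, target_dn, attr="entry"):
    """Walk the directives in order, as slapd does, and return the resulting access level."""
    for acl in acls:
        groups = match_what(acl, target_dn, attr)
        if groups is None:
            continue                   # <what> does not cover this target: next directive
        for by in acl.by:
            if not match_who(by, subject_dn, target_dn, groups):
                continue
            if by.control == "stop":
                return by.level
            if by.control == "break":
                break                  # leave this directive, keep walking the list
            # "continue": the remaining by clauses of this same directive are still consulted
        else:
            # Neither stop nor break happened: the implicit "by * none stop" that ends every
            # directive applies. This is why a trailing "by * continue" denies everyone else.
            return "none"
    return "none"                      # no directive (left) covers the target: denied

def allowed(acls, subject_dn, target_dn, attr, needed):
    return LEVELS.index(evaluate(acls, subject_dn, target_dn, attr)) >= LEVELS.index(needed)

PEOPLE = "ou=People,dc=example,dc=com"
OUTSOURCED = "cn=outsourced_bla,dc=example,dc=com"
TEST = "cn=test," + PEOPLE

def people_acls(control):   # {5} and {6} from the thread; {6} is cut off in the post, so its clauses are assumed
    return [Access("dn.subtree=" + PEOPLE, by=[By("dn.exact=" + OUTSOURCED, "read"), By("*", control=control)]),
            Access("dn.subtree=" + PEOPLE, by=[By("self", "write"), By("users", "read")])]

# Dan's attrs example from the follow-up: an attribute the list does not name is simply not covered.
IRONPORT = "cn=outsourced_ironport,dc=example,dc=com"
ATTRS_ACL = [Access("dn.subtree=" + PEOPLE, frozenset({"entry", "uid", "cn", "sn", "mail", "mailHost"}),
                    [By("dn.exact=" + IRONPORT, "read"), By("*", control="break")])]

def demo():
    cont, brk = people_acls("continue"), people_acls("break")
    return {"outsourced/continue": evaluate(cont, OUTSOURCED, TEST),   # read
            "self/continue": evaluate(cont, TEST, TEST),               # none: stuck in {5}
            "outsourced/break": evaluate(brk, OUTSOURCED, TEST),       # read
            "self/break": evaluate(brk, TEST, TEST),                   # write: fell through to {6}
            "ironport/mail": evaluate(ATTRS_ACL, IRONPORT, TEST, "mail"),                 # read
            "ironport/objectClass": evaluate(ATTRS_ACL, IRONPORT, TEST, "objectClass")}   # none
```

The two results that matter: with `by * continue` as the last clause of {5}, a user who is not the outsourced account matches that clause, there is no further by clause in {5}, and the implicit `by * none` ends evaluation, so {6} is never reached; with `by * break` the same user falls through to {6}. Dan's attrs list is a separate what: an attribute it does not name (objectClass, userPassword) is not covered by that directive at all, which matters for the default ldapsearch filter (objectClass=*), whose attribute needs search access before the filter can match.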
Can I just copy the mdb databases to a different server, or are there
'unique' values inside?
hole tree you need some kind
of regex-ACLs
On 27.11.19 at 22:41, Marc Roos wrote:
> Can anyone help how I should make the acls that allows users[2] access
> attributes of ldap entries[1] that have themselves listed in the
> attribute value sendmailMTAMapValue
>
> Something like
Paid support is also welcome.
-Original Message-
To: openldap-technical
Subject: acl help access to 'own' attributes
Can anyone help how I should make the acls that allows users[2] access
attributes of ldap entries[1] that have themselves listed in the
attribute value sendmailMTAMapValue
Something like:
Access to children? ou=,ou=,ou=,dc=,dc=,dc=local
filter=(sendmailMTAMapValue=VAR1) at
I now have setups with VMs with a local slapd and nscd for caching
authentication requests. If I separate these processes, e.g. a different
container for slapd and a different container for the application that
does system authentication, I will not be able to share cache memory etc.
I was wondering
I have problems authenticating against this acl [0] with nslcd; if I use
[1], authentication is fine. I have the impression the dn.exact is not
able to access the password attribute, because getent shows the other
attributes. How should I rewrite this so the dn.exact is able to read
the password
haproxy?
-Original Message-
Subject: LDAP loadbalancer with URL redirect
Hi,
I have two different LDAP ldap://ldap1 and ldap://ldap2 behind a same
public IP 10.0.0.1 Is there a solution to make a reverse proxy with
redirection ?
I mean if a LDAP request arrive to 10.0.0.1 with URI
I have a client that coredumps with these acls. When I remove them, the
client is getting data from the ldap server and I can see the queries it
is doing on the server. I thought the lines below would give access to
ou=Services and below by test, but I guess not.
dn: olcDatabase={-1}frontend,c
I am adding the syncprovider to a running server with these:
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: sy
Got it working with this:
socat -s \
  UNIX-LISTEN:/var/run/ldapi,unlink-early,fork \
  OPENSSL:ldap.local:8443,cafile=/etc/pki/ca-trust/source/anchors/ca.crt,verify=0,keepalive,reuseaddr
-Original Message-
To: openldap-technical
Subject: RE: Socat tcp to local socket
With this I am ab
Hi Harry,
I just did a build from srpm, and currently I trying to get the scenario
of a pipe between sockets working. Just to make sure this pipe is
working correctly before I am moving to the tcp/tls connection.
Of course my problem persists with socat using something like this.
socat -s -d
With this I am able to issue just one ldap search on the socket.
Subsequent queries fail with 'ldap_sasl_bind(SIMPLE): Can't contact LDAP
server (-1)'
socat -d -d \
  OPENSSL:192.168.10.18:8443,cafile=/etc/openldap/cacerts/ca.crt,verify=0,keepalive,reuseaddr,ignoreeof \
  UNIX-LISTEN:/var/run/lda
Anyone having some experience using socat (or something similar?) to
connect to a remote slapd server tcp/tls with a local socket? I have a
client that requires the local ldapi socket. But I do not want to
install there an instance of slapd.
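For the socat thread above (the single-connection attempt with ignoreeof, and the working line with fork and verify=0), here is an added Python relay; it is example code, not socat and not from any post. It listens on a local Unix socket where a client expects ldapi and opens a separate TLS connection to the remote slapd for every client, which is what socat's fork option provides and what the first attempt lacked, so a second ldapsearch no longer fails with "Can't contact LDAP server". Its TLS context verifies the server certificate against the CA file and checks the hostname, instead of the verify=0 in the posted command. The self-test stands in a plain TCP echo server for slapd (ctx=None) because nothing can be verified offline; socket paths, hosts and the CA file path are placeholders.

```python
import asyncio
import os
import ssl
import tempfile

async def pump(reader, writer):
    """Copy bytes in one direction until EOF, then close our writer so the other side sees EOF too."""
    try:
        while True:
            chunk = await reader.read(65536)
            if not chunk:
                break
            writer.write(chunk)
            await writer.drain()
    except (ConnectionError, OSError):
        pass
    finally:
        writer.close()

def tls_context(cafile):
    """Verify the remote slapd against the given CA and check its hostname: the checks verify=0 disables."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

async def start_relay(sock_path, host, port, ctx):
    """Accept clients on a Unix socket and give each its own upstream connection (socat's fork option)."""
    async def handle(client_r, client_w):
        try:
            up_r, up_w = await asyncio.open_connection(
                host, port, ssl=ctx, server_hostname=host if ctx else None)
        except OSError:                    # upstream down or its certificate rejected: drop the client
            client_w.close()
            return
        await asyncio.gather(pump(client_r, up_w), pump(up_r, client_w))
    server = await asyncio.start_unix_server(handle, path=sock_path)
    os.chmod(sock_path, 0o660)             # only the socket's owner and group may reach the directory
    return server

async def _selftest():
    # Stand-in for slapd, constructed for the test: echo one request back, then hang up.
    async def echo(r, w):
        w.write(await r.read(4096))
        await w.drain()
        w.close()
    upstream = await asyncio.start_server(echo, "127.0.0.1", 0)
    port = upstream.sockets[0].getsockname()[1]
    sock_path = os.path.join(tempfile.mkdtemp(), "ldapi")
    relay = await start_relay(sock_path, "127.0.0.1", port, None)   # ctx=None: plain TCP, test only
    replies = []
    for request in (b"search-1", b"search-2"):   # two clients in a row: the case that failed without fork
        r, w = await asyncio.open_unix_connection(sock_path)
        w.write(request)
        await w.drain()
        replies.append(await r.read(4096))
        w.close()
        await w.wait_closed()
    relay.close()
    upstream.close()
    return replies

def relay_selftest():
    """Returns the echoed requests, one per client connection, proving the relay serves more than one."""
    return asyncio.run(_selftest())

if __name__ == "__main__":
    print(relay_selftest())   # [b'search-1', b'search-2']
```

In production it would be started with the real endpoint, e.g. `start_relay("/var/run/ldapi", "ldap.local", 8443, tls_context("/etc/pki/ca-trust/source/anchors/ca.crt"))` inside an asyncio loop. One caveat for the client that insists on ldapi: SASL EXTERNAL over ldapi relies on the peer's Unix credentials, and those do not travel through this bridge, so the client has to bind with the same credentials it would use over ldaps.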
http://www.openldap.org/doc/admin24/tls.html
And maybe something like this:
https://www.ibm.com/support/knowledgecenter/en/SSMNED_5.0.0/com.ibm.apic.cmc.doc/task_apionprem_gernerate_self_signed_openSSL.html
-Original Message-
From: Dmitri Seletski [mailto:drj...@gmail.com]
Sent: maan
Is there maybe someone here that has tested the index use for sendmail,
taking into account the issue Michael addresses? :)
-Original Message-
Subject: Re: mdb index reporting available?
On 8/19/19 11:22 AM, Ulrich Windl wrote:
> Can you present an example here where an index added a
I am not sure if this is true, because it looks like provider and
consumer are a bit too long on high load for the changes that were made.
-Original Message-
Subject: Initial syncreplication details
Am I correct to understand from this page[0] that the consumer gets its
'new' contextCSN from the slapcat import. (I saw it in the file). And
will get all data since that date at startup?
The replication id is of no influence. So if I would stop slapd import
again the same old slapcat file.
Nevermind, I see the statement now with the ber sync logging, after
removing an index and then querying it
-Original Message-
Subject: RE: mdb index reporting available?
I do have to say I like this message at ber sync more. Enabling the
stats is not an option to keep in production on.
Hi Michael
>
>> I am using CentOS6/CentOS7 and currently testing with CentOS7 default
>> openldap 2.4.44, but switched their default db to mdb.
>
> AFAIK they don't use my back-port patch for ITS#7796.
>
>> I am using eg sendmail as a client. So I have no clue what the search
>> queri
m going to allow some other task to query the ldap in the
future, I will again not know if they are accessing keys that are maybe
not indexed or not properly indexed.
-Original Message-
From: Michael Ströder [mailto:mich...@stroeder.com]
Sent: Saturday 17 August 2019 12:56
To: Marc Roos
I used to have some help with what and how I should add indexes, but it
looks like the new mdb backend is not telling me anymore. Is this
correct? Anyway to get a warning when some index needs to be set?
bdb_equality_candidates: () not indexed
bdb_inequality_candidates: (createTimestamp) n
This is the default file that rhel/centos have in their slapd.d dir for
the database. I thought I would just remove this one and place the one
for mdb, seems to work, don't know about this entryUUID? Or can I do
this with ldapmodify?
[@53386e4b0025 cn=config]# cat /tmp/olcDatabase\=\{2\}hdb
> You're just replacing once constant with another here, why not just
set it correctly once, in the source file?
Because the destination field is not always the same, it is different
for different vm groups.
> Why use a rootpw at all?
I thought I cannot get around using this when changing th
Ok ok I will look at this mdb again.
-Original Message-
From: Quanah Gibson-Mount [mailto:qua...@symas.com]
Subject: Re: Make slapadd faster?
--On Friday, August 16, 2019 10:14 AM +0200 Marc Roos
wrote:
>
> I know you can disable some checks to make slapadd faster. But I
lapd config
--On Friday, August 16, 2019 5:17 PM +0200 Marc Roos
wrote:
> I am more fan of Centos because then I can fall back on RedHat
> support, especially for production environments.
That's the most laughable statement (in relation to OpenLDAP at least)
that I've heard in ye
Thanks Howard, I am already doing this for the default configuration.
I was hoping I could get around fetching secrets and importing changes
at run time.
-Original Message-
Subject: Re: Environment variable in slapd config
Marc Roos wrote:
>
> Indeed. Ansible is just a to
d -Q -Y EXTERNAL -H ldapi:/// -f
$SLAPD_CFG_DIR/change-config.ldif \
&& rm -f $SLAPD_CFG_DIR/change-config.ldif \
&& kill -HUP $(cat /var/run/openldap/slapd.pid) \
&& sync \
&& chown $SLAPD_USER /var/run/ldapi
#ADD db.tgz /var/lib/ldap/
RUN [ -f "/tmp
RID in multiple configs.
>
>
> -Original Message-
> Subject: Re: Environment variable in slapd config
>
> Michael Ströder wrote:
>> On 8/16/19 12:02 PM, Marc Roos wrote:
>>> Is it possible to reference an environment variable in olcSyncrepl:
>>&
Indeed. Ansible is just a tool you should use for the fitting job. Afaik
I only have to set a few variables and I do not have in the hundreds of
services. But I would not mind looking at your Dockerfile to see how you
prepare the image.
The ceph mailing list is 'full' of people using ansible,
If you have a container image, and you spawn from that multiple
instances, you have to be able to 'easily' change unique qualifiers,
not?
-Original Message-
Subject: Re: Environment variable in slapd config
Michael Ströder wrote:
> On 8/16/19 12:02 PM, Marc Roos wr
would be
if I could specify something like an environment variable in olcSyncrepl
-Original Message-
From: Ulrich Windl [mailto:ulrich.wi...@rz.uni-regensburg.de]
Sent: Monday 12 August 2019 8:56
To: Marc Roos
Subject: Antw: RE: Openldap in container advice, how have you done it
Is it possible to reference an environment variable in olcSyncrepl:
{0}rid= ?
--On Saturday, August 10, 2019 6:54 PM +0200 Michael Ströder
wrote:
> Are you talking about the serverID?
>
> serverID is not needed on a read-only consumer. Just leave it out.
He's talking about replication ID
>On Sat, Aug 10, 2019 at 01:23:41AM +0200, Marc Roos wrote:
>>- updating of a newly spawned slapd instance
>>When the new task is launched, it is not up to date with its
database,
>>can I prevent connections to the slapd until it is fully synced?
>
>This is not im
I know you can disable some checks to make slapadd faster. But I think
in my test vm with limited disk iops, it looks like this disk io is the
problem.
I am not sure how slapadd adds entries, I guess one at a time? You could
get a significant improvement by reading more entries and writing mor
Afaik from the mesos executor, it wants to keep the process in
foreground, so when the task terminates, it will be detected and
restarted.
How can I run slapd in foreground?
Ok so long rep id is not going to work
modifying entry "olcDatabase={2}hdb,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: Error: parse_syncrepl_line: syncrepl id 1911533132
is out of range [0..999]
-Original Message-
From:
I was thinking of putting read-only slapd('s) in a container environment
so other tasks can query their data. Up until now I have had replication
only between vm's.
To be more flexible I thought of using stateless containers. Things that
could be caveats
- replication id's
say I spawn anot
Yes, I have a default hdb slap.d tree setup from the el7 rpm install. I
also noticed this olcHdbConfig. I have decided to stick with the hdb for
now.
-Original Message-
From: Quanah Gibson-Mount
Sent: 02 April 2019 15:37
To: Marc Roos; openldap-technical
Subject: RE
x: sendmailMTACluster pres,eq
olcDbIndex: sendmailMTAHost pres,eq
-Original Message-
From: Quanah Gibson-Mount
Sent: 01 April 2019 16:30
To: Marc Roos; openldap-technical
Subject: Re: mdb_equality_candidates: (entryUUID) not indexed, with
olcDbIndex=entryUUID pres, eq
--On Monday, April 01, 201
I am getting mdb_equality_candidates: (entryUUID) not indexed
While I have
[@ slapd.d]# grep entryUU cn\=config/olcDatabase\=\{2\}mdb.ldif
olcDbIndex: entryUUID pres,eq
entryUUID: 06b55588-e732-1038-8481-f782455a1e70
openldap-servers-2.4.44-21.el7_6.x86_64
First time I am installing the slapd with a mdb backend. Could this be
because the syntax has changed?
I am getting these messages:
mdb_equality_candidates: (entryUUID) not indexed
While I have in {2}mdb
olcDbIndex entryUUID pres,eq
CentOS Linux release 7.6.1810 (Core)
openldap-clients-
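For the two index threads on this page (the request for a warning when an index is missing, and the entryUUID message that appears although olcDbIndex lists it), here is an added Python script; it is not from the posts and not an OpenLDAP tool. It scans slapd log lines for the `*_candidates: (attr) not indexed` messages, tallies them per attribute and candidate kind, compares them with the olcDbIndex values in effect, and renders the merged olcDbIndex values. The log lines and olcDbIndex values in it are constructed samples. Equality, presence, substring and approx candidates are mapped to the eq, pres, sub and approx index types; any other candidate kind (the inequality message in the quoted bdb log) is reported without a suggestion.

```python
import re
from collections import defaultdict

# slapd reports an unindexed filter component as e.g. "<= mdb_equality_candidates: (entryUUID) not indexed"
NOT_INDEXED = re.compile(r"(?:mdb|bdb|hdb)_(\w+)_candidates: \((\w*)\) not indexed")
# candidate kind in the message -> index type for olcDbIndex; kinds not listed are reported, not mapped
CANDIDATE_TO_INDEX = {"equality": "eq", "presence": "pres", "substring": "sub", "approx": "approx"}
TYPE_ORDER = ["pres", "eq", "approx", "sub"]

def parse_not_indexed(lines):
    """{attribute: {candidate_kind: count}} over every 'not indexed' message; attribute names lowercased."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = NOT_INDEXED.search(line)
        if m:
            hits[(m.group(2) or "<unnamed>").lower()][m.group(1)] += 1
    return hits

def parse_olcdbindex(values):
    """'olcDbIndex: entryUUID pres,eq' -> {'entryuuid': {'pres', 'eq'}}; the 'olcDbIndex:' prefix is optional."""
    configured = defaultdict(set)
    for value in values:
        if value.lower().startswith("olcdbindex:"):
            value = value.partition(":")[2]
        attr, _, types = value.strip().partition(" ")
        configured[attr.lower()].update(t.strip() for t in types.split(",") if t.strip())
    return configured

def analyze(lines, olcdbindex_values):
    """Sort the log's complaints into: index types missing from the config; types that are configured
    but still reported (the index was never built, e.g. slapindex not run after editing a static
    slapd.conf, or the message belongs to another database); and candidate kinds not mapped here."""
    hits, configured = parse_not_indexed(lines), parse_olcdbindex(olcdbindex_values)
    report = {"missing": defaultdict(set), "stale": defaultdict(set), "unmapped": defaultdict(set)}
    for attr, kinds in hits.items():
        for kind in kinds:
            idx = CANDIDATE_TO_INDEX.get(kind)
            bucket = "unmapped" if idx is None else "stale" if idx in configured[attr] else "missing"
            report[bucket][attr].add(idx or kind)
    report = {k: dict(v) for k, v in report.items()}
    report["counts"] = {a: dict(k) for a, k in hits.items()}
    return report

def merged_index_values(olcdbindex_values, missing):
    """olcDbIndex values with the missing types folded into the existing ones, one value per attribute."""
    configured = parse_olcdbindex(olcdbindex_values)
    for attr, types in missing.items():
        configured[attr].update(types)
    key = lambda t: (TYPE_ORDER.index(t) if t in TYPE_ORDER else len(TYPE_ORDER), t)
    return sorted("%s %s" % (attr, ",".join(sorted(types, key=key))) for attr, types in configured.items())

# Constructed sample input: syslog lines in the shape slapd writes, and the olcDbIndex values of a
# database like the one in the thread (entryUUID is indexed but still reported).
SAMPLE_LOG = [
    "Aug 17 12:56:01 ldap01 slapd[1234]: <= mdb_equality_candidates: (entryUUID) not indexed",
    "Aug 17 12:56:01 ldap01 slapd[1234]: <= mdb_equality_candidates: (sendmailMTAKey) not indexed",
    "Aug 17 12:56:02 ldap01 slapd[1234]: <= mdb_equality_candidates: (sendmailMTAKey) not indexed",
    "Aug 17 12:56:02 ldap01 slapd[1234]: <= mdb_substring_candidates: (mail) not indexed",
    "Aug 17 12:56:03 ldap01 slapd[1234]: <= bdb_inequality_candidates: (createTimestamp) not indexed",
    "Aug 17 12:56:03 ldap01 slapd[1234]: conn=1003 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=",
]
SAMPLE_INDEX = ["olcDbIndex: objectClass eq", "olcDbIndex: entryUUID pres,eq",
                "olcDbIndex: mail eq", "olcDbIndex: sendmailMTAKey pres"]

def demo():
    report = analyze(SAMPLE_LOG, SAMPLE_INDEX)
    report["suggested_olcDbIndex"] = merged_index_values(SAMPLE_INDEX, report["missing"])
    return report

if __name__ == "__main__":
    for section, content in demo().items():
        print(section, content)
```

Feed it the slapd lines from journalctl or syslog together with the output of `ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcDbIndex` for the database in question; the "stale" bucket is the entryUUID case from the thread, where the declaration exists but the log keeps complaining.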
>>
>>
>> I am getting this error after (re)booting, if I restart slapd it is
>> gone. I guess I can ignore this message because slapd will recover from
>> this eventually? Or do I need to give it a restart every time?
>>
>>
>> After reboot:
>>
>> jan 16 14:57:19 mail04 slapd[3283]: @(#)
I am getting this error after (re)booting, if I restart slapd it is
gone. I guess I can ignore this message because slapd will recover from
this eventually? Or do I need to give it a restart every time?
After reboot:
jan 16 14:57:19 mail04 slapd[3283]: @(#) $OpenLDAP: slapd 2.4.44 (Oct 30
Hi
I am running dovecot and sendmail on a VM with authentication through PAM
against LDAP. I have got strange spikes in the load and I think slapd is
writing too much to disk. I want to reduce disk IO.
Does anybody have an idea why slapd is so often writing to disk instead of reading?
The slapd process kee