On 20 Nov 2017, at 08:07, Clément OUDOT wrote:
>option ldap-check
>option ssl-hello-chk
I’ve now had a chance to test both of these. Together and separate. Still
no dice :( :(.
Dec 5 22:32:17 ldap50 slapd[786]: conn=1018 fd=23 ACCEPT from
IP=:55807
On 3 Dec 2017, at 20:44, Bill MacAllister wrote:
> For Kerberos the problem is in Cyrus SASL and is true for all load balancers.
> Indeed it is true for any system that has more than one
> name. SASL checks the name that the connection was made to and if they don't
>
On 20 Nov 2017, at 11:06, Clément OUDOT <clem.ou...@gmail.com> wrote:
> 2017-11-20 11:59 GMT+01:00 Turbo Fredriksson <tu...@bayour.com>:
>> You’ve never had the issue I’m having? Or heard about it?
>
> No but I don't use Kerberos authentication.
Ok, thanx for
On 20 Nov 2017, at 08:07, Clément OUDOT <clem.ou...@gmail.com> wrote:
> 2017-11-19 18:09 GMT+01:00 Turbo Fredriksson <tu...@bayour.com>:
>
>> Have anyone tried running OpenLDAP behind HAProxy?
>
> I do this often, without any particular issue.
Ok, thanx. I tho
On 19 Nov 2017, at 16:59, Michael Ströder wrote:
> Note that ldap_initialize() does not really open the connection.
Yes, that I knew. But it does work in the ldap_connect_to_host() at the
beginning, it’s just the ldap_sasl_interactive_bind_s() a few microseconds
later that
[I’ve posted this on the OpenStack list as well, but maybe someone
here knows more]
I’m setting up (Open)LDAP (v2.4.40) on my old Newton installation,
with the LDAP servers behind a HAProxy LB.
I’m trying to have one at a time enabled to see if I can get them
working individually before I try
On 16 May 2017, at 20:23, Prentice Bisbal wrote:
> I think many system admins would say just copy the schemas from the old
> server to the new server and forget about it, but I don't think this is a
> good approach.
That’s what I do. I agree, on a theoretical level, that
On 28 Mar 2017, at 15:37, Geert Hendrickx <ge...@hendrickx.be> wrote:
> On Mon, Mar 27, 2017 at 22:17:50 +0100, Turbo Fredriksson wrote:
>> Do anyone know of any other product/project (open source preferred, but not
>> a requirement) that can do the same - provide certifi
On 27 Mar 2017, at 22:09, Michael Ströder wrote:
> I've looked at dogtag approx. two years ago. The use of LDAP was, uumh,
> somewhat strange:
Ouch, nah that doesn’t make much sense :(.
Do anyone know of any other product/project (open source preferred, but not
a
I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for
years).
But it’s failing because of:
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking
other subtrees using
On Jan 31, 2014, at 3:06 PM, Michael Ströder wrote:
Yeah, if she manages to setup AD the next thing is to teach her how to fix or
work around replication problems.
Not the point. The argument was that OpenLDAP is difficult to install and
setup. NOT administrate!
And my opinion (and many, many
On Jan 30, 2014, at 5:35 PM, Howard Chu wrote:
I saw some of this on twitter before, ignored it since none of the parties
involved have any clue what they're talking about.
Personally, I think it's spot on. It IS hard to configure an LDAP server, and
even harder to understand how it works
[Sorry Howard for sending it to you personally. It was meant for the list.
I sent a copy to the list as well. I hope you don't mind if I send this reply
to the list. I've included every word, so not to take something out of
context.]
On Jan 30, 2014, at 6:17 PM, Howard Chu wrote:
Personally,
On Nov 28, 2013, at 9:30 AM, Liam Gretton wrote:
Now I use a custom 'lock' attribute on all accounts and use a LDAP filter at
the client end. This is fine for our purposes but could be a problem for
appliances that don't provide much in the way of LDAP configuration options.
I've used
On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote:
So, I need a reliable way to lock an account that can handle both methods.
I haven't followed the thread closely, but if I understand
you correctly: You want to disable/lock an account, without
hiding it from ls etc?
As in, making sure the user
On Sep 18, 2013, at 3:15 AM, Listas de Correo wrote:
how do you handle upgrades?
I run Debian GNU/Linux on all my personal servers, and
previously SuSE on thousands of machines at a previous
work assignment.
For certain key softwares (such as OpenLDAP, MIT Kerberos
etc, etc), I do my own
Has anyone tried compile OpenLDAP with gcc 4.7? Is there any speed
increase noticed?
Gcc 4.7 'is supposed' to make applications up to 50% faster, so... ?
--
... but you know as soon as Oracle starts waving its wallet at a
Company it's time to run - fast.
/illumos mailing list
On Fri, 25 May 2012 12:46:50 +0100, Andrew Findlay wrote:
In normal operation it should
be enough to read the contextCSN attribute from the root of the
replicated subtree on each server:
Ok, most of the servers are now upgraded, but unfortunatly there's
two that can't (for various reasons) not
On Sat, 16 Jun 2012 07:41:19 -0700, Howard Chu wrote:
The overlay must be configured on every server for the operational
attributes to be
replicated.
Ah, ok. Thanx. That's a problem then, because CentOS 5.x don't seem to
have that
compiled in...
Ah, well. We're not going to use ppolicy on
On Sat, 16 Jun 2012 10:27:55 -0700, Chris Jacobs wrote:
That makes me wonder what his script is doing... Sounds like the
script is handling some part of the replication.
Nope, nothing fancy. 15-20 lines of bash code. I helped him write it
:).
Just an ldapmodify with some error checking
First of: I know it's old, we ARE going to upgrade at the next service
interval in a few weeks!
But in the meantime, is there any way to know/figure out if the master
and it's slave(s) are in
sync?
One idea, of using a special object which is written to every x minute
and then checked for
[sorry, should have gone to the list]
On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote:
access to dn.base=ou=system,dc=example,dc=com
by dn.exact=uid=userx,ou=people,dc=example,dc=com write
This gives 'uid=userx,...' access to 'ou=system,...' _and everything
below it_.
access to
On Tue, 28 Feb 2012 11:02:43 +0100, stefano wrote:
i need that everyone can authenticate himself on the lan.
So you'll be needing LibNSS/LDAP and LibPAM/LDAP most likley.
every user will have his
permissions to visit different sites, to see server resources, etc.
Sorry, that I did not
On Sep 28, 2011, at 5:13 PM, Allen, Dedrick wrote:
it sends an empty bind dn no matter how I specify it
How about testing an empty authzFrom, just for test/debug?
idassert-authzFrom *
That should match anything you're supplying. If that works,
you can go back and figure out why it
and
learn a little theory - you need to learn to walk before you
can drive… Kinda :).
--
Turbo Fredriksson
tu...@bayour.com
I'm trying to proxy an AD and an OpenLDAP server on a
separate machine to get a 'combined' view.
First problem (or the primary one?) is that the DN doesn't
match.
AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld
We have
26 matches
Mail list logo