Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

On 20 Nov 2017, at 08:07, Clément OUDOT wrote: >option ldap-check >option ssl-hello-chk I’ve now had a chance to test both of these. Together and separate. Still no dice :( :(. Dec 5 22:32:17 ldap50 slapd[786]: conn=1018 fd=23 ACCEPT from IP=:55807

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

On 3 Dec 2017, at 20:44, Bill MacAllister wrote: > For Kerberos the problem is in Cyrus SASL and is true for all load balancers. > Indeed it is true for any system that has more than one > name. SASL checks the name that the connection was made to and if they don't >

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

On 20 Nov 2017, at 11:06, Clément OUDOT <clem.ou...@gmail.com> wrote: > 2017-11-20 11:59 GMT+01:00 Turbo Fredriksson <tu...@bayour.com>: >> You’ve never had the issue I’m having? Or heard about it? > > No but I don't use Kerberos authentication. Ok, thanx for

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

On 20 Nov 2017, at 08:07, Clément OUDOT <clem.ou...@gmail.com> wrote: > 2017-11-19 18:09 GMT+01:00 Turbo Fredriksson <tu...@bayour.com>: > >> Have anyone tried running OpenLDAP behind HAProxy? > > I do this often, without any particular issue. Ok, thanx. I tho

Re: ldap_sasl_interactive_bind_s: Can't contact LDAP server

On 19 Nov 2017, at 16:59, Michael Ströder wrote: > Note that ldap_initialize() does not really open the connection. Yes, that I knew. But it does work in the ldap_connect_to_host() at the beginning, it’s just the ldap_sasl_interactive_bind_s() a few microseconds later that

ldap_sasl_interactive_bind_s: Can't contact LDAP server

[I’ve posted this on the OpenStack list as well, but maybe someone here knows more] I’m setting up (Open)LDAP (v2.4.40) on my old Newton installation, with the LDAP servers behind a HAProxy LB. I’m trying to have one at a time enabled to see if I can get them working individually before I try

Re: knowing which schema(s) to use

On 16 May 2017, at 20:23, Prentice Bisbal wrote: > I think many system admins would say just copy the schemas from the old > server to the new server and forget about it, but I don't think this is a > good approach. That’s what I do. I agree, on a theoretical level, that

Re: Dogtag CA with OpenLDAP?

On 28 Mar 2017, at 15:37, Geert Hendrickx <ge...@hendrickx.be> wrote: > On Mon, Mar 27, 2017 at 22:17:50 +0100, Turbo Fredriksson wrote: >> Do anyone know of any other product/project (open source preferred, but not >> a requirement) that can do the same - provide certifi

Re: Dogtag CA with OpenLDAP?

On 27 Mar 2017, at 22:09, Michael Ströder wrote: > I've looked at dogtag approx. two years ago. The use of LDAP was, uumh, > somewhat strange: Ouch, nah that doesn’t make much sense :(. Do anyone know of any other product/project (open source preferred, but not a

Dogtag CA with OpenLDAP?

I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page) with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years). But it’s failing because of: [27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

On Jan 31, 2014, at 3:06 PM, Michael Ströder wrote: Yeah, if she manages to setup AD the next thing is to teach her how to fix or work around replication problems. Not the point. The argument was that OpenLDAP is difficult to install and setup. NOT administrate! And my opinion (and many, many

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

On Jan 30, 2014, at 5:35 PM, Howard Chu wrote: I saw some of this on twitter before, ignored it since none of the parties involved have any clue what they're talking about. Personally, I think it's spot on. It IS hard to configure an LDAP server, and even harder to understand how it works

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?

[Sorry Howard for sending it to you personally. It was meant for the list. I sent a copy to the list as well. I hope you don't mind if I send this reply to the list. I've included every word, so not to take something out of context.] On Jan 30, 2014, at 6:17 PM, Howard Chu wrote: Personally,

Re: OpenLDAP with ppolicy and SSSD configuration question.

On Nov 28, 2013, at 9:30 AM, Liam Gretton wrote: Now I use a custom 'lock' attribute on all accounts and use a LDAP filter at the client end. This is fine for our purposes but could be a problem for appliances that don't provide much in the way of LDAP configuration options. I've used

Re: OpenLDAP with ppolicy and SSSD configuration question.

On Nov 27, 2013, at 9:23 PM, Viviano, Brad wrote: So, I need a reliable way to lock an account that can handle both methods. I haven't followed the thread closely, but if I understand you correctly: You want to disable/lock an account, without hiding it from ls etc? As in, making sure the user

Re: Multi-master setup in debian

On Sep 18, 2013, at 3:15 AM, Listas de Correo wrote: how do you handle upgrades? I run Debian GNU/Linux on all my personal servers, and previously SuSE on thousands of machines at a previous work assignment. For certain key softwares (such as OpenLDAP, MIT Kerberos etc, etc), I do my own

GCC 4.7

Has anyone tried compile OpenLDAP with gcc 4.7? Is there any speed increase noticed? Gcc 4.7 'is supposed' to make applications up to 50% faster, so... ? -- ... but you know as soon as Oracle starts waving its wallet at a Company it's time to run - fast. /illumos mailing list

Re: Monitoring 2.3.43?

On Fri, 25 May 2012 12:46:50 +0100, Andrew Findlay wrote: In normal operation it should be enough to read the contextCSN attribute from the root of the replicated subtree on each server: Ok, most of the servers are now upgraded, but unfortunatly there's two that can't (for various reasons) not

Re: Monitoring 2.3.43?

On Sat, 16 Jun 2012 07:41:19 -0700, Howard Chu wrote: The overlay must be configured on every server for the operational attributes to be replicated. Ah, ok. Thanx. That's a problem then, because CentOS 5.x don't seem to have that compiled in... Ah, well. We're not going to use ppolicy on

Re: Monitoring 2.3.43?

On Sat, 16 Jun 2012 10:27:55 -0700, Chris Jacobs wrote: That makes me wonder what his script is doing... Sounds like the script is handling some part of the replication. Nope, nothing fancy. 15-20 lines of bash code. I helped him write it :). Just an ldapmodify with some error checking

Monitoring 2.3.43?

First of: I know it's old, we ARE going to upgrade at the next service interval in a few weeks! But in the meantime, is there any way to know/figure out if the master and it's slave(s) are in sync? One idea, of using a special object which is written to every x minute and then checked for

Re: dn.exact vs dn.base

[sorry, should have gone to the list] On Thu, 24 May 2012 14:02:28 +0300, Nick Milas wrote: access to dn.base=ou=system,dc=example,dc=com by dn.exact=uid=userx,ou=people,dc=example,dc=com write This gives 'uid=userx,...' access to 'ou=system,...' _and everything below it_. access to

Re: the root of the directory tree

On Tue, 28 Feb 2012 11:02:43 +0100, stefano wrote: i need that everyone can authenticate himself on the lan. So you'll be needing LibNSS/LDAP and LibPAM/LDAP most likley. every user will have his permissions to visit different sites, to see server resources, etc. Sorry, that I did not

Re: OpenLDAP Proxy to Active Directory

On Sep 28, 2011, at 5:13 PM, Allen, Dedrick wrote: it sends an empty bind dn no matter how I specify it How about testing an empty authzFrom, just for test/debug? idassert-authzFrom * That should match anything you're supplying. If that works, you can go back and figure out why it

Re: schema question

and learn a little theory - you need to learn to walk before you can drive… Kinda :). -- Turbo Fredriksson tu...@bayour.com

ldap rwm pcache transparent

I'm trying to proxy an AD and an OpenLDAP server on a separate machine to get a 'combined' view. First problem (or the primary one?) is that the DN doesn't match. AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld We have