Re: Request rate limiting

2025-09-24 Thread Erik de Waard
You can set up lload or haproxy and point the offending apps to the new endpoints On Wed, Sep 24, 2025, 08:37 Marc wrote: > Exactly! It seems very difficult to get developers to understand even the > basics... > > > > > > In most cases, these problems are caused by poorly developed LDAP > > integ

Re: ppolicy_forward_updates - operation is restricted

2025-05-16 Thread Óscar Remírez De Ganuza Satrústegui
the slave from succeeding via this path. Everything is now functioning as expected. I wanted to share this resolution in case it could help others who might encounter a similar debugging scenario in the future. Thanks for your work and patience. Regards, On Thu, May 15, 2025 at 2:02 PM Óscar Re

ppolicy_forward_updates - operation is restricted

2025-05-15 Thread Óscar Remírez De Ganuza Satrústegui
there some way to check where it is trying to bind? I don't know where else to look in order to find out what 's wrong. Anyone have any tips? Thank you so much for your help. [1] https://kb.symas.com/en_US/configuration/configuring-ppolicy-for-openldap-25 [2] https://kb.symas.com/e

LMDB: issues when resizing via set_mapsize

2025-03-11 Thread Stefan de Konink
Hi, Some background; a Windows user of my open source ETL software complained about the huge files. Under Linux I don't have any issues, but I wanted to resolve this issue by implementing automatic growth via a pattern: MapFullError, set_mapsize, apply writing batch again. This week I enter

Re: Replication Questions

2024-04-20 Thread Erik de Waard
As taken from elsewhere on this list: The primary issue is that if a server goes into REFRESH mode, the order in which the entries are sent back may not allow the slapo-memberOf overlay to rebuild the groups correctly. Details: https://bugs.openldap.org/show_bug.cgi?id=8613 For dynlist: Take th

Re: What drives CPU usage spikes?

2023-06-23 Thread Erik de Waard
I see this on our consumers when waiting on writes to be accepted by the provider/ or when it's unreachable.

leave

2023-04-21 Thread Alceu Rodrigues de Freitas Junior
leave

Re: openldap TLSv1.0 is enabled

2022-12-14 Thread Erik de Waard
Hi, Take a look at TLSCipherSuite Erik On Wed, Dec 14, 2022, 07:23 Andre Rodier wrote: > Hello, > > I have configured OpenLDAP using SSL certificate, but I have a few issues. > > Here the TLS configuration, especially "olcTLSProtocolMin: 3.3" > > > # AUTO-GENERATED FILE - DO NOT EDIT!! Use lda

Re: openldap TLSv1.0 is enabled

2022-12-14 Thread Erik de Waard
Try "NORMAL:-RSA" Your version is probably built against gnutls instead of openssl See: the manual on TLSCipherSuite On Wed, Dec 14, 2022, 08:41 Andre Rodier wrote: > On 14/12/2022 07:32, Erik de Waard wrote: > > Hi, > > > > Take a look at TLSCipherSuite >

Re: RE25 testing call (2.5.14)

2022-10-04 Thread Alceu Rodrigues de Freitas Junior
Not sure if OpenBSD should be supported, but I gave it a try and the second test failed. $ uname -a OpenBSD cpan-smoker-openbsd 7.1 GENERIC.MP#465 amd64 > Starting test001-slapadd for mdb... running defines.sh Running slapadd to build slapd database... Segmentation fault (core dumped) slapa

Re: RE25 testing call (2.5.14)

2022-10-04 Thread Alceu Rodrigues de Freitas Junior
On 04/10/2022 18:17, Quanah Gibson-Mount wrote: Generally, if you can let us know what OS you ran the tests on, and if they all passed (or failed) and if you can also run "make its" in the test suite directory after running "make test" to check that there are no failures in the regressio

Re: RE25 testing call (2.5.14)

2022-10-04 Thread Alceu Rodrigues de Freitas Junior
Hello Quanah, I would like to help but this is the first time I run the tests. Is there a guideline/howto to follow up? I executed the tests and got no errors, should I provide back the results? Is there any infrastructure to report the tests, something like https://qa.perl.org/? I went quic

Re: using memberof to authenticate Linux with PAM

2022-08-22 Thread Alceu Rodrigues de Freitas Junior
I guess I failed to express myself properly. I do know memberOf is not a requirement: regular exporting data from /etc/passwd, /etc/shadow and /etc/group as LDIF files are working as expected. But wouldn't it be a better option to use it instead of handling data in multiple places (users and

using memberof to authenticate Linux with PAM

2022-08-20 Thread Alceu Rodrigues de Freitas Junior
Greetings, For a matter of studying OpenLDAP, I decided to create a CLI in Golang that is based on the migrationtools (https://gitlab.com/future-ad-laboratory/migrationtools), which is written in Bash and (very old) Perl code. All the Golang module is available here: https://github.com/gl

Re: Error: Could not locate TLS/SSL package

2022-08-09 Thread Alceu Rodrigues de Freitas Junior
I guess you need to install the development package of OpenSSL on CentOS 7, the "regular" one won't do it. Double check that. Besides that, I suggest quitting using CentOS 7: look for Rocky Linux and AlmaLinux. On 09/08/2022 03:01, vmaidar...@gmail.com wrote: Hi Team, I'm compiling OpenLDAP

Re: MemberOf group in group search not working

2022-04-13 Thread Erik de Waard
Hi, So I'm not really sure if this is a bug or a limitation. Or misconfiguration on my part. But if someone from Symas could clarify it. I'd appreciate it :D if your app allows filter modification you can work around it by making an unnested filter like so: ldapsearch -H ldap:/// -LLL -x -b 'dc

olcLastBind default to true

2022-03-11 Thread Erik de Waard
$OpenLDAP: slapd 2.5.11 Hi, i've a weird case where olcLastBind defaults to TRUE. When using convert (slaptest) method. and explicit lastbind to off/false has no effect. #Initialize slapd with convert method slaptest -f /etc/openldap/slapd.conf.init -F /etc/openldap/slapd.d/ slapcat -n0 | grep La

Re: Need to define behaviour when storing pwdChangedTime

2022-01-12 Thread Óscar Remírez de Ganuza Satrústegui
; > I agree with your suggestion: it seems more interesting for the given > pwdChangedTime to take precedence over the one computed by the password > policy. > > If it is ok for you, I can create an issue. > > > > >> Could you define this behaviour somewhere? >

Re: OpenLDAP and Ansible

2020-08-29 Thread Giuseppe De Marco
Great, I wrote these https://github.com/peppelinux/ansible-slapd-eduperson2016/tree/master/roles/slapd_configure On Sat, 29 Aug 2020, 18:49 Stefan Kania wrote: > I wrote some Ansible roles to set up a testing environment, maybe someone > is interested in testing the roles. You can find all fi

Re: LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]

2020-08-17 Thread Giuseppe De Marco
Bad news Quanah, I think that there would be the need to have many pluggable storages with an abstract layer in between. NoSQL, SQL and others (like elastic search) are so many important storage engines nowadays, It would be awesome to have them in slapd. Replication would work only on mdb, because

Re: LDAP Tool Box packages [was: OpenLDAP 2.4.51 available, LMDB 0.9.26 available]

2020-08-17 Thread Giuseppe De Marco
Hi Clément, great job, awesome! Is there any possibility to have in ltb the SQL backend in future releases? Official Deb packages lack this, It seems a little bit Buffy so ltb would be a great opportunity to have a well supported sql backend without SRC compilations Regards Il lun 17 ago

Re: TLSv1.3 support on openldap 2.4.44

2020-08-12 Thread Giuseppe De Marco
You can find slapd 2.4.50 in buster-backports https://github.com/peppelinux/ansible-slapd-eduperson2016#debian-10-2447-memory-leakage On Tue, 11 Aug 2020, 20:38 Shaheena Kazi wrote: > My product is a security product and hence I would like to stick to 2.4.44 > or a version provided by buste

Re: syncrepl does not work as expected

2020-06-15 Thread Giuseppe De Marco
Ciao kumar, A fully working example, configurable with ansible with delta syncrepl ready to go, for studies and prototyping, Is here: https://github.com/peppelinux/ansible-slapd-eduperson2016 Run as It come in a container, for a replica node see delta repl readme, Have fun and don't give up Il

olcAccess from b64 to plaintext

2020-05-31 Thread Giuseppe De Marco
Hi guys, I wrote this simple script to have human readable olaAccess lists https://github.com/peppelinux/slapd_acl hope you'll enjoy -- Dott. Giuseppe De Marco CENTRO ICT DI ATENEO University of Calabria 87036 Rende (CS) - Italy Phone: +39 0984 496961 e-mail: giuseppe

Re: front end for openldap

2020-04-07 Thread Giuseppe De Marco
on Python 80) > > > > I look at django-ldapdb but project is almost dead and does not have > > all that I need. > > > openldapjs > https://github.com/6labs/openldapjs.git > perl Net::LDAP > python-ldap > https://stroeder.com/software.html > > -Dieter >

Re: RE24 testing call #2 (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-30 Thread Lucio De Re
On 1/29/20, Howard Chu wrote: > > Most likely slapd ran out of filedescriptors, as the BSD default for the > nfiles > ulimit tends to be small. Raising your ulimit should allow this to pass. Easy enough to check. Will do as soon as I get a chance to start up that server. Probably not an OpenLDAP

Re: RE24 testing call #2 (2.4.49) LMDB RE0.9 testing call (0.9.25)

2020-01-29 Thread Lucio De Re
On 1/28/20, Quanah Gibson-Mount wrote: > This is the second testing call for OpenLDAP 2.4.49. Depending on the > results, this may be the only testing call. > Under NetBSD 8.1 (i386) compilation was eventually successful: - SASL is not in the distribution, so the "/usr/pkg" prefix was needed in a

Re: Openldap support SHA-256 or SHA-3.

2020-01-07 Thread Giuseppe De Marco
This is quite cute, https://github.com/P-H-C/phc-winner-argon2 Regards On Wed, 8 Jan 2020, 03:08 Quanah Gibson-Mount wrote: > > > --On Tuesday, January 7, 2020 11:25 PM +0100 Michael Ströder > wrote: > > > AFAICS RFC 3112 was never implemented in OpenLDAP. Thus I'd consider > > this to be r

Re: Openldap support SHA-256 or SHA-3.

2020-01-07 Thread Giuseppe De Marco
https://sha-mbles.github.io/ Probably it's time to consider the deprecation of SHA1 On Tue, 7 Jan 2020, 23:28 Michael Ströder wrote: > On 1/7/20 10:47 PM, Quanah Gibson-Mount wrote: > > --On Tuesday, January 7, 2020 10:33 PM +0100 Michael Ströder > > wrote: > > > >> On 1/7/20 9:22 PM, Quan

Re: Openldap support SHA-256 or SHA-3.

2020-01-07 Thread Giuseppe De Marco
Ho I made SSHA512 as default this way dn: olcDatabase={-1}frontend,cn=config replace: olcPasswordHash olcPasswordHash: SSHA512 EOF Once pw-sha2 module was loaded https://github.com/peppelinux/ansible-slapd-eduperson2016/blob/master/roles/slapd_configure/templates/modules/pw-sha2.ldif Il ma

Re: Issues with OpenLdap using OpenTLS

2020-01-02 Thread Giuseppe De Marco
Try to connect to ldaps://localhost:636 Cn must be localhost if that's configured in the certs, but... Are you sure that localhost should be the fqdn? On Thu, 2 Jan 2020, 17:39 Dunne, Kenneth wrote: > All > > > > I am able to connect to my home-built OpenSSL installation (from Dec-19 > sou

Re: slapd-sock as overlay

2019-09-08 Thread Giuseppe De Marco
Probably that error is something regarding socket read/write permissions On Thu, 5 Sep 2019 at 17:14 Giuseppe De Marco < giuseppe.dema...@unical.it> wrote: > Hi Shiva, > > Here you should find what you're looking for: > https://github.com/peppelinux/pyMult

Re: slapd-sock as overlay

2019-09-08 Thread Giuseppe De Marco
erlayConfig > objectClass: olcOvSocketConfig > olcOverlay: {0}sock > olcDbSocketPath: /tmp/sockoverlay-listener1 > olcDbSocketExtensions: binddn peername ssf > olcOvSocketOps: bind unbind search > > Eagerly waiting for the reply. > > Thanks, > Shiva > --

Re: Socat tcp to local socket

2019-08-25 Thread Giuseppe De Marco
Hi Marc, Slapd-proxy or slapd-meta could be the solution On Sun, 25 Aug 2019, 14:42 Marc Roos wrote: > > Anyone having some experience using socat (or something similar?) to > connect to a remote slapd server tcp/tls with a local socket? I have a > client that requires the local ldapi socket

Re: Environment variable in slapd config

2019-08-16 Thread Giuseppe De Marco
On Fri, 16 Aug 2019, 12:20 Michael Ströder wrote: > On 8/16/19 12:02 PM, Marc Roos wrote: > > Is it possible to reference an environment variable in olcSyncrepl: > > {0}rid= ? > > No. > > My recommendation is to use a decent config management (ansible, chef, > puppet, salt, ..) for the job. >

Re: OpenLDAP 2.5 plans and community engagement

2019-08-08 Thread Lucio De Re
On 8/7/19, David Magda wrote: > > That is an argument for timed releases. The OpenBSD project is a good > example: they release twice a year. If a feature cannot be made stable in > time for one release, they either back it out or do not commit in the first > place, and simply try to make it work

Re: slapd-sock v2.4.47 not returning LDIF

2019-07-26 Thread Giuseppe De Marco
ood it was a silly ACL problem behind this. I just added an ACL as follow and everything works fine! export BASEDC="dc=myorganization,dc=it" ldapadd -Y EXTERNAL -H ldapi:/// < ha scritto: > On 7/25/19 11:31 AM, Giuseppe De Marco wrote: > > I made a configuration to g

slapd-sock v2.4.47 not returning LDIF

2019-07-25 Thread Giuseppe De Marco
8051, to get it to work in Debian10 ? or Am I facing a bug present in openldap 2.4.47 ? Thank you in advance for everything you would tell me, Cheers [1] https://github.com/openldap/openldap/blob/master/servers/slapd/back-sock/searchexample.pl -- Dott. Giuseppe De Marco CENTR

Re: slapd-sock v2.4.47 not returning LDIF

2019-07-25 Thread Giuseppe De Marco
On Thu, 25 Jul 2019 at 11:31 Giuseppe De Marco < giuseppe.dema...@unical.it> wrote: > > My doubts: > Is there any need to change configuration, following ITS#8714 and > ITS#8051, to get it to work in Debian10 ? > or > Am I facing a bug present in openlda

Re: OpenLDAP 2.5 plans and community engagement

2019-07-25 Thread Lucio De Re
m and it also blocked efforts on my part to port the client tools from OpenLDAP 2.4: I just felt I was not up to the task. That's my CV in a few sentences. If you can find a role for me to play towards 2.5, I'll help. The price is dealing with scratchy personality and some very fixed i

Re: Question about OID / feedback on schema

2019-04-09 Thread Lucio De Re
On 2019/04/08 09:06, Mikael Bak wrote: Since there seems to be no concept of private OID space, then I will start the procedure to register the Hungarian National Library with IANA to obtain OID number. I once went through the process and it seemed very simple. But it lapsed as it was prematur

Re: Rsyslog stdout and stderr

2019-03-12 Thread albert de montreuil
Abdelkader Chelouah wrote: > > Hi, > > > > slapd 2.4.44 > > > > OpenLDAP instance configure as a proxy (back-ldap) > > > > > > From time to time, bind operations can take more than 5 sec. These > > latencies do not seem to come from a CPU or memory problem. I'm trying to > > see if the network >

Re: LMDB mdb_dbi_open mystery

2019-02-11 Thread Lucio De Re
On 2019/02/11 16:14, Hallvard Breien Furuseth wrote: No.  We could document that as a recommendation for opening existing DBs. That just proves my point, I suppose: it usually suffices for documentation to be complete, whereas what is happening here is that OP overlooked something that would

Re: LMDB mdb_dbi_open mystery

2019-02-11 Thread Lucio De Re
On 2019/02/11 16:25, Howard Chu wrote: There's nothing subtle here, the doc is quite explicit. Wasting additional paragraphs only brings complaints from users that "the docs are too big to read." For every such complaint, Howard, I am confident that there are dozens of users who are grateful

Re: LMDB mdb_dbi_open mystery

2019-02-11 Thread Lucio De Re
On 2019/02/11 09:22, Howard Chu wrote: *Opening* a DBI handle can only be done by one transaction.*Using* an open DBI handle can be done by any transactions. That still means that the "opening transaction" must complete before the handle becomes public. I guess (I really am applying commons

Re: Copying SSHA userPassword from Oracle to OpenLDAP

2019-01-22 Thread Lucio De Re
KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==base64: invalid input It's not what you want, is it? $ echo '{SSHA}KxMAUhDf4cFLUwUDFPoUC0SoDWQoG6NsKE5YQg==' | base64 e1NTSEF9S3hNQVVoRGY0Y0ZMVXdVREZQb1VDMFNvRFdRb0c2TnNLRTVZUWc9PQo= Was that "o" near the end a cut-n-paste error? -- Lucio De Re

Re: syncrepl with exattrs

2018-11-08 Thread Lucio De Re
On 11/7/18, Frank Swasey wrote: > > I'm justifying it to myself by saying that schemachecking is on on the > producer, and as long as the consumer works correctly (and has no local > writes), the data being valid on the producer is more important than the > schema being valid on the replica. > I g

Re: syncrepl with exattrs

2018-11-07 Thread Lucio De Re
On 11/7/18, Frank Swasey wrote: > [ ... ] > With schemachecking off, the only problem is inside my head. > But also in mine, as I would assume that turning schemachecking off should be reserved for short burst of special purpose (recovery, for example) activities, not for production operation. I

Re: syncrepl with exattrs

2018-11-07 Thread Lucio De Re
On 11/6/18, Frank Swasey wrote: > [ ... ] > It actually turns out that it is best to leave the objectClass values there > (I've discovered I have customers who are using the presence of the > objectClass value as an indicator of eligibility for some service). > I thought you said that this caused

slap_global_control: unrecognized control: 1.3.6.1.4.1.4203.666.5.16

2017-06-17 Thread Jelle de Jong
Hello everybody, I am getting a lot of these slap_global_control messages in my syslog. I searched online and tried adding the below to my /etc/ldap/slapd.conf but it did not help. Does somebody know how to resolve these messages? Kind regards, Jelle de Jong include /etc/ldap

Error: Can't contact LDAP server

2017-06-17 Thread Jelle de Jong
? Kind regards, Jelle de Jong Jun 15 12:39:29 stayce smbd[9632]: [2017/06/15 12:39:29.549569, 0] lib/smbldap.c:1225(smbldap_connect_system) Jun 15 12:39:29 stayce smbd[9632]: failed to bind to server ldap://localhost with dn="cn=admin,dc=companyone,dc=nl" Error: Can't cont

Seach Object

2017-05-20 Thread Bruno de Oliveira Bastos
Does someone know how to search an object DN and return a CN? I have this object DN ( Q049c3Vwb3J0ZTNkYiBzdXBvcnRlIGRhIDNkYixPVT1Vc3XDoXJpb3MsREM9Y2hlc3BhZ ) and I need the CN of the object.

Re: How to move from hdb to mdb

2016-09-21 Thread Óscar Remírez de Ganuza Satrústegui
(8) + slapadd(8)) and start replicating from your actual servers. And then, after some testing, you can make the switch between servers. Regards, *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/

Re: Ldap Replication getting delayed for 20 seconds.

2016-09-14 Thread Óscar Remírez de Ganuza Satrústegui
ldap-a-compar >> ison-of-back-mdb-and-back-hdb-performance/> and < >> https://wiki.zimbra.com/wiki/OpenLDAP_MDB_vs_HDB_performance>. >> >> --Quanah >> >> *Oscar Remírez de Ganuza Satrústegui* IT Services Universidad de Navarra Tel. +34 948425600 x803130 http://www.unav.edu/web/it/

Re: contextCSN attribute update on replication

2016-08-29 Thread Óscar Remírez de Ganuza Satrústegui
On Fri, Aug 19, 2016 at 7:52 PM, Michael Ströder wrote: > Óscar Remírez de Ganuza Satrústegui wrote: > > * We have adapted our nagios script so that it now checks both contextCSN > > and last modified entry's entryCSN values in order to know if slave > > replication is

Re: contextCSN attribute update on replication

2016-08-19 Thread Óscar Remírez de Ganuza Satrústegui
e will have to live with this issue then: * We have adapted our nagios script so that it now checks both contextCSN and last modified entry's entryCSN values in order to know if slave replication is working ok. * We are also checking on cn=Tasklist,cn=Threads,cn=Monitor if the replicatio

contextCSN attribute update on replication

2016-08-09 Thread Óscar Remírez de Ganuza Satrústegui
Good morning, I am writing from IT Services from Universidad de Navarra. We have recently upgraded our openldap servers from openldap 2.4.34 with BDB 5.3.21 to openldap 2.4.44 with MDB databases. We have got configured replication from the master server [1] to some slave servers [2] (syncrepl

Re: Significance of name forms.

2015-05-01 Thread dE
On 05/01/15 00:08, Howard Chu wrote: Michael Ströder wrote: Howard Chu wrote: Now - nameForms only specify a structuralObjectClass that they control. It's up to the DIT Structure Rule to define where in the DIT they take effect. But there is no reference from a DIT structure rule to the stru

Re: Significance of name forms.

2015-04-30 Thread dE
On 04/30/15 22:02, Howard Chu wrote: Michael Ströder wrote: Howard Chu wrote: Michael Ströder wrote: On 2015-04-30 13:37, Howard Chu wrote: No. Name forms are only used when a DIT Structure Rule references them. Are you sure? If yes, then please point out what's missing herein: PS: you sh

Re: Significance of name forms.

2015-04-30 Thread dE
On 05/01/15 01:37, Michael Ströder wrote: Howard Chu wrote: There can only be one DIT Structure Rule for an entry, and a DIT Structure Rule can only reference one nameForm. For any given entry, only one n

Significance of name forms.

2015-04-30 Thread dE
Suppose a name form is attached to a structural object class. Then, when referring to entries belonging to that object class (which has no DIT Structure Rules associated to it), is using the MUST attributes as defined in the name form to construct AVA still necessary? No DIT Structure Rules re

Re: Antw: Re: All entries belong to the top object class?

2015-04-28 Thread dE
On 04/28/15 13:22, Christian Kratzer wrote: Hi, On Mon, 27 Apr 2015, Quanah Gibson-Mount wrote: --On Tuesday, April 28, 2015 10:58 AM +0530 dE wrote: Yes, so subclasses do not define MAY; it's defined by the MAY of the top object class. The "top" objectClass does not co

Re: top object class contains all possible attributes?

2015-04-28 Thread dE
On 04/28/15 11:18, Dario Zanzico wrote: On Tue, Apr 28, 2015, at 07:21 AM, dE wrote: From https://tools.ietf.org/html/rfc4512 it can be said that an object class inherits the sets of *allowed* and required attributes from its superclasses Therefore the top

top object class contains all possible attributes?

2015-04-27 Thread dE
From https://tools.ietf.org/html/rfc4512 it can be said that an object class inherits the sets of *allowed* and required attributes from its superclasses Therefore the top object class contains all possible attributes? OR A subclasses cannot contain any attribute which is not i

Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/19/15 11:42, dE wrote: As per https://tools.ietf.org/html/rfc4512#section-3.3 When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present. That means the top object

Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/27/15 02:07, Dieter Klünter wrote: On Sun, 26 Apr 2015 21:05:44 +0530 dE wrote: On 04/26/15 17:13, Michael Ströder wrote: dE wrote: Super this is the superclass chain -- A->B A is defined by MUST ObjectClass MAY ( cn abc xyz cxy ) B is defined by MUST ObjectClass MAY ( cn

Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/21/15 15:36, Andrew Findlay wrote: On Mon, Apr 20, 2015 at 11:06:07AM +0530, dE wrote: I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry? No. 'top' is defined in RFC4512: ( 2.5.6.0 NAME 

Re: Antw: Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/21/15 11:43, Ulrich Windl wrote: dE wrote on 20.04.2015 at 07:36 in message <55349047.7020...@gmail.com>: On 04/20/15 00:59, Ryan Tandy wrote: On Sun, Apr 19, 2015 at 11:42:16AM +0530, dE wrote: As per https://tools.ietf.org/html/rfc4512#section-3.3 When creating an en

Re: All entries belong to the top object class?

2015-04-27 Thread dE
es. Might it be possible that dE (mis)reads 'SUB' as 'subordinate' when it actually means 'subclass'? When talking about LDAP the term 'subordinate' does have a well defined meaning (that is irrelevant to this discussion). The possible attributes that any

Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/27/15 01:13, Mattes wrote: On Sunday, 26 April 2015 20:07 CEST, Michael Ströder wrote: Also I don't understand what the term "significance of subordinate classes" means to you in this context. Yes. Might it be possible that dE (mis)reads 'SUB'

Re: All entries belong to the top object class?

2015-04-27 Thread dE
On 04/26/15 23:37, Michael Ströder wrote: dE wrote: On 04/26/15 17:13, Michael Ströder wrote: dE wrote: Super this is the superclass chain -- A->B A is defined by MUST ObjectClass MAY ( cn abc xyz cxy ) B is defined by MUST ObjectClass MAY ( cn cxy ) Then an entry belonging to B (expli

Re: All entries belong to the top object class?

2015-04-26 Thread dE
On 04/26/15 17:13, Michael Ströder wrote: dE wrote: Super this is the superclass chain -- A->B A is defined by MUST ObjectClass MAY ( cn abc xyz cxy ) B is defined by MUST ObjectClass MAY ( cn cxy ) Then an entry belonging to B (explicit) and A (implicit, automatically added) cannot h

Re: All entries belong to the top object class?

2015-04-26 Thread dE
On 04/26/15 15:27, Michael Ströder wrote: dE wrote: On 04/20/15 22:56, Michael Ströder wrote: dE wrote: Does adding of the top object class (or person) add all attributes to the entry? Nope. Which text in RFC 4512 leads to your presumption? Sorry for the late response. I was out of town

Re: All entries belong to the top object class?

2015-04-26 Thread dE
On 04/26/15 10:46, Howard Chu wrote: dE wrote: On 04/20/15 22:10, Quanah Gibson-Mount wrote: --On Monday, April 20, 2015 12:06 PM +0530 dE wrote: I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry? No. Look u

Re: All entries belong to the top object class?

2015-04-25 Thread dE
On 04/20/15 22:10, Quanah Gibson-Mount wrote: --On Monday, April 20, 2015 12:06 PM +0530 dE wrote: I'm concerned about the attributes. Does adding of the top object class (or person) add all attributes to the entry? No. Look up the difference between "MUST" and "M

Re: All entries belong to the top object class?

2015-04-25 Thread dE
On 04/20/15 22:56, Michael Ströder wrote: dE wrote: Does adding of the top object class (or person) add all attributes to the entry? Nope. Which text in RFC 4512 leads to your presumption? Ciao, Michael. Sorry for the late response. I was out of town. From the responses, it appears the

Re: Structural object class rules

2015-04-20 Thread dE
On 04/20/15 01:37, Michael Ströder wrote: dE wrote: Suppose this is the superclass chain -- A -> B -> C -> D -> E -> F -> G Then for D, the superclass chain is A -> B -> C, and in this chain D is the most subordinate. Yes. For F, the superclass chain is A -> B

Re: All entries belong to the top object class?

2015-04-20 Thread dE
On 04/20/15 00:59, Ryan Tandy wrote: On Sun, Apr 19, 2015 at 11:42:16AM +0530, dE wrote: As per https://tools.ietf.org/html/rfc4512#section-3.3 When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as

Re: Auxiliary object class practically of no use?

2015-04-20 Thread dE
On 04/20/15 01:44, Michael Ströder wrote: dE wrote: On 04/18/15 03:24, Michael Ströder wrote: dE wrote: On 04/15/15 19:31, Howard Chu wrote: dE wrote: According to RFC 4512 An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule

Re: Structural object class rules

2015-04-19 Thread dE
On 04/18/15 03:19, Michael Ströder wrote: dE wrote: On 04/15/15 19:28, Michael Ströder wrote: dE wrote: "An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate o

All entries belong to the top object class?

2015-04-19 Thread dE
As per https://tools.ietf.org/html/rfc4512#section-3.3 When creating an entry or adding an 'objectClass' value to an entry, all superclasses of the named classes SHALL be implicitly added as well if not already present. That means the top object class will always be there. Or is it that o

Re: Structural object class rules

2015-04-19 Thread dE
On 04/18/15 03:19, Michael Ströder wrote: dE wrote: On 04/15/15 19:28, Michael Ströder wrote: dE wrote: "An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate o

Re: Auxiliary object class practically of no use?

2015-04-19 Thread dE
On 04/18/15 03:24, Michael Ströder wrote: dE wrote: On 04/15/15 19:31, Howard Chu wrote: dE wrote: According to RFC 4512 An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry

Re: Auxiliary object class practically of no use?

2015-04-17 Thread dE
On 04/15/15 19:31, Howard Chu wrote: dE wrote: According to RFC 4512 An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry. From what I understand, this means auxiliary classes

Re: Structural object class rules

2015-04-17 Thread dE
On 04/15/15 19:28, Michael Ströder wrote: dE wrote: "An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class. This structural object class is ref

Structural object class rules

2015-04-15 Thread dE
"An object or alias entry is characterized by precisely one structural object class superclass chain which has a single structural object class as the most subordinate object class. This structural object class is referred to as the structural object class of the entry." T

Auxiliary object class practically of no use?

2015-04-15 Thread dE
According to RFC 4512 An entry can belong to any subset of the set of auxiliary object classes allowed by the DIT content rule associated with the structural object class of the entry. From what I understand, this means auxiliary classes do not 'augment'; the no. of attributes which are p

Where are 'attribute names' in the RFC?

2015-04-13 Thread dE
I was reading https://tools.ietf.org/html/rfc4512; there is a mention of attribute description, but there is no mention of 'attribute name'; or the name using which attributes are referred to. Does such a thing exist or is one of the attribute options used as the name to refer to it or is it i

Re: Where are 'attribute names' in the RFC?

2015-04-13 Thread dE
On 04/12/15 09:21, dE wrote: I was reading https://tools.ietf.org/html/rfc4512; there is a mention of attribute description, but there is no mention of 'attribute name'; or the name using which attributes are referred to. Does such a thing exist or is one of the attribute options u

Re: Definition of an object.

2015-04-08 Thread dE
On 04/06/15 23:39, Michael Ströder wrote: dE wrote: I was reading RFC 4512, here there is a mention of 'object' for the first time in "Object identifiers (OIDs) [X.680] are represented in". Question is what is an object? Is it an entry (aka directory) in the

Definition of an object.

2015-04-06 Thread dE
Hi! I was reading RFC 4512, here there is a mention of 'object' for the first time in "Object identifiers (OIDs) [X.680] are represented in". Question is what is an object? Is it an entry (aka directory) in the server?

using the deref control

2014-01-05 Thread Arthur de Jong
Hi list, First off, best wishes for 2014. I've been looking into the deref control that was pointed out here (in the Oracle OpenLDAP PPolicy ppolicy and the hierarchy thread). With some trial and error I got things working so I thought to document what I did in the hopes that it may be useful fo

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

2013-12-28 Thread Arthur de Jong
On Thu, 2013-12-26 at 07:41 -0800, Howard Chu wrote: > This was developed at the request of the Samba team, and some of those > developers also worked on SSSD, so it has already been implemented in > significant volumes. libraries/libldap/deref.c contains ldap_create_deref_control() which uses LDA

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

2013-12-26 Thread Arthur de Jong
On Wed, 2013-12-25 at 16:44 +0100, Michael Ströder wrote: > Furthermore there's slapo-deref which seems to work. The client > control can be used to retrieve all the 'uid' values in member > entries. The NSS provider has to extract the 'uid' values from the > response control value. > > See https:

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

2013-12-26 Thread Arthur de Jong
On Wed, 2013-12-25 at 15:27 +0100, Michael Ströder wrote: > Arthur de Jong wrote: > > Additionally, if you plan to use the contents of the tree > > as Unix users and want to have reasonable performance for > > large trees, you should either: > > > > - use memberUi

Re: Oracle OpenLDAP PPolicy ppolicy and the hierarchy

2013-12-25 Thread Arthur de Jong
On Mon, 2013-12-23 at 22:52 +0100, Dieter Klünter wrote: > You use attribute type uniqueMember without any additional UID in order > to enforce uniqueness. The syntax of uniqueMember attribute type is > Name and optional UID. But without any additional UID any sort of > uniqueness cannot be provide

Problem with self in acl in combination with rwm

2013-11-27 Thread Arthur de Jong
I have a configuration somewhat similar to the one below and the ACLs seem to be applied using the non-rewritten DN which causes the self specifier to never match. We are in the process of configuring a more secure LDAP server with stricter ACLs and extra security checks without affecting existing

Re: ldap users shows up in user list, but unable to login

2013-11-01 Thread Arthur de Jong
On Fri, 2013-11-01 at 19:30 +0530, slacker lnx wrote: > But on one of the client, I am unable to login (through ssh) using the > ldap userids. When I login as root and try to switch user I get a > message 'user does not exist' (getent passwd and ldapsearch shows the > user). One thing that could a

Re: Multi-master setup in debian

2013-09-17 Thread Listas de Correo
On Tue, Sep 17, 2013 at 9:49 PM, Quanah Gibson-Mount wrote: > --On Tuesday, September 17, 2013 9:06 PM -0300 Listas de Correo < > toshiro.lis...@gmail.com> wrote: > > Would you mind to provide me more details about the bugs and potential >> problems of using Debian packag

Re: Multi-master setup in debian

2013-09-17 Thread Listas de Correo
Hi Quanah, On Tue, Sep 17, 2013 at 12:21 PM, Quanah Gibson-Mount wrote: > It is always interesting to me when someone emails the technical list, > asking for guidance from people who know the most about the software, and > then ignore it. I know what you mean, I've suffered that myself :) but t
