Well, it is not logging anything other than what I put below, and it is NOT
exiting at the point I listed below... I wonder what is going on, because
looking over the code, it should be fine. I will check back in the morning.
> Sun Sep 24 2017 10:05:32 PM EDT from bennabiy @ Uncensored
I put some code in to see if I can log where the failure is, but to me it
looks like it is returning because
if (ctdl_ldap_initialize() != LDAP_SUCCESS) {
+ return;
+ }
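Review bot: the early `return;` when `ctdl_ldap_initialize()` fails is silent, which is why the log cannot tell "initialize failed" apart from "this function was never reached". Log the failure (including the return code from `ctdl_ldap_initialize()`, at the same facility as the "ldap: populating Citadel user database from LDAP" line) just before the `return;`, so daemon.log records why the scan stopped.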
and I am not seeing any of the other messages you included in that function.
Recompiling and
Sep 24 21:21:14 cit citserver[50403]: ldap: populating Citadel user database from LDAP
is the only entry I get repeating ... something is not right. And this is
logged to daemon.log, not debug.
> Sun Sep 24 2017 05:00:58 PM EDT from IGnatius T Foobar @ Uncensored
>Subject: Re: LDAP / Cit-NG
Compiling... While we are at it, can you fix the /etc/init.d/webcit file to
be compliant? It is missing the init header info.
### BEGIN INIT INFO
# Provides: webcit
# Required-Start: citadel
# Required-Stop: citadel
# Default-Start: 2 3 4 5
# Default-Stop:
Ok let's do this. I've pushed the code to *scan* the LDAP server but not
to do anything with the results. Please test it on a development machine
only. It should basically just show the DNs of every qualifying user in
the debug log once per minute. If those results look correct we'll move on
inetOrgPerson is correct for POSIX; I am not sure about AD (I refuse...)
Let me know when you have the code pushed and I will recompile
> Sun Sep 24 2017 02:52:43 PM EDT from IGnatius T Foobar @ Uncensored
>Subject: Re: LDAP / Cit-NG
>
Ok, I'm in the code working on some changes now, and am going to try to shift
things over from "create the account at login" to "create all accounts all
the time." For the POSIX schema it looks like we have to access all accounts
with "objectClass: inetOrgPerson", and for the Active Directory
That sounds good. It would be good, on a system set for LDAP, to be able to
expose the LDAP users known on the system in a list, like host-based
authentication does.
Thinking about what you suggest, that would allow the system to pull the
latest LDAP info for that user
Ok, I think I might have a solution to that. Perhaps instead of shimming
the login command for LDAP, we can move that code to the "get user" function.
That would theoretically make an LDAP query work in any location where a
username is entered. Gotta think this through.
And the annoying thing with the current setup: if I want to send a local
message to a user from LDAP, or invite them to a room, etc., I have to use
what is listed under displayName. That makes for some LONG user names, even
though they log in with the uid. I wish it could be choosable what gets
With certain information changed, for good reason :)
>dn: uid=bennabiy,ou=Somewhere,ou=People,dc=domain,dc=net
>objectClass: inetOrgPerson
>objectClass: posixAccount
>objectClass: shadowAccount
>cn: ben-Nabiy Derush of Somewhere
>displayName: ben-Nabiy Derush of
Would it be possible to get an LDIF export of a sample user from your directory,
who has multiple email addresses? I suspect I'm not getting the format in
correctly.
The "cit[n]@[domain]" format is an automatically generated default address.
It should get replaced by a correct address if
Ok, so with an edit to my FQDN and which hosts citadel is allowed to receive
mail for, it pulled in the addresses for the from box, but only the primary
address is working, internet aliases are not.
> Fri Sep 15 2017 01:28:50 AM EDT from bennabiy @ Uncensored
>Subject: Re: LDAP / Cit-NG
Right. It filters for email addresses that are actually valid on the Citadel
host.
Valid for citadel meaning according to what is set in settings for allowed
domains...
> Thu Sep 14 2017 03:07:41 PM EDT from bennabiy @ Uncensored
>Subject: Re: LDAP / Cit-NG
And by valid, meaning valid for citadel, or valid by LDAP schema?
> Thu Sep 14 2017 10:53:45 AM EDT from IGnatius T Foobar @ Uncensored
>Subject: Re: LDAP / Cit-NG
The current expected behavior is that it ought to copy all valid email addresses
from LDAP to the Citadel account at the moment the account is created or when
the user logs in.
So what is the current expected behavior?
I am getting the tester up this afternoon / tomorrow.
> Wed Sep 13 2017 09:41:02 AM EDT from IGnatius T Foobar @ Uncensored
>Subject: Re: LDAP / Cit-NG
Making the Citadel system behave more seamlessly in an LDAP world is a good
idea. But right now let's just test what we have :)
Also, with this, LDAP is treated as a second-class citizen by not exposing LDAP
users so they can be selected for room invites, etc. It would be good to be
able to set which field is used to generate the "local" account name. Some
prefer uid (like us), others like Full Name, some Last, First.
>Site configurable, as in whether to bring in all addresses which match the
>citadel configuration? I am not sure what you are thinking when you say site
>configurable. As in do you copy the address at all, or at each login, etc?
Yes, exactly ... I'm thinking we probably are going
Will give this a spin on my test server.
Site configurable, as in whether to bring in all addresses which match the
citadel configuration? I am not sure what you are thinking when you say site
configurable. As in do you copy the address at all, or at each login, etc?
Also, as to
Ok, the code has been uploaded to git, to copy email addresses from LDAP
to Citadel when a user logs in. Give it a try.
We probably need to do a couple of other things:
* Make it a site-configurable setting
* Make it happen automatically/periodically instead of just when the user
Ok I guess it's legal :)
I've got the code written to extract the email addresses from LDAP. Also
found the place where it needs to be called. Now I just have to figure out
the conditions under which it should be called. I'd like to do this with
as few configuration options as possible
Multiple attributes with the same name? Is that even legal?
mail = yes, and it is able to have multiple entries, so mail=b...@foo.net,
mail=bl...@foo.net, etc. (where there can be more than one mail field). I do not
think it typically supports multiple addresses within one field, so you would
just need to parse as many mail fields into an array and then read them.
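Added example (not code from this thread or from Citadel itself) showing the two steps discussed above: collect every value of the multi-valued `mail` attribute from an LDIF entry into an array, then keep only the addresses that are "valid for citadel", i.e. whose domain is one the host is configured to receive mail for. It goes slightly beyond the posts in treating the attribute name case-insensitively and in recognising (but skipping) base64 `mail::` values. The LDIF entry, the allowed-domain list and the function names are all constructed for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_ADDRS 16
#define ADDR_LEN 256

/* Constructed sample LDIF entry (not from the thread): one inetOrgPerson with
 * several 'mail' values, one of them outside the domains this host accepts. */
static const char *sample_ldif =
    "dn: uid=jdoe,ou=People,dc=example,dc=net\n"
    "objectClass: inetOrgPerson\n"
    "objectClass: posixAccount\n"
    "uid: jdoe\n"
    "mail: jdoe@example.net\n"
    "MAIL: jane.doe@example.net\n"
    "mailAlternateAddress: ignored@example.net\n"
    "mail: jdoe@other.org\n"
    "mail:: amRvZUBleGFtcGxlLm5ldA==\n"
    "\n";

/* Case-insensitive prefix test: LDAP attribute names are case-insensitive. */
static int starts_with_nocase(const char *s, size_t slen, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (slen < plen) return 0;
    for (size_t i = 0; i < plen; i++)
        if (tolower((unsigned char)s[i]) != tolower((unsigned char)prefix[i]))
            return 0;
    return 1;
}

static int eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == *b;
}

/* Collect every value of the multi-valued 'mail' attribute from one LDIF
 * entry (the entry ends at the first blank line). "mail::" marks a base64
 * value; it is skipped here, a real importer would decode it. Returns the
 * number of values stored in out[]. */
int extract_mail_attrs(const char *ldif, char out[][ADDR_LEN], int max)
{
    int n = 0;
    const char *line = ldif;
    while (*line && n < max) {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        if (len == 0) break;                      /* blank line: end of entry */
        if (starts_with_nocase(line, len, "mail:") && line[5] != ':') {
            const char *v = line + 5;
            size_t vlen = len - 5;
            while (vlen > 0 && isspace((unsigned char)*v)) { v++; vlen--; }
            while (vlen > 0 && isspace((unsigned char)v[vlen - 1])) vlen--;
            if (vlen > 0 && vlen < ADDR_LEN) {
                memcpy(out[n], v, vlen);
                out[n][vlen] = '\0';
                n++;
            }
        }
        if (!eol) break;
        line = eol + 1;
    }
    return n;
}

/* Keep only addresses whose domain is one the Citadel host is configured to
 * receive mail for (the thread's "valid for citadel" rule). Values without a
 * usable '@' part are dropped as malformed. Returns the number kept. */
int filter_allowed(char addrs[][ADDR_LEN], int n,
                   const char *const *domains, int ndomains,
                   char out[][ADDR_LEN], int max)
{
    int kept = 0;
    for (int i = 0; i < n && kept < max; i++) {
        const char *at = strrchr(addrs[i], '@');
        if (!at || at == addrs[i] || at[1] == '\0') continue;
        for (int d = 0; d < ndomains; d++) {
            if (eq_nocase(at + 1, domains[d])) {
                strcpy(out[kept++], addrs[i]);
                break;
            }
        }
    }
    return kept;
}

/* Run the constructed entry through both steps with a constructed allowed-
 * domain list; returns how many addresses would be imported into Citadel. */
int import_sample(char out[][ADDR_LEN], int max)
{
    static const char *const allowed[] = { "example.net", "mail.example.net" };
    char raw[MAX_ADDRS][ADDR_LEN];
    int n = extract_mail_attrs(sample_ldif, raw, MAX_ADDRS);
    return filter_allowed(raw, n, allowed, 2, out, max);
}

int main(void)
{
    char addrs[MAX_ADDRS][ADDR_LEN];
    int n = import_sample(addrs, MAX_ADDRS);
    for (int i = 0; i < n; i++)
        printf("import: %s\n", addrs[i]);
    return 0;
}
```

With the constructed entry, three `mail` values are collected (the `mailAlternateAddress` and base64 lines are not), and only the two `example.net` addresses survive the domain filter; `jdoe@other.org` is dropped exactly as the "internet aliases are not working" discussion would predict for a domain the host is not configured for.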
I spent some time looking through this tonight and I want to be 100% sure
that we get the right attributes.
As far as I can tell, in both RFC2307 and Active Directory, the email address
is stored in
IG: I am using OpenLDAP with my users using the basics of
inetorgperson.schema
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include
bennabiy: question for you!
I know you're using LDAP on your system, but which LDAP server and what does
the schema look like? If we're going to pull email addresses in from LDAP
at account creation time, I need to know where to pull them from. I'm guessing
you're using OpenLDAP or
And for the aide user, the viewable flag should not apply to them. They
should be able to see the list of anyone.
> Tue Aug 15 2017 02:19:05 PM EDT from bennabiy @ Uncensored
>Subject: Re: LDAP / Cit-NG
I also forgot to post in my LDAP rant, based on the viewable flag (whether
someone is a hidden user or not) we need LDAP users to populate an address
book list so that room permissions and such can be set from a list (like the
contact list, but without having to strip out the email address part).