Re: how to enable crypt password in Openldap under Windows!!!

2007-10-31 Thread Hang Zhang

Quanah Gibson-Mount wrote:
--On Wednesday, October 31, 2007 1:16 AM -0600 Hang Zhang 
<[EMAIL PROTECTED]> wrote:



Hi Quanah,


Please read:



--Quanah



--

Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc

Zimbra ::  the leader in open source messaging and collaboration


Hi Quanah,

Thanks for your reply. However, I found that I cannot bind to the LDAP
server with any type of hashed password. I use the command slappasswd, and
copied the generated {sha} password and then pasted this hashed password
into my slapd.conf file. Then I cannot bind to the LDAP server anymore
unless I use the clear text version. I do not know why. Thanks.

Hang




Re: setting up admin password on openldap

2007-10-31 Thread Szombathelyi György
On Tuesday 30 October 2007 21.54.49, Naufal Sheikh wrote:
> Hi Piotr,
>
> Here is my ldif file.
>
> dn: cn=nsadmin
> changetype: modify
> userpassword: {SHA}R0f182La8UTJewHKUWIr2ltHPXc=
>  and the command I used is:
>
> [EMAIL PROTECTED] bin]# ./ldapmodify -x -v -f /main/backup/nsadmin.ldif
> ldap_initialize(  )
> replace userpassword:
> {SHA}R0f182La8UTJewHKUWIr2ltHPXc=
> modifying entry "cn=nsadmin"
> modify complete
> ldap_modify: Strong(er) authentication required (8)
> additional info: modifications require authentication
>
> and I cannot still connect bind to ldap through credentials. It says
> invalid credentials when I try to connect it through ldap browser.
>
>
You didn't specify what DN you want to connect as. Use "ldapmodify -D
cn=nsadmin,o=trac -x ...", and use the password you gave in slapd.conf.
The "rootdn" and "rootpw" have precedence over the one you have in the
directory.

Bye,
György
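A check worth doing in both password threads above before blaming the bind: confirm that the {SHA}/{SSHA} value pasted into slapd.conf or the LDIF really corresponds to the intended password. This is an added example in Python, not code from the thread or from OpenLDAP; the hash format is the RFC 2307 style slappasswd emits, and the sample passwords are constructed.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the thread): generate and verify RFC 2307-style
# {SHA} and {SSHA} userPassword values, as slappasswd produces them.


def make_sha(password: str) -> str:
    """Unsalted {SHA}: base64(sha1(password)), like 'slappasswd -h {SHA}'."""
    digest = hashlib.sha1(password.encode("utf-8")).digest()
    return "{SHA}" + base64.b64encode(digest).decode("ascii")


def make_ssha(password: str, salt: bytes = None) -> str:
    """Salted {SSHA}: base64(sha1(password + salt) + salt), salt appended."""
    if salt is None:
        salt = os.urandom(4)  # slappasswd uses a short random salt too
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_password(stored: str, password: str) -> bool:
    """True if `password` matches a {SHA}/{SSHA} value or a cleartext value."""
    pw = password.encode("utf-8")
    if not stored.startswith("{") or "}" not in stored:
        # No scheme prefix: the stored value is compared as cleartext.
        return hmac.compare_digest(stored.encode("utf-8"), pw)
    scheme, b64 = stored[1:].split("}", 1)
    raw = base64.b64decode(b64)
    if scheme.upper() == "SHA":
        return hmac.compare_digest(raw, hashlib.sha1(pw).digest())
    if scheme.upper() == "SSHA":
        digest, salt = raw[:20], raw[20:]  # SHA-1 digest is 20 bytes
        return hmac.compare_digest(digest, hashlib.sha1(pw + salt).digest())
    raise ValueError("unsupported scheme {%s}" % scheme)
```

Run check_password against the exact string you pasted into slapd.conf; a stray character or a wrong password shows up as False before any server is involved.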




Re: When to delete client content during RFC4533 synchronization?

2007-10-31 Thread Howard Chu

Erik van Oosten wrote:

Hello,

I am writing a RFC4533 client implementation based on JLDAP. I have a
question on how to interpret the rfc as a client, and secondly how the
OpenLDAP server interprets it.

My question is: how can the client determine that it must delete content
at the end of the refresh stage, when a refreshAndPersist is requested
with an initial cookie?

The problem is that I cannot infer from the RFC how I can differentiate
between a server that sends an initial content poll and a server that
sends a content update poll. The RFC specifies that the server may choose
to ignore the initial cookie and the reloadHint flag, so either poll mode
may be chosen by the server.


Your use of the words "client" and "server" seems inconsistent here. The above 
questions made no sense to me. Servers don't send polls.



In the case of a refreshOnly the RFC is clear: when refreshDeletes of
syncDoneValue is FALSE, content that is not added, changed, or indicated
as present must be deleted from the client copy (section 1.3.1 paragraph
8).
However, in the case of a refreshAndPersist, there is no similar flag in
the SyncInfoMessage that ends the refresh stage. SyncInfoMessage does have
values named refreshDelete and refreshDeletes, but these are used for
other purposes (see section 3.4.1 and section 3.3.2 paragraph 7 and 9).

Am I missing something?


If the server used a present phase, then it will send a SyncInfoMessage with 
refreshPresent. If it used a delete phase, it will send a SyncInfoMessage with 
refreshDelete. If the refresh stage is complete, the message will have 
refreshDone set to TRUE.


If the client receives a SyncInfoMessage with refreshPresent and refreshDone 
set to TRUE that means there's only a present phase and no delete phase. 
Therefore, any entry that wasn't marked present or added must be deleted.



What is the behavior of the OpenLDAP server in this matter? Does it ever
ignore the reloadHint of the sync request control?


In OpenLDAP 2.2 and early versions of 2.3 it always ignored the hint. In 
current versions you can configure it to use the hint.


Regards,
 Erik.


--
Erik van Oosten
http://2008.rubyenrails.nl/
http://www.day-to-day-stuff.blogspot.com/






--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP     http://www.openldap.org/project/
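Howard's rules above, as an added example in Python (not code from the thread or from Erik's JLDAP client): a minimal client-side state machine that decides what to delete when the refresh stage ends. The message dicts mirror the syncInfoValue and syncDoneValue fields of RFC 4533; the entryUUIDs and message sequences are constructed.

```python
class SyncReplClient:
    """Added example: tracks a client copy through one RFC 4533 refresh."""

    def __init__(self, local_uuids):
        self.local = set(local_uuids)  # entryUUIDs held in the client copy
        self.seen = set()              # added, modified or presented this refresh
        self.refresh_done = False

    def on_entry(self, state, uuid):
        # Sync State control value carried by each search result entry.
        if state == "delete":
            self.local.discard(uuid)
        elif state in ("add", "modify"):
            self.local.add(uuid)
            self.seen.add(uuid)
        elif state == "present":
            self.seen.add(uuid)
        else:
            raise ValueError("unknown sync state %r" % state)

    def _end_present_phase(self):
        # Present phase finished: whatever was neither presented nor
        # added/modified no longer exists on the server, so drop it locally.
        self.local &= self.seen
        self.refresh_done = True

    def on_sync_info(self, msg):
        # SyncInfoMessage in refreshAndPersist; "kind" is the CHOICE tag.
        kind = msg["kind"]
        if kind == "syncIdSet":
            if msg.get("refreshDeletes", False):
                self.local -= set(msg["syncUUIDs"])  # batched deletions
            else:
                self.seen.update(msg["syncUUIDs"])   # batched presents
        elif kind == "refreshPresent" and msg.get("refreshDone", True):
            self._end_present_phase()
        elif kind == "refreshDelete" and msg.get("refreshDone", True):
            # Delete phase only: every removal was explicit, nothing more to do.
            self.refresh_done = True
        # refreshDone FALSE (or a newcookie) means the refresh continues.

    def on_search_done(self, sync_done):
        # refreshOnly: syncDoneValue.refreshDeletes FALSE means a present
        # phase ran, so unpresented entries must go (RFC 4533 section 1.3.1).
        if sync_done.get("refreshDeletes", False):
            self.refresh_done = True
        else:
            self._end_present_phase()
```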


When to delete client content during RFC4533 synchronization?

2007-10-31 Thread Erik van Oosten

Hello,

I am writing a RFC4533 client implementation based on JLDAP. I have a
question on how to interpret the rfc as a client, and secondly how the
OpenLDAP server interprets it.

My question is: how can the client determine that it must delete content
at the end of the refresh stage, when a refreshAndPersist is requested
with an initial cookie?

The problem is that I cannot infer from the RFC how I can differentiate
between a server that sends an initial content poll and a server that
sends a content update poll. The RFC specifies that the server may choose
to ignore the initial cookie and the reloadHint flag, so either poll mode
may be chosen by the server.
In the case of a refreshOnly the RFC is clear: when refreshDeletes of
syncDoneValue is FALSE, content that is not added, changed, or indicated
as present must be deleted from the client copy (section 1.3.1 paragraph
8).
However, in the case of a refreshAndPersist, there is no similar flag in
the SyncInfoMessage that ends the refresh stage. SyncInfoMessage does have
values named refreshDelete and refreshDeletes, but these are used for
other purposes (see section 3.4.1 and section 3.3.2 paragraph 7 and 9).

Am I missing something?

What is the behavior of the OpenLDAP server in this matter? Does it ever
ignore the reloadHint of the sync request control?

Regards,
Erik.


--
Erik van Oosten
http://2008.rubyenrails.nl/
http://www.day-to-day-stuff.blogspot.com/




Re: how to enable crypt password in Openldap under Windows!!!

2007-10-31 Thread matthew sporleder
On 10/31/07, Piotr Wadas <[EMAIL PROTECTED]> wrote:
>
>
> On Tue, 30 Oct 2007, Quanah Gibson-Mount wrote:
>
> > --On Tuesday, October 30, 2007 4:05 PM -0500 Hang Zhang <[EMAIL PROTECTED]>
> > wrote:
> >
> > > C:\OpenLDAP>slappasswd -h {CRYPT}
> > > New password: Re-enter new password: Password generation failed for
> > > scheme {CRYPT}: scheme not recognized
> >
> >
> > Using crypt is bad.
> >
> > --Quanah
> >
>
> Can you explain why it is bad? We use it mainly because we're
> moving our users and passwords from shadow files. Is something
> wrong with {CRYPT} passwords? Is it deprecated, or something?
> Regards,
> Piotr
>

See:
http://www.openldap.org/faq/data/cache/419.html
http://www.openldap.org/faq/data/cache/344.html
http://www.openldap.org/faq/data/cache/348.html


Re: how to enable crypt password in Openldap under Windows!!!

2007-10-31 Thread Piotr Wadas


On Tue, 30 Oct 2007, Quanah Gibson-Mount wrote:

> --On Tuesday, October 30, 2007 4:05 PM -0500 Hang Zhang <[EMAIL PROTECTED]>
> wrote:
> 
> > C:\OpenLDAP>slappasswd -h {CRYPT}
> > New password: Re-enter new password: Password generation failed for
> > scheme {CRYPT}: scheme not recognized
> 
> 
> Using crypt is bad.
> 
> --Quanah
> 

Can you explain why it is bad? We use it mainly because we're
moving our users and passwords from shadow files. Is something
wrong with {CRYPT} passwords? Is it deprecated, or something?
Regards,
Piotr