Re: Why didn't rfc2307bis supersede rfc2307?
Hi,

As far as I remember, since this happened more than 10 years ago, Luke working with people at HP started to revise RFC2307 (which is experimental, i.e. not even close to a standard). Sun and HP implemented some of the ideas, but other vendors did not.

Just my 2 cents.

Ludo
--
Ludovic Poitou
http://ludopoitou.com

On 27 June 2017 at 17:43:09, John Lewis (oflam...@gmail.com) wrote:

On Tue, 2017-06-27 at 11:01 +0200, Michael Ströder wrote:
> John Lewis wrote:
> > https://tools.ietf.org/html/draft-howard-rfc2307bis-02
> >
> > The only thing that jumps at me is the name. It doesn't follow rfc norms.
>
> Naming is fine because it's still only an Internet draft and not an RFC.
>
> > I am having a really hard time finding anyone who says that the standard is bad.
>
> It's simply not finished. After LDAPcon 2015 there was an attempt to resurrect the ietf-ldapext WG and one of the possible work items would be to get this to RFC status.
>
> If you're eager to push this you should thoroughly review the discussions on the still functional ietf-ldapext mailing list before:
>
> https://mailarchive.ietf.org/arch/browse/ldapext/
>
> Ciao, Michael.

It is only going to take me a couple days to read the whole archive (thanks Evolution team, https://wiki.gnome.org/Apps/Evolution/, for mbox import support) and another half hour to change into the clothes of the corporate entity I want to go into the discussion as. I haven't managed to come across any flamewars that caused an impasse yet. Were there any troublesome threads where a decision wasn't made? The only thing particularly notable is one or two guys are trying to standardize behavior they want to see in the main standard that nobody wants as a default because it is a bad default, and try to sell another standard that will work whether or not rfc2307-02 gets ratified as a new rfc. They already negated their own issue and have no room to negotiate.
Re: Attribute pwdPolicySubentry
In my opinion, the pwdPolicySubentry attribute should be read-only, generated by the server. We had made the error in Sun Directory Server to allow customers to set it manually, and it was very confusing that the attribute served 2 roles: a way to find the pwd policy entry applicable for the entry, and a way to set a different or new policy for an account. In OpenDJ (and all other servers from the same code base) we use 2 different attributes. That separation made it easier to handle for applications and administrators.

My 2 cents
Ludo
Re: Ldap challenge
Interesting how this question is hitting a number of different mailing lists…

Here’s an edited extract of an email I’ve sent yesterday on the OpenDJ mailing list:

The memberOf attribute name was used by Microsoft Active Directory with specific semantics. There is no LDAP representation of the attribute definition, but details, including the OID, can be found here: <https://msdn.microsoft.com/en-us/library/ms677099(v=vs.85).aspx>. It was also used by a Sun product (Delegated Administration) with another definition and semantics. This is why we chose in Sun Directory Server, OpenDS and now OpenDJ to have a properly defined attribute with a different name: isMemberOf, operational and read-only.

My 2 cents,
Ludo
--
Ludovic Poitou
http://ludopoitou.com

From: Michael Ströder
Reply: Michael Ströder
Date: 27 Apr 2015 at 22:43:41
To: Andrew Findlay
Cc: openldap-technical@openldap.org
Subject: Re: Ldap challenge

Andrew Findlay wrote:
> On Mon, Apr 27, 2015 at 06:27:39PM +, Ross, Daniel B. wrote:
>
> > ismemberof does not exist we have to use memberof
>
> Memberof is fairly common. I don't think I have ever found a system that used 'ismemberof'.

'isMemberOf' is used on Sun/Oracle DSSE, Netscape/Fedora/389-DS and OpenDS/OpenDJ. 'memberOf' was originally defined in MS Active Directory and is used as default in slapo-memberof. It's configurable though.

Ciao, Michael.
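The naming difference Ludovic and Michael describe is exactly what breaks portable client code: an application that hard-codes memberOf fails on servers that only expose isMemberOf, and vice versa. The Python helper below is an added example (not code from this thread, nor from any of the servers named) that reads whichever reverse-membership attribute the user entry carries and otherwise falls back to scanning group entries for a member/uniqueMember value. All entries, DNs and group names are constructed sample data.

```python
"""Resolve a user's group memberships without assuming which reverse-membership
attribute the server offers: isMemberOf (Sun/Oracle DSEE, 389-DS, OpenDS/OpenDJ)
or memberOf (Active Directory, slapo-memberof).

Added example with constructed sample entries; not code from the thread.
"""

# Candidate server-maintained attributes, checked in this order.  Names are matched
# case-insensitively because LDAP attribute descriptions are case-insensitive.
MEMBERSHIP_ATTRIBUTES = ("isMemberOf", "memberOf")

# Group attributes that list members by DN (groupOfNames / groupOfUniqueNames).
MEMBER_ATTRIBUTES = ("member", "uniqueMember")


def get_attr(entry, name):
    """Case-insensitive attribute lookup on a dict-shaped entry."""
    wanted = name.lower()
    for key, values in entry.items():
        if key.lower() == wanted:
            return list(values)
    return []


def normalize_dn(dn):
    """Crude DN normalisation for comparison: lower-case, strip spaces around commas.
    Production code should use a real RFC 4514 DN parser instead."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def groups_of(user_entry, group_entries):
    """Return (source, sorted list of group DNs).

    Prefer the server-computed reverse attribute when the entry carries one, so a
    single read of the user suffices.  Otherwise scan the group entries for a
    member/uniqueMember value equal to the user's DN (direct membership only:
    nested groups are not expanded here).
    """
    for attr in MEMBERSHIP_ATTRIBUTES:
        values = get_attr(user_entry, attr)
        if values:
            return attr, sorted(normalize_dn(v) for v in values)

    user_dn = normalize_dn(user_entry["dn"])
    found = set()
    for group in group_entries:
        for attr in MEMBER_ATTRIBUTES:
            if any(normalize_dn(m) == user_dn for m in get_attr(group, attr)):
                found.add(normalize_dn(group["dn"]))
    return "scan", sorted(found)


# Constructed sample data (not taken from any real directory).
GROUPS = [
    {"dn": "cn=admins,ou=groups,dc=example,dc=com",
     "member": ["uid=alice,ou=people,dc=example,dc=com"]},
    {"dn": "cn=staff,ou=groups,dc=example,dc=com",
     "uniqueMember": ["uid=alice,ou=people,dc=example,dc=com",
                      "uid=bob,ou=people,dc=example,dc=com"]},
]

# Entry as an OpenDJ-style server would return it, with isMemberOf maintained.
ALICE_OPENDJ = {"dn": "uid=alice,ou=people,dc=example,dc=com",
                "isMemberOf": ["cn=admins,ou=groups,dc=example,dc=com"]}

# Entry from a server that maintains no reverse-membership attribute at all.
BOB_PLAIN = {"dn": "uid=bob,ou=people,dc=example,dc=com"}

if __name__ == "__main__":
    print(groups_of(ALICE_OPENDJ, GROUPS))   # served from isMemberOf
    print(groups_of(BOB_PLAIN, GROUPS))      # computed by scanning groups
```

Note that the two paths can legitimately disagree: a server-maintained isMemberOf or memberOf reflects whatever that server considers membership (static, dynamic or nested groups, depending on the product), whereas the scan only sees direct static members.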
RE:OpenLDAP incroyable!
So do I ;-)
--
Ludovic Poitou
http://ludopoitou.wordpress.com

On 26 Nov 2014 at 07:57:27, Gremaud Cyrill (cyrill.grem...@hefr.ch) wrote:

Yes I know, that was a joke...

From: Ludovic Poitou [ludovic.poi...@gmail.com]
Sent: Wednesday 26 November 2014 07:53
To: Onno van der Straaten; Gremaud Cyrill
Cc: openldap-technical@openldap.org
Subject: Re: OpenLDAP incroyable!

There are alternative open source enterprise solutions to OpenLDAP… no need to start developing your own!

Regards,
Ludo
--
Ludovic Poitou
Product Manager for OpenDJ, open source LDAP directory services...

On 26 Nov 2014 at 07:29:18, Gremaud Cyrill (cyrill.grem...@hefr.ch) wrote:

If you do not appreciate OpenLDAP, nobody forces you to use it :-) You can choose non-open-source software or develop your own :-)
Re: OpenLDAP incroyable!
There are alternative open source enterprise solutions to OpenLDAP… no need to start developing your own!

Regards,
Ludo
--
Ludovic Poitou
Product Manager for OpenDJ, open source LDAP directory services...

On 26 Nov 2014 at 07:29:18, Gremaud Cyrill (cyrill.grem...@hefr.ch) wrote:

If you do not appreciate OpenLDAP, nobody forces you to use it :-) You can choose non-open-source software or develop your own :-)
Re: SAML Identity Provider for OpenLDAP
Hi Marc,

If you're looking for a proven identity provider that works with SAML, but not only, you cannot go wrong with OpenAM. It's widely deployed, serving millions of identities for critical businesses, consumer facing portals and governments (or church). Just check the Forgerock website for a list of customers.

Kind regards,
Ludovic

NB: I work for ForgeRock

On Tuesday, April 22, 2014, Marc Patermann <hans.mo...@ofd-z.niedersachsen.de> wrote:
> Hi,
>
> I'm searching for a proven "extension" to use my OpenLDAP directory data with a SAML identity provider.
>
> I found LemonLDAP:NG and OpenAM as possible candidates.
>
> Howtos and success stories are welcome!
>
>
> Marc

--
Ludovic Poitou
http://ludopoitou.wordpress.com
Re: Regarding LDAP structure
A few comments inline...
--
Ludovic Poitou
http://ludopoitou.wordpress.com

From: Alejandro Imass aim...@yabarana.com
Reply: Alejandro Imass aim...@yabarana.com
Date: March 13, 2014 at 20:25:49
To: Joshua Riffle jrif...@apu.edu
Cc: openldap-technical@openldap.org
Subject: Re: Regarding LDAP structure

> On Thu, Mar 13, 2014 at 12:18 PM, Joshua Riffle wrote:
> > I'm aware this may not be the best mailing list to discuss something as generalized as best practices for LDAP structuring within OpenLDAP, but would anyone be able to direct me to a mailing list that would be better suited for this kind of conversation?
>
> I think it's an excellent discussion and I don't see why this list cannot accommodate it. After all, OpenLDAP is currently a reference model in the OSS world for LDAP so it could very well house discussion around reference models for DITs.
>
> > I'm looking for any or all of these kinds of communications within a mailing list:
> >
> > Designing a person, account, group LDAP tree directory that would be scalable and flexible enough to grow to large sizes (millions) and still have a grip on best practices for identity management on an enterprise level.

I’m not sure I understand the issue here. Directories like OpenLDAP or OpenDJ are already capable of handling millions of entries, and I know several of our customers that have services with tens of millions, and even beyond a hundred million entries.

> Usually you should aim towards a DDS (Distributed Directory Service) and all nodes sharing some sort of agreement in the DIT structure, although it's not always necessary.
>
> > Specifically for an educational institution if I can share the aches and pains of other directory owners with similar problems.
> > I also am trying to prove / disprove the use of having a person directory object with multiple child account objects as good or bad architecture and understand why.
>
> I've never seen this discussed in practice.
>
> Most LDAP implementations are quite poor and revolve around Posix and/or Windows AD management instead of using more elaborate DIT modelling, aliasing, and the entryUUID operational attribute (RFC 4530). The DIT model is unique to every application but I do agree with you that we should have some reference models that break the traditional People, Computer, Group paradigm.

I guess that the point of view will differ whether you're building a directory service to support your network (which revolves around Posix users and/or AD) or a directory service to support portals and user facing applications, in which case the directory is like any other generic database technology and you have some freedom of implementing the model you want for your applications.

Regards,
Ludovic.

> RDN and DN are actually quite malleable and should never be used as unique identifiers of any sort, but rather as temporary addresses/names to locate entries, much the same way a person may have different addresses throughout his life yet remain the same person (aliases to a single entry/entryUUID). By the same token, two people may have identical attributes, yet be two distinct individuals (distinct entries/entryUUID). This can also happen in an LDAP DIT as the LDAP specification purposely makes no effort in preventing or controlling this. Moreover, the entryUUID is the perfect "key" to integrate your LDAP technology to other data sources that may need to "link" with the LDAP. So long as your tools actually use moddn and modrdn (as opposed to deleting and re-creating the entry) then the entryUUID should never change for the life of the entry regardless of where it's located in the DIT.
>
> > Good and bad ways to relate tree objects with each other. I only know of parent / child tree relationships or more "softly" by using DN's within an attribute like the group-member relationship.
>
> There are two popular and generic reference models for LDAP DIT hierarchies: (a) the more traditional X.500 form, and (b) the more modern domain-based around the DNS model. Each one is just a general guideline and they are by no means strict models for any LDAP implementation. In fact, the whole idea behind X.500 and LDAP is precisely that the model is flexible and adaptable over time, meaning that you don't have to "get it right" from the start and should be able to evolve your DIT over time, provided of course that your toolset is adequate. Web-based tools such as LAM for example are almost hard-wired into a People, Computer, Group paradigm whereas tools like PHPLDAPAdmin are more flexible but less intuitive. The latter provides a template mechanism which allows for easy customization to a particular implementation, but I think both (as almost all pop
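Alejandro's point about keying external data on entryUUID rather than on the DN is easy to demonstrate. The Python below is an added example (my own, not code from the thread) that models a toy in-memory directory where the server assigns entryUUID once at creation; it shows an external record keyed on entryUUID surviving a moddn, the same key dangling when the entry is instead deleted and re-added, and a DN-keyed link dangling after a plain rename. The DNs and the external record are constructed sample values.

```python
"""Why entryUUID (RFC 4530), not the DN, should be the stable key when linking
external records to directory entries.

Added example with a toy in-memory directory; not code from the thread.  It models
only the behaviour discussed above: modrdn/moddn keeps entryUUID, delete + re-add
does not.
"""
import uuid


class ToyDirectory:
    """Minimal DIT model: entries keyed by entryUUID, with a DN index on top."""

    def __init__(self):
        self.by_uuid = {}   # entryUUID -> entry dict
        self.dn_index = {}  # normalised DN -> entryUUID

    @staticmethod
    def norm(dn):
        # Crude normalisation for comparison; real code uses an RFC 4514 parser.
        return ",".join(p.strip() for p in dn.lower().split(","))

    def add(self, dn, attrs):
        # The server assigns entryUUID exactly once, at creation (operational attribute).
        entry_uuid = str(uuid.uuid4())
        self.by_uuid[entry_uuid] = {"dn": dn, "entryUUID": entry_uuid, **attrs}
        self.dn_index[self.norm(dn)] = entry_uuid
        return entry_uuid

    def delete(self, dn):
        entry_uuid = self.dn_index.pop(self.norm(dn))
        del self.by_uuid[entry_uuid]

    def moddn(self, old_dn, new_dn):
        # A rename relocates the entry; the entry itself (and its UUID) survives.
        entry_uuid = self.dn_index.pop(self.norm(old_dn))
        self.by_uuid[entry_uuid]["dn"] = new_dn
        self.dn_index[self.norm(new_dn)] = entry_uuid

    def lookup_by_uuid(self, entry_uuid):
        return self.by_uuid.get(entry_uuid)

    def lookup_by_dn(self, dn):
        entry_uuid = self.dn_index.get(self.norm(dn))
        return self.by_uuid.get(entry_uuid) if entry_uuid else None


OLD_DN = "uid=alice,ou=students,dc=example,dc=edu"   # constructed
NEW_DN = "uid=alice,ou=staff,dc=example,dc=edu"      # constructed


def link_survives_rename():
    """External record stores entryUUID; the entry is moved with moddn.
    Returns the DN the stored key now resolves to."""
    d = ToyDirectory()
    key = d.add(OLD_DN, {"cn": "Alice"})
    external_record = {"hr_id": 4711, "ldap_key": key}   # constructed HR row
    d.moddn(OLD_DN, NEW_DN)
    return d.lookup_by_uuid(external_record["ldap_key"])["dn"]


def link_breaks_on_recreate():
    """Same move done as delete + add: the stored key no longer resolves (None)."""
    d = ToyDirectory()
    key = d.add(OLD_DN, {"cn": "Alice"})
    d.delete(OLD_DN)
    d.add(NEW_DN, {"cn": "Alice"})
    return d.lookup_by_uuid(key)


def dn_link_breaks_on_rename():
    """Storing the DN instead of entryUUID: it dangles after the rename (None)."""
    d = ToyDirectory()
    d.add(OLD_DN, {"cn": "Alice"})
    d.moddn(OLD_DN, NEW_DN)
    return d.lookup_by_dn(OLD_DN)


if __name__ == "__main__":
    print("entryUUID link after moddn      :", link_survives_rename())
    print("entryUUID link after delete+add :", link_breaks_on_recreate())
    print("DN link after moddn             :", dn_link_breaks_on_rename())
```

The practical consequence for provisioning tooling is the one Alejandro states: any connector that implements "move" as delete-then-add silently invalidates every external reference that was (correctly) keyed on entryUUID.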
Re: NEW LDAP PROJECT
Hi John,

Your comments are surprising. Can you elaborate on how OpenDJ is not friendly and slow?

Kind regards,
Ludovic Poitou
ForgeRock Product Manager for OpenDJ.

On Tuesday, March 4, 2014, Borresen, John - 0442 - MITLL <john.borre...@ll.mit.edu> wrote:
> All,
>
> There is a new project; a group that I support will be using OpenAM to manage single sign-on (SSO).
>
> The environment is outward facing, where multiple entities (outside users) will log on to a web portal via openam/opensso. The OpenAM will query the OpenLDAP (currently it is an embedded OpenDJ implementation) for user information.
>
> Based on their user credentials they will, hopefully, be forwarded to either a Production, Development or a Demonstration environment. The group wants to migrate to OpenLDAP as OpenDJ is 1) not friendly 2) very slow.
>
> I've been looking around at the OpenAM/OpenDJ configuration and most of the schemas are specifically legacy Sun Microsystems & Java specific. Basically, the OpenLDAP will be the User-store for OpenAM.
>
> 1) Should I migrate those schemas and everything else currently in OpenDJ over to OpenLDAP and import them?
> 2) What is the recommended methodology that I should follow to best implement the above scenario?
>
> Any pointers are much appreciated.
>
> Thanks,
>
> John D. Borresen (Dave)
> Linux/Unix Systems Administrator
> MIT Lincoln Laboratory
> Surveillance Systems Group
> 244 Wood St
> Lexington, MA 02420
> Email: john.borre...@ll.mit.edu

--
Ludovic Poitou
http://ludopoitou.wordpress.com
Re: Java library to manage LDAP entries
OpenDJ LDAP SDK and toolkit is Java based: opendj.forgerock.org. Otherwise, Apache Directory also has a Java based library.

Regards,
Ludovic.
--
Ludovic Poitou
ForgeRock
http://ludopoitou.wordpress.com

From: Ali Gholami ghol...@kth.se
Reply: Ali Gholami ghol...@kth.se
Date: February 12, 2014 at 14:16:49
To: openldap-technical@openldap.org
Subject: Java library to manage LDAP entries

Dear list,

I wonder if anyone knows about a Java based library to manage LDAP entries instead of the command line, something like phpLDAPadmin?

Thanks in advance for your answer!
Ali
Re: Help me for " LDAP Sync Replication with Active Directory from Openldap side"
Howard,

I don't dispute the 2 implementations. 2 doesn't make a standard though, even if it's more than any other LDAP replication spec.
My main point is that RFC4533 is not a standard but describes an experiment.

Regards,
Ludo
--
Ludovic Poitou
http://ludopoitou.wordpress.com

On Sunday, March 24, 2013 at 16:33 , Howard Chu wrote:
> Ludovic Poitou wrote:
> > On Sunday, March 24, 2013 at 14:11 , Howard Chu wrote:
> > > devzero2000 wrote:
> > > > Sorry for the top posting
> > > >
> > > > no, it is not possible to do what you are trying to do, not so simply. There are solutions for synching different ldap products, free and commercial. In a very old oreilly ldap book the topic is also discussed somehow, iirc. In effect the ietf effort to create a multiple vendor ldap synch repl standard has failed, in retrospect, i think.
> > >
> > > The IETF succeeded, and RFC4533 is the result. Currently OpenLDAP and Apache Directory support it, I'm not aware of anyone else.
> >
> > I wouldn't say that IETF succeeded. RFC4533 is an experimental document and in no way represents a consensus on how to do LDAP synchronization or replication.
>
> Perhaps no consensus today, but the existence of two interoperable independently developed implementations means the experiment succeeded. That's more than any other replication spec for LDAP can claim.
>
> > Regards,
> > Ludovic.
> > --
> > Ludovic Poitou
> > http://ludopoitou.wordpress.com
> >
> > > > Best
> > > >
> > > > 2013/3/24, Suman Karki (mailto:sumankark...@gmail.com):
> > > > > If any person is willing to help me and require more detail about this problem i will reply that.
> > > > >
> > > > > On 3/24/13, Suman Karki (mailto:sumankark...@gmail.com) wrote:
> > > > > > I am running open ldap server in redhat server, and active directory in win server 2008.
> > > > > > I have admin access to both servers.
> > > > > >
> > > > > > The thing is that i have to sync both servers, like from openldap i could access active directory data.
> > > > > >
> > > > > > Can it be possible?
> > > > > > If possible then please give me some information so that i could proceed with this task.
> > > > > >
> > > > > > I have tried some thing like using openldap admin guide
> > > > > >
> > > > > > syncrepl rid=001
> > > > > > provider=ldap://IP of AD server/
> > > > > > binddn="cn=replicator,dc=suretecsystems,dc=com"
> > > > > > bindmethod=simple
> > > > > > credentials=Password of AD server
> > > > > > searchbase="dc=suretecsystems,dc=com"
> > > > > > type=refreshAndPersist
> > > > > > retry="5 5 300 5"
> > > > > >
> > > > > > I don't know how much i am right.
> > > > > > Or is there any different way? Please help me to solve this.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Help me for " LDAP Sync Replication with Active Directory from Openldap side"
On Sunday, March 24, 2013 at 14:11 , Howard Chu wrote:
> devzero2000 wrote:
> > Sorry for the top posting
> >
> > no, it is not possible to do what you are trying to do, not so simply. There are solutions for synching different ldap products, free and commercial. In a very old oreilly ldap book the topic is also discussed somehow, iirc. In effect the ietf effort to create a multiple vendor ldap synch repl standard has failed, in retrospect, i think.
>
> The IETF succeeded, and RFC4533 is the result. Currently OpenLDAP and Apache Directory support it, I'm not aware of anyone else.

I wouldn't say that IETF succeeded. RFC4533 is an experimental document and in no way represents a consensus on how to do LDAP synchronization or replication.

Regards,
Ludovic.
--
Ludovic Poitou
http://ludopoitou.wordpress.com

> > Best
> >
> > 2013/3/24, Suman Karki (mailto:sumankark...@gmail.com):
> > > If any person is willing to help me and require more detail about this problem i will reply that.
> > >
> > > On 3/24/13, Suman Karki (mailto:sumankark...@gmail.com) wrote:
> > > > I am running open ldap server in redhat server, and active directory in win server 2008.
> > > > I have admin access to both servers.
> > > >
> > > > The thing is that i have to sync both servers, like from openldap i could access active directory data.
> > > >
> > > > Can it be possible?
> > > > If possible then please give me some information so that i could proceed with this task.
> > > >
> > > > I have tried some thing like using openldap admin guide
> > > >
> > > > syncrepl rid=001
> > > > provider=ldap://IP of AD server/
> > > > binddn="cn=replicator,dc=suretecsystems,dc=com"
> > > > bindmethod=simple
> > > > credentials=Password of AD server
> > > > searchbase="dc=suretecsystems,dc=com"
> > > > type=refreshAndPersist
> > > > retry="5 5 300 5"
> > > >
> > > > I don't know how much i am right.
> > > > Or is there any different way? Please help me to solve this.
>
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Re: Sun(oracle) directory server to openldap
Hi Stanislas,

Sun DSEE replication protocol is proprietary and thus not interoperable with any other LDAP directory server. I'm sure there are several people who have migrated from Sun DSEE to OpenLDAP (and the biggest hurdles are schema and aci), although in my part of the industry I hear more about those who migrate to OpenDJ (initially started by Sun as OpenDS to replace Sun DSEE).

Regards,
Ludovic
--
Ludovic Poitou
ForgeRock - Product Manager for OpenDJ.
http://forgerock.com
http://ludopoitou.wordpress.com

On Wednesday, June 20, 2012 at 14:45 , Stanislas LEVEAU wrote:
> Hi
>
> I wonder if someone has already migrated from a Sun DSEE to openldap and set up replication from SUN DSEE to openldap.
>
> thanks in advance
> Regards
> --
> Stanislas LEVEAU
>
> Rectorat de Caen
> 168, rue Caponière
> B.P. 6184
> 14061 CAEN Cedex
> Direction des Systèmes d'Information de l'Académie de Caen
> Département des infrastructures
>
> stanislas.lev...@ac-caen.fr
> Tel : 02.31.30.17.86
Re: which is the structural object class for posixAccount/shadowAccount?
Auxiliary objectclasses can be associated with any structural objectclasses. posixAccount is typically used with person or inetOrgPerson, as well as account.

Regards,
Ludo

On Mar 23, 2012, at 17:04 , stefano wrote:
> hi,
>
> i've a second question:
>
> posixAccount and posixShadow are auxiliary objectClasses but i don't understand which is their structural objectclass. i've seen some examples with account object class. is it this one?

Ludovic Poitou
ForgeRock - Product Manager for OpenDJ, open source LDAP directory services in Java.
http://www.forgerock.com/
http://ludopoitou.wordpress.com/
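To make Ludo's answer concrete, here is an added Python check (not code from the thread or from any directory server) that validates an entry's objectClass values against the RFC 4512 rule behind it: an entry has exactly one structural object class chain, plus any number of auxiliary classes. The mini-schema is a constructed excerpt giving only the kind and superior of the classes mentioned in the thread. It accepts posixAccount/shadowAccount alongside inetOrgPerson or account, rejects them on their own, and rejects an entry that mixes two unrelated structural classes.

```python
"""Check objectClass values against the structural/auxiliary rules of RFC 4512.

Added example with a constructed mini-schema; not code from the thread.
"""

# Constructed excerpt of standard schema: class name -> (kind, superior class).
SCHEMA = {
    "top": ("ABSTRACT", None),
    "person": ("STRUCTURAL", "top"),
    "organizationalPerson": ("STRUCTURAL", "person"),
    "inetOrgPerson": ("STRUCTURAL", "organizationalPerson"),
    "account": ("STRUCTURAL", "top"),
    "posixAccount": ("AUXILIARY", "top"),
    "shadowAccount": ("AUXILIARY", "top"),
}
# Object class names are case-insensitive in LDAP, so look them up that way.
_LOOKUP = {name.lower(): name for name in SCHEMA}


def canonical(name):
    """Schema spelling of an object class name, or None if it is unknown."""
    return _LOOKUP.get(name.lower())


def superior_chain(name):
    """All classes from `name` up to top, including `name` itself."""
    chain = []
    while name is not None:
        chain.append(name)
        name = SCHEMA[name][1]
    return chain


def check_object_classes(values):
    """Return (ok, most_specific_structural_class, problems) for a list of
    objectClass values as they would appear on an entry."""
    problems, structural = [], []
    for raw in values:
        name = canonical(raw)
        if name is None:
            problems.append(f"unknown object class: {raw}")
            continue
        if SCHEMA[name][0] == "STRUCTURAL":
            structural.append(name)

    if not structural:
        problems.append("no structural object class "
                        "(auxiliary classes such as posixAccount cannot stand alone)")
        return False, None, problems

    # The most specific structural class must have every other structural class
    # among its superiors; otherwise the entry mixes two unrelated chains.
    leaf = next((c for c in structural
                 if all(o in superior_chain(c) for o in structural)), None)
    if leaf is None:
        problems.append("structural classes do not form a single chain: "
                        + ", ".join(structural))
    return not problems, leaf, problems


if __name__ == "__main__":
    for ocs in (["inetOrgPerson", "posixAccount", "shadowAccount"],
                ["account", "posixAccount"],
                ["posixAccount", "shadowAccount"],
                ["inetOrgPerson", "account", "posixAccount"]):
        print(ocs, "->", check_object_classes(ocs))
```

A real server performs the same check from its subschema at add time and answers objectClassViolation; running it client-side is mainly useful when generating LDIF in bulk, so a batch of bad entries is caught before the import starts.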
Re: What's the java equivalent of ldap_set_option( NULL, LDAP_OPT_X_TLS_CACERTDIR, cert_path)?
Hi,

For Java apps, one might also want to consider Apache Directory API <http://directory.apache.org/api/> or OpenDJ LDAP API and Toolkit <http://opendj.forgerock.org/opendj-ldap-sdk/>.

Kind regards,
Ludovic.

Ludovic Poitou
ForgeRock - Product Manager for OpenDJ, open source LDAP directory services in Java.
http://www.forgerock.com/
http://ludopoitou.wordpress.com/

On Oct 19, 2011, at 10:36 , Nick Milas wrote:
> Probably not much to the point, but I thought I should send this info (derived from earlier posts in this list).
>
> For Java apps one could also use: http://www.unboundid.com/products/ldapsdk/ for Java or (now Oracle's) JNDI.
>
> Nick
>
> On 19/10/2011 2:28 πμ, daisy...@emc.com wrote:
>
> > I am trying to write a Java LDAP client program using Novell’s JLDAP
Re: Schema definitions: from Sun DS to OpenLDAP
Thanks Jonathan for the reference.

My blog was actually moved here: http://ludopoitou.wordpress.com
And there's an updated version of the script linked from this article: http://ludopoitou.wordpress.com/2009/07/31/updated-schema-convert-py-script-for-opends/

Regards,
Ludo
---
Ludovic Poitou
ForgeRock - Product Manager for OpenDJ, open source LDAP directory services
http://forgerock.com
http://ludopoitou.wordpress.com

On Wed, Jun 8, 2011 at 2:39 AM, Jonathan Clarke wrote:
> On 07/06/11 08:06, Silvio Verrecchia wrote:
> > Hello gurus,
> >
> > I'm migrating a Sun DS to Openldap and I've a highly personalized 99user.ldif file with user defined objectclasses and attributes (hundreds... :( :( )
> > Regarding personalized schema definitions, is there a way (script/batch/etc) to convert quickly and easily a Sun DS 99user.ldif file to the standard OpenLDAP schema files?
> >
> > Any suggestion is highly appreciated!
> >
> > Thank you very much!
> >
> > Silvano
>
> Hi,
>
> There is a script that does this the other way round, here:
> http://blogs.oracle.com/Ludo/entry/opends_tips_adding_schema_from
>
> I expect you could adapt it to reverse the process without too much hassle.
>
> Hope this helps,
> Jonathan
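Silvio's question (Sun DS 99user.ldif to OpenLDAP schema files) comes down to a change of container syntax: both formats carry the same RFC 4512 definition strings, Sun DS as LDIF attribute values of the cn=schema subentry and slapd as attributetype / objectclass directives. The Python below is an added example written for this thread; it is not the schema-convert.py script linked above and makes no claim about how that script works. It assumes the input is the folded LDIF subentry Sun DS writes (attributeTypes: and objectClasses: values); the sample 99user.ldif fragment, its OIDs and names are constructed.

```python
"""Convert user-defined schema from a Sun DS / DSEE 99user.ldif into OpenLDAP's
slapd.conf-style schema syntax (attributetype ( ... ) / objectclass ( ... )).

Added example for this thread; not the linked schema-convert.py script.
"""
import re

NUMERIC_OID = re.compile(r"^\d+(\.\d+)+$")


def unfold_ldif(text):
    """Join LDIF continuation lines: a line starting with one space continues the
    previous line and that leading space is dropped (RFC 2849).  Blank lines and
    comments are skipped."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            lines.append(raw)
    return lines


def definition_oid(definition):
    """The first token after the opening parenthesis is the OID."""
    return definition.lstrip("( ").split()[0]


def convert_99user_to_openldap(ldif_text):
    """Return (schema_text, warnings).  Attribute types are emitted before object
    classes because slapd resolves SUP/MUST/MAY references in file order."""
    attribute_types, object_classes, warnings = [], [], []
    for line in unfold_ldif(ldif_text):
        key, sep, value = line.partition(":")
        if not sep:
            continue
        key, value = key.strip().lower(), value.strip()
        if key == "attributetypes":
            target, keyword = attribute_types, "attributetype"
        elif key == "objectclasses":
            target, keyword = object_classes, "objectclass"
        else:
            continue  # dn:, objectClass: top, ... are LDIF framing, not schema
        oid = definition_oid(value)
        if not NUMERIC_OID.match(oid):
            # Sun DS accepts placeholder OIDs such as 'myAttr-oid'; slapd will not
            # load them unless an objectIdentifier macro defines that name.
            warnings.append(f"{keyword} {oid}: non-numeric OID, define an "
                            "objectIdentifier macro or assign a real OID")
        target.append(f"{keyword} {value}")
    return "\n".join(attribute_types + object_classes) + "\n", warnings


# Constructed 99user.ldif fragment (not from the thread), showing the LDIF line
# folding Sun DS produces and one placeholder OID to exercise the warning.
SAMPLE_99USER_LDIF = """dn: cn=schema
objectClass: top
objectClass: ldapSubentry
objectClass: subschema
attributeTypes: ( 1.3.6.1.4.1.99999.1.1 NAME 'exampleBadge' DESC 'Badge number'
  EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE
  X-ORIGIN 'user defined' )
attributeTypes: ( exampleFloor-oid NAME 'exampleFloor' SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
  X-ORIGIN 'user defined' )
objectClasses: ( 1.3.6.1.4.1.99999.2.1 NAME 'exampleEmployee' SUP top AUXILIARY
  MAY ( exampleBadge $ exampleFloor ) X-ORIGIN 'user defined' )
"""

if __name__ == "__main__":
    schema, warnings = convert_99user_to_openldap(SAMPLE_99USER_LDIF)
    print(schema)
    for w in warnings:
        print("WARNING:", w)
```

slapd is stricter than Sun DS about what it loads, so the output still needs a review before it is include'd in slapd.conf: references are resolved in file order (hence attribute types first), placeholder OIDs of the form name-oid need a real OID or an objectIdentifier macro, and any redefinition of a type or class that already exists in the core schema is rejected as a duplicate rather than merged.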