2.4.18 refint getting no such attribute in bdb_modify_internal with removal; works with rename

2009-10-08 Thread Andreas Hasenack
[apologies if you get this twice: I originally sent this from the wrong non-subscribed address] Hi, I'm using the refint overlay with a few attributes, but I can't get it to work with krbPwdPolicyReference from MIT kerberos 1.7. I get the error from the subject when deleting the entry this

Re: Debugging a module

2009-09-17 Thread Andreas Hasenack
On Wed, Sep 16, 2009 at 17:42, Ryan Steele ry...@aweber.com wrote: query returns nothing: ldapsearch -x -w SECRET -D cn=admin,dc=example,dc=com -b cn=testgroup,ou=Groups,dc=example,dc=com -LLL '(uid=user1)' This filter doesn't look right. Try (member=uid=user1,ou=Users,dc=example,dc=com)

Re: Upgrade to 2.3.40 - failed index

2008-02-05 Thread Andreas Hasenack
On Mon, 2008-02-04 at 12:07 -0800, Paul B. Henson wrote: On Mon, 4 Feb 2008, Michael Ströder wrote: Paul B. Henson wrote: Feb 3 03:50:36 derp idmgmt[3722]: error deleting user cjlindsay: DN index delete failed (LDAP) Everything right with ownership/permissions on the

Re: large ldap server recommendation

2008-02-01 Thread Andreas Hasenack
On Fri, Feb 01, 2008 at 03:24:50PM -0600, Ryan Horrisberger wrote: same as RH's packages and will replace them--but so far it works great, and the upgrade was flawless (you have to rebuild the DB since it is using an older [better] version of bdb), and yes the package RH ships is an

Re: DN index delete failed

2008-01-28 Thread Andreas Hasenack
On Mon, 2008-01-28 at 09:12 -0500, Aaron Richton wrote: My syncrepl provider seems to be missing updates following an upgrade to 2.3.40. While I was trying to push them through this morning, I got an odd message: Jan 28 08:46:19 slapd[12685]: [ID 588225 local4.debug] conn=234174 op=2

Re: New performance results

2007-11-03 Thread Andreas Hasenack
On Sat, 2007-11-03 at 03:30 -0700, Howard Chu wrote: OpenLDAP 2.3 has been unrivaled as the fastest directory server in the world for the past two+ years, but today that's no longer true. Now OpenLDAP 2.4 takes over as the most scalable, most reliable, highest performing directory

Re: 2.4.6 ACLs and Extented Operations

2007-11-01 Thread Andreas Hasenack
Gavin Henry wrote: Dear All, Is this a bad ACL?: access to dn=ou=Users,dc=suretecsystems,dc=com by self write by users read by anonymous auth If a .subtree match is implied, this could be bad from a security point of view, perhaps. It allows an authenticated user

Re: Export/Import LDAP database with passwords

2007-10-19 Thread Andreas Hasenack
On Fri, 2007-10-19 at 01:37 -0700, Gilles Schlienger wrote: Hi, I would like to export an existing Openldap database on a local new Openldap install? I exported the data in an LDIF file, but it does not contain the passwords If you used ldapsearch, most likely ACLs prevented you from

Re: Syncrepl - force replication after replica being down

2007-10-16 Thread Andreas Hasenack
On Tue, 2007-10-16 at 14:53 +0200, Luka wrote: Hi, haven't been able to find any answers regarding this question. If my replica is shut down and some changes are made to master (inside ou=access,o=example.net, which is set as a searchbase in syncrepl configuration) replica doesn't

Re: toubles using ppolicy to lock account

2007-09-26 Thread Andreas Hasenack
On Wed, 2007-09-26 at 17:12 +0200, Guillaume Rousse wrote: So, I set up a very minimal default password policy object, as it seems to be quite mandatory: dn: cn=default,ou=policies,dc=futurs,dc=inria,dc=fr cn: default objectClass: pwdPolicy objectClass: organizationalRole pwdAttribute:

Re: sets and groupOfNames groups

2007-09-15 Thread Andreas Hasenack
On Sat, 2007-09-15 at 00:45 +0200, Pierangelo Masarati wrote: Andreas Hasenack wrote: Now I want to be able to use nested groups, so I follow the FAQ and do a test with sets: access to dn.regex=^([^,]+,)?ou=sudoers,dc=example,dc=com$ attrs=children,entry,@sudoRole by set=[cn

sets and groupOfNames groups

2007-09-14 Thread Andreas Hasenack
openldap-2.3.38 I have this ACL: access to dn.regex=^([^,]+,)?ou=sudoers,dc=example,dc=com$ attrs=children,entry,@sudoRole by group.exact=cn=Sudo Admins,ou=System Groups,dc=example,dc=com write by * read The group is: dn: cn=Sudo Admins,ou=System Groups,dc=example,dc=com cn: Sudo Admins

Re: multiple password policies

2007-07-11 Thread Andreas Hasenack
On Wed, Jul 11, 2007 at 04:30:00PM +0200, Dieter Kluenter wrote: Hi, I am using ppolicy overlay control password policy. Now I would like to define 3 different policies as policyDN. In slapd.conf one can only define a defaultDN, how can a policyDN declared in an entry? Or is editing the

Re: force use of start_tls: how?

2007-07-05 Thread Andreas Hasenack
On Wednesday 04 July 2007 15:52:45 Philip Guenther wrote: On Wed, 4 Jul 2007, Andreas Hasenack wrote: ... The only problem is that I really want start_tls, and not ldaps (which is deprecated, right?). Can't be done. The problem is that LDAP does not mandate that clients I realized

Re: force use of start_tls: how?

2007-07-04 Thread Andreas Hasenack
On Wed, Jul 04, 2007 at 05:53:24PM +0200, Hallvard B Furuseth wrote: The problem is that the rejection happens too late: the client password was already sent to the server in clear text. If you want to ensure it on the server side, all you can do is not listen for ldap:// connections since

Re: problems importing users and groups

2007-06-29 Thread Andreas Hasenack
On Fri, Jun 29, 2007 at 09:33:41AM -0300, Timeu wrote: When I try to import users and groups to LDAP I get this error: # ldapadd -x -D 'cn=administrador,dc=homolog,dc=com,dc=br' -W -f users.ldif Enter LDAP Password: adding new entry uid=root,ou=People,dc=homolog,dc=com,dc=br ldap_add:

Re: sync replicate glued database [checked for viruses]

2007-06-20 Thread Andreas Hasenack
On Wed, Jun 20, 2007 at 11:16:47AM +0200, Hans Moser wrote: Buchan Milne wrote: To put the overlay into the database context does not make any difference. It seems, I was wrong. Sorry. After I made a new change to one entry on the master and waited a bit longer, the changes were

rootpw ignored if userPassword exists

2007-06-15 Thread Andreas Hasenack
I was just wondering if this is expected behaviour. If rootdn happens to match an existing entry in the directory, and that entry has a userPassword attribute, the rootpw value in slapd.conf is ignored and userPassword is used instead. I find this a bit unexpected. Suppose someone manages to

Re: rootpw ignored if userPassword exists

2007-06-15 Thread Andreas Hasenack
On Fri, Jun 15, 2007 at 04:31:48PM +0200, Hallvard B Furuseth wrote: Andreas Hasenack writes: I was just wondering if this is expected behaviour. It's intended behaviour that rootdn can be the name of an entry and you can use that entry's password. Agreed When both an entry and rootpw

Re: why syncrepl doesn't work ???

2007-06-12 Thread Andreas Hasenack
On Tue, Jun 12, 2007 at 09:23:52AM -0300, Jeronimo Zucco wrote: Hi, list. I'm trying to implement syncrepl in my openldap 2.3.35 without success. I tried many (I said: MANY) times to slapcat, slapadd to slave for syn ldap servers, but for some reason with I don't know, the slave

Re: best practice: admin accounts?

2007-06-08 Thread Andreas Hasenack
On Thu, Jun 07, 2007 at 04:07:11PM -0700, Craig wrote: Andreas Hasenack wrote: No need for shadowAccount. Where do you put the password? (I don't see any kind of password in the account object in cosine.schema.) Use the simpleSecurityObject AUX class together with account.

Re: best practice: admin accounts?

2007-06-07 Thread Andreas Hasenack
On Thursday 07 June 2007 01:24:45 Craig wrote: I need to create a user (or 2) for replication only, but don't really know where to put it or which structural class it should be. I was thinking about: dn: uid=Replicator,dc=example,dc=com objectClass: top objectClass: account

Re: Samba entries in openldap

2007-02-22 Thread Andreas Hasenack
On Thursday 22 February 2007 12:36:22 Howard Chu wrote: Chechu wrote: Hi, my question is the next: I want the entries sambaLMPassword sambaNTPassword to point kerberos kdc, like userPassword does...but openldap is unable to do..and

Re: slapcat hangs without error message

2007-02-14 Thread Andreas Hasenack
On Wed, Feb 14, 2007 at 09:04:29AM +0100, [EMAIL PROTECTED] wrote: I am running a slapd 2.2.23 (debian package) with a bdb Backend on a Debian Sarge system. I want to use slapcat for backing up my database, but it does never dump the complete data. After running a while it just stops and is

checking syncrepl consistency

2007-01-31 Thread Andreas Hasenack
Hi all, I want to be able to check for the syncrepl consistency between a provider and a consumer with this database layout: provider (OL 2.3.30) consumer (OL 2.3.32) + dc=example,dc=com+ dc=example,dc=com / \/ \ ... +

2.3.33 back_meta test failure

2007-01-31 Thread Andreas Hasenack
Hello, while running make test on a 2.3.33 build, I get an error in test030-relay when using the meta backend: (...) Using meta backend... Starting slapd on TCP/IP port 9011... Using ldapsearch to check that slapd is running... Using ldapadd to populate the database... Searching

Re: 2.3.33 back_meta test failure

2007-01-31 Thread Andreas Hasenack
On Wed, Jan 31, 2007 at 07:52:26PM +0100, Pierangelo Masarati wrote: The log shows: $ tail testrun/slapd.1.log conn=3 op=1 meta_search_dobind_init[0] conn=3 op=1 meta_search_dobind_init[0]=1 == rewrite_context_apply [depth=1] string='o=Example,c=US' == rewrite_rule_apply

Re: 2.3.33 back_meta test failure

2007-01-31 Thread Andreas Hasenack
/home/andreas/updates-svn/openldap/BUILD/openldap-2.3.33/servers/slapd/.libs/lt-slapd: symbol lookup error: ../servers/slapd/back-meta/.libs/back_meta-2.3.so.0: undefined symbol: ldap_back_proxy_authz_ctrl Anybody else with the same problem? You should build and load the back_ldap.la

can't delete userPassword when ppolicy is used

2006-12-17 Thread Andreas Hasenack
openldap-2.3.30 Not sure if this is intended or not, but it seems to be impossible to delete the userPassword attribute from an entry if the ppolicy overlay is loaded. I found this out when I accidentally added a userPassword attribute to a posixGroup entry and discovered I could no longer

Re: slow queries with long strings in filters

2006-11-09 Thread Andreas Hasenack
On Thu, Nov 09, 2006 at 03:34:38PM +0100, Sylvain Amrani wrote: Hi list, I've got an attribute that could contain very long strings (more than 150 chr). It's a string made of small tokens separated by spaces and slashes : departmentUID: BA/BAC ANDL/BAPZ IDF/GRPT YVLN/CIE GN ST GERM...

Re: posixgroup structuralobject errors

2006-11-03 Thread Andreas Hasenack
On Fri, Nov 03, 2006 at 10:47:02AM +0100, jef peeraer wrote: i am using openldap for many years now ( around 300 users ) but recently i encountered some problems. i installed a new server ( opensuse 10.1) and tried to import an ldap database which comes from a suse 9.3 There seems to be a

Re: Fwd: Why groupOfURLs is STRUTURAL?

2006-09-19 Thread Andreas Hasenack
On Tue, Sep 19, 2006 at 07:32:12PM +0300, Hai Zaar wrote: This description is semantically equivalent to that provided in dynschema. That is, both describe the class as structural. Thank you for reply. Back to original problem: How can I implement Dynamic posixGroup - i.e. posixGroup with

Re: refreshAndPersist syncrepl replication stops working after a while

2006-09-18 Thread Andreas Hasenack
On Mon, Sep 18, 2006 at 12:07:03PM +0100, Barry Flanagan wrote: Hi, I am using 2.3.24 and have one master and one slave, using the syncrepl overlay on the master. My problem is that in refreshAndPersist mode, after some time the slave no longer receives updates. If I restart the slave the

Re: Slapd Replication Problem

2006-09-13 Thread Andreas Hasenack
On Wed, Sep 13, 2006 at 01:34:07PM -0400, Brian White wrote: I tried that, but it seems I may need to add it to _all_ the access lines, since there are separate one that control access to passwords, etc. The ordering of ACL's make a difference. Maybe you can just try to put it near the

Re: errant SASL/GSSAPI setup?

2006-09-01 Thread Andreas Hasenack
On Thu, Aug 31, 2006 at 02:59:10PM -0700, Quanah Gibson-Mount wrote: Yep, MIT Kerberos is exactly what I was beginning to expect as well, which is why I asked about the Kerberos libraries being used. That's what it looks like is being used from Allan's libraries he provided as well. As

Re: Setting limits on an ou, only

2006-08-31 Thread Andreas Hasenack
On Thu, Aug 31, 2006 at 07:47:32PM +0200, Pierangelo Masarati wrote: Quanah Gibson-Mount wrote: Sure, I can use that to set a limit for a user but this application needs to bind anonymously (or the equivalent of anonymous, since the credentials would have to be public). I couldn't find

contextCSN and glue'd databases

2006-08-18 Thread Andreas Hasenack
I was reading the appendix A of RFC4533 (about syncrepl and CSN) and the definition of contextCSN is as follows: The context CSN is the greatest committed entry CSN that is not greater than any outstanding (uncommitted) entry CSNs for all entries in a directory context. ^^

Re: contextCSN and glue'd databases

2006-08-18 Thread Andreas Hasenack
On Fri, Aug 18, 2006 at 10:43:05AM -0300, Andreas Hasenack wrote: I was reading the appendix A of RFC4533 (about syncrepl and CSN) and the definition of contextCSN is as follows: The context CSN is the greatest committed entry CSN that is not greater than any outstanding (uncommitted) entry

Re: ldapsearch error with sasl

2006-08-18 Thread Andreas Hasenack
On Fri, Aug 18, 2006 at 06:21:47PM +0200, chechu chechu wrote: Hi i have gssapi correctly installed...but i get this error with ldapsearch : [EMAIL PROTECTED]:~# ldapsearch -D cn=admin,dc=ironman,dc=es -w secret SASL/LOGIN authentication started ldap_sasl_interactive_bind_s: Invalid

Re: Debug help required for 2.3.25 with bdb 4.2.52 with 5 patches

2006-08-18 Thread Andreas Hasenack
On Fri, Aug 18, 2006 at 06:31:16PM +0100, Gavin Henry wrote: Dear all, On the 15th this happened and about half an hour ago too: Aug 18 17:49:02 server1 slapd[653]: = bdb_equality_candidates: (sambaGroupType) index_param failed (18) Aug 18 17:49:02 server1 slapd[653]: bdb_db_cache:

slapadd: database doesn't support necessary operations

2006-08-17 Thread Andreas Hasenack
REL_ENG_2_3 from a few hours ago (labeled as 2.3.26) I get this error when trying to slapadd an ldif file with the -w option on a database that is glue'd: # slapadd -b dc=example,dc=com -w -v -g remote1.ldif slapadd: database doesn't support necessary operations. (same without -g) Since I'm

Re: syncrepl: force a full refresh

2006-08-09 Thread Andreas Hasenack
On Wednesday 09 August 2006 18:42, Atom Powers wrote: Ok, I know there has to be an easy way to do this, but I'm having a hard time figuring it out. How can I force a syncrepl consumer to do a full refresh from the provider? Stop the consumer, delete its database and start it up again?

Re: Problem with LDAP server on SLES9

2006-08-03 Thread Andreas Hasenack
On Thursday 03 August 2006 05:01, Jakob Breivik Grimstveit wrote: Thanks, this was the way to solve it. I was really afraid I had lost some user data, and will now look into hourly exports with snapshots :-). Thank you very much everyone who answered me. So this problem is fixed in

Re: Problem with LDAP server on SLES9

2006-08-02 Thread Andreas Hasenack
On Wed, Aug 02, 2006 at 03:19:30PM +0200, Jakob Breivik Grimstveit wrote: slapcat hangs when I try running it while the LDAP server is not running, has to be breaked to stop. strace of that is here: http://www.starshipping.com/~jakobbg/slapcat.txt. Slapd.conf:

Re: syncrepl refresh not finished after consumer restart

2006-07-31 Thread Andreas Hasenack
On Wed, Jul 19, 2006 at 03:24:22PM +0200, Halbritter, Matthias wrote: closed connection. When I start the consumer again, it starts in the REFRESH_DELETE mode, although it hasn't replicated all entries yet. Shouldn't the consumer finish or restart the refresh? I'm getting the same behaviour

Re: ppolicy_hash_cleartext also hashing hashes?

2006-07-28 Thread Andreas Hasenack
On Friday 28 July 2006 06:23, Tim Tassonis wrote: Then, I wanted to import entries from a sunone directory into my openldap server, where passwords were stored as SSHA hashes: ldapsearch -h sunone | ldapmodify -h openldap and that made the ppolicy module apparently hashing the already

Re: Bad proformance after add several ACLs setting.

2006-07-17 Thread Andreas Hasenack
On Mon, Jul 17, 2006 at 03:12:23PM +0800, Wang Penghui wrote: Hello, everyone, There is an openldap installation on my gentoo server. The version of server is net-nds/openldap-2.1.30-r2. The hardware information is CPU: Intel Xeon 2.4G x 2 MEM: 512M x 2 HD: SCSI 73G x 2 with Raid 1.

Re: syncrepl missing/ignoring {md5} passwords?

2006-06-19 Thread Andreas Hasenack
On Mon, Jun 19, 2006 at 06:31:39PM +0100, Ade Fewings wrote: Dear all We are setting up an OpenLDAP 2.3.34 directory server structure and I have started using syncrepl to produce replica servers. Everything is going OK, except that userPassword's crypt'd using {MD5} rather than {crypt}

Re: forced password change + update: blocked by ppolicy

2006-06-05 Thread Andreas Hasenack
On Fri, Jun 02, 2006 at 06:04:36PM -0300, Andreas Hasenack wrote: If yes, how is this possible considering that pam_ldap uses the ldap_extended_operation_s() for the EXOP and later on ldap_modify_s()? These are synchronous operations, right? So how come the second operation be initiated before

forced password change + update: blocked by ppolicy

2006-06-03 Thread Andreas Hasenack
I need some help interpreting these logs. They are from pam_ldap-182 changing a password on an openldap-2.3.24 server with the password policy overlay: slapd[11017]: conn=112 op=12 BIND dn=uid=john,ou=People,dc=example,dc=com method=128 slapd[11017]: conn=112 op=12 BIND

Re: syncreply sasl (gssapi)

2006-05-30 Thread Andreas Hasenack
On Tue, May 30, 2006 at 04:31:37PM +0200, Bernd Schubert wrote: Hi, if I run on the failover system 'kinit ldapadmin-h2' syncreply works - until the ticket expires. After the ticket is expired or if I didn't get a ticket via kinit, syncreply fails. How can I make slapd to get a ticket

@OC notation in ACLs: does it include the OC itself?

2006-05-24 Thread Andreas Hasenack
(openldap-2.3.23) If I have an ACL like this: access to dn.subtree=dc=example,dc=com [EMAIL PROTECTED] by group.exact=cn=LDAP Admins,ou=System Groups,dc=example,dc=com by * none Would it be equivalent to, instead of using @shadowAccount, just listing all attributes of

ppolicy behaviour after several binds

2006-05-02 Thread Andreas Hasenack
(pam_ldap-18[0-2], openldap-2.3.21) While testing pam_ldap's ppolicy support I came across this scenario. The uid=fulano user has pwdReset set to TRUE, and my policy mandates that he then changes the password. These are the logs of what is happening (grepped for just conn=58 which is where the

Re: update dn

2006-04-28 Thread Andreas Hasenack
On Fri, Apr 28, 2006 at 10:08:59AM +, Michael wrote: hey list, i tried to change a user dn (uid=test,ou=People ...) but it didn't work. Is there any chance to change the uid=test to uid=test2 ? I used the ldap account manager but it doesn't have a function for that. I also searched the

Re: More Attributes with slapcat than with ldapsearch

2006-03-29 Thread Andreas Hasenack
On Wed, Mar 29, 2006 at 09:01:13AM -0500, Brian Gaber wrote: Why does slapcat produce a LDIF entry with attributes that ldapsearch does not show? With my slapcat I get these additional attributes (with values), not shown by ldapsearch: creatorsName: createTimestamp: modifiersName:

Re: slapcat backup inconsitency - several tries gives different output results

2006-02-21 Thread Andreas Hasenack
On Mon, Feb 20, 2006 at 06:04:33PM -, [EMAIL PROTECTED] wrote: Hi, I'm having this huge problem that I can't resolve. I'm using slapcat to backup my ldap and I'm sending it to a file. I use that file to restore my ldap using slapadd I have a program that counts all the nodes in ldap

Re: SASL mechanisms

2006-02-20 Thread Andreas Hasenack
On Mon, Feb 20, 2006 at 09:33:46AM -0500, Francis Swasey wrote: Folks, Having been bitten by someone installing a SASL mechanism on a server that also is one of my LDAP servers which was not configured (it happened to be Red Hat decided this mechanism is required to have sendmail on the

Re: OpenLDAP - no access, user doesn't exist, credentials wrong

2006-02-20 Thread Andreas Hasenack
On Sun, Feb 19, 2006 at 09:51:05PM +0100, Jürgen Herz wrote: Hello, today I got started with LDAP and OpenLDAP - but I didn't come far. I'm using OpenLDAP 2.2.23 and ldaptools of same version from Debian Sarge. At installation time I was asked about my admin user and password. I've chosen

Re: OpenLDAP - no access, user doesn't exist, credentials wrong

2006-02-20 Thread Andreas Hasenack
On Mon, Feb 20, 2006 at 08:33:19PM +0100, Jürgen Herz wrote: Andreas Hasenack wrote: E.g. ldapsearch -D cn=admin,dc=mysystem,dc=test -x -w secret cn=itsme or ldapsearch -D cn=itsme,dc=mysystem,dc=test uid=ldap -W and entering mypassword as password. Someone on IRC the other day

Re: pwdPolicy pwdMustChange enforcement

2006-02-14 Thread Andreas Hasenack
On Mon, Feb 13, 2006 at 03:58:31PM -0800, Howard Chu wrote: What's missing? Read the slapo-ppolicy(5) manpage again, look for pwdReset. Aha, got it, thanks! I was wrongly assuming that password reset by administrator meant a password change done by the administrator, and not literally setting

pwdPolicy pwdMustChange enforcement

2006-02-13 Thread Andreas Hasenack
How is the pwdMustChange policy supposed to be applied to ldap clients? Doesn't this need support in the client? I'm sure ldapsearch(1), for example, can't change the userPassword attribute, but it can authenticate without problems. So how is this policy going to be enforced?

Re: pwdPolicy pwdMustChange enforcement

2006-02-13 Thread Andreas Hasenack
On Mon, Feb 13, 2006 at 11:25:27AM -0800, Howard Chu wrote: Andreas Hasenack wrote: How is the pwdMustChange policy supposed to be applied to ldap clients? Doesn't this need support in the client? I'm sure ldapsearch(1), for example, can't change the userPassword attribute, but it can

Re: make errors with 2.3.17.

2006-01-19 Thread Andreas Hasenack
On Thu, Jan 19, 2006 at 05:55:40AM -0800, Howard Chu wrote: # From: Andreas Hasenack [EMAIL PROTECTED] --On Wednesday, January 18, 2006 2:38 PM +1100 Dennis Matotek [EMAIL PROTECTED] wrote: Having an error compiling the source on 2.3.17. machine is: mandriva 2006 2.6.12-14mdk libsasl2

Re: make errors with 2.3.17.

2006-01-18 Thread Andreas Hasenack
On Tue, Jan 17, 2006 at 08:51:48PM -0800, Quanah Gibson-Mount wrote: --On Tuesday, January 17, 2006 8:39 PM -0800 Quanah Gibson-Mount [EMAIL PROTECTED] wrote: --On Wednesday, January 18, 2006 2:38 PM +1100 Dennis Matotek [EMAIL PROTECTED] wrote: Having an error compiling the

syncrepl and refreshAndPersist question: provider restart

2005-10-29 Thread Andreas Hasenack
With 2.3.11 and a provider/consumer setup with refreshAndPersist, what triggers the consumer to reconnect to the provider when the provider goes down? For example, suppose both servers are synchronized and using refreshAndPersist: - restart the provider (stop start) - change something in the

Re: Still getting TLS errors with 2.3.11

2005-10-17 Thread Andreas Hasenack
On Mon 17 Oct 2005 06:39, Dieter Kluenter wrote: I just experienced the same problem and it took me a few minutes to find the reason, which resulted in TLS trace: SSL3 alert read:fatal:certificate expired TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS: can't accept.

Re: Still getting TLS errors with 2.3.11

2005-10-17 Thread Andreas Hasenack
On Mon, Oct 17, 2005 at 10:39:15AM +0200, Dieter Kluenter wrote: I just experienced the same problem and it took me a few minutes to find the reason, which resulted in TLS trace: SSL3 alert read:fatal:certificate expired TLS trace: SSL_accept:failed in SSLv3 read client certificate A TLS:

Re: Still getting TLS errors with 2.3.11

2005-10-17 Thread Andreas Hasenack
On Mon, Oct 17, 2005 at 09:29:57AM -0400, Aaron Richton wrote: If I run ldapsearch from another machine which has another version of openldap that is not 2.3.11 nor 2.3.10, then it works. So this is against your 2.3.11 slapd, 2.3.11 ldapsearch -ZZ fails while 2.3.10 connects OK (2.3.11

Re: Still getting TLS errors with 2.3.11

2005-10-17 Thread Andreas Hasenack
On Mon, Oct 17, 2005 at 10:16:28AM -0400, Samuel Tran wrote: If I run ldapsearch from another machine which has another version of openldap that is not 2.3.11 nor 2.3.10, then it works. On my OL 2.3.11 test servers both SSL and TLS work fine. We use our own CA certificate to sign our cert

Still getting TLS errors with 2.3.11

2005-10-16 Thread Andreas Hasenack
I reviewed ITS#4082 and I have that patch applied in tls.c (I'm running 2.3.11 which has it). However, I still get TLS errors when using ldapsearch -ZZ: connection_get(13) connection_get(13): got connid=0 connection_read(13): checking for input on id=0 TLS trace: SSL_accept:before/accept

are simple binds deprecated?

2005-08-27 Thread Andreas Hasenack
/usr/include/ldap.h (OL-2.3.6): #if LDAP_DEPRECATED /* * in bind.c: * (deprecated) */ LDAP_F( int ) ldap_bind LDAP_P(( /* deprecated */

Re: are simple binds deprecated?

2005-08-27 Thread Andreas Hasenack
On Saturday 27 August 2005 12:39, Kurt D. Zeilenga wrote: The quoted material implies this particular interface is deprecated. It says nothing about LDAP simple bind itself. What is the non-deprecated way of unbinding? ldap_unbind(3) is marked as deprecated in /usr/include/ldap.h from

Re: substring index oddity

2005-08-24 Thread Andreas Hasenack
On Wednesday 24 August 2005 19:44, Quanah Gibson-Mount wrote: I agree, why not? I do. :P But this isn't necessarily an argument for compiling from source. It is an argument against using Debian's packaged releases since they are inadequate. There are other packages of OpenLDAP that keep

Re: How does it handle 10k users and 3k desktops.

2005-08-06 Thread Andreas Hasenack
On Friday 05 August 2005 20:26, Gustavo Rios wrote: Dear folks, i am planning using openldap to server account for my users (unix, email, etc). It will be authenticating by means of kerberos V (SASL) I wonder about performance concerns. My initial idea was to use BDB, but on openbsd

Re: OpenLDAP on Ubuntu

2005-07-28 Thread Andreas Hasenack
On Thu, Jul 28, 2005 at 12:08:21AM -0400, Jeremy Silva wrote: /usr/lib/libsasl2.a(db_berkeley.o)(.text+0x5a): In function `berkeleydb_open': : undefined reference to `db_create_4002' These kind of suffixes for berkeley db are used when berkeley db was built with --with-uniquename. So, it

Re: slapd 2.2.26 DOS

2005-06-30 Thread Andreas Hasenack
On Thursday 30 June 2005 14:59, juliano wrote: ldapsearch -b 'dc=xxx,dc=yyy' kills the slapd process. I just compiled with --enable-ldbm No errors reported when compiling... I do make test after and its okay too. What i did wrong ? do_sasl_bind: dn () mech DIGEST-MD5 SASL [conn=1] Debug: