in the LDAP mail attribute, which should
be just LHS@RHS.domain
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd                                 |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/                       +44 1628 782565 |
-----------------------------------------------------------------------
"interesting"
behaviour when replication is involved.
Andrew
ld probably want to keep it for that.
Andrew
to specify the server ID so that it can go the
other way through the config, convert ID to FQDN, and drop that FQDN from the
set of replication sources?
Andrew
Anyway, running with fully-replicated config makes it even more important
to have a good solution to the problem I described.
Andrew
ncing/failover in this environment would be done separately ]
Andrew
On Fri, Oct 20, 2017 at 01:08:01PM +0300, Zeus Panchenko wrote:
> 1. search works with filter: (authorizedService=mail@hh001.umidb)
>(and without index it returns empty result)
That is odd. The index should only be a performance thing - it should
not change the results at all. You need to be
ry=finance)(dhcpOption:caseIgnoreSubstringsMatch:=boot*))
Andrew
ity.
Andrew
2017.
Andrew
Andrew
ple,dc=com"
mech=SIMPLE ssf=0
Aug 8 17:48:33 owl slapd[616]: conn=1282270 op=105 RESULT tag=97 err=0 text=
Finally the password is checked by binding to LDAP using the account DN and
password as credentials.
Andrew
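Added example, not code from Andrew's message or from the OpenLDAP project: a Python 3 script that reads slapd "stats" logging of the kind quoted above and reports what each connection did, which binds were answered with err=49 (invalidCredentials), and which simple binds sent a password on a connection that never negotiated TLS. The lines in SAMPLE_LOG are constructed, with made-up connection numbers, DNs and addresses; the line layouts are the ones slapd writes at loglevel stats. It assumes TCP listeners only, so ldapi:// connections would have to be excluded before the TLS check means anything.

```python
import re
from collections import defaultdict

# Constructed sample of slapd "stats" logging (loglevel stats). Connection
# numbers, DNs and addresses are made up; the formats follow what slapd writes
# for ACCEPT, STARTTLS, TLS established, BIND, SRCH and RESULT lines.
SAMPLE_LOG = """\
Aug  8 17:48:30 owl slapd[616]: conn=1001 fd=42 ACCEPT from IP=192.0.2.10:51234 (IP=0.0.0.0:389)
Aug  8 17:48:30 owl slapd[616]: conn=1001 op=0 STARTTLS
Aug  8 17:48:30 owl slapd[616]: conn=1001 op=0 RESULT oid= err=0 text=
Aug  8 17:48:30 owl slapd[616]: conn=1001 fd=42 TLS established tls_ssf=256 ssf=256
Aug  8 17:48:31 owl slapd[616]: conn=1001 op=1 BIND dn="cn=mailapp,ou=services,dc=example,dc=com" method=128
Aug  8 17:48:31 owl slapd[616]: conn=1001 op=1 BIND dn="cn=mailapp,ou=services,dc=example,dc=com" mech=SIMPLE ssf=0
Aug  8 17:48:31 owl slapd[616]: conn=1001 op=1 RESULT tag=97 err=0 text=
Aug  8 17:48:32 owl slapd[616]: conn=1001 op=2 SRCH base="ou=people,dc=example,dc=com" scope=2 deref=0 filter="(uid=alice)"
Aug  8 17:48:32 owl slapd[616]: conn=1001 op=2 SRCH attr=dn
Aug  8 17:48:32 owl slapd[616]: conn=1001 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Aug  8 17:48:33 owl slapd[616]: conn=1002 fd=43 ACCEPT from IP=192.0.2.10:51235 (IP=0.0.0.0:389)
Aug  8 17:48:33 owl slapd[616]: conn=1002 op=0 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug  8 17:48:33 owl slapd[616]: conn=1002 op=0 RESULT tag=97 err=49 text=
Aug  8 17:48:34 owl slapd[616]: conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" method=128
Aug  8 17:48:34 owl slapd[616]: conn=1002 op=1 BIND dn="uid=alice,ou=people,dc=example,dc=com" mech=SIMPLE ssf=0
Aug  8 17:48:34 owl slapd[616]: conn=1002 op=1 RESULT tag=97 err=0 text=
"""

BIND_RE = re.compile(r'conn=(\d+) op=(\d+) BIND dn="([^"]*)" (?:method=(\d+)|mech=(\S+) ssf=(\d+))')
SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)" scope=(\d) deref=\d filter="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) (?:SEARCH )?RESULT tag=(\d+) err=(\d+)')
TLS_RE = re.compile(r'conn=(\d+) fd=\d+ TLS established')


def parse_stats(lines):
    """Return (ops, tls_conns): ops maps (conn, op) to what was requested and
    how it ended; tls_conns is the set of connections that negotiated TLS."""
    ops, tls_conns = {}, set()
    for line in lines:
        m = TLS_RE.search(line)
        if m:
            tls_conns.add(int(m.group(1)))
            continue
        m = BIND_RE.search(line)
        if m:
            key = (int(m.group(1)), int(m.group(2)))
            op = ops.setdefault(key, {"kind": "BIND", "dn": m.group(3)})
            if m.group(4):
                op["method"] = int(m.group(4))          # 128 = simple, 163 = SASL
            else:
                # the mech/ssf line is only written once the bind has succeeded
                op["mech"], op["ssf"] = m.group(5), int(m.group(6))
            continue
        m = SRCH_RE.search(line)
        if m:
            ops[(int(m.group(1)), int(m.group(2)))] = {
                "kind": "SRCH", "base": m.group(3),
                "scope": int(m.group(4)), "filter": m.group(5)}
            continue
        m = RESULT_RE.search(line)
        if m:
            op = ops.setdefault((int(m.group(1)), int(m.group(2))), {"kind": "?"})
            op["tag"], op["err"] = int(m.group(3)), int(m.group(4))
    return ops, tls_conns


def failed_binds(ops):
    """DN -> number of BINDs answered with tag=97 err=49 (invalidCredentials),
    the counter to watch for password guessing against a known account."""
    counts = defaultdict(int)
    for op in ops.values():
        if op["kind"] == "BIND" and op.get("tag") == 97 and op.get("err") == 49:
            counts[op["dn"]] += 1
    return dict(counts)


def simple_binds_without_tls(ops, tls_conns):
    """DNs whose password crossed the wire in a simple bind on a connection that
    never negotiated TLS. The ssf=0 on the BIND line is the SASL layer only and
    says nothing about TLS, which is why 'TLS established' is tracked per conn."""
    return sorted({op["dn"] for (conn, _), op in ops.items()
                   if op["kind"] == "BIND" and op.get("method") == 128
                   and op["dn"] and conn not in tls_conns})


if __name__ == "__main__":
    ops, tls = parse_stats(SAMPLE_LOG.splitlines())
    for key in sorted(ops):
        print(key, ops[key])
    print("failed binds:", failed_binds(ops))
    print("simple binds in the clear:", simple_binds_without_tls(ops, tls))
```

Run it as a script to see the per-operation trace for the sample; for a real server pass the file object of the syslog file that receives slapd's output (the path varies by distribution) to parse_stats in place of SAMPLE_LOG.splitlines().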
.
This will tell you what the app is actually doing.
Andrew
oupOfNames then
you could use the memberof overlay to reflect membership into an attribute
of the user entry.
Andrew
onfig file (probably /etc/ldap/ldap.conf). I seem to remember a change in
behaviour of OpenSSL libs a while ago where I was bitten by something
similar. Maybe Juergen's earlier setup used ldap.conf and the new one
is ignoring it?
Andrew
On Thu, Jun 29, 2017 at 03:47:07PM +0100, Andrew Findlay wrote:
> I suspect part of the trouble is that you have two syncrepl clauses using the
> same search base on the same master. The timestamps are likely to be stored
> in the same place, causing a clash.
>
> One definite er
ncrepl rid=123
> provider=ldap://master.example:389
> starttls=critical
> searchbase="ou=ABC,ou=Sendmail,dc=example"
> bindmethod=simple
> binddn="uid=replABC,ou=repl,dc=example"
> credentials="***"
> tls_cacert=/usr/local/etc/openldap/ssl/ca.crt
> tls_ce
Andrew
gather up all the ownerOf
values.
To be really cute you could add the dynlist overlay to do this for you...
Andrew
s...
Andrew
that 64k aliases would trigger a
problem, or is something else going on here?
Andrew
view of your data that it
can cope with. Does the app need to modify LDAP data or is it read-only?
Andrew
ld be worth checking that you have indexed the objectclass attribute.
I prefer to avoid aliases...
Andrew
he only thing that needs to care about hash formats is the LDAP
server process.
Andrew
lcPasswordHash: {CRYPT}
olcPasswordCryptSaltFormat: "$6$%.12s"
It should be added to the olcDatabase=frontend,cn=config entry.
Andrew
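The server is the only thing that needs to care about hash formats at run time, but whoever audits an export (slapcat output, a backup tape) has to care too. Added example, not Andrew's code or anything from the OpenLDAP project: a Python 3 audit that classifies every userPassword value in an LDIF export by scheme and checks {CRYPT} salts against the $6$%.12s format from the message above (the setting lives in olcDatabase={-1}frontend,cn=config). The export, DNs and hash bodies below are constructed placeholders of the right shape, not real hashes; the {SSHA*} and {PBKDF2-*} scheme names are assumed to be those of the pw-sha2 and pw-pbkdf2 modules, and folded LDIF lines are assumed to have been unfolded first.

```python
import base64
import re


def _b64(s):
    return base64.b64encode(s.encode()).decode()


# Constructed slapcat-style export. Hash bodies are placeholders, not real hashes.
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{CRYPT}$6$Rz3f9Vt2hQeM$" + "A" * 86),
    "",
    "dn: uid=bob,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{SSHA}" + "B" * 32),
    "",
    "dn: uid=carol,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{CLEARTEXT}Winter2017"),
    "",
    "dn: uid=dave,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{CRYPT}$1$abcdefgh$" + "D" * 22),
    "",
    "dn: uid=erin,ou=people,dc=example,dc=com",
    "userPassword:: " + _b64("{CRYPT}$6$ab$" + "E" * 86),
    "",
    "dn: uid=frank,ou=people,dc=example,dc=com",
    "userPassword: {MD5}" + "F" * 24,
    "",
    "dn: uid=grace,ou=people,dc=example,dc=com",
    "description: no password set",
    "",
])

UNSALTED_FAST = {"MD5", "SHA", "SHA256", "SHA384", "SHA512"}
SALTED_FAST = {"SMD5", "SSHA", "SSHA256", "SSHA384", "SSHA512"}
SLOW = {"PBKDF2-SHA1", "PBKDF2-SHA256", "PBKDF2-SHA512", "ARGON2"}
# $id$[rounds=N$]salt$hash for md5crypt (1), sha256crypt (5), sha512crypt (6)
CRYPT_RE = re.compile(r'^\$(1|5|6)\$(?:rounds=\d+\$)?([^$]*)\$')


def expected_salt_len(salt_format):
    """Salt length that a crypt salt format such as "$6$%.12s" produces: the
    precision of the %.Ns conversion. None when the format has no precision."""
    m = re.search(r'%\.(\d+)s', salt_format)
    return int(m.group(1)) if m else None


def classify(value, salt_format='$6$%.12s'):
    """Return (scheme, verdict) for one userPassword value."""
    m = re.match(r'\{([A-Za-z0-9-]+)\}(.*)', value, re.S)
    if not m:
        return "none", "weak: no scheme prefix, stored in the clear"
    scheme, body = m.group(1).upper(), m.group(2)
    if scheme == "CLEARTEXT":
        return scheme, "weak: stored in the clear"
    if scheme in UNSALTED_FAST:
        return scheme, "weak: unsalted single-round hash"
    if scheme in SALTED_FAST:
        return scheme, "upgrade: salted but single-round hash, cheap to brute-force"
    if scheme in SLOW:
        return scheme, "ok: iterated hash"
    if scheme == "CRYPT":
        cm = CRYPT_RE.match(body)
        if cm is None:
            if body.startswith("$2"):
                return scheme, "ok: bcrypt"
            return scheme, "weak: traditional DES crypt (8-character password limit)"
        kind, salt = cm.group(1), cm.group(2)
        if kind == "1":
            return scheme, "weak: md5crypt"
        name = "sha512crypt" if kind == "6" else "sha256crypt"
        want = expected_salt_len(salt_format)
        if want is not None and len(salt) < want:
            return scheme, "upgrade: %s with a %d-character salt, shorter than the configured %d" % (name, len(salt), want)
        return scheme, "ok: " + name
    return scheme, "unknown scheme, check manually"


def audit_ldif(text, salt_format='$6$%.12s'):
    """Walk an LDIF export and return [(dn, scheme, verdict)] for every entry
    that carries a userPassword, handling the 'userPassword:: base64' form."""
    report, dn = [], None
    for raw in text.splitlines():
        if raw.startswith("dn: "):
            dn = raw[4:]
        elif raw.startswith("userPassword:: "):
            value = base64.b64decode(raw[len("userPassword:: "):]).decode("utf-8", "replace")
            report.append((dn,) + classify(value, salt_format))
        elif raw.startswith("userPassword: "):
            report.append((dn,) + classify(raw[len("userPassword: "):], salt_format))
    return report


if __name__ == "__main__":
    for dn, scheme, verdict in audit_ldif(SAMPLE_LDIF):
        print("%-45s %-8s %s" % (dn, scheme, verdict))
```

Entries reported as "weak" or "upgrade" are rehashed automatically the next time the user changes their password through the server, since olcPasswordHash applies to Password Modify operations; values written directly into userPassword bypass it, which is one more reason to let the server do the hashing.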
hines
only need a copy of the CA cert to verify trust.
Andrew
ou have the basic service working you can start thinking about ACLs.
You may then want to define an account for your Linux client machines to use
when accessing LDAP so that you don't have to give anon access to your data.
Andrew
tribute (e.g. if the new one is mixed case
and the existing one is all upper case).
It would still be wise to load the data through LDAP rather than using
slapadd, but the process will be much slower.
How many entries do you have? Do you run multiple LDAP servers?
Andrew
_host: lines.
Andrew
!
There are opportunities for commercial sponsorship that will be of
interest to companies working in related areas. See
http://ldapcon.org/2015/?page_id=101 for details.
Andrew Findlay
Conference Chairman
Thanks to our sponsors for their support.
Our first Platinum sponsor: Symas http
ing like iconv to process the command-line args
and input files:
iconv --from-code=CP1250 --to-code=UTF-8 /path/to/inputfile
Andrew
run an instance of it on every client
machine if you need to.
Andrew
client during testing.
Andrew
if run on a server that has a heavy write load at the
time.
Andrew
Network Working Group
of the
mailing list as well as the address of the list. The Postfix LDAP README
has some ideas about how you might set this up:
http://www.postfix.org/LDAP_README.html#example_group
Andrew
the list. If the MTA cannot do this two-stage process itself,
you could consider using the dynlist overlay in slapd to collect
the members' mail addresses into the group entry itself.
Andrew
nscd. It is not helpful when sssd is in use, and can
cause great confusion and problems of its own.
Andrew
or CentOS mailing list or forum.
Andrew
transaction to
finish and report back before queuing the next one...
Andrew
.
Andrew
with sensible values to work with
then you will have to maintain a parallel or overlay directory service. There are
several ways to do that, so let's start by establishing what you have!
Andrew
attributes that you want to use.
LDAP does not support 'present but empty' attributes, so there must
be a non-null value in each MUST attribute.
Andrew
/2015/
Contacts
General enquiries: enquir...@lists.ldapcon.org
Paper/Tutorial submissions:submissions2...@lists.ldapcon.org
trivial BEFORE doing the tests.
Andrew
On Fri, Feb 06, 2015 at 10:42:45AM +0530, Bharath K wrote:
To: Andrew Findlay andrew.find...@skills-1st.co.uk
Please keep your replies on-list so that others with similar problems
can learn from the archive.
Subject: Re: plz provide me any simple authentication code in ldap
i configured
, and by the olcLogLevel attribute of cn=config if you are using
slapd-config.
File based:
loglevel stats stats2
or in LDIF:
dn: cn=config
...
olcLogLevel: stats stats2
Andrew
to add. It should
be very quick.
Also look at your replication setup. With this sort of data you really
do need delta mode.
Andrew
/Tutorial submissions:submissi...@lists.ldapcon.org
will only probably solve
the problem, why must he update? ;-)
Because until he does, people on this list will assume that the
problem is due to a bug that has already been fixed.
Andrew
libraries. LMDB (database mdb) is highly
recommended.
Andrew
not.
It would be interesting to have more detail on exactly what you did and what
results you found.
Andrew
: limited ACLs, fundamental mismatch in data
model, poor performance and resource usage when compared with back-mdb etc...
Andrew
config so ldaps: will
not work.
Quick test:
ldapmodify -x -h ldap://server/ -W -D 'cn=root,dc=ier,dc=hit-u,dc=ac,dc=jp'
Andrew
one of those interfaces twice.
Note also that you should be using fully-qualified domain names everywhere.
Simple hostnames will not work properly with TLS.
Andrew
DIGEST-MD5 anyway, as it requires
the server to store the password in cleartext rather than hashed.
Andrew
this is not something
to be undertaken until you are more familiar with OpenLDAP.
Andrew
software then hdb may be safer.
Andrew
in the config go through NFS or automount points?
Andrew
databases into LDIF files
then configure new MDB databases and slapadd the data. You will find
that loading MDB with slapadd -q is extremely fast.
Andrew
deprecated for some time now.
I would suggest using MDB.
Andrew
should help you
to isolate the problem.
Andrew
.500 are designed.
Is there any option to prevent it. ?
Use the 'unique' overlay:
http://www.openldap.org/doc/admin24/overlays.html#Attribute%20Uniqueness
Andrew
to fill in those
attributes.
Andrew
to add
the objectclass 'domainRelatedObject' as well.
Andrew
On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:
To: Andrew Findlay andrew.find...@skills-1st.co.uk
Please keep replies on the list so that they become searchable
and everyone can benefit.
here is the diagram depicting what I am thinking about while talking :)
https
on your own institution's allocation,
but that is not critical at this stage.
Andrew
)(authorizedService=smtp))
Your POP3 server would issue searches of the form:
(&(uid=USERNAME)(authorizedService=pop3))
Andrew
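The filters above are built from a username the POP3 or SMTP client supplied. Added example, not code from the message or from any mail server: the Python 3 escaping (RFC 4515 section 3) such a server has to apply before splicing the name into the filter, next to the unescaped version so the effect of an injected value is visible. Function names are my own; the attribute names are the ones from the message.

```python
def escape_filter_value(value):
    """Escape one assertion value for an RFC 4515 search filter. The characters
    with filter syntax ( ) * \\ and NUL must be written as \\XX; non-ASCII and
    control characters are written the same way, byte by byte in UTF-8."""
    out = []
    for ch in value:
        if ch in '\\*()\x00' or ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.extend('\\%02x' % b for b in ch.encode('utf-8'))
        else:
            out.append(ch)
    return ''.join(out)


def naive_service_filter(username, service):
    """The filter from the message built by plain string formatting. Kept only
    to show what user-controlled input does to it: an asterisk or a closing
    parenthesis in the username changes the filter's structure."""
    return '(&(uid=%s)(authorizedService=%s))' % (username, service)


def service_filter(username, service):
    """Same filter with both operands escaped, so the client's input can only
    ever be compared as a literal value and the (authorizedService=...) term
    cannot be bypassed."""
    if not username:
        raise ValueError("refusing to build a filter for an empty username")
    return '(&(uid=%s)(authorizedService=%s))' % (
        escape_filter_value(username), escape_filter_value(service))


if __name__ == "__main__":
    for name in ("alice", "*)(uid=*", "Zo\u00eb"):
        print("naive:  ", naive_service_filter(name, "pop3"))
        print("escaped:", service_filter(name, "pop3"))
```

The naive form with the username "*)(uid=*" turns into (&(uid=*)(uid=*)(authorizedService=pop3)), which matches every entry with a uid; whether that is exploitable depends on what the server does with a multi-entry result and which account it then binds as, so the fix belongs at the filter, not downstream.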
:
http://www.skills-1st.co.uk/papers/ldap-acls-jan-2009/
Andrew
to nearer 12,000 guesses per
second. If your LDAP database gets compromised or someone steals your
backup tapes then that extra protection could be very valuable.
Andrew
).
Andrew
userPassword and uid at the same time.
The LDIF parser will take care of the Base-64 for you as well.
You should be able to do the whole job in less than 20 lines of Perl or Python.
Andrew
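Added Python 3 example of the LDIF-writing half of that job; it is not Andrew's script or anything from the OpenLDAP project. It applies the RFC 2849 rules for when a value has to be base64-encoded (leading space, colon or "<", trailing space, or any NUL, CR, LF or non-ASCII byte), folds long lines with the single-space continuation the format requires, and writes uid, cn, sn and an already-hashed userPassword in one pass. The base DN and users are made up, and the password values are assumed to have come from slappasswd.

```python
import base64


def needs_base64(data):
    """RFC 2849: a value is written in base64 when it starts with SPACE, ':' or
    '<', ends with SPACE, or contains NUL, LF, CR or any byte outside ASCII."""
    if not data:
        return False
    if data[0] in b' :<' or data[-1] == 0x20:
        return True
    return any(b in (0, 10, 13) or b > 0x7f for b in data)


def fold(line, width=76):
    """Wrap a long LDIF line; each continuation line begins with one space."""
    if len(line) <= width:
        return line
    parts, rest = [line[:width]], line[width:]
    while rest:
        parts.append(' ' + rest[:width - 1])
        rest = rest[width - 1:]
    return '\n'.join(parts)


def attr_line(name, value):
    """One attribute line, choosing 'name: value' or 'name:: base64'."""
    data = value if isinstance(value, bytes) else value.encode('utf-8')
    if needs_base64(data):
        return fold('%s:: %s' % (name, base64.b64encode(data).decode('ascii')))
    return fold('%s: %s' % (name, data.decode('ascii')))


def entry(dn, attrs):
    """A complete LDIF record: the dn line (same base64 rule applies to DNs),
    the attribute lines, and the blank line that terminates the record."""
    lines = [attr_line('dn', dn)] + [attr_line(n, v) for n, v in attrs]
    return '\n'.join(lines) + '\n\n'


def user_entries(base, users):
    """Build an LDIF add file from (uid, cn, sn, hashed password) tuples. The
    password value is written as the server would store it, e.g. a {SSHA} or
    {CRYPT} string already produced by slappasswd (assumed, not generated here)."""
    return ''.join(entry('uid=%s,%s' % (uid, base), [
        ('objectClass', 'inetOrgPerson'),
        ('uid', uid),
        ('cn', cn),
        ('sn', sn),
        ('userPassword', pw),
    ]) for uid, cn, sn, pw in users)


if __name__ == "__main__":
    # Constructed sample users; the hash is a placeholder of the right shape.
    sample = [
        ('bob', 'Bob M\u00fcller', 'M\u00fcller', '{SSHA}' + 'B' * 32),
        ('alice', 'Alice Example', 'Example', '{CRYPT}$6$Rz3f9Vt2hQeM$' + 'A' * 86),
    ]
    print(user_entries('ou=people,dc=example,dc=com', sample), end='')
```

Feed the output to ldapadd rather than slapadd when the server is live, as the message above recommends; the writer never needs to know the hash scheme, which keeps that concern inside slapd.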
said that, you still might be able to do substring searches on
some of these attributes by using 'matching rule assertion' rather
than 'attribute-value assertion' forms - see RFC4515.
Andrew
on pwdAccountLockedTime
would be beneficial, but would it help for an acl filter?
An index is very unlikely to make any difference to the ACL
you propose.
Andrew
is in the ldif file.
Andrew
in the Admin
Guide.
Andrew
when extended into swap, I
would expect this to be faster than a normal filesystem as it
does not have to take precautions to recover after a crash.
Andrew
owners to write, nothing to everyone else.
With the change given above, that bit should work.
Andrew
tests.
Andrew