y for BIND operations,
> however the only BIND operations that get recorded are BINDS to the
> LDAP server itself. BINDS to clients do not get recorded in the
> accesslog. Is this the advertised behavior of the accesslog?
Yes, slapd has no knowledge of the system environment.
-Dieter
--
ial
> issues that I'll have to ponder.
It is not PAM but the name service switch nss which can be configured to
use ldap as credentials storage.
-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
d
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> dn: cn=config
> add: olcTLSCertificateFile
> olcTLSCertificateFile: /etc/pki/tls/certs/ldap.crt
Don't rely on third party documentation! Read the manual pages!
In particular ldapmodify(1
. I'm unsure
> where my 'str2entry's are.
>
> Any help is greatly appreciated. Like I said, I had it working just
> fine yesterday, and after a reboot it didn't like something.
Presumably you have mixed up some characters in a schema file.
-Dieter
; resource pig in the extreme, and would prefer to avoid if possible.
>
> If you have this working I would love to see the relevant
> configuration files.
-Dieter
should enable proxy authentication by authz-policy, and
create and define a proxy user as part of ldapdb configuration. In order
to pass mail attribute values instead uid values, you may define
authz-regexp uid=(.*),cn=.*,cn=auth
ldap:///dc=example,dc=com??sub?mail=$1
for this mail attribute must be indexed.
-Dieter
e any way to don't export the operational attributes from
> OL in the above scenario?
RFC 3673 describes an 'All Operational Attributes' mechanism, which is
defined as '+', while an '*' defines all user attributes.
man slapd-config(5) comments in the olcSyncrepl part on default value
'attrs=*,+'. Just define attrs=*
-Dieter
o always set
lastmod off
...
The current implementation automatically sets
lastmod to off, so its use is redundant and should be omitted.
-Dieter
On Tue, 25 Feb 2014 16:03:34 -0300
Italo Valcy wrote:
> Hello Dieter,
>
> On Tue, Feb 25, 2014 at 10:50 AM, Dieter Klünter
> wrote:
>
> > You didn't mention the OpenLDAP version, as actual man slapd-ldap
> > states:
> >
> > In early versions o
On Tue, 25 Feb 2014 18:24:14 -0300
Italo Valcy wrote:
> Hello Dieter,
>
> On Tue, Feb 25, 2014 at 5:05 PM, Dieter Klünter
> wrote:
>
> > No, syncrepl (consumer) does not require operational attributes. Only
> > if the ldap backend is also defined as syncpro
oot,dc=lab,dc=farm"
> rootpw **
> dbname lab
> dbuser ldap
> dbpasswd
> subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
> insentry_stmt "INSERT INTO ldap_entries
> (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
> has_ldapinfo_dn_ru no
There are some solutions
1. define NULL values for suffix, that is suffix ""
2. attach 1 sql database to a subordinate relay database with
additional rwm module and a suffixmassage rule.
-Dieter
a preceding sql database
> serving namingContext ""
>
> Thanks again for such a fast and accurate response
>
> Alan
>
> -Original Message-
> From: openldap-technical-boun...@openldap.org
> [mailto:openldap-technical-boun...@openldap.org] On Behalf Of
ting error:
> Unrecognized database type (bdb) in openldap 2.4.39
>
>
> In order to fix this I added below line in slapd.conf file:
> moduleload back_bdb.la
>
>
> Please help as implementing open ldap is getting crazy now.
Please post the output of ./slapd -VVV
-D
propriate authz-regexp, see man slapd.conf(5)
You may use any sasl mechanism that your sasl framework provides.
[...]
-Dieter
onf file
> configuration?
>
>
> Best regards,
>
>
> Eileen
>
>
> -- Original Message --
> From: "Michael Ströder";
> Sent: Wednesday, March 5, 2014, 4:09 PM
> To: "Dieter Klünter";
> "openldap-technical";
>
> Subject
(=0)
> slapd[44745]: <= check a_dn_pat: users
> slapd[44745]: <= acl_mask: [1] applying add(=arscxd) (stop)
> slapd[44745]: <= acl_mask: [1] mask: add(=arscxd)
> slapd[44745]: => slap_access_allowed: write access denied by
> add(=arscxd) slapd[44745]: => access_allowed: no more rules
>
> What am I missing?
>
access to dn.base=ou=groups,dc=whatever
attrs=entry,children by read
-Dieter
e for creating wild-card certs and sharing
> those out to other servers? The procedure that was used was from
> openssl.org so it was not a fly-by-night weblog.
>
>
>
> What did I miss (besides: a lot)?
>
>
>
> Thanks in advance,
>
>
>
>
cated on
> > openssl.org) then copied that to each client. Is there a step I
> > missed in there?
>
> Yes, you have to create a client certificate for each host, while the
> Common Name must match the FQDN of this host. my blog entry may be of
> help:
>
> htt
ate database files index.txt and
serial.
-Dieter
> -Original Message-
> From: Dieter Klünter [mailto:die...@dkluenter.de]
> Sent: Monday, March 10, 2014 5:12 PM
> To: Borresen, John - 0442 - MITLL
> Subject: Re: TLS QUESTION
>
> Am Mon, 10 Mar 2014 16:55:04 -0400
t myKey.pem
mv newcert.pem host.pem
./CA.pl -verify host.pem
-Dieter
>
> -Original Message-
> From: Dieter Klünter [mailto:die...@dkluenter.de]
> Sent: Tuesday, March 11, 2014 9:31 AM
> To: Borresen, John - 0442 - MITLL
> Cc: openldap-technical@openldap.org
> S
penssl commands to remove the passphrase...but, that's
> not working either.
>
> Any ideas?
That's what 'openssl rsa -in newreq.pem -out myKey.pem'
does. Or else
https://sys4.de/de/blog/2013/08/20/how-create-and-administer-x509-certificate-chains-part-i/
-Diete
nssl.org pages) and would like clarification.
You could create a pkcs12 package, but that would not be recognized,
AFAIK. And there is no configuration parameter for an openssl generated
pkcs12 file.
-Dieter
> -Original Message-
> From: Dieter Klünter [mailto:die...@dkluenter.de]
in place and it still
> prompted me for the passphrase.
Something must be misconfigured, just test
openssl rsa -in cakey.pem -text
this will ask you for a passphrase, while
openssl rsa -in cakey_nopass.key -text
should not ask for a passphrase.
-Dieter
> -Original Message-
I can use subjectAltNames or wildcard
> certificate.
As you know the answer to your question already, just test to find out
which one fits best to your requirements.
-Dieter
entries
with the same attribute value. But if you want to maintain uniqueness
of email addresses, well that's what slapo-unique(5) would provide.
-Dieter
report for Debian, I guess.
Rubbish, have you ever seen a Debian or Ubuntu maintainer posting to
this mailing list?
Actually there is no qualified Debian or Ubuntu maintainer.
-Dieter
w Q&As about this, but I am really trying to understand
> where this issue is originating. Maybe I haven't looked at the right
> one yet. OpenDJ has the ability to utilize it in custom classes,
> so I was hoping to be able to also do the same in OpenLDAP. Thoughts?
man slapo-
or continue
> > is specified)
>
> I posted it before, but will post it again. This is the database
> specific ACL :
>
> database bdb
> suffix "dc=mydomain"
> rootdn "cn=Manager,dc=mydomain"
> rootpw {SSHA}blCAG/CNdFPY597Cf4Ssuj
run slapd in debugging mode and debug level acl
-Dieter
On Tue, 01 Apr 2014 14:25:47 +0200
Jonas Kellens wrote:
>
> On 01-04-14 12:20, Dieter Klünter wrote:
> > On Tue, 01 Apr 2014 11:04:15 +0200
> > Jonas Kellens wrote:
> >
> >> On 01-04-14 10:53, Terje Trane wrote:
> >>> On 01.04.2014 09:58, Jon
Hi,
The OpenLDAP Project will be present at Linuxtag 2014 in Berlin
http://linuxtag.org/2014/
I am looking for volunteers to support the OpenLDAP booth. Prospective
volunteers may contact me.
-Dieter
> now appear with two colons?
>
> I have added more test users and on their entry the uid entry also
> has the double colons with a hashed entry following.
this is the base64 encoded attribute value. The manual page ldif(5)
provides more information.
-Dieter
"Michael Ströder" <mailto:mich...@stroeder.com>;
>
> Sent: Wednesday, March 5, 2014, 4:09 PM
>
> To: "Dieter Klünter" <mailto:die...@dkluenter.de>;
> "openldap-technical" <mailto:openldap-technical@openldap.org>;
>
>
try a ldapsearch it doesn't work , the object class and
> attribute are not re written
This is not a proper modify operation, the syntax is incorrect, see man
ldapmodify.
-Dieter
>
> - How to configure openLdap to return a control when a
> password is about to expire.
>
> - Which java Ldap api should be used to process such a
> control.
http://tools.ietf.org/html/draft-behera-ldap-password-policy-10
man slapo-ppolicy(5)
-Dieter
ewca/newcert).
>
CA.pl -newca
-newreq
-sign
[...]
-Dieter
' under -e and -E options.
> But I cannot figure out what these extensions are.
>
> What is '-e ppolicy' ? and when do you need it?
man ldapsearch(5)
-e = general extended operation
-E = search extended operation
passwordPolicy is a general extended operation
-Dieter
>
> #SIZELIMIT 12
> #TIMELIMIT 15
> #DEREF never
>
> # TLS certificates (needed for GnuTLS)
> TLS_CACERT /etc/ssl/certs/ca.harmonywave.com.pem
> TLS_REQCERT demand
> TLS_CHECKPEER yes
> TLS_CIPHER_SUITE SECUR
s in PEM format. The files each contain one CA certificate.
The files are looked up by the CA subject name hash value, which must
hence be available.
I presume, your directory does not provide c_hashed subject names.
-Dieter
ntries to ldap, it says that "err=17 text=aci:
> attribute type undefined"
>
> Can you please provide schema for aci attribute?
The attribute type is openLDAPaci. The model is based on
http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
-Dieter
On Thu, 15 May 2014 17:48:37 +0200
Dieter Klünter wrote:
> On Thu, 15 May 2014 20:45:04 +0530
> neel wrote:
>
> > Hi,
> > I have compiled and configured OpenLDAP 2.4.39 with ACI.
> >
> > I am trying to integrate one application with LDAP. I have entered
>
> On Thu, May 15, 2014 at 9:18 PM, Dieter Klünter
> wrote:
>
> > On Thu, 15 May 2014 20:45:04 +0530
> > neel wrote:
> >
> > > Hi,
> > > I have compiled and configured OpenLDAP 2.4.39 with ACI.
> > >
> > > I am tr
On Thu, 15 May 2014 19:31:33 +0300
Mike Jackson wrote:
>
> Quoting Dieter Klünter :
> >
> > The attribute type is openLDAPaci. The model is based on
> > http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
> >
>
> Does this FAQ-O-Matic still represe
else agrees with me
> that this is undesirable behaviour. Of course, my patch would be
> submitted for consideration into the project.
If you want to disable logging, just set loglevel 0 in slapd.conf or
olcLogLevel 0 in cn=config
-Dieter
course, is not my goal.
>
> I want my stderr logs, outside of my syslog.
the messages you receive on stdout are debug messages not log messages.
[...]
-Dieter
now if I have to give me more information to nail down
> the issue. Please Please Please someone help me on this. I am badly
> need a solution on this.
slapd has no knowledge of the hashing scheme {SHA2} unless you have
built and included an appropriate module, i.e.
contrib/slapd-modules/passwd/sha2/
-Dieter
he two directories, or if you
> > have to, look towards suggestions made by others (such as using
> > Kerberos V5 Trusted Realm+OpenLDAP; or Samba+OpenLDAP).
> >
> > Best of luck,
> >
> > Stewart
> >
> >
> >
I have all my users under it without any hierarchy (let's say a
> million). How do I distribute them to different OpenLDAP servers
> without hierarchy? Do I use referrals or do I use subordinating?
use syncprov, accesslog and syncrepl.
-Dieter
's own group etc.
> Both of these share the same users.
man slapd.access(5), the field and the field. You may
consider the statement peername.ip.
-Dieter
it works for me,
ldapwhoami -Y EXTERNAL -ZZ -H ldap://
SASL/EXTERNAL authentication started
SASL username: cn=Dieter Kluenter,ou=Partner,o=AVCI,c=DE
SASL SSF: 0
dn:cn=dieter kluenter,ou=partner,o=avci,c=de
You are probably missing the TLS_CACERT parameter in your ~/.ldaprc
Otherwise run slapd in debug level 3.
-Dieter
r.
>
> Has anyone ever used the "dontusecopy" control and if so, would you
> mind terribly telling us how/where you used it?
The php ldap module has not implemented this control.
http://php.net/manual/en/book.ldap.php
You may test the client using ldapsearch(5), read the manual page on
search extensions.
-Dieter
access to *
> by dn.base="cn=admin,dc=mydomain" write
> by * read
>
> ACL rule 4 allows the postmaster to add objects to its "domain"
> without any restrictions. How can I restrict the object creation to
> specific object classes and attributes? Let's say postmaster should
> only be able to add objects like the following:
[...]
man slapd.access(5), the field: @
-Dieter
On Tue, 5 Aug 2014 13:39:13 +0200
Simeon Ott wrote:
> On 05.08.2014, at 11:39, Dieter Klünter wrote:
>
> > On Tue, 5 Aug 2014 09:41:36 +0200
> > Simeon Ott wrote:
> >
> >> […]
> >>by
> >> dn.base,expand="cn=postmaster,ou=$2,ou=
On Tue, 5 Aug 2014 16:26:44 +0200
Simeon Ott wrote:
>
> On 05.08.2014, at 15:00, Dieter Klünter wrote:
>
> > On Tue, 5 Aug 2014 13:39:13 +0200
> > Simeon Ott wrote:
> >
> >> On 05.08.2014, at 11:39, Dieter Klünter
> >> wrote:
> >>
On Tue, 5 Aug 2014 22:41:54 +0200
Simeon Ott wrote:
> On 05.08.2014, at 18:03, Dieter Klünter wrote:
>
>
> can you help me finding the applied rule during the write process of
> an object with uid=1234? I used other objectclasses and attributes,
> which are not in the allo
a problem no ?
>
> Thanks for reply or link to example.
according to my private documentation, slapd has to be built with
-DLDAP_COLLECTIVE_ATTRIBUTES, this information might be outdated.
This is a sample ldif:
dn: cn=office,dc=example,dc=com
objectClass: subentry
objectClass: extensibleO
( uid $ userPassword $ employeeNumber $
> cn $ sn $givenname $ mail $ telephoneNumber $ dc ) )
I don't think that this ancient version ( released 2010/06/30) will
support runtime modification of schemas. But you may try
ldapmodify -b cn={12}uri,cn=schema,cn=config
changetype: modify
replace: objectClasses
objectClasses: {0}(1.3.6.1.4.1.14092 .
-Dieter
d CA list openldap will
> > do it (in this case, how the hostname matching with the subject DN
> > is performed)?
>
> OpenLDAP libldap does server certificate validation according to
> RFC2830 and 4513. It would be a mistake to duplicate that
> functionality and do the valid
looks like:
>
> /afs/home.example.com/users/t/jsmith
>
> We'd like to map it to something along the lines of:
>
> /users/jsmith
>
> If anyone could please point me in the right direction of how to do
> this, I'd be much appreciated.
man slapo-rwm(5)
-Dieter
[...]
> >
> > The external auth part works, and if I replace self with users, that
> > works as well (but is not what I want). Do I expect too much?
>
> Hi,
>
> Would anybody please provide some guidance on this problem?
define an authorization regular expression i
On Mon, 29 Sep 2014 11:24:53 +0200
Ferenc Wagner wrote:
> Dieter Klünter writes:
>
> > On Mon, 29 Sep 2014 00:14:55 +0200, Ferenc Wagner
> > wrote:
> >
> >> Ferenc Wagner writes:
> >>
> >>> I've got a partial syncrepl replica, wh
On Tue, 14 Oct 2014 14:38:13 +0200
Nicolas RENAULT wrote:
> On 07/08/2014 09:09, Dieter Klünter wrote:
> > On Wed, 06 Aug 2014 18:16:07 +0200
> > Nicolas RENAULT wrote:
> >
> >> On 06/08/2014 03:12, Howard Chu wrote:
> >>> Nicolas RENAULT wro
eload sssvlv
> #moduleload pcache
> moduleload collect
> overlay sssvlv
>
> overlay collect
> collectinfo cn=office,dc=example,dc=frl,street
These are not valid module names, thus no module will be included.
Search /usr/lib/openldap/modules for proper module names.
-Dieter
On Mon, 20 Oct 2014 11:33:37 +0200
Nicolas RENAULT wrote:
> On 17/10/2014 23:02, Dieter Klünter wrote:
> > On Fri, 17 Oct 2014 17:40:20 +0200
> > Nicolas RENAULT wrote:
> >
> > [...]
> >
> >>@(#) $OpenLDAP: slapd 2.4.40 (Oct 17 2014 15:08:4
On Tue, 21 Oct 2014 14:35:14 +0200
Nicolas RENAULT wrote:
> On 21/10/2014 09:23, Michael Ströder wrote:
> > Dieter Klünter wrote:
> >> collectiveAttrbibuteSubentry is declared in schema_prep.c. When I
> >> tested collective attributes, a few years ago, slap
On Wed, 22 Oct 2014 18:41:41 +0200
Nicolas RENAULT wrote:
> On 21/10/2014 17:42, Dieter Klünter wrote:
> > On Tue, 21 Oct 2014 14:35:14 +0200
> > Nicolas RENAULT wrote:
> >
> >> On 21/10/2014 09:23, Michael Ströder wrote:
> >>> Dieter Klünter
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
> supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
> supportedLDAPVersion: 3
> entryDN:
> subschemaSubentry: cn=Subschema
> It seems it's no good at all, any help appreciated
> Best regards
An LDAP client should know the server's capabilities in order to connect
in conformance with the protocol. So there is nothing bad about this
search result.
-Dieter
simple or paranoid,
but that is the art of directory management.
-Dieter
user, probably ldap or openldap.
-Dieter
y configured it.
> Feel free to contact me off list if it is more convenient.
Probably OpenLDAP has not been built with static back-mdb but with
back-mdb module. You may check with ./slapd -VVV, this will show all
built-in modules.
-Dieter
On Sun, 2 Nov 2014 05:46:07 -0500
Jerry wrote:
> On Sat, 1 Nov 2014 22:08:38 +0100
> Dieter Klünter wrote:
>
> > On Sat, 1 Nov 2014 14:29:10 -0400
> > Jerry wrote:
> >
> > > I am running OpenLDAP on a FreeBSD-10 amd 64 machine. It is
> > >
On Sun, 2 Nov 2014 08:07:32 -0500
Jerry wrote:
> On Sun, 2 Nov 2014 13:40:56 +0100
> Dieter Klünter wrote:
>
> > On Sun, 2 Nov 2014 05:46:07 -0500
> > Jerry wrote:
> >
> > > On Sat, 1 Nov 2014 22:08:38 +0100
> > > Dieter Klünter wrote:
>
On Sun, 2 Nov 2014 09:59:50 -0500
Jerry wrote:
> On Sun, 2 Nov 2014 14:52:36 +0100
> Dieter Klünter wrote:
>
> > > # Load dynamic backend modules:
> > > modulepath /usr/local/libexec/openldap
> > > moduleload back_bdb
> > > # moduleloa
. How it is compiled
> and what options are available to it may vary from distribution to
> distribution (whether those are linux or *bsd distributions), but
> there is zero to do with FreeBSD vs Linux.
Quanah,
be patient, remember 14-15 years ago we had almost the same questions
and problems.
-Dieter
obably read GnuTLS Docs on this matter, and this blog for
background information.
https://sys4.de/de/blog/2013/09/09/perfect-forward-secrecy-eine-zusammenfassung
-Dieter
ify them, you may
> > completely corrupt/destroy your installation. You should be using
> > ldapmodify, etc, to update the configuration database.
> >
> >
> > --Quanah
> >
> > --
> > Quanah Gibson-Mount
> > Platform Architect
> > Zimbra, Inc
> >
> > Zimbra :: the leader in open source messaging and collaboration
> >
>
you don't. But what you should do is pointing configure and make
to the libsasl2 and sasl.h path. Another hint, configure the dynamic
linker to provide the path to libsasl2.
-Dieter
penSUSE and this distro provides a meta package
openSUSE-devel-basis. You might find something similar on ubuntu.
-Dieter
r client with
strace or similar tools.
-Dieter
ve to access the master
> with ldapsearch -x -H ldap://mail.ier.hit-u.ac.jp -W -D
> 'cn=replicator,ou=Users,dc=ier,dc=hit-u,dc=ac,dc=jp' '(uid=someone)'
> and it works. What is wrong? I really need your help.
The master configuration is wrong. Configuration of slapd.conf has to
follow a defined order, that is:
- global configuration parameters
- global specific overlays parameters
- first database specific configuration parameters
- first database specific overlays configuration parameters
- second database specific configuration parameters
- second database specific overlays configuration parameters
-Dieter
sults Codes, Result 49 is invalid Credentials. There
must be a typo in your syncrepl configuration.
-Dieter
* none
>
>
> When I check the /var/log/debug messages the error in this email
> subject appears. I'm trying to start the service via the invoke-rc.d
> slapd start command, but all it returns is a failed status.
run slapd in debug mode, that is ./slapd -d3, see man slapd(8) for
additional parameters.
-Dieter
ynamic loadable modules, but built-in
modules.
you should run ./configure --help | less, which will show proper build
choices.
-Dieter
problems.
You should set up a test environment prior to migration.
-Dieter
't
> complain about (aren't threads a wonderful invention? ).
>
> So coming to the experts - got a fix at all? Or should I just go back
> to ye olde db backends? At this point I have a db I can't add
> anything to.
[...]
Did you read man slapd-mdb(5), in particular on th
> I'm not sure I follow here. How would this work? I attach gdb to the
> running slapd I get, but if it stops how does that help me? I've only
> had a little bit of experience with gdb...
>
> How would I get a core dump, as well? That sounds like it might be
> more usefu
On Wed, 26 Nov 2014 19:34:49 +1000
Da Rock wrote:
> On 26/11/2014 18:28, Dieter Klünter wrote:
> > On Wed, 26 Nov 2014 10:31:47 +1000
> > Da Rock wrote:
> >
> >> I'm trying to get openldap to play nice with mdb given that it is
> >> the "r
what to put there.
[...]
This is a simplified slapd.conf that may help.
http://pastebin.com/JcDz6Tkh
-Dieter
s defined in slapd.conf(5), section GENERAL DATABASE OPTIONS.
> created the directory
>
> /usr/local/openldap/etc/openldap/slapd.d/cn=config/olcDatabase=
> {1}sociale/olcOverlay={4}chain
There is no need to create a subdirectory of etc/openldap/slapd.d/
[...]
-Dieter
database
will not be allowed to grow beyond this size.
You are still free to resize the database to your requirements.
-Dieter
n't know much about
HSM/smartcards, but if the provided key is an X.509 certificate, then it
would be simple. RFC-4422 describes SASL, if your smartcard provider is
complying with this RFC, then it could be realised.
-Dieter
02 and RFC 5803?
-Dieter
On Tue, 09 Dec 2014 18:46:55 +0100
Michael Ströder wrote:
> HI!
>
> Another packaging decision:
>
> Is building with -DLDAP_CONNECTIONLESS of any real use?
>
> Is there any harm using it?
There should be no harm to compile. Early Samba4 used udp for
transport.
On Wed, 10 Dec 2014 00:01:11 +0100
Michael Ströder wrote:
> Dieter Klünter wrote:
> > On Tue, 09 Dec 2014 18:46:55 +0100
> > Michael Ströder wrote:
> >> Another packaging decision:
> >>
> >> Is building with -DLDAP_CONNECTIONLESS of any real
ction that would be awesome.
namingContext is the buzz word. It seems that your DN you want to
create doesn't match the database suffix.
-Dieter
t; - aborting
[...]
man slapd-sql(5), section 'statement configuration' and section
'metainformation used'.
But you should use sql tools anyhow and write directly to a sql
database, as back-sql is primarily for read operations.
-Dieter
fig [-n 0], but entries [-n 1] still have
> dc=nodomain suffix. How do I change this?
[...]
You should remove the database file, slapcat the config database,
modify the files, delete the old config database and slapadd the
modified database ldif.
-Dieter
ned in
> > the same way like
> > back-mdb. You have to expect that some features (e.g. overlays) you
> > may want
> > to use later do not work the same way.
> >
> > Ciao, Michael.
> >
> >
f.org/html/draft-masarati-ldap-deref-00
This document provides some simple examples.
-Dieter
On Sat, 24 Jan 2015 21:05:02 +0100
Dieter Klünter wrote:
> On Sat, 24 Jan 2015 19:31:44 +0100
> Michael Ströder wrote:
>
> > Leander Schäfer wrote:
> > > I would rather add mailUid and mailGid to my
> > > schema to keep it as low weight as possible. But
On Sat, 24 Jan 2015 23:35:01 +0100
Michael Ströder wrote:
> Dieter Klünter wrote:
> > Dieter Klünter wrote:
> >> [...]
> >> For documentation of deref control see
> >> https://tools.ietf.org/html/draft-masarati-ldap-deref-00
> >> This documen