Laurent Meunier wrote:
> I'm trying to build a ldap query with the current date or the current
> timestamp (something like myAttributeDate >= now()). All solutions I've found
> on Internet require to compute the current date in a script and then build the
> ldap query with the computed date.
>
> U
Philip Colmer wrote:
> 1. UNIX needs group membership to be UIDs and not DNs, so attempts to use a
> class that defines members with DNs are likely to fail.
Nope.
> 3. rfc2307bis has expired so there won't be much (any?) application support
> for it. One of my key criteria when designing how our
Philip Colmer wrote:
> > Nonsense. nss_ldap, nss-pam-ldapd, and nssov all support RFC2307bis.
>
> Just to clarify, then, are you saying that if I use RFC2307bis so that
> I can define a group that built from object classes posixGroup and
> groupOfNames, and I define the membership of that group u
Howard Chu wrote:
> Matteo Perego wrote:
>> Hi,
>> I know that openldap usage behaviour is case insensitive.
>
> False. OpenLDAP conforms to the schema. If an attribute is defined to be
> case-insensitive in the schema, then it will be treated as such. If it is
> defined to be case-sensitive, that
Cyril Grosjean wrote:
> pwdFailureTime should not exist or at least should not increase when
> pwdLockout is false. So it looks to me like a bug, as you mentioned.
I strongly disagree. I don't use password failure lockout but I definitely
want to see pwdFailureTime appear!
> When can we expect it
Clément OUDOT wrote:
> An entry that is not associated to a password policy (and no default
> ppolicy configured) should not own any ppolicy operational attribute.
Why?
'pwdFailureTime' is declared as
NO-USER-MODIFICATION
USAGE directoryOperation
and is not referenced in any object class at
Clément OUDOT wrote:
> 2014-03-01 20:07 GMT+01:00 Michael Ströder :
>
>> Clément OUDOT wrote:
>>> An entry that is not associated to a password policy (and no default
>>> ppolicy configured) should not own any ppolicy operational attribute.
>>
>>
Howard Chu wrote:
> http://arstechnica.com/security/2014/03/critical-crypto-bug-leaves-linux-hundreds-of-apps-open-to-eavesdropping/
>
> Perhaps folks will take us more seriously the next time we say "don't use
> GnuTLS" ... http://www.openldap.org/lists/openldap-devel/200802/msg00072.html
While
Aaron Richton wrote:
> and take a look at some decent examples:
> http://www.openldap.org/lists/openldap-software/200803/msg00237.html
I wonder what this means in the posting mentioned above:
by * none break
Ciao, Michael.
smime.p7s
Description: S/MIME Cryptographic Signature
Dieter Klünter wrote:
> On Wed, 5 Mar 2014 14:38:04 +0800
> "Eileen(=^ω^=)" <123784...@qq.com> wrote:
>> This is Eileen from China SINAP. I am a beginner for openldap soft. I
>> encountered a problem in my study on two LDAP services replication.
>> I have 2 LDAP services, one name LDPA1, the oth
On Wed, 5 Mar 2014 11:33:51 + Rodrigo Coutinho
wrote
> Ok, thank you for the information, but I must confess that I am a bit
> shocked, as that implies I can have a directory full of non compliant
> passwords.
>
> So, that begs the question: How do we prevent this ? What is the
> normal/sta
Pierangelo Masarati wrote:
> In any case, sets are only used in the context of ACL evaluation.
Additionally sets can be used with slapo-constraint.
Ciao, Michael.
Joshua Schaeffer wrote:
> when I run the following ldapsearch I get an error:
>
> jschaeffer@zipmaster07:~$ ldapsearch -LLL -v -D cn=admin,dc=harmonywave,dc=com
> -W -H ldaps://baneling -b uid=jschaeffer,ou=People,dc=harmonywave,dc=com
> ldap_initialize( ldaps://baneling:636/??base )
> Enter LDAP P
Stephan Fabel wrote:
> On Saturday, March 08, 2014 12:17:58 PM Pierangelo Masarati wrote:
>> What functionality? Please define it in compliance with LDAP specs.
>
> I'm asking whether there are any plans to be able to use set syntax in
> similar
> form as defined with the ACL functionality in se
Michael Ströder wrote:
> Stephan Fabel wrote:
>> On Saturday, March 08, 2014 12:17:58 PM Pierangelo Masarati wrote:
>>> What functionality? Please define it in compliance with LDAP specs.
>>
>> I'm asking whether there are any plans to be able to use set syntax
Friedrich Locke wrote:
> I am planning to use OpenLDAP to build my email infrastructure. What
> happens if two users (two entries) hold the same email address?
You're probably looking for slapo-constraint.
Ciao, Michael.
Ulrich Windl wrote:
> When reading, you just say that MDB has some features BDB does not have.
> Does that make BDB obsolete technology? I think it depends on the user's
> demands.
IMO today MDB meets user's demands much better than BDB for various reasons
already mentioned here. No need to discus
Florian Weimer wrote:
> Multiple concurrent writers are nice on paper, but probably are not
> worth the complexity for an in-process database.
Your statement sounds a bit like "640 kByte RAM is enough for everybody" or
similar famous misunderstandings in the IT history already proven to be false.
Christian Kratzer wrote:
> On Thu, 20 Mar 2014, Howard Chu wrote:
>
>> "POISSON Frédéric" wrote:
>>> Hello,
>>>
>>> I'm trying to build mdb tools (mdb_stat and mdb_copy inside
>>> libraries/liblmdb
>>> directory) on a Solaris 10 SPARC operating system with OpenLDAP 2.4.39.
>>>
>>> Is there some r
Emmanuel Dreyfus wrote:
> On Mon, Mar 24, 2014 at 10:11:40AM +0100, Christian Kratzer wrote:
>> This is another situation in which it would be nice to be able to disallow
>> any ldap connections to a consumer while it is in the initial sync phase.
>
> Any client should be denied during this phase
Christian Kratzer wrote:
> I remember a discussion some time ago about the possibility of delaying access
> to a syncrepl. consumer during the initial DIT load.
>
> I seem to recall there was discussion in possibly adding such a feature but
> my google foo is lacking and I cannot find the discussi
Howard Chu wrote:
> Christian Kratzer wrote:
>>
>> I remember a discussion some time ago about the possibility of delaying
> access to a syncrepl. consumer during the initial DIT load.
>
> http://www.openldap.org/lists/openldap-bugs/201308/msg00043.html
>
> Feel free to experiment with it and see
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Christian Kratzer wrote:
>>>>
>>>> I remember a discussion some time ago about the possibility of delaying
>>> access to a syncrepl. consumer during the initial DIT load.
>>
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Howard Chu wrote:
>>>>> Christian Kratzer wrote:
>>>>>>
>>>>>> I remember a discussion some time ago about the possib
Brad Hartlove wrote:
> I have been trying to include the memberOf attribute in a new objectClass.
> If I just set it to "MAY" (for example), it complains about using an
> operational attribute in my definition. I have seen quite a few Q&As about
> this, but I am really trying to understand where t
Brad Hartlove wrote:
> The core problem is why can I not add the operational attribute
> to my custom objectclass.
Operational attributes are simply not normal user attributes.
If your LDAP client is supposed to alter an attribute via LDAP it has to be a
user attribute. Period.
Ciao, Michael.
On Tue, 01 Apr 2014 17:21:16 +0300 "Zeus Panchenko" wrote
> I use filter:
> "(&(objectClass=dhcpHost)(dhcpStatements=fixed-address 10.0.0.222))"
>
> and receive empty result ...
Did you change the indexing configuration for attribute 'dhcpStatements'?
Ciao, Michael.
On Tue, 01 Apr 2014 18:54:22 +0300 "Zeus Panchenko" wrote
> Michael Ströder wrote:
> > > I use filter:
> > > "(&(objectClass=dhcpHost)(dhcpStatements=fixed-address 10.0.0.222))"
> > >
> > > and receive empty result ...
>
Zeus Panchenko wrote:
> Michael Ströder wrote:
>
>> I rephrase my question:
>> Did you change the indexing configuration for attribute 'dhcpStatements'
>> *after* adding/modifying the entries?
>
> no, I didn't
>
>> If yes, then see th
Mitchell Im wrote:
> The OpenLDAP proxy works if it
> connects to the backend LDAP server via ldap://. The OpenLDAP proxy does
> *not* work if it connects to the backend LDAP server via ldaps://, though.
> What am I missing?
>
> This is on CentOS 6.5, packages openldap-servers-2.4.23-34.el6_5.1.x8
Zeus Panchenko wrote:
> Michael Ströder wrote:
>
>> Because there's no SUBSTR matching rule defined for 'dhcpHWAddress'
>
> so, there is no way to ldapsearch by that attribute except `*' ?
You should really make yourself familiar with the variou
Jean-Marc Choulet wrote:
> I want to convert my client (ADSI and C++) to use OpenLDAP. I know I must
> encode the unicodePwd. With ADSI, Microsoft gives me some functions to do
> that. How can I do the same thing from OpenLDAP?
The best way of setting a password is to use the LDAP Password Modify E
On Wed, 9 Apr 2014 09:38:29 -0400 David Arroyo wrote
> This question may be better asked in the NSS mailing list. Feel
> free to let me know if that is the case.
>
> I'm building a service based around OpenLDAP and SASL EXTERNAL
> authentication using client certificates. One of requirements is
>
On Thu, 10 Apr 2014 11:36:50 +0100 Philip Colmer
wrote
> Given that pwdHistory is read-only and therefore I cannot delete those
> entries, does anyone have any suggestions on how I can persuade OpenLDAP to
> forget those old passwords?
You can remove this attribute by using the relax rules contro
Mike Jackson wrote:
> OCSP is, IMO, far preferable because it can perform delta CRL checking
> behind the scenes, removes the need to implement delta CRL checking in the
> clients, simplifies your certificate profiles, and is overall better for
> the network for a few reasons.
Such a general state
ML mail wrote:
> On my already existing OpenLDAP server I would like to add an attribute in
> order to store SSH RSA host keys. Currently there are no such attributes
> (for example: sshRSAHostKey) in any standard schemas.
>
> What would be the best strategy to add this attribute to my OpenLDAP
>
Mike Jackson wrote:
>
> On 16 Apr 2014, at 19.46, Michael Ströder wrote:
>
>> ML mail wrote:
>>> On my already existing OpenLDAP server I would like to add an attribute in
>>> order to store SSH RSA host keys. Currently there are no such attributes
>>
Stephan Fabel wrote:
> On 04/16/2014 11:20 AM, Michael Ströder wrote:
>> It's quite usual nowadays to use this when dealing with SSH keys in LDAP
>> entries:
>>
>> https://code.google.com/p/openssh-lpk/
>
> Found this in sshd_config(5):
>
>
Paul B. Henson wrote:
> We're testing the ppolicy module for the purposes of enabling account
> lockout on our ldap infrastructure. During initial testing, I noticed
> that it didn't seem to be catching all of the failed logins, and then
> realized that the pwdFailureTime attribute in which they ar
Paul B. Henson wrote:
> Even without any active policies defined, the ppolicy overlay starts
> generating and replicating pwdFailureTime entries, and any replication
> consumer without the module also loaded breaks and stops replicating.
> I'm not sure what use it is to maintain pwdFailureTime entr
Julien Courtès wrote:
> Hi,
> I want to disable an account without deleting information about it.
> This account is linked with some services such as Owncloud, ftp
> authentication, samba, linux auth and ssh auth.
> Is there a way to disable the account for all the services?
> I know that
Paul B. Henson wrote:
> Reviewing current time handling code, while lutil_parsetime understands
> and can parse a generalized time that includes fractions of a second,
> there doesn't seem to be any code that can generate a generalized time
> string including fractions of a second, in particular to
Paul B. Henson wrote:
>> From: Michael Ströder
>> Sent: Sunday, April 27, 2014 11:27 PM
>>
>> Sometimes it's handy to see when people had failed logins even if you
> don't
>> apply lockout policy.
>
> It would be even more handy to be able to rol
Paul B. Henson wrote:
> But it would be a lot simpler if you could load the password policy module
> and have it not actually try to replicate anything until it's actually
> configured with a policy.
AFAICS nothing prevents you from loading the schema first on all replicas.
And after that load the
Paul B. Henson wrote:
>> From: Michael Ströder
>> Sent: Tuesday, April 29, 2014 12:50 PM
>>
>> AFAICS nothing prevents you from loading the schema first on all replicas.
>> And after that load the overlay.
>
> The attribute in question is not defined in t
Howard Chu wrote:
> Clément OUDOT wrote:
>> You could also use alias if the application supports them. With LSC
>> (http://lsc-project.org) it is really is to create a synchronization task
>> that
>> will create aliases in a new branch.
>
> That is a horrible suggestion, for multiple reasons. E.g
Dieter Klünter wrote:
> On Wed, 30 Apr 2014 14:56:41 -0600
> Thierry Thelliez wrote:
>>
>> Looking at the test source code of 2.4.39 for the ppolicy script, I
>> can see the ldapsearch is using a '-e ppolicy' option. The man page
>> for ldapsearch lists 'general extensions' under -e and -E opt
Michael Ströder wrote:
> Paul B. Henson wrote:
>>> From: Michael Ströder
>>> Sent: Tuesday, April 29, 2014 12:50 PM
>>>
>>> AFAICS nothing prevents you from loading the schema first on all replicas.
>>> And after that load the overlay.
>>
>>
Paul B. Henson wrote:
>> From: Michael Ströder
>> Sent: Friday, May 02, 2014 4:21 AM
>>
>> If just add "moduleload ppolicy" to your slapd.conf (or similar action for
> [...]
>> In a second step you have to add "overlay ppolicy" to the databa
Michael Ströder wrote:
> It would be nice if one could explicitly exclude attributes with parameter
> 'attrs' though. This would allow to work around an issue with slapo-allowed in
> a MMR setup...
With example:
http://www.openldap.org/its/index.cgi?findid=7847
Ciao, Mic
Paul B. Henson wrote:
>> From: Michael Ströder
>> BTW: AFAIK write operations to 'pwdFailureTime' are normally not
>> replicated.
>
> Hmm, in my initial testing, it seemed to be.
The attribute is replicated when the entry is replicated as a whole (e.g.
during i
Paul B. Henson wrote:
>> From: Quanah Gibson-Mount
>> Sent: Wednesday, May 07, 2014 5:58 PM
>>
>> I've filed an ITS on the issue and will see if I can replicate it in our
> lab. This
>> looks exactly like what I am seeing as well. Howard may be able to provide
>> some gdb actions he would like to s
HI!
Still trying to optimize a bunch of set-based ACLs I wonder whether the
(possibly heavy-weight) set-clauses in the part are evaluated only in
case of an actually matching part.
Any hint is appreciated.
Ciao, Michael.
Howard Chu wrote:
> Michael Ströder wrote:
>> Still trying to optimize a bunch of set-based ACLs I wonder whether the
>> (possibly heavy-weight) set-clauses in the part are evaluated only in
>> case of an actually matching part.
>>
>> Any hint is appreciated.
>
Seshadri, Anitha wrote:
> I would like to open a discussion with OpenLDAP team.
Please don't spam all these e-mail addresses.
openldap-technical@openldap.org is sufficient for asking OpenLDAP usage
questions.
> We are currently using OpenLdap 2.4.16 version on Win 64 .We are using RSA
> and MES
Mike Jackson wrote:
> Quoting Christian Kratzer :
>>
>> as has been said before several times. There is no reason to lose your
>> ability to put your configs into version control when you move to cn=config.
>>
>> - You can check the output from slapcat -n0 into your vcs.
>
> "You" in my message r
Brett @Google wrote:
> But can we reliably create the slap.d config file with deployment scripts
> directly, as it also seems to just be text.
That's *not* the official way of doing it. The general recommendation on this
mailing list has always been not to touch the LDIF files in slapd.d/ directly
Mike Jackson wrote:
> I have built a fully automated installation system directly using cn=config. I
> have a file called config.ldif which contains a lot of %%MACROS%% and a tiny
> perl script that replaces those macros with actual values depending on the
> details of the particular installation.
Mike Jackson wrote:
> So before you all go blowing smoke out of your asses, Stroeder, that includes
> you, too, it might be wise not to underestimate with whom you are speaking.
Well, judging from your postings my impression of your analytical skills are
pretty precise.
Ciao, Michael.
Mike Jackson wrote:
>
> Quoting Michael Ströder :
>
>> When using slapadd to fully load cn=config you have to stop your slapd during
>> that. So this is definitely *not* how cn=config is supposed to be operated.
>> Also when mucking directly with the LDIF you
Howard Chu wrote:
> Michael Ströder wrote:
>> Mike Jackson wrote:
>>> I have built a fully automated installation system directly using
>>> cn=config. I
>>> have a file called config.ldif which contains a lot of %%MACROS%% and a tiny
>>> perl script
Mike Jackson wrote:
> Quoting Michael Ströder :
>
>> *You* clearly don't understand what the discussion is all about.
>> And you're arguing with contradictions.
>
> Either you are wilfully dense, or your grasp of the English language hasn't
> quite reac
neel wrote:
> I am trying to integrate one application with LDAP. I have entered all
> settings. Authentication is working fine. Only thing when it tries to add
> some entries to ldap, it says that "err=17 text=aci: attribute type
> undefined"
Could you please elaborate on this particular client
Mike Jackson wrote:
> would like to be able to dynamically adjust logging levels on a per-server
> basis
If you use back-monitor this particular functionality could also be achieved
by tweaking attribute 'managedInfo' in entry cn=Log,cn=Monitor.
The admin guide is not really clear on this becaus
Howard Chu wrote:
> Mike Jackson wrote:
>>
>> Quoting Dieter Klünter :
>>>
>>> The attribute type is openLDAPaci. The model is based on
>>> http://tools.ietf.org/html/draft-ietf-ldapext-acl-model-08
>>>
>>
>> Does this FAQ-O-Matic still represent the current situation regarding
>> the semantics and
Mike Jackson wrote:
>
> Quoting Michael Ströder :
>
>> Mike Jackson wrote:
>>> would like to be able to dynamically adjust logging levels on a per-server
>>> basis
>>
>> If you use back-monitor this particular functionality could also be achieved
>
neel wrote:
> I am using HPCC and I am integrating it with openldap. In that when I start
> one component I.e. mydali server. It throws this error.
I don't know HPCC. Is it this one?
https://track.hpccsystems.com/browse/HPCC-7999
Ciao, Michael.
Brendan Kearney wrote:
> adding new entry "cn=64.89.32.0,c=US,ou=GeoLocation,dc=bpk2,dc=com"
> ldap_add: Other (e.g., implementation specific) error (80)
> additional info: entry store failed
Anything wrong with ownership/permissions of the DB files?
Ciao, Michael.
Tuc wrote:
> We're having an issue with a slightly older version of openldap. (2.4.23-26 on
> CentOS). Using Apache Directory Studio I do a search:
>
> "(objectclass=person)" on a search base of "ou=People,dc=example,dc=com"
>
> This should be the easiest and simplest search in the world. However
Tuc wrote:
> Is there some way I can modify the query to only get ones that would look
> like :
>
> dn: uid=tuc,ou=People,dc=example,dc=com
> objectClass: radiusprofile
> objectClass: pwmUser
> objectClass: top
> VVV
> objectClass: person
> ^^^
> objectClass: posix
Paul B. Henson wrote:
>> From: Michael Ströder
>> Wir können ja auch auf Deutsch schreiben.
>> Dann habe ich den Vorteil der Muttersprache.
>
> Was auf der Erde haben die Menschen tun, bevor Google übersetzen?
They hired better translators. ;-)
> So your native
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Michael Ströder wrote:
>>>> Mike Jackson wrote:
>>>>> I have built a fully automated installation system directly using
>>>>> cn=config. I
>>>>> have a f
Howard Chu wrote:
> Michael Ströder wrote:
>> Tuc wrote:
>>> Is there some way I can modify the query to only get ones that would look
>>> like :
>>>
>>> dn: uid=tuc,ou=People,dc=example,dc=com
>>> objectClass: radiusprofile
>>> ob
Tuc wrote:
> On 2014-05-16 13:42, Quanah Gibson-Mount wrote:
>> --On May 16, 2014 at 10:02:04 AM -0700 Howard Chu wrote:
>>
>>> But you could, of course, filter on
>>> (&(objectclass=person)(!(objectclass=inetorgperson))) if you wanted.
>>
>> (&(objectclass=person)(!(objectclass=inetorgperson))(!(
Howard Chu wrote:
> You need to actually use microseconds, since the time-increment is only unique
> on the local server and will not guarantee uniqueness in a replication
> scenario.
'pwdFailureTime' gets replicated?
Ciao, Michael.
Christian Kratzer wrote:
> Hi,
>
> On Sat, 24 May 2014, Michael Ströder wrote:
>
>> Howard Chu wrote:
>>> You need to actually use microseconds, since the time-increment is only
>>> unique
>>> on the local server and will not guara
Paul B. Henson wrote:
> On Fri, May 23, 2014 at 08:51:02PM -0700, Howard Chu wrote:
>
>> The *failure* occurred at that instant, not at the instant the request was
>> received. It is simply a matter of correctness.
>
> For my purposes, it doesn't really matter whether the bind is considered
> to
Howard Chu wrote:
> Michael Ströder wrote:
>> Paul B. Henson wrote:
>>> On Fri, May 23, 2014 at 08:51:02PM -0700, Howard Chu wrote:
>>>
>>>> The *failure* occurred at that instant, not at the instant the request was
>>>> received. It is simply a
Nicolas Cauchie wrote:
> Here's the piece of code I've written. It's not complex, but have to think about
> those ":" and "::".
>
> USER_CITY2="$(ldapsearch -LLL -C -x \
> -h $VAR_DC \
> -b $VAR_SEARCHBASE \
> -D $VAR_BINDER \
> -w $VAR
HI!
Does the on-disk-format of back-mdb depend on which LDAP syntax is used for an
attribute?
So if the LDAP syntax for an existing attribute would change I have to
reimport the MDB?
Background:
I've changed (as a work-around for a broken client software) the LDAP syntax of
a custom attribu
Mark Henning wrote:
> I am in the process of building an LDAP schema which has a number of
> attributes which will be constrained to specific values. I have run into
> an issue where slaptest will build the ldif file without syntax errors, but
> when slapd starts up it can't find the X-ENUM syntax
Howard Chu wrote:
> Michael Ströder wrote:
>> Does the on-disk-format of back-mdb depends on which LDAP syntax is used for
>> an
>> attribute?
>
> In multiple ways. Indexing depends on the syntax and matching rule, but you
> already mentioned no indexing here. A
Michael Ströder wrote:
> Example entry created with msTestAttributeType3 declared as Boolean:
>
> dn: uid=test,dc=example,dc=com
> msTestAttributeType2: foo
> msTestAttributeType3: TRUE
> objectClass: account
> objectClass: msTestObjectClass2
> uid: test
>
>
Charles Bueche wrote:
> I have noticed the same issue when talking to an AD server (very recent
> version, I think 2012 or so). In fact, I think either AD or ldapsearch
> is encoding the values in Base64. I will soon know more because I
> will start to use the results in a real app. Maybe we
Howard Chu wrote:
> Pierangelo already gave the right answer here - write a piece of C code that
> registers OIDs for the matching rules you want and load it as a dynamic
> module. There are many modules in contrib/slapd-modules in the source tree.
How about implementing the generic X-SUBST dummy
Paul B. Henson wrote:
> On Mon, Jun 16, 2014 at 12:23:55PM -0700, Paul B. Henson wrote:
>
>> Cool, much appreciated. Any chance of backporting it to RE24?
>
> Never mind, Quanah told me off list he'd pulled it back to RE24.
>
> Thanks again for merging it.
Great! It works!
Thanks to all for wor
Hallvard Breien Furuseth wrote:
> On 06/11/2014 08:41 AM, Jan Synacek wrote:
>> Is it intentional? If yes, could you please explain why, or point me to
>> a documentation where I can find the answer?
>
> It's the program's first call to libldap, so libldap needs to
> initialize itself. I guess it
Eivind Olsen wrote:
> 53ac30ff slapd starting
> 53ac30ff slap_client_connect: URI=ldap://ldap01-testing.aminor.no
> DN="cn=replicator,ou=admins,ou=internal,o=aminor" ldap_sasl_bind_s failed
> (49)
> 53ac30ff do_syncrepl: rid=005 rc 49 retrying (4 retries left)
49 is "invalidCredentials".
Likely e
Howard Chu wrote:
> Howard Chu wrote:
>> Clearly you have a mistake in the password of one of these two lines, because
>> if they were identical they would be identical in length, but they wrap the
>> "refreshAndPersist" in two different positions.
>>
> PS: Most mistakes are obvious if you actually
Kaushal Shriyan wrote:
> Is there any document or writeup regarding setup of Master Master Openldap
> application?
> Do I need to go with setup of Master Master or Master Slave openldap
> replication? Please advise which approach I should follow and help me
> understand with some use cases.
http:
Howard Chu wrote:
> Clément OUDOT wrote:
>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini
>> <rarondini.parady...@gmail.com>:
>>
>> Hi folks,
>>
>> I need to implement password sync between AD and OpenLDAP using an IDM
>> tool.
>>
>> I want to know how to capture clear text
Howard Chu wrote:
> Michael Ströder wrote:
>> Howard Chu wrote:
>>> Clément OUDOT wrote:
>>>> 2014-07-04 14:57 GMT+02:00 Rogério Augusto Rondini
>>>> <rarondini.parady...@gmail.com>:
>>>>
>>>> Hi folks,
>>>
Liam Gretton wrote:
> On 08/07/2014 05:28, Adam Goryachev wrote:
>> I've been messing with LDAP for the past couple of days, and following
>> various online tutorials on how to create an addressbook for Thunderbird
>> in openldap.
>
> [...]
>
>> However, thunderbird doesn't seem to have any sma
Mladen Sekara wrote:
> Just out of curiosity, is there a way to have host,group,users defined
> in ldap, so each host uses the same base dn, but depending on host/group
> in ldap, only groups that are assigned to that host will be available?
I have defined a custom schema and a bunch of set-based Op
Marco Pizzoli wrote:
> yes but leveraging the "copytruncate" option of logrotate. So you don't
> have to worry about the open state of the file.
Truncating in the middle of a LDIF record would be a bad idea...
Ciao, Michael.
On Fri, 01 Aug 2014 09:06:50 +0200 "Ulrich Windl"
wrote
> monitorConnectionStartTime: 1970010100Z
> monitorConnectionActivityTime: 1970010100Z
>
> Is it a bug that Start and Activity time are both unset? If the reads and
> writes of the connection can be counted, the timestamps could be u
Howard Chu wrote:
> Use the correct attributeType - "olcObjectClasses" - pay attention to what
> you're doing, this should have been obvious.
>
> Don't use replace, that will delete all the values.
Yepp.
> Use delete/add of the specific value.
I'd recommend to use a decent LDAP client. ;-)
In
Andrew Devenish-Meares wrote:
> We are currently assessing changing our TLS Certificate setup.
>
> We have been using a self-signed CA to issue certificates for our
> OpenLDAP setup, which has required us to supply the CA to anyone outside
> our organisation that wishes to use our OpenLDAP over
HI!
I have a replication topology with providers running with MMR and a layer of
r/o consumers..
- spread across three data centers
- in two different countries (DE and foreign country)
Network traffic between the countries has higher latency so consumers are only
accessing providers within the s
Forgot this info:
OpenLDAP 2.4.39 with back-mdb
syncrepl:
refreshAndPersist with keepalive set,
authc with SASL/EXTERNAL based on TLS client certs
On Fri, 15 Aug 2014 12:21:30 +0200 "Michael Ströder"
wrote
> HI!
>
> I have a replication topology with providers running with