<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns="http://purl.org/rss/1.0/" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:syn="http://purl.org/rss/1.0/modules/syndication/" xmlns:admin="http://webns.net/mvcb/">
  <channel rdf:about="http://blog.gmane.org/gmane.comp.ldap.umich">
    <title>gmane.comp.ldap.umich</title>
    <link>http://blog.gmane.org/gmane.comp.ldap.umich</link>
    <description/>
    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>1</syn:updateFrequency>
    <syn:updateBase>1901-01-01T00:00+00:00</syn:updateBase>
    <items>
      <rdf:Seq>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3223"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3218"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3217"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3190"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3179"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3177"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3174"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3157"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3155"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3151"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3150"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3149"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3147"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3138"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3136"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3133"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3132"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3129"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3124"/>
        <rdf:li rdf:resource="http://comments.gmane.org/gmane.comp.ldap.umich/3122"/>
      </rdf:Seq>
    </items>
    <image rdf:resource="http://gmane.org/img/gmane-25t.png"/>
    <textinput rdf:resource=""/>
  </channel>
  <image rdf:about="http://gmane.org/img/gmane-25t.png">
    <title>Gmane</title>
    <url>http://gmane.org/img/gmane-25t.png</url>
    <link>http://gmane.org</link>
  </image>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3223">
    <title>Help</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3223</link>
    <description>Dear,

I am new to LDAP. I am configuring OpenLDAP as a domain controller; my
clients are also working fine, but my OpenLDAP users cannot change their own
passwords. Please help me with this problem.


</description>
    <dc:creator>Akhil Bhardwaj</dc:creator>
    <dc:date>2008-12-02T07:26:41</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3218">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3218</link>
    <description>Hello again,

in my first email there was a copy-paste error.

The dn of the teams are also of the format
dn=&lt;teamname&gt;,ou=teams,dc=example,dc=com

any help appreciated....GERD....



</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:14:48</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3217">
    <title>newbie question: how to put company structure to ldap</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3217</link>
    <description>Hello,

I'm going to create an LDAP directory for the company to have a central
place for user administration.
I've started with an example found on the web. First of all I created
the top level dc=example,dc=com and the manager
(cn=manager,dc=example,dc=com).
Afterwards I created 2 organizational units:
ou=persons
ou=teams
and filled them with content (see at bottom of the email).

I'm in doubt if this is the correct way to build the directory and
"connect" each user to its team. I only set the "ou=" property of each
person to its teamname, and added one "member=" entry for each person to
the team-object. I'm not happy with such setting.

What if a person changes the team, do I have to update the person's
"ou=" and the "member=" section of the teams ??

Is this really the way to implement such a company-&gt;team-&gt;person hierarchy ?

any help appreciated....GERD....

dn: cn=Tinky Winky,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Tinky
cn: Tinky Winky
uid: twinky
userpassword: twinky
ou: support

dn: cn=Dipsy,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Dipsy
cn: Dipsy
uid: dipsy
userpassword: dipsy
ou: support

dn: cn=Laa Laa,ou=people,dc=example,dc=com
objectclass: inetOrgPerson
sn: Laa
cn: Laa Laa
uid: laa
userpassword: laa
ou: marketing

## team MARKETING
dn: cn=marketing,ou=teams,dc=transporeon,dc=nil
objectclass: groupofnames
cn: marketing
description: team marketing
member: cn=Laa Laa,ou=people,dc=transporeon,dc=nil

## team SUPPORT
dn: cn=support,ou=teams,dc=transporeon,dc=nil
objectclass: groupofnames
cn: support
description: team support
member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
member: cn=Dipsy,ou=people,dc=transporeon,dc=nil




</description>
    <dc:creator>Gerd König</dc:creator>
    <dc:date>2008-10-21T06:01:25</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3190">
    <title>LDAP Error 32 v/s Empty Result Set</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3190</link>
    <description>Hi All,

Is it standard behavior for an LDAP server to respond with (LDAP Error
32) when a query is run that has no match?

I tried a zero result query with the embedded LDAP Server (that comes
with WebLogic). This query does not return LDAP Error 32, it just
returns an empty result set.

Code snippet:
~~~~
int ldapVersion   = LDAPConnection.LDAP_V3;
int ldapPort      = 27001;
String ldapHost   = "fesbosbgdd33v3";
String loginDN    = "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
String password   = "password masked";
String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
String searchFilter = "(&amp;(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomain)(objectclass=groupOfUniqueNames))";
~~~~

Code output:
~~~~
searchResults.getCount() = 0
~~~~

The same kind of query against another LDAP interface (Oracle Virtual
Directory) returns LDAP Error 32. 
~~~~
searchResults.getCount() = 0
Error: LDAPException: No Such Object (32) No Such Object
LDAPException: Server Message: LDAP Error 32 : No Such Object
LDAPException: Matched DN: 
~~~~
 
I tried all kinds of queries (valid, invalid, meaningless) against the
embedded LDAP, and each succeeded with either no result or the correct
result.

Please advise,
Sharad



</description>
    <dc:creator>Agarwal, Sharad</dc:creator>
    <dc:date>2008-10-15T14:57:02</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3179">
    <title>ANNOUNCE: web2ldap release 1.0.5</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3179</link>
    <description>HI!

Find a new release of web2ldap on

        http://www.web2ldap.de/download.html

About:
web2ldap is a full-featured LDAPv3 client written in Python and designed
to run as a stand-alone Web gateway or under the control of a web server
with FastCGI or SCGI support (e.g., Apache with mod_fastcgi or mod_scgi).

Ciao, Michael.

------------------------------------------------------------------------

Changes since last 1.0.0 announcement:

1.0.5

Release Date: 2008-10-13

* Improvements to plugin modules/classes:

  o New plugin module lotusdomino for LDAP interface of Lotus
    Domino server.
  o New plugin class for attribute types found in schema of MIT
    Kerberos LDAP backend: krbTicketFlags, krbPrincipalType and
    krbTicketPolicyReference.
  o New plugin class for LDAP syntax UUID.
  o Fix in BitArrayInteger.formValue for adding new values.

* Case-insensitive sorting for...

  o attributes in table view when displaying or editing entries
  o object classes in object class input select lists
  o lists of schema links in schema viewer

* Fixed SyntaxError only occurring with Python 2.3.
* Several updates to the country code configuration file including
  a fix for NON-ASCII encoding of country names.


1.0.4

Release Date: 2008-09-23

* The basic searchform is displayed now when the server to connect
  to is chosen from the select list of [Connect] page. This avoids
  the annoying message "no search results found" when
  connecting without specifying a base DN.
* Corrected HTML templates for object class organization.
* Values for form parameter search_attrs can now be 1000 chars
  long.


1.0.3

Release Date: 2008-09-06

* Fix in schema viewer: When doing a wildcard search schema
  elements with several NAMEs are not listed more than once
  anymore.
* New plugin module eduperson and HTML templates for eduPerson.
* Exception ldap.NO_SUCH_OBJECT is ignored when adding a new entry
  and therefore reading the parent entry (for determining the
  governing structure rule). This happens when adding the root
  entry in a naming context.
* Documentation update:
  Update to python-ldap_2.3.5+ is required if the LDAP server's
  subschema contains name forms.
* Fixed a regression when adding a new entry if the structural
  object class of the superior entry cannot be determined (e.g. a
  rootDSE without objectClass attribute).

1.0.2

Release Date: 2008-09-04

* Fixed more regressions in case the subschema subentry cannot be
  read (e.g. because of access control).
* Fixed a regression when trying to modify the rootDSE...


1.0.1

Release Date: 2008-09-03

* Fixed regression in SubSchema.get_applicable_name_form_objs()
  which raised an exception when trying to add a new entry
  (choosing [New Entry]) in root naming context (empty DN).
* Fixed regression when generating context menu in schema viewer
  in case the subschema subentry cannot be read (e.g. because of
  access control).




</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-10-13T14:13:31</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3177">
    <title>ldap model to provide rights to people/groups</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3177</link>
    <description/>
    <dc:creator>Wessel Louwris</dc:creator>
    <dc:date>2008-10-13T10:09:00</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3174">
    <title>Guessing root DNs for active directory</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3174</link>
    <description>Hi,
Let me know if this is the wrong list for this question, and where best to
ask this.

I am trying to write a simple program in Java that "guesses" if the machine
is running on Active Directory and connects to the domain controller via
LDAP. My goal is to submit a patch to JXPlorer (and eventually other
software like Apache Directory Studio) to "detect" Active Directory and
"auto-configure" a connection to it.

Right now I am grabbing the environment variable "USERDNSDOMAIN", and
transforming it from "foo.com" to "dc=foo,dc=com". This works well enough.
However, is it possible via some sort of LDAP query to get the base DN of
either the domain I am authenticated to, or better yet all domains in the
forest?

If anyone cares to help me in my research, or laugh at a .NET programmer
trying to write Java, feel free to take a poke at my code in SVN,
http://nightelves.svn.sourceforge.net/viewvc/nightelves/LI-PHP/LDAP/LDAP.Tests/src/LDAP/Tests.java?revision=57&amp;view=markup

Thanks and Regards,

Justin Dearing
</description>
    <dc:creator>Justin Dearing</dc:creator>
    <dc:date>2008-10-11T15:09:13</dc:date>
  </item>
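An added example from the editor, not code from Justin's mail or from JXPlorer: the rootDSE of an Active Directory DC answers this question directly, and it is readable without binding. A base-scope search with base "" returns defaultNamingContext (the DC's own domain), rootDomainNamingContext (the forest root), namingContexts (every partition this DC hosts) and supportedCapabilities, which carries the Active Directory capability OID 1.2.840.113556.1.4.800; that OID is a much better "is this AD?" test than the shape of a guessed DN. The rootDSE dictionary below is constructed for a child domain corp.example.com and the USERDNSDOMAIN conversion from the mail is kept only as the fallback it is.

```python
"""Detect Active Directory and learn its naming contexts from the rootDSE
instead of guessing dc=foo,dc=com from USERDNSDOMAIN."""

# OID an AD DC advertises in rootDSE supportedCapabilities
# (LDAP_CAP_ACTIVE_DIRECTORY_OID); 1.4.1670 is the V51 capability.
AD_CAPABILITY_OID = "1.2.840.113556.1.4.800"

# Constructed rootDSE as returned by an anonymous base-scope search with
# base "" against a DC of the child domain corp.example.com (illustrative).
SAMPLE_ROOTDSE = {
    "defaultNamingContext": ["DC=corp,DC=example,DC=com"],
    "rootDomainNamingContext": ["DC=example,DC=com"],
    "configurationNamingContext": ["CN=Configuration,DC=example,DC=com"],
    "schemaNamingContext": ["CN=Schema,CN=Configuration,DC=example,DC=com"],
    "namingContexts": [
        "DC=corp,DC=example,DC=com",
        "CN=Configuration,DC=example,DC=com",
        "CN=Schema,CN=Configuration,DC=example,DC=com",
        "DC=DomainDnsZones,DC=corp,DC=example,DC=com",
        "DC=ForestDnsZones,DC=example,DC=com",
    ],
    "supportedCapabilities": [AD_CAPABILITY_OID, "1.2.840.113556.1.4.1670"],
}

# Partitions that are never a domain: config, schema and the DNS app partitions.
NON_DOMAIN_PREFIXES = ("cn=configuration", "cn=schema",
                       "dc=domaindnszones", "dc=forestdnszones")


def domain_to_dn(dns_domain):
    """'foo.com' -> 'dc=foo,dc=com': the USERDNSDOMAIN heuristic from the mail.
    Only a guess; the domain DN is not required to mirror the DNS name."""
    labels = [label for label in dns_domain.strip(".").split(".") if label]
    return ",".join("dc=" + label for label in labels)


def is_active_directory(rootdse):
    """AD is recognised by its capability OID, not by the DN shape."""
    return AD_CAPABILITY_OID in rootdse.get("supportedCapabilities", [])


def domain_partitions(rootdse):
    """namingContexts with Configuration, Schema and the DNS application
    partitions removed; what remains are the domain partitions on this DC."""
    return [nc for nc in rootdse.get("namingContexts", [])
            if not nc.lower().startswith(NON_DOMAIN_PREFIXES)]


def base_dns(rootdse):
    """What a client should auto-configure from: the DC's own domain, the
    forest root domain, and the domain partitions hosted on this DC."""
    return {
        "domain": rootdse.get("defaultNamingContext", [None])[0],
        "forest_root": rootdse.get("rootDomainNamingContext", [None])[0],
        "domains": domain_partitions(rootdse),
    }


if __name__ == "__main__":
    print("guess:", domain_to_dn("corp.example.com"))
    print("AD?  ", is_active_directory(SAMPLE_ROOTDSE))
    print(base_dns(SAMPLE_ROOTDSE))
```

From the command line the same attributes come back with `ldapsearch -x -H ldap://dc.corp.example.com -s base -b "" defaultNamingContext rootDomainNamingContext namingContexts supportedCapabilities` (hostname assumed). One caveat for the "all domains in the forest" part: a single DC's namingContexts lists only the partitions it hosts. To enumerate every domain, read the crossRef objects under CN=Partitions in the configuration naming context (their nCName attribute holds each partition's DN), or ask a global catalog.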
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3157">
    <title>Low performance on searches</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3157</link>
    <description>Hi people,

First of all: "I'm new to OpenLDAP..."
The problem is:
Every search on the base takes a long time and sometimes (not so rarely)
returns a "time out" message.
I don't know whether the problem is in the app query or in the configuration
files.

When I run the 'db_stat -m' command, the results are:

320MB 740B      Total cache size
1           Number of caches
320MB 8KB       Pool individual cache size
0           Maximum memory-mapped file size
0           Maximum open file descriptors
0           Maximum sequential buffer writes
0           Sleep after writing maximum sequential buffers
0           Requested pages mapped into the process' address space
542724      Requested pages found in the cache (99%)
20          Requested pages not found in the cache
463         Pages created in the cache
20          Pages read into the cache


Based on the official OpenLDAP documentation, the values in red are great
and so I've made no change on file DB_CONFIG.
My slapd.conf is set as follow:

include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
include         /usr/local/etc/openldap/schema/nis.schema
include         /usr/local/etc/openldap/schema/samba.schema
pidfile         /usr/local/var/run/slapd.pid
argsfile        /usr/local/var/run/slapd.args
database        bdb
suffix          "dc=bluefish,dc=com,dc=br"
rootdn          "cn=Manager,dc=bluefish,dc=com,dc=br"
rootpw          secret
directory       /usr/local/var/openldap-data
index   objectClass     eq
index cn,sn,givenname,mail,uid eq
index entryCSN,entryUUID eq
access to dn.base="cn=Manager,o=Bluefish"
      by peername.regex=127\.0\.0\.1 auth
      by peername.regex=192\.168\.0\.100 auth
      by peername.regex=192\.168\.0\.135 auth
      by peername.regex=192\.168\.0\.32 auth
      by peername.regex=192\.168\.0\.35 auth
      by peername.regex=192\.168\.0\.37 auth
      by users none
      by * none
access to attrs=userPassword,sambaLMPassword,sambaNTPassword
      by self write
      by anonymous auth
      by * read


Could anyone help me determine where the problem is that causes the "time
out" message on searches?

Server configuration:
Intel Core2 Quad 2.40GHz
2 GB RAM
1 HD - 250 GB SATAII (everything is here)

Thanks for any kind of help,
João Ferreira
</description>
    <dc:creator>Joao Amancio</dc:creator>
    <dc:date>2008-10-06T21:26:33</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3155">
    <title>Several DN one LDAP query</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3155</link>
    <description>Hello,

I'd like to know if it's correct to retrieve several entries from a
directory in one LDAP query based on the DN.
I have several group DNs:
cn=marketing,ou=Groups,dc=example,dc=com
cn=sales,ou=Groups,dc=example,dc=com
And I'd like to get the entries of all DN in only one query (I
actually want to get all the members of these groups).

Is it correct/possible to do this or do I have to run one query per DN ?

Thanks,
Manuel


</description>
    <dc:creator>Manuel Vacelet</dc:creator>
    <dc:date>2008-10-06T14:15:55</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3151">
    <title>Standard test suite for LDAP client testing?</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3151</link>
    <description>Hello list,

I'm posting this to two mailing lists... Hope no one minds.

I'm working on an LDAP client API implementation. To test the
API I'm looking for a standard test set (data) which can be
loaded into various server implementations.

The closest thing I have found so far is the following project
which seems to be quite dormant.

http://www.opengroup.org/dif/blits/

The LDIFs I tried worked for 99%; a couple of errors were found
relating to schema. It is quite dated...

And then there are the test cases... which could probably be
updated as well.

Anyone have any other recommendations? Perhaps someone is
involved with BLITS or something similar?

I could flesh out my own test data and test cases but I'd
rather build on something that already exists.

Thanks in advance!

Regards,

- Emiel van de Laar



</description>
    <dc:creator>Emiel van de Laar</dc:creator>
    <dc:date>2008-09-10T22:30:52</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3150">
    <title>Standard test suite for LDAP client testing?</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3150</link>
    <description>Hello list,

I'm posting this to two mailing lists... Hope no one minds.

I'm working on an LDAP client API implementation. To test the
API I'm looking for a standard test set (data) which can be
loaded into various server implementations.

The closest thing I have found so far is the following project
which seems to be quite dormant.

http://www.opengroup.org/dif/blits/

The LDIFs I tried worked for 99%; a couple of errors were found
relating to schema. It is quite dated...

And then there are the test cases... which could probably be
updated as well.

Anyone have any other recommendations? Perhaps someone is
involved with BLITS or something similar?

I could flesh out my own test data and test cases but I'd
rather build on something that already exists.

Thanks in advance!

Regards,

- Emiel van de Laar


</description>
    <dc:creator>Emiel van de Laar</dc:creator>
    <dc:date>2008-09-10T22:27:16</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3149">
    <title>default access in ACLs, and how to prevent it?</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3149</link>
    <description>I'm working on learning &amp; setting up ACLs.  My goal is to /not/ 
have anything set by default, deny all, and step-by-step allow each 
required access.

In slapd.conf, I've defined security/ACLs as:


security ssf=256 update_ssf=256 tls=256 update_tls=256 simple_bind=256
...
access to *
by tls_ssf=256 peername.ip=127.0.0.1              break
by tls_ssf=256 peername.ip=10.0.1.0%255.255.255.0 break

access to dn.exact="uid=system,ou=System,dc=domain,dc=com" 
attrs=userPassword
by ssf=256 self =x
by * none

access to *
by * none

When I test with:

ldapsearch -LLL -ZZZ -x -W -D 'uid=system,ou=System,dc=domain,dc=com' -H ldap://domain.com:389 -b "" -s base '(objectclass=*)' +
Enter LDAP Password: 

I get:

dn:
supportedSASLMechanisms: GSSAPI

as expected.

In logs I see:

Sep  3 08:33:06 test slapd[5727]: conn=1 fd=11 ACCEPT from IP=10.0.1.16:37316 (IP=10.0.1.16:389)
Sep  3 08:33:06 test slapd[5727]: conn=1 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Sep  3 08:33:06 test slapd[5727]: conn=1 op=0 STARTTLS
Sep  3 08:33:06 test slapd[5727]: conn=1 op=0 RESULT oid= err=0 text=
Sep  3 08:33:06 test slapd[5727]: conn=1 fd=11 TLS established tls_ssf=256 ssf=256
Sep  3 08:33:09 test slapd[5727]: conn=1 op=1 BIND dn="uid=system,ou=System,dc=domain,dc=com" method=128
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: auth access to "uid=system,ou=System,dc=domain,dc=com" "userPassword" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_get: [1] attr userPassword
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: result not in cache (userPassword)
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_mask: access to entry "uid=system,ou=System,dc=domain,dc=com", attr "userPassword" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_mask: to value by "", (=0)
Sep  3 08:33:09 test slapd[5727]: &lt;= check a_peername_path: 127.0.0.1
Sep  3 08:33:09 test slapd[5727]: &lt;= check a_peername_path: 10.0.1.0%255.255.255.0
Sep  3 08:33:09 test slapd[5727]: &lt;= check a_authz.sai_tls_ssf: ACL 256 &gt; OP 256
Sep  3 08:33:09 test slapd[5727]: &lt;= acl_mask: [2] applying +0 (break)
Sep  3 08:33:09 test slapd[5727]: &lt;= acl_mask: [2] mask: =0
Sep  3 08:33:09 test slapd[5727]: =&gt; dn: [2] uid=system,ou=system,dc=domain,dc=com
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_get: [2] matched
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_get: [2] attr userPassword
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: result not in cache (userPassword)
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_mask: access to entry "uid=system,ou=System,dc=domain,dc=com", attr "userPassword" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; acl_mask: to value by "", (=0)
Sep  3 08:33:09 test slapd[5727]: &lt;= check a_dn_pat: anonymous
Sep  3 08:33:09 test slapd[5727]: &lt;= check a_authz.sai_ssf: ACL 256 &gt; OP 256
Sep  3 08:33:09 test slapd[5727]: &lt;= acl_mask: [1] applying =x (stop)
Sep  3 08:33:09 test slapd[5727]: &lt;= acl_mask: [1] mask: =x
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: auth access granted by =x
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: auth access granted by =x
Sep  3 08:33:09 test slapd[5727]: conn=1 op=1 BIND dn="uid=system,ou=System,dc=domain,dc=com" mech=SIMPLE ssf=0
Sep  3 08:33:09 test slapd[5727]: conn=1 op=1 RESULT tag=97 err=0 text=
Sep  3 08:33:09 test slapd[5727]: conn=1 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)"
Sep  3 08:33:09 test slapd[5727]: conn=1 op=2 SRCH attr=supportedSASLMechanisms
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: search access to "" "objectClass" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: backend default search access granted to "uid=system,ou=System,dc=domain,dc=com"
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: search access granted by read(=rscxd)
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: read access to "" "entry" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: read access granted by read(=rscxd)
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: read access to "" "supportedSASLMechanisms" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: read access granted by read(=rscxd)
Sep  3 08:33:09 test slapd[5727]: conn=1 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep  3 08:33:09 test slapd[5727]: conn=1 op=3 UNBIND
Sep  3 08:33:09 test slapd[5727]: conn=1 fd=11 closed


As expected, I see the "auth" access granted per my ACL,

Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: auth access granted by =x
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: auth access granted by =x


But I also see "default" access being granted:

Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: backend default search access granted to "uid=system,ou=System,dc=domain,dc=com"
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: search access granted by read(=rscxd)
Sep  3 08:33:09 test slapd[5727]: =&gt; access_allowed: read access to "" "entry" requested
Sep  3 08:33:09 test slapd[5727]: =&gt; slap_access_allowed: backend default read access granted to "uid=system,ou=System,dc=domain,dc=com"

I'd expect that the "by * none" clauses should prevent default 
anything.

From 'man slapd.access' I learn:

"If  no  access  controls  are  present,  the default policy 
allows anyone and everyone to read anything but restricts updates 
to rootdn.  (e.g., "access to * by * read").  The rootdn can always 
read and write EVERYTHING!"

But I clearly have defined access controls.

Why am I seeing any default access granted, and what ACL needs to 
be specified to prevent it?

Thanks.

Ric




</description>
    <dc:creator>Ric</dc:creator>
    <dc:date>2008-09-03T15:49:05</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3147">
    <title>ANNOUNCE: web2ldap release 1.0.0</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3147</link>
    <description>HI!

Find a new release of web2ldap on

        http://www.web2ldap.de/download.html

Well, 10 years after the first public release (formerly called
ldap-client-cgi) it was time for 1.0. ;-)

About:
web2ldap is a full-featured LDAPv3 client written in Python and designed
to run as a stand-alone Web gateway or under the control of a web server
with FastCGI or SCGI support (e.g., Apache with mod_fastcgi or mod_scgi).

Ciao, Michael.

------------------------------------------------------------------------

1.0.0 (see http://www.web2ldap.de/changes-1.0.html)

Release Date: 2008-09-03

* It is now possible to specify a set of named templates for basic
  search forms with parameter searchform_template which appear in
  the context menu when displaying a search form.

* When renaming an entry the new superior DN can be searched. The
  possible candidates are then displayed as a select list. Also see
  new host-/backend-specific parameter rename_supsearchurl which
  is a named set of LDAP URLs to specify how to search for a new
  superior DN.

* Support for DIT structure rules and name forms:
  o When adding a new entry the DIT structure rules applicable to
    the parent entry are used to determine the set of possible
    structural object classes for the new entry when displaying
    the object class select form.
  o Possible name forms are displayed as RDN template strings in
    the [Rename] input form if there are any defined for the
    structural object class of the entry.
  o When renaming an entry the filter for searching the new
    superior DN is suggested according to the governing structure
    rule for the entry to be renamed.

* Improvements to plugin modules/classes:
  o Placeholders can now be appended at the end of the DN portion
    of DynamicValueSelectList.ldap_url and are substituted by
    entry's current DN, entry's parent or the best matching naming
    context.
  o New plugin module dhcp for draft-ietf-dhc-ldap-schema.

* Improvements in schema browser:
  o A certain type of schema elements can be selected in the
    context menu.
  o Simple wildcard search is supported on OIDs and NAMEs with
    asterisk (*) being placed at the beginning and/or end of the
    search string.
  o Better error handling in the schema viewer when displaying a
    matching rule in case an attribute type is referenced in an
    attribute type description as SUP which is not present in the
    subschema.

* Adding another attribute value in the entry input form for a
  textual attribute is now done with an additional submit button
  [+] which results in an additional input field being displayed
  for the chosen attribute type. The advantage is that the
  additional input field is generated by an accompanying plugin
  class if possible.

* The monitor page can now be restricted by source IP. See new
  parameter access_allowed in the monitor configuration module.

* In the monitor page the number of all web sessions initialized
  since start up is displayed.

* A warning message is displayed (instead of exception being
  raised) if the user did not choose a STRUCTURAL object class
  when adding a new entry.

* Small improvements in cert/CRL viewer:
  o If the subject- or issuer DN of a cert/CRL contains characters
    not valid for the given ASN.1 string type the viewer now falls
    back to display the invalid characters in hex-escaped form
    (instead of raising UnicodeError).
  o The OIDs of attribute types used in subject and issuer names
    are displayed.


</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-09-03T09:43:17</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3138">
    <title>groupOfUniqueNames join / search (sql join)</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3138</link>
    <description>Hi

I would like to know, if you use groupOfUniqueNames and you want to
follow the uniqueMember to get the mail attribute, how to perform that
type of ldapsearch. Would anyone know?

e.g

dn: cn=support-O2Z401siY54&lt; at &gt;public.gmane.org,ou=mailAlias,dc=abc.biz,dc=top
uniqueMember: cn=brenttst,ou=mailUser,dc=abc.biz,dc=top

dn: cn=brenttst,ou=mailUser,dc=abc.biz,dc=top
mail: brent-O2Z401siY54&lt; at &gt;public.gmane.org

Basically this is for mail routing and I want to build / use it for 
aliases. So all mail to support-O2Z401siY54&lt; at &gt;public.gmane.org will be sent to brent-/ITeif/B6Ag&lt; at &gt;public.gmane.org

Kind Regards
Brent Clark




</description>
    <dc:creator>Brent Clark</dc:creator>
    <dc:date>2008-08-29T18:02:19</dc:date>
  </item>
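An added example from the editor, not code from Brent's or Manuel's mails: both "Several DN one LDAP query" and this message come down to the same two-step pattern. LDAP has no join, so you read the group (its member or uniqueMember values are DNs), then fetch all the referenced entries in one search whose filter ORs their RDN values together, e.g. (|(cn=marketing)(cn=sales)) under ou=Groups or (|(cn=brenttst)(cn=...)) under ou=mailUser, asking only for the attributes you want (mail for the alias case). The security point is the escaping: a DN value that reaches a filter unescaped can close the term and add its own, so the builder applies RFC 4515 escaping before concatenation. The DNs below are taken from the two mails; the parser handles the backslash-escaped form of RFC 4514 but not hex-pair escapes, which is noted in its docstring.

```python
"""Fetch several entries in one search: build an OR filter from a list of DNs,
escaping the values so a DN can never smuggle extra filter terms."""


def escape_filter_value(value):
    """RFC 4515 escaping for a value placed inside a search filter. Only these
    five characters are special; ampersand, pipe, equals and comma are not."""
    table = {"\\": "\\5c", "*": "\\2a", "(": "\\28", ")": "\\29", "\x00": "\\00"}
    return "".join(table.get(ch, ch) for ch in value)


def first_rdn(dn):
    """Leftmost RDN of a DN as (attribute, value). A backslash-escaped character
    is taken literally (RFC 4514 'cn=Smith\\, John'); hex-pair escapes such as
    \\2C are not handled by this small parser."""
    chars, i, n = [], 0, len(dn)
    while n > i:
        ch = dn[i]
        if ch == "\\" and n > i + 1:
            chars.append(dn[i + 1])
            i += 2
            continue
        if ch == ",":
            break
        chars.append(ch)
        i += 1
    attr, _, value = "".join(chars).partition("=")
    return attr.strip(), value.strip()


def or_filter(attr, values):
    """(|(attr=v1)(attr=v2)...); a single value collapses to (attr=v1)."""
    terms = ["(%s=%s)" % (attr, escape_filter_value(v)) for v in values]
    if len(terms) == 1:
        return terms[0]
    return "(|" + "".join(terms) + ")"


def filter_for_dns(dns):
    """One filter matching every entry named by the given DNs, keyed on the RDN
    attribute they share (uniqueMember DNs -> (|(cn=a)(cn=b))). Run it with the
    members' common parent as the search base and request only what you need."""
    pairs = [first_rdn(dn) for dn in dns]
    attrs = set(attr.lower() for attr, _ in pairs)
    if len(attrs) != 1:
        raise ValueError("members use different RDN attributes: %s" % sorted(attrs))
    return or_filter(pairs[0][0], [value for _, value in pairs])


if __name__ == "__main__":
    groups = ["cn=marketing,ou=Groups,dc=example,dc=com",
              "cn=sales,ou=Groups,dc=example,dc=com"]
    print(filter_for_dns(groups))
    # A hostile value is neutralised rather than becoming a second term.
    print(filter_for_dns(["cn=*)(uid=*,ou=people,dc=example,dc=com"]))
```

With python-ldap the call is `conn.search_s("ou=mailUser,dc=abc.biz,dc=top", ldap.SCOPE_ONELEVEL, filter_for_dns(unique_members), ["mail"])` (connection and variable names assumed). If the member DNs live under different parents, group them by parent and run one search per parent instead of one per DN.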
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3136">
    <title>changing a bunch of ldap entries at once?</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3136</link>
    <description>I have a bunch of users that have a mail entry I want to delete.  As an 
example:

dn: uid=jdoe$,ou=Computers,dc=mdah,dc=mdah,dc=state,dc=ms,dc=us
mail: jdoe$&lt; at &gt;mdah.state.ms.us

I know I can delete them one at a time with the following ldif for each 
user and run it manually

dn: uid=jdoe$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us
changetype: modify
delete: mail
mail: jdoe$&lt; at &gt;mdah.state.ms.us

but is there a way to automate the process or globally drop mail: from 
every uid in the ou=Computers?




</description>
    <dc:creator>Adam Williams</dc:creator>
    <dc:date>2008-08-29T16:28:05</dc:date>
  </item>
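An added example from the editor, not code from Adam's mail: there is no server-side "delete attribute X from every entry" operation in LDAP, so the usual approach is to dump the entries with ldapsearch, generate one modify record per entry, and feed the result to ldapmodify. The script below does the middle step. It reads LDIF from stdin (or a constructed sample when run interactively), keeps only entries that actually carry the attribute, and lists the values being deleted rather than issuing a bare "delete: mail", so a value that appeared after the dump is left alone and a value that has already gone makes that one change fail with noSuchAttribute instead of passing silently. The sample dump is constructed; the DN shape follows the mail.

```python
"""Turn an ldapsearch LDIF dump into a modify LDIF that deletes one attribute
(here mail) from every entry that has it, for piping into ldapmodify."""
import base64
import sys

# Constructed sample of `ldapsearch -x -LLL -b ou=Computers,... '(uid=*)' mail`
# output; the real dump is read from stdin when one is piped in.
SAMPLE_DUMP = """\
dn: uid=jdoe$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us
mail: jdoe$@mdah.state.ms.us

dn: uid=asmith$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us
mail: asmith$@mdah.state.ms.us

dn: uid=nomail$,ou=Computers,dc=mdah,dc=state,dc=ms,dc=us

"""


def unfold(text):
    """Join LDIF continuation lines (a leading space) onto the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Minimal LDIF content reader: list of (dn, {attr: [values]}) records.
    Handles '::' base64 values; skips comments and the version line."""
    records, attrs, dn = [], {}, None
    for line in unfold(text) + [""]:
        if not line:
            if dn is not None:
                records.append((dn, attrs))
            attrs, dn = {}, None
            continue
        if line.startswith("#") or line.startswith("version:"):
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


def delete_attribute_ldif(records, attr):
    """One 'changetype: modify' record per entry that carries attr. Values are
    listed explicitly: a value added after the dump is not deleted unseen, and
    a value already gone makes that change fail with noSuchAttribute."""
    chunks = []
    for dn, attrs in records:
        values = attrs.get(attr)
        if not values:
            continue
        lines = ["dn: " + dn, "changetype: modify", "delete: " + attr]
        lines += [attr + ": " + value for value in values]
        lines.append("-")
        chunks.append("\n".join(lines) + "\n")
    return "\n".join(chunks)


if __name__ == "__main__":
    dump = SAMPLE_DUMP if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(delete_attribute_ldif(parse_ldif(dump), "mail"))
```

Typical use (file name and bind DN assumed): `ldapsearch -x -LLL -b "ou=Computers,dc=mdah,dc=state,dc=ms,dc=us" "(uid=*)" mail | python3 drop_mail.py | ldapmodify -x -D "cn=Manager,dc=mdah,dc=state,dc=ms,dc=us" -W -c`. The `-c` keeps ldapmodify going past an entry whose change fails; without it the first noSuchAttribute stops the whole run. Review the generated LDIF before applying it, since it is exactly what the server will execute.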
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3133">
    <title>[OT] dealing with network connection (looking for weird ldap situations)</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3133</link>
    <description>Hi dudes. I have a python/cgi app who interacts with an ldap server. The
thing is, sometimes ldap server allows the cgi to make some changes,
some times it does not. Same app, same user, same change...

This is a succesfull MOD trough this cgi:

Aug 29 12:44:09 db slapd[4328]: conn=291 fd=21 ACCEPT from
IP=xx.xx.xx.xx:48165 (IP=0.0.0.0:389)
Aug 29 12:44:09 db slapd[4328]: conn=291 op=0 BIND
dn="cn=Manager,dc=xx.xx.xxx" method=128
Aug 29 12:44:09 db slapd[4328]: conn=291 op=0 BIND
dn="cn=Manager,dc=xx.xx.xxx" mech=SIMPLE ssf=0
Aug 29 12:44:09 db slapd[4328]: conn=291 op=0 RESULT tag=97 err=0 text=
Aug 29 12:44:09 db slapd[4328]: conn=291 op=1 MOD dn="cn=111,ou=xx.xxx."
Aug 29 12:44:09 db slapd[4328]: conn=291 op=1 MOD attr=userPassword
Aug 29 12:44:09 db slapd[4328]: conn=291 op=2 UNBIND
Aug 29 12:44:09 db slapd[4328]: conn=291 op=1 RESULT tag=103 err=0 text=
Aug 29 12:44:09 db slapd[4328]: conn=291 fd=21 closed

Seconds later, try again....
Aug 29 12:46:30 db slapd[4328]: conn=297 fd=22 ACCEPT from
IP=xx.xx.xx(IP=0.0.0.0:389)
Aug 29 12:46:30 db slapd[4328]: conn=297 op=0 BIND
dn="cn=Manager,xx.xx.xx" method=128
Aug 29 12:46:30 db slapd[4328]: connection_input: conn=297 deferring
operation: binding
Aug 29 12:46:30 db slapd[4328]: conn=297 op=2 UNBIND
Aug 29 12:46:30 db slapd[4328]: conn=297 op=0 BIND
dn="cn=Manager,dc=xx.xxx-xx" mech=SIMPLE ssf=0
Aug 29 12:46:30 db slapd[4328]: conn=297 op=0 RESULT tag=97 err=0 text=
Aug 29 12:46:30 db slapd[4328]: conn=297 fd=22 closed
Aug 29 12:46:30 db slapd[4328]: connection_read(22): no connection!

And seconds later...it works again!!

Aug 29 12:48:24 db slapd[4328]: conn=302 op=0 RESULT tag=97 err=0 text=
Aug 29 12:48:24 db slapd[4328]: conn=302 op=2 UNBIND
Aug 29 12:48:24 db slapd[4328]: conn=302 op=1 MOD dn="cn=xx-xx-xx"
Aug 29 12:48:24 db slapd[4328]: conn=302 op=1 MOD attr=userPassword
Aug 29 12:48:24 db slapd[4328]: conn=302 op=1 RESULT tag=103 err=0 text=
Aug 29 12:48:24 db slapd[4328]: conn=302 fd=22 closed

Can't say much more...

I guess it's a network issue (I'm getting 'connection lost' a lot).
By doing tcpdump "host ldap-server or host web-server", I can see
traffic, but I would like to know if there is some special flag I should
search for in that traffic, so it would be a nice candidate for the
'connection close' bastard.

Any hints on this one?
Thanks!!

Gerardo


</description>
    <dc:creator>Gerardo Herzig</dc:creator>
    <dc:date>2008-08-29T15:50:15</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3132">
    <title>LDAP with Exim</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3132</link>
    <description>Hi

I would like to look into adding mail routing handling to LDAP for my 
Exim MTA.

Does anyone know of any links or, even better, is prepared to share 
their schema?

I've looked at Postfix's and Qmail's docs, but I would also like an Exim real 
world / working example.

If anyone can help, thank you in advance.

Kind Regards
Brent Clark


</description>
    <dc:creator>Brent Clark</dc:creator>
    <dc:date>2008-08-23T08:21:53</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3129">
    <title>member-of-group user attr + group/member object classes?</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3129</link>
    <description>Is there a published schema with a member-of-group user attribute
(i.e. an attribute maintained by the user), with an associated auxiliary
member object class and preferably a structural group object class?

Not Microsoft's memberOf attribute - that is maintained by the server.

I found
  http://middleware.internet2.edu/dir/docs/internet2-mace-dir-ldap-group-membership-200507.html
with object class eduMember ( ... MAY ( isMemberOf $ hasMember ) )
but it seems silly to have eduMember as the group's object class.

</description>
    <dc:creator>Hallvard B Furuseth</dc:creator>
    <dc:date>2008-08-22T11:37:34</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3124">
    <title>id: cannot find name for user ID</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3124</link>
    <description>Greetings,
I've had an OpenLDAP server running on a Linux box for over a year, and
it's worked without any issues.  The Linux distro was upgraded earlier
today (to version 2.4.10), and now OpenLDAP is failing to work correctly.

Users typically ssh into an assortment of Linux boxes which authenticate
against the LDAP server.  Since the upgrade, they can still authenticate,
however they get the following output as well:

su - lfriedman
id: cannot find name for user ID 3215
id: cannot find name for group ID 3215
id: cannot find name for user ID 3215
[I have no name!&lt; at &gt;linux64 ~]$

I'm guessing this might be some crazy ACL issue, but I'm honestly not
certain.  The contents of /etc/openldap/slapd.conf haven't changed since
the upgrade.  The ACL section is as follows:
############
access to attrs=userPassword
        by dn="cn=Manager,dc=fs0,dc=block,dc=com" write
        by anonymous auth
        by self write
        by * none
access to *
        by anonymous read
############

Does anyone have any suggestions?  thanks!

</description>
    <dc:creator>Lonni J Friedman</dc:creator>
    <dc:date>2008-08-10T01:00:12</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3122">
    <title>Multiple login/pass for different apps</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3122</link>
    <description>Hi all!
I'm a newbie in LDAP, and after searching mailing list archives, googling
and so on I can't find the solution to my problem.

I want to store info about users in my LDAP. This info is the common info
and some auth logins / passwords / identifiers for 3 applications ....
each user has a different login/pass for each application. (I know the
optimal thing is to have one login/pass for all, but I need to put LDAP
first.)

Is it possible to store this uid/login/pass for each app for each user?

Thanks a lot in advance. 

---
Antonio

</description>
    <dc:creator>Antonio Coloma</dc:creator>
    <dc:date>2008-08-06T08:09:28</dc:date>
  </item>
  <item rdf:about="http://comments.gmane.org/gmane.comp.ldap.umich/3121">
    <title>ANNOUNCE: web2ldap release 0.16.41</title>
    <link>http://comments.gmane.org/gmane.comp.ldap.umich/3121</link>
    <description>Hi!

Find a new release of web2ldap on

         http://www.web2ldap.de/download.html

About:
web2ldap is a full-featured LDAPv3 client written in Python and designed
to run as a stand-alone Web gateway or under the control of a web server
with FastCGI or SCGI support (e.g., Apache with mod_fastcgi or mod_scgi).

Ciao, Michael.

------------------------------------------------------------------------

0.16.41

Release Date: 2008-08-03

* Security fix! Redirects to arbitrary URLs are only allowed with a
   valid session ID.
* Plugin class DynamicValueSelectList now also reads a simple
   select list from a multi-valued attribute of a certain entry
   (when the search scope in the LDAP URL is base).
* Detected browser class and browser version and the HTTP header User-
   Agent are displayed in [ConnInfo] now.
* Plugin class BitArrayInteger now displays a multi-line input
   field for each bit. This is handier for manipulating the
   single bits, like in MS AD's attribute userAccountControl.
* Fixed displaying the value for binary fields (e.g. OctetString)
   when outputting a hidden field (disabled input field).


0.16.40

Release Date: 2008-07-26

* Fixed error handling for objectClassViolation when adding a new
   entry.
* Added doc page about improving usability by configuration.
* Improved docs.
* Schema browser now accepts semicolon subtype in form parameter
   oid.


0.16.39

Release Date: 2008-07-17

* Support for tree delete control (see draft-armijo-ldap-
   treedelete).
* Cosmetic changes to output of [ConnInfo].


0.16.38

Release Date: 2008-07-15

* Fixed a regression in [Password] (module w2lapp.passwd) when the
   entry's DN contains NON-ASCII chars.


0.16.37

Release Date: 2008-07-15

* Fixed changing the password in MS AD (attribute unicodePwd).
* Fixed more regressions in [Password] (module w2lapp.passwd).


0.16.36

Release Date: 2008-07-14

* Changed the internal setting of TLS options: If OpenLDAP libs
   2.4 or newer are detected the TLS options are only set for the
   current connection.
* Fixed a regression in [Password] (module w2lapp.passwd).



</description>
    <dc:creator>Michael Ströder</dc:creator>
    <dc:date>2008-08-03T18:06:26</dc:date>
  </item>
  <textinput about="http://search.gmane.org/?group=$group=gmane.comp.ldap.umich">
    <title>Search Engine</title>
    <description>Search the mailing list at Gmane</description>
    <name>query</name>
    <link>http://search.gmane.org/?group=$group=gmane.comp.ldap.umich</link>
  </textinput>
</rdf:RDF>
