[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
RE: openldap-technical Digest, Vol 38, Issue 26
- To: <openldap-technical@OpenLDAP.org>
- Subject: RE: openldap-technical Digest, Vol 38, Issue 26
- From: "Alexey Shalin" <a.shalin@ipc.kg>
- Date: Fri, 28 Jan 2011 13:58:04 +0600
- Content-class: urn:content-classes:message
- Thread-index: Acu+GoknEqJPG7YVSCWKEk1ucVr06QApgbRw
- Thread-topic: openldap-technical Digest, Vol 38, Issue 26
Hello, can you please help me pwdExpireWarning
I have setuped
pwdExpireWarning 300 *5 min*
then UI updated password for user
0000: 30 6d 02 01 02 64 68 04 1f 75 69 64 3d 6d 61 78
0m...dh..uid=max
0010: 2c 6f 75 3d 75 73 65 72 73 2c 6f 75 3d 74 72 61
,ou=users,ou=tra
0020: 6e 73 6d 61 73 74 65 72 30 45 30 1e 04 0b 6f 62
nsmaster0E0...ob
0030: 6a 65 63 74 43 6c 61 73 73 31 0f 04 0d 69 6e 65
jectClass1...ine
0040: 74 4f 72 67 50 65 72 73 6f 6e 30 23 04 0e 70 77
tOrgPerson0#..pw
0050: 64 43 68 61 6e 67 65 64 54 69 6d 65 31 11 04 0f
dChangedTime1...
0060: 32 30 31 31 30 31 32 38 30 37 35 34 33 31 5a
20110128075431Z
After 5 minutes, if a user tries to connect to the database, it must
issue a message, right ?
--------------------------------------------------
This attribute controls whether and when a warning message of password
expiration will be returned on a bind attempt.
--------------------------------------------------
But nothing happen.. :(
I have this ppolice :
dn: cn=std, ou=ppolicy, ou=transmaster
pwdCheckModule: check_password.so
pwdMaxFailure: 6
pwdMustChange: TRUE
pwdAttribute: userPassword
pwdMinLength: 7
pwdSafeModify: FALSE
pwdInHistory: 4
pwdGraceAuthNLimit: 3
pwdCheckQuality: 1
objectClass: pwdPolicy
objectClass: top
objectClass: device
objectClass: pwdPolicyChecker
pwdLockoutDuration: 60
cn: std
pwdAllowUserChange: TRUE
pwdExpireWarning: 300
pwdLockout: TRUE
Thank you
-----Original Message-----
From: openldap-technical-bounces@OpenLDAP.org
[mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of
openldap-technical-request@OpenLDAP.org
Sent: Thursday, January 27, 2011 6:00 PM
To: openldap-technical@openldap.org
Subject: openldap-technical Digest, Vol 38, Issue 26
Send openldap-technical mailing list submissions to
openldap-technical@openldap.org
To subscribe or unsubscribe via the World Wide Web, visit
http://www.openldap.org/lists/mm/listinfo/openldap-technical
or, via email, send a message with subject or body 'help' to
openldap-technical-request@openldap.org
You can reach the person managing the list at
openldap-technical-owner@openldap.org
When replying, please edit your Subject line so it is more specific
than "Re: Contents of openldap-technical digest..."
Send openldap-technical mailing list submissions to
openldap-technical@openldap.org
When replying, please edit your Subject: header so it is more specific
than "Re: openldap-technical digest..."
Today's Topics:
1. Re: Replication monitoring (Andreas Andersson)
2. Re: Replication monitoring (Peter Boosten)
3. Re: problem with limits configuration (Dan Pritts)
4. Re: Replication monitoring (Peter Boosten)
5. Re: Replication monitoring (Peter Boosten)
6. Re: Failover Failure Advice (Anton Chu)
7. Re: Failover Failure Advice (Quanah Gibson-Mount)
8. Re: Failover Failure Advice (Chris Jacobs)
9. Re: slapd logging in chroot() environment (Peter Palmreuther)
10. Re: slapd logging in chroot() environment (Dieter Kluenter)
11. meta directory backend and rewriting option '|' (Lehnert, Hartmut)
12. constraint overlay question (jarek)
13. openldap memberof attribute (Vincent Li)
14. deleting schema elements from cn=config (Tim Gustafson)
15. Re: openldap memberof attribute (Michael Str?der)
16. MemberOf attribute not being returned (Mark Cairney)
----------------------------------------------------------------------
Message: 1
Date: Wed, 26 Jan 2011 19:32:22 +0100
From: Andreas Andersson <zreoxx@gmail.com>
To: Peter Boosten <peter@boosten.org>
Cc: openldap-technical@openldap.org
Subject: Re: Replication monitoring
Message-ID: <7705A370-58E9-4D18-ACF1-9E287851835E@gmail.com>
Content-Type: text/plain; charset="windows-1252"
Hi!
Thanks.
Made a note about the config directory. I've focused on following the
FHS:
http://www.pathname.com/fhs/
As it is a symlink it should be possible to put the config directory
wherever you want (I guess that's what you did).
How about replication verification? Can you confirm that its working?
Regards - Andreas
On Jan 26, 2011, at 10:19 AM, Peter Boosten wrote:
>
> On 24 jan 2011, at 18:55, Andreas Andersson wrote:
>
>> As always? I appreciate all feedback I can get
>
>
> This actually looks quite decent: it needs some tinkering if you do
not follow the installation guide (I don't want my /etc directory
cluttered with software installed by me, for FreeBSD that's
/usr/local/etc), but it's nice and easy to use.
>
>
> --
> Peter Boosten
> http://www.boosten.org
>
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/d
5a1c1ec/attachment.html>
------------------------------
Message: 2
Date: Wed, 26 Jan 2011 19:48:26 +0100
From: Peter Boosten <peter@boosten.org>
To: Andreas Andersson <zreoxx@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Replication monitoring
Message-ID: <F65C338F-861D-41A3-8B85-78737F1E1257@boosten.org>
Content-Type: text/plain; charset="us-ascii"
On 26 jan 2011, at 19:32, Andreas Andersson wrote:
> How about replication verification? Can you confirm that its working?
No, not yet, but I don't have heavy replication going on. I'll try to
force some updates to the DIT.
The only thing I'm struggling with is the screen refresh: somehow I'm
not able to keep a setting after switching menus.
One other thing (maybe it's a firefox thing): when I open the
configuration screen, and don't actually change nothing, then it's
impossible to close that screen again.
But after running a couple of hours I'm very charmed of this tool. Keep
up the good work.
--
Peter Boosten
http://www.boosten.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/1
1ed653e/attachment.html>
------------------------------
Message: 3
Date: Wed, 26 Jan 2011 13:58:38 -0500
From: Dan Pritts <danno@internet2.edu>
To: Pierangelo Masarati <masarati@aero.polimi.it>
Cc: openldap-technical@openldap.org
Subject: Re: problem with limits configuration
Message-ID: <E982C91A-B50D-4A21-A03C-96A2352F814A@internet2.edu>
Content-Type: text/plain; charset=us-ascii
On Jan 25, 2011, at 5:58 AM, Pierangelo Masarati wrote:
> "sizelimit" is global, while "limits" are per database. You do not
specify where you put the "limits" statements above, did you try putting
them in the database that syncrepl statement is related to?
This was my problem. I put the limits statement below the (single)
database statement and it works now.
I missed bit about per-database on my first several looks at the man
page. I probably never read the whole thing through.
To be honest, it didn't even occur to me that i might have more than
one database. newbie.
thanks!
danno
--
Dan Pritts, Sr. Systems Engineer
Internet2
office: +1-734-352-4953 | mobile: +1-734-834-7224
------------------------------
Message: 4
Date: Wed, 26 Jan 2011 19:59:03 +0100
From: Peter Boosten <peter@boosten.org>
To: Andreas Andersson <zreoxx@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: Replication monitoring
Message-ID: <F4D3DE72-54D5-4375-A979-5DBF45922C0A@boosten.org>
Content-Type: text/plain; charset="us-ascii"
On 26 jan 2011, at 19:32, Andreas Andersson wrote:
> How about replication verification? Can you confirm that its working?
Ok, looking at the screenshot you sent in your first email, replication
settings don't seem to be recognized in my setup (you have an error
below the selected server, showing the server whom is replicated to, but
in my setup there's no such arrow, nor another server).
Any ideas?
--
Peter Boosten
http://www.boosten.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/2
4c567af/attachment.html>
------------------------------
Message: 5
Date: Wed, 26 Jan 2011 22:30:16 +0100
From: Peter Boosten <peter@boosten.org>
To: Peter Boosten <peter@boosten.org>
Cc: Andreas Andersson <zreoxx@gmail.com>,
openldap-technical@openldap.org
Subject: Re: Replication monitoring
Message-ID: <FD5E0DF3-E053-4B3C-ACF9-036DF10834D0@boosten.org>
Content-Type: text/plain; charset="us-ascii"
On 26 jan 2011, at 19:59, Peter Boosten wrote:
>
> On 26 jan 2011, at 19:32, Andreas Andersson wrote:
>
>> How about replication verification? Can you confirm that its working?
>
>
> Ok, looking at the screenshot you sent in your first email,
replication settings don't seem to be recognized in my setup (you have
an error below the selected server, showing the server whom is
replicated to, but in my setup there's no such arrow, nor another
server).
>
> Any ideas?
>
After some testing there's actually more not working, for instance: the
collectsummary.php script doesn;t return any values (all 0), ut if I try
the ldapquery manually, it actually gives non-zero results:
ra% ldapsearch -x -D "cn=root,dc=boosten,dc=org" -W -b
"cn=operations,cn=monitor" -LLL '(cn=modify)' monitorOpCompleted
Enter LDAP Password:
dn: cn=Modify,cn=Operations,cn=Monitor
monitorOpCompleted: 19
and from the cli log:
0 ) modify - Summary Value: 0
0 ) modify - Value NOT Stored to db as it is empty
I'm on OpenLDAP 2.4.23, on FreeBSD.
--
Peter Boosten
http://www.boosten.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/6
f8d9b9f/attachment.html>
------------------------------
Message: 6
Date: Wed, 26 Jan 2011 13:40:59 -0800
From: Anton Chu <anton.chu@telecommand.com>
To: jekvb@gmx.co.uk
Cc: openldap-technical@openldap.org
Subject: Re: Failover Failure Advice
Message-ID:
<AANLkTinuOU6Ec7ghkAbHJWjgVyeyVktfuLQEz_nZ0YgX@mail.gmail.com>
Content-Type: text/plain; charset="iso-8859-1"
I currently have a Master/Slave Failover setup and I'm planning to
deploy
100 ldap clients soon. I'm thinking about installing a Slave LDAP
Server in
all my ldap clients. I'm sure this will bog down the network but can
I
program syncrepl to be less chatty between master and slave? I'm
planning
to point 60 of my clients to the master while the rest will point to the
slave. Your thoughts?
Kindest regards,
Anton
On Tue, Jan 18, 2011 at 3:22 PM, jekvb <jekvb@gmx.co.uk> wrote:
> On Tue, 2011-01-18 at 14:43 -0800, Anton Chu wrote:
>
>
> > I've setup a master and slave ldap service for failover;
>
> My failover construction is a bit different, but it works quite
nicely,
> so I 'd like to share this.
> For a simple and reliable failover I have two LDAP servers in Mirror
> mode with Keepalived on top of it. This is based on having one virtual
> IP for both machines. When the one LDAP server (master) that has the
IP,
> fails, all read & write operations are directed to the backup server.
> When the failed LDAP server comes up again it takes over the IP again
> and SyncRepl on the slave takes care of updating the master.
>
>
> Best regards, Kuba
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/8
2d30fd1/attachment.html>
------------------------------
Message: 7
Date: Wed, 26 Jan 2011 13:49:47 -0800
From: Quanah Gibson-Mount <quanah@zimbra.com>
To: Anton Chu <anton.chu@telecommand.com>, jekvb@gmx.co.uk
Cc: openldap-technical@openldap.org
Subject: Re: Failover Failure Advice
Message-ID: <B575BCC811E6022F6980A86F@[192.168.1.2]>
Content-Type: text/plain; charset=utf-8; format=flowed
100 ldap clients is tiny. Why would you need 100 replicas? Seems
massively overkill to me. If you want a couple of replicas for failover
and load distribution create a few replicas. You shouldn't need one
replica per client...
--Quanah
--On Wednesday, January 26, 2011 1:40 PM -0800 Anton Chu
<anton.chu@telecommand.com> wrote:
> I currently have a Master/Slave Failover setup and I'm planning to
deploy
> 100 ldap clients soon.? I'm thinking about installing a Slave LDAP
> Server in all my ldap clients. ?? I'm sure this will bog down the
> network but can I program syncrepl to be less chatty between master
and
> slave?? I'm planning to point 60 of my clients to the master while the
> rest will point to the slave.? Your thoughts?
>
> Kindest regards,
> Anton?
>
>
> On Tue, Jan 18, 2011 at 3:22 PM, jekvb <jekvb@gmx.co.uk> wrote:
>
>
> On Tue, 2011-01-18 at 14:43 -0800, Anton Chu wrote:
>
>
>> I've setup a master and slave ldap service for failover;
>
> My failover construction is a bit different, but it works quite
nicely,
> so I 'd like to share this.
> For a simple and reliable failover I have two LDAP servers in Mirror
> mode with Keepalived on top of it. This is based on having one virtual
> IP for both machines. When the one LDAP server (master) that has the
IP,
> fails, all read & write operations are directed to the backup server.
> When the failed LDAP server comes up again it takes over the IP again
> and SyncRepl on the slave takes care of updating the master.
>
>
> Best regards, Kuba
>
>
>
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
------------------------------
Message: 8
Date: Wed, 26 Jan 2011 14:56:43 -0700
From: Chris Jacobs <Chris.Jacobs@apollogrp.edu>
To: "'anton.chu@telecommand.com'" <anton.chu@telecommand.com>,
"'jekvb@gmx.co.uk'" <jekvb@gmx.co.uk>
Cc: "'openldap-technical@openldap.org'"
<openldap-technical@openldap.org>
Subject: Re: Failover Failure Advice
Message-ID:
<6C447584419BFE4E83D46E88F81314865336F7F745@EXCH07-05.apollogrp.edu>
Content-Type: text/plain; charset="utf-8"
Overkill.
Setup two slaves behind a VIP.
Point local clients to that vip.
If load is high on them, add nodes.
Setup mirror masters - behind a vip (the prefs one server - no round
robin - active/standby).
Point slaves (and perhaps any local clients) to that vip.
* If using SSL (and you should be), you'll have to use either wildcard
certs or certs using hostname of the vip.
- chris
Chris Jacobs, Systems Administrator
Apollo Group | Apollo Marketing | Aptimus
2001 6th Ave Ste 3200 | Seattle, WA 98121
phone: 206.839-8245 | cell: 206.601.3256 | Fax: 208.441.9661
email: chris.jacobs@apollogrp.edu
________________________________
From: openldap-technical-bounces@OpenLDAP.org
<openldap-technical-bounces@OpenLDAP.org>
To: jekvb@gmx.co.uk <jekvb@gmx.co.uk>
Cc: openldap-technical@openldap.org <openldap-technical@openldap.org>
Sent: Wed Jan 26 14:40:59 2011
Subject: Re: Failover Failure Advice
I currently have a Master/Slave Failover setup and I'm planning to
deploy 100 ldap clients soon. I'm thinking about installing a Slave
LDAP Server in all my ldap clients. I'm sure this will bog down the
network but can I program syncrepl to be less chatty between master and
slave? I'm planning to point 60 of my clients to the master while the
rest will point to the slave. Your thoughts?
Kindest regards,
Anton
On Tue, Jan 18, 2011 at 3:22 PM, jekvb
<jekvb@gmx.co.uk<mailto:jekvb@gmx.co.uk>> wrote:
On Tue, 2011-01-18 at 14:43 -0800, Anton Chu wrote:
> I've setup a master and slave ldap service for failover;
My failover construction is a bit different, but it works quite nicely,
so I 'd like to share this.
For a simple and reliable failover I have two LDAP servers in Mirror
mode with Keepalived on top of it. This is based on having one virtual
IP for both machines. When the one LDAP server (master) that has the IP,
fails, all read & write operations are directed to the backup server.
When the failed LDAP server comes up again it takes over the IP again
and SyncRepl on the slave takes care of updating the master.
Best regards, Kuba
________________________________
This message is private and confidential. If you have received it in
error, please notify the sender and remove it from your system.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110126/d
e56a451/attachment.html>
------------------------------
Message: 9
Date: Thu, 27 Jan 2011 00:37:26 +0100
From: Peter Palmreuther <pitpalme+openldap@gmail.com>
To: openldap-technical@openldap.org
Subject: Re: slapd logging in chroot() environment
Message-ID: <4D40B036.4060202@gmail.com>
Content-Type: text/plain; charset=UTF-8
Hello
On 01/26/11 08:54, Christian Manal wrote:
> Am 26.01.2011 07:31, schrieb Peter Palmreuther:
>> no one with any idea about what to look for?
>>
>> On 01/13/11 9:03 pm, I wrote:
>>> I'm running OpenLDAP 2.4.20 in a chroot()-ed environment on Solaris
10.
>>> I somehow don't get logging working. I don't see any logging making
it's way
>>> through syslog.
[...]
> if you are using Solaris, why don't you just put your LDAP server into
a
> zone? Would be a more "clean" separation from the global zone and you
> have your own syslog deamon in that environment.
I know. But for I don't have much influence on the Solaris configuration
itself. We don't have zones available in our setup ... The operations
section
does not support zones yet. So I'm stuck with what I've got and luckily
OpenLDAP supports chroot() itself ... Except I don't get the logging
running
the way I want.
--
Regards,
Peter
------------------------------
Message: 10
Date: Thu, 27 Jan 2011 08:03:37 +0100
From: Dieter Kluenter <dieter@dkluenter.de>
To: openldap-technical@openldap.org
Subject: Re: slapd logging in chroot() environment
Message-ID: <20110127080337.1b5b58e7@rubin.avci.de>
Content-Type: text/plain; charset=UTF-8
Am Thu, 27 Jan 2011 00:37:26 +0100
schrieb Peter Palmreuther <pitpalme+openldap@gmail.com>:
> Hello
>
> On 01/26/11 08:54, Christian Manal wrote:
> > Am 26.01.2011 07:31, schrieb Peter Palmreuther:
> >> no one with any idea about what to look for?
> >>
> >> On 01/13/11 9:03 pm, I wrote:
> >>> I'm running OpenLDAP 2.4.20 in a chroot()-ed environment on
> >>> Solaris 10. I somehow don't get logging working. I don't see any
> >>> logging making it's way through syslog.
> [...]
> > if you are using Solaris, why don't you just put your LDAP server
> > into a zone? Would be a more "clean" separation from the global
> > zone and you have your own syslog deamon in that environment.
>
> I know. But for I don't have much influence on the Solaris
> configuration itself. We don't have zones available in our setup ...
> The operations section does not support zones yet. So I'm stuck with
> what I've got and luckily OpenLDAP supports chroot() itself ...
> Except I don't get the logging running the way I want.
slapd loggs to local4, configure syslog to listen to the chroot
environment.
-Dieter
--
Dieter Kl?nter | Systemberatung
http://dkluenter.de
GPG Key ID:DA147B05
53?37'09,95"N
10?08'02,42"E
------------------------------
Message: 11
Date: Thu, 27 Jan 2011 08:56:13 +0100
From: "Lehnert, Hartmut" <Hartmut.Lehnert@secunet.com>
To: <openldap-technical@openldap.org>
Subject: meta directory backend and rewriting option '|'
Message-ID:
<516795048E5F5C4AB709C1012B9AEEB403128DAA@mail-srv1.secumail.de>
Content-Type: text/plain; charset="us-ascii"
Hello!
I have a question concerning the pipe option '|' when using the meta
directory backend and rewriting. In the manual pages the '|' option is
marked as "not implemented". Does this reflect the actual state of the
software or has somebody just forgotten to update the man page?
Regards,
Hartmut
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110127/5
1c9a0dd/attachment.html>
------------------------------
Message: 12
Date: Thu, 27 Jan 2011 09:43:18 +0100
From: jarek <jarek@poczta.srv.pl>
To: openldap-technical@openldap.org
Subject: constraint overlay question
Message-ID: <1296117798.4683.10.camel@jlap2.macro.local>
Content-Type: text/plain; charset="us-ascii"
Hello!
I'd like to configure constraint for email attribute, where email is
constructed from DN in the following way:
DN: uid=user, ou=emails, ou=domain.name, ou=domaingroup, ROOT_DN
=>
email: user@dmain.name
Is it possible ?
best regards
JT.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110127/f
802a6aa/attachment.html>
------------------------------
Message: 13
Date: Wed, 26 Jan 2011 11:05:00 -0800
From: Vincent Li <vincent.mc.li@gmail.com>
To: openldap-technical@openldap.org
Subject: openldap memberof attribute
Message-ID:
<AANLkTinHdq1h6Y=Mgp5oFGkWo1etuLF1=CpHQLapc3rA@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1
Hi,
I am doing remote authentication using OpenLDAP to login BIGIP, BIGIP
has a feature called remoterole to search attribute 'memberof' from
LDAP server and once found the attribute, assign the remote user a
role defined in various groups like admin, operator... the feature
works for Active Directory, but I am unable to make it work for
OpenLDAP, I couldn't find 'memberof' attribute in OpenLDAP schema, so
I created the 'memberof' attribute in core.schema as below:
[root@centos-vli schema]# diff -u core.schema core.schema.orig
--- core.schema 2011-01-24 23:54:42.000000000 -0800
+++ core.schema.orig 2011-01-24 23:46:11.000000000 -0800
@@ -345,10 +345,6 @@
DESC 'X.520(4th): pseudonym for the object'
SUP name )
-attributetype ( 2.5.4.66 NAME 'memberof'
- DESC 'RFC2256: member of a group'
- SUP distinguishedName )
-
# Standard object classes from RFC2256
# system schema
@@ -425,7 +421,7 @@
objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
- MUST ( member $ memberof $ cn )
+ MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description
) )
objectclass ( 2.5.6.10 NAME 'residentialPerson'
and here is my sample ldif file:
dn: ou=groups,dc=example,dc=com
objectclass:organizationalunit
ou: groups
description: generic groups branch
# create the itpeople entry under groups
dn: cn=administrator,ou=groups,dc=example,dc=com
objectclass: groupofnames
cn: administrator
description: bigip admin group
member: uid=user5,ou=people,dc=example,dc=com
dn: uid=user5,ou=People,dc=example,dc=com
uid: user5
cn: user5
objectClass: top
objectClass: posixaccount
objectClass: shadowaccount
objectClass: groupOfNames
userPassword: secret
shadowLastChange: 14997
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 505
gidNumber: 505
homeDirectory: /home/user5
member: cn=administrator,ou=groups,dc=example,dc=com
memberof: cn=administrator,ou=groups,dc=example,dc=com
I can login BIGIP fine with user5, but I can't get the administrator
role defined in BIGIP, is it something I configured wrong in OpenLDAP
or the problem is on BIGIP
Thanks
Vincent
------------------------------
Message: 14
Date: Wed, 26 Jan 2011 17:12:50 -0800 (PST)
From: Tim Gustafson <tjg@soe.ucsc.edu>
To: openldap-technical@openldap.org
Subject: deleting schema elements from cn=config
Message-ID:
<2071017051.85340.1296090770606.JavaMail.root@mail-01.cse.ucsc.edu>
Content-Type: text/plain; charset=utf-8
Hi,
I'm trying to understand how to delete a schema element. I'm running
slapd 2.4.23 on FreeBSD 8.1. When I try to run ldapdelete:
ldapdelete -H ldap://localhost -D uid=tjg,cn=config -W -x
'cn={7}java,cn=schema,cn=config'
I get the following in the log file:
----------
daemon: read activity on 18
daemon: select: listen=6 active_threads=0 tvp=zero
connection_get(18)
connection_get(18): got connid=1068
connection_read(18): checking for input on id=1068
op tag 0x4a, time 1296090324
conn=1068 op=1 do_delete
>>> dnPrettyNormal: <cn={7}java,cn=schema,cn=config>
daemon: activity on 1 descriptor
<<< dnPrettyNormal: <cn={7}java,cn=schema,cn=config>,
<cn={7}java,cn=schema,cn=config>
conn=1068 op=1 DEL dn="cn={7}java,cn=schema,cn=config"
send_ldap_result: conn=1068 op=1 p=3
send_ldap_result: err=53 matched="" text=""
send_ldap_response: msgid=2 tag=107 err=53
daemon: waked
daemon: select: listen=6 active_threads=0 tvp=zero
conn=1068 op=1 RESULT tag=107 err=53 text=
daemon: activity on 1 descriptor
daemon: activity on:
18r
----------
cn={7}java,cn=schema,cn=config is empty; I've already deleted all the
objectClass and attribute definitions from it, but now it seems I can't
delete the schema entry itself. What am I doing wrong?
Tim Gustafson
Baskin School of Engineering
UC Santa Cruz
tjg@soe.ucsc.edu
831-459-5354
------------------------------
Message: 15
Date: Thu, 27 Jan 2011 12:11:52 +0100
From: Michael Str?der <michael@stroeder.com>
To: Vincent Li <vincent.mc.li@gmail.com>
Cc: openldap-technical@openldap.org
Subject: Re: openldap memberof attribute
Message-ID: <4D4152F8.1080705@stroeder.com>
Content-Type: text/plain; charset=ISO-8859-1
Vincent Li wrote:
> I couldn't find 'memberof' attribute in OpenLDAP schema, so
> I created the 'memberof' attribute in core.schema as below:
The overlay memberof is what you're looking for.
man 5 slapo-memberof
Ciao, Michael.
------------------------------
Message: 16
Date: Thu, 27 Jan 2011 11:30:04 +0000
From: Mark Cairney <mark.cairney@ed.ac.uk>
To: openldap-technical@openldap.org
Subject: MemberOf attribute not being returned
Message-ID: <B1F4834F-6D92-4727-962F-50CCC187EF5D@ed.ac.uk>
Content-Type: text/plain; charset="us-ascii"
Hi,
I'm sure this was working in the past on this server but Im now not
getting anything returned when I request the memberOf attribute.
I compiled OpenLDAP 2.4.23 with the following flags:
./configure --prefix=/usr/local/authz --enable-meta --enable-ldap
--enable-bdb --enable-monitor --enable-syncprov --enable-translucent
--enable-memberof --enable-dyngroup --enable-dynlist --with-threads
--with-tls --with-cyrus-sasl --enable-syslog --enable-spasswd cd make
depend make make test make install
I'm using slapd.d and I have the following in
/usr/local/authz/etc/openldap/slapd.d/cn=config/olcDatabase={1}bdb
olcOverlay={0}dynlist.ldif
olcOverlay={1}memberof.ldif
olcOverlay={2}syncprov.ldif
The contents of olcOverlay\=\{1\}memberof.ldif are:
dn: olcOverlay={1}memberof
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcMemberOfDangling: ignore
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: posixGroup
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
structuralObjectClass: olcMemberOf
entryUUID: 4d5a3aa8-fbac-45c9-b259-941d13e02724
creatorsName: cn=config
createTimestamp: 20100318151149Z
entryCSN: 20100318151149.488341Z#000000#003#000000
modifiersName: cn=config
modifyTimestamp: 20100318151149Z
olcOverlay: {1}memberof
The log is attached.
--
The University of Edinburgh is a charitable body, registered in
Scotland, with registration number SC005336.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openldap.log
Type: application/octet-stream
Size: 8033 bytes
Desc: not available
URL:
<http://www.openldap.org/lists/openldap-technical/attachments/20110127/8
e561efe/attachment.obj>
-------------- next part --------------
Any ideas? The only thing I've changed recently is the ACLs
Kind regards,
Mark
/*********************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: mark.cairney@ed.ac.uk
*********************************/
------------------------------
_______________________________________________
openldap-technical mailing list
openldap-technical@openldap.org
http://www.openldap.org/lists/mm/listinfo/openldap-technical
End of openldap-technical Digest, Vol 38, Issue 26
**************************************************
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5823 (20110127) __________
The message was checked by ESET NOD32 Antivirus.
http://www.esetnod32.ru/.ml
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 5825 (20110127) __________
The message was checked by ESET NOD32 Antivirus.
http://www.esetnod32.ru/.ml