<0> hi folks
<0> is somebody using sun directory server
<0> .
<0> ?
<1> some are, others don't
<0> i just want to ask some question
<1> ask, then wait.. it's a channel of lurkers and idlers
<0> i want to replicate just a subbranch of my DIT
<0> i'm using directory server 2005q4
<2> G'day folks. I'm having trouble searching my ldap tree using a boolean for a filter. filter: "isAC=TRUE" it always returns no records even though I know for a fact that there's 20 of them
<3> hello, i have looking for a Active Directory + LDAP synchronization.. any tips?
<4> Hi -- does anyone know anything about setting up openldap with SSL (I'm using Gentoo Linux, specifically) and a lovely error:14077410:SSL routines:SSL23_GET_SERVER_HELLO:sslv3 alert handshake failure ?
<5> why on earth is the userPassword attribute suffixed with two :: instead of one?
<5> createTimestamp: 20060316134428Z
<5> userPassword:: 5e98af9222038iRGeFJYY0ZkSjY=
<5> cn: root
<1> sven: :: in ldif means the value is base64-encoded
<6> sven, it's base64 encoded
<6> sven, but, it doesn't look valid:
<6> echo "5e98af9222038iRGeFJYY0ZkSjY="|openssl base64 -d
<6> |ivm7$FxRXcFdJ6
<7> is there any way to do a numerical comparison with "<=" ?
<7> because a filter of shadowExpire=42 works, but a filter of shadowExpire<=43 does not
<5> ah, thanks
<5> _ranger_: i obfuscated the numbers a bit
<5> o m g
<5> i just solved a long standing crapalicious problem with ldap+pam+ssh
<5> all i needed to do was to restart sshd.. jeez
<5> none of the howtos i read mentioned that.. and i think it's fixed in a later version of debian
<6> Celestar, AFAIK the schema doesn't have an ordering rule ... so you can't
<6> if you add one, you should be able to
<7> _ranger_: any docs how to do this or any way find expired user accounts?
<8> hello
<8> i've created addressbook on openldap, but it's not browsable by outlook
<8> why?
<1> swarog: ACLs? firewall? binding? try adding "allow bind_v2" at the top of your slapd.conf and restart your server
<8> Gagatan: already there
<8> i can access it, with search i do get response
<1> aha.. ok.. well - I'm nowhere near using outlook - so I can't help you any further
<8> but when you click on address book you should get browsable list, without searching
<8> i don't use it either but ... company does
<1> yep.. company usually ****s with regards to mua
<6> swarog, AFAIK, this is a limitation in Outlook
<6> probably an intentional one
<1> anyone know of a faster pastebin than pastebin.com? preferably with php syntaxhighlighting
<6> pastebin.ca ?
<9> hello
<9> I want to allow specified users to login on specified boxes
<9> (with auto-creating ~) - any suggestion to doc
<6> IceD^, uh, no, just read the man page for pam_ldap ...
<1> IceD^: use group or host-based access in combination with pam_mkhomedir
<9> host based - how
<9> ldif example if possible
<9> or doc
<9> I'm even not sure which type of object host should be
<9> probably pam_member_attribute will go for this purpose... but in this case /etc/ldap.conf will be different on each box - which is not good
<9> nss_base_hosts probably?
<9> pam_filter |(host=example)(host=\*) - should work
<6> IceD^, pam_check_host_attr ????
<6> and, host would be an attribute, eg the one defined in ldapns.schema as distributed with nss_ldap
<9> pam_filter works
<9> ahha
<9> pam_check_host_attr looks like more flexible way
<9> _ranger_: thnx!!!!
<9> the only thing left to implement is sudo now :)
<10> _ranger_: I gave up on replicating glued databases with syncrepl
<10> I changed the consumer to have two databases and also use glue, so I have two replications
<10> this works
<10> my guess is syncprov/syncrepl gets confused when the provider uses glue, because the CSNs of the two databases are unrelated
<6> ahasenack, did I reply to that effect or not?
<6> no, I still have a draft
<10> hmm?
<6> I have an email draft in reply to your "contextCSN and glue'd databases" mail
<6> I think loading glue then syncprov with one consumer db may have some weird issues (vs syncprov then glue with one consumer for each real db)
<10> ah
<10> the slapd.conf manpage implied this should work (loading glue and then syncprov to provide one view for both databases)
<10> but it's not working at all
<10> I did several tests last week, two full days
<6> ahasenack, I mentioned to hyc on irc a while back (2.3.24 days) that glue, syncprov did not work for me, where syncprov, glue did
<10> but then you need one syncprov for each database, right?
<6> yes
<9> hmm
<6> that's how we're running at present
<9> why I can't add object class sudoRole into user entry?
<6> because it is structural
<6> and, there is no reason for it to be associated with a user
<9> hmm
<9> ok - make sense
<6> eg, most of ours have sudoUser: %somegroup
<9> I'd like to have per-user configuration, so I'll need to duplicate the users tree
<9> no big deal however
<6> no
<6> you can have multiple sudoUser entries
<9> sure I can :)
<6> in one sudoRole object
<6> so, no need to "duplicate the users tree" IMHO
<9> but the problem is that almost every user should have VERY different permissions on different hosts
<6> of course, you can have multiple sudoHost attributes in an entry, and multiple sudoCommand in one entry
<6> IceD^, yes, but you may have lots of users who need the same command on one host
<9> yeah
<6> so, don't force your sudo rules to be user-specific, when you may really want them host-specific, or the other way around
<9> the problem - sudo simply ignores ldap
<9> (emerging ex-ethereal now, but maybe there are some common problems)
<6> IceD^, you have your sudoers_base in /etc/ldap.conf ?
<9> yeah
<9> hmm - it looks like it's not performing any query on sudoers
<9> doublechecked - it simply reports that I'm not in sudoers file and not performing any ldap queries
<9> and sudo is linked to libldap
<6> there is a way to debug the ldap bits ..
<6> see the "Debugging your LDAP configuration" section of README.LDAP in the sudo docs
<9> already set sudoers_debug 2
<9> no single entry in logs
<6> IceD^, maybe it's using a different ldap.conf
<6> are you using sudo from a supplied package, or did you compile it yourself ?
<9> emerged it - gentoo
<9> hmm - actually there is smth strange in the logs:
<9> Aug 21 17:58:55 [sudo(pam_unix)] authentication failure; logname= uid=0 euid=0 tty=pts/5 ruser= rhost= user=iced
<9> Aug 21 17:58:55 [sudo] iced : user NOT in sudoers ; TTY=pts/5 ; PWD=/home/iced ; USER=root ; COMMAND=/bin/ls
<9> but it accepts ldap password (I don't have local iced user) and displays that `not in sudoers` message
<6> yes, but authentication and configuration are different things
<6> your ldap password is going via pam
<6> but, configuration does not go via pam
<6> the authentication failure is normal depending on your pam setup
<6> if sudoers_debug 2 is showing no debugging output, then you may have the wrong ldap.conf
<6> I don't think you can strace debug, so it's not easy to see what it is doing ...
<6> ah, you can strace it as root, so ... try see what strace (maybe with -e open) does
<9> from root - no luck I think
<9> only if I'll remove /etc/sudoers
<6> ?
<6> ??
<9> ok - does strace
<9> open("/etc/ldap.conf.sudo", O_RDONLY) = 3
<9> stupid bastards
<9> WORKS NOW!!!
<6> you'd think they would patch the docs too ....
<9> _ranger_: whooooa - everything works perfectly now
<6> cool
<11> While attempting to set up openldap (v 2.2.23), I've been unable to set up an admin user. I tried adding: rootdn "cn=admin,dc=foo,dc=org" and rootpw {SSHA}A2342AEADSdasdfa323 to slapd.conf.
<11> however, when I try to start slapd, I get an error indicating that my rootdn is invalid.
<11> the debug output is here: http://papernapkin.org/pastebin/app/view/1098
<11> any insight/pointers would be greatly appreciated
<6> sohmestra, pastebin your slapd.conf as well ...
<6> sohmestra, it's difficult to deduce your config from the debug output
<11> _ranger_: posted at http://papernapkin.org/pastebin/app/view/1099
<6> sohmestra, try without the single quotes
<6> just to be sure
<11> _ranger_: good call. I tried it with double quotes and it seems to work now. thanks
<12> sohmestra: compare:
<12> 238. <= ldap_dn2bv(dc=hrcsb,dc=org)=0 Success
<12> 251. <= ldap_bv2dn('cn=admin,dc=hrcsb,dc=org')=-4 Decoding error
<12> the single quotes are not treated as quote characters, but literals, i guess