@# Quotes DB     useful, funny, interesting






<0> hi _ranger_
<0> whats up
<1> hey guys...I'm trying to setup a small test server on my LAN. For a suffix, I don't need a FQDN right?
<1> I could just use my hostname?
<2> suffix can be whatever you want it to be. Though the overwhelming convention is to use fqdn for the network the server serves to
<2> with s/\./,dc=/g of course
<1> okay
<1> so when I'm setting up slapd..
<2> yes...?
<1> slapd.conf I mean...
<1> when I am setting up the database, suffix, rootdn, rootpw
<1> that's the actual root container and password for it?
<2> when you're setting up the server you can declare the main suffix to be whatever you want it to be. Naturally when setting up clients they must ask for the same suffix
<1> okay...and what is the password used for?
<1> for administrative rights?



<2> when you set up the server you need to set up a user that has access to the directory/database. that's what the rootdn and rootpw are for.
<1> okay..gotcha
<2> (otherwise you could never add anything to the db/dir)
<1> that makes sense..
<2> some docs suggest removing this account once you have everything set up and have other user accounts that allow administrative/topological access
<3> well, you can of course populate the DB using slapadd, and not need the rootdn at all.
<1> thats what I'm kind of confused about
<1> slapadd is used to populate the Directory..
<3> slapadd is a bulk load tool.
<3> it's intended to be used when slapd is not running.
<1> but I would need rootdn, rootpw for administrative rights?
<1> okay..
<3> it accesses the backend APIs directly, it doesn't go through the LDAP protocol. So it doesn't need to start with an LDAP Bind, so it doesn't need rootdn/rootpw.
<2> ldap* accesses the db via the ldap protocol with authentication, verification, and all that. slapd* just hacks on the db directly bypassing those things
<3> in general, you should use ldapadd.
<3> but if you've done a dump of an existing DB using slapcat, it's generally OK to reload it using slapadd.
<3> i.e., when you know your LDIF is well-formed / legal / correct ...
<4> does LDAP similar like active directory in windows server? i would like to employ authentication on each computer for permission (share file/directory, install software, change registry, etc)
<4> is that possible use LDAP to do that? i will use LDAP installed in debian
<4> because microsoft windows server license is too expensive :(
<5> any way to solve openldap's limit to 1024 open files?
<4> sorry got dc..
<4> does LDAP similar like active directory in windows server? i would like to employ authentication on each computer for permission (share file/directory, install software, change registry, etc)
<4> is that possible use LDAP to do that? i will use LDAP installed in debian
<4> because microsoft windows server license is too expensive :(
<4> any answer related to my question before
<6> anyone around?
<7> no.
<7> we're all square.
<6> lmao
<6> is there anyway to make ldap do a command like the unix groups command?
<6> like if i do a groups someuser it shows me all their groups... even secondary
<7> "do a command"?
<6> is there any command that will do that :)
<6> bad wording..
<6> its late here ;)
<7> nss_ldap is what you're looking for.
<6> eh?
<7> and pam_ldap.
<6> i have those setup
<6> so if i remove the user from /etc/groups and /etc/gshadow files it will still show them in their groups?
<6> because they are in the ldap tree?
<7> then use "getent passwd" or "getent group"
<7> NEVER remove /etc/groups and /etc/gshadow
<6> ok ... what is getent exactly?
<7> man getent
<7> RTFM!
<6> there is no manual entry
<6> mail etc # man getent
<6> No manual entry for getent
<6> i will google it
<6> not exactly what i am wanting
<6> here is the output i have right now.
<6> mail etc # groups rnance
<6> root adm users portage admin everyone teachers MEC webpage login reading athena myweb localadmins dragon 3dhome mtmm
<6> say i remove that user from the login group in ldap... will groups rnance still reflect that?
<6> let me rephrase this entire conversation ;)
<6> is there anyway to check a user and see ALL the groups they belong to?
<6> i mean i can check the group and see what users are in it... but i want to be able to query the user and see what groups they belong to
<6> not just their primaryguid



<6> gie
<6> gid
<6> blah
<1> hey guys...
<1> not sure what I'm doing wrong here. I configured a database through the slapd.conf file, and I'm trying to add stuff into the directory using slapadd. I'm getting the following errors...
<1> http://pastebin.ca/100532
<8> hi guys
<9> anybody know a good full documentation to learn from scratch how to use openldap ?
<9> i am not looking for a specific "how to" but a general documentation
<9> and if possible, not outdated
<10> morning, is it possible to include attributes in self-defined schemas when using ldapsearch? i'm seeing those attributes in the output of slapcat but not when doing an ldapsearch. any pointers appreciated
<10> never mind, damn those acls
<10> so long
<11> hello
<12> when i try to BIND to LDAP using the Manager account I get this in the log: RESULT tag=97 err=49 text= anyone know what it means?
<13> err=49 is invalidCredentials. Wrong password, DN does not exist, access controls do not give 'auth' access to userPassword, or whatever.
<14> hi, i have openldap 2.3.24-r1 and freeradius 1.1.1-r1 installed on 2 servers. On one server it works perfect, but on the other server i got after 1-2 correct user check error messages. If i use on that fail server the ldap address of the other server it works well. So i think its a ldap problem but what is problem? (configurations of ldap and radius are the same (only ip addresses and ldap sync settings different) and the ldap database is sync).
<15> Hello, I have openldap using bdb backend and the db is corrupt. I have two ou's hosting and dns. the ou=dns portion is corrupt. Is it possible to just delete everything in the ou=dns section, without affecting the ou=hosting section?
<15> Currently, requests for anything in the hosting section work. but the dns section doesn't and after a request to the dns section, the ldap server times out.
<16> KevinBooks: have you tried using db_recover against the berkeley environment?
<15> converter: I've got /usr/sbin/slapd_db_recover and I ran it, but it didn't fix anything
<16> hmm. not sure what that is, but it's probably a wrapper around the db_recover util. did you run it from the actual slapd data directory?
<15> yes
<16> you might try the actual db_recover util, although, if you have multiple versions of bdb installed you'll have to figure out which one to use (they're versioned: db4_recover, db4.1_recover, etc.)
<15> I've only got the one db4 installed. the slapd_db_recover causes ldap to stop responding
<16> KevinBooks: yeah, you need to stop slapd before you do anything that works directly on the berkeley environment.
<15> oh ok
<15> it worked
<15> thanks
<16> you're welcome
<12> how do you make it possible for other computers than localhost to BIND to the LDAP directory using the Manager account?
<13> If you authenticate with a plaintext password: Get/create a server certificate and set up TLS/SSL support, so the password can be transferred encrypted. Maybe listen to ldaps:// in addition to ldap://. Connect to ldaps:// or use the -ZZ option. Bind.
<13> With ldapsearch & co you use the -W option to get the client to ask for password, and specify the manager DN with the -D option. See also the OpenLDAP Admin guide at www.openldap.org.
<16> allowing remote bind as the manager account is a really bad idea, no?
<12> hbf: all that just to use the manager account remotely?
<14> how can i control how much slurps are started?
<13> Sonderblade: All that to bind as any account with a password.
<13> You don't _need_ TLS, but without it the client will transfer the password unencrypted.
<12> hbf: i can bind other accounts but just not the Manager account
<13> converter: As for the safety of using the manager account remotely, that depends on how well you protect the passwords and so on. After all, if you use it from localhost you'll have to log in to that with a plain Unix password or something.
<13> Sonderblade: Then look for the access controls in slapd.conf which disables Manager binds. At least if you are using OpenLDAP. Are you?
<16> hbf: right. i never enable the manager (root, here) account unless i need it
<12> hbf: yes, what exactly should i look for?
<13> Sonderblade: Don't remember really. But check for anything which mentions the manager account i guess. Or if there are some special "allow"/"disallow" directives.
<13> Or anything which mentions the IP address localhost or 127.0.0.1 but does not give access to anything else.
<13> Um, what is the error message when you try to bind as manager remotely?
<12> hbf: err=49
<13> Ah, invalidCredentials. OK, that's likely access controls.
<12> hbf: but i know the password is correct...
<13> ...so maybe you have access controls on the IP address which only accepts the password from localhost. (assuming it does work from localhost, but I think you said that.)
<12> hbf: where would i find those access controls? i can't find any in ldap.conf or slapd.conf
<13> Um, _does_ it work from localhost?
<12> oh wait
<12> im really sorry, i screwed up - the dn i used to connect was wrong
<13> :-)
<12> when you do an ldapsearch, is it possible to specify that you only want to search objects below the specified searchbase?
<3> it is impossible to specify that you want to search anywhere but below the searchbase.
<17> hi there, I have a big question
<17> i'm using the pam_ldap module to authenticate against an ldap server
<12> hyc: yeah, but the object i'm searching from is also returned in the result list, i dont want that
<17> I added a user called "root" with the posixAccount attribute loginShell set to /bin/false
<17> and it allowed me to login as root
<17> what am i doing wrong?
<3> Sonderblade: sounds like you want subordinate search scope. I think that's still a pretty new extension, current OpenLDAP supports it but probably nothing else.
<12> hyc: is 2.3.24 too old?
<3> that's current.
<13> Depending on where you are searching, filter (&(...whatever...)(!(objectClass=<base object's class>))) may work.
<13> or scope=one, if you do not need full subtree search.
<12> hbf: what i want is exactly the opposite of scope=one :)
<13> The opposite of scope=base I think you mean
<12> yeah
<18> Hey all. I have an openLDAP<-->SASL<-->krb5 server set up for authentication on my network. I have the linux clients integrated just fine, with single signon and the whole deal. Now, I'm working on getting the windows clients into the new system. I am trying to use pGina to do it, but it seems like the LDAP plugin for pGina doesnt want to play nice with GSSAPI and krb5. Has anyone else successfully accomplished this?
<3> since your authentication is being handled by krb5 anyway, why are you going through LDAP at all?
<3> Windows clients can do krb5 natively. just use that.

