<0> that worked
<0> thanks hbf
<0> and kon :)
<1> BTW, we've set up our directory so that "simple" searches with -b dc=uio,dc=no only find info that normal people would find "interesting". Users, groups etc are not searched unless one explicitly uses DN cn=users,cn=system,dc=uio,dc=no.
<0> ah smart :)
<2> Hello :)
<2> so... any views on http://directory.fedora.redhat.com/ ?
<2> is this better than openldap? Should I use http://diradmin.open-it.org/ to administer?
<3> MartinCleaver: You may want to join #fedora-ds if you want more information.
<4> MartinCleaver, but, I wouldn't base my choice of ldap server on what the directory administrator author says
<2> what would you use?
<2> http://directory.fedora.redhat.com/wiki/FAQ#How_is_Fedora_Directory_Server_different_from_OpenLDAP.3F tells me nothing
<5> I get the impression that most people on this channel use OpenLDAP
<5> but, the number of people who actually speak up, vs the number present, is pretty small, so no idea.
<6> so far as I've been informed, that's the case. For fedora's and sun's versions #fedora-ds is a bit better, though less populous
<7> I use openldap. :P
<6> I use SunONE DS :p
<6> (unfortunately)
<7> I used to use SunOne DS
<7> well
<7> Netscape DS prior to it being sunone DS. :P
<7> then it started corrupting all my data and crashing all the time
<7> and data loads took 22+ hours
<7> now my data loads take 2.5 hours on similar hardware, and about 20 minutes on modern linux hardware.
<7> and it doesn't corrupt
<7> so life eez good.
<6> I haven't noticed it corrupting data, but I have noticed it being otherwise buggy
<7> well, that was the nice thing about it. It didn't *tell* you it had corrupted data
<7> if you just happened to hit a corrupted spot of data, you were screwed
<7> eventually, so much of it got corrupted, that happened pretty often. ;)
<6> we're still in the pre-test setup from switching over a fairly complex nis schema, and I've had to wipe and reinstall it once already
<6> of course we're dealing with a lot of sparc systems so I'm not sure how feasible it would be to switch to openldap
<7> ??
<7> oh
<7> was going to say, we used OpenLDAP on sparc for years
<5> solaris automounter is unable to use PADL nss_ldap
<5> it has its own nss LDAP code statically linked in.
<7> autoloader is for NFS?
<7> or what?
<7> never used it myself. ;)
<7> but our solaris systems get password information from our OpenLDAP servers
<6> well, if things get too hairy I might be able to convince them to switch (we're about 60/40% solaris/linux)
<7> well, password file information (but not passwords themselves)
<6> yeah, for nfs/autofs
<7> ah, yeah, we use afs
<6> through ldap? linux or solaris?
<7> we use AFS on windows, linux, solaris, and OS X
<7> we use LDAP for storing the login information, for linux, solaris, and OS X
<7> we use Kerberos for storing passwords
<6> AFS == AndrewFS or autofs?
<7> AndrewFS
<8> re
<8> i don't seem to be able to add the root node to openldap
<8> getting "ldapadd: no attributes to change or add"
<8> or... "additional info: no structural object class provided"
<4> TPABKA, 2nd one seems to indicate you've re-used your rootdn as replicadn ...
<4> TPABKA, for the first one, paste your ldif at pastebin.com
<9> this sounds like two things to me... ldapadd with an entry that already exists, so there's nothing different (nothing to change or add), and the second being adding an entry that has no structural objectclass, i don't think he's even close to being as far as replication
<4> hmm, entry that doesn't exist should give err=68 already exists, but you're probably right on the 2nd one
<4> (BTW, Hi JoBbZ_ )
<5> 1st one is also possibly feeding an LDIF entry to ldapmodify instead of ldapadd
<9> heya ranger :)
<5> or vice versa...
<9> blah, nickserv is being me to me
<9> mean to me
<9> back to watching stargate. ;)
<5> stargate? are new episodes starting yet?
<5> guess I missed the beginning of this season already
<10> morning
<10> I'm about to set up an LDAP server for user management (nss). LDAP will also be samba backend, user authentication will happen via kerberos. Where do I find LDIFs to do some initial population of my database?
<11> you have to write them
<10> grmbl: nothing to download?
<10> so I need computers, groups, users .. righty?
<10> *me scratches head* where do I enter phone numbers now :o
<10> If I have a dn of objectClass inetOrgPerson, there should be attributes like "Telephone", right?
<12> Celestar: I know it's an obvious thing to say, (I really don't know the answer), but check out the schema
<12> it's well documented
<10> Stonekeeper: I'm just not all too familiar with the syntax of schema files
<12> ok
<10> thanks anyway
<12> hey, Celestar, do you know anything about replicated subordinates?
<10> nope
<10> I'm a total ldap newbie :)
<12> I wonder what people use for replication these days. There's slurpd and syncrepl
<5> slurpd is about to disappear from openldap 2.4
<12> hyc: ok. can syncrepl sync many databases into one?
<5> ? no, replication is one context to one context.
<12> er, yes. sorry, i meant can it replicate a.tree.example.org as a subordinate of tree.example.org
<12> IE, replicate a whole tree to a subtree (but have the same context)
<5> I still don't see what you mean
<5> do you have this setup currently working with slurpd?
<12> er... i haven't tried yet.
<12> I'm not very good at explaining things
<5> why do you have many separate databases in the first place?
<12> well, that's a samba issue and poor wan links. But i don't want to talk samba here obviously :)
<5> and why wouldn't you just keep replicating them as separate databases?
<12> i want to create a "super tree" which can search all trees. I know i can do this with subordinates
<5> yes
<12> but i would like to use replicated subordinates so it doesn't traverse the wan links each time
<5> so do that.
<12> so that _is_ possible?
<5> of course.
<12> i guessed it might be, but wasn't sure. So can you replicate a number of databases into one tree?
<5> no.
<5> you replicate each subordinate database into the corresponding subordinate.
<12> so you can have, say, 4 subordinates defined in one slapd.conf?
<5> you can have as many DBs as you want.
<5> as many as you have memory for, anyway.
<12> ah ok, that's what foxed me
<12> for some reason i thought you could only have one. strange...
<12> hyc: do you know of a URL with some info on this and syncrepl? I don't want to generate noise! :)
<5> why would there be a subordinate feature, if you could only have one DB?
<5> no logic...
<12> i thought subordinates referenced external dbs
<5> www.openldap.org of course.
<5> read the Admin Guide for starters.
<12> ok thanks
<10> hm .. should one use TLS, SSL or both?
<5> TLS and SSL are the same
<10> I mean SSL via StartTLS or SSL via LDAPS?
<5> you can only use one or the other.
<10> and which is preferable?
<5> depends on your clients. StartTLS is LDAPv3. LDAPS is LDAPv2+.
<13> TLS and SSL aren't really *quite* the same. TLS implies negotiation, does it not?
<5> nobody should be using LDAPv2 for anything any more.
<5> no, TLS implies no such thing.
<10> because currently I'm using StartTLS and it works nicely. only problem is, how do I prevent no-encryption-access?
<5> in OpenLDAP see the "security" keyword in slapd.conf(5)
<10> ok
<10> I just need to set the ssf .. nice
<13> 'Scuse me, but StartTLS does imply at least the possibility of negotiation. One side or the other may not choose to allow, say, non-encrypted connections, but StartTLS *is* a mechanism to allow for the possibility.
<5> StartTLS is an LDAP request. TLS is TLS is SSLv3.1 is SSL.
<13> StartTLS is not LDAP-specific. StartTLS is used in conjunction with multiple protocols, incl, for example, SMTP.
<5> In this conversation, we're only talking about LDAP.
<5> There is a specific LDAP extended operation called StartTLS.
<10> cool it works
<10> thanks hyc
<5> n/p Celestar
<5> What other protocols do is not part of this conversation...
<10> so why should I use SASL instead of "simple" authentication?
<1> LordBurrito: SMTP and LDAP both have an operation they call StartTLS. It's not the _same_ operation, since sending an SMTP request over LDAP or vice versa wouldn't work too well.
<5> Using SASL lets you use plain usernames instead of Bind DNs
<10> ah ok
<5> aside from that, in the absence of TLS, some SASL mechs can provide an encryption layer in addition to strong authentication