<0> aside from that, in the absence of TLS, some SASL mechs can provide an encryption layer in addition to strong authentication
<0> you can use SASL+TLS together and get the combined encryption, but that's probably overkill.
<1> hyc & hbf: I understand this. However both LDAP and SMTP share this in common: StartTLS provides for encrypted/non-encrypted connection requests. Same for pop3s. Whereas straight SSL connections (e.g.: SMTPS) do not: They're SSL-only. My only point is "SSL" != "TLS".
<2> well, considering all my ldap traffic stays within this switched LAN, it might really be overkill
<0> LordBurrito: The semantics of the StartTLS request change nothing about the fact that TLS is SSL.
<1> Never mind
<0> There are two separate layers at work here, you are confusing them with each other.
<0> TLS and SSL are transport layer protocols.
<0> StartTLS is an application layer request.
<2> Transport Layer? like TCP?
<0> like TCP, but actually layered right on top of TCP.
<2> I was assuming SSL to be layer 5 :o
<3> In ldap, connecting to the 'ldaps://' port gives you a connection which is in the same state as the ldap:// port is after a StartTLS success response. (Except that you can't "downgrade" to non-TLS again). So StartTLS and ldaps:// are just different ways to start what is otherwise the same protocol.
<3> It may be convenient to call one SSL and the other TLS, but that's not the official terminology.
<0> actually according to the OSI stack, SSL is layer 6, presentation layer. my mistake.
<2> hyc: ok :)
<0> well, considering the use of ssh tunneling and IPv6 tunneling, it's all a mess now anyway...
<2> the boundaries between the layers have become blurred somewhat
<0> yes
<2> considering most "Switches" are not level 2 as well anymore
<3> What do you expect - OSI is politics :-)
<0> yeah, true 'nuff
<0> the point that LordBurrito was ignoring is that SSL and TLS have very specific definitions.
<0> StartTLS is just a way of enabling the use of SSL/TLS. it is not SSL or TLS.
<0> That makes as much sense as saying my car key is my car ...
<2> my car doesn't have a key :P
<2> but ok :P
<0> one bad analogy after another...
<4> hyc: you know we were talking about replication? If I'm replicating a tree into a subtree of the master tree, do I need to use subordinates at all? Wouldn't it just appear as one tree anyway?
<0> if you were using slurpd it probably would make no difference
<0> but for syncrepl, you can only have one consumer per database
<4> ah ok
<0> if all of the providers are glued into a single tree, then a single consumer could pull it all down.
<4> so basically, create, say, 5 slave dbs on the master, then one main db on the master with referral entries to the other five using ldap://localhost/ as the URI?
<0> referrals? no. subordinate glue.
<0> see the subordinate keyword in slapd.conf(5)
<4> oh, I was reading the subordinate section of the admin guide and it only mentions referrals...
<5> i'm using Samba PDC + openldap/pam backend
<5> after creating a new group and adding users, samba can see it .. but for some reason PAM is unable to get the group mappings right
<5> i do 'id user', and it isn't able to detect the new group
<5> even in samba i log off the user and relogin and still it can't detect the new group info
<0> pam doesn't do ID or group mappings.
<5> how do i make "PAM" refresh the group mappings? even a restart of the openldap server has no effect
<5> eh hyc ?
sure it does if you have the pam_ldap and nss_ldap plugins
<0> pam_ldap only does authentication. nss_ldap does mappings, yes. nss is not pam.
<5> k, how to fix the nss ldap thingy? every time it works right only after i reboot
<0> define "it" and "works right"
<5> i create a new group "abc", and add user xyz
<5> until i reboot, linux refuses to recognize what i've done
<5> it insists user xyz is NOT part of group abc
<0> you running nscd?
<5> /etc/init.d/nscd start, says service started
<5> but i can't stop the service
<0> does it show up in "ps ax"?
<5> newp .. lemme check syslog for errors
<5> nscd is running now after i mkdir /var/run/nscd .. but it doesn't try to look up gid 1006 (new group)
<5> phew found it .. apparently the problem was because the usernames were entered capitalized into the openldap group
<4> hyc: would using the meta backend be better for my needs?
<0> maybe. that in combination with proxycache may do ok. depends on how much protection you want from network outages.
<4> hmmm.. i wish i knew more about this stuff. Docs seem thin on the ground
<0> there are pretty good examples in the tests directory...
<4> ah, source, yeah.... thanks.
<2> hm
<2> I have an LDAP server for user management. Can I somehow set up a system that enables me to allow/disallow certain users to log into certain computers? I thought pam_groupdn can do something like that, but I find zero documentation on that
<3> All I know is that netgroups are used for that, and etc/openldap/nis.schema is a schema for storing netgroups in LDAP (as described in RFC 2307).
<0> recent versions of pam_ldap include manpages describing all their options, have you found that?
<2> let's see
<2> because I haven't found such an option there yet
<2> ah :) found it
<6> in an LDAP directory i have users and groups, is there a way to get a visual representation of that data? like which users belong to which groups etc
<6> or a textual report would be good enough
<4> phpldapadmin?
<2> phpldapadmin is a sweet little tool
<6> too big
<6> i'm thinking more about some graphviz thing that can show ldap data
<2> weird
<2> LDAP authentication works even tho pam_ldap is nowhere :o
<7> hi
<3> ho
<7> does OpenLDAP support "in-tree ACIs"?
<7> ... and if yes: are there some official docs around it?
<7> s/around/about
<3> OpenLDAPAci attribute, if you configure with --enable-aci. The semantics have changed a few times, and I don't know if the faq is up to date, but see <http://www.openldap.org/faq/data/cache/634.html>.
<7> ok, thanks a lot
<8> Hey.
<8> I got syncrepl working, but now when I delete entries on the master, they stay on the replica
<0> could be a known issue, ITS#4589
<0> still tracking it down at the moment. what version are you running?
<8> 2.3.24
<0> very likely, then
<8> Is there a workaround?
<8> Disable sessionlog?
<0> yes
<8> Anything else that causes?
<8> er, lemme rephrase.
<8> Does that negatively affect anything else
<0> in general, refreshes could take longer.
<8> k.
<8> if I disable sessionlog, will the slave catch up, or should I rebuild its database
<0> should make no difference to the slave
<8> okay; i'll slapcat the master and reload the slave, then.
<9> hi
<9> I'm getting an error with ldap running slapd 2.2.23 in Debian sarge about Duplicate attributeTypes, but the files have not been edited
<9> it was working before and now it's not
<10> hello
<10> i've an ldif file that fails to create a root entry
<10> can anyone look at it and tell me what's wrong?
<11> sure.
<10> http://www.linuxjournal.com/article/5917
<11> post the ldif and post a copy&paste of you trying to run it
<11> what is that?
<10> it's the one under Creating the Directory Tree
<11> haha. hell no.
<11> show me just the ldif and you trying to run it.
<11> i didn't realize i was going to have to read an article
<10> no
<10> no need to read the article :)
<10> just scroll down to the ldif
<10> what's the url for the pastebin?
<11> i think pastebin.org or .com
<10> something is broken there...
<11> o
<10> http://eugeneciurana.com/pastebin/pastebin.php?show=10166
<10> here we go
<12> well gee
<12> where to start
<12> first
<12> there must be an empty line between *each* entry
<12> second
<12> the RDN value for an entry must be present in every entry
<12> which is definitely missing for your first LDIF entry
<12> so I see two immediate reasons why it would fail
<10> RDN == root DN?
<12> plus your spacing is weird, not sure if that's a cut and paste issue, or a problem with your LDIF file.
<12> no, RDN == relative DN
<10> spacing is important?
<12> yes
<12> and you don't want spaces at the end of a line, either
<12> if you don't intend them to be there
<12> etc
<10> ok...
<10> how should RDN be used?
<12> The RDN value of an entry must be present in the entry
<12> so for example
<12> if my entry's DN is:
<10> this ldif is supposed to create a root dn
<12> dn: cn=people,dc=stanford,dc=edu
<12> then the RDN value is
<12> cn: people
<12> etc