Comments:
<0> hmm how come running ldapsearch on localhost works, but then when i do it remotely from ldapsearch -H ldap://foo.bar returns No such object?
<1> did you specify a base?
<1> you probably have a local ldap.conf specifying various options for you that ldapsearch is using
<0> jobbz: i got SASL/GSSAPI authentication..
<0> so i know it's at least connecting to the ldap server
<0> oh ok
<0> i missed the base
<0> thanks =0
<2> hey guys i have an issue with postfix + sasl and ldap
<2> TLS connection established from 65-101-235-201.fibertel.com.ar[201.235.101.65]: SSLv3 with cipher RC4-MD5 (128/128 bits)
<2> Jan 30 00:02:55 audiolibre postfix/smtpd[32476]: connect from 65-101-235-201.fibertel.com.ar[201.235.101.65]
<2> Jan 30 00:02:59 audiolibre postfix/smtpd[32476]: warning: SASL authentication failure: no secret in database
<2> Jan 30 00:02:59 audiolibre postfix/smtpd[32476]: warning: 65-101-235-201.fibertel.com.ar[201.235.101.65]: SASL CRAM-MD5 authentication failed
<3> hi
<4> heya... i'm trying to run a small experimental LDAP server on my home server, which doesn't have much memory
<4> any tips for tweaking the DB_CONFIG and other settings to reduce memory footprint? since oracle took over sleepycat the berkeley db documentation has vanished
<5> it's still there, just in a new place
<5> google for berkeley db documentation, second link
<5> http://www.oracle.com/technology/documentation/berkeley-db/db/index.html
<5> |pvh|: do you have more entries than fit in ram with a large entrycache?
<4> lucca: i have less than 100 entries
<4> really, only a few users and groups
<5> |pvh|: then you shouldn't be having size issues at all really
<5> hyc: mornin, guvna
<4> lucca: yeah, that's what i think... my RSS of openldap is small, but the VSZ can be 100 mb
<6> howdy
<6> sounds like I missed an interesting part. But I was wondering the other day if any field in /proc shows what part of a process' address space is currently swapped out.
<6> would be cool to take a snapshot of that memory map
<5> |pvh|: don't worry about VSZ
<6> correlate it with a malloc tracer, and see which data structures aren't doing any good...
<5> VSZ is virtual memory size; address space
<4> yeah, it is still backed by swap though...
<7> good morning #ldap
<5> |pvh|: so? If it's never hit it won't hurt you
<5> |pvh|: though if it worries you, just tune your db
<6> |pvh| not entirely. some of it can be unused code, which is just the executable file image
<4> lucca: that's what i'm looking into
<7> I'm needing to create my own schema, anyone know any good tutorials on how to develop my own please?
<5> hyc: mincore(2) ?
<4> hyc: some of it, yeah, but the vast majority of the 100mb isn't
<5> hm, won't work on private maps
<6> right. no, there's a good reason for concern.
<6> the kernel only pushes memory out to swap because there was pressure from somewhere else.
<6> otherwise the VSZ and RSS would grow concurrently.
<6> so that means you ran out of RAM at some point and you should consider shrinking your cache configs
<5> hm, in /proc/n/maps, the rwxp column p is private?
<6> or, if it was temporary and there's free memory available now, you'd want to find out who caused the temporary spike
<4> well i just radically cut down on the cache size in DB_CONFIG and it still seems to be getting good % of cache hits, so i think that's the right thing to do
<5> hyc: think it'd be possible to make an LD_PRELOAD thing that would at an early point in the process startup unmap all the libs and executable and remap them to local copies as shared mmaps? Then mincore would work...
<8> I had an LDAP server that broke off during updates. The data on the disk is still usable, nothing's happened to it. What should I consider when migrating the data and config from the previous Ubuntu Linux server to the current Gentoo Linux server?
<9> A complete noob question: is it normal that users have to log in using their complete DN (tree), or did I misconfigure the openLDAP server?
<7> I always use the complete dn of the user
<6> lucca: that sounds nasty. well, the shared libs are fine already.
<10> berkes: ldap-binds are using the complete dn.. but for nss/pam, you can configure it to fetch username from user and generate the rest of the dn (e.g. uid=<username>,ou=users,dc=example,dc=com)
<7> berkes, you could use an alias I guess if the dn is really long
<6> you can also configure things to use SASL binds
<6> which work with simple usernames
<6> ZeiP: if it's OpenLDAP, slapcat with the old installation and import the ldif into a new installation
<8> hyc, the older one doesn't boot and we don't have any backups, just the things that it saves on the disk (config, /var, ...)
<8> But yes, the newer one is OpenLDAP and so is the older one AFAIK.
<6> ZeiP: you're talking about two separate machines, two separate CPUs? you can't boot the old drive on the new machine?
<9> [miles]: Gatan: but I guess from your reply, that it is not at all unusual that people enter the complete DN when logging in?
<6> berkes: logging in to what?
<6> for most usage you shouldn't need to know your DN
<6> you ought to be able to use a simple name
<9> hyc: into the LDAP 'thing' tree? say to administrate entries, or to change one's own information etc.
<6> most people don't login to LDAP.
<6> they login to other systems and programs that talk to LDAP for authentication
<6> but that's not the same thing
<9> hyc: sure. but a simple thing as an addressbook application fails with 'invalid DN' unless the user logs in using his full DN
<6> but yes, if you are an administrator and you need to administer the entries, then you probably need to know the DNs of the entries you're going to manage
<6> then that addressbook app is braindead.
<9> hyc: ANY application i've tried fails with that error
<6> a user-friendly app would hide the DNs from the user
<6> and just ask for simple usernames...
<9> LAT, luma, directorymanager, kaddressbook, thunderbird, outlook.
<6> yes, what's your point? none of them have good LDAP support
<9> unless I give the full DN in the 'user' field.
<9> hyc: I don't HAVE a point. I only have a question, whether or not that is considered normal.
<6> perhaps it is common. it is not a Best Practice.
<6> it is an archaic practice that should have died with LDAPv2
<9> maybe you gave me a hint there. /me looks if ldapv3 is properly running at all
<4> berkes: can you do a ldapsearch -x ??
<9> |pvh|: yea. it was running fine. ldapv2 is not even enabled :)
<4> so you can do anonymous bind with ldapsearch -x but address book apps don't work??
<6> berkes: the immediate answer then is, if your app requires a valid DN, then that's what it requires...
<9> |pvh|: oh, sorry, no, I don't allow anonymous to read.
<9> nor to search
<4> ah yes. so that's why you need a DN to bind...
<6> the long-term answer is - app writers need to quit using the LDAPv2 API and actually start using LDAPv3 like LDAPv3.
<9> hyc: well, at least I can tell my client that it's not me misconfiguring the server, but that the apps are being stoopid :)
<6> yeah, that's a fair statement ;)
<4> hyc: so what's the LDAPv3 way of doing things? if you don't bind with a DN, what do you bind as?
<6> you do a SASL Bind with a simple username
<6> and let the directory server figure out what that means
<4> oh yeah, if you got SASL + LDAP working ;)
<9> yea, I kind of expected that to be the case. Hence I thought I misconfigured the server :p
<9> hmm, indeed, I don't have sasl...
<6> it's not hard to get SASL + LDAP working. pretty darn easy really.
<4> hyc: well i've tried damn hard on my SuSE box with SASL + GSSAPI + Kerberos
<4> still doesn't work... even though I can get the same working fine on FreeBSD
<6> are you using bundled packages or compiled yourself?
<4> RPMs...
<6> oh well
<4> look, SuSE kerberos RPMs are MIT Kerberos... and FreeBSD is heimdal - but that shouldn't normally be a problem
<6> hahhahahahaaaaaaa
<6> no, technically they're interoperable
<6> but MIT's track record for code quality ****s.
<4> my logins for that box all use kerberos.... ok, i know kadmin isn't interoperable
<9> hyc: well, I fiddled with it for days but SASL somehow refused to work normally :) it's on Debian.
<4> but yeah... it's been a nightmare... i don't really need SASL auth for ldap on there, so i've just left it
<6> installing MIT kerberos is always a mistake, IMO
<4> hey, installing SuSE is largely a mistake in my book ;)
<6> heh heh
<6> could be.
<6> I have 9.2 on my laptop, works fine
<6> but I build everything I use.
<4> but you work with what you got. and once you got that, installing things from source is not really great if you want to keep up with updates easily
<6> keeping up with updates is meaningless to me. I fetch source patches and rebuild them far sooner than any distro makes updates available.
<6> I don't really care what the distro is. I just install the kernel and basic tools.
<4> fine... but i got too many other servers to look after
<6> then I build everything else myself - compiler, debugger, kernel, and go on from there.
<6> my only reason to use a distro these days is to save the h***le of having to burn my own boot CD :P
<6> but anyway... building from source is not a big deal.
<4> no it's not. heimdal builds very easily
<6> if you have a lot of different distros, it's simpler to just download source once, than to use X different update tools.
<4> well i mostly use freebsd... and then there's some ubuntu... and one suse
<4> freebsd is beautiful :D easy to debug, relatively easy to keep up to date, provides you with an automated list of security issues with packages, etc
<6> heh. yeah, I used to be a BSD bigot, before Linux got popular
<6> worked on the Atari port of netbsd
<6> (first learned Unix on a VAX running 4.2BSD. upgraded it to 4.3 all by myself, I was so impressed...)
<6> back then BSD came on a reel of 9-track tape.
<4> i've been with freebsd since version 1.... used it a lot since version 2.... it's definitely got much better (as in easier to maintain) recently...
<4> anyway, if i get some time in the near future i'll poke further at the SASL+LDAP+GSSAPI combo
<6> just remember that the MIT Kerberos libraries are really bad news in a server.
<6> if you're going to use GSSAPI with slapd, you should use Heimdal's library
<6> the client side isn't so crucial
<6> I guess most clients wouldn't notice the speed differences, but they add up fast on a server.
<6> there are a couple of principles of software design - correctness first, no premature optimization
<6> don't worry about the speed until you've got the correct functionality
<6> MIT has been doing Kerberos for around 20 years and they still haven't gotten past step 1.
<11> Does anyone know of a good tutorial on how to use ldap with encryption?
<11> I managed to get my first authentication ldap server working, but now i need encryption
<7> Knight_Lord, you mean ldaps?
<6> what kind of encryption?
<7> Knight_Lord, TLS/SSL is pretty simple
<11> yes TLS/SSL would be the thing
<7> Knight_Lord, u got the O'Reilly book, it explains a lot
<11> [miles] i already ordered it, it's on the way
<6> http://www.openldap.org/doc/admin23/tls.html