
<siezer> freebox right now nt4 style "pdc killer"s can be put together using samba and ldap.... as far as a native AD dc, where you're actually tricking windows clients into thinking they're on a 2k+ domain, nothing exists
<freebox> i want replace nt4 domain controller
<Gagatan> siezer/freebox: closest thing today is XAD by padl.com I guess.. but its not opensource
<New0rder> nscd is the issue...
<New0rder> grrr
<Deedubb> Hello. How does ldap know where to look for anonymous 'auth' privileges? I'm trying to implement the ACLs in section 5 of http://www.gentoo.org/doc/en/ldap-howto.xml but they're breaking it and I don't see how openldap knows where to look for auth...
<Aaron> hm
<Deedubb> Hey again Aaron ;)
<Aaron> it's those gentoo docs again ;)
<Aaron> hullo
<Aaron> give me a minute
<Deedubb> ya... defaults works but it does seem like I should restrict access
<Aaron> Deedubb: which set of rules do you have?
<Aaron> if they're longer than about 3 lines, pastbin
<Aaron> er
<Aaron> pastebin
<Deedubb> exactly what's on the pay; default is root = write for all; read for *; right?
<Aaron> heh
<Deedubb> pay -> page;
<Deedubb> okay
<Deedubb> where's that pastebin...
<JoBbZ> www.pastebin.com ?
<Aaron> for access to * by root= write
<Aaron> by users read
<Deedubb> http://pastebin.com/407258
<Aaron> and by anonymous allow them to authenticate.
<Aaron> but nothing else
<Aaron> is what that means
<Deedubb> that part isn't working aaron; the anonymous authenticate
<Aaron> anonymous people cant read anything
<Aaron> they have to authenticate to read anything
<Deedubb> so should pam be authenticated to do user lookups?
<Aaron> but that rule must be there (as I understand it) to allow someone to bind in the first place.
<JoBbZ> by anonymous auth
<JoBbZ> is a valid rule
<Aaron> *nod*
<Aaron> Deedubb: so what are you trying to do that does not work
<Deedubb> its not working for me JoBbZ - what directives do I need to use to tell openldap where to do authentication
<Aaron> because your rules look correct
<Aaron> Deedubb: that's all stored in whatever backend you use
<Aaron> which is to say
<Deedubb> I want to use ldap as my backend ;)
<Aaron> if you've imported users into the ldap database
<Deedubb> http://www.saas.nsw.edu.au/solutions/ldap-auth1.html seems like they just allow anonymous access
<Aaron> those users and passwords are in the ldap database
<Deedubb> "defaultaccess read"
<Aaron> Deedubb: 'slapd' can have different database types, that's what I'm referring to by 'backend'
<JoBbZ> eww, don't read that page
<JoBbZ> it is using ldbm
<Deedubb> so does mine
<JoBbZ> anything that says LDBM should be ignored :P
<Deedubb> Someone could have said that YESTURDAY
<Deedubb> ...
<Aaron> *yesterday
<Deedubb> bah
<JoBbZ> their ACLs aren't allowing anonymous to do everything, either
<JoBbZ> the first ACL says
<JoBbZ> for access to userPassword
<JoBbZ> self write
<JoBbZ> i.e., an entry can write its password
<JoBbZ> root write
<JoBbZ> so the root can write
<JoBbZ> and then
<JoBbZ> by * auth
<JoBbZ> everything else (anonymous or not) can use the password to authenticate
<Deedubb> agreed
<JoBbZ> second one says, for everything else *other* than the userPassword attribute
<JoBbZ> since ACLs are applied sequentially
<JoBbZ> self write, root write, everyone read
<JoBbZ> the last ACL is pointless, as it is covered by the previous one
<Aaron> *nod*
<Deedubb> indeed, pointless isn't good
<JoBbZ> a real big hint here, about avoiding this page, however
<JoBbZ> is that it refers to OpenLDAP 2.0.7
<JoBbZ> which is a few years old
<JoBbZ> ;)
<JoBbZ> there have been 3 major releases since 2.0
<JoBbZ> (2.1, 2.2, and 2.3)
<Deedubb> but what about this ldbm? can I easily change it to... dbd? was that the default?
<JoBbZ> bdb or hdb
<JoBbZ> are the preferred backends
<JoBbZ> I am currently moving my data to hdb
<JoBbZ> from bdb
<Deedubb> why?
<Deedubb> what does hdb do?
<JoBbZ> hdb supports modRDN
<JoBbZ> bdb doesn't
<JoBbZ> I need modRDN for supporting an organization tree in my DB
<JoBbZ> it is AKA subtree rename
<Deedubb> sounds like a fine thing to use off the bat
<JoBbZ> yes
<JoBbZ> hdb wasn't really usable until OpenLDAP 2.3.9 or later if you needed solid performance
<JoBbZ> that was fixed in 2.3.9
<JoBbZ> now it is essentially equivalent to bdb
<JoBbZ> which is the fastest backend
<JoBbZ> it is likely in 2.4 that ldbm will be entirely dropped
<Deedubb> alright... so is there a migration tool or should I just reimport from my passwd, shadow, hosts etc after changing the 'database' directive?
<JoBbZ> slapcat your database
<JoBbZ> update your slapd.conf file
<JoBbZ> slapadd your database
<JoBbZ> :P
<JoBbZ> read up on DB_CONFIG
<JoBbZ> for hdb/bdb databases you want to set that
<Deedubb> JoBbZ: and do you use qmail or postfix? I want to integrate my email stuff; and later address books too
<JoBbZ> we use sendmail, and are migrating to postfix
<JoBbZ> addressbooks are a totally different can of worms
<Deedubb> that's a later project
<JoBbZ> http://www.stanford.edu/~quanah/directory/email/
<JoBbZ> see that :P
<JoBbZ> I also suggest reading the documentation at http://www.openldap.org/
<JoBbZ> specifically the FAQ
<Deedubb> JoBbZ: snazzy... so no interoperability between different mail clients - cute
<JoBbZ> that, and the Admin guide
<JoBbZ> http://www.stanford.edu/services/directory/openldap/configuration/
<JoBbZ> might be of some help
<JoBbZ> it still is based on OpenLDAP 2.2
<JoBbZ> but there are useful bits about DB_CONFIG in there
<JoBbZ> that apply
<JoBbZ> I'll be updating that soon
<JoBbZ> :P
<Deedubb> ... oh? Mr Stanford eh?
<JoBbZ> that's one thing I do, yes :P
<Deedubb> hdb uses openldap-data? 'cause for ldbm I have a separate directory
<Deedubb> alright... I'll read
<apeiron> Be sure to revel in TFM's existence, for it will not always exist. :)
<Deedubb> you're sick
<apeiron> ... pardon?
<apeiron> What's so sick about appreciating manuals when they exist?
<JoBbZ> that's why i said slapcat (export your database to an ldif file)
<JoBbZ> then use slapadd
<JoBbZ> after updating your slapd.conf file
<JoBbZ> you can just wipe out openldap-data's contents after you do the slapcat
<JoBbZ> once you have the LDIF file, you can restore your database with it anytime
<JoBbZ> :P
<Deedubb> ... off to a good start 'Unrecognized database type (hdb)'
<apeiron> At least it's descriptive.
<Deedubb> true that
<apeiron> I tend to get errors like "Unknown error" and "File error".
<apeiron> (the quotes indicating the beginning and ending of the full error messages)
<Deedubb> You must be using Visual Basic... I like when people have on error resume... then the app just closes or hangs
<apeiron> Heh, uh, no. :)
<apeiron> Last time I used VB was about 8-9 years ago.
<Deedubb> the gentoo boys don't enable hdb; and because I'm lazy I'll go with bdb
<apeiron> I was tasked with either modifying some VB for work (and not just normal VB; this was *VBA*!) or rewriting the program from scratch. Guess which I chose?
<apeiron> "program", of course, since it was actually an Excel document.
<Deedubb> I don't like this man page search on the openldap site...
<Deedubb> much better... modulepath /usr/lib/openldap/openldap\nmoduleload back_hdb.la
<JoBbZ> what version of OpenLDAP are you using?
<JoBbZ> ah, there ya go
<Deedubb> 2.2.8



Copyright © 2005 www.irclogs.ws. All rights reserved.