awilliam | 16 Dec 2004 17:52

LDAP enabled ISC DHCP problem


Does anyone know of a list/forum appropriate for discussion of the use of 
ISC DHCPd with the LDAP patch (as shipped with SuSe 9.2)?

We've been using LDAP enabled DHCP for a long time on RedHat;  we just 
moved our DHCP server to SuSe 9.2 which comes with a dhcp-server package 
with the LDAP patch (less building!).  Everything checked out and has been 
working great except that the dhcp service periodically dies after posting 
a message of -

Dec 16 09:27:33 littleboy dhcpd: Cannot search for 
(&(objectClass=dhcpHost)(dhcpHWAddress=ethernet 00:08:02:32:12:59)) in 
LDAP tree 
cn=morrison-primary,ou=Configs,ou=ISCdhcpDaemon,ou=SubSystems,o=Morrison 
Industries,c=US: Can't contact LDAP server

- and then works fine again when restarted.

The LDAP server is available, since other services are using it without 
incident (OpenLDAP 2.2.19). 

---
You are currently subscribed to ldap@... as: [gclu-ldap <at> m.gmane.org]
To unsubscribe send email to ldap-request@... with the word
UNSUBSCRIBE as the SUBJECT of the message.

Dieter Kluenter | 16 Dec 2004 18:34

Re: LDAP enabled ISC DHCP problem

awilliam@... writes:

> Does anyone know of a list/forum appropriate for discussion of the use of 
> ISC DHCPd's with the LDAP patch (as shipped with SuSe 9.2)?

Suse maintains more than 20 mailing lists on several topics in several
languages; you could subscribe to 'suse-linux-e@...' to start
with.
Just mailto <subscribe-suse-linux-e@...>

-Dieter.

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53


Hallvard B Furuseth | 16 Dec 2004 20:33

Re: revitalize LDAP

Chuck Theobald, Patrick von der Hagen and I have been added as
list admins, though some of us will mostly be gone until January.

References headers are no longer stripped.  Message-Id rewriting
has been turned off.  Anyone who filtered on Message-Id can filter
on X-LYRIS-Message-Id instead.  However, we may have to revert
this if the change makes it harder to track bounce messages.

(References were stripped because of the Message-Id rewriting.
There was no point in References when everyone received a
different message ID for the same message.)

Still working on Gmane; it just doesn't seem to like Lyris
(umich's mailing list manager).

-- 
Hallvard


Kevin Appel | 16 Dec 2004 23:32

pop and imap daemons using ldap

Hello Everyone,

I have been doing some reading about pop3 and imap clients and discovered that some of them now support pluggable authentication with an ldap server.  As a result of this, is it now possible to run a set of servers where one is the mail delivery server which stores email, and another server handles imap and pop and uses an entry inside the ldap server to find where to store the mail?

Has anybody gone down this path and implemented a solution where you can isolate the pop daemon on a separate server but still have it able to access the email stored on the main mail server?

Thank you,

Kevin Appel
Systems Administrator
Information Systems and Services
California Lutheran University
60 West Olsen Road
Thousand Oaks, Ca 91361
Office:   (805)493-3431
Fax:      (805)493-3842
kappel <at> clunet.edu

Gerald (Jerry) Carter | 17 Dec 2004 15:08

Re: pop and imap daemons using ldap


Kevin Appel wrote:
| Has anybody gone down this path and implemented a solution
| where you can  isolate the pop daemon on a separate server but
| still have it able to  access the email stored on the main
| mail server?

I like the courier-imap + postfix solution.  (And yes,
courier-imap includes a pop3 daemon, but I don't actually
use pop.)  See manauthldap(7) in the courier-imap distribution
for details on configuring ldap authentication.

You might want to briefly read this HOWTO (although it is
for a virtual user setup):

	http://vriesman.tk/postfix-courier-ldap-howto.html

You can also include SASL with postfix's SMTP AUTH via the
Cyrus saslauthd daemon.

cheers, jerry
---------------------------------------------------------------------
Alleviating the pain of Windows(tm)      ------- http://www.samba.org
GnuPG Key                ----- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song"--Switchfoot (2003)
Richard Thomas | 21 Dec 2004 23:49

Query about Outlook and departments...

I am attempting to create an online contacts list for outlook. I am
using OpenLDAP.

I have created an ldif which contains all of our users. So far, with the
help of what I have found on the web, I have been pretty successful in
getting most of the fields that we need to be seen from outlook visible
(with the exception of "Company" which isn't a biggy).

However, although I have been able to get the "Department" field to
show, when I try and search on department through outlook, no results
ever get returned. (It works on our AD server.)

Looking at the openldap log, the searches it does do not look too promising:

conn=14 op=1 SRCH base="dc=hostname,dc=com" scope=0 filter="(objectClass=*)"
conn=14 op=1 SRCH attr=objectClass
conn=14 op=2 SRCH base="dc=hostname,dc=com" scope=2
filter="(&(?=undefined)(?=undefined))"

It looks like Outlook is connecting, doing a search on the top level and
then crapping out.

The main differences seem to be that when I run an ldapsearch with the
above criteria, the AD server returns

dn: dc=corporate,dc=hostname,dc=com
objectClass: top
objectClass: domain
objectClass: domainDNS

and the openldap server returns

dn: dc=hostname,dc=com
objectClass: dcObject
objectClass: organizationalUnit

Am I looking in the right direction here?

Note that the OpenLDAP server and the AD server are entirely unconnected.

-- 
MIS Department      |                           |Phone: +1 615 312 5787
840 Crescent Ctr Dr | Psychiatric Solutions Inc |Fax:   +1 615 312 5711
Suite 460           |                           |
Franklin, TN 37067  |                           |


Vithalprasad Gaitonde | 22 Dec 2004 10:33

Attribute Encryption in LDAP directories

If a client attempts to read an entry which has an encrypted attribute
over a clear text channel (the encrypted attribute is in the list of
attrs requested by the client): Should the LDAP server -
1. return an error to the client and not return the entry at all
2. return the entry w/o the encrypted attribute (as if an access
control check failed)

How do most directories behave in this situation?

Thanks,
Prasad


Kurt D. Zeilenga | 22 Dec 2004 17:11

Re: Attribute Encryption in LDAP directories

At 01:33 AM 12/22/2004, Vithalprasad Gaitonde wrote:
>If a client attempts to read an entry which has an encrypted attribute
>over a clear text channel (the encrypted attribute is in the list of
>attrs requested by the client):

First, I assume what you mean by 'encrypted attribute' is
some attribute, any attribute, whose values are not to be
transferred in the clear (per some policy).  I would use
the term 'restricted attribute' or something.  For instance,
a server could (and should) require data confidentiality
services be in place to transfer values of userPassword.

>Should the LDAP server -
>1. return an error to the client and not return the entry at all

For the search operation, the server should not return an error
in this case.  It can choose to return the entry (less the attribute)
or to not return the entry.

>2. return the entry w/o the encrypted attribute (as if an access
>control check failed)

Basically, this is an access control check.  Note that
access control decisions can involve numerous factors, including
whether or not data confidentiality protections are in place.

>How do most directories behave in this situation ?

While I cannot speak for most, the OpenLDAP server simply denies
access to the values if adequate protections are not in place.


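Kurt's point that the confidentiality state of the session is just one more input to the access control decision is how OpenLDAP's slapd expresses "deny the values if adequate protections are not in place": the `by` clauses of slapd.access(5) accept a security strength factor (`ssf=`). The fragment below is an added illustration for this thread, not configuration from any of the posters; the attribute chosen (userPassword, Kurt's own example) and the threshold of 128 are assumptions.

```conf
# Added example (not from this thread): make userPassword a restricted
# attribute that is only transferred over a confidentiality-protected
# session, while still returning the rest of the entry in the clear.
#
# "ssf" is the overall security strength factor of the session (the
# stronger of TLS and SASL protection); 128 is an assumed threshold that
# a TLS session with a 128-bit cipher satisfies and a clear-text session
# (ssf=0) does not.  tls_ssf= and sasl_ssf= exist for per-mechanism rules.
access to attrs=userPassword
        by ssf=128 self write
        by ssf=128 anonymous auth
        by * none
# A clear-text search that lists userPassword in its requested attributes
# matches neither ssf=128 clause and falls through to "by * none": no
# error is returned, the entry comes back without the attribute, exactly
# the access-control outcome described above.

# Everything else is readable by authenticated clients regardless of ssf,
# so the entry itself is still returned on a clear-text session.
access to *
        by self write
        by users read
        by anonymous auth
```

The stricter alternative, a global `security ssf=128` directive, refuses every operation on an under-protected session with an error instead of silently withholding the attribute, which is the behaviour Kurt advises against for the search operation.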

Jon Roberts | 25 Dec 2004 07:56

upcoming open source software

Greetings fellow tinkerers and enthusiasts,

It is over five years now since I wrote my first LDAP client 
applications. I managed an infrastructure that employed web servers and 
a directory from Netscape back when that company still existed. We used 
LDAP people and groups for central authentication in web access control 
and authoring, and so I wrote routines in Perl and then Java to do four 
distinct things: create a person entry, create a group entry, fetch the 
data for a person, fetch the data for a group. These little apps were 
simple and straightforward, but the code was procedural and plainly 
redundant.

I later began to work more exclusively with directories, and as the 
number of object classes I used grew, I decided it would be better to 
consolidate the information about a class of entry in one place, and 
write single routines for handling tasks like adding, deleting, 
modifying, retrieving, etc. entries of all types. That work led to my 
first attempt at an open source offering, some Java servlets and 
packages built on the Netscape Java LDAP SDK which I called LDAPHttp. 
The results had the gist of what I wanted, even if it had some missing 
functions and major kludges that exposed my own Java development 
deficiencies.

What followed was a painful and patently unsuccessful initiation into 
the world of public open source software collaboration. With an immature 
offering, a perversely incompatible attitude, and several major gaps in 
my experience with open source, I knew even as I progressed that I only 
had myself to blame for what was a failure in all appearances. However, 
I learned a great deal in this process and the irony seems to be that I 
got exactly what I needed.

In the new year soon to arrive, I plan to try and make good. There are 
many preparations I will need to make before I can say anything about a 
real project, but it is my intention to introduce the new ideas here 
first in the hopes of making a connection. I'll start with some Java API 
documentation for what I've got:

http://www.mentata.com/upcoming/

Note that the rest of the site is irrelevant to this initiative, and is 
being renovated behind the scenes.

The new packages are built on the Novell JLDAP Java libraries supported 
in part by the OpenLDAP project. The package called "l3d" can be used to 
create clients, while the "sg8" package extends these basic capabilities 
into a customizable servlet gateway. Error messages, object/attribute 
labels, and context information (e.g. server, port, connection type, 
..etc) are now in properties files so that they can be changed without 
Java compiling and easily internationalized. The servlet gateway uses 
encryption, a single sign-on model, and customizable JSP for all web 
page generation. Plenty more going on, but I'll leave it at that for now.

I plan to spend the first half of 2005 documenting and demonstrating 
this new code and preparing it for consumption. I don't want to make it 
a project until it's ready to be one, although I'll gladly take feedback 
from anybody anyhow anytime. I'll plan to use CVS and Ant this time 
around, like a real OSS Java developer should. If it looks like the 
software will be useful to another living person (besides myself and the 
good people who've employed me to develop it), I intend to release the 
l3d portion under the LGPL (or looser license) to promote 
commercialization while keeping the sg8 part under the GPL to serve as 
an example extension.

I have no ulterior motives. I'm not driven to make money, I'm not 
looking for any ego boosting, and I have no illusions about changing the 
world. I just want to do something useful. Please let me know if you 
have an interest. Otherwise, I apologize for the novella.

Peace on earth, good will towards man.

Jon Roberts
www.mentata.com
