jason basket | 2 Feb 17:27 2005

irix authentication


I am trying to authenticate sgi 6.5.23f against sunone ldap server 5.2. I
can't seem to make it work.
when I do ldapsearch I get all the listing of users w/ correct uid and cn
except passwd since it's hiding.

if I try to login to server I don't see any access logs from ldap server.
I setup /etc/nsswitch.conf to use ldap for passwd, group, and shadow. what
am I doing wrong?
when I try nsadmin restart it comes up w/  "    root       1947          1
 0 09:49:34 ?       0:00 /usr/etc/nsd -a nis_security=local"

how do I make sgi use ldap as authentication server?

Luke Howard | 3 Feb 10:55 2005

Re: Supporting apps that work with AD and memberOf


>I am using OpenLDAP 2.2.
>
>A few applications that we have been working with seem to look at group
>membership not based on a member or uniqueMember attribute in the group
>itself, but instead uses a memberOf attribute in the account entry. (This is
>an AD'ism I believe.) Is this common? If so we can create that attribute in
>our local schema definition (probably as localMemberOf with an alias of
>memberOf).

You might find the slides on the LinkEngine at:

	http://www.openldap.org/conf/odd-wien-2003/luke.pdf

interesting.

-- Luke


Adam Tauno Williams | 3 Feb 12:15 2005

Re: Supporting apps that work with AD and memberOf

> >I am using OpenLDAP 2.2.
> >A few applications that we have been working with seem to look at group
> >membership not based on a member or uniqueMember attribute in the group
> >itself, but instead uses a memberOf attribute in the account entry. (This is
> >an AD'ism I believe.) Is this common? If so we can create that attribute in
> >our local schema definition (probably as localMemberOf with an alias of
> >memberOf).

If the application is looking for a memberOf, just add memberOf to your
schema.

I believe memberOf is this
(http://www.kouti.com/tables/userattributes.htm):

attributetype ( 1.2.840.113556.1.2.102 
        NAME 'memberOf' 
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 
        NO-USER-MODIFICATION )

but you'll have to take out the NO-USER-MODIFICATION unless you can
find/write an overlay to implement true memberOf behaviour:

"All back-link attributes, such as memberOf, are "system only"—that is,
users or administrators cannot modify them. Active Directory is
responsible for updating these attributes, maintaining referential
integrity in the process. If either of the referenced objects is moved,
Active Directory modifies the reference accordingly. A forward-link
attribute must use one of the following syntaxes: DN, DN with Unicode
string, DN with binary, access point DN, and OR name. A back-link
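To make the forward-link / back-link distinction in the quoted text concrete, here is an added example (not code from the thread or from OpenLDAP): it reads a small constructed LDIF sample, derives the memberOf back-links from the groups' member/uniqueMember forward-links the way a directory server would maintain them, reports dangling references, and shows that a rename must rewrite the forward-links for the recomputed back-links to stay consistent. The DNs and OUs in the sample are assumptions; the same routine also serves the "department calculated from groups" idea raised later in the thread, since any group-derived attribute is computed the same way.

```python
"""Derive memberOf back-links from member/uniqueMember forward-links.

Added example, not code from the thread: it mimics what a directory
server does for a "system only" back-link such as memberOf, using a
constructed LDIF sample. DNs and OUs below are assumptions.
"""
from collections import defaultdict

# Constructed sample: two users, two groups, one dangling uniqueMember (carol).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=admins,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=staff,ou=groups,dc=example,dc=com
objectClass: groupOfUniqueNames
uniqueMember: uid=alice, ou=people, dc=example, dc=com
uniqueMember: uid=bob,ou=people,dc=example,dc=com
uniqueMember: uid=carol,ou=people,dc=example,dc=com
"""

FORWARD_LINKS = ("member", "uniquemember")


def parse_ldif(text):
    """Minimal LDIF reader (no base64 '::' values, no line folding): dn -> {attr: [values]}."""
    entries, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def normalize_dn(dn):
    """DN matching is case-insensitive and ignores whitespace around commas."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def forward_links(entries):
    """Yield (group_dn, attribute, target_dn) for every member/uniqueMember value."""
    for group_dn, attrs in entries.items():
        for fwd in FORWARD_LINKS:
            for target in attrs.get(fwd, []):
                yield group_dn, fwd, target


def compute_member_of(entries):
    """Back-links: {user_dn: sorted group DNs}. Targets that do not exist are skipped."""
    by_norm = {normalize_dn(dn): dn for dn in entries}
    back = defaultdict(set)
    for group_dn, _, target in forward_links(entries):
        real = by_norm.get(normalize_dn(target))
        if real is not None:
            back[real].add(group_dn)
    return {dn: sorted(groups) for dn, groups in back.items()}


def find_dangling(entries):
    """Forward-links pointing at no entry: the referential-integrity gap a server must close."""
    known = {normalize_dn(dn) for dn in entries}
    return [(g, a, t) for g, a, t in forward_links(entries) if normalize_dn(t) not in known]


def rename_entry(entries, old_dn, new_dn):
    """Move an entry and rewrite every forward-link to it, so recomputed memberOf stays consistent."""
    entries[new_dn] = entries.pop(old_dn)
    old_norm = normalize_dn(old_dn)
    for attrs in entries.values():
        for fwd in FORWARD_LINKS:
            if fwd in attrs:
                attrs[fwd] = [new_dn if normalize_dn(v) == old_norm else v for v in attrs[fwd]]
    return entries


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user, groups in sorted(compute_member_of(directory).items()):
        print(user, "->", groups)
    print("dangling:", find_dangling(directory))
```

The point for anyone adding a writable memberOf to a local schema is that the value is only trustworthy if it is recomputed from the forward-links (here by compute_member_of) rather than set by clients; find_dangling shows why a move or delete without reference maintenance leaves stale links behind.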

Greg Matthews | 3 Feb 14:22 2005

Re: irix authentication

On Wed, 2005-02-02 at 11:27 -0500, jason basket wrote:
> I am trying to authenticate sgi 6.5.23f against sunone ldap server 5.2. I
> can't seem to make it work.
> when I do ldapsearch I get all the listing of users w/ correct uid and cn
> except passwd since it's hiding.
> 
> if I try to login to server I don't see any access logs from ldap server.
> I setup /etc/nsswitch.conf to use ldap for passwd, group, and shadow. what
> am I doing wrong?
> when I try nsadmin restart it comes up w/  "    root       1947          1
>  0 09:49:34 ?       0:00 /usr/etc/nsd -a nis_security=local"
> 
> how do I make sgi use ldap as authentication server?

ah yes... the good news is, you seem to be using a fairly recent Irix.
You will have to edit /var/ns/ldap.conf to get it to work properly. It's
actually quite straightforward once you figure out how it works.
Essentially Irix searches the directory for the relevant "maps" and then
constructs them as files. Therefore you need to put the correct filters
into /var/ns/ldap.conf to generate the correct cache files.

One good thing about Irix is the documentation - read as much as
possible with relevance to LDAP. If you can't sort it out, let me know
and I can post my config.

Summary: definitely possible and quite flexible, but no encryption.

GREG


Richard Thomas | 3 Feb 15:52 2005

Re: Supporting apps that work with AD and memberOf

Luke Howard wrote:
> 	http://www.openldap.org/conf/odd-wien-2003/luke.pdf

Cool, if a little printer unfriendly. This would be ideal to use to add
a department attribute to the user objects calculated from groups so
that it could be searched from Outlook. My network manager is really
impressed by LDAP but wants to be able to search for people depending on
which group they are in.

The only question is how expensive this is in terms of time (of 
calculation).

Rich


-- 
MIS Department      | Psychiatric Solutions Inc | Phone: +1 615 312 5787
840 Crescent Ctr Dr |                           | Fax:   +1 615 312 5711
Suite 460           +---------------------------+----------------------- 

Franklin, TN 37067  |Support: helpdesk@..., +1 615 312 5888 


Richard Thomas | 3 Feb 16:19 2005

Re: Supporting apps that work with AD and memberOf

Luke Howard wrote:

> 	http://www.openldap.org/conf/odd-wien-2003/luke.pdf

Even better, this may provide a decent mechanism for implementing the
controls that Outlook requires to display a list of people when the
addressbook is first viewed. I was worried I'd have to hack the slapd
source.

Surprised someone hasn't done it already actually.

Rich


-- 
MIS Department      | Psychiatric Solutions Inc | Phone: +1 615 312 5787
840 Crescent Ctr Dr |                           | Fax:   +1 615 312 5711
Suite 460           +---------------------------+-----------------------

Franklin, TN 37067  |Support: helpdesk@..., +1 615 312 5888

alessandro bottoni | 3 Feb 18:35 2005

Schema for medical/clinical data?

Does anybody know of any directory schema suitable for holding
medical/clinical data (blood analysis data, pneumological data, etc.)?

I'm consulting for a worker's health medical center and I would
like to store their analytical data in an LDAP directory.
Do you have any suggestions about the directory schema to use?

Thanks in advance

PS: I visited the OID database at http://www.alvestrand.no already.

----------------------------------------
Alessandro Bottoni

Luke Howard | 3 Feb 21:38 2005

Re: Supporting apps that work with AD and memberOf


>Cool, if a little printer unfriendly. This would be ideal to use to add

Try the PowerPoint slides:

http://www.openldap.org/conf/odd-wien-2003/luke.ppt

should be easier to remove the black background (but no doubt the toner
is already gone!).

>a department attribute to the user objects calculated from groups so
>that it could be searched from Outlook. My network manager is really
>impressed by LDAP but wants to be able to search for people depending on
>which group they are in.
>
>The only question is how expensive this is in terms of time (of
>calculation).

It does cost an extra search per linked attribute value; in practice I
have not noticed any problem, and we've been using LinkEngine in a
commercial product for some time now.

-- Luke


alessandro bottoni | 4 Feb 12:44 2005

Multi-company LDAP directory?

I'm trying to use LDAP (OpenLDAP, actually) for managing the descriptive data
corresponding to the several companies and their many employees served by a
Professional Service Agency (a worker's health monitoring agency, to be
exact).

As a consequence, I need to create and manage the address book of
each of the companies served by the PSA and put them inside a _single_ LDAP
directory (managed by the PSA).  Most of these companies do not have any LDAP
directory at the moment, but they could grow and decide to create their
own LDAP directory in the future. So, I have a few doubts:

1 - Can I define and manage more than one company inside an LDAP directory (for
example: "dc=first-company,dc=com"  and "dc=second-company,dc=com")?

2 - Can the presence of more than one company confuse the most widely used
LDAP clients/admin tools (Ximian Evolution, Directory Administrator, Labe,
etc.)? Can these clients manage more than one company from within the same
LDAP directory?

3 - Is there any risk of name collision between one of my company address
books and the one that could be created, in the near future, by the
corresponding company, in the case both address books were exposed on the
Net? In other terms: do I have to assign an IANA OID to each and every one of my
"virtual" address books in order to avoid possible collisions in the future?

Many thanks in advance for your attention

----------------------------------
Alessandro Bottoni
