set.regex and substring substitution
by Ronie Gilberto Henrich
Hi,
I am trying to grant users access to an LDAP object when
user/allowedDomain matches the Mail object's ou.
To accomplish that I have to use set.regex and substring
substitution, but I was not able to figure out what I am doing wrong.
This is the current ACL:
access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
by set="user/allowedDomain & this/ou" write
result:
=======
"ou=example.com,ou=Mail,o=example,c=BR" = write(=wrscxd)
"mail=test@example.com,ou=example.com,ou=Mail,o=example,c=BR" = 0
This is the ACL that I am trying to build. I was expecting both
results as = write(=wrscxd), but I am getting only = 0.
access to dn.regex="^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$"
by set.regex="user/allowedDomain & $2" write
result:
=======
"ou=example.com,ou=Mail,o=example,c=BR" = 0
"mail=test@example.com,ou=example.com,ou=Mail,o=example,c=BR" = 0
Any ideas about what I should do for this to work?
Thanks!
Ronie
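The two <who> clauses differ in where the domain on the right of the & comes from: this/ou reads the ou attribute of the target entry, while $2 is the second capture group of the dn.regex <what> clause applied to the target DN. The following Python model (an added example, not from the thread or from slapd) evaluates both forms against the two DNs in the results above; the user's allowedDomain value and the assumption that the mail entry carries no ou attribute of its own are constructed.

```python
import re

# The <what> clause from the post: group 2 captures the ou directly under ou=Mail.
DN_PATTERN = re.compile(r"^(.+,)?ou=([^,]+),ou=Mail,o=example,c=BR$")

# Constructed directory content (not from the post): the bound user's
# allowedDomain values and the two target entries from the results.
USER = {"allowedDomain": {"example.com"}}
ENTRIES = {
    "ou=example.com,ou=Mail,o=example,c=BR": {"ou": {"example.com"}},
    # Assumed: a mail entry under the ou has no ou attribute of its own.
    "mail=test@example.com,ou=example.com,ou=Mail,o=example,c=BR": {
        "mail": {"test@example.com"}
    },
}


def set_this_ou(user, target_dn, entries):
    """Evaluate 'user/allowedDomain & this/ou': intersect the bound user's
    allowedDomain values with the ou values stored on the target entry."""
    return user["allowedDomain"] & entries[target_dn].get("ou", set())


def set_expanded(user, target_dn):
    """Evaluate 'user/allowedDomain & $2': $2 is the second capture group of
    the dn.regex clause matched against the target DN, not an attribute."""
    m = DN_PATTERN.match(target_dn)
    if not m:
        return set()
    return user["allowedDomain"] & {m.group(2)}


def decide(result_set):
    """A non-empty set means the <who> clause matches and 'write' applies."""
    return "write" if result_set else "0"


if __name__ == "__main__":
    for dn in ENTRIES:
        print(dn)
        print("  this/ou form:", decide(set_this_ou(USER, dn, ENTRIES)))
        print("  $2 form:     ", decide(set_expanded(USER, dn)))
```

With these assumptions the this/ou form reproduces the first result block exactly (write on the ou entry, 0 on the mail entry, which has no ou to intersect with), while $2 resolves to example.com for both DNs, which is the outcome the second ACL was meant to produce.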
TLS Info?
by Eric Nichols
I have not been able to figure out how to dump more info on the
encryption levels, certificate CN & expiration date etc. Should this be
done through the openssl functions? If so, what do I hook them to?
--
Thanks,
Eric
Directory Wizards Inc.
www.dirwiz.com
ldap_result(), Posix signals and error checking
by John Miller
Hi all,
I have noticed a problem with my program (which is supposed to generate and
receive many Posix signals) and the function ldap_result(). It happened to both
my code and those library functions that used it (the synchronous versions of
various add/search/modify functions).
They all failed randomly with a "Can't contact LDAP server" error. I tracked the issue
down to the poll() function in os-ip.c: its return value is not checked to see if
it has been interrupted by a signal. Patching the library (making the poll function
restart if errno == EINTR after failure) resolved my problem.
Is it a bug or a choice? The patch is trivial, but if that error is not checked by choice that
should be documented imho.
Cheers,
JM
Using SASL OTP
by Emmanuel Dreyfus
Hello
Does anyone have experience using SASL OTP with OpenLDAP?
Here is what I understood so far:
- OTP stuff is stored in SASL auxprop cmusaslsecretOTP, which can be
stored in sasldb or in LDAP.
- If OpenLDAP finds a cmusaslsecretOTP attribute for a user, and if
the OTP plugin is installed both on the client and the server, then
the OTP challenge is presented when requesting the OTP method. That
leaves me with two problems: how to set cmusaslsecretOTP in LDAP?
- If I use saslpasswd2, it will store cmusaslsecretOTP in sasldb. I
can copy-paste it to the LDAP directory, which is not very satisfying.
- If I install the Cyrus ldapDB plugin and add a sasl2/saslpasswd.conf,
it seems I can tell saslpasswd2 to write to the directory:
ldapdb_uri: ldaps://ldap.example.com
I have not fully investigated, but it seems the thing cannot prompt
for credentials: DN/password must be stored in saslpasswd.conf, which
makes multiuser utilization troublesome.
- saslpasswd2 calls sasl_setpass(), and a look at OpenLDAP sources
shows that passwd_extop()/slap_sasl_setpass() does the same. That
suggests it is possible to have slapd doing the thing, but how does
it work? In passwd_extop(), slap_sasl_setpass() will only be
called if op->o_bd is NULL. In what situation does it happen?
- And my last problem is to generate OTP. setkey(1) does not seem
to produce something acceptable to SASL OTP. I have to investigate
further.
--
Emmanuel Dreyfus
manu(a)netbsd.org
ACL problem in slapd.conf
by Tomasz Chmielewski
I would like to allow a user to edit everything in a given subtree.
For example, I would like to allow uid=Operator,ou=Users,dc=example,dc=com to edit all entries which are in *,ou=Users,dc=example,dc=com.
I tried to follow http://www.zytrax.com/books/ldap/ch6/#access to set up access for that user, but I keep getting "insufficient access".
conn=5 fd=15 ACCEPT from IP=127.0.0.1:46917 (IP=0.0.0.0:389)
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" method=128
conn=5 op=0 BIND dn="uid=Operator,ou=Users,dc=example,dc=com" mech=SIMPLE ssf=0
conn=5 op=0 RESULT tag=97 err=0 text=
conn=5 op=1 DEL dn="uid=d.user3,ou=Users,dc=example,dc=com"
conn=5 op=1 RESULT tag=107 err=50 text=no write access to entry
My rule in slapd.conf is:
access to dn="ou=Users,dc=example,dc=com"
by dn="uid=Operator,ou=Users,dc=example,dc=com" write
by dn="uid=Operator,ou=Users,dc=example,dc=com" read
I also tried to use:
access to dn.subtree="ou=Users,dc=example,dc=com"
...
But then I'm not even able to connect.
--
Tomasz Chmielewski
http://wpkg.org
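The DEL that fails with err=50 targets uid=d.user3, one level below ou=Users. This added Python model (not from the thread or from OpenLDAP) reproduces the dn styles of slapd.access(5) to show which target entries each <what> clause covers: a bare dn= is the exact (base) style, so it covers the ou=Users entry itself and nothing beneath it, whereas dn.subtree also covers the deleted entry. The DN splitting is simplified for the plain DNs in the post and does not handle escaped commas.

```python
def dn_components(dn):
    """Split a DN into RDN strings, normalising case and whitespace.
    Enough for the DNs in the thread; a full RFC 4514 parser would also
    handle escaped commas and multi-valued RDNs."""
    return [c.strip().lower() for c in dn.split(",")]


def dn_matches(style, pattern, target):
    """Model the dn styles of slapd.access(5): exact/base, one, children, subtree.
    A bare dn=<pattern> with no style is the exact style."""
    p, t = dn_components(pattern), dn_components(target)
    if style in ("exact", "base"):
        return p == t
    # target is strictly below pattern when it ends with all of pattern's RDNs
    is_below = len(t) > len(p) and t[len(t) - len(p):] == p
    if style == "one":
        return is_below and len(t) == len(p) + 1
    if style == "children":
        return is_below
    if style == "subtree":
        return is_below or p == t
    raise ValueError(f"unknown dn style: {style}")


def rule_covers(what, target):
    """Parse a <what> clause such as dn="..." or dn.subtree="..." and report
    whether it selects the target entry."""
    spec, pattern = what.split("=", 1)
    style = spec.split(".", 1)[1] if "." in spec else "exact"
    return dn_matches(style, pattern.strip('"'), target)


# Constructed check against the DNs that appear in the log above.
DELETED = "uid=d.user3,ou=Users,dc=example,dc=com"

if __name__ == "__main__":
    for what in ('dn="ou=Users,dc=example,dc=com"',
                 'dn.subtree="ou=Users,dc=example,dc=com"',
                 'dn.children="ou=Users,dc=example,dc=com"'):
        print(f"{what:45} covers {DELETED}: {rule_covers(what, DELETED)}")
```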
Assertion failure in ldapsearch
by Guillaume Rousse
This server is frozen, and ldapsearch crashes:
[root@etoile main]# ldapsearch -x
ldapsearch: error.c:272: ldap_parse_result: Assertion `r != ((void *)0)'
failed.
Abandon
This is openldap 2.4.15 client, with this specific configuration:
TLS_CACERTDIR /etc/pki/tls/rootcerts
TLS_REQCERT demand
NETWORK_TIMEOUT 2
TIMEOUT 2
TIMELIMIT 2
On my own host, with 2.4.17 and no configuration, the client just hangs
indefinitely.
I'm joining the network capture.
--
BOFH excuse #229:
wrong polarity of neutron flow
Disk exhausting because of log.0000xxxx files
by Olivier Nicole
Hi,
Because of a stupid script I wrote that was unduly modifying my LDAP
directory, I ended up exhausting my disk space with Berkeley DB log files
of the type log.00000xxxx.
My LDAP uses a database of type bdb; I have the option
dbconfig set_flags DB_LOG_AUTOREMOVE
and thought it would take care of removing the log files. It seems not,
so I must be missing something.
(As for back-up safety, I have a script that does a slapcat every 2
hours keeping 10 days of back-ups, plus nightly back-up on a back-up
server, so removing BDB logs should be quite safe)
Any help will be warmly welcome.
Best regards,
Olivier
Adding a new user to existing LDAP group
by Subbarao Karanam
We already have a created LDAP database with multiple groups and users. Now I want to add a new user and assign him to an existing group.
I have created a newuser.ldif file as follows
dn: uid=test,ou=people,dc=crmsldap,dc=agilent
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: test
sn: test
uid: test
userPassword: test
uidNumber: 10000
gidNumber: 300
homeDirectory: /home/test
dn: cn=admin,ou=groups,dc=crmsldap,dc=agilent
changetype: modify
memberUid: test
When I run the script
/opt/symas/bin/ldapmodify -x -D "cn=Manager,dc=crmsldap,dc=agilent" -W -f newuser.ldif
it gives an error as follows
ldapmodify: modify operation type is missing at line 21, entry "cn=admin,ou=groups,dc=crmsldap,dc=agilent"
Thanks
Subbarao
openldap configuration error
by Jittinan Suwanrueangsri
Hi
I have configured openldap 2.4.16 with the following options
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=mod
--enable-hdb=mod --enable-ldap=mod --enable-monitor=mod
--enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes
--enable-overlays=mod --with-cyrus-sasl --with-tls=openssl
--enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes
After running the make test command there is an error as shown below
>>>>> Starting test018-syncreplication-persist ...
running defines.sh
Starting producer slapd on TCP/IP port 9011...
Using ldapsearch to check that producer slapd is running...
Using ldapadd to create the context prefix entry in the producer...
Starting consumer slapd on TCP/IP port 9014...
Using ldapsearch to check that consumer slapd is running...
Using ldapadd to populate the producer directory...
Waiting 7 seconds for syncrepl to receive changes...
Stopping the provider, sleeping 10 seconds and restarting it...
Using ldapsearch to check that producer slapd is running...
Waiting 7 seconds for consumer to reconnect...
Using ldapmodify to modify producer directory...
Using ldappasswd to change some passwords...
Waiting 7 seconds for syncrepl to receive changes...
Stopping consumer to test recovery...
Modifying more entries on the producer...
Restarting consumer...
Waiting 7 seconds for syncrepl to receive changes...
Try updating the consumer slapd...
ldapmodify failed (255)!
>>>>> ./scripts/test018-syncreplication-persist failed (exit 255)
make[2]: *** [bdb-mod] Error 255
make[2]: Leaving directory `/home/jittinans/openldap-2.4.16/tests'
make[1]: *** [test] Error 2
make[1]: Leaving directory `/home/jittinans/openldap-2.4.16/tests'
make: *** [test] Error 2
but after that I changed to not build the backends as modules
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure --enable-bdb=yes
--enable-hdb=yes --enable-ldap=yes --enable-monitor=yes
--enable-spasswd=yes --enable-modules=yes --enable-wrappers=yes
--enable-overlays=mod --with-cyrus-sasl --with-tls=openssl
--enable-dynacl=yes --enable-crypt=yes --enable-lmpasswd=yes
It works correctly. Why?