LDAP Architecture for CardDAV/OpenLDAP interface
by Nicolas Mora
Hello,
I'm using both an OpenLDAP server and an owncloud server, both for
different but convergent purposes.
The OpenLDAP manages an addressbook that is used by all mail clients
(Thunderbird, Horde, etc.), and the owncloud server also manages an
addressbook for phone numbers, addresses and stuff, this one is a
CardDAV one with VCard files.
My goal is to converge these 2 different back-ends into one, all the
data would be stored in the LDAP server.
I did some research about how to do it and I have some clues that I would
like to submit to you for feedback.
The first question is about the VCard/LDAP interface.
After studying the VCard format and the different LDAP schemas, mostly
RFC 6350 and 2256 and the schema files in the OpenLDAP conf folder on a
Debian Stable server, I think that a new schema would do the connection.
All the VCard properties can be easily linked to an existing person or
inetOrgPerson or another *person objectClass, and the properties that
don't exist yet are to be created in a schema extension.
Also, one or two additional properties fields per property are to be
created for the VCard parameters.
Actually, there are different objectClasses that might be extended:
person, inetOrgPerson, organizationalPerson and residentialPerson.
Considering that inetOrgPerson, organizationalPerson and
residentialPerson are designed for specific purposes, I think that
extending the person objectClass would be the best guess, what do you
think?
The second question is more about the OpenLDAP configuration to handle
this need. Right now, the OpenLDAP server is only used by me as an
addressbook and an authentication server, the directory looks like this:
dc=babelouest,dc=org
|
|-ou=addressbook
| |
| |-cn=Address1
| |-cn=Address2
| |-[...]
|
|-ou=users
| |
| |-uid=user1
| |-uid=user2
| |[...]
I would like to add another branch to allow users to add their own
addressbook entries, these entries would be in read/write mode only for
the owner, no one else but him should have access.
The new directory would look like this:
dc=babelouest,dc=org
|
|-ou=addressbook (global, read-only for all users)
| |
| |-cn=Address1
| |-cn=Address2
| |-[...]
|
|-ou=users
| |
| |-uid=user1
| |-uid=user2
| |[...]
|
|-ou=personnalAddressbooks (personal addressbook entries)
| |
| |-uid=user1
| | |
| | |-cn=Address1
| | |-cn=Address2
| | |-cn=Address3
| |
| |-uid=user2
| | |
| | |-cn=Address1
| | |-cn=Address2
I took a look at the Access control help page but I couldn't find how to
properly set the OpenLDAP configuration up like this. Can you help me
configure slapd.conf?
Thanks in advance.
/Nicolas
10 years, 7 months
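A slapd.conf ACL fragment that expresses the rule asked for above (owner-only access to the personal branch, read-only global addressbook), added here as an example; it is not from the original post or a reply to it. The DNs follow the poster's tree (the branch name is kept as spelled there), and it assumes simple binds against uid=...,ou=users are how users authenticate.

```conf
# slapd uses the first "access to" clause whose target matches an entry, so
# the specific clauses below must come before any broader "access to *".

# Personal branch: group 2 of the regex captures the uid of the container,
# group 1 (optional) matches the cn=... entries underneath it. The owner,
# expanded from that uid into the matching entry under ou=users, may read
# and write; everyone else gets nothing, not even search visibility.
access to dn.regex="^(cn=[^,]+,)?uid=([^,]+),ou=personnalAddressbooks,dc=babelouest,dc=org$"
        by dn.exact,expand="uid=$2,ou=users,dc=babelouest,dc=org" write
        by * none

# The branch entry itself must be searchable, otherwise a search based on
# a user's own container cannot descend to it. "users" = any bound DN.
access to dn.base="ou=personnalAddressbooks,dc=babelouest,dc=org"
        by users search
        by * none

# Global addressbook: readable by every authenticated user, writable by
# nobody (the rootdn bypasses ACLs and can still maintain it).
access to dn.subtree="ou=addressbook,dc=babelouest,dc=org"
        by users read
        by * none

# Keep simple binds working: the password may be used for authentication
# only, and a user may change their own. Existing clauses for ou=users
# follow this one unchanged.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
```

Because each personal entry gets the container's uid from the regex at evaluation time, no per-user clause is needed when a new user is added; only the uid=userN container under the branch has to be created.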
Dynamic configuration / admin users
by Simon Walter
Greetings,
First off, I'm sorry if this is the wrong place to ask this. Please
direct me to the appropriate list.
Here goes with the n00b questions:
Debian Squeeze is using the dynamic configuration. While I am sure there
are benefits, all the documentation is for static configuration
(slapd.conf).
I've got a basic tree up and running and several services are using it
no problem. There are several things I'd like to do, like replication.
For this and some other services, SOGo for example, that don't bind
anonymously, I'd like to create some more users for this. I could be
mistaken, but perhaps they need some kind of admin privileges. If not,
that means that any user can modify anything in the tree.
I see various information about ACI and ACL and access.conf. I can't
find clear documentation about how any of this relates to dynamic
configurations.
To conclude, how do I add additional users to a dynamically configured
OpenLDAP tree and configure those users with specific access permissions?
Thank you,
Simon
10 years, 7 months
Mirror mode replication problem
by cbulist
Hi,
We have configured 2 servers with openldap version 2.4.23-26 and
everything is working well (ppolicy, acl etc). We implemented replication
in mirror mode and it is working well. When we add/delete/modify
something in serverID 1 it syncs the data to serverID 2 without problem,
but when we add/delete/modify in serverID 2 it is not synced to serverID
1. We tried to stop openldap server1, then make changes on server2 and
start server 1 again in order to get the changes from server2, but it did
not work. According to the 2.4 guide: "When a crashed provider is repaired
and restarted it will automatically catch up to any changes on the
running provider and resync".
We appreciate any help to try to fix this problem.
Thanks in advance!
These are the relevant configuration directives:
#Server 1
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 1
syncrepl rid=001
        provider=ldap://server2:389
        bindmethod=simple
        binddn="cn=Manager,dc=sample,dc=com"
        credentials=secret
        searchbase="dc=sample,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on

#Server 2
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 2
syncrepl rid=001
        provider=ldap://server1:389
        bindmethod=simple
        binddn="cn=Manager,dc=sample,dc=com"
        credentials=secret
        searchbase="dc=sample,dc=com"
        schemachecking=on
        type=refreshAndPersist
        retry="60 +"
mirrormode on
10 years, 7 months
SSL/TLS issue
by Darouichi, Aziz
Hi,
I am running Openldap-2.4.32, BDB-5.3.21 and openssl-1.0.1c on RHEL 5.5. I created a CA cert and signed it, but when I run ldapsearch with -ZZ I get the following error:
TLS trace: SSL_connect:before/connect initialization
TLS trace: SSL_connect:SSLv2/v3 write client hello A
TLS trace: SSL_connect:SSLv3 read server hello A
TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu, issuer: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu
TLS certificate verification: Error, self signed certificate in certificate chain
TLS trace: SSL3 alert write:fatal:unknown CA
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS trace: SSL_connect:error in SSLv3 read server certificate B
TLS: can't connect.
ldap_perror
ldap_start_tls: Connect error (-11)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Please let me know if I missed something in my configuration.
Thanks,
Aziz
10 years, 7 months
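What verify error 19 in the trace above means, shown on a constructed private CA and a server certificate it issued: the chain presented by the server verifies only when the client trusts that CA certificate (the file TLS_CACERT in ldap.conf names). This is an added example, not part of the original post; it assumes the openssl command-line tool is installed, and all certificate names are invented.

```shell
#!/bin/sh
# Added example: reproduce OpenSSL verify error 19 ("self signed certificate
# in certificate chain") and show the same chain passing once the CA is trusted.
# Assumes the openssl CLI; CA and hostname below are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed self-signed CA, standing in for the poster's own CA.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Example Test CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
# Constructed server certificate, signed by that CA.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 2 -out "$WORK/server.crt" 2>/dev/null

# Verify the chain a server presents (leaf plus the CA it sends along) the way
# a client with TLS_REQCERT demand does.
#   $1 = leaf certificate, $2 = chain certificate sent with it,
#   $3 = CA file to trust (empty = none trusted, the poster's situation)
# Prints OpenSSL's numeric verify error, or 0 when verification succeeds.
verify_chain() {
    if [ -n "$3" ]; then
        out=$(openssl verify -CAfile "$3" -untrusted "$2" "$1" 2>&1) && { echo 0; return; }
    else
        out=$(openssl verify -untrusted "$2" "$1" 2>&1) && { echo 0; return; }
    fi
    # First "error N at D depth lookup: ..." line carries the verify error code.
    printf '%s\n' "$out" | sed -n 's/^error \([0-9][0-9]*\) at .*/\1/p' | head -n 1
}

LEAF="$WORK/server.crt"; CA="$WORK/ca.crt"
echo "CA not trusted:      error $(verify_chain "$LEAF" "$CA" "")"     # 19
echo "CA in TLS_CACERT:    error $(verify_chain "$LEAF" "$CA" "$CA")"  # 0
```

The depth shown in the trace (depth: 1, same subject and issuer) is the CA certificate the server sent in its chain, so the fix is on the client side: point TLS_CACERT at that CA certificate rather than at the server certificate.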
Virtual view of ldap subtree
by Marco Pizzoli
Hi list,
I would like to create a virtual view of my data.
In short, this is my tree
ou=main
|--ou=unitA
|  |--uid=user1
|  |--uid=user2
|--ou=unitB
|  |--uid=user3
|--ou=unitC
   |--uid=user4
   |--uid=user5
And this is what I would like to have:
ou=main
|--ou=my_virtual_view
   |--uid=user1
   |--uid=user2
   |--uid=user3
   |--uid=user4
   |--uid=user5
Could someone advise on how to do this?
Thanks in advance
Marco
10 years, 7 months
ldapsearch against Tivoli Directory Server
by Alejandro Rodriguez Luna
Hi all!
I have a TDS (Tivoli Directory Server) on one of my servers. Every time I
need to query it I need to go to another server and do it; I'd like to
be able to query it from my machine, but I can't using openldap. Do you
guys have a hint/idea/clue?
I use this from another server:
idsldapsearch -h ldapserver.homeluna.org -Z -K /opt/PolicyDirector/ssl/homeluna.kdb -P passw0rd -b "" -s base objectclass=*
btw, my servers only accept SSL connections.
btw, I put the following values inside /etc/openldap/ldap.conf without success.
#
# LDAP Defaults
#
BASE l=world
URI ldap://ldapserver.homeluna.org ldap://ldapserver.homeluna.org:636
PORT 636
TLS_CACERT /home/alexrl/Desktop/ldapserver.homeluna.org.cer
TLS_REQCERT demand
alexrl@localhost ~ $ ldapsearch -v -H ldaps://ldapserver.homeluna.org -Dcn=root -w passw0rd -bl=world uid=alex*
ldap_initialize( ldaps://ldapserver.homeluna.org:636/??base )
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
----------------------------------
Alejandro Rodriguez Luna
E-mail: el_alexluna(a)yahoo.com.mx
----------------------------------
10 years, 7 months
Generated fields from static rules ?
by Yoann Gini
Hello,
I'm new on this list. I am currently trying to configure an LDAP server to manage my identities (and use Kerberos as the authentication backend). My goal is to minimize the information that needs to be set by the administrator to create an entry.
Here is a basic example:
dn: uid=yoann,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
objectClass: posixAccount
cn: Yoann Gini
gidNumber: 20
homeDirectory: /home/users/yoann
sn: Gini
uid: yoann
uidNumber: 2000
givenName: Yoann
loginShell: /usr/local/bin/zsh
mail: yoann(a)example.com
userPassword: {SASL}yoann(a)EXAMPLE.COM
As you can see, there is a lot of redundant information…
What I'm looking for is a way to fix some fields for posixAccount or for *,ou=people,dc=example,dc=com.
For example, userPassword should be constructed from a static text, an ldap entry value and a global variable… {SASL}$uid$#KRB_REALM#.
Likewise for mail: $uid$#domain#
If you have any suggestions :-)
Yoann
10 years, 7 months
Re: mdb_stat question
by Roman Rybalko
17.10.2012 04:19, Howard Chu wrote:
> Have a look at mdb_stat in git mdb.master commit
> 617769bce5bcac809791adb11301e40d27c31566
>
> Use options -e and -f, that should give you everything you want.
> Feedback appreciated, I doubt this is its final form yet.
>
Thanks!
Nice tool!
But how would I determine storage usage percent?
((Number of pages used)-(Free pages))/(Max pages)*100
or just
(Number of pages used)/(Max pages)*100
?
I mean, is it possible to have a situation where (Number of pages used)==(Max
pages) and (Free pages)!=0 ?
root@log:~# mdb_stat -e /mnt/data/ldap/2
Environment Info
Map address: (nil)
Map size: 15032385536
Page size: 4096
Max pages: 3670016
Number of pages used: 1042935
Last transaction ID: 2802459
Max readers: 126
Number of readers used: 18
Status of Main DB
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 12
root@log:~# mdb_stat -f /mnt/data/ldap/2
Freelist Status
Tree depth: 3
Branch pages: 7
Leaf pages: 673
Overflow pages: 1
Entries: 2745
Free pages: 140824
Status of Main DB
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 12
root@log:~#
--
WBR,
Roman Rybalko
10 years, 7 months
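One way to turn those two mdb_stat listings into a fill-level figure, added here as an example and not part of the thread. It assumes, as LMDB accounts for pages, that "Number of pages used" is the high-water mark of the map and already includes the freelist pages, so live data occupies (used - free) pages and the second formula in the question overstates usage; the sample text is constructed from the numbers posted above.

```shell
#!/bin/sh
# Added example: compute LMDB map usage from "mdb_stat -e" and "mdb_stat -f"
# output. Assumes "Number of pages used" is the high-water mark including the
# freelist, so pages holding live data = used - free. Sample is constructed
# from the figures in the thread.
MDB_STAT_SAMPLE='Environment Info
Map address: (nil)
Map size: 15032385536
Page size: 4096
Max pages: 3670016
Number of pages used: 1042935
Last transaction ID: 2802459
Max readers: 126
Number of readers used: 18
Freelist Status
Tree depth: 3
Branch pages: 7
Leaf pages: 673
Overflow pages: 1
Entries: 2745
Free pages: 140824'

# Reads mdb_stat text on stdin and prints:
#   <used> <free> <max> <live-data %> <high-water %>
# The two percentages differ exactly by the freelist share of the map, which
# is the "used == max but free != 0" case asked about: the map is at its
# high-water mark, but the free pages are reused before the map is full.
mdb_fill() {
    awk -F': *' '
        $1 == "Max pages"            { max  = $2 }
        $1 == "Number of pages used" { used = $2 }
        $1 == "Free pages"           { free = $2 }
        END {
            if (max == 0) { print "no Max pages line in input" > "/dev/stderr"; exit 1 }
            live = used - free
            printf "%d %d %d %.2f %.2f\n", used, free, max,
                   live * 100 / max, used * 100 / max
        }'
}

# Live-data percentage alone, convenient for a monitoring threshold.
mdb_live_pct() { mdb_fill | awk '{ print $4 }'; }

printf '%s\n' "$MDB_STAT_SAMPLE" | mdb_fill   # 1042935 140824 3670016 24.58 28.42
```

Feeding the concatenated output of both mdb_stat invocations works the same way, since only the three labelled lines are read.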
mdb_stat question
by Frank Swasey
If I've failed to find this on the mailinglist or in my google searches,
I am sorry. However, as I'm experimenting with using mdb for the
backend with OpenLDAP-2.4.33 on RHEL 6.3, I'm wondering what am I
looking for when I run mdb_stat and it tells me:
Page size: 4096
Tree depth: 2
Branch pages: 1
Leaf pages: 2
Overflow pages: 0
Entries: 59
--
Frank Swasey | http://www.uvm.edu/~fcs
Sr Systems Administrator | Always remember: You are UNIQUE,
University of Vermont | just like everyone else.
"I am not young enough to know everything." - Oscar Wilde (1854-1900)
10 years, 7 months
Three issues with rwm overlay and olcExtraAttrs
by k3kk0n3n k3kk0n3n
[Resending this as the first one didn't seem to appear on the mailing list,
I apologize if this creates a duplicate.]
Hi,
I believe I have found 3 issues related to the rwm overlay and the
extra_attrs (or olcExtraAttrs) setting written to fix the issues described
in ITS#6513 (
http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6513;selectid=65...).
The description is long but I tried to provide as much information as
possible. I am hoping someone can test and confirm the issues or tell me
what I'm doing wrong if there in fact is no issue.
I'm running version 2.4.32 on Ubuntu 10 and Debian Squeeze.
1)
The documentation in the slapd-config manpage is incorrect. The
olcExtraAttrs setting is said to be a global configuration setting when in
reality it seems to be database specific. In the slapd.conf manpage, the
corresponding setting (extra_attrs) is listed as being database-specific. I
believe that is correct although I have not checked it.
2)
olcExtraAttrs does not seem to work with the rwm overlay (like in
ITS#6513). With the rwm overlay present, ACIs are not evaluated when
requesting a specific attribute, regardless of whether olcExtraAttrs is
specified or not. In order to apply the ACI, you can pass the ACI attribute
name in the search. I'm providing a configuration file that can be used to
reproduce the problem as well as some search examples to demonstrate the
issue.
----Configuration file----
dn: cn=config
objectClass: olcGlobal
cn: config
olcPidFile: /usr/local/var/run/slapd.pid
olcArgsFile: /usr/local/var/run/slapd.args
#olcLogLevel: -1
olcToolThreads: 1

dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to dn.base="cn=subschema" by * read
olcRequires: authc

dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/etc/openldap/schema/core.ldif

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModuleload: back_hdb
olcModuleLoad: rwm

dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm

dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: pass
olcDbConfig: set_cachesize 0 2097152 0
olcDbConfig: set_lk_max_objects 1500
olcDbConfig: set_lk_max_locks 1500
olcDbConfig: set_lk_max_lockers 1500
olcExtraAttrs: OpenLDAPaci
olcAccess: to attrs=userpassword
  by anonymous auth
olcAccess: to dn.base="dc=example,dc=com"
  by * search
olcAccess: to *
  by self manage
  by dynacl/aci=OpenLDAPaci manage
----Note----
To disable the rwm overlay, comment out the following 4 lines in the config:
dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
----Test data----
dn: dc=example,dc=com
objectClass: dcObject
objectClass: top
objectClass: organization
dc: example
o: example

dn: cn=a,dc=example,dc=com
objectClass: top
objectClass: person
cn: a
sn: a
userPassword: pass

dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
userPassword: pass
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com
----Search examples----
Without rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com
# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
# numResponses: 2
# numEntries: 1
Without rwm, requesting an attribute (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn
# b, example.com
dn: cn=b,dc=example,dc=com
sn: b
# numResponses: 2
# numEntries: 1
With rwm, requesting the whole object (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com
# b, example.com
dn: cn=b,dc=example,dc=com
objectClass: top
objectClass: person
cn: b
sn: b
# numResponses: 2
# numEntries: 1
With rwm, requesting an attribute (notice the object is not returned here):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn
# numResponses: 1
With rwm, requesting an attribute and openldapaci (works as expected):
ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci
# b, example.com
dn: cn=b,dc=example,dc=com
sn: b
OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com
# numResponses: 2
# numEntries: 1
3)
The last issue came up when I was attempting to set up a certain kind of
access control logic. It is highly similar to the previous problem but it
doesn't involve ACIs. The issue is caused by the rwm overlay somehow
blocking the ACL from accessing unrequested attributes just like in the
previous case. olcExtraAttrs was created to fix this issue but I assume it
would not fully solve the problem in my case. I have naturally not been
able to test it due to the fact that I haven't gotten olcExtraAttrs to work.
The access control logic I was attempting to set up was such that objects
could contain 2 new attributes: 'rights' and 'requiredRights', both being
multivalued strings. 'requiredRights' tells what rights are required to
access the object in question, and 'rights' tells what rights each object
has. If the user's 'rights' and the target object's 'requiredRights' have at
least one common string, access is granted. Fairly simple. The ACL used to
evaluate access is as follows:
to * by set="this/requiredRights & user/rights" read
This method works unless I use the rwm overlay. I'm guessing the attributes
required to evaluate the ACLs are somehow dropped and cannot be used.
olcExtraAttrs would (if it worked) automatically add the needed attributes
to the target object but, to my understanding, not to the user object. The
user's attributes would however be needed to evaluate the set shown earlier.
The trick used in the last of the previously shown search examples does not
work in this case. I can provide requiredRights and rights as additional
attributes in the search and I assume requiredRights is returned for access
control to use but rights isn't as it is an attribute of the user object. I
don't have a cleaned-up version of the config at this time but one could be
created if needed.
10 years, 7 months