openldap-technical October 2012

openldap-technical@openldap.org

68 participants
66 discussions

LDAP Architecture for CardDAV/OpenLDAP interface
by Nicolas Mora 21 Oct '12

21 Oct '12

Hello, I'm using both an OpenLDAP server and an owncloud server, both for different but convergent purposes. The OpenLDAP manages an addressbook that is used by all mail client (Thunderbird, Horde, etc.), and the owncloud server also manages an addressbook for phone numbers, addresses and stuff, this one is a CardDAV one with VCard files. My goal is to converge these 2 different back-ends into one, all the data would be stored in the LDAP server. I did some research about how to do it and I have some clue that I would like to submit to you for feedbacks. The first interrogation is about the VCard/LDAP interface. After studying the VCard format and the different LDAP schemas, mostly RFC 6350 and 2256 and the schema files in the OpenLDAP conf folder in a Debian Stable server. I think that a new schema would do the connection. All the VCard properties can be easily linked to an existing person or inetOrgPerson or another *person objectClass. And the properties that doesn't exist yet are to be created in a schema extension. Also, one or two additional properties fields per property are to be created for the VCard parameters. Actually, there are different objectClass that might be extended: person, inetOrgPerson, organizationalPerson and residentialPerson. Considering that inetOrgPerson, organizationalPerson and residentialPerson are designed for specific purposes, I think that extending the person objectClass would be the best guess, what do you think ? The second question is more about the OpenLDAP configuration to handle this need. Right now, the OpenLDAP server is only used by me as an addressbook and an authentication server, the directory looks like this: dc=babelouest,dc=org | |-ou=addressbook | | | |-cn=Address1 | |-cn=Address2 | |-[...] | |-ou=users | | | |-uid=user1 | |-uid=user2 | |[...] I would like to add another branch to allow users to add their own addressbook entries, these entries would be in read/write mode only for the owner, no one else but him should have access. The new directory would look like this: dc=babelouest,dc=org | |-ou=addressbook (global, read-only for all users) | | | |-cn=Address1 | |-cn=Address2 | |-[...] | |-ou=users | | | |-uid=user1 | |-uid=user2 | |[...] | |-ou=personnalAddressbooks (personnal addressbook entries) | | | |-uid=user1 | | | | | |-cn=Address1 | | |-cn=Address2 | | |-cn=Address3 | | | |-uid=user2 | | | | | |-cn=Address1 | | |-cn=Address2 I took a look at the Access control help page but I couldn't find how to properly set the OpenLDAP configuration like this. Can you help me configuring the slapd.conf ? Thanks in advance. /Nicolas

2 1

Dynamic configuration / admin users
by Simon Walter 19 Oct '12

19 Oct '12

Greetings, First off, I'm sorry if this is the wrong place to ask this. Please direct me to the appropriate list. Here goes with the n00b questions: Debian Squeeze is using the dynamic configuration. While I am sure there are benefits, all the documentation is for static configuration (slapd.conf). I've got a basic tree up and running and several services are using it no problem. There are several things I'd like to do, like replication. For this and some other services, SOGo for example, that don't bind anonymously, I'd like to create some more users for this. I could be mistaken, but perhaps they need some kind of admin privileges. If not, that means that any user can modify anything in the tree. I see various information about ACI and ACL and access.conf. I can't find clear documentation about how any of this relates to dynamic configurations. To conclude, how do I add additional users to a dynamic configured openldap tree and configure those users with specific access permissions? Thank you, Simon

3 3

Mirror mode replication problem
by cbulist 19 Oct '12

19 Oct '12

Hi, We have configured 2 server with openldap 2.4.23-26 version and everything is working well (ppolicy,acl etc). We implemented replication in mirror mode and it is working well. When we add/delete/modify something in serverID 1 it sync the data to serverID2 without problem but when we add/delete/modify in serverID 2 it is not sync to serverID 1. We tried to stop openldap server1 then make changes on server2 and start server 1 again in order to get the changes from server2 but it did not work. According to 2.4 guide: "When a crashed provider is repaired and restarted it will automatically catch up to any changes on the running provider and resync". We appreciate any help to try fix this problem. Thanks in advance! This is the relevant configuration directives: #Server 1 overlay syncprov syscprov-checkpoint 100 10 syscprov-sessionlog 100 serverID 1 syncrepl rid=001 provider=ldap://server2:389 bindmethod=simple binddn="cn=Manager,dc=sample,dc=com" credentials=secret searchbase="dc=sample,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on #Server 2 overlay syncprov syscprov-checkpoint 100 10 syscprov-sessionlog 100 serverID 2 syncrepl rid=001 provider=ldap://server1:389 bindmethod=simple binddn="cn=Manager,dc=sample,dc=com" credentials=secret searchbase="dc=sample,dc=com" schemachecking=on type=refreshAndPersist retry="60 +" mirrormode on

2 2

SSL/TLS issue
by Darouichi, Aziz 19 Oct '12

19 Oct '12

Hi, I am running Openldap-2.4.32, BD-5.3.21 and openssl-1.0.1c on RHEL 5.5. I created CA cert and singed it but when I run ldeapsearch with -ZZ I get the following error: TLS trace: SSL_connect:before/connect initialization TLS trace: SSL_connect:SSLv2/v3 write client hello A TLS trace: SSL_connect:SSLv3 read server hello A TLS certificate verification: depth: 1, err: 19, subject: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu, issuer: /C=US/ST=Mass/O=Curry College/OU=Technology Center/CN=LDAP-SSL.curry.edu/emailAddress=adarouic@curry.edu TLS certificate verification: Error, self signed certificate in certificate chain TLS trace: SSL3 alert write:fatal:unknown CA TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS trace: SSL_connect:error in SSLv3 read server certificate B TLS: can't connect. ldap_perror ldap_start_tls: Connect error (-11) additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed Please let me know if I missed something in my configuration. Thanks, Aziz

4 8

Virtual view of ldap subtree
by Marco Pizzoli 18 Oct '12

18 Oct '12

1 0

ldapsearch agains Tivoli Directory Server
by Alejandro Rodriguez Luna 18 Oct '12

18 Oct '12

Hi all! I have a TDS (Tivoli Directory Server) in one of my servers, every time i need to query it i need to go to another server and do it, i'd like to be able to query from my machine, but i can't using openldap, do you guys have a hint/idea/clue?? i use this from another server idsldapsearch -h ldapserver.homeluna.org -Z -K /opt/PolicyDirector/ssl/homeluna.kdb -P passw0rd -b "" -s base objectclass=* btw, My servers only accepts SSL conections. btw, i put the following values inside /etc/openldap/ldap.conf without succeed. # # LDAP Defaults # BASE l=world URI ldap://ldapserver.homeluna.org ldap://ldapserver.homeluna.org:636 PORT 636 TLS_CACERT /home/alexrl/Desktop/ldapserver.homeluna.org.cer TLS_REQCERT demand alexrl@localhost ~ $ ldapsearch -v -H ldaps://ldapserver.homeluna.org -Dcn=root -w passw0rd -bl=world uid=alex* ldap_initialize( ldaps://ldapserver.homeluna.org:636/??base ) ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) ---------------------------------- Alejandro Rodriguez Luna E-mail: el_alexluna(a)yahoo.com.mx ----------------------------------

2 1

Generated fields from static rules ?
by Yoann Gini 17 Oct '12

17 Oct '12

Hello, I’m new on this list. I actually try to configure a LDAP server to manage my identities (and use Kerberos as authentication backend). In my goal, I want to minimize information that need to be set by administrator to create entry. Here is a basic example : dn: uid=yoann,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: organizationalPerson objectClass: person objectClass: top objectClass: posixAccount cn: Yoann Gini gidNumber: 20 homeDirectory: /home/users/yoann sn: Gini uid: yoann uidNumber: 2000 givenName: Yoann loginShell: /usr/local/bin/zsh mail: yoann(a)example.com userPassword: {SASL}yoann(a)EXAMPLE.COM As you can see, they have many redundant informations… What I looking for is a way to fix some field for posixAccount or *,ou=people,dc=example,dc=com. For example, userPassword should be construct with a static text, a ldap entry and a global variable… {SASL}$uid$#KRB_REALM#. Like the mail : $uid$#domain# If you have any suggestion :-) Yoann

2 2

Re: mdb_stat question
by Roman Rybalko 17 Oct '12

17 Oct '12

17.10.2012 04:19, Howard Chu пишет: > Have a look at mdb_stat in git mdb.master commit > 617769bce5bcac809791adb11301e40d27c31566 > > Use options -e and -f, that should give you everything you want. > Feedback appreciated, I doubt this is its final form yet. > Thanks! Nice tool! But how would I determine storage usage percent? ((Number of pages used)-(Free pages))/(Max pages)*100 or just (Number of pages used)/(Max pages)*100 ? I mean is there possible a situation when (Number of pages used)==(Max pages) and (Free pages)!=0 ? root@log:~# mdb_stat -e /mnt/data/ldap/2 Environment Info Map address: (nil) Map size: 15032385536 Page size: 4096 Max pages: 3670016 Number of pages used: 1042935 Last transaction ID: 2802459 Max readers: 126 Number of readers used: 18 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 12 root@log:~# mdb_stat -f /mnt/data/ldap/2 Freelist Status Tree depth: 3 Branch pages: 7 Leaf pages: 673 Overflow pages: 1 Entries: 2745 Free pages: 140824 Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 12 root@log:~# -- WBR, Roman Rybalko

2 1

mdb_stat question
by Frank Swasey 16 Oct '12

16 Oct '12

If I've failed to find this on the mailinglist or in my google searches, I am sorry. However, as I'm experimenting with using mdb for the backend with OpenLDAP-2.4.33 on RHEL 6.3, I'm wondering what am I looking for when I run mdb_stat and it tells me: Page size: 4096 Tree depth: 2 Branch pages: 1 Leaf pages: 2 Overflow pages: 0 Entries: 59 -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900)

3 4

Three issues with rwm overlay and olcExtraAttrs
by k3kk0n3n k3kk0n3n 16 Oct '12

16 Oct '12

[Resending this as the first one didn't seem to appear on the mailing list, I apologize if this creates a duplicate.] Hi, I believe I have found 3 issues related to the rwm overlay and the extra_attrs (or olcExtraAttrs) setting written to fix the issues described in ITS#6513 ( http://www.openldap.org/its/index.cgi/Software%20Bugs?id=6513;selectid=6513…). The description is long but I tried to provide as much information as possible. I am hoping someone can test and confirm the issues or tell me what I'm doing wrong if there in fact is no issue. I'm running version 2.4.32 on Ubuntu 10 and Debian Squeeze. 1) The documentation in the slapd-config manpage is incorrect. The olcExtraAttrs setting is said to be a global configuration setting when in reality it seems to be database specific. In the slapd.conf manpage, the corresponding setting (extra_attrs) is listed as being database-specific. I believe that is correct although I have not checked it. 2) olcExtraAttrs does not seem to work with the rwm overlay (like in ITS#6513). With the rwm overlay present, ACIs are not evaluated when requesting a specific attribute, regardless of whether olcExtraAttrs is specified or not. In order to apply the ACI, you can pass the ACI attribute name in the search. I'm providing a configuration file that can be used to reproduce the problem as well as some search examples to demonstrate the issue. ----Configuration file---- dn: cn=config objectClass: olcGlobal cn: config olcPidFile: /usr/local/var/run/slapd.pid olcArgsFile: /usr/local/var/run/slapd.args #olcLogLevel: -1 olcToolThreads: 1 dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break olcAccess: {1}to dn.base="" by * read olcAccess: {2}to dn.base="cn=subschema" by * read olcRequires: authc dn: olcDatabase=config,cn=config objectClass: olcDatabaseConfig olcDatabase: config olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema include: file:///usr/local/etc/openldap/schema/core.ldif dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModuleload: back_hdb olcModuleLoad: rwm dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: hdb olcSuffix: dc=example,dc=com olcDbDirectory: /var/lib/ldap olcRootDN: cn=admin,dc=example,dc=com olcRootPW: pass olcDbConfig: set_cachesize 0 2097152 0 olcDbConfig: set_lk_max_objects 1500 olcDbConfig: set_lk_max_locks 1500 olcDbConfig: set_lk_max_lockers 1500 olcExtraAttrs: OpenLDAPaci olcAccess: to attrs=userpassword by anonymous auth olcAccess: to dn.base="dc=example,dc=com" by * search olcAccess: to * by self manage by dynacl/aci=OpenLDAPaci manage ----Note---- To disable the rwm overlay, comment the following 4 lines in the config: dn: olcOverlay=rwm,olcDatabase={-1}frontend,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: rwm ----Test data---- dn: dc=example,dc=com objectClass: dcObject objectClass: top objectClass: organization dc: example o: example dn: cn=a,dc=example,dc=com objectClass: top objectClass: person cn: a sn: a userPassword: pass dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b userPassword: pass OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com ----Search examples---- Without rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com # b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b # numResponses: 2 # numEntries: 1 Without rwm, requesting an attribute (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn # b, example.com dn: cn=b,dc=example,dc=com sn: b # numResponses: 2 # numEntries: 1 With rwm, requesting the whole object (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com # b, example.com dn: cn=b,dc=example,dc=com objectClass: top objectClass: person cn: b sn: b # numResponses: 2 # numEntries: 1 With rwm, requesting an attribute (notice the object is not returned here): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn # numResponses: 1 With rwm, requesting an attribute and openldapaci (works as expected): ldapsearch -x -D cn=a,dc=example,dc=com -w pass -b cn=b,dc=example,dc=com sn openldapaci # b, example.com dn: cn=b,dc=example,dc=com sn: b OpenLDAPaci: 1#entry#grant;r,s,c;[all]#access-id#cn=a,dc=example,dc=com # numResponses: 2 # numEntries: 1 3) The last issue came up when I was attempting to set up a certain kind of access control logic. It is highly similar to the previous problem but it doesn't involve ACIs. The issue is caused by the rwm overlay somehow blocking the ACL from accessing unrequested attributes just like in the previous case. olcExtraAttrs was created to fix this issue but I assume it would not fully solve the problem in my case. I have naturally not been able to test it due to the fact that I haven't gotten olcExtraAttrs to work. The access control logic I was attempting to set up was such that objects could contain 2 new attributes: 'rights' and 'requiredRights', both being multivalued strings. 'requiredRights' tells what rights are required to access the object in question, and 'rights' tells what rights each object has. If the user's 'rights' and the target objects 'requiredRights' have at least one common string, access is granted. Fairly simple. The ACL used to evaluate access is as follows: to * by set="this/requiredRights & user/rights" read This method works unless I use the rwm overlay. I'm guessing the attributes required to evaluate the ACLs are somehow dropped and cannot be used. olcExtraAttrs would (if it worked) automatically add the needed attributes to the target object but, to my understanding, not to the user object. The user's attributes would however be needed to evaluate the set shown earlier. The trick used in the last of the previously shown search examples does not work in this case. I can provide requiredRights and rights as additional attributes in the search and I assume requiredRights is returned for access control to use but rights isn't as it is an attribute of the user object. I don't have a cleaned-up version of the config at this time but one could be created if needed.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2012