Re: ACL on create questions
by Andrew Findlay
[ Keep copying to the openldap-technical(a)openldap.org list ]
On Thu, May 02, 2013 at 02:15:02PM +0000, Emmanuel Dreyfus wrote:
> It almost works. My only concern is that it is possible to create an
> object where LHS of DN is not in object's attributes. Like this:
>
> dn: foo=x,o=org
> objectClass: fooClass
> foo: y
There was some argument about that a few years ago. I am sure that the
intention of X.500 was for values in the RDN to be *chosen from*
values in the entry. X.501(1988) section 8.1(g) defines an RDN:
A set of attribute value assertions, each of which is true,
concerning the distinguished values of a particular entry.
Unfortunately, somewhere along the line one or more LDAP implementations
permitted values in the RDN to be *in addition to* the values in the
entry. This was a pain as it was not clear how search filters etc should
behave, but some people with loud voices apparently became dependent
on it. I remember someone (probably Kurt) saying at one point that the
behaviour was wrong but someone had written it into the standards so it
had to be supported.
However, LDAP is now defined by RFC4512 which says this:
2.3.1. Relative Distinguished Names
Each entry is named relative to its immediate superior. This
relative name, known as its Relative Distinguished Name (RDN)
[X.501], is composed of an unordered set of one or more attribute
value assertions (AVA) consisting of an attribute description with
zero options and an attribute value. These AVAs are chosen to match
attribute values (each a distinguished value) of the entry.
I read that as equivalent to the original X.501 definition, so maybe
we should now treat the behaviour you see as a bug.
Which version of slapd are you using? When I try this on 2.4.35 the
extra value from the RDN gets copied into the entry so although the
LDIF being loaded is not strictly correct it does result in a
conformant entry. What does your entry look like when you read it
back?
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Debian Squeeze: Slapd subtree disappears, but ldapsearch finds it | unable to allocate memory for mutex; resize mutex region
by Denny Schierz
hi,
in the last hour I had a very strange problem:
I have a Debian Squeeze with slapd installed and it was working for a long time, but today one subtree disappeared completely from the LDAP browser (Apache Directory Studio). It wasn't accessible anymore, but with ldapsearch I was able to see the tree. I also tried to add the LDIF to the LDAP again, but slapd says: "... exists ...."
The only way to get it working again was to restore the plain BDB files from yesterday's backup job.
I absolutely don't know what happened. The only thing I changed: I reinstalled the second LDAP (N-way master) on a new host, with a config only, and let the second LDAP synchronize with the main LDAP. After ~20-40 minutes the job was done and the second was up to date. That was yesterday.
-
The subtree was also missing on the second LDAP ... so the synchronizing did the same ...
So I deleted all *dbd* *log* on ldap2 (after the restore from the main LDAP) and wanted to synchronize the full tree again ... but I get many warnings:
dc=...... unable to allocate memory for mutex; resize mutex region
Any suggestions?
cu denny
ACL on create questions
by Emmanuel Dreyfus
Hi
Two ACL questions:
1) Is it possible to allow entry creation on a branch while preventing
renaming? I understand I need to give write access to
- attrs=children on parent
- attrs=entry on created entry
- attrs=<the mandatory attributes for object>
The last item includes the attributes used for the RHS part of the DN. That suggests
renaming will always be possible.
2) Is it possible to make some entry values mandatory for an entry creation?
e.g. I want to enforce specific values of objectClass
--
Emmanuel Dreyfus
manu(a)netbsd.org
How to configure ubuntu server with LDAP group based authentication
by Geo P.C.
By installing libnss-ldap we are able to integrate an Ubuntu server with
LDAP (OpenLDAP). But we are unable to configure LDAP group-based
authentication.
We need to configure it in such a way that only users from a particular
group can log in.
Please let me know if it is possible to configure this, and please send us the
steps or any URL.
Thanks
Geo
Need help to configure OpenLDAP!!
by pradyumna dash
Hi,
I am facing an issue while configuring OpenLDAP. My suffix looks like the below
in the slapd.conf file, and apart from the default schema I have used
ppolicy.
database bdb
suffix "dc=example,dc=com,dc=in"
rootdn "cn=Manager,dc=example,dc=com,dc=in"
# SAG: 20100203
overlay ppolicy
ppolicy_default "cn=default,ou=policies,o=test,dc=example,dc=com,dc=in"
ppolicy_use_lockout
I have prepared the LDIF below to add (test.ldif):
dn: dc=com,dc=in
dc: com
objectClass: top
objectClass: domain

dn: dc=example,dc=com,dc=in
dc: example
objectClass: top
objectClass: domain

dn: ou=People,dc=example,dc=com,dc=in
ou: People
objectClass: top
objectClass: organizationalUnit

dn: ou=Group,dc=example,dc=com,dc=in
ou: Group
objectClass: top
objectClass: organizationalUnit
I am using the below command to add this LDIF file:
ldapadd -x -W -D "cn=Manager,dc=example,dc=com,dc=in" -f /opt/test.ldif
But I am getting the below error:
adding new entry "dc=com,dc=in"
ldap_add: Server is unwilling to perform (53)
    additional info: no global superior knowledge
Please help.
Regards,
/Neo
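A check for both points raised on this page: Andrew Findlay's reading of RFC 4512 2.3.1 that the RDN's values must be values held by the entry, and the "no global superior knowledge" error Neo gets because dc=com,dc=in lies outside the configured suffix. This is an added example, not code from the thread or from OpenLDAP; it assumes plain LDIF (no base64 or continuation lines) and compares values exactly, whereas slapd applies each attribute's matching rule.

```python
# Added example (not from the thread): a minimal RFC 4514 DN parser plus the two
# checks this page discusses. Assumes simple LDIF (no base64/continuation lines)
# and compares values exactly; a server applies the attribute's matching rule.
import re

def split_unescaped(s, sep):
    """Split on sep, consuming backslash escape pairs as units so '\\,' is kept."""
    return re.findall(r"(?:\\.|[^\\%s])+" % re.escape(sep), s)

def unescape(v):
    """Resolve RFC 4514 '\\XX' hex pairs and '\\c' single-character escapes."""
    return re.sub(r"\\([0-9a-fA-F]{2}|.)",
                  lambda m: chr(int(m[1], 16)) if len(m[1]) == 2 else m[1], v)

def parse_dn(dn):
    """DN -> list of RDNs (leaf first); each RDN a sorted list of (attr, value)."""
    return [sorted((a.strip().lower(), unescape(v.strip()))
                   for a, _, v in (ava.partition("=") for ava in split_unescaped(rdn, "+")))
            for rdn in split_unescaped(dn, ",")]

def parse_ldif(text):
    """Blank-line separated 'attr: value' records -> list of {attr: [values]}."""
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        entries.append({})
        for k, _, v in (line.partition(":") for line in block.splitlines()):
            entries[-1].setdefault(k.strip(), []).append(v.strip())
    return entries

def rdn_values_missing(entry):
    """RDN AVAs whose value the entry does not hold; RFC 4512 2.3.1 requires it."""
    held = {k.lower(): set(v) for k, v in entry.items() if k.lower() != "dn"}
    return [(a, v) for a, v in parse_dn(entry["dn"][0])[0] if v not in held.get(a, ())]

def is_within_suffix(dn, suffix):
    """True if dn equals the suffix or lies beneath it (suffix is a tail of dn)."""
    d, s = parse_dn(dn), parse_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def check_ldif(text, suffix):
    """Map each DN to its problems; an empty list means the entry is clean."""
    report = {}
    for e in parse_ldif(text):
        dn = e["dn"][0]
        probs = [] if is_within_suffix(dn, suffix) else ["outside suffix: no global superior knowledge"]
        probs += [f"RDN value {a}={v} not held by entry" for a, v in rdn_values_missing(e)]
        report[dn] = probs
    return report

# Constructed inputs copied from the two posts on this page.
MANU_LDIF = "dn: foo=x,o=org\nobjectClass: fooClass\nfoo: y"
NEO_LDIF = "dn: dc=com,dc=in\ndc: com\nobjectClass: domain\n\ndn: dc=example,dc=com,dc=in\ndc: example\nobjectClass: domain"
```

Running check_ldif(MANU_LDIF, "o=org") flags foo=x as absent from the entry, and check_ldif(NEO_LDIF, "dc=example,dc=com,dc=in") flags only the first record, which is the one slapd refuses.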
The problem of BINDDN/BINDPW in ldap.conf (2nd time)
by Madas Pál
Earlier thread:
> Tianyin Xu asked, Howard Chu answered:
>
>
> ...
>
> This works quite fine. Then, I write the parameters into ldap.conf as follows:
>
> -----------------ldap.conf-----------------------
> BASE dc=ucsd,dc=edu
> BINDDN cn=admin,dc=ucsd,dc=edu
> BINDPW 12345
> -----------------------------------------------------
>
> Then only BASE has effect. According to the ldap.conf manual, BINDDN is a
>
> ...
>
> Those were not OpenLDAP's ldap.conf. BINDPW isn't mentioned in
> OpenLDAP documentation because it does not exist in OpenLDAP. Reading
> non-OpenLDAP documentation and attempting to apply it to OpenLDAP
> software is a pretty reliable means of confusing yourself.
My question:
It has been clearly stated that BINDPW cannot be used in ldaprc (at least in the case of OpenLDAP).
But it is definitely stated in the manpage of ldap.conf that BINDDN is a legal user-only option of OpenLDAP. My ldaprc says:
BASE ou=madas,dc=something
BINDDN cn=admin,dc=something
TLS_REQCERT allow
URI ldaps://ip1.ip2.ip3.ip4
BASE and URI have their effect, BINDDN does not. Did I make a mistake?
Thank you in advance.
man ldap.conf:
...
AUTHOR
Kurt Zeilenga, The OpenLDAP Project
ACKNOWLEDGEMENTS
OpenLDAP Software is developed and maintained by The OpenLDAP Project <http://www.openldap.org/>. OpenLDAP Software is derived
from University of Michigan LDAP 3.3 Release.
OpenLDAP 2011/11/24 LDAP.CONF(5)
...