openldap-technical July 2014

openldap-technical@openldap.org

28 participants
24 discussions

Re: creating a cn=config modules
by Greg Treantos 09 Jul '14

09 Jul '14

Here is what the cn=config directory looks like. As you can see there is no olcDatabase={x}module.ldif file so my question is how do you create one. olcDatabase={2}hdb.ldif olcDatabase={1}monitor.ldif olcDatabase={0}config.ldif cn=schema olcDatabase={-1}frontend.ldif cn=schema.ldif I created this compliant ldif dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: {0}/usr/lib64/openldap/memberof.la but when I try an use ldapmodify -Y EXTERNAL -H ldapi:/// -v -f ldapMdynalist.ldif I get ldap_initialize( ldapi:///??base ) SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 add olcModuleLoad: {0}/usr/lib64/openldap/memberof.la modifying entry "cn=module{0},cn=config" ldap_modify: No such object (32) matched DN: cn=config So how do you create a ldif in cn=config. I've read the docs but it is not clear to me how to do this. Once the file is created I'm sure ldapmodify will work. Do I just touch the file? On Wed, Jul 9, 2014 at 4:54 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, July 09, 2014 2:10 PM -0400 Greg Treantos < > gtreanto(a)gmail.com> wrote: > > 1 dn: cn=module{0},cn=config >> 2 changetype: modify >> 3 add:olcModuleList >> 4 objectClass: olcModuleList >> 5 olcModulePath: /usr/lib64/openldap/ >> 6 cn: module{0} >> 7 changetype: modify >> 8 add: olcModuleLoad >> 9 olcModuleLoad: {0}accesslog.la >> 10 olcModuleLoad: {1}auditlog.la >> 11 olcModuleLoad: {2}constraint.la >> 12 olcModuleLoad: {3}dynlist.la >> 13 olcModuleLoad: {4}memberof.la >> 14 olcModuleLoad: {5}ppolicy.la >> 15 olcModuleLoad: {6}refint.la >> 16 olcModuleLoad: {7}seqmod.la >> 17 olcModuleLoad: {8}syncprov.la >> 18 olcModuleLoad: {9}sssvlv.la >> 19 olcModuleLoad: {10}translucent.la >> 20 olcModuleLoad: {11}unique.la >> 21 olcModuleLoad: {12}back_monitor.la >> > > The above LDIf is clearly invalid. I'm not surprised at all that it gets > rejected. I'd suggest re-reading the documentation on how to use > ldapmodify and the LDIF format. > > --Quanah > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Greg http://www.linkedin.com/in/gregtreantos

2 1

creating a cn=config modules
by Greg Treantos 09 Jul '14

09 Jul '14

I have openldap server version I am trying to create a cn=module{0} I created an ldif but can't seem to get the proper syntax. I've spent a lot of time searching but haven't found a solution. Any suggestions are appreciated. the ldif I am using, The line numbers are for reference only 1 dn: cn=module{0},cn=config 2 changetype: modify 3 add:olcModuleList 4 objectClass: olcModuleList 5 olcModulePath: /usr/lib64/openldap/ 6 cn: module{0} 7 changetype: modify 8 add: olcModuleLoad 9 olcModuleLoad: {0}accesslog.la 10 olcModuleLoad: {1}auditlog.la 11 olcModuleLoad: {2}constraint.la 12 olcModuleLoad: {3}dynlist.la 13 olcModuleLoad: {4}memberof.la 14 olcModuleLoad: {5}ppolicy.la 15 olcModuleLoad: {6}refint.la 16 olcModuleLoad: {7}seqmod.la 17 olcModuleLoad: {8}syncprov.la 18 olcModuleLoad: {9}sssvlv.la 19 olcModuleLoad: {10}translucent.la 20 olcModuleLoad: {11}unique.la 21 olcModuleLoad: {12}back_monitor.la here is the error ldapmodify -Y EXTERNAL -H ldapi:/// -vn -f ldapMdynalist.ldif ldapmodify: wrong attributeType at line 4, entry "cn=module{0},cn=config" -- Greg http://www.linkedin.com/in/gregtreantos

2 1

Addressbook in LDAP ... should be simple right?
by Adam Goryachev 09 Jul '14

09 Jul '14

I've been messing with LDAP for the past couple of days, and following various online tutorials on how to create an addressbook for Thunderbird in openldap. Sure, this isn't too difficult, and I have it working as a proof of concept. I can use phpldapadmin to create new entries in my addressbook, and these will show up in Thunderbird's addressbook. I've also spent the day reading most of the openldap admin guide (250 pages), which eventually I noticed is missing section E, where I'm sure something simple like this would appear. However, now I want to organise the addresses into groups. eg, say we have the following staff: John Smith works in the head office and is the CEO Ann Johnson works in the head office and is a general admin person Mary Brown works in the branch office and is the state manager Jane Martin works in the branch office and is a general admin person I want everybody to be listed in a People group... I want all four people listed in a Staff group... I want John Smith and Mary Brown in a Managers group I want John Smith and Ann Johnson in a Head Office group I want Mary Brown and Jane Martin in a Branch Office group So, I could do this like this: dn: dc=example,dc=com objectClass: top objectClass: dcObject objectClass: organization o: My Organization dc: example dn: ou=People,dc=example,dc=com objectClass: top objectClass: organizationalUnit ou: People description: All the people dn: ou=Staff,dc=example,dc=com objectClass: organizationalUnit objectClass: top ou: Staff dn: cn=John Smith+mail=jsmith(a)example.com,ou=People,dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: mozillaAbPersonAlpha givenName: John sn: Smith cn: John Smitih mail: jsmith(a)example.com etc for other people Then I can configure the groups like this: dn: cn=Managers,dc=example,dc=com cn: Managers of example.com objectclass: groupofNames member: cn=John Smith+mail=jsmith(a)example.com,ou=People,dc=example,dc=com member: cn=Mary Brown+mail=mbrown(a)example.com,ou=People,dc=example,dc=com However, thunderbird doesn't seem to have any smart way to show this group... So, I thought, maybe I could duplicate the "People" and put complete addressbook records into the Managers ou, but then it complains that the same CN already exists, besides the fact that this just seems like a kludge, and not a very "nice" way to achieve this. PS, the context is to try and replace MS Outlook with Mozilla Thunderbird. With email in IMAP4, that works well. I can share the calendar from thunderbird to iphones/android phones with http://calendarserver.org/. Now I'm just trying to resolve the "shared contacts" issue, which is currently solved by copying (at login) a pst file from a share to the local users profile, and having that configured to open in outlook (add pst data file). I'd prefer to replace all that with ldap, since thunderbird supports ldap for an addressbook, and it would then update immediately (instead of after next login). Also, long term it would be useful to use ldap for other web based login authentication, squid proxy auth, and/or even windows authentication, but, one step/problem at a time. Thank you for any advise or suggestions, or pointers to documentation. Regards, Adam -- Adam Goryachev Website Managers www.websitemanagers.com.au

6 8

sizelimit issue in openldap + lmdb environment
by Ajit K Jena 08 Jul '14

08 Jul '14

Hi, We have been openldap user for long time with BDB backend. Now I am trying to migrate to LMDB backend. In our environment we are trying to enforce a limit specified below: sizelimit size.soft=54 size.hard=100 size.unchecked=150 This works properly in the BDB environment. In the LMDB environment we cant get even one query answered. We get error 11 (administrative limit exceeded). The query is for (objectclass=*) for a single user (uid=xxx). Has anyone see this before ? The property "sizelimit" is concerned with ldap. How is it getting affected with change of storage backend ? Pl guide me as to how to fix this problem. --ajit --------------------------------------------------------------------- Ajit K. Jena Phone :+91-22-25768750 Computer Centre +91-22-25767751 Indian Institute of Technology POWAI, Mumbai-400 076 Fax : +91-22-25721210 PIN 400076, India Email : ajit(a)iitb.ac.in ---------------------------------------------------------------------

3 2

Trying to get ACLs to work ...
by Philip Colmer 08 Jul '14

08 Jul '14

We have a setup whereby a group of users are able to create accounts in specific OUs. This is handled by ACLs like this one: add: olcAccess olcAccess: to dn.exact="ou=team1,ou=accounts,dc=example,dc=org" attrs=children by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write by users read by * none - add: olcAccess olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write by users read by * none - I've been asked if the people who create those accounts can edit the passwords after the accounts have been created. I tried to do that by changing the second access line to read: add: olcAccess olcAccess: to dn.sub="ou=team1,ou=accounts,dc=example,dc=org" attrs=entry,userPassword,shadowLastChange by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write by users read by * none - Now, my problem is that this is clashing with the rule that we have for authentication: # Allow LDAP admin and the account concerned to modify their password, anonymous to authenticate. add: olcAccess olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=org" write by anonymous auth by self write by * none Initially, that rule as the first of the olcAccess rules. I thought in advance that that was going to block the writes to userPassword & shadowLastChange in subsequent rules, so I moved it to after the rules that covered creating those accounts. Authentication then broke :-( I can't just add by group/groupOfUniqueNames/uniqueMember="cn=account-mgrs-non-staff,ou=mailing,ou=groups,dc=example,dc=org" write to the primary olcAccess rule because that will allow members of "account-mgrs-non-staff" to change the password on ANY account, which I cannot allow. It must only be to specific OUs. How do I fix this clash between the rules, please? Thanks. Philip

1 0

Distributing a list of users across multiple servers
by Carlo Santos 08 Jul '14

08 Jul '14

Hi all, I'm trying to create an OpenLDAP service where the amount of users are distributed across multiple servers. For example, I have the users under "ou=users,dc=cloudtop,dc=ph" and I have all my users under it without any hierarchy (let's say a million). How do I distribute them to different OpenLDAP servers without hierarchy? Do I use referrals or do I use subordinating?

2 1

capture password
by Rogério Augusto Rondini 04 Jul '14

04 Jul '14

Hi folks, I need to implement password sync between AD and OpenLDAP using an IDM tool. I want to know how to capture clear text password in OpenLDAP before encryption so that I can sync with AD and potentially with others user repositories. Kind Regards, Rogério Rondini

5 6

meta backend NOT working in parallel???
by Vishchers, Michael, SEVEN PRINCIPLES 04 Jul '14

04 Jul '14

Hi there, my goal was to use one openldap server as a proxy to a couple of ldap backends (targets) running on different hosts for user authentication. This works fine if all servers can be reached, there is either no answer or (usually) one from one of the backends. If one of these servers is not reachable due to e.g. a firewall, the meta_search_dobind_init hangs waiting to connect to this candidate, and after a timeout, retries one time. In the meantime, no other candidates are tried. >From the documentation and several discussions, I understood that meta would connect in parallel to all the candidates and return whatever answer it got. Am I mistaken, or are there any configuration parameters that I am unaware of to achieve the desired behaviour? Kind regards Michael

1 0

Openlda2.4.39 compling error
by Darouichi, Aziz 03 Jul '14

03 Jul '14

Hi, I am trying to compile Openldap-2.4.39 in RHEL 6.5 with DB -6-0.30, I run the configure with: env CPPFLAGS="-I/opt/local/db-6.0.30/include" LDFLAGS="-L/opt/local/db-6.0.30/lib" ./configure --enable-hdb --enable-bdb --enable-overlays=mod --enable-ppolicy=yes --enable-passwd --enable-syslog --enable-debug --with-tls --prefix=/opt/local - but when I get to run make test I get : make[1]: Entering directory `/root/Downloads/openldap-2.4.39/tests' make[2]: Entering directory `/root/Downloads/openldap-2.4.39/tests' Initiating LDAP tests for BDB... Running ./scripts/all for bdb... >>>>> Executing all LDAP tests for bdb >>>>> Starting test000-rootdse for bdb... running defines.sh Starting slapd on TCP/IP port 9011... Using ldapsearch to retrieve the root DSE... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... Waiting 5 seconds for slapd to start... ./scripts/test000-rootdse: line 66: kill: (10020) - No such process ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) >>>>> Test failed >>>>> test000-rootdse failed for bdb (exit 255) make[2]: *** [bdb-yes] Error 255 make[2]: Leaving directory `/root/Downloads/openldap-2.4.39/tests' make[1]: *** [test] Error 2 make[1]: Leaving directory `/root/Downloads/openldap-2.4.39/tests' make: *** [test] Error 2 make install fails with: /usr/bin/ld: /opt/local/lib/libssl.a(s23_meth.o): relocation R_X86_64_32 against `.rodata' can not be used when making a shared object; recompile with -fPIC /opt/local/lib/libssl.a: could not read symbols: Bad value collect2: ld returned 1 exit status libtool: install: error: relink `libldap.la' with the above command before installing it make[2]: *** [install-local] Error 1 make[2]: Leaving directory `/root/Downloads/openldap-2.4.39/libraries/libldap' make[1]: *** [install-common] Error 1 make[1]: Leaving directory `/root/Downloads/openldap-2.4.39/libraries' make: *** [install-common] Error 1 Please let me know if you need more info. Thanks

3 3

backend meta rwm rewrite attribute value that is not DNs
by Nicolas RENAULT 03 Jul '14

03 Jul '14

Hello, Questions from this first post http://www.openldap.org/lists/openldap-technical/201407/msg00002.html I want to know if there is an overlay like rwm that can rewrite attribut values that are not DNs ? Exactly I want to rewrite createTimestamp (and all attribute that contains this datetime output form) value from yyyyMMddhhmmss.0Z to yyyyMMddHHmmssZ Regards -- Nicolas

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2014