New Listmember with a olcAccess question
by Fischer, Johannes
Hi @all,
I've tried to implement an olcAccess rule via regex for multiple directory entries.
The goal was to group different users into two standard groups. Each group has different access rules. I didn't want to do such a thing for every entry, so I thought I'd be able to do that with regexes.
But my olcAccess rules don't work.
I've already posted the question to Stack Overflow, but no answers till now. Here is the link:
http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-...
And here is the rule for regex access:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none
Can somebody help me? Or is such a thing not possible?
Greetings
John
PS: the content from Stackoverflow:
----------------------------------------------------------------------------------------
I have an LDAP server running with the structure:
dc=example,dc=ldap
  dc=organisations
    o=orga1 (objectClasses top/organisation/dcObject)
      cn=ADMINS (objectClasses top/groupOfNames)
      cn=USER
    o=orga2
      cn=ADMIN
      cn=USER
  cn=users (objectClasses top/organisation/dcObject)
    cn=user1 (objectClasses top/person)
    cn=user2
Now I want to add some rules so that only the users in the organisation groups are able to see the organisation.
The hard-coded approach was quite easy to implement:
olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap"
  by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write
  by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read
  by * none
(It is important to write TWO spaces in front of the 'by' [it was a problem for me for a long time])
But I don't want to implement these rules for every new organisation, so I tried to implement the rule with some regex magic. But I failed miserably:
olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$"
  attrs=children
  by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write
  by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read
  by * none
This rule affects nothing. So does someone have an idea how to fix my problem?
Or is it not possible to group the members like I did?
Thanks again
--
Johannes Fischer
Research Fellow
Fraunhofer Institute for
Manufacturing Engineering and Automation IPA
Competence Centre Digital Tools for Manufactoring
Nobelstrasse 12 │ 70569 Stuttgart | Germany
Phone +49 711 970-1217
Johannes.Fischer(a)ipa.fraunhofer.de
www.ipa.fraunhofer.de
8 years, 1 month
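A corrected form of the regex rule in the post above, added here as an example; it is not taken from the post or from the Stack Overflow question. It is written in slapd.conf syntax (in cn=config the same text without the leading "access" keyword is the value of olcAccess). The suffix and group names are the ones from the post; nothing else is assumed.

```conf
# Added example: one regex ACL that covers every organisation under
# dc=organizations,dc=example,dc=ldap instead of one rule per o= entry.
#
# Why the posted rule "affects nothing":
#   - "^o(.+),dc=organizations,..." captures "=orga1" (with the "=") and
#     matches only the o= entry itself, never the groups or entries below it.
#   - group.exact does no substitution; "[$1]" stays literal. Substitution
#     needs the expand style, and the reference is written $2 or ${2}.
#   - the trailing "$" inside the group DN becomes part of the DN, so no
#     such group entry exists.
#   - "attrs=children" restricts the clause to the children pseudo-attribute;
#     reading entries needs access to "entry" and the ordinary attributes.
#
# Captures: $1 = everything in front of the organisation (empty for the
# o= entry itself), $2 = the organisation name used to build the group DN.
access to dn.regex="^(.+,)?o=([^,]+),dc=organizations,dc=example,dc=ldap$"
        by group.expand="cn=ADMINS,o=$2,dc=organizations,dc=example,dc=ldap" write
        by group.expand="cn=USER,o=$2,dc=organizations,dc=example,dc=ldap" read
        by * none
```

Because the match is on the whole subtree, the group entries themselves fall under the same rule, so members of cn=USER can read their own group and nothing outside their organisation. The rule can be checked without a client by running slapacl(8) against the configuration, for instance slapacl -f slapd.conf -D "cn=user1,cn=users,dc=example,dc=ldap" -b "o=orga1,dc=organizations,dc=example,dc=ldap" entry/read, which prints whether read on the entry is granted for that bind DN.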
build ldap tree with same meta and db suffix
by Aleks
Hi dear list members.
I need to create the following LDAP tree
####
dc=example
  dc=customers-ext,dc=example
    dc=MetaOrgTree01,dc=customers-ext,dc=example
    dc=MetaOrgTree02,dc=customers-ext,dc=example
    ...
    dc=MetaOrgTree0n
  dc=customers,dc=example
    dc=MetaOrgTree01,dc=customers,dc=example
    dc=MetaOrgTree02,dc=customers,dc=example
    ...
    dc=MetaOrgTree0n
  dc=appuser,dc=example # < this is an mdb
    uid=bindUser
###############
I was able to create the base setup with the following commands.
export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/local/BDB/lib
/opt/local/openldap-2.4.41/sbin/slapadd -F /opt/local/conf/openldap/ldap.example.at/ \
  -l ldifs/initial_ldap.example.at.ldif -n0
/opt/local/openldap-2.4.41/libexec/slapd -l local5 -F /opt/local/conf/openldap/ldap.example.at/ \
  -h "ldap://0.0.0.0:10689 ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock"
/opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> \
  -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f meta-ldifs/MetaOrgTree01_meta.ldif
and now I'm not able to create the dc tree (add_and_build_root_dc_tree.ldif):
/opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> \
  -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f add_and_build_root_dc_tree.ldif
ldap_initialize( ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock/??base )
add objectClass:
top
dcObject
organization
add o:
example
add description:
MyOrg
add dc:
parent
adding new entry "dc=example"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
##################
When I create an "olcDatabase=mdb,cn=config"
with
olcSuffix: dc=example
I'm able to create everything, but when I try to add another meta target
inside the db suffix I get the following message:
adding new entry "olcDatabase={5}meta,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
        additional info: <olcSuffix> namingContext "dc=MetaOrgTree02,dc=customers,dc=example" already served by a preceding mdb database
Which is clear, as the doc says this:
http://www.openldap.org/software/man.cgi?query=slapd-meta&sektion=5&aprop...
#########
These slapd.conf options apply to the META backend database. That is, they must follow a "database meta" line and come before any subsequent "backend" or "database" lines.
#########
But how is one expected to add another meta entry to a running and working
system?
Please can anyone help me to find a working solution.
The used ldifs:
http://download.none.at/initial_ldap.example.at.ldif
http://download.none.at/MetaOrgTree01_meta.ldif
http://download.none.at/add_and_build_root_dc_tree.ldif
openldap:
#####
openldap-2.4.41
./configure --enable-bdb --enable-ldap --enable-meta \
  --prefix=/opt/local/openldap-2.4.41 --enable-dynlist --enable-memberof \
  --with-tls=openssl --enable-rwm --enable-accesslog --enable-syncprov \
  LDFLAGS="-L/opt/local/BDB/lib -L/usr/sfw/lib -R/usr/sfw/lib" \
  CPPFLAGS="-I/opt/local/BDB/include -I/opt/local/build/openssl-0.9.7a/include/"
SunOS 5.10 sun4v sparc SUNW,Sun-Fire-T200
###########
I hope I have explained the setup and the question understandably.
Maybe I'm not thinking LDAP-ish enough.
Thanks everybody for help.
Best regards
Aleks
8 years, 1 month
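One way to lay out the tree from the post so that both error messages go away, added here as an example; it is not the poster's LDIF (those files are not on this page) and it uses slapd.conf syntax rather than cn=config. The backend hostnames, the directory path, the rootdn and the index line are placeholders.

```conf
# Added example. Two rules from slapd.conf(5) and slapd-meta(5) drive it:
#   1. If one database's suffix lies inside another's, the inner database
#      must be defined first. The meta databases for dc=customers(-ext)
#      therefore come before the mdb database that owns dc=example.
#   2. A meta database holds any number of targets: each "uri" line adds one
#      target whose naming context must lie under the database suffix.
#      A new MetaOrgTree is one more "uri" line, not a new database.

database        meta
suffix          "dc=customers,dc=example"
# one target per customer organisation (placeholder hosts)
uri             "ldap://org01.example.at/dc=MetaOrgTree01,dc=customers,dc=example"
uri             "ldap://org02.example.at/dc=MetaOrgTree02,dc=customers,dc=example"
# optional: glue this database into the dc=example namespace so that a
# subtree search based at dc=example also reaches the proxied targets
subordinate

database        meta
suffix          "dc=customers-ext,dc=example"
uri             "ldap://ext01.example.at/dc=MetaOrgTree01,dc=customers-ext,dc=example"
uri             "ldap://ext02.example.at/dc=MetaOrgTree02,dc=customers-ext,dc=example"
subordinate

# The local database comes last. It owns dc=example itself (the superior
# that the "no global superior knowledge" error was missing) and carries
# dc=appuser,dc=example with uid=bindUser.
database        mdb
suffix          "dc=example"
directory       /var/opt/openldap/data/example   # placeholder path
rootdn          "cn=admin,dc=example"            # placeholder
rootpw          {SSHA}replace-with-slappasswd-output
maxsize         1073741824
index           objectClass eq
```

In cn=config the same ordering rule applies through the {n} index of olcDatabase, which is exactly what the "already served by a preceding mdb database" error reports: the new {5}meta entry lands after the mdb database that already owns dc=example. Adding targets to an existing meta database, rather than adding databases, avoids having to change database order on a running server.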
Re: Manager Attribute
by mlstarling31@hotmail.com
------ Original message ------
From: Michael Ströder
Date: Thu, Aug 6, 2015 12:52 PM
To: Michael; openldap
Subject: Re: Manager Attribute

> Michael wrote:
>> Looking at the OpenLDAP schema it appears to use the "manager" attribute;
>> the field requires the dn: of the object.
> Yes.
>> Is there another attribute similar to the manager attribute that will take
>> a simple syntax such as "John Doe"?
> AFAIK not in the schema shipped with OpenLDAP.
>> There are a good deal of managers in our organization that don't have LDAP
>> accounts and therefore naturally don't have a DN to specify in this field.
>> I don't want the extra overhead of creating these DNs just for the sake of
>> using this attribute if I don't have to.
> Think twice:
> - namespace
> - obsolete information, referential integrity
> etc.
> If you really need a freeform text field for arbitrary names then simply
> define your own schema:
> http://www.openldap.org/faq/data/cache/219.html
> Ciao, Michael.

Thanks Michael. Could you expound on your statement below?
- namespace
- obsolete information, referential integrity
etc."
8 years, 1 month
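What "define your own schema" looks like in practice, as an added example that is not part of the thread: a private schema file, pulled in with an include line in slapd.conf, that adds a free-text attribute for a manager's name and an auxiliary class to attach it to existing person entries. The attribute and class names are invented for this example, and the OIDs sit under OpenLDAP's experimental arc 1.3.6.1.4.1.4203.666, which is for testing only; production deployments need OIDs from an arc the organisation owns.

```conf
# Added example: managername.schema (include it from slapd.conf with
#   include /etc/openldap/schema/managername.schema
# after core.schema; in cn=config load it as an olcSchemaConfig entry).
#
# OIDs below are placeholders from the OpenLDAP experimental arc.
attributetype ( 1.3.6.1.4.1.4203.666.1.100
    NAME 'managerName'
    DESC 'Free-text name of a manager who has no directory entry'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256}
    SINGLE-VALUE )

# Auxiliary class so the attribute can be added to any existing entry
# (inetOrgPerson, organizationalPerson, ...) without changing its
# structural class.
objectclass ( 1.3.6.1.4.1.4203.666.3.100
    NAME 'managerNameObject'
    DESC 'Auxiliary class carrying managerName'
    SUP top AUXILIARY
    MAY managerName )
```

The trade-off Michael points at is visible here: manager has DN syntax, so slapo-refint can rewrite or remove the reference when the manager's entry is renamed or deleted, whereas managerName is just a string that nothing keeps in step with reality, and two people with the same name are indistinguishable.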
Re: About issues with syncprov configuration
by Édnei Rodrigues
Ahh, right. Understood.
Thank you for your explanation.
Good day.
On 06/08/2015 13:59, "Quanah Gibson-Mount" <quanah(a)zimbra.com> wrote:
> --On Thursday, August 06, 2015 2:01 PM -0300 Édnei Rodrigues <
> ednei.felipe.rodrigues(a)gmail.com> wrote:
>
>
>> Thank you for your answer.
>>
>> So, I need to enable the lastmod overlay in the primary db? Why?
>>
>
> Lastmod overlay? no.
>
> Lastmod? yes
>
> olcLastMod: TRUE | FALSE
>     Controls whether slapd will automatically maintain the modifiersName,
>     modifyTimestamp, creatorsName, and createTimestamp attributes for
>     entries. It also controls the entryCSN and entryUUID attributes, which
>     are needed by the syncrepl provider. By default, olcLastMod is TRUE.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
8 years, 1 month
Re: About issues with syncprov configuration
by Édnei Rodrigues
Thank you for your answer.
So, I need to enable the lastmod overlay in the primary db? Why?
On 06/08/2015 12:44, "Quanah Gibson-Mount" <quanah(a)zimbra.com> wrote:
> --On Thursday, August 06, 2015 9:40 AM -0300 Édnei Rodrigues <
> ednei.felipe.rodrigues(a)gmail.com> wrote:
>
>> 55c25369 syncprov_db_open: invalid config, lastmod must be enabled
>> 55c25369 backend_startup_one (type=mdb, suffix="dc=br"): bi_db_open
>> failed! (-1)
>> slap_startup failed (test would succeed using the -u switch)
>>
>>
>>
>> What is wrong ?
>>
>
> It says you need to enable lastmod, that seems fairly plain?
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Platform Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
8 years, 1 month
Manager Attribute
by Michael
Looking at the OpenLDAP schema it appears to use the "manager" attribute; the field requires the dn: of the object.
Is there another attribute similar to the manager attribute that will take a simple syntax such as "John Doe"? There are a good deal of managers in our organization that don't have LDAP accounts and therefore naturally don't have a DN to specify in this field. I don't want the extra overhead of creating these DNs just for the sake of using this attribute if I don't have to.
Thanks.
8 years, 1 month
ldap proxy to AD with local ACLs
by Meike Stone
Hello,
it is me again regarding the ldap-backend.
As told, I've installed an OpenLDAP server as a proxy in a DMZ for authentication
forwarding to an Active Directory. The proxy is used by a VPN gateway.
That all works very well. But now I want to protect the AD from modifications.
Only password changes by the users themselves should be allowed.
But as I see or understand it, the ACLs of a backend are applied AFTER the
results from the remote LDAP (AD) come back?! See the second sentence
from http://www.openldap.org/faq/data/cache/532.html:
"It allows the common configuration directives as suffix, which is
used to select it when a request is received by the server, *ACLs,
which are applied to search results*, size and time limits, and so on."
So is it (and how is it) possible to "switch" the ldap backend into
"read-only mode" and only pass the password change (modify:
DEL/ADD)?
Thanks Meike
8 years, 1 month
About issues with syncprov configuration
by Édnei Rodrigues
Hey guys, how are you doing?
Well, I have the following environment:
**Server 1:
/etc/openldap/slapd.conf ( Port 389 )
modulepath /usr/local/openldap/lib64/
moduleload back_ldap
moduleload translucent
moduleload dynlist
moduleload back_monitor
backend mdb
backend ldap
allow bind_v2
allow bind_anon_dn
database mdb
directory /usr/local/openldap/var/openldap-translucent
suffix "dc=br"
rootdn "ZZZZZZ"
rootpw ZZZZZZZ
maxsize 4294967296
sizelimit 100000
overlay translucent
uri "ldap://localhost:1389/"
translucent_bind_local on
translucent_pwmod_local on
translucent_local XXXXX
idassert-bind bindmethod=none
overlay dynlist
dynlist-attrset groupOfURLs memberURL member:uniqueMember
In the port 1389:
/etc/openldap/slapd-syncrepl.conf
# syncrepl directives
syncrepl rid=0
provider=ldap://Production_Server:389
bindmethod=simple
binddn="ZZZZZZZZZZZZZZZ"
credentials=XXXXXXXXX
searchbase="dc=br"
logbase="cn=accesslog"
logfilter="(&(objectClass=auditWriteObject)(reqResult=0))"
type=refreshAndPersist
retry="60 +"
syncdata=accesslog
# Refer updates to the master
updateref ldap://Production_Server:389
**Server 2:
Same Configuration
Now, I need to add a new server, but without a translucent configuration,
only a consumer.
So, I tried this:
modulepath /usr/local/openldap/lib64/
moduleload back_ldap
moduleload translucent
moduleload dynlist
moduleload back_monitor
backend mdb
backend ldap
allow bind_v2
allow bind_anon_dn
# Modules for delta-syncrepl
modulepath /usr/local/openldap/lib64
moduleload accesslog
moduleload syncprov
moduleload dynlist
moduleload back_hdb
database hdb
suffix cn=accesslog
directory /usr/local/openldap/var/openldap-accesslog
rootdn cn=accesslog
rootpw XXXXXXXXXXXXXXXXXXXXXXXXX
checkpoint 256 30
index default eq
index entryCSN,objectClass,reqEnd,reqResult,reqStart
# Replication
overlay syncprov
syncprov-nopresent TRUE
syncprov-reloadhint TRUE
limits dn.exact="XXXXXXXX" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited
database mdb
directory /usr/local/openldap/var/openldap-translucent
suffix "dc=br"
rootdn "XXXXXXXXXXXXX"
rootpw XXXXXXXXXXXXXXXXXXXXX
maxsize 4294967296
sizelimit 100000
checkpoint 256 30
overlay translucent
uri "ldap://localhost:1389/"
translucent_bind_local on
translucent_pwmod_local on
translucent_local XXXXXXXXXXXXXXXXXXXXXXXXX
idassert-bind bindmethod=none
overlay dynlist
dynlist-attrset groupOfURLs memberURL member:uniqueMember
# syncrepl Provider for primary db
overlay syncprov
syncprov-checkpoint 1000 60
# accesslog overlay definitions for primary db
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logpurge 07+00:00 01+00:00
But, I got this error:
55c25369 hdb_db_open: "cn=accesslog"
55c25369 hdb_db_open: database "cn=accesslog": unclean shutdown detected;
attempting recovery.
55c25369 hdb_db_open: warning - no DB_CONFIG file found in directory
/usr/local/openldap/var/openldap-accesslog: (2).
Expect poor performance for suffix "cn=accesslog".
55c25369 hdb_db_open: database "cn=accesslog": recovery skipped in
read-only mode. Run manual recovery if errors are encountered.
55c25369 mdb_db_open: "dc=br"
55c25369 syncprov_db_open: invalid config, lastmod must be enabled
55c25369 backend_startup_one (type=mdb, suffix="dc=br"): bi_db_open failed!
(-1)
slap_startup failed (test would succeed using the -u switch)
What is wrong?
8 years, 1 month
search with a wildcard works, with exactly matching string it doesn't
by Gregory House
Hi
If I run a query against my directory with this filter:
"(myDeviceId=ZZZ-07430.08.12345678*)"
it returns a match showing precisely that myDeviceId =
"ZZZ-07430.08.12345678"
If I use this filter, without the wildcard and just the actual value
"(myDeviceId=ZZZ-07430.08.12345678)"
it returns no match.
Even if I change the attribute value to something very simple like "x" I
still need to include a wildcard in my filter to get any match.
This works however:
"(myDeviceId:caseExactMatch:=ZZZ-07430.08.12345678)"
What gives here?
The specific attribute is defined in the schema file as follows:
attributetype ( 1.3.6.1.4.1.36200.255.0.17
NAME 'myDeviceId'
DESC 'Identifies a device'
SUP uid
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
I am no expert, but this makes no sense to me. I feel I am missing
something, but what?
I am using OpenLDAP on CentOS 6 and working via command-line tools (e.g.
ldapsearch). The backend is mdb, if that matters.
# rpm -qa | grep openldap
openldap-clients-2.4.39-8.el6.x86_64
openldap-2.4.39-8.el6.x86_64
openldap-servers-2.4.39-8.el6.x86_64
Thanks for any ideas/suggestions.
Best,
GH
8 years, 1 month
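An added example, not from the post, of the same attribute type with all three matching rules stated explicitly, together with the index line that goes with it. The OID, name and syntax are the ones in the post; the index line assumes slapd.conf-style configuration (in cn=config it is an olcDbIndex value on the mdb database).

```conf
# Added example. With "SUP uid" the posted definition inherits everything
# it does not override. uid is defined with EQUALITY caseIgnoreMatch and
# SUBSTR caseIgnoreSubstringsMatch, so the posted attribute ends up with a
# case-exact EQUALITY rule but a case-insensitive SUBSTR rule: the wildcard
# filter and the exact filter are evaluated by different rules. Spelling
# all three rules out removes that mismatch.
attributetype ( 1.3.6.1.4.1.36200.255.0.17
    NAME 'myDeviceId'
    DESC 'Identifies a device'
    SUP uid
    EQUALITY caseExactMatch
    ORDERING caseExactOrderingMatch
    SUBSTR caseExactSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# Index line for the mdb database. Equality index keys are derived from the
# value as normalised by the EQUALITY rule, so an eq index that was built
# while the attribute still used caseIgnoreMatch (inherited from uid) holds
# keys that a caseExactMatch lookup never hits, and "(myDeviceId=X)" returns
# nothing although the value is there. After any change to EQUALITY, stop
# slapd and rebuild the indexes with slapindex(8).
index   myDeviceId  eq,sub
```

Whether the running server actually has the rules you think it has can be checked by reading the subschema entry, for example ldapsearch -x -H ldap://localhost -b cn=Subschema -s base '(objectClass=subschema)' attributeTypes and looking for the myDeviceId definition in the output; the rules listed there are the ones used for filters and for building index keys.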