openldap-technical August 2015

openldap-technical@openldap.org

55 participants
62 discussions

New Listmember with a olcAccess question
by Fischer, Johannes 06 Aug '15

06 Aug '15

Hi @all, I've tried to implement a olcAccess via regex for multiple directory entries. The goal was to group different users in two standard groups. Each group does have other access rules. I didn't what to do such a thing for every entry, so I thought that I'm able to do that with regexes. But my olcAccess rules doesn't work. I've already posted the question to stackoverflow, but no answers till now. Here the link: http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-wo… And here the rule for a regex access: olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none Does somebody can help me? Or is such a thing not possible to do? Greetings John PS: the content from Stackoverflow: ---------------------------------------------------------------------------------------- I have a LDAP server runnign with the Structure: dc=example,dc=ldap dc=organisations o=orga1 (objectClasses top/organisation/dcObject) cn=ADMINS (objectClasses top/groupOfNames) cn=USER o=orga2 cn=ADMIN cn=USER cn=users (objectClasses top/organisation/dcObject) cn=user1 (objectClasses top/person) cn=user2 Now I whant to add some rules that only the users in the organisation groups are able to see the organisation. the hard coded approach was quite easy to implement: olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap" by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read by * none (It is important to write TWO spaces in front of the 'by' [It was an problem for a long time for me]) But I don't whant to implement these rules for every new organisation, so I tried to implement the rule with some regex magig. But I failed misserably: olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none This rule affects nothing. So does someone have some idea to fix my problematic? Or is it not possible to group the members like I did? Thanks again -- Johannes Fischer Research Fellow Fraunhofer Institute for Manufacturing Engineering and Automation IPA Competence Centre Digital Tools for Manufactoring Nobelstrasse 12 │ 70569 Stuttgart | Germany Phone +49 711 970-1217 Johannes.Fischer(a)ipa.fraunhofer.de<mailto:Johannes.Fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image001.png@01D0D01E.D4211AC0]

3 2

build ldap tree with same meta and db suffix
by Aleks 06 Aug '15

06 Aug '15

Hi dear list members. I need to create the following ldap-tree #### dc=example dc=customers-ext,dc=example dc=MetaOrgTree01,dc=customers-ext,dc=example dc=MetaOrgTree02,dc=customers-ext,dc=example ... dc=MetaOrgTree0n dc=customers,dc=example dc=MetaOrgTree01,dc=customers,dc=example dc=MetaOrgTree02,dc=customers,dc=example ... dc=MetaOrgTree0n dc=appuser,dc=example # < this is a mdb uid=bindUser ############### I was able to create the base setup with the following commands. export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/local/BDB/lib /opt/local/openldap-2.4.41/sbin/slapadd -F /opt/local/conf/openldap/ldap.example.at/ -l ldifs/initial_ldap.example.at.ldif -n0 /opt/local/openldap-2.4.41/libexec/slapd -l local5 -F /opt/local/conf/openldap/ldap.example.at/ -h "ldap://0.0.0.0:10689 ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock" /opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f meta-ldifs/MetaOrgTree01_meta.ldif and now I'm not able to create the dc tree ( add_and_build_root_dc_tree.ldif ) /opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f add_and_build_root_dc_tree.ldif ldap_initialize( ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock/??base ) add objectClass: top dcObject organization add o: example add description: MyOrg add dc: parent adding new entry "dc=example" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge ################## When I create a "olcDatabase=mdb,cn=config" with olcSuffix: dc=example I'm able to create everything but when I try to add another meta target in the db suffix I get the message following message adding new entry "olcDatabase={5}meta,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcSuffix> namingContext "dc=MetaOrgTree02,dc=customers,dc=example" already served by a preceding mdb database Which is clear as the doc say this. http://www.openldap.org/software/man.cgi?query=slapd-meta&sektion=5&apropos… ######### These slapd.conf options apply to the META backend database. That is, they must follow a "database meta" line and come before any subsequent "backend" or "database" lines. ######### But how was expected to add another meta entry in a running and working system? Please can anyone help me to find a working solution. The used ldifs: http://download.none.at/initial_ldap.example.at.ldif http://download.none.at/MetaOrgTree01_meta.ldif http://download.none.at/add_and_build_root_dc_tree.ldif openldap: ##### openldap-2.4.41 ./configure --enable-bdb --enable-ldap --enable-meta --prefix=/opt/local/openldap-2.4.41 --enable-dynlist --enable-memberof --with-tls=openssl --enable-rwm --enable-accesslog --enable-syncprov LDFLAGS="-L/opt/local/BDB/lib -L/usr/sfw/lib -R/usr/sfw/lib" CPPFLAGS="-I/opt/local/BDB/include -I/opt/local/build/openssl-0.9.7a/include/" SunOS 5.10 sun4v sparc SUNW,Sun-Fire-T200 ########### I hope I have explained the setup and the question understandable. Maybe I think not ldap-isch enough Thanks everybody for help. Best regards Aleks

1 0

Re: Manager Attribute
by mlstarling31＠hotmail.com 06 Aug '15

06 Aug '15

------ Original message------From: Michael StröderDate: Thu, Aug 6, 2015 12:52 PMTo: Michael;openldap;Subject:Re: Manager Attribute Michael wrote:> Looking at the OpenLDAP schema it appears to use the "manager" attribute> the filed requires the dn: of the object.Yes.> Is there another attribute similar to the manager attribute that will take> a simple syntax such as "John Doe".AFAIK not in schema shipped with OpenLDAP.> There are a good deal of managers in our organization that don't have LDAP> accounts and therefore naturally don't have a DN to specify in this field.> I don't want the extra overhead of creating these DN's just for the sake of> using this this attribute if I don't have to.Think twice:- namespace- obsolete information, referential integrityetc.If you really need a freeform text field for arbitrary names then simplydefine your own schema:http://www.openldap.org/faq/data/cache/219.htmlCiao, Michael. Thanks Michael.Could you expound on your statement below?"Think twice: - namespace - obsolete information, referential integrity etc."

2 1

Re: About issues with syncprov configuration
by Édnei Rodrigues 06 Aug '15

06 Aug '15

Ahh, right. Understood. Thank you for your explanation. Good day. Em 06/08/2015 13:59, "Quanah Gibson-Mount" <quanah(a)zimbra.com> escreveu: > --On Thursday, August 06, 2015 2:01 PM -0300 Édnei Rodrigues < > ednei.felipe.rodrigues(a)gmail.com> wrote: > > >> Thank you for your answer. >> >> So, I need to enable the lastmod overlay in the primary db? Why? >> > > Lastmod overlay? no. > > Lastmod? yes > > olcLastMod: TRUE | FALSE > Controls whether slapd will automatically maintain > the > modifiersName, modifyTimestamp, creatorsName, and > createTimestamp attributes for entries. It also controls > the > entryCSN and entryUUID attributes, which are needed by > the > syncrepl provider. By default, olcLastMod is TRUE. > > --Quanah > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Re: About issues with syncprov configuration
by Édnei Rodrigues 06 Aug '15

06 Aug '15

Thank you for your answer. So, I need to enable the lastmod overlay in the primary db? Why? Em 06/08/2015 12:44, "Quanah Gibson-Mount" <quanah(a)zimbra.com> escreveu: > --On Thursday, August 06, 2015 9:40 AM -0300 Édnei Rodrigues < > ednei.felipe.rodrigues(a)gmail.com> wrote: > > 55c25369 syncprov_db_open: invalid config, lastmod must be enabled >> 55c25369 backend_startup_one (type=mdb, suffix="dc=br"): bi_db_open >> failed! (-1) >> slap_startup failed (test would succeed using the -u switch) >> >> >> >> What is wrong ? >> > > It says you need to enable lastmod, that seems fairly plain? > > --Quanah > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Manager Attribute
by Michael 06 Aug '15

06 Aug '15

Looking at the OpenLDAP schema it appears to use the "manager" attribute the filed requires the dn: of the object. Is there another attribute similar to the manager attribute that will take a simple syntax such as "John Doe". There are a good deal of managers in our organization that don't have LDAP accounts and therefore naturally don't have a DN to specify in this field. I don't want the extra overhead of creating these DN's just for the sake of using this this attribute if I don't have to. Thanks.

2 1

ldap proxy to AD with local ACLs
by Meike Stone 06 Aug '15

06 Aug '15

Hello, it is me again regarding the ldap-backend. As told, I've installed a openldap as proxy in a DMZ for authentication forwarding to an Active Directoy. The Proxy is used by a VPN gateway. That all works very well. But now, I want to protect the AD from modifying. Only password changes from the user by self should be allowed. But as I see or understand, ACLs from a backend are used, AFTER the result from remote LDAP (AD) are coming back?! See second sentence from http://www.openldap.org/faq/data/cache/532.html: "It allows the common configuration directives as suffix, which is used to select it when a request is received by the server, *ACLs, which are applied to search results*, size and time limits, and so on. " So is it (and how is it) possible, to "switch" the ldap-backend in "read only mode" and only pass the the password change (modify: DEL/ADD)? Thanks Meike

2 3

About issues with syncprov configuration
by Édnei Rodrigues 06 Aug '15

06 Aug '15

Hey Guys, how are you doing ? Well, I have the follow environment: **Server 1: /etc/openldap/slapd.conf ( Port 389 ) modulepath /usr/local/openldap/lib64/ moduleload back_ldap moduleload translucent moduleload dynlist moduleload back_monitor backend mdb backend ldap allow bind_v2 allow bind_anon_dn database mdb directory /usr/local/openldap/var/openldap-translucent suffix "dc=br" rootdn "ZZZZZZ" rootpw ZZZZZZZ maxsize 4294967296 sizelimit 100000 overlay translucent uri "ldap://localhost:1389/" translucent_bind_local on translucent_pwmod_local on translucent_local XXXXX idassert-bind bindmethod=none overlay dynlist dynlist-attrset groupOfURLs memberURL member:uniqueMember In the port 1389: /etc/openldap/slapd-syncrepl.conf # syncrepl directives syncrepl rid=0 provider=ldap://Production_Server:389 bindmethod=simple binddn="ZZZZZZZZZZZZZZZ" credentials=XXXXXXXXX searchbase="dc=br" logbase="cn=accesslog" logfilter="(&(objectClass=auditWriteObject)(reqResult=0))" type=refreshAndPersist retry="60 +" syncdata=accesslog # Refer updates to the master updateref ldap://Production_Server:389 **Server 2: Same Configuration Now, I need to add a new server, but without a translucent configuration, only a consumer. So, I tried this: modulepath /usr/local/openldap/lib64/ moduleload back_ldap moduleload translucent moduleload dynlist moduleload back_monitor backend mdb backend ldap allow bind_v2 allow bind_anon_dn # Modulos para Delta-syncrepl modulepath /usr/local/openldap/lib64 moduleload accesslog moduleload syncprov moduleload dynlist moduleload back_hdb database hdb suffix cn=accesslog directory /usr/local/openldap/var/openldap-accesslog rootdn cn=accesslog rootpw XXXXXXXXXXXXXXXXXXXXXXXXX checkpoint 256 30 index default eq index entryCSN,objectClass,reqEnd,reqResult,reqStart # Replication overlay syncprov syncprov-nopresent TRUE syncprov-reloadhint TRUE limits dn.exact="XXXXXXXX" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited database mdb directory /usr/local/openldap/var/openldap-translucent suffix "dc=br" rootdn "XXXXXXXXXXXXX" rootpw XXXXXXXXXXXXXXXXXXXXX maxsize 4294967296 sizelimit 100000 checkpoint 256 30 overlay translucent uri "ldap://localhost:1389/" translucent_bind_local on translucent_pwmod_local on translucent_local XXXXXXXXXXXXXXXXXXXXXXXXX idassert-bind bindmethod=none overlay dynlist dynlist-attrset groupOfURLs memberURL member:uniqueMember # syncrepl Provider for primary db overlay syncprov syncprov-checkpoint 1000 60 # accesslog overlay definitions for primary db overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logpurge 07+00:00 01+00:00 But, I got this error: 55c25369 hdb_db_open: "cn=accesslog" 55c25369 hdb_db_open: database "cn=accesslog": unclean shutdown detected; attempting recovery. 55c25369 hdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/openldap/var/openldap-accesslog: (2). Expect poor performance for suffix "cn=accesslog". 55c25369 hdb_db_open: database "cn=accesslog": recovery skipped in read-only mode. Run manual recovery if errors are encountered. 55c25369 mdb_db_open: "dc=br" 55c25369 syncprov_db_open: invalid config, lastmod must be enabled 55c25369 backend_startup_one (type=mdb, suffix="dc=br"): bi_db_open failed! (-1) slap_startup failed (test would succeed using the -u switch) What is wrong ?

2 1

Issues about replication
by Édnei Rodrigues 05 Aug '15

05 Aug '15

1 0

search with a wildcard works, with exactly matching string it doesn't
by Gregory House 05 Aug '15

05 Aug '15

Hi If I run a query against my directory with this filter: "(myDeviceId=ZZZ-07430.08.12345678*)" it returns a match showing precisely that myDeviceId = "ZZZ-07430.08.12345678" If I use this filter, without the wildcard and just the actual value "(myDeviceId=ZZZ-07430.08.12345678)" it returns no match. Even if I change the attribute value to something very simple like "x" I still need to include a wildcard in my filter to get any match. This works however: "(myDeviceId:caseExactMatch:=ZZZ-07430.08.12345678)" What gives here? The specific attribute is defined in the schema file as follows: attributetype ( 1.3.6.1.4.1.36200.255.0.17 NAME 'myDeviceId' DESC 'Identifies a device' SUP uid EQUALITY caseExactMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE ) I am no expert, but this makes no sense to me? I feel I am missing something, but what? I am using openldap on CentOS 6 and workign via command-line tools (e.g. ldapsearch). The backend is mdb if that matters. # rpm -qa | grep openldap openldap-clients-2.4.39-8.el6.x86_64 openldap-2.4.39-8.el6.x86_64 openldap-servers-2.4.39-8.el6.x86_64 Thanks for any ideas/suggestions. Best, GH

2 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2015