How to enable memberOf overlay with posixGroup?
by MegaBrutal
Hi all,
I've spent days trying to figure out how I could enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP-noob. I've read
like 50+ tutorials which didn't help me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network. A "unixusers" which is a minimum to
log in to Linux servers (having a hostObject entry for the user is
another requirement, which is irrelevant to this question, as I
already solved that problem); and a "cloudusers" group which enables
log in to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
6 years, 1 month
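A worked example for the cn=config route the question asks about, added here and not part of MegaBrutal's post: Python that generates the LDIF to load memberof.la and attach the overlay, first checking ldapsearch output for an existing cn=module entry so that the right add-or-modify form is produced (adding a second cn=module{0} fails with "Already exists"). The module path, the olcDatabase={1}mdb name and the groupOfNames/member settings are assumptions, not taken from the post. As the post itself notes, memberOf is derived from DN-valued member attributes; a posixGroup's memberUid holds uid strings, so the overlay cannot fill memberOf from posixGroup entries.

```python
"""Added example (not from the original post): generate the cn=config LDIF
that loads the memberof overlay module and attaches the overlay to a database.

Assumptions, not taken from the post: modules live in /usr/lib/ldap, the data
database is olcDatabase={1}mdb,cn=config, and groups are groupOfNames with a
DN-valued 'member' attribute.
"""
import sys
from typing import Optional

MODULE_PATH = "/usr/lib/ldap"            # assumption: Debian/Ubuntu layout
DB_DN = "olcDatabase={1}mdb,cn=config"   # assumption: first data database

# Constructed sample of
#   ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config '(objectClass=olcModuleList)'
# on a server where a module list exists but memberof is not loaded yet.
SAMPLE_MODULE_SEARCH = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_mdb.la
"""


def find_module_entry(ldif: str) -> tuple[Optional[str], bool]:
    """Return (DN of the first olcModuleList entry or None, memberof already loaded?)."""
    dn: Optional[str] = None
    loaded = False
    for line in ldif.splitlines():
        if line.startswith("dn: ") and dn is None:
            dn = line[4:].strip()
        elif line.startswith("olcModuleLoad:") and "memberof" in line:
            loaded = True
    return dn, loaded


def module_ldif(existing_module_dn: Optional[str]) -> str:
    """LDIF that loads memberof.la: a new cn=module{0} entry when there is no
    module list yet, otherwise a modify that appends to the existing one."""
    if existing_module_dn is None:
        return (
            "dn: cn=module{0},cn=config\n"
            "objectClass: olcModuleList\n"
            "cn: module{0}\n"
            f"olcModulePath: {MODULE_PATH}\n"
            "olcModuleLoad: memberof.la\n"
        )
    return (
        f"dn: {existing_module_dn}\n"
        "changetype: modify\n"
        "add: olcModuleLoad\n"
        "olcModuleLoad: memberof.la\n"
    )


def overlay_ldif(db_dn: str = DB_DN) -> str:
    """Attach the overlay to the database. Dangling 'ignore' accepts member
    values that point at no entry (the default); RefInt TRUE makes the overlay
    also fix up groups' member values when a member entry is deleted or renamed."""
    return (
        f"dn: olcOverlay=memberof,{db_dn}\n"
        "objectClass: olcOverlayConfig\n"
        "objectClass: olcMemberOf\n"
        "olcOverlay: memberof\n"
        "olcMemberOfRefInt: TRUE\n"
        "olcMemberOfDangling: ignore\n"
        "olcMemberOfGroupOC: groupOfNames\n"
        "olcMemberOfMemberAD: member\n"
        "olcMemberOfMemberOfAD: memberOf\n"
    )


def plan(module_search_output: str, db_dn: str = DB_DN) -> list[str]:
    """LDIF documents, in order, for: ldapmodify -a -Q -Y EXTERNAL -H ldapi:///"""
    dn, loaded = find_module_entry(module_search_output)
    docs = [] if loaded else [module_ldif(dn)]
    docs.append(overlay_ldif(db_dn))
    return docs


if __name__ == "__main__":
    # Pipe real ldapsearch output on stdin, or run without input to see the sample plan.
    search = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_MODULE_SEARCH
    print("\n".join(plan(search)))
```

Feed the output to `ldapmodify -a -Q -Y EXTERNAL -H ldapi:///` (the `-a` flag lets one run accept both the plain add record and the explicit `changetype: modify` record). The overlay only maintains memberOf for group writes that happen after it is active, so groups that already exist must be re-added or have their member values rewritten before memberOf shows up on their users.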
[Q] "selective" ACL
by Zeus Panchenko
hi,
I'm trying to configure a not complex (as I believe) ACL ... but have some
difficulties
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
6 years, 2 months
Re: help with ACL
by Quanah Gibson-Mount
--On Friday, December 23, 2016 11:16 AM +0100 Alberto Aldrigo
<alberto.aldrigo(a)h-farm.com> wrote:
> uid=user1 and uid=user6 are company1's administrators, so they can write
> in whole o=company1 subtree
Might be best to make an LDAP group with those users as members, and then
write an ACL based off of that group for its specific privileges.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 8 months
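An added example that is not code from either Zeus's question or Quanah's reply: Python that renders group-based olcAccess rules of the kind Quanah suggests and emits them as a cn=config modify. Two group kinds are covered, because the `by` syntax differs: a groupOfNames holds member DNs, so the `group` clause applies; a posixGroup (Zeus's case) lists uid strings in memberUid, which the `group` clause cannot compare with the bound DN, so the `set` expression from his working rule is used instead. The database name, the company1 DNs and the rule contents are constructed.

```python
"""Added example: build olcAccess values that grant a group's members rights
over a subtree and wrap them in an ldapmodify change for cn=config.
All DNs and the database name below are constructed, not from the thread.
"""

DB_DN = "olcDatabase={1}mdb,cn=config"   # assumption


def by_group(group_dn: str, access: str, group_oc: str = "groupOfNames") -> str:
    """One 'by' clause granting <access> to the members of a group."""
    if group_oc == "groupOfNames":
        return f'by group/groupOfNames/member.exact="{group_dn}" {access}'
    if group_oc == "posixGroup":
        # memberUid holds uids, not DNs: intersect them with the requester's uid
        return f'by set="[{group_dn}]/memberUid & user/uid" {access}'
    raise ValueError(f"unsupported group objectClass: {group_oc}")


def access_rule(target: str, by_clauses: list[str]) -> str:
    """Rule in slapd.access(5) form. 'by' clauses are matched first to last,
    so the most specific one goes first and the rule ends with 'by * break'
    (fall through to later rules) or 'by * none'."""
    # Continuation lines start with two spaces: LDIF strips one when unfolding,
    # which leaves a single space between the joined pieces.
    return "\n".join([f"to {target}"] + ["  " + b for b in by_clauses])


def olcaccess_ldif(rules: list[str], db_dn: str = DB_DN) -> str:
    """Modify that replaces the whole olcAccess list; the {n} prefix fixes
    evaluation order, which otherwise depends on how slapd stored the values."""
    lines = [f"dn: {db_dn}", "changetype: modify", "replace: olcAccess"]
    lines += [f"olcAccess: {{{i}}}{rule}" for i, rule in enumerate(rules)]
    return "\n".join(lines) + "\n"


def unfold(ldif: str) -> list[str]:
    """Join LDIF continuation lines the way slapd reads them, to review the
    effective value of each rule before applying it."""
    out: list[str] = []
    for line in ldif.splitlines():
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


# Constructed rule set: a groupOfNames admin group per company subtree, and a
# posixGroup rule in the shape of Zeus's working example.
COMPANY_RULES = [
    access_rule(
        'dn.subtree="o=company1"',
        [by_group("cn=company1-admins,ou=groups,o=company1", "write"),
         "by users read",
         "by * break"],
    ),
    access_rule(
        'dn.subtree="ou=People,dc=foo"',
        [by_group("cn=admins,ou=group,dc=foo", "manage", "posixGroup"),
         "by self write",
         "by users read",
         "by * break"],
    ),
]

if __name__ == "__main__":
    print(olcaccess_ldif(COMPANY_RULES))
```

Run it and review the `unfold` output before piping the LDIF into `ldapmodify -Q -Y EXTERNAL -H ldapi:///`; a `replace: olcAccess` drops every rule not in the list, so include the full ordered set.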
Re: ppolicy overlay unable to set pwdAccountLockedTime on to-be-locked users due to ACLs
by Quanah Gibson-Mount
--On Thursday, December 22, 2016 11:23 AM +0100 Matthieu Cerda
<kegeruneku+openldap(a)ironflake.org> wrote:
> Hello Howard and Ozgur,
>
> My answers are inlined in the following text.
>
> I attached a copy of the slapd.conf if you would like to take a look.
Your slapd.conf has no rootdn configured. You need to configure it if you
want ppolicy to function correctly.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount
Ok good to know! The issue I created occurred when deleting the group, which I believe is the original complaint in the ITS as well. So I will add individual membership deletes as a part of that test too.
--Quanah
> On Dec 30, 2016, at 9:31 PM, Paul B. Henson <henson(a)acm.org> wrote:
>
>> On Fri, Dec 30, 2016 at 02:41:06PM -0800, Quanah Gibson-Mount wrote:
>>
>> Well, it seems to be some sort of race condition.
>
> Yes, I'd agree; probably also load dependent as I never triggered it on
> my dev systems which are mostly idle other than my test load. It only
> showed up on my prod systems which tend to have continuous load from
> various other things.
>
>> I did want to confirm that you see this on servers that are long running
>> (i.e., they've been running for a long time, and had other group deletes
>> that went through w/o issue during that time). If so, then I can modify
>> the test to randomly add and delete groups as a part of the test,
>> increasing the likelihood of triggering the issue within the test.
>
> I don't have too many deletions of group objects themselves in
> production, mostly just deletions of the members of groups. I didn't see
> any issues with group deletions in dev, or during some basic initial
> testing in prod. I'll go ahead and make a new test group, add some
> members to it, and then delete it and see what happens now that I've
> been running this code for about 3 weeks...
>
> I didn't see any errors deleting a group, although there were these
> syncrepl messages that I don't believe used to show up:
>
> Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=001 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
> Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=003 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
> Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=002 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
>
> The group and memberOf attributes are gone on all four servers, so other
> than noise in the logs I'm not sure what these messages meant.
>
>
6 years, 9 months
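An added example, not code from the thread, for the syncrepl messages Paul quotes above: a small parser that pulls rid, operation, DN and result code out of `syncrepl_message_to_op` lines and groups them per entry. The three log lines are copied from his message; the fourth is constructed to show that unrelated lines are skipped. Reading code 32 (noSuchObject) on a be_delete as "the entry was already gone when this consumer replayed the delete" is my interpretation, consistent with his observation that the group is absent on all four servers.

```python
"""Added example: parse syncrepl_message_to_op log lines and summarise the
result per (operation, DN). Three sample lines come from the message above;
the connection-close line is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = """\
Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=001 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=003 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
Dec 30 21:23:29 themis slapd[2607]: syncrepl_message_to_op: rid=002 be_delete uid=ldaptest5,ou=group,dc=cpp,dc=edu (32)
Dec 30 21:23:30 themis slapd[2607]: conn=1042 fd=21 closed (connection lost)
"""

# LDAP result codes (RFC 4511 names) that commonly appear in these lines.
RESULT_NAMES = {0: "success", 32: "noSuchObject", 50: "insufficientAccessRights",
                53: "unwillingToPerform", 68: "entryAlreadyExists"}

LINE_RE = re.compile(
    r"syncrepl_message_to_op: rid=(?P<rid>\d+) (?P<op>be_\w+) (?P<dn>.+?) \((?P<rc>\d+)\)\s*$"
)


@dataclass
class SyncreplOp:
    rid: str   # consumer id, one per replication partner
    op: str    # backend operation replayed (be_add, be_modify, be_delete, ...)
    dn: str
    rc: int

    @property
    def result(self) -> str:
        return RESULT_NAMES.get(self.rc, f"code{self.rc}")


def parse_syncrepl(log: str) -> list[SyncreplOp]:
    ops = []
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            ops.append(SyncreplOp(m["rid"], m["op"], m["dn"], int(m["rc"])))
    return ops


def summarize(ops: list[SyncreplOp]) -> dict[tuple[str, str], dict]:
    """Group replayed operations by (operation, DN) and attach a verdict."""
    by_key: dict[tuple[str, str], list[SyncreplOp]] = defaultdict(list)
    for op in ops:
        by_key[(op.op, op.dn)].append(op)
    summary = {}
    for key, group in by_key.items():
        codes = {o.rc for o in group}
        if key[0] == "be_delete" and codes == {32}:
            # Interpretation: every consumer found the entry already removed.
            verdict = "benign: entry already absent when each consumer replayed the delete"
        elif codes == {0}:
            verdict = "applied"
        else:
            verdict = "investigate: " + ", ".join(sorted({o.result for o in group}))
        summary[key] = {"rids": [o.rid for o in group],
                        "codes": sorted(codes),
                        "verdict": verdict}
    return summary


if __name__ == "__main__":
    for (op, dn), info in summarize(parse_syncrepl(SAMPLE_LOG)).items():
        print(f"{op} {dn}: rids={info['rids']} codes={info['codes']} -> {info['verdict']}")
```

Point it at the slapd log of a server with several consumers and anything other than "applied" or the benign delete pattern is worth a closer look; a be_delete that returns 32 on one rid but 0 on another, for instance, tells you which partner delivered the change first.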
Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount
--On Thursday, December 29, 2016 7:55 PM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
> On Thu, Dec 29, 2016 at 04:48:42PM -0800, Quanah Gibson-Mount wrote:
>
>> I'm able to reproduce the problem with my test script, so I think things
>> are set from here.
>
> Excellent; in that case please let me know when there is a fix available
> :). Thanks much...
Well, it seems to be some sort of race condition. I've only had it occur
one time out of some 700+ attempts. I don't think it is really related to
4-way MMR at all, but it may be the larger the number of consumers of the
accesslog, the more likely it is to occur (so you'll see it more often in
4-way MMR).
I did want to confirm that you see this on servers that are long running
(i.e., they've been running for a long time, and had other group deletes
that went through w/o issue during that time). If so, then I can modify
the test to randomly add and delete groups as a part of the test,
increasing the likelihood of triggering the issue within the test.
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount
--On Wednesday, December 28, 2016 4:44 PM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
> On Wed, Dec 28, 2016 at 09:53:23AM -0800, Quanah Gibson-Mount wrote:
>
>> I'm going to see if I can create a test that reproduces the issue.
>> I've been working on expanding the test suite so we can ensure we
>> avoid regressions etc.
>
> Cool, thanks. Let me know if there's anything I can do to help.
I'm able to reproduce the problem with my test script, so I think things
are set from here.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
Re: memberOf overlay issues with 2.4.44 + ITS 8432 patch
by Quanah Gibson-Mount
--On Thursday, December 22, 2016 6:12 PM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
>> Probably worth adding to ITS#8444.
>
> Ok, will do. Although it seems there's been no response to that ticket
> for six months :(? Anything else I can provide to help debug this?
> Unfortunately it doesn't seem to be a straight "always happens" bug, I
> didn't see it all in my dev environment under a test load, it only
> popped up in production under a full load.
I'm going to see if I can create a test that reproduces the issue. I've
been working on expanding the test suite so we can ensure we avoid
regressions etc.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
Re: 2.4.44 segfault in modify_add_values
by Quanah Gibson-Mount
--On Sunday, December 25, 2016 8:19 AM -0800 "Paul B. Henson"
<henson(a)acm.org> wrote:
> Woke up this morning to an unwanted Christmas present :(, one of my ldap
> servers had crashed with a segfault:
> I restarted it and it synced right back up from the failover master and
> seems to be ok now. Does this pop out as anything known and possibly
> resolved in head? Thanks...
Doesn't ring a bell, and unfortunately it looks like your binaries are
stripped, so the backtrace doesn't contain useful information. :(
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
Re: Bulk change user's attribute
by Quanah Gibson-Mount
--On Friday, December 23, 2016 11:39 AM +0000 Bruno Miguel Martins
<bruno.miguel.martins(a)iten.pt> wrote:
>
>
> Hello guys,
>
>
>
> I am running slapd 2.3.30 and I need to bulk modify one LDAP attribute
> (sambaHomePath) for all of my users, like:
>
>
>
> Current value = \\oldserver\username
>
> New value = \\newserver\username
>
>
>
> Can this be done? Basically I need a partial change of that attribute –
> "oldserver" which is variable, changed with "newserver" which is
> fixed.
Other than the fact that 2.3.30 is ancient and unsupported... You should be
able to do this, yes. You could use a scripting module such as Net::LDAP
in Perl. If it is possible to do a substring query on the attribute in
question, you could use a filter of "(attr=*oldserver*)" to get a set of
entries back, and then iterate over them and do the update in the script.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 9 months
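An added example for the bulk change Quanah describes, written here and not taken from the thread: instead of Net::LDAP it reads `ldapsearch -LLL` output, swaps the server component of every sambaHomePath for the fixed new name while keeping the per-user remainder, and emits the change as ldapmodify LDIF. The entries, server names and base DN are constructed; the `::` base64 line is legal LDIF added to exercise the decoder. Because the old server name varies per user, the search uses `(sambaHomePath=*)` rather than a fixed substring, and values that are not UNC paths or already point at the new server are left untouched.

```python
"""Added example: rewrite \\oldserver\\user style sambaHomePath values to a
fixed new server and produce ldapmodify LDIF. Sample data is constructed."""
import base64
import re
import sys
from typing import Optional

# Constructed ldapsearch -LLL output (raw string, so backslashes are literal).
SAMPLE_SEARCH = r"""dn: uid=alice,ou=people,dc=example,dc=org
sambaHomePath: \\fs01\alice

dn: uid=bob,ou=people,dc=example,dc=org
sambaHomePath: \\fs02\bob

dn: uid=carol,ou=people,dc=example,dc=org
sambaHomePath: \\newserver\carol

dn: uid=dave,ou=people,dc=example,dc=org
sambaHomePath:: XFxmczAzXGRhdmU=
"""

UNC_RE = re.compile(r"^\\\\([^\\]+)\\(.+)$")   # \\server\rest-of-path


def parse_ldif(text: str) -> list[dict[str, list[str]]]:
    """Minimal LDIF reader: unfolds continuation lines, decodes '::' base64 values."""
    unfolded: list[str] = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    records: list[dict[str, list[str]]] = []
    current: dict[str, list[str]] = {}
    for line in unfolded + [""]:          # trailing "" flushes the last record
        if not line:
            if current:
                records.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr, []).append(value)
    return records


def rewrite_home(value: str, new_server: str) -> Optional[str]:
    """New UNC path with the server swapped, or None if nothing should change."""
    m = UNC_RE.match(value)
    if not m:
        return None                    # not a \\server\path value; leave it alone
    server, rest = m.groups()
    if server.lower() == new_server.lower():
        return None                    # already migrated
    return f"\\\\{new_server}\\{rest}"


def modify_ldif(records: list[dict[str, list[str]]], new_server: str,
                attr: str = "sambaHomePath") -> str:
    """ldapmodify changes for every record whose value needs the new server."""
    changes = []
    for rec in records:
        values = rec.get(attr, [])
        if not values:
            continue
        new = rewrite_home(values[0], new_server)
        if new is None:
            continue
        changes.append(
            f"dn: {rec['dn'][0]}\nchangetype: modify\nreplace: {attr}\n{attr}: {new}\n-\n"
        )
    return "\n".join(changes)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "newserver"
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_SEARCH
    sys.stdout.write(modify_ldif(parse_ldif(source), target))
```

Typical pipeline (bind options omitted): `ldapsearch -LLL -b ou=people,dc=example,dc=org '(sambaHomePath=*)' sambaHomePath | python3 rewrite_home.py newserver > changes.ldif`, review the file, then `ldapmodify -f changes.ldif`. Generating the LDIF first rather than modifying in the same pass leaves a reviewable record of exactly what will change and works against a server as old as the 2.3.30 in the question.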