Re: Syncrepl and multiple values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
How to enable memberOf overlay with posixGroup?
by MegaBrutal
Hi all,
I've spent days trying to figure out how I could enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP noob. I've read
like 50+ tutorials which didn't help me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network. A "unixusers" which is a minimum to
log in to Linux servers (having a hostObject entry for the user is
another requirement, which is irrelevant to this question, as I
already solved that problem); and a "cloudusers" group which enables
log in to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
[Q] "selective" ACL
by Zeus Panchenko
hi,
I'm trying to configure a not complex (as I believe) ACL ... but have some
difficulties
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
    by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
    by self write
    by users read
    by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount
For this testing call, we particularly need folks to test OpenLDAP with
startTLS/LDAPS when compiled against OpenSSL (both pre 1.1 series and with
the 1.1 series). There is currently nothing in the test suite that covers
encrypted connections (Although it's on my todo list). To build against
OpenSSL 1.1 may also require cyrus-sasl HEAD out of the cyrus-sasl GIT
repository, depending on your build options as the current cyrus-sasl
release does not support the OpenSSL 1.1 series. It can be found at
<https://github.com/cyrusimap/cyrus-sasl>. If you build with GSSAPI and
use Heimdal, you will also need the Heimdal 7.1.0 or later release (as that
is where OpenSSL 1.1 support was added). It can be obtained from
<http://h5l.org/>.
Also new with this release is the ability to run "make its" in the tests/
directory. This will run a specific set of tests around past bugs to
ensure there are no regressions. While I've tested this with modular
openldap builds, it has not been tested with the modules and backends built
into slapd, so there could be some issues in that scenario.
Generally, get the code for RE24:
<http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
Configure & build.
Execute the test suite (via make test) after it is built. Optionally, run
"cd tests && make its" to go through the regression suite.
Thanks!
OpenLDAP 2.4.45 Engineering
    Added slapd support for OpenSSL 1.1.0 series (ITS#8353, ITS#8533)
    Fixed libldap handling of Diffie-Hellman parameters (ITS#7506)
    Fixed libldap GnuTLS use after free (ITS#8385)
    Fixed slapd sasl SEGV rebind in same session (ITS#8568)
    Fixed slapd syncrepl filter handling (ITS#8413)
    Fixed slapd syncrepl infinite looping mods with delta-sync MMR (ITS#8432)
    Fixed slapd callback struct so older modules without writewait should function.
        Custom modules may need to be updated for sc_writewait callback (ITS#8435)
    Fixed slapd-mdb so it passes ITS6794 regression test (ITS#6794)
    Fixed slapd-meta uninitialized diagnostic message (ITS#8442)
    Fixed slapo-accesslog to honor pauses during purge for cn=config update (ITS#8423)
    Fixed slapo-relay to correctly initialize sc_writewait (ITS#8428)
    Build Environment
        Added test065 for proxyauthz (ITS#8571)
        Fix test008 to be portable (ITS#8414)
        Fix its4336 regression test (ITS#8534)
        Fix its4337 regression test (ITS#8535)
        Fix regression tests to execute on all backends (ITS#8539)
    Contrib
        Added slapo-autogroup(5) man page (ITS#8569)
        Added passwd missing conversion scripts for apr1 (ITS#6826)
        Fixed contrib modules where the writewait callback was not correctly initialized (ITS#8435)
        Fixed smbk5pwd to build with newer OpenSSL releases (ITS#8525)
    Documentation
        admin24 fixed tls_cipher_suite bindconf option (ITS#8099)
        admin24 fixed typo cn=config to be slapd.d (ITS#8449)
        Fixed slapd-config(5), slapd.conf(5) clarification on interval keyword for refreshAndPersist (ITS#8538)
        Fixed slapo-ppolicy(5) to clearly note rootdn requirement (ITS#8565)
        Fixed various minor grammar issues in the man pages (ITS#8544)

LMDB 0.9.20 Release Engineering
    Fix mdb_load with escaped plaintext (ITS#8558)
    Fix mdb_cursor_last / mdb_put interaction (ITS#8557)

LMDB 0.9.19 Release (2016/12/28)
    Fix mdb_env_cwalk cursor init (ITS#8424)
    Fix robust mutexes on Solaris 10/11 (ITS#8339)
    Tweak Win32 error message buffer
    Fix MDB_GET_BOTH on non-dup record (ITS#8393)
    Optimize mdb_drop
    Fix xcursors after mdb_cursor_del (ITS#8406)
    Fix MDB_NEXT_DUP after mdb_cursor_del (ITS#8412)
    Fix mdb_cursor_put resetting C_EOF (ITS#8489)
    Fix mdb_env_copyfd2 to return EPIPE on SIGPIPE (ITS#8504)
    Fix mdb_env_copy with empty DB (ITS#8209)
    Fix behaviors with fork (ITS#8505)
    Fix mdb_dbi_open with mainDB cursors (ITS#8542)
    Fix robust mutexes on kFreeBSD (ITS#8554)
    Fix utf8_to_utf16 error checks (ITS#7992)
    Fix F_NOCACHE on MacOS, error is non-fatal (ITS#7682)
    Build
        Make shared lib suffix overridable (ITS#8481)
    Documentation
        Cleanup doxygen nits
        Note reserved vs actual mem/disk usage
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
help troubleshooting
by scar
I have inherited an LDAP server and admittedly do not have all the
technical expertise to troubleshoot the problems we have.
We are using slapd 2.4.40.
The first problem is nobody but the rootdn can change passwords. We'd
like to use "passwd" utility on our servers to change our passwords but
the error is "LDAP password information update failed: Insufficient access"
In slapd.conf we have (I have removed our dc for privacy):
access to attrs=userPassword
    by self write
    by anonymous auth
    by dn="cn=Manager,dc=X,dc=Y,dc=Z" write
    by * none
access to *
    by self write
    by dn="cn=Manager,dc=X,dc=Y,dc=Z" write
    by * read
    by * auth
access to *
    by dn="uid=ldapadmin,dc=X,dc=Y,dc=Z" read
"cn=Manager,dc=X,dc=Y,dc=Z" is our rootdn and I have enabled loglevel 128.
However, this brings me to the next problem: the contents of slapd.conf
do not match the slapd.d/cn\=config.ldif file, so it seems the fixes I
am trying to the ACLs don't have any effect, even when I restart slapd.
If I try "ldapmodify -nv" it just hangs. When I try to stop slapd and
remove slapd.d/* and then start slapd, the contents are recreated
according to the config file, but then users can't log in (all I see in
the logfile is access_allowed and slap_access_allowed but no conn lines).
So some basic troubleshooting help would be appreciated!
Thanks
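The slapd.conf ACL quoted above, run through a small model of slapd's evaluation order (an added example, not part of the post; the ordinary-user DNs in the test are constructed, and the model handles only the subject forms this ACL uses):

```python
# Model of slapd's ACL evaluation order (slapd.access(5)) applied to the three
# 'access to' clauses quoted above; constructed example, not from the post.
# The first 'access' clause whose target matches is chosen, then its 'by'
# lines are tried top to bottom and the first matching subject decides
# (this ACL uses no 'break', so evaluation stops at that line).
ANON = None                                   # unauthenticated requester
MANAGER = "cn=Manager,dc=X,dc=Y,dc=Z"
LDAPADMIN = "uid=ldapadmin,dc=X,dc=Y,dc=Z"

# (target, [(subject, privilege), ...]) in the order the post lists them
ACL = [
    ({"attrs": {"userPassword"}}, [("self", "write"), ("anonymous", "auth"),
                                   ("dn:" + MANAGER, "write"), ("*", "none")]),
    ({}, [("self", "write"), ("dn:" + MANAGER, "write"),
          ("*", "read"), ("*", "auth")]),
    ({}, [("dn:" + LDAPADMIN, "read")]),
]

def subject_matches(subject, requester, target):
    if subject == "*":
        return True
    if subject == "self":
        return requester is not ANON and requester == target
    if subject == "anonymous":
        return requester is ANON
    if subject.startswith("dn:"):
        return requester == subject[3:]
    raise ValueError("unsupported subject " + subject)

def access_for(requester, target, attr):
    """(privilege, clause_no, by_no) slapd would apply to attr of target."""
    for ci, (to, bys) in enumerate(ACL, 1):
        if "attrs" in to and attr not in to["attrs"]:
            continue
        for bi, (subject, priv) in enumerate(bys, 1):
            if subject_matches(subject, requester, target):
                return priv, ci, bi
        return "none", ci, None                # implicit 'by * none'
    return "none", None, None

def unreachable():
    """(clause_no, by_no) pairs that no request can ever reach."""
    dead, shadowed = [], False
    for ci, (to, bys) in enumerate(ACL, 1):
        catch_all = False                     # a 'by *' already seen here
        for bi, (subject, _) in enumerate(bys, 1):
            if shadowed or catch_all:
                dead.append((ci, bi))
            catch_all = catch_all or subject == "*"
        shadowed = shadowed or (catch_all and "attrs" not in to)
    return dead
```

access_for reports that a bound user gets write access to their own userPassword under these lines, which supports the poster's suspicion that the running server is not using this file, and unreachable() lists the "by * auth" of the second clause and the whole third clause as dead, since "by * read" already matches every requester.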
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount
--On Tuesday, January 31, 2017 12:05 PM -0800 Quanah Gibson-Mount
<quanah(a)symas.com> wrote:
>> ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)!
>> Error found after 1 of 1 iterations
>>>>>>> test061-syncreplication-initiation failed for mdb
>> (exit 1)
>> Makefile:310: recipe for target 'mdb-yes' failed
>> make: *** [mdb-yes] Error 1
>
> Interesting -- Can you tar up the testrun directory, ftp it up, and file
> an ITS with a pointer to the upload?
I was able to reproduce this as well with back-mdb.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Re: RE24 testing call (2.4.45) LMDB RE0.9 testing call (0.9.20)
by Quanah Gibson-Mount
--On Tuesday, January 31, 2017 8:35 PM +0100 Dieter Klünter
<dieter(a)dkluenter.de> wrote:
> On Mon, 30 Jan 2017 12:49:56 -0800, Quanah Gibson-Mount
> <quanah(a)symas.com> wrote:
> [...]
>
>> Generally, get the code for RE24:
>>
>> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/heads/OPENLDAP_REL_ENG_2_4;sf=tgz>
>>
>> Configure & build.
>>
>> Execute the test suite (via make test) after it is built.
>> Optionally, cd tests && make its run through the regression suite.
>
> [...]
>
> Starting test061-syncreplication-initiation for mdb...
> Running defines.sh
> ...
>
> ERROR: Entry 21 not replicated to ldap://localhost:9012/! (32)!
> Error found after 1 of 1 iterations
>>>>>> test061-syncreplication-initiation failed for mdb
> (exit 1)
> Makefile:310: recipe for target 'mdb-yes' failed
> make: *** [mdb-yes] Error 1
Interesting -- Can you tar up the testrun directory, ftp it up, and file an
ITS with a pointer to the upload?
Thanks,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
Mirror Inquiry
by Standalone Admin
Hi
Is there a need for more mirrors for OpenLDAP? If so we can host it on our
server in France @1GBPS connection.
Thanks,
Sam
How to add index for "member" of ldap groups
by Axel Birndt
Hi @All,
I'm currently searching for a possibility to add an index in openldap
(cn=config backend) for the "member" of groups.
In my log I got the following message:
> 475 admin slapd: <= bdb_equality_candidates: (member) not indexed
I found that "member" is an attribute of an ldap group.
> # Entry 1: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de
> dn: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de
> cn: bind_users
> member: cn=apachebind,ou=apache_technical,ou=users,dc=company,dc=de
> member: cn=wordpressbind1,ou=wordpress_bind,ou=users,dc=company,dc=de
> objectclass: groupOfNames
> objectclass: top
How could I add an index for this attribute?
I searched with Google and found:
http://www.openldap.org/faq/data/cache/136.html
https://wiki.debian.org/LDAP/OpenLDAPSetup
http://www.openldap.org/doc/admin24/slapdconf2.html
and so on...
With this information I already added indices for
> # Entry 1: olcDatabase={1}hdb,cn=config
> dn: olcDatabase={1}hdb,cn=config
> objectclass: olcDatabaseConfig
> objectclass: olcHdbConfig
> olcdbindex: objectClass eq
> olcdbindex: cn pres,sub,eq
> olcdbindex: sn pres,sub,eq
> olcdbindex: uid pres,sub,eq
> olcdbindex: displayName pres,sub,eq
> olcdbindex: default sub
> olcdbindex: uidNumber eq
> olcdbindex: gidNumber eq
> olcdbindex: mail,givenName eq,subinitial
> olcdbindex: dc eq
If I try to add a new index "olcdbindex: member pres,sub,eq"
I get a failure:

Could not perform ldap_modify operation.
LDAP said: Other (e.g., implementation specific) error
Error number: 0x50 (LDAP_OTHER)

Is anyone able to give me a hint where I could find more information, or
help me find the right search keywords?
--
Kind regards
Axel
Re: Antw: How to add index for "member" of ldap groups
by Axel Birndt
On 27.01.2017 at 08:24, Ulrich Windl wrote:
>>>> Axel Birndt <towerlexa(a)gmx.de> wrote on 26.01.2017 at 22:17 in message
> <858439a0-ab4f-cea3-f5ea-9b8f3514d08b(a)gmx.de>:
>> Hi @All,
>>
>> I'm currently searching for a possibility to add an index in openldap
>> (cn=config backend) for the "member" of groups.
>>
>> In my log I got the following message:
>>
>> > 475 admin slapd: <= bdb_equality_candidates: (member) not indexed
>>
>> I found that "member" is an attribute of an ldap group.
>>
>> > # Entry 1: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de
>> > dn: cn=bind_users,ou=admins,ou=groups,dc=company,dc=de
>> > cn: bind_users
>> > member: cn=apachebind,ou=apache_technical,ou=users,dc=company,dc=de
>> > member: cn=wordpressbind1,ou=wordpress_bind,ou=users,dc=company,dc=de
>> > objectclass: groupOfNames
>> > objectclass: top
>>
>> How could I add an index for this attribute?
>
> Maybe via LDIF:
> dn: olcDatabase={1}hdb,cn=config
> changetype: modify
> add: olcDbIndex
> olcDbIndex: member eq
>
Hi Ulrich,
thanks for your hint! I could solve it with your LDIF snippet:

dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: member eq

It is running fine:

abirndt@admin:~/openldap$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f olcDbIndex_member.ldif
[sudo] password for abirndt:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
--
Kind regards
Axel
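A small generator that turns slapd "not indexed" log lines like the one in this thread into the cn=config LDIF Ulrich suggested, skipping index types the database already has (an added example, not code from the thread; the log lines and olcDbIndex values are constructed from the ones quoted in the post):

```python
import re

# Turn slapd "not indexed" log lines into the cn=config LDIF from the thread.
# Added example, not from the thread; the log lines and olcDbIndex values
# below are constructed from the ones quoted in the post.
NOT_INDEXED = re.compile(
    r"<= (?:bdb|hdb|mdb)_(equality|substring|presence|approx)_candidates: "
    r"\((\S+)\) not indexed")
INDEX_TYPE = {"equality": "eq", "substring": "sub",
              "presence": "pres", "approx": "approx"}

def existing_indexes(olc_values):
    """Parse olcDbIndex values such as 'mail,givenName eq,subinitial' into
    {attr: set(types)}."""
    have = {}
    for value in olc_values:
        attrs, _, types = value.partition(" ")
        for attr in attrs.split(","):
            have.setdefault(attr, set()).update(types.split(","))
    return have

def missing_indexes(log_lines, olc_values):
    """Return {attr: [types]} for index types the log asked for that the
    database does not already carry, in first-seen order."""
    have, need = existing_indexes(olc_values), {}
    for line in log_lines:
        m = NOT_INDEXED.search(line)
        if not m:
            continue
        kind, attr = INDEX_TYPE[m.group(1)], m.group(2)
        if kind in have.get(attr, ()) or kind in need.get(attr, []):
            continue
        need.setdefault(attr, []).append(kind)
    return need

def index_ldif(db_dn, need):
    """One 'changetype: modify' adding an olcDbIndex value per attribute."""
    if not need:
        return ""
    lines = ["dn: " + db_dn, "changetype: modify", "add: olcDbIndex"]
    lines += ["olcDbIndex: %s %s" % (attr, ",".join(types))
              for attr, types in need.items()]
    return "\n".join(lines) + "\n"

# Constructed sample input: the line from the post plus two of the same shape.
SAMPLE_LOG = [
    "Jan 26 22:17:01 admin slapd[475]: <= bdb_equality_candidates: (member) not indexed",
    "Jan 26 22:17:02 admin slapd[475]: <= bdb_equality_candidates: (cn) not indexed",
    "Jan 26 22:17:03 admin slapd[475]: <= bdb_presence_candidates: (member) not indexed",
]
SAMPLE_OLC = ["objectClass eq", "cn pres,sub,eq", "mail,givenName eq,subinitial"]
```

The generator knows nothing about matching rules: the failed attempt earlier in the thread asked for "sub" on member, a DN-syntax attribute with no substring matching rule, which is why only the eq value applied cleanly.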