Re: Syncrepl and multiple values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
> Issue 8559 opened.
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 3 months
How to enable memberOf overlay with posixGroup?
by MegaBrutal
Hi all,
I've spent days trying to figure out how I could enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP-noob. I've read
like 50+ tutorials which didn't help me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network. A "unixusers" which is a minimum to
log in to Linux servers (having a hostObject entry for the user is
another requirement, which is irrelevant to this question, as I
already solved that problem); and a "cloudusers" group which enables
log in to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
5 years, 9 months
[Q] "selective" ACL
by Zeus Panchenko
hi,
I'm trying to configure a not complex (as I believe) ACL ... but have some
difficulties
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users reside in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
5 years, 10 months
Dogtag CA with OpenLDAP?
by Turbo Fredriksson
I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years).
But it’s failing because of:
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
Dogtag is only (officially) supporting 389ds, but installing (and maintaining!) another
LDAP/Krb5 server(s) on the network just seems … “wrong”! :)
The code looks like:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cm...
Basically, it looks for “nssldap-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config”
(which don’t exists in OpenLDAP of course).
Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use
for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed
to look like, or what “cn=mapping tree” is for exactly.
6 years, 1 month
[openldap-technical] OpenLDAP custom schema [dummy question]
by Alexandru Ocheana
Hi all,
My name is Alex and I recently joined this list because I can't find
some straightforward guidelines and nothing seems to work for me. Of
course it is a dummy question and I know you have seen it many times, but I am
sure that I'm missing something very, very simple. If you want,
please help me because I am a bit lost and I don't know how to move forward.
I am trying to set up an OpenLDAP server on CentOS 7. This is my first
time, so please go easy on me :))
I will try to reproduce my steps because, this being my first time, errors may
occur at any moment, but I strongly want to learn OpenLDAP.
My goal is to add some custom fields (attributeType) into the LDAP DB. I know
there can be a workaround for this, like adding the data into the inetOrgPerson
schema, but I want a new schema, defined for what I need. Basically this
schema will contain supplementary information about students like
(ID-Number, University Assigned Number, contact email, address, name
after marriage, etc).
Here are all steps I've done (successfully I believe):
install and configure OpenLDAP from here:
https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1
----
I've tried to create my new schema like this (I have my private IANA OID):
-----------------------------------
info.schema
----
attributetype ( 1.3.6.1.4.1.49565.1.1.1
NAME 'cnp'
DESC 'Cod Numeric Personal'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
attributetype ( 1.3.6.1.4.1.49565.1.1.2
NAME 'emailContact'
DESC 'Email for external user'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
objectclass (
1.3.6.1.4.1.49565.1.2.1
NAME 'infoVCard'
DESC 'Extra Information Card'
AUXILIARY )
-----------------------------------
* Moved to /tmp/slapd folder and created an info.conf file:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/info.schema
* transformed info.schema to ldif
slaptest -f info.conf -F .
config file testing succeeded
* moved to cn=config/cn=schema and all 5 files are here:
-rw-------. 1 root root 15546 Mar 31 22:15 cn={0}core.ldif
-rw-------. 1 root root 11363 Mar 31 22:15 cn={1}cosine.ldif
-rw-------. 1 root root 6495 Mar 31 22:15 cn={2}nis.ldif
-rw-------. 1 root root 2857 Mar 31 22:15 cn={3}inetorgperson.ldif
-rw-------. 1 root root 890 Mar 31 22:15 cn={4}info.ldif
--------------------------------------------
* edited cn={4}info.ldif like so:
--------------------------------------------
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 bc62c5f1
dn: cn=info,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: info
olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Email for external user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra Information Card' AUXILIARY )
-------------------------------------------
* copied info.ldif from /tmp to /etc/openldap/schema/info.ldif
* load info.ldif into OpenLDAP
ldapadd -Y EXTERNAL -H ldapi:/// -f info.ldif
OUTPUT of above command:
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
adding new entry "cn=info,cn=schema,cn=config"
------------------------------------
I suppose everything is correct because at
/etc/openldap/slapd.d/cn=config/cn=schema now appears my cn={4}info.ldif
file with the following content:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 a48aaa49
dn: cn={4}info
objectClass: olcSchemaConfig
cn: {4}info
olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Email for external user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra Information Card' AUXILIARY )
structuralObjectClass: olcSchemaConfig
entryUUID: 9d56682a-aa93-1036-9882-31e47bf02dae
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20170331192559Z
entryCSN: 20170331192559.397549Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20170331192559Z
---------------------------------------
Now, till here everything worked smooth but from this step forward
everything turns into a nightmare. How do I add data using this new
schema? I've tried this:
ldapuser.ldif
---
dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
cn: Alexandru
sn: Ocheana
userPassword: {SSHA}BBxUpzvO93HlFEFPSkexvXA7G06UBYO4
loginShell: /bin/bash
uidNumber: 2000
gidNumber: 2000
homeDirectory: /home/alex
## -------------------------
## HERE I BELIEVE IS AN ERROR BUT WHICH IS THE CORRECT WAY TO ADD IT?
## THIS PART IS TO ADD DATA TO THAT NEW SCHEMA
## -------------------------
dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: infoVCard
cnp: myCNP
emailContact: otheremail(a)gmail.com
dn: cn=alex,ou=Group,dc=info,dc=uaic,dc=ro
objectClass: posixGroup
cn: Alex
gidNumber: 2000
memberUid: alex
----
I am trying to add this to OpenLDAP like so:
ldapadd -x -D cn=Manager,dc=info,dc=uaic,dc=ro -W -f ldapuser.ldif
After asking for password I am getting this output:
adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro"
adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro"
ldap_add: Object class violation (65)
additional info: no structural object class provided
My logic tells me that my infoVCard should be bound somehow to the first set
as inetOrgPerson (I've read about this but I don't know how to really
achieve this ... I know about SUP but I am lost at this point).
Can you bring some light into my head please? What am I missing?
Thank you very much for your time!
Regards,
Alexandru Ocheana
6 years, 2 months
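The failure in the post above, modelled as an added example (this is not code from the post or from OpenLDAP): a small Python imitation of slapd's object class check, run over a trimmed copy of the posted ldapuser.ldif. It shows why the second record is rejected, and that even as a single record the entry needs infoVCard to carry a MAY clause before cnp and emailContact are permitted; the abbreviated schema sets and the merge step are assumptions of the model.

```python
# Added example (not from the thread): a small model of slapd's object class check,
# applied to the post's schema. MUST and MAY are collapsed into one permitted set.
SCHEMA = {  # objectClass -> (kind, attributes it permits), abbreviated
    "inetOrgPerson": ("STRUCTURAL", {"cn", "sn", "uid"}),
    "posixAccount": ("AUXILIARY", {"cn", "uid", "uidNumber", "gidNumber", "homeDirectory"}),
    "infoVCard": ("AUXILIARY", set()),  # as posted: no MUST/MAY clause, permits nothing
}
# The same class written with "AUXILIARY MAY ( cnp $ emailContact )" in info.schema
SCHEMA_FIXED = {**SCHEMA, "infoVCard": ("AUXILIARY", {"cnp", "emailContact"})}
# Constructed from the post's ldapuser.ldif (trimmed). A blank line starts a new LDIF
# record, so the second record is a separate add of the same DN with only an AUXILIARY class.
AS_POSTED = """\
dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: inetOrgPerson
objectClass: posixAccount
cn: Alexandru
sn: Ocheana
uid: alex

dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro
objectClass: infoVCard
cnp: myCNP
emailContact: otheremail@example.com
"""

def parse_ldif(text):
    """Minimal 'attr: value' LDIF reader (no base64 values, comments or line folding)."""
    records = []
    for block in text.strip().split("\n\n"):
        cur = {}
        for line in block.splitlines():
            attr, value = line.split(":", 1)
            cur.setdefault(attr.strip(), []).append(value.strip())
        records.append(cur)
    return records

def check_entry(entry, schema=SCHEMA):
    """Return 'OK' or the object class violation slapd would report for the entry."""
    classes = [c for c in entry.get("objectClass", []) if c in schema]
    if not any(schema[c][0] == "STRUCTURAL" for c in classes):
        return "Object class violation (65): no structural object class provided"
    allowed = {"dn", "objectClass"}.union(*(schema[c][1] for c in classes))
    bad = [a for a in entry if a not in allowed]
    return f"Object class violation (65): attribute '{bad[0]}' not allowed" if bad else "OK"

def merge(records):
    """Fold several records for one DN into a single add, which is what the fix needs."""
    out = {}
    for rec in records:
        for attr, values in rec.items():
            out[attr] = out.get(attr, []) + [v for v in values if v not in out.get(attr, [])]
    return out
```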
OpenLDAP Tutorial on YouTube Channel
by Rajesh R
Hello,
At the outset, thank you to each member of the OpenLDAP project for all the hard work in developing a great LDAP Server.
I'm Rajesh Rajasekharan, and have spent a great deal of my time in various Organizations teaching several Products, including their LDAP Servers. While searching for good OpenLDAP resources, I couldn't really find a systematic tutorial for the same, so I thought of making one myself. As a result, I have a playlist of 19 videos on OpenLDAP on my YouTube channel. If/when you have some time to spare, I request that you please take a look at it and kindly advise whether I could contribute in any other ways to this great Project.
https://www.youtube.com/playlist?list=PLfO6SFqcY2PrDR5yct96n4qfgMmh6g0eP
kind regards,
--R Rajesh
Sent from my iPhone
6 years, 2 months
Re: Multiple olcDbIndex for the same attribute
by Quanah Gibson-Mount
--On Friday, March 31, 2017 12:24 PM +0200 "PenguinWhispererThe ."
<th3penguinwhisperer(a)gmail.com> wrote:
> So for example:
> olcDbIndex: objectClass pres,eq
> olcDbIndex: objectClass eq
>
> Is this the same as if you'd only have:
> olcDbIndex: objectClass pres,eq
> ?
>
> Or does it really make a difference?
>
> I've checked http://www.openldap.org/doc/admin24/slapdconf2.html but I
> couldn't find an answer to this.
I'm not really sure it's the job of the admin guide or the man pages to
cover all the multitudes of ways in which one can misconfigure the server,
or what the results of such a misconfiguration will be. My *guess* is that
the end result will be that it will have both a "pres" and an "eq" index.
YMMV.
--Quanah
6 years, 2 months
Re: "Dynamic" authentication passthrough?
by Quanah Gibson-Mount
--On Friday, March 31, 2017 1:52 PM -0400 Curtiss Howard
<curtiss.howard(a)gmail.com> wrote:
> Is there a way to do this?
>
> Just use slapo-pbind.
>
> Ah nice, this sounds more like it. However, I have two AD servers that
> I'm proxying -- is there a concept of using this overlay multiple times?
Doesn't seem like it, but I've never set it up. I suppose if each AD
server had a different base for its DIT, it would be possible to add an
option to direct auth requests to different AD servers based off of that.
But that would be an enhancement to the existing functionality. May be
worth filing an ITS to request it.
--Quanah
6 years, 2 months
Re: "Dynamic" authentication passthrough?
by Howard Chu
Curtiss Howard wrote:
> Hi,
>
> I've got two Active Directory servers that are being proxied through OpenLDAP
> and their respective trees are being merged into one. So far, so good.
>
> Now I want to allow users to bind to the OpenLDAP server and pass the
> authentication through to the appropriate AD and let it do the password checking.
>
> I see a lot of documentation on using SASL for passthrough, but where I'm
> stuck is that this requires every user to have an account in the OpenLDAP
> server in order to see if the userPassword attribute is specially formatted.
> In my case, this isn't really a palatable solution because I'm using the
> OpenLDAP server with the meta backend and using it as a "live view" into the
> data contained in the ADs. Other applications can talk directly to the ADs
> and in order to do the SASL approach there'd have to be some syncing from the
> ADs to the OpenLDAP server every time a user is created/deleted.
>
> I would think that surely there must be some way to pass through the
> authentication in a more obvious manner -- i.e., if the user doesn't exist
> locally, try to bind against each proxied server in succession. But I can't
> seem to find a way to do this, all references point to the SASL approach.
>
> Is there a way to do this?
Just use slapo-pbind.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 2 months
"Dynamic" authentication passthrough?
by Curtiss Howard
Hi,
I've got two Active Directory servers that are being proxied through
OpenLDAP and their respective trees are being merged into one. So far, so
good.
Now I want to allow users to bind to the OpenLDAP server and pass the
authentication through to the appropriate AD and let it do the password
checking.
I see a lot of documentation on using SASL for passthrough, but where I'm
stuck is that this requires every user to have an account in the OpenLDAP
server in order to see if the userPassword attribute is specially
formatted. In my case, this isn't really a palatable solution because I'm
using the OpenLDAP server with the meta backend and using it as a "live
view" into the data contained in the ADs. Other applications can talk
directly to the ADs and in order to do the SASL approach there'd have to be
some syncing from the ADs to the OpenLDAP server every time a user is
created/deleted.
I would think that surely there must be some way to pass through the
authentication in a more obvious manner -- i.e., if the user doesn't exist
locally, try to bind against each proxied server in succession. But I
can't seem to find a way to do this, all references point to the SASL
approach.
Is there a way to do this?
Thanks in advance.
6 years, 2 months