Info Attribute
by Tom Jay
Hello,
I'm trying to add the 'info' attribute to an entry and am getting the following:
ldap_modify: Object class violation (65)
additional info: attribute 'info' not allowed
If you look at the Cosine schema, the info attribute is defined, but with no object class (pilotObject has been commented out). If I try and add the 'top' object class, this is successful, but still prevents me from adding the info attribute. Currently, the only object class assigned to the entry is inetOrgPerson.
Has anyone got any idea why this may be the case?
Thanks.
Tom
6 years, 1 month
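A worked illustration of the schema check behind that error, added here as an example and not part of the original post: the MUST/MAY lists are abbreviated from core.schema and inetorgperson.schema, and 'infoHolder' is a hypothetical auxiliary object class that lists 'info' in MAY, showing that only a class which actually names the attribute (adding 'top' does not) makes it allowed.

```python
# Added example (not from the original post): a minimal model of the check
# behind "Object class violation (65): attribute 'info' not allowed".
# MUST/MAY lists are abbreviated from core.schema / inetorgperson.schema;
# 'infoHolder' is a hypothetical auxiliary class written for this example.

SCHEMA = {
    # name: (superior class, MUST attributes, MAY attributes)
    "top": (None, {"objectClass"}, set()),
    "person": ("top", {"sn", "cn"},
               {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", set(),
                             {"title", "ou", "st", "l", "postalAddress"}),
    "inetOrgPerson": ("organizationalPerson", set(),
                      {"mail", "uid", "givenName", "displayName", "mobile"}),
    # Hypothetical: an auxiliary class whose MAY list includes 'info'.
    "infoHolder": ("top", set(), {"info"}),
}


def chain(object_class):
    """Yield a class and all of its superiors up to 'top'."""
    while object_class is not None:
        yield object_class
        object_class = SCHEMA[object_class][0]


def check_entry(entry):
    """Return the violations slapd would report for entry ({attr: [values]}).

    An attribute is allowed only if some listed object class (or one of its
    superiors) names it in MUST or MAY; every MUST attribute must be present.
    """
    allowed, required = set(), set()
    for oc in entry.get("objectClass", []):
        for c in chain(oc):
            _sup, must, may = SCHEMA[c]
            allowed |= must | may
            required |= must
    problems = [f"attribute '{a}' not allowed" for a in entry if a not in allowed]
    problems += [f"missing required attribute '{a}'" for a in sorted(required - set(entry))]
    return problems


if __name__ == "__main__":
    tom = {"objectClass": ["inetOrgPerson"], "cn": ["Tom"], "sn": ["Jay"]}
    print(check_entry({**tom, "info": ["note"]}))  # not allowed
    print(check_entry({**tom, "objectClass": ["inetOrgPerson", "top"], "info": ["note"]}))  # still not allowed
    print(check_entry({**tom, "objectClass": ["inetOrgPerson", "infoHolder"], "info": ["note"]}))  # []
```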
OpenLDAP + MySQL BackEnd
by Alexandre Vilarinho
Hello all,
Recently I downloaded OpenLDAP 2.4.44 and enabled MySQL as follows.
apt-get install libssl-dev libdb-dev unixodbc-dev time
wget ftp://ftp.openldap.org/pub/OpenLDAP/openldap-release/openldap-2.4.26.tgz
tar xvfz openldap-*.tgz
cd openldap-*
./configure --enable-sql
make depend
make
make install
apt-get install mysql-server libmyodbc
# put mysql root password and confirm password that you want
mysql -u root -p
# put mysql root password
CREATE USER 'openldap'@'localhost' IDENTIFIED BY 'yourpassword';
CREATE DATABASE IF NOT EXISTS openldap;
GRANT ALL PRIVILEGES ON openldap.* TO 'openldap'@'localhost';
FLUSH PRIVILEGES;
exit
edit /etc/odbc.ini
[openldap]
Description = Example for OpenLDAP's back-sql
Driver = MySQL
Trace = No
Database = openldap
Servername = localhost
UserName = openldap
Password = yourpassword
ReadOnly = No
RowVersioning = No
ShowSystemTables = No
ShowOidColumn = No
FakeOidIndex = No
ConnSettings =
SOCKET = /var/run/mysqld/mysqld.sock
/etc/odbcinst.ini
[MySQL]
Description = ODBC for MySQL
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.soo
FileUsage = 1
cd servers/slapd/back-sql/rdbms_depend/mysql/
mysql -u openldap -p openldap < backsql_create.sql
mysql -u openldap -p openldap < testdb_create.sql
mysql -u openldap -p openldap < testdb_data.sql
mysql -u openldap -p openldap < testdb_metadata.sql
/usr/local/etc/openldap/slapd.conf
# $OpenLDAP$
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
# Define global ACLs to disable default read access.
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /usr/local/var/slapd.pid
argsfile /usr/local/var/slapd.args
#######################################################################
# sql database definitions
#######################################################################
database sql
suffix "dc=example,dc=com"
rootdn "cn=root,dc=example,dc=com"
rootpw rootpassword
dbname openldap
dbuser openldap
dbpasswd yourpassword
subtree_cond "ldap_entries.dn LIKE CONCAT('%',?)"
insentry_stmt "INSERT INTO ldap_entries (dn,oc_map_id,parent,keyval) VALUES (?,?,?,?)"
has_ldapinfo_dn_ru no
When I execute the following command
/usr/local/libexec/slapd -d 1
I receive the following information
58eba756 backsql_db_open(): entry deletion SQL statement not specified (use "renentry_stmt" directive in slapd.conf)
58eba756 backsql_db_open(): setting "UPDATE ldap_entries SET dn=?,parent=?,keyval=? WHERE id=?" by default
58eba756 backsql_db_open(): objclasses deletion SQL statement not specified (use "delobjclasses_stmt" directive in slapd.conf)
58eba756 backsql_db_open(): setting "DELETE FROM ldap_entry_objclasses WHERE entry_id=?" by default
58eba756 ==>backsql_get_db_conn()
58eba756 ==>backsql_open_db_handle()
Floating point exception (core dumped)
Apparently there is no error.
When I execute the following command
ldapsearch -x -D cn=root,dc=example,dc=com -w rootpassword -s sub -b "dc=example,dc=com" "(objectClass=*)"
I receive the following error
root@DNS-TESTE:~# ldapsearch -x -D cn=root,dc=example,dc=com -w teste -s sub -b "dc=example,dc=com" "(objectClass=*)"
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Apparently, after the installation of LDAP, the slapd daemon wasn't created.
Am I doing something wrong? Is there another way to configure LDAP to support MySQL?
Regards
Alex
6 years, 1 month
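An added check, not from the original post, for the unixODBC configuration that back-sql opens inside backsql_open_db_handle(), the function the crash above occurs in; the ini snippets are constructed from the post's /etc/odbc.ini and /etc/odbcinst.ini, and the `exists` parameter is injectable so the check can be run without the driver installed.

```python
# Added example (not from the original post): sanity-check the unixODBC config
# that back-sql opens in backsql_open_db_handle(), where the post's slapd crashed.
# The ini snippets are constructed from the post's /etc/odbc.ini and
# /etc/odbcinst.ini; 'exists' is injectable so the check is unit-testable.
import configparser
import os

ODBC_INI = """
[openldap]
Driver = MySQL
Database = openldap
UserName = openldap
"""
ODBCINST_INI = """
[MySQL]
Driver = /usr/lib/x86_64-linux-gnu/odbc/libmyodbc.soo
FileUsage = 1
"""


def _parse(text):
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep key case as written in the file
    cp.read_string(text)
    return cp


def check_dsn(dsn, odbc_ini, odbcinst_ini, exists=os.path.exists):
    """Return a list of problems for DSN `dsn`; an empty list means it looks sane."""
    dsns, drivers = _parse(odbc_ini), _parse(odbcinst_ini)
    if not dsns.has_section(dsn):
        return [f"DSN [{dsn}] not defined in odbc.ini"]
    driver = dsns[dsn].get("Driver", "")
    if not driver:
        return [f"DSN [{dsn}] has no Driver line"]
    problems = []
    # Driver= either names a section of odbcinst.ini or is the library path itself.
    if drivers.has_section(driver):
        path = drivers[driver].get("Driver", "")
        if not path or not exists(path):
            problems.append(f"driver [{driver}] library '{path}' does not exist")
    elif not exists(driver):
        problems.append(f"Driver '{driver}' is neither an odbcinst.ini section nor a file")
    return problems


if __name__ == "__main__":
    for p in check_dsn("openldap", ODBC_INI, ODBCINST_INI):
        print("PROBLEM:", p)
```

Once the check passes, confirm the DSN with unixODBC's own client (`isql -v openldap openldap yourpassword`) before starting slapd, so a driver or credential problem is separated from a back-sql one.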
Re: Is there directory schema for storing information on States and Corporations?
by John Lewis
On Fri, 2017-04-07 at 11:29 +1200, Kevin Buckley wrote:
> Apologies for replying out of the thread but I had binned the
> original one, and then had the thoughts !
>
> If you post my content (assuming you want to reply!), in to the
> thread then I'll get to see the thread continue, when that message
> appears.
I'm putting this back on the list.
>
> John Lewis <oflameo2(a)gmail.com> wrote:
>
> > I am bouncing around a couple of projects that involve collecting and
> > storing information about Corporations and States.
> >
> > Is there an already existing schema that will kind of fit this data in
> > general? Offhand, the closest one I can think of is inetOrgPerson,
> > but it is probably a stretch.
> >
> > The kind of data is going to be like taking the top of
> > Corporations and State's inetOrgPerson data and stuffing it under one
> > tree and bundling public data with it such as contracts a company has with a state on record.
> Have you considered using a domain component (dc=,dc=) based tree,
> using dot-us as the root, and the two-letter states sub-domains below it
>
> dc=ca,dc=us
>
> and then putting your corporation in below that, for example
>
> o=mycorp,dc=ca,dc=us
>
> for the Californian content, in which you "pretend" that the
> Californian "branch"
> of your Corporation actually "owns" the mycorp,ca.us domain name?
>
> I take the point made by other respondents about not relying on geographical
> info, however a number of corporations do make use of country-based domain
> names, for operations in various theatres, so there is a kind of
> precedent, within
> the dc= approach.
That is what I am thinking about doing. I can probably get away with
just using an ou because it is not necessarily a new
directory/database.
Alternatively I could just make the whole thing flat and put an entry in
to describe where it is to be filtered later but I think I like the
former better.
6 years, 1 month
Re: OT: Security management/distribution in "The Cloud" (Was: Dogtag CA with OpenLDAP?)
by Howard Chu
Turbo Fredriksson wrote:
> On 28 Mar 2017, at 11:22, Howard Chu <hyc(a)symas.com> wrote:
>
>> We had a module for OpenLDAP 2.0, way back when. It hasn't been maintained in years.
>
> Ok, I see :(. What did that do exactly? Name?
I've dug it up and gotten it working again.
http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=commit;h=2b920e...
Basically it's an overlay that generates certificates for users and servers
residing in the directory. A single Search request across the entire directory
can trigger generation of certs for every relevant entry.
>
> Sorry for the OT (although it’s _slightly_ relevant to OpenLDAP I guess).
>
> But how do people handle secrets (key/value, certificates etc) in a cloud
> environment? With bare metal, you usually don’t spinup/down machines
> that often, so distributing stuff like that is “easy”. But with the cloud and
> “resources are cattle, not pets”, how to do that there!?
>
> This has been racking my brain (and several of my friends and colleagues)
> for months now!
>
> I’m using OpenLDAP and MIT Kerberos V for users and passwords, but
> I’m not sure how I could (if I should) utilise that to keep “secrets”.
>
> I’ve looked at Hashicorp Vault, but that’s extremely immature and not any
> where near ready a “production” environment (not to mention that it lacks
> very important functions etc).
>
> Dogtag is apparently good enough (although huge - might not need all that
> functionality), but maintaining an additional LDAP/KerberosV setup is seriously
> unappealing!
>
> But what else is there?
>
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 1 month
Is there directory schema for storing information on States and Corporations?
by John Lewis
I am bouncing around a couple of projects that involve collecting and
storing information about Corporations and States.
Is there an already existing schema that will kind of fit this data in
general? Offhand, the closest one I can think of is inetOrgPerson,
but it is probably a stretch.
The kind of data is going to be like taking the top of
Corporations and State's inetOrgPerson data and stuffing it under one
tree and bundling public data with it such as contracts a company has with a state on record.
6 years, 1 month
Dogtag CA with OpenLDAP?
by Turbo Fredriksson
I’m trying to implement Dogtag (http://pki.fedoraproject.org/wiki/PKI_Main_Page)
with my existing OpenLDAP/MIT Kerberos V installation (that’s been running for years).
But it’s failing because of:
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: confirmMappings: Checking other subtrees using database Domain.TLD-CA.
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: populateDB: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
[27/Mar/2017:15:49:17][http-bio-8443-exec-3]: Error in populating database: Failed to check database mapping: netscape.ldap.LDAPException: error result (32); matchedDN = cn=config
Dogtag is only (officially) supporting 389ds, but installing (and maintaining!) another
LDAP/Krb5 server(s) on the network just seems … “wrong”! :)
The code looks like:
https://github.com/dogtagpki/pki/blob/DOGTAG_10_2_6_BRANCH/base/server/cm...
Basically, it looks for “nssldap-backend=Domain.TLD-CA” below “cn=mapping tree,cn=config”
(which don’t exists in OpenLDAP of course).
Is there any “389ds compatibility module” or possibly a DN rewrite hack I could use
for this? I’ve never used “389ds” before, so I’m unsure what that object is supposed
to look like, or what “cn=mapping tree” is for exactly..
6 years, 1 month
Re: [Spam]No olcRootPW in olcDatabase={0}config.ldif
by Quanah Gibson-Mount
--On Monday, April 03, 2017 7:01 PM +0200 huret deffgok <kadafax(a)gmail.com>
wrote:
>
> Hi Sami,
>
> Yes there is an olcRootDN (and its password) for the mdb database. But if
> I understand correctly the olcRootDN is valid only for its database.
> Anyway this olcRootDN and associated password don't work with the config
> database. As for the ACL, again but maybe I'm wrong, from the
> documentation it seems that the RootDN is always allowed whatever the
> ACLs are. And I can't change them either as I bump into the same problem as
> for the login level :(
How to access cn=config may vary depending on if you're using vendor
provided packages (RH, Debian, etc). As noted in the slapd.conf(5) man
page, the default olcRootDN is "cn=config" unless otherwise specified. If
you are not using your own build of OpenLDAP, I would advise reading the
documentation that came with your specific distribution.
Hope that helps.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Re: slapo-dds and MMR
by Quanah Gibson-Mount
--On Tuesday, April 04, 2017 4:20 PM +0200 Michael Ströder
<michael(a)stroeder.com> wrote:
> Hi!
>
> Reading section REPLICATION of slapo-dds(5) makes me wonder whether
> somebody already tried to use slapo-dds with multi-master replication of
> dynamicObject entries.
>
> Any thoughts on this?
There are some open ITSes I've come across relating to slapo-dds and
various issues as I clean up the ITS incoming queue. You might want to
look there. ;)
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
Re: Multiple olcDbIndex for the same attribute
by Quanah Gibson-Mount
--On Tuesday, April 04, 2017 10:19 AM +0200 "PenguinWhispererThe ."
<th3penguinwhisperer(a)gmail.com> wrote:
>
> Thanks for the response Quanah.
>
>> I'm not really sure it's the job of the admin guide or the man pages to
>> cover all the multitudes of ways in which one can misconfigure the
>> server, or what the results of such a misconfiguration will be.
> So the above configuration is a misconfiguration? It just might be handy
> to have an idea how the indexes work. That might give an idea if this is
> actually invalid, keeps 2 indexes or doesn't make a difference.
>
> The openldap server seems to take the ldif so therefore I don't see it as
> invalid. If it already exists openldap does throw an error. Question is
> if the above has a negative impact on the openldap service.
>
> I understand man pages and documentation can't cover all. That's why I'm
> asking here to perhaps have someone who has internal knowledge about this.
Please keep replies on the list.
I would say that configuring multiple duplicate indices for the same
attribute is a configuration error. Your example shows "eq" being
configured for objectClass twice, once coupled with pres. I would /hope/
that would end up as pres,eq only. What it does end up as, I've no idea.
It should be fairly trivial to discover via slapadd and using mdb_stat (if
using back-mdb) to see the size of the generated indices in both cases.
Then you'd have an exact answer. If the resulting index sub-db is the same
for objectClass with either configuration, then the extra "eq" is ignored,
etc. I would probably try with something like "sub, eq" rather than "pres,
eq" for testing purposes.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 1 month
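An added lint, not from the thread, that parses olcDbIndex values, reports any attribute indexed by more than one line (the objectClass "eq" plus "pres,eq" case discussed above) and emits one merged line per attribute; the LDIF fragment is constructed for this example.

```python
# Added example (not from the original thread): a small lint for olcDbIndex
# values that reports an attribute indexed by more than one olcDbIndex line
# and shows the union of index types those lines request.
# The LDIF fragment is constructed for this example.
import re
from collections import OrderedDict

SAMPLE_LDIF = """\
dn: olcDatabase={1}mdb,cn=config
olcDbIndex: objectClass eq
olcDbIndex: objectClass pres,eq
olcDbIndex: cn,sn pres,eq,sub
olcDbIndex: uid eq
"""


def parse_olc_db_index(ldif):
    """Return [(attribute, {index types})] in the order the lines appear.
    A value is "<attr>[,<attr>...] [<type>[,<type>...]]"; no types means default."""
    out = []
    for line in ldif.splitlines():
        m = re.match(r"olcDbIndex:\s*(\S+)(?:\s+(\S+))?\s*$", line)
        if not m:
            continue
        attrs, types = m.group(1), m.group(2) or "default"
        for attr in attrs.split(","):
            out.append((attr, {t.strip() for t in types.split(",")}))
    return out


def find_duplicate_indexes(ldif):
    """Map each attribute listed more than once to the sorted union of its types."""
    seen, counts = OrderedDict(), {}
    for attr, types in parse_olc_db_index(ldif):
        seen.setdefault(attr, set()).update(types)
        counts[attr] = counts.get(attr, 0) + 1
    return {a: sorted(t) for a, t in seen.items() if counts[a] > 1}


def merged_olc_db_index(ldif):
    """One olcDbIndex value per attribute, with duplicate lines folded together."""
    seen = OrderedDict()
    for attr, types in parse_olc_db_index(ldif):
        seen.setdefault(attr, set()).update(types)
    return [f"olcDbIndex: {a} {','.join(sorted(t))}" for a, t in seen.items()]


if __name__ == "__main__":
    for attr, types in find_duplicate_indexes(SAMPLE_LDIF).items():
        print(f"{attr} is indexed by more than one olcDbIndex line; union: {types}")
    print("\n".join(merged_olc_db_index(SAMPLE_LDIF)))
```

This only makes the duplicate visible in the configuration; Quanah's slapadd plus mdb_stat comparison remains the way to learn what slapd actually builds from it.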
slapo-dds and MMR
by Michael Ströder
Hi!
Reading section REPLICATION of slapo-dds(5) makes me wonder whether somebody already
tried to use slapo-dds with multi-master replication of dynamicObject entries.
Any thoughts on this?
Ciao, Michael.
6 years, 1 month