openldap-technical April 2017

openldap-technical@openldap.org

27 participants
45 discussions

slapo-dds and MMR
by Michael Ströder 04 Apr '17

04 Apr '17

HI! Reading section REPLICATION of slapo-dds(5) makes me wonder whether somebody already tried to use slapo-dds with multi-master replication of dynamicObject entries. Any thoughts on this? Ciao, Michael.

1 0

Re: [Spam]No olcRootPW in olcDatabase=\{0\}config.ldif
by huret deffgok 03 Apr '17

03 Apr '17

Hi Sami, Yes there is a olcRootDN (and its password) for the mdb database. But if I understand correctly the olcRootDN is valid only for its database. Anyway this olcRootDN and associated password don't work with the config database. As for the ACL, again but maybe I'm wrong, from the documentation it seems that the RootDN is always allowed whatever are the ACLs. And I can't change them neither as I bump in the same problem as for the login level :( Thanks On Mon, Apr 3, 2017 at 5:30 PM, Sami <s.aitalioulahcen(a)cnrst.ma> wrote: > Hi Huret, > Could you check if the olcRootDN is in the db conf file > /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{x\}mdb.ldif ? > Also, your olcAccess could be the problem since you denied everything for > everyone. > I'm no openldap expert, so others can correct me if I'm wrong. > > - - > Sami > > > On 03/04/2017 11:04, huret deffgok wrote: > > Hi list, > > I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40 > (CentOS 7). > So far so good the server is working, but then I found myself > systematicaly denied when I tried to ajust the log level (or anything else > in fact). > In my olcDatabase=\{0\}config.ldif I see that I dont have a olcRootPW set > for the olcRootDN of this DB (I guess I made an error with my slapd.conf > used for the migration with slaptest). The production db (on mdb, I hope it > is stable enough with the centos 7 shipped version btw) is running fine and > has a olcRootPW set and working. > > # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. > # CRC32 07bfeb05 > dn: olcDatabase={0}config > objectClass: olcDatabaseConfig > olcDatabase: {0}config > olcAccess: {0}to * by * none > olcAddContentAcl: TRUE > olcLastMod: TRUE > olcMaxDerefDepth: 15 > olcReadOnly: FALSE > olcRootDN: cn=config > olcSyncUseSubentry: FALSE > olcMonitoring: FALSE > structuralObjectClass: olcDatabaseConfig > > If I tried to just read the log level with: > > root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b > 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel > Enter LDAP Password: > ldap_bind: Server is unwilling to perform (53) > additional info: unauthenticated bind (DN with no password) > disallowed > > (and I dont have any password to feed it) > > Or: > root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config > SASL/EXTERNAL authentication started > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth > SASL SSF: 0 > # extended LDIF > # > # LDAPv3 > # base <cn=config> with scope subtree > # filter: (objectclass=*) > # requesting: ALL > # > > # search result > search: 2 > result: 32 No such object > > # numResponses: 1 > > > My question is, and if it is indeed my problem, how can I add a olcRootPW > to the config database if it's possible at all ? > > Thank you, > kfx > > >

1 0

No olcRootPW in olcDatabase=\{0\}config.ldif
by huret deffgok 03 Apr '17

03 Apr '17

Hi list, I have migrated my openldap installation from 2.3 (CentOS 5) to 2.4.40 (CentOS 7). So far so good the server is working, but then I found myself systematicaly denied when I tried to ajust the log level (or anything else in fact). In my olcDatabase=\{0\}config.ldif I see that I dont have a olcRootPW set for the olcRootDN of this DB (I guess I made an error with my slapd.conf used for the migration with slaptest). The production db (on mdb, I hope it is stable enough with the centos 7 shipped version btw) is running fine and has a olcRootPW set and working. # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 07bfeb05 dn: olcDatabase={0}config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by * none olcAddContentAcl: TRUE olcLastMod: TRUE olcMaxDerefDepth: 15 olcReadOnly: FALSE olcRootDN: cn=config olcSyncUseSubentry: FALSE olcMonitoring: FALSE structuralObjectClass: olcDatabaseConfig If I tried to just read the log level with: root@ldap /etc/openldap # ldapsearch -x -H ldaps://ldap.mydomain -b 'cn=config' -D 'cn=config' -s base -LLL -W olcLoglevel Enter LDAP Password: ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed (and I dont have any password to feed it) Or: root@ldap /etc/openldap # ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 # extended LDIF # # LDAPv3 # base <cn=config> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 My question is, and if it is indeed my problem, how can I add a olcRootPW to the config database if it's possible at all ? Thank you, kfx

1 0

[openldap-technical] OpenLDAP custom schema [dummy question]
by Alexandru Ocheana 01 Apr '17

01 Apr '17

Hi all, My name is Alex and I recently joined this list because I can't find some straight forward guidelines and nothing seems to work for me. Of course it is a dummy question and I know you saw it many time but I am sure that I'm missing something very very simple in fact. If you want, please help me because I am a bit lost and I don't know how to move forward. I am trying to setup an OpenLDAP server on Centos 7. This is my first time, so please take me easy :)) I will try to reproduce my steps because being my first time error may occur at any moment but I strongly want to learn OpenLDAP. My goal is to add some custom fields (atributeType) into Ldap DB. I know there can be a workaround for this, like add the data into inetOrgPerson schema but I want a new Schema, defined for what I need. Basically this schema will contain supplementary informations about students like (ID-Number, University Assigned Number, contact email, address, name after marriage, etc). Here are all steps I've done (successfully I believe): install and configure OpenLDAP from here: https://www.server-world.info/en/note?os=CentOS_7&p=openldap&f=1 ---- I've tried to create my new schema like this (I have my private IANA OID): ----------------------------------- info.schema ---- attributetype ( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) attributetype ( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Email for external user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) objectclass ( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra Information Card' AUXILIARY ) ----------------------------------- * Moved to /tmp/slapd folder and created an info.conf file: include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/info.schema * transformed info.schema to ldif slaptest -f info.conf -F . config file testing succeeded * moved to cn=config/cn=schema and all 5 files are here: -rw-------. 1 root root 15546 Mar 31 22:15 cn={0}core.ldif -rw-------. 1 root root 11363 Mar 31 22:15 cn={1}cosine.ldif -rw-------. 1 root root 6495 Mar 31 22:15 cn={2}nis.ldif -rw-------. 1 root root 2857 Mar 31 22:15 cn={3}inetorgperson.ldif -rw-------. 1 root root 890 Mar 31 22:15 cn={4}info.ldif -------------------------------------------- * edited cn={4}info.ldif like so: -------------------------------------------- # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 bc62c5f1 dn: cn=info,cn=schema,cn=config objectClass: olcSchemaConfig cn: info olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Em ail for external user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra Information Card' AUXILIARY ) ------------------------------------------- * copied info.ldif from /tmp to /etc/openldap/schema/info.ldif * load info.ldif into OpenLDAP ldapadd -Y EXTERNAL -H ldapi:/// -f info.ldif OUTPUT of above command: SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 adding new entry "cn=info,cn=schema,cn=config" ------------------------------------ I suppose everything is correct because at /etc/openldap/slapd.d/cn=config/cn=schema now appears my cn={4}info.ldif file with the following content: # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 a48aaa49 dn: cn={4}info objectClass: olcSchemaConfig cn: {4}info olcAttributeTypes: {0}( 1.3.6.1.4.1.49565.1.1.1 NAME 'cnp' DESC 'Cod Numeric Personal' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) olcAttributeTypes: {1}( 1.3.6.1.4.1.49565.1.1.2 NAME 'emailContact' DESC 'Em ail for external user' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstrings Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{32768} ) olcObjectClasses: {0}( 1.3.6.1.4.1.49565.1.2.1 NAME 'infoVCard' DESC 'Extra Information Card' AUXILIARY ) structuralObjectClass: olcSchemaConfig entryUUID: 9d56682a-aa93-1036-9882-31e47bf02dae creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth createTimestamp: 20170331192559Z entryCSN: 20170331192559.397549Z#000000#000#000000 modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth modifyTimestamp: 20170331192559Z --------------------------------------- Now, till here everything worked smooth but from this step forward everything turns into a nightmare. How do I add data using this new schema? I've tried this: ldapuser.ldif --- dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount cn: Alexandru sn: Ocheana userPassword: {SSHA}BBxUpzvO93HlFEFPSkexvXA7G06UBYO4 loginShell: /bin/bash uidNumber: 2000 gidNumber: 2000 homeDirectory: /home/alex ## ------------------------- ## HERE I BELIEVE IS AN ERROR BUT WHICH IS THE CORRECT WAY TO ADD IT? ## THIS PART IS TO ADD DATA TO THAT NEW SCHEMA ## ------------------------- dn: uid=alex,ou=People,dc=info,dc=uaic,dc=ro objectClass: infoVCard cnp: myCNP emailContact: otheremail(a)gmail.com dn: cn=alex,ou=Group,dc=info,dc=uaic,dc=ro objectClass: posixGroup cn: Alex gidNumber: 2000 memberUid: alex ---- I am trying to add this to OpenLDAP like so: ldapadd -x -D cn=Manager,dc=info,dc=uaic,dc=ro -W -f ldapuser.ldif After asking for password I am getting this output: adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro" adding new entry "uid=alex,ou=People,dc=info,dc=uaic,dc=ro" ldap_add: Object class violation (65) additional info: no structural object class provided My logic tells me that my infoVCard should be bound somehow to first set as inetPersonOrg (I've read about this but I don't know how to really achieve this ... I know about SUP but I am lost at this point). Can you bring some light into my head please? What I am missing? Thank you very much for your time! Regards, Alexandru Ocheana

2 1

OpenLDAP Tutorial on YouTube Channel
by Rajesh R 01 Apr '17

01 Apr '17

Hello, At the outset, thank you to each member of the OpenLDAP project for all the hard work in developing a great LDAP Server. I'm Rajesh Rajasekharan, and have spent a great deal of my time in various Organizations teaching several Products, including their LDAP Servers. While searching for good OpenLDAP resources, I couldn't really find a systematic tutorial for the same, so thought of making one myself. As a result, I have a playlist of 19 vidoes on OpenLDAP on my YouTube channel. If/when you've some time to spare, request you to please take a look at it and kindly advise if I could contribute in any other ways to this great Project. https://www.youtube.com/playlist?list=PLfO6SFqcY2PrDR5yct96n4qfgMmh6g0eP kind regards, --R Rajesh Sent from my iPhone

4 5

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2017