Re: Syncrepl and multipe values
by Quanah Gibson-Mount
--On Friday, January 06, 2017 6:50 PM +0000 Matheus Eduardo Bonifacio
Morais <matheus_morais(a)sicredi.com.br> wrote:
>
>
>
> Issue 8559 opened.
>
>
>
> I'm trying to work on a patch but I'm not sure if the best solution is to
> fix accesslog to avoid duplicated values or if the sample LDIF (in its
> description) should result in a constraint violation. What do you think?
The accesslog should never write an operation that can't be replicated. If
the MOD is a valid LDAP operation (which I think it is), then it should be
accepted at the frontend. The issue may be more in delta-syncrepl's
handling of the write op than anything else.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
5 years, 7 months
How to enable memberOf overlay with posixGroup?
by MegaBrutal
Hi all,
I've spent days trying to figure out how could I enable the memberOf
overlay, and it doesn't seem to be easy for an LDAP-noob. I've read
like 50+ tutorials which didn't help me get it working.
Use case: I want to have 2 main groups which control access to
different services on my network. A "unixusers" which is a minimum to
log in to Linux servers (having a hostObject entry for the user is
another requirement, which is irrelevant to this question, as I
already solved that problem); and a "cloudusers" group which enables
log in to my ownCloud instance.
The groups should enforce the following rules:
– Only users in "cloudusers" should be allowed to log in to ownCloud.
– Users in "unixusers" are allowed to log in to a set of Linux servers
controlled by "host" (hostObject) entries.
– Users not in the "unixusers" group may not log in to any Linux
systems, even if they have "host" entries.
Problems:
– ownCloud complains that the memberOf overlay is not enabled, hence
it doesn't let me restrict access to the "cloudusers" group. It would
allow any users regardless of any group memberships, which is not
acceptable.
– I have a similar problem on Linux with PAM: I can't really get it to
consider "unixusers" membership for user logins, although I got the
"host" entries working correctly, so at least I can already restrict
access with that.
My guess is that it all boils down to the lack of memberOf overlay. I
also figured that memberOf would need groupOfNames groups, while I
need posixGroup type groups. I evaluated the possibility to use
groupOfNames, but it lacks the necessary gidNumber attribute which is
a requirement for Unix groups. But anyway, I can't enable memberOf
even for groupOfNames. I can't enable memberOf by any means.
My OpenLDAP uses the new configuration method and it completely
ignores slapd.conf, so the config must be injected with ldapadd to
cn=config.
Could you please help me with this?
Regards,
MegaBrutal
6 years, 1 month
Re: mdb_dbi_open and threads
by Howard Chu
Hallvard Breien Furuseth wrote:
> On 22. mai 2017 14:00, Howard Chu wrote:
>> Muhammed Muneer wrote:
>>> Hallvard wrote
>>
>>> "With threads 1 and 2 coexisting? When thread 2 called mdb_dbi_open(),
>>> thread 1's prospect of using mdb_dbi_open() at all was lost."
>>>
>>> Yeah with both coexisting. Thats what I thought.
>
> Sorry, I should have said with _transactions_ #1 and #2 coexisting,
> _transaction_ #1's prospect of using mdb_dbi_open() at all was lost.
> Transaction #3 in thread #1 can use it if it stared after txn#2 ended.
>
> Anyway, just forget about being clever with DBIs. LMDB does not support
> DBI cleverness, that's one of its trade-offs for speed and simplicity.
Exactly.
>> If you want to use dbi_open in multiple threads then put it in your own
>> wrapper function, protected by a mutex.
>
> Wait, what? mdb_dbi_open() isn't coded to handle concurrent txns
> calling it, regardless of any mutexes the caller has. In particular,
> it does not use nor update the environment's numdbs, so the two
> transactions could end up creating the same DBI for different DBs.
Yes. This is only safe if you also close the dbi in the same txn that opened
it. Which you are probably doing, if you are opening and closing on the fly.
>
>> Naturally you will also have to wrap dbi_close the same way.
>
> If we did support this, txn_commit() of the txn which used dbi_open()
> would also need the mutex.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 1 month
[Q] "selective" ACL
by Zeus Panchenko
hi,
I'm trying to configure a not complex (as I believe) ACL ... but have some
difficulties
I have two posixGroup groups
cn=admins,ou=group,dc=foo
cn=coadmins,ou=group,dc=foo
my users resides in ou=People,dc=foo
so, in subtree ou=People,dc=foo I need to allow anything to admins (and
it is not difficult of course)
for example this works for me:
access to dn.subtree="ou=People,dc=foo"
by set="[cn=admin,ou=group,dc=foo]/memberUid & user/uid" manage
by self write
by users read
by * break
but in addition I need to allow my coadmins to do the same things except
manipulations upon the objects which belong to admins (
...anyobject,uid=adminuser,ou=People,dc=foo )
so, the question is: how? (if it is possible at all) :(
please, advise
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
6 years, 2 months
Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu
Prentice Bisbal wrote:
> On 05/31/2017 12:37 AM, John Lewis wrote:
>
>> What if I wanted to write a OpenLDAP backend for a systemd journal file
>> or Elasticsearch so I can present my logs as an LDAP subtree so I can
>> use my LDAP tools to filter my logs? Should I use back-shell for
>> prototyping? If so, what is the usual work flow?
> This sounds like the wrong tool for this job.
Really? Can you give a point by point comparison against what you think is the
"right" tool for the job?
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 3 months
How wold you go about writing a new OpenLDAP backend?
by John Lewis
What if I wanted to write a OpenLDAP backend for a systemd journal file
or Elasticsearch so I can present my logs as an LDAP subtree so I can
use my LDAP tools to filter my logs? Should I use back-shell for
prototyping? If so, what is the usual work flow?
6 years, 4 months
OpenLDAP / Active directory cohabitation
by Alexandre Rosenberg
Hello,
I am in a environment where we use both OpenLDAP and Active Directory.
All Linux servers authenticate against OpenLDAP where we have user
group, unix group (...)
I would like to keep everything the same except that when the user bind
to OpenLDAP the credential should be checked against Active Directory.
There is no need to retrieve/return any information from Active
Directory except for the authentication.
This means that if perform a BIND and a search, the BIND should be
performed against the AD but the search result should from OpenLDAP.
(anonymous search is fine)
One complication is that we have 2 times of usernames:
short username: john01
long username: john.smith(a)example.com
The short username are used in in OpenLDAP like this:
uid=john01,ou=People,dc=example,dc=com
While the AD uses the long username. From my test when binding to AD,
only the "DN" is simply set to the username.
john.smith(a)example.com
I am starting to seriously look at the various OpenLDAP overlay and
proxy functionality but I am a bit confused on how to archive this.
Best regards,
Alexandre
6 years, 4 months
Re: SIGPIPE on OS X fix still pending (ITS#8590)
by Quanah Gibson-Mount
--On Wednesday, May 31, 2017 12:11 PM +0100 Lorenz Bauer
<lmb(a)cloudflare.com> wrote:
> Hello Quanah,
>
> On 26 May 2017 at 20:36, Quanah Gibson-Mount <quanah(a)symas.com> wrote:
>> Generally, we need secondary confirmation on the patch.
>
> That makes sense. I've written a test program which exercises the
> different ways of generating SIGPIPE, available at [1]. This should
> make verifying the patch easier. I'll also update the ITS.
>
> Best,
> Lorenz
>
> 1: https://gist.github.com/lmb/a35e7b9566fa79e7bf971ac21bbb9efb
Thanks, I will discuss with the rest of the team about getting this
integrated into the LMDB test suite.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
6 years, 4 months
Migration from ApacheDS to OpenLDAP
by Hongfu Huang
Hi all,
Is there an easy way to migrate an ApacheDS to an OpenLDAP?
Can just export everything in an ldif file from ApacheDS and then import
it into an OpenLDAP?
Or what should I definitely take care of here? For example, the schema
mapping? Should I create a separate DIT(DBs) in OpenLDAP for each
partition in ApacheDS?
Thanks for any suggestions!
Regards
Hongfu
--
Hongfu Huang, Senior System Integrator
M.Sc. Computer Science
AdNovum Informatik AG
Roentgenstrasse 22, 8005 Zurich, Switzerland
phone +41 44 272 6111, direct +41 44 270 5266
hongfu.huang(a)adnovum.ch, www.adnovum.ch
Locations: Zurich (HQ), Bern, Lausanne, Budapest, Ho Chi Minh City, Singapore
6 years, 4 months
Re: How wold you go about writing a new OpenLDAP backend?
by Howard Chu
Michael Ströder wrote:
> Howard Chu wrote:
>> John Lewis wrote:
>>> What if I wanted to write a OpenLDAP backend for a systemd journal file
>>> or Elasticsearch so I can present my logs as an LDAP subtree so I can
>>> use my LDAP tools to filter my logs? Should I use back-shell for
>>> prototyping? If so, what is the usual work flow?
>>
>> back-shell might work for rough prototyping. back-sock would be more reasonable these
>> days.
>
> For prototyping a back-sock listener in Python you could give module slapdsock a try:
>
> https://pypi.python.org/pypi/slapdsock
>
> Personally I use it for OATH-LDAP's bind listeners which seem to work fairly robust on
> moderate load. But the release 0.5.2 should also work with all other request types.
>
> If you have a non-trivial deployment the sheer amount of log data can cause some
> interesting performance issues.
Indeed. Still it's an interesting idea; I've often thought about writing an
ElasticSearch replacement on top of OpenLDAP. In a native backend it would be
orders of magnitude faster than their stuff.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
6 years, 4 months
