Re: Sometimes openldap messages are logged in incorrect order
by Howard Chu
Amit wrote:
> Hello,
>
> I find sometimes order of event in openldap logs as:
> BIND
> RESULT
> ACCEPT
> SRCH base
> SRCH attr=
> SEARCH RESULT
> closed
>
> Configured rsyslog as:
> $template myTemplate,"%timegenerated:::date-rfc3339% %timereported:::date-rfc3339% %msg%\n"
> local4.* /var/log/rsyslog.log;myTemplate
>
> But I believe correct order should be:
> Accept
> Bind
> result
> srch base
> unbind
> closed
>
> What can be the reason? Is it related to the openldap logging mechanism or to the
> logger, rsyslog?
Sounds like an rsyslog issue.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
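One way to tell the two apart for the ordering question above, as an added example that is not part of the thread: slapd's stats logging numbers every line with conn=N and, for operations, op=M, and within one connection the true sequence is ACCEPT, then operations in op order, then closed. The script below parses lines written with Amit's template ("timegenerated timereported msg"), reports any line whose position contradicts that sequence, and re-sequences the messages by connection and operation. The sample lines are constructed to reproduce the symptom in the thread (ACCEPT written after BIND/RESULT); the message layout assumes slapd's usual "conn=N op=M EVENT ..." stats format.

```python
"""Check the per-connection ordering of slapd log lines written by rsyslog.

Added example for the ordering question in the thread; not part of it.
Input lines follow the template "<timegenerated> <timereported> <msg>".
The sample lines below are constructed, not taken from a real server.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: ACCEPT has been written after BIND/RESULT, the symptom
# described in the thread. Every timestamp falls in the same second, so the
# rfc3339 timestamps cannot be used to recover the order; conn=/op= can.
SAMPLE_LOG = """\
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=0 BIND dn="cn=admin,dc=example,dc=com" method=128
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=0 RESULT tag=97 err=0 text=
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 fd=12 ACCEPT from IP=10.0.0.5:40312 (IP=0.0.0.0:389)
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=1 SRCH base="dc=example,dc=com" scope=2 deref=0 filter="(uid=amit)"
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=1 SRCH attr=cn mail
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 op=2 UNBIND
2017-07-21T10:53:01+00:00 2017-07-21T10:53:01+00:00  conn=1000 fd=12 closed
"""

LINE_RE = re.compile(r"^(?P<generated>\S+) (?P<reported>\S+) (?P<msg>.*)$")
# Assumed slapd stats format: "conn=N op=M EVENT ..." or "conn=N fd=F EVENT ..."
CONN_RE = re.compile(
    r"conn=(?P<conn>\d+) (?:op=(?P<op>\d+)|fd=\d+) (?P<event>[A-Za-z]+(?: RESULT)?)"
)


@dataclass(frozen=True)
class Event:
    index: int            # position in the file, used as a stable tie-breaker
    conn: int
    op: Optional[int]     # None for connection-level lines (ACCEPT, closed)
    name: str             # ACCEPT, BIND, RESULT, SRCH, SEARCH RESULT, UNBIND, closed
    msg: str


def parse_events(text):
    """Extract per-connection slapd events from templated rsyslog lines."""
    events = []
    for index, line in enumerate(text.splitlines()):
        m = LINE_RE.match(line)
        if not m:
            continue
        c = CONN_RE.search(m.group("msg"))
        if not c:
            continue  # not a per-connection line (e.g. daemon startup message)
        op = int(c.group("op")) if c.group("op") is not None else None
        events.append(Event(index, int(c.group("conn")), op, c.group("event"), m.group("msg")))
    return events


def sort_key(ev):
    # Correct order inside one connection: ACCEPT, then operations in op-number
    # order (lines of the same op keep their file order), then closed.
    phase = 0 if ev.name == "ACCEPT" else 2 if ev.name == "closed" else 1
    return (ev.conn, phase, -1 if ev.op is None else ev.op, ev.index)


def check_order(text):
    """Return human-readable anomalies; an empty list means the file order is
    consistent with slapd's own connection/operation sequence."""
    anomalies = []
    state = {}  # conn -> {"accepted": bool, "closed": bool, "max_op": int}
    for ev in parse_events(text):
        st = state.setdefault(ev.conn, {"accepted": False, "closed": False, "max_op": -1})
        if st["closed"]:
            anomalies.append(f"conn={ev.conn}: {ev.name} logged after closed")
        if ev.name == "ACCEPT":
            st["accepted"] = True
        elif ev.name == "closed":
            if not st["accepted"]:
                anomalies.append(f"conn={ev.conn}: closed logged before ACCEPT")
            st["closed"] = True
        else:
            if not st["accepted"]:
                anomalies.append(f"conn={ev.conn} op={ev.op}: {ev.name} logged before ACCEPT")
            if ev.op < st["max_op"]:
                anomalies.append(f"conn={ev.conn} op={ev.op}: {ev.name} logged after op={st['max_op']}")
            st["max_op"] = max(st["max_op"], ev.op)
    return anomalies


def restore_order(text):
    """Return the message texts re-sequenced by connection and operation."""
    return [ev.msg for ev in sorted(parse_events(text), key=sort_key)]


if __name__ == "__main__":
    for a in check_order(SAMPLE_LOG):
        print("ANOMALY", a)
    print("\n".join(restore_order(SAMPLE_LOG)))
```

Note that with date-rfc3339 both timestamps carry only second resolution, so several messages from the same second cannot be ordered by timestamp at all; if the anomalies disappear when the same events are read from slapd's own sequence numbers, the reordering happened between the syslog(3) call and the file, which is where rsyslog's queueing sits.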
Re: Limiting Search Results By Group Membership
by Douglas Duckworth
Thank you both for your guidance.
I will try this now.
Doug
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Mon, Jul 24, 2017 at 10:31 AM, Michael Ströder <michael(a)stroeder.com>
wrote:
> Douglas Duckworth wrote:
> > If OpenLDAP can run with this schema then why wasn't support for this
> feature created?
>
> There is a contrib/ overlay but I'd not use it.
>
> > What's the recommended schema?
>
> Simply start with groupOfNames.
>
> Ciao, Michael.
>
> > On Jul 21, 2017 1:44 PM, "Quanah Gibson-Mount" <quanah(a)symas.com
> > <mailto:quanah@symas.com>> wrote:
> >
> > --On Friday, July 21, 2017 2:24 PM -0400 Douglas Duckworth
> > <dod2014(a)med.cornell.edu <mailto:dod2014@med.cornell.edu>> wrote:
> >
> >
> > > Am I rfc2307 or rfc2307bis? According to sssd-ldap man page:
> >
> > Per nis.schema:
> >
> > # Definitions from RFC2307 (Experimental)
> > # An Approach for Using LDAP as a Network Information Service
> >
> >
> > so it is RFC2307 as opposed to RFC2307bis. Neither schema has ever
> made it
> > past experimental.
> >
> > --Quanah
>
>
Re: Limiting Search Results By Group Membership
by Douglas Duckworth
If OpenLDAP can run with this schema then why wasn't support for this
feature created?
What's the recommended schema?
On Jul 21, 2017 1:44 PM, "Quanah Gibson-Mount" <quanah(a)symas.com> wrote:
> --On Friday, July 21, 2017 2:24 PM -0400 Douglas Duckworth
> <dod2014(a)med.cornell.edu> wrote:
>
>
> > Am I rfc2307 or rfc2307bis? According to sssd-ldap man page:
>
> Per nis.schema:
>
> # Definitions from RFC2307 (Experimental)
> # An Approach for Using LDAP as a Network Information Service
>
>
> so it is RFC2307 as opposed to RFC2307bis. Neither schema has ever made it
> past experimental.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount
--On Monday, July 24, 2017 10:23 AM -0400 Douglas Duckworth
<dod2014(a)med.cornell.edu> wrote:
>
> If OpenLDAP can run with this schema then why wasn't support for this
> feature created?
ldap groups have a specific meaning and it has nothing to do with either of
those schemas. The documentation is clear on what's required to use the
limits feature with groups, which is a DN type attribute such as "member".
I'm not sure what "feature" you feel support wasn't created for.
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
ppolicy and controls
by Côme Chilliet
Hello,
I’m trying to understand how to use controls and EXOP with ppolicy overlay.
I can get controls in the result from bind to get info like expired password.
I can use an exop to change the password in which case an invalid password will get refused, but I’m not sure how to get the ppolicy reason for the refusal.
There is ldap_parse_passwordpolicy_control but I don’t know how to get a control object to give to it.
ldap_passwd_s does not return a result object for which to search controls in.
It does take serverctrls and clientctrls as parameters, but looking at the code it seems serverctrls is an input parameter; I’m not sure what it can be useful for.
And clientctrls seems ignored, is it unused or deprecated?
Côme
Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount
--On Friday, July 21, 2017 2:24 PM -0400 Douglas Duckworth
<dod2014(a)med.cornell.edu> wrote:
> Am I rfc2307 or rfc2307bis? According to sssd-ldap man page:
Per nis.schema:
# Definitions from RFC2307 (Experimental)
# An Approach for Using LDAP as a Network Information Service
so it is RFC2307 as opposed to RFC2307bis. Neither schema has ever made it
past experimental.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
EXOPs for PHP LDAP
by Côme Chilliet
Hello,
I’m currently working on a PHP RFC to add EXOP handling to php-ldap.
The draft is here: https://wiki.php.net/rfc/ldap_exop
You are welcome to comment on any aspect of the RFC, but I would especially want to know:
- Which are the EXOPs actually used by people out there?
- Is there any EXOP using the responseName field?
In the RFCs I read there is always something like «an ExtendedResponse where the responseName field is absent» or «The responseName field contains the same string as that present in the request.»
Côme
Re: Limiting Search Results By Group Membership
by Douglas Duckworth
In the old openldap-servers-2.2.13-4 from which I copied this data:
/etc/openldap/schema/nis.schema
objectclass ( 1.3.6.1.1.1.2.2 NAME 'posixGroup' SUP top STRUCTURAL
DESC 'Abstraction of a group of accounts'
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
In /etc/openldap/schema/core.schema I do see:
attributetype ( 2.5.4.31 NAME 'member'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
As well as:
objectclass ( 2.5.6.9 NAME 'groupOfNames'
DESC 'RFC2256: a group of names (DNs)'
SUP top STRUCTURAL
MUST ( member $ cn )
MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
Am I rfc2307 or rfc2307bis? According to sssd-ldap man page:
ldap_group_member (string)
The LDAP attribute that contains the names of the group's
members.
Default: memberuid (rfc2307) / member (rfc2307bis)
I am currently using memberuid obviously so my clients can talk to the old
server.
Thanks so much for your needed assistance!
Thanks,
Douglas Duckworth, MSc, LFCS
HPC System Administrator
Scientific Computing Unit
Physiology and Biophysics
Weill Cornell Medicine
E: doug(a)med.cornell.edu
O: 212-746-6305
F: 212-746-8690
On Fri, Jul 21, 2017 at 12:23 PM, Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Friday, July 21, 2017 10:53 AM -0400 Douglas Duckworth
> <dod2014(a)med.cornell.edu> wrote:
>
> > limits
> > group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain"
> > size=unlimited time=unlimited
> >
> > Though I am still hitting the limit.
>
> Hi Douglas,
>
> It would probably be worthwhile to dig into LDAP schema to understand
> attribute definitions, matching rules, etc.
>
> To start, memberUid is a string type. It's not a DN type:
>
> attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
> EQUALITY caseExactIA5Match
> SUBSTR caseExactIA5SubstringsMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> As opposed to member, which is specifically a DN type:
>
> attributetype: ( 2.5.4.31 NAME 'member'
> DESC 'RFC2256: member of a group'
> SUP distinguishedName )
>
> attributetype: ( 2.5.4.49 NAME 'distinguishedName'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
>
> Regards,
> Quanah
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
Re: Limiting Search Results By Group Membership
by Quanah Gibson-Mount
--On Friday, July 21, 2017 10:53 AM -0400 Douglas Duckworth
<dod2014(a)med.cornell.edu> wrote:
> limits
> group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain"
> size=unlimited time=unlimited
>
> Though I am still hitting the limit.
Hi Douglas,
It would probably be worthwhile to dig into LDAP schema to understand
attribute definitions, matching rules, etc.
To start, memberUid is a string type. It's not a DN type:
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
EQUALITY caseExactIA5Match
SUBSTR caseExactIA5SubstringsMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
As opposed to member, which is specifically a DN type:
attributetype: ( 2.5.4.31 NAME 'member'
DESC 'RFC2256: member of a group'
SUP distinguishedName )
attributetype: ( 2.5.4.49 NAME 'distinguishedName'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
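To make the memberUid-versus-member point above checkable before editing slapd.conf, here is an added example (not from the thread or from OpenLDAP): it parses the attributetype definitions quoted in the thread, resolves SUP inheritance the way RFC 4512 describes, and reports whether the attribute named in a "limits group/<oc>/<attr>" clause actually has DN syntax (OID 1.3.6.1.4.1.1466.115.121.1.12). The memberUid clause is the one from the thread; the groupOfNames/member clause is a constructed counterpart.

```python
"""Check whether the attribute in a slapd "limits group/<oc>/<attr>" clause
has DN syntax, which the group form of "limits" requires.

Added example for the memberUid vs member discussion; not part of the thread.
The attributetype definitions are the ones quoted in the thread; the
groupOfNames/member limits clause is constructed.
"""
import re

DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"    # Distinguished Name
IA5_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.26"   # IA5 String

# Attribute type definitions as quoted in the thread (nis.schema / core.schema).
SCHEMA_TEXT = """
attributetype ( 1.3.6.1.1.1.1.12 NAME 'memberUid'
    EQUALITY caseExactIA5Match
    SUBSTR caseExactIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.5.4.31 NAME 'member'
    DESC 'RFC2256: member of a group'
    SUP distinguishedName )
attributetype ( 2.5.4.49 NAME 'distinguishedName'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
"""

# The clause from the thread, and a constructed DN-based counterpart.
BAD_CLAUSE = 'limits group/posixGroup/memberUid="cn=admins,ou=group,dc=server,dc=domain" size=unlimited time=unlimited'
GOOD_CLAUSE = 'limits group/groupOfNames/member="cn=admins,ou=group,dc=server,dc=domain" size=unlimited time=unlimited'

ATTR_RE = re.compile(r"attributetype\s*\(\s*(?P<body>.*?)\)", re.S)
NAME_RE = re.compile(r"NAME\s+'(?P<name>[^']+)'")
SUP_RE = re.compile(r"\bSUP\s+(?P<sup>\S+)")
SYNTAX_RE = re.compile(r"\bSYNTAX\s+(?P<oid>[\d.]+)")
LIMITS_RE = re.compile(r'^limits\s+group/(?P<oc>[^/]+)/(?P<attr>[^=]+)="(?P<dn>[^"]+)"')


def parse_attribute_types(text):
    """Map lower-cased attribute name -> {'sup': name or None, 'syntax': OID or None}."""
    attrs = {}
    for m in ATTR_RE.finditer(text):
        body = m.group("body")
        name = NAME_RE.search(body).group("name")
        sup = SUP_RE.search(body)
        syn = SYNTAX_RE.search(body)
        attrs[name.lower()] = {
            "sup": sup.group("sup").lower() if sup else None,
            "syntax": syn.group("oid") if syn else None,
        }
    return attrs


def effective_syntax(attrs, name):
    """Follow the SUP chain until a SYNTAX is found; None if unknown or cyclic."""
    seen = set()
    cur = name.lower()
    while cur in attrs and cur not in seen:
        seen.add(cur)
        if attrs[cur]["syntax"]:
            return attrs[cur]["syntax"]
        cur = attrs[cur]["sup"]
    return None


def is_dn_attribute(attrs, name):
    return effective_syntax(attrs, name) == DN_SYNTAX


def check_limits_clause(attrs, line):
    """Return None if the clause's attribute is DN-typed, else a diagnostic."""
    m = LIMITS_RE.match(line.strip())
    if not m:
        return "not a group limits clause"
    attr = m.group("attr")
    syntax = effective_syntax(attrs, attr)
    if syntax == DN_SYNTAX:
        return None
    return (f"{attr} has syntax {syntax or 'unknown'}; a group limits clause "
            f"needs a DN-syntax attribute ({DN_SYNTAX}) such as member")


if __name__ == "__main__":
    schema = parse_attribute_types(SCHEMA_TEXT)
    for clause in (BAD_CLAUSE, GOOD_CLAUSE):
        print(clause.split()[1], "->", check_limits_clause(schema, clause) or "ok")
```

The walk through SUP matters because member itself declares no SYNTAX; it inherits DN syntax from distinguishedName, which is exactly why slapd can match the bound DN against member values but not against the IA5 strings in memberUid. With groupOfNames and member you can also drop the object class and attribute from the clause, since slapd.conf(5) documents them as the defaults for the group form.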