role based authorization -> dynacl module?
by Daniel Tröder
Hello everyone,
I am in the process of implementing a role concept via ACLs and hope for
a hint so that I don't invent the wheel a second time.
Specifically, it is about identity management for schools. A user
(object) can have several roles in multiple schools. Permissions on
other LDAP objects can thus differ depending on the role(s) the user and
the object have in the same school(s).
For example, a user could have been assigned the following roles that
are scattered over several schools:
→ "Teacher" in school 1
→ "School admin" in school 2
→ "Parent" in school 3
→ both "Teacher" and "Staff" in school 4
ACLs should now be defined accordingly, e.g.
→ the role "teacher" at school X can reset the password for the role
"student" at school X
→ the role "teacher" at school X *cannot* reset the password for the
role "student" of school Y
→ the role "school administrator" at school X can reset the password for
the roles "student" and "teacher" at school X
→ ...
So far I have not seen any way to map such a construct via groups or
sets without including a separate ACL for each group, which is a
performance issue.
Is there another way to map the role concept besides implementing an own
dynacl module?
Greetings,
Daniel
4 years, 8 months
issues with equality matching and slapd death
by Christopher Paul
Hello Fellow OpenLDAP Techs,
I'm having an issue with equality matching and slapd death (just another
day in the life of an LDAP guy...).
version info:
OpenLDAP: slapd 2.4.44
Red Hat Enterprise Linux Server release 7.5 (Maipo)
RH package: openldap-servers-2.4.44-15.el7_5.x86_64
While planning for a migration, I ran into the following error:
$ ldapmodify -x -y ~/.ldappw
dn: uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: cs5555(a)test.com
[CTRL-D]
modifying entry "uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: mailAlternateAddress: no equality
matching rule
I tried to fix this by updating the schema to add "EQUALITY
caseIgnoreMatch" to the attribute definition for mailAlternateAddress.
dn: cn={5}inetLocalMailRecipient,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}inetLocalMailRecipient
olcAttributeTypes: {0}( 2.16.840.1.113730.3.1.24 NAME
'mailRoutingAddress' DES
C 'iPlanet defined attribute type' SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 X-ORI
GIN 'iPlanet Messaging Server' )
olcAttributeTypes: {1}( 2.16.840.1.113730.3.1.18 NAME 'mailHost' DESC
'iPlanet
defined attribute type' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 X-ORIGIN
'iPlan
et Messaging Server' )
olcAttributeTypes: {2}( 2.16.840.1.113730.3.1.13 NAME
'mailAlternateAddress' D
ESC 'iPlanet defined attribute type'EQUALITY caseIgnoreMatchSYNTAX
1.3.6.1.
4.1.1466.115.121.1.15 X-ORIGIN 'iPlanet Messaging Server' )
olcObjectClasses: {0}( 2.16.840.1.113730.3.2.4 NAME
'inetLocalMailRecipient' D
ESC 'iPlanet defined objectclass' AUXILIARY MAY ( mailAlternateAddress
$ mail
Host $ mailRoutingAddress ) X-ORIGIN 'iPlanet Messaging Server' )
Now, after the schema change, the same ldapmodify kills slapd.
$ ldapmodify -x -y ~/.ldappw
dn: uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com
changetype: modify
add: mailAlternateAddress
mailAlternateAddress: cs5555(a)test.com
modifying entry "uid=cs5555,ou=testPrimary,ou=mailhosts,dc=test,dc=com"
ldap_result: Can't contact LDAP server (-1)
Trying this with slapd running with olcLogLevel=-1, I get the following
output before slapd death:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
connection_get(11)
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
connection_get(11): got connid=1008
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
connection_read(11): checking for input on id=1008
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
op tag 0x60, time 1537906659
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
conn=1008 op=0 do_bind
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
>>> dnPrettyNormal: <cn=manager,dc=test,dc=com>
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
<<< dnPrettyNormal: <cn=manager,dc=test,dc=com>, <cn=manager,dc=test,dc=com>
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
conn=1008 op=0 BIND dn="cn=manager,dc=test,dc=com" method=128
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
do_bind: version=3 dn="cn=manager,dc=test,dc=com" method=128
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
==> hdb_bind: dn: cn=manager,dc=test,dc=com
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
conn=1008 op=0 BIND dn="cn=manager,dc=test,dc=com" mech=SIMPLE ssf=0
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
do_bind: v3 bind: "cn=manager,dc=test,dc=com" to "cn=manager,dc=test,dc=com"
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
send_ldap_result: conn=1008 op=0 p=3
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
send_ldap_result: err=0 matched="" text=""
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
send_ldap_response: msgid=1 tag=97 err=0
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
conn=1008 op=0 RESULT tag=97 err=0 text=
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
daemon: activity on 1 descriptor
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
daemon: activity on:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
daemon: epoll: listen=8 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal slapd[22363]:
daemon: epoll: listen=9 active_threads=0 tvp=NULL
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]:
slapd.service: main process exited, code=killed, status=6/ABRT
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]:
Unit slapd.service entered failed state.
Sep 25 20:17:39 ip-172-31-94-0.ap-south-1.compute.internal systemd[1]:
slapd.service failed.
Does anyone have any insight into this issue? somehow I've never run
into this one before.
Many thanks,
CP
--
Rex ConsultingChris Paul
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: chris.paul(a)rexconsulting.net
web: http://www.rexconsulting.net
phone, toll-free: +1 (888) 403-8996 ext 1
The information transmitted is intended only for the person or entity to
which it is addressed and may contain confidential and/or privileged
material. Any review, retransmission, dissemination or other use of,
or taking of any action in reliance upon, this information by persons
or entities other than the intended recipient is prohibited.
Rex Consulting, Inc. has been a California Corporation since 2001.
4 years, 8 months
Re: slapo-memberof and Replication
by Dave Macias
>
> It means that you run it in a replicated environment at your own risk.
> Unfortunately, there is no defined standard for the "memberOf"
> functionality (it's a MS hack) and so there's nothing that details how it
> should or shouldn't behave with replication. In general, things work fine
> as long as:
>
Does the same apply to the rfc2307bis schema which gives your the
groupOfMembers objectclass?
Out of curiosity.
Thanks!
4 years, 8 months
olcTLSCACertificateFile and olcTLSCertificateFile displayed as encrypted?
by Jean-Francois Malouin
Hi,
Not a very important question, just a little puzzled by this...
Is there a reason why the olcTLSCACertificateFile and olcTLSCertificateFile
paths show up as encrypted in this cn=config search?
slapd 2.4.46 on Debian 9.5 (Stretch)
ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b 'cn=config' -s base
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: stats
olcLogLevel: sync
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1
olcTLSCACertificateFile:: IC9ldGMvbGRhcC9zc2wvQ09NT0RPX0NBX2J1bmRsZS5jcnQ=
olcTLSCertificateFile:: ICAgL2V0Yy9sZGFwL3NzbC9TVEFSX2JpY19tbmlfbWNnaWxsX2NhLmNydA==
olcTLSCertificateKeyFile: /etc/ldap/ssl/STAR_bic_mni_mcgill_ca.key
olcTLSCipherSuite: NORMAL
olcTLSVerifyClient: allow
olcToolThreads: 1
There is an extra ':' ...
When I edit/display the cn=config with ldapvi (old fart here!) they show up as:
olcTLSCACertificateFile:; /etc/ldap/ssl/COMODO_CA_bundle.crt
olcTLSCertificateFile:; /etc/ldap/ssl/STAR_bic_mni_mcgill_ca.crt
again, notice the ';' this time...
Just curious!
Thanks,
jf
4 years, 8 months
slapo-memberof and Replication
by Meike Stone
Hello,
I need the memberof Attribute on users, and I configured it with the
memberof overlay. Every thing ist working fine. I like to deploy a
second server for redundancy reason., but the manual page of the
overlay says:
" .. Replica servers should be configured with their
own instances of the memberOf overlay if it is desired to maintain
these memberOf attributes on the replicas. Note that slapo-memberOf
is not compatible with syncrepl based replication, and should not be
used in a replicated environment. ..."
That confuses me a little bit.
All replication on openLDAP are based on syncreplication (slurpd is
vanished a long time ago)
So what kind of replication means the manual page (-> "Replica servers")?
Thanks Meike
4 years, 8 months
SASL EXTERNAL olcRootDN and ACLs
by linux nuse
https://www.openldap.org/doc/admin24/access-control.html says:
Regardless of what access control policy is defined, the rootdn is always allowed full rights (i.e. auth, search, compare, read and write) on everything and anything.
As a consequence, it's useless (and results in a performance penalty) to explicitly list the rootdn among the <by> clauses.
"Well", said I and set olcRootDN to gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth.
Then I've tried to add an entry with
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// ....
and OpenLDAP told that I don't have permission to modify the DB.
I had to grant gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth access to everything in the backend's ACL to make it working.
Is it expected that gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth rootdn does not have full rights without explicit permission or I need to recheck because I could get something wrong (didn't restart slapd or something like that)?
4 years, 8 months
RE: Restarting syncrepl based provider / consumer setup trawls through whole DIT - why?
by Ole Nomann Thomsen
> --On Monday, September 24, 2018 2:51 PM +0000 Ole Nomann Thomsen
> <ole.nomann(a)stil.dk> wrote:
>
> > 2018-09-12T16:25:41.526574+02:00 nonpresent_callback: rid=001 present
> > UUID 9b99ec5a-4cfe-1029-9a2e-80309636f032, dn
> > ou=Authentication,o=UNI-C,c=DK
>
> This is the presence phase.
>
>
> > I'm guessing that that the Consumer is looking up every entry to decide
> > if it has changed.
>
> It is confirming each entry is still present (not deleted).
>
>
> > But why is it not persistent? Am a missing some obvious explanation as to
> > why this is not possible, or have I just misconfigured something? Any
> > hints where I should look?
> >
> > Is there a better way to set up replication to avoid this?
>
> a) Use delta-syncrepl
> b) Ensure you have a large sessionlog setting (See ITS#8125, ITS#8486)
>
> Warm regards,
> Quanah
Thanks - You too.
In my case, the present-phase is not really useful, since this particulat ldap-instance only ever adds and modifies entries, never deletes. Would it then be possible to skip it ?
- Ole.
4 years, 8 months
Slapd generate SQL by PostgreSQL based syntax
by 横山善行
Hi
I use openldap slapd 2.4.40 + MySQL5.5 as back-sql on CentoS 6.9
It seems slapd generate PostgreSQL based syntax SQL
Here is the error message for ldapsearch -x -b "dc=example,dc=com"
'(objectClass=*)'
5b70e25c <==backsql_srch_query() returns SELECT DISTINCT
ldap_entries.id,eduperson.id,text('inetOrgPerson') AS
objectClass,ldap_entries.dn AS dn FROM ldap_entries,eduperson WHERE
eduperson.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND
3=3
5b70e25c Constructed query: SELECT DISTINCT
ldap_entries.id,eduperson.id,text('inetOrgPerson') AS
objectClass,ldap_entries.dn AS dn FROM ldap_entries,eduperson WHERE
eduperson.id=ldap_entries.keyval AND ldap_entries.oc_map_id=? AND 9=9 AND
3=3
5b70e25c id: '3'
5b70e25c backsql_oc_get_candidates(): error executing query
5b70e25c Return code: -1
5b70e25c nativeErrCode=1064 SQLengineState=37000
msg="[unixODBC][MySQL][ODBC 5.1 Driver][mysqld-5.5.57]You have an error in
your SQL syntax; check the manual that corresponds to your MySQL server
version for the right syntax to use near '('inetOrgPerson') AS
objectClass,ldap_entries.dn AS dn FROM ldap_entries,edupers' at line 1"
5b70e25c send_ldap_result: conn=1000 op=1 p=3
5b70e25c send_ldap_result: err=80 matched="" text=""
5b70e25c send_ldap_response: msgid=2 tag=101 err=80
I take same message as I execute below from MySQL console.
I can see text('inetOrgPerson') in the SQL which was generated by slapd
however,MySQL doesn’t support text() function in its SQL.
When I use Postgeresql as back-sql it works properly
Is it a bug or setting error for some directives?
#########################################
一般財団法人
日本建設情報総合センター(JACIC:ジャシック)
建設副産物・発生土情報交換システム担当
国際土木委員会 事務局担当
システムエンジニアリング部
横山 善行
電話 03-3505-2661 FAX 03-3589-6258
mail yokoyamy(a)jacic.or.jp
########################################
4 years, 8 months
How to make ldap evaluate clear text password vs DES stored password
by yokoyamy@jacic.or.jp
Hi.
I have user information in RDB which include user-id and password set.
I’ve been trying to use this RDB as backend database for openldap server.
Now,I can find user information in RDB through openldap.
However, I recognized I can’t use this user information for ldap login certification process.
LDAP’s userPassowrd stored in the RDB has been already DES hashed by original app. On the other hand, input password from ldapseach command line is CREARTEXT.
Now I’d like my openldap to change CREATEXT input password into DES hassed text so that they'll match for certification.
I've asked this topic on stackoverflow web site how to do that by server settings.But I couldn’t find proper directives to set.
How to make ldap evaluate clear text password vs DES stored password
Since then,I’ve been searching LDAP source files which is matching input password from ldapsearch command line against userPassword stored in backend RDB for slapd.
I’d like to change certification process of LDAP source file to make input password into DES hashed by using 2 characters of userPassword as its SALT.
I've already known that 2 characters at the beginning of userPasswordwas used as its SALT when it was hashed.
So the fact is ,my slapd can read userPassword from the RDB. I think I'll be able to find out what will be SALT to make input password into DES hashed text.
If I can make opeldap to act this way,I can use user's infomation in the RDB to ldap login inforomation wiht seamless.
4 years, 8 months
Restarting syncrepl based provider / consumer setup trawls through whole DIT - why?
by Ole Nomann Thomsen
Hi, my problem is this:
Whenever I restart a Consumer in our single-provider, multi-consumer syncrepl setup, type=refreshAndPersist (OpenLdap 2.4.45), It spends about half an hour running through the whole DIT (about 5.5 million entries), doing this for each:
2018-09-12T16:25:41.526574+02:00 nonpresent_callback: rid=001 present UUID 9b99ec5a-4cfe-1029-9a2e-80309636f032, dn ou=Authentication,o=UNI-C,c=DK
I'm guessing that that the Consumer is looking up every entry to decide if it has changed. This has the unfortunate effect that the Consumer is deemed out-of-sync in the timespan (referring to the contextCSN in the root entry), even if only one entry has actually changed in the master. And it cannot be let back into the serverfarm before it is synchronized, thus making every restart of a Consumer require at least 30 mins downtime for that Consumer.
If I read the docs correctly (https://www.openldap.org/doc/admin24/replication.html), there should be a synchronization cookie set after the refresh stage (and during the persist-stage). It looks to me like at least in my case, that cookie is not persistent - it seems that when the Consumer is restarted, this cookie is either lost or reset, causing the whole DIT to be read, and not just those entries, younger than the cookie.
But why is it not persistent? Am a missing some obvious explanation as to why this is not possible, or have I just misconfigured something? Any hints where I should look?
Is there a better way to set up replication to avoid this?
Thanks - Ole N Thomsen
4 years, 8 months
