Q: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
by Ulrich Windl
Hi!
After systemd tore down one of our LDAP servers, I noticed the following message when the server was restarted:
slapd[10525]: UNKNOWN attributeDescription "AUDITCONTEXT" inserted.
The next line logged was:
slapd[10525]: olcServerID: value #1: SID=0x002 (listener=ldap://...:389)
(the server is the one from SLES12 SP4, 2.4.41 from the openSUSE Build Service)
The server is one of three MM servers that all have the same configuration and the same version.
The schema (olcSchemaConfig) has this in olcAttributeTypes:
( 1.3.6.1.4.1.4203.666.11.5.1.30 NAME 'auditContext' DESC 'DN of auditContainer' SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 SINGLE-VALUE NO-USER-MODIFICATION USAGE dSAOperation )
What I'd like to know: Is there anything I could fix in the configuration to make the message go away, or is it a software issue in slapd?
Regards,
Ulrich
3 years, 2 months
Question about OpenLDAP and rwm overlay
by Vandenburgh, Steve Y
I'm attempting to use OpenLDAP as a proxy to an Active Directory domain. Using the ldap backend, I'm able to configure the proxy and that configuration seems to be working well. But account entries are frequently moved from OU to OU in a domain, and Microsoft permits the bind DN to be the userPrincipalName attribute value of the entry instead of the full DN of the account; this feature avoids having to make many bind DN changes in application configurations.
With just the ldap backend configured, OpenLDAP rejects the userPrincipalName (UPN) bind DN as an invalid DN. To work around this error, I was trying to see if I could use the rwm overlay to detect the UPN and convert to the actual domain entry DN using an attribute map. If I use the form
mail=UPN
the map works as expected; however, if I only provide the UPN as the bind DN, OpenLDAP still rejects it as an invalid DN. I suspect that the rwm overlay manipulations do not take effect until after the bind DN syntax is checked. I wanted to confirm my suspicion and see if anyone else has been able to get a UPN-based bind to work through OpenLDAP.
For reference my slapd.conf configuration is below:
### Schema includes ###########################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
## Module paths ##############################################################
modulepath /usr/lib64/openldap/
moduleload rwm
# Main settings ###############################################################
loglevel 8
sizelimit unlimited
idletimeout 600
writetimeout 30
allow bind_v2
pidfile /var/openldap/mycompany/var/slapd.pid
argsfile /var/openldap/mycompany/var/slapd.args
logfile /var/openldap/mycompany/logs/access
TLSCertificateFile /var/openldap/mycompany/certs/Server.pem
TLSCertificateKeyFile /var/openldap/mycompany/certs/Server.key
TLSCACertificateFile /var/openldap/mycompany/certs/ServerCA.pem
### Rewrite rules #############################################################
# Bind with UPN instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
overlay rwm
rwm-suffixMassage "" "dc=mycompany,dc=com"
rwm-rewriteMap ldap attr2dn "ldaps://mycompany.com/ou=Domain%20Users,dc=mycompany,dc=com?dn?sub" bindwhen=now version=3 binddn="CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com" credentials=******
# Then we need to detect UPN DN
# note that the rule in case of match stops rewriting
# In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^[^=,]+@mycompany.com$" "mail=$0" ":"
rwm-rewriteRule "^mail=[^,]+@mycompany.com$" "${attr2dn($0)}" ":@"
### Database definition (Proxy to AD) #########################################
database ldap
readonly yes
protocol-version 3
rebind-as-user
uri "ldaps://mycompany.com"
suffix "dc=mycompany,dc=com"
Thanks,
Steve Vandenburgh
3 years, 8 months
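To make the order of operations concrete, here is an added example (not from the post above and not OpenLDAP's own code) that models slapd's bind path in Python: the frontend parses the bind name as a DN before any overlay runs, so a bare UPN is refused with invalidDNSyntax and never reaches rwm, while "mail=<UPN>" passes the syntax check and the two rewrite rules from the posted configuration map it to the real entry DN. The DN check is a deliberately simplified RFC 4514 parser, the ATTR2DN_MAP dictionary stands in for the attr2dn LDAP map, and the entry "CN=John Doe,..." and the UPN "jdoe@mycompany.com" are constructed test data.

```python
import re

# Constructed stand-in for the attr2dn LDAP map: the filter rwm would send
# (mail=<UPN>) mapped to the real AD entry DN. Hypothetical test data.
ATTR2DN_MAP = {
    "mail=jdoe@mycompany.com": "CN=John Doe,OU=Domain Users,DC=mycompany,DC=com",
}

# Attribute type in an RDN: a descriptor (e.g. "cn") or a numeric OID.
_TYPE_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+)$")


def split_rdns(dn):
    """Split a DN on commas that are not escaped with a backslash."""
    return re.split(r"(?<!\\),", dn)


def is_valid_dn(name):
    """Simplified RFC 4514 syntax check, standing in for the frontend's
    dnPrettyNormal(): every RDN must be type=value with a legal type and a
    non-empty value. The empty DN (anonymous bind) is valid."""
    if name == "":
        return True
    for rdn in split_rdns(name):
        # multi-valued RDNs are joined with '+'; check each pair
        for ava in re.split(r"(?<!\\)\+", rdn):
            if "=" not in ava:
                return False
            atype, value = ava.split("=", 1)
            if not _TYPE_RE.match(atype.strip()) or value == "":
                return False
    return True


# The poster's two bindDN rewrite rules, with '@' restored and the dot escaped.
RULE_UPN = re.compile(r"^[^=,]+@mycompany\.com$")
RULE_MAIL_RDN = re.compile(r"^mail=[^,]+@mycompany\.com$")


def rwm_rewrite_binddn(name):
    """Apply the rules in order as the posted config intends: rule 1 wraps a
    bare UPN into mail=<UPN> ("$0" is the whole match); rule 2 feeds
    mail=<UPN> to the attr2dn map. None models an empty map result."""
    if RULE_UPN.match(name):
        name = "mail=" + name
    if RULE_MAIL_RDN.match(name):
        return ATTR2DN_MAP.get(name)
    return name


def process_bind(name):
    """Model slapd's bind processing: the DN syntax check happens in the
    frontend, so only a syntactically valid DN reaches the rwm overlay."""
    if not is_valid_dn(name):
        return ("invalidDNSyntax", name)
    target = rwm_rewrite_binddn(name)
    if target is None:
        return ("unmapped", name)
    return ("ok", target)


if __name__ == "__main__":
    for bind_name in ("jdoe@mycompany.com", "mail=jdoe@mycompany.com",
                      "CN=mybindacct,ou=Domain Users,DC=mycompany,DC=com"):
        print(bind_name, "->", process_bind(bind_name))
```

Running the module shows the asymmetry the poster observed: the bare UPN fails before the overlay is consulted, whereas the same rewrite rules, applied directly to that UPN, would have produced the real DN had they been reached.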
Postgres and Attributes
by Mark Murawski
Hi!
Attachments:
www.kobaz.net/misc/slapd.zip
www.kobaz.net/misc/ldap.sql
www.kobaz.net/misc/attributes.png
Disclaimer: Let me first start out saying that this isn't my first run
around the block. I understand that this is experimental and I accept
the risks and issues that might come with back-sql.
I started with the backend examples located in:
servers/slapd/back-sql/rdbms_depend/pgsql
... and then started adding support for things like organizationalUnit
that are not included in the test db.
Attached is my ldap postgres database.
Attached is my ldap /etc/ldap/slapd
I'm aware that passwords/etc are in there, but it's not a big deal. It's
just testing stuff on an internal system.
The issue I'm having:
- Attributes are not coming back when requesting ldap information or
doing ldap search (Screenshot)
Also noted is that the sample inetOrgPerson entries do not show any
attributes like surname, despite them being stored in the postgres
database in what looks like the correct format (exactly the same as the
test db import)
-- The organizationUnit has been added like this:
1-users-ou.ldif
-----
dn: ou=users,dc=directory, dc=pbx, dc=local
ou: users
description: holds users of the directory
objectClass: organizationalUnit
-----
ldapadd -x -D "cn=admin,dc=directory, dc=pbx, dc=local" -w 'asdf' -v -f 1-users-ou.ldif
Despite having specified 'description', this has not been added to the
database as shown in the export. The organizational_unit table looks
like this:
id | ou | description
----+----+-------------
1 | |
Looking at the postgres query logs, slapd has made no attempt whatsoever
to set the description field, despite this field being mapped in the
attributes as shown in the export. Also here for quick reference:
Table: ldap_attr_mappings
-[ RECORD 16 ]+
id | 20
oc_map_id | 5
name | description
sel_expr | organizational_unit.description
sel_expr_u |
from_tbls | organizational_unit
join_where |
add_proc | UPDATE organizational_unit SET description=? WHERE id=?
delete_proc | SELECT 1 FROM organizational_unit WHERE ou = ? AND ID=?
param_order | 3
expect_return | 0
Can someone shed some light on what's wrong here?
3 years, 9 months
Is there a way to set a preference on entries with multiple userPassword attributes?
by Jeremy Diaz
Hello,
Currently I have LDAP entries with 2 userPassword attributes. One is a regular SHA password, while the other one delegates to SASL. However, this results in all entries binding through SASL rather than locally. I need some entries to default to SASL and other entries to default to SHA, but still fail over to the other password value. Is this possible through OpenLDAP?
Thanks,
Jeremy
--
Jeremy Diaz
Rex Consulting, Inc
5652 Florence Terrace, Oakland, CA 94611
email: jeremy.diaz@rexconsulting.net
web: [ http://www.rexconsulting.net/ | http://www.rexconsulting.net ]
phone, toll-free: +1 (888) 403-8996 EXT: 5
3 years, 9 months
acl help access to 'own' attributes
by Marc Roos
Can anyone help with how I should write the ACLs that allow users [2] access
to attributes of LDAP entries [1] that have themselves listed as the value of
the attribute sendmailMTAMapValue?
Something like:
Access to children? ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
filter=(sendmailMTAMapValue=VAR1) attrs=sendmailMTAKey
by uid=VAR1,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local read
[1]
dn: sendmailMTAKey=test@example.com,ou=xxxx,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
objectClass: sendmailMTA
objectClass: sendmailMTAMap
objectClass: sendmailMTAMapObject
objectClass: ritAdditionalInfo
sendmailMTAMapName: virtuser
sendmailMTACluster: mail
sendmailMTAKey: test@example.com
sendmailMTAMapValue: testuser
[2]
uid=testuser,ou=yyyy,ou=dddd,ou=cccc,dc=bbbb,dc=aaaa,dc=local
3 years, 10 months
own dynamic posix-group
by Stefan Kania
Hello,
I am trying to set up my own posix group as a dynamic posix group, to use
it for filesystem permissions. So I did the following:
1. Create two new objectclasses:
------------
objectclass (1.3.6.1.4.1.23456.1.2.1 NAME 'stkaPosixGroup'
DESC 'advanced PosixGroup for dynamic use'
SUP top AUXILIARY
MUST ( cn $ gidNumber )
MAY ( userPassword $ memberUid $ description ) )
objectclass (1.3.6.1.4.1.23456.1.2.2 NAME 'stkaPosixAccount'
DESC 'advanced PosixAccount for dynamic use'
SUP posixAccount AUXILIARY
MAY ( memberUID ))
------------
YES, I know 23456 is not my OID. It's still a test!
2. Then I configured the dynlist overlay in slapd.conf
------------
overlay dynlist
dynlist-attrset groupOfURLs MemberURL
------------
3. I created a new dynamic group:
------------
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
------------
4. I added the new objectclass stkaPosixAccount to my users:
------------
dn: cn=Stefan Kania,ou=users,dc=example,dc=net
objectClass: posixAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: stkaPosixAccount
loginShell: /bin/bash
homeDirectory: /home/skania
uid: skania
cn: Stefan Kania
userPassword:: e1NTSEF9cVk4eDVEaVhmYTZxbEw4MDBnRTlkazdtVDd2TzVocUI=
uidNumber: 10000
gidNumber: 10000
sn: Kania
givenName: Stefan
memberUid: skania
title: admin
------------
5. I set the attribute "title" for two users to "admin" and got
------------
root@ldapserver:/# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL
'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
------------
So my users are member of the group.
6. I use sssd as the LDAP client, so I changed its configuration to:
------------
[sssd]
config_file_version = 2
services = nss, pam
domains = EXAMPLE
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
offline_credentials_expiration = 2
offline_failed_login_attempts = 3
offline_failed_login_delay = 5
[domain/EXAMPLE]
ldap_schema=rfc2307
ldap_uri = ldap://ldapserver.example.net:389
ldap_search_base=dc=example,dc=net
ldap_default_bind_dn=uid=sssd-user,ou=users,dc=example,dc=net
ldap_default_authtok=geheim
id_provider=ldap
auth_provider=ldap
chpass_provider = ldap
ldap_chpass_uri = ldap://ldapserver.example.net:389
cache_credentials = True
ldap_tls_cacertdir = /etc/ssl/zertifikate/demoCA
ldap_tls_cacert = /etc/ssl/zertifikate/demoCA/cacert.pem
ldap_id_use_start_tls = True
ldap_group_object_class = stkaPosixGroup
enumerate = true
------------
I added the line "ldap_group_object_class = stkaPosixGroup"
I know "enumerate = true" is not a good idea, but it's still a test ;-)
Now the tests:
---------
getent group
.
.
dynposix:*:5000:
.
.
--------
The group is listed but none of the members. So I did the following:
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL
'cn=dynposix'
dn: cn=dynposix,ou=groups,dc=example,dc=net
objectClass: groupOfURLs
objectClass: stkaPosixGroup
gidNumber: 5000
cn: dynposix
memberURL: ldap:///dc=example,dc=net?memberuid?sub?(title=admin)
memberUid: skania
memberUid: ktom
--------
There are two memberUid entries.
Now I did another test searching for "memberuid"
--------
root@ldapserver:~# ldapsearch -x -D cn=admin,dc=example,dc=net -W -LLL
'memberuid=*' attrs dn
dn: cn=Stefan Kania,ou=users,dc=example,dc=net
dn: cn=Kater Tom,ou=users,dc=example,dc=net
--------
As you can see, I only get the two users but not my group "dynposix"
listed.
When I do an "id ktom" I get:
--------
root@ldapserver:~# id ktom
uid=10001(ktom) gid=10000 groups=10000
--------
Also no group "dynposix"
It looks like it is not possible to search for the attribute "memberUid"
if it's assigned to a groupOfURLs.
Does anyone have an idea where I did something wrong?
--
Stefan Kania
3 years, 10 months
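The following is an added example (not the poster's code and not OpenLDAP's) that models in Python why the three searches above behave as they do with dynlist: the backend evaluates the filter against the attributes stored in each entry, and only afterwards does the overlay expand memberURL and add the generated memberUid values to the entries being returned. The directory content is constructed from the entries in the post (the "cn=sssd-user" entry is an invented extra user without a title), and the filter evaluator only understands the small subset of filter syntax these queries need.

```python
import re

# Constructed directory content, shaped like the poster's entries. Attribute
# names are kept lower case because LDAP attribute names are case-insensitive
# (the post mixes memberUid and memberuid).
DIRECTORY = {
    "cn=Stefan Kania,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["skania"], "memberuid": ["skania"], "title": ["admin"],
    },
    "cn=Kater Tom,ou=users,dc=example,dc=net": {
        "objectclass": ["posixAccount", "inetOrgPerson", "stkaPosixAccount"],
        "uid": ["ktom"], "memberuid": ["ktom"], "title": ["admin"],
    },
    "cn=sssd-user,ou=users,dc=example,dc=net": {   # hypothetical user, no title
        "objectclass": ["posixAccount", "inetOrgPerson"],
        "uid": ["sssd-user"],
    },
    "cn=dynposix,ou=groups,dc=example,dc=net": {
        "objectclass": ["groupOfURLs", "stkaPosixGroup"],
        "cn": ["dynposix"], "gidnumber": ["5000"],
        # NOTE: no memberUid is STORED here; dynlist computes it on return
        "memberurl": ["ldap:///dc=example,dc=net?memberuid?sub?(title=admin)"],
    },
}

_SIMPLE = re.compile(r"^\(?([A-Za-z][A-Za-z0-9-]*)=([^)]*)\)?$")


def matches(entry, flt):
    """Evaluate a tiny filter subset: (attr=value), (attr=*) and (&(...)(...))."""
    flt = flt.strip()
    if flt.startswith("(&"):
        parts = re.findall(r"\([^()]*\)", flt[2:-1])
        return all(matches(entry, p) for p in parts)
    m = _SIMPLE.match(flt)
    if not m:
        raise ValueError("unsupported filter: " + flt)
    attr, value = m.group(1).lower(), m.group(2)
    values = entry.get(attr, [])
    if value == "*":
        return bool(values)
    return any(v.lower() == value.lower() for v in values)


def backend_search(flt, base="dc=example,dc=net"):
    """The database evaluates the filter against STORED attributes only."""
    return [dn for dn, e in DIRECTORY.items()
            if dn.lower().endswith(base.lower()) and matches(e, flt)]


def dynlist_expand(dn):
    """slapo-dynlist step: for a groupOfURLs entry that is being RETURNED,
    run each memberURL and add the requested attribute values to the copy
    of the entry that goes back to the client."""
    entry = {k: list(v) for k, v in DIRECTORY[dn].items()}
    if "groupofurls" not in [c.lower() for c in entry.get("objectclass", [])]:
        return entry
    for url in entry.get("memberurl", []):
        # ldap:///<base>?<attrs>?<scope>?<filter>
        _, rest = url.split("///", 1)
        base, attrs, _scope, flt = rest.split("?")
        for member_dn in backend_search(flt, base):
            for attr in attrs.split(","):
                attr = attr.lower()
                entry.setdefault(attr, []).extend(DIRECTORY[member_dn].get(attr, []))
    return entry


def search(flt):
    """Order of operations that produces the poster's results: the backend
    filters on stored attributes, then dynlist decorates the matched entries."""
    return {dn: dynlist_expand(dn) for dn in backend_search(flt)}


if __name__ == "__main__":
    for f in ("(cn=dynposix)", "(memberuid=*)",
              "(&(objectClass=stkaPosixGroup)(memberUid=ktom))"):
        print(f, "->", list(search(f)))
```

With this ordering, "(cn=dynposix)" returns the group with both memberUid values, "(memberuid=*)" returns only the two user entries, and a group-by-member lookup such as "(&(objectClass=stkaPosixGroup)(memberUid=ktom))", the kind of query a client needs to list a user's groups, finds nothing; that is consistent with "id ktom" showing no dynposix group in the post.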
switching to containers, slapd tuning?
by Marc Roos
I currently have setups with VMs running a local slapd and nscd for caching authentication requests. If I separate these processes, e.g. one container for slapd and a different container for the application that does system authentication, I will not be able to share cache memory etc.
I was wondering if I would ever be able to come near this performance with direct communication between slapd and the application (thus without something like nscd), and how to tune slapd.
3 years, 10 months
SSL / TLS 1.0 - exposed in SSF?
by Aaron Bennett
Hi,
I'm looking to determine whether clients connecting to my OpenLDAP directory are using obsolete protocols (such as SSL, TLS 1.0, etc.). Are the connection details exposed in the SSF value of the connection, or exposed elsewhere in the log?
Best,
Aaron
---
Aaron Bennett
Manager of Systems Administration
Clark University ITS
3 years, 10 months
Re: Re: It seems that the TLS cipher settings in ldap client and server do not work.
by Quanah Gibson-Mount
--On Thursday, November 14, 2019 11:17 AM +0800 莫亚男 <nanmor@126.com>
wrote:
>
> Hi Quanah,
>
> Sorry for replying so late. We downloaded the package and built it ourselves.
> We used the commands below:
> env CPPFLAGS=-I/usr/local/src/openssl-1.1.1/include
> LDFLAGS=-L/usr/local/ssl/lib ./configure
> make depend
> make
> make install
Hi Nancy,
Please keep replies on the technical list. Which OpenSSL 1.1.1 release are
you linking to?
Regards,
Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
3 years, 10 months