Open LDAP - How to define an additionnal "uid" like attribute equivalent to a RDMS unique key index
by pascal.foulon@orange.com
Hi all
1) The context
My team is working on a corporate directory using Open LDAP 2.4.38, managing about 200,000 employees.
Each employee is constructed using a specific object class named ftperson, based on parent object class inetOrgPerson
All the ftperson objects are are stored in an branch named ou=people .
We use the standard uid attribute for he RDN 's ftperson object to identify an employee.
So far, the full DN of an employee is something like : uid=CUID,ou=people,dc=intrannuaire,dc=orange,dc=com
with CUID representing an alphanumeric string
Precision : the CUID value is precalculated and provisioned by another corporate identity management system
that checks and ensures the CUID value is unique.
We have a new requirement consisting of adding an additionnal "uid" like attribute named xuid
The value of xuid will also precalculated et provisioned by the corporate identity management system
that will check and ensure the xuid value is unique.
At first, we have choosen to simply add a new attribute to the ftperson object structrure
using the following attribute definition :
olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
2) My question
We'd like to harden the xuid management policy on our Open LDAP server by adding an unicity constraint rule for the xuid attribute equivalent to a RDMS unique key index.
I've found and read several LDAP documentations including :
=> uid attribute définition
https://ldapwiki.com/wiki/0.9.2342.19200300.100.1.1
=> extented flags
https://ldapwiki.com/wiki/Extended%20Flags
I've tried several configurations such as :
- define xuid attribute using uid as a parent attribute type
olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
- define xuid attribute using uid as a parent attribute type with additional extended flags
olcAttributeTypes: {76}( ORANGE-AT:77 NAME 'xuid' SUP uid EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE X-NDS_NAME 'uniqueID' X-NDS_LOWER_BOUND '1' X-NDS_UPPER_BOUND '64' X-NDS_PUBLIC_READ '0' X-NDS_NONREMOVABLE '0' )
Where injecting the modified configurations , the Open LDAP server seems to accept them (no error message).
When we add the xuid attribute to an existing ftperson object, it works
But the same xuid value can be set for different ftperson objects and so, the unicity constraint rule for xuid is not respected. :-(
Any idea that idea that could help to fix this issue ?
Regards
[logo Orange]<http://www.orange.com/>
Pascal Foulon
Concepteur Développeur
Responsable Technique / MOE portail Intranet France Mobile
Expert technique VMPAL-E / Quartz / Web Admin / IFM / Annuaire Groupe
Orange/TGI/OLS/SOFT/IDF-NANCY/DPI
fixe : +33 3 90 31 25 79 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoic...>
mobile : +33 6 82 57 28 73 <https://monsi.sso.francetelecom.fr/index.asp?target=http%3A%2F%2Fclicvoic...>
pascal.foulon(a)orange.com<mailto:pascal.foulon@orange.com>
EDS Océane 58H « Annuaire Groupe » : BJC031
EDS Océane IFM « Intranet France Mobile » : BJC038
_________________________________________________________________________________________________________________________
Ce message et ses pieces jointes peuvent contenir des informations confidentielles ou privilegiees et ne doivent donc
pas etre diffuses, exploites ou copies sans autorisation. Si vous avez recu ce message par erreur, veuillez le signaler
a l'expediteur et le detruire ainsi que les pieces jointes. Les messages electroniques etant susceptibles d'alteration,
Orange decline toute responsabilite si ce message a ete altere, deforme ou falsifie. Merci.
This message and its attachments may contain confidential or privileged information that may be protected by law;
they should not be distributed, used or copied without authorisation.
If you have received this email in error, please notify the sender and delete this message and its attachments.
As emails may be altered, Orange is not liable for messages that have been modified, changed or falsified.
Thank you.
4 years, 1 month
Multiple memberOf overlays
by John C. Pfeifer
I am in the process of converting an existing LDAP infrastructure to OpenLDAP. I have a case where it would be convenient for two different objectClasses to map into the memberOf attribute. Is it possible to define two overlay configs or will they end up fighting each other over the memberOf attribute? For instance:
dn: olcOverlay={5}memberofA,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {5}memberofA
olcMemberOfDangling: error
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: objectClassA
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
dn: olcOverlay={6}memberofB,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {6}memberofB
olcMemberOfDangling: error
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: objectClassB
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
//
John Pfeifer
Division of Information Technology
University of Maryland, College Park
4 years, 1 month
Re: OpenLdap with Zimbra Objectclasses
by Quanah Gibson-Mount
--On Thursday, April 25, 2019 3:49 PM +0200 Aidar Y�s�n
<ajdar.yuesuen(a)in-factory.com> wrote:
> Hello,
>
> Thanks for you help. I installed Zimbra the latest version but i couldn't
> finde a Schema Data. Is there a other way?
Hello,
Please keep replies on the list if you would like assistance.
You will need to search harder, as Zimbra always installs the schema file
on a zimbra LDAP node. You may want to read over the zmldapschema script,
particularly the "installZimbraSchema" function in that script, which
clearly denotes where the schema file lives in the deployment.
--Quanah
--
Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
<http://www.symas.com>
4 years, 1 month
reverse search in dymanic group ?
by Olivier -
Hi all,
I'm testing static group and dynamic group.
* Dynmaic group : is it possible to do reverse search in dynamic group ? I reead something about the "ismemberof" attribute and ds-virtual-static-group. But i'm not sure we can do it with openldap
* Static group seems to be fine for me. I have a newbie's question :
can we have , for example, the mail attribute of all members of service Y in only one request ?
I mean : make a request on service Y to have member's list and , in the same action , have the member's mail.
Thanks all.
4 years, 1 month
Implementing additional passwords with limited scope / "app passwords"
by Christoph Biedl
Hello,
looking for a way to implement alternative passwords for a given object
(i.e. account information). The tricky part, such passwords should not
be usable in every application but e.g. for mail access only, not for
interactive login. Such a feature can be seen in the nextcloud
application where such "app passwords" may be unusable for accessing
files while the calendar can still be read and written. The idea behind
this is obviously being able to store such a password on a mobile
device that might got stolen or lost otherwise - without compromising
all other services the account credentials are be valid for. The global
(or default) password should still be usable in any place - although
users should avoid that.
The "restriction to an application" logic could possibly be implemented
using an attribute I'd call "capability", but I have no clue how to
handle the passwords.
Findings so far: It is possible to store more than one userPassword in
an account object, but now I cannot see how to tell apart which of the
ones was used for successful binding, and I reckon this is not possible
at all in a sane way.
Enhancing the schema I might store the the extra password/capabilities
combos in separate objects. But this creates the question how to deal
with applications that don't allow to enter the entire request string.
Another idea I could think of was to have separate objects
("cn=john.doe", "cn=john.doe+login") - but I consider that ugly.
Other ideas? Or even solutions that already exist?
Christoph
4 years, 1 month
OpenLdap with Zimbra Objectclasses
by Aidar Y�s�n
Hello,
I'm trying to import Data to my Server and need for the the Entries Objectclasses wich contains Zimbra Attributes. Is there a way to implement a Schema which include Zimbra Objectclasses?
best wishes
Ajdar
4 years, 1 month
Is there any directory server in public use?
by Tankman 六四
Hi everyone
Can you give an example of directory server used by governments or
certain authorities as to the source of truth? E.g. whether or not the
person named so exists, or whether or not the land registered at
certain street address belong to a Mr Smith?
I'm asking for this because I'm researching how the source of truth is
made publically available in a public database with a set of open
query method (like openldap filter) before the invention of
blockchain. I personally also want to see such effort being made by
willing authorities.
Thanks in advance!
4 years, 1 month
Experimenting with a password plugin
by dee heffem
Is there a way to obtain the username (CN or UID attribute?) being
authenticated when a LUTIL_PASSWD_CHK_FUNC function is called?
I'd like to call a 2FA provider from within a password plugin but
not sure how to get the user tied to the sc, passwd, or cred
bervals.
Thanks
4 years, 1 month
Re: Strange slapadd behavior
by Ezsra McDonald
Yes, I did!!
Thank you for the assistance everyone.
-Ez
On Mon, Apr 15, 2019 at 2:49 PM Quanah Gibson-Mount <quanah(a)symas.com>
wrote:
> --On Monday, April 15, 2019 3:44 PM -0500 Ezsra McDonald
> <ezsra.mcdonald(a)gmail.com> wrote:
>
> > I figured it out. I had missed a attribute when I built my root object.
>
> Hi Ezsra,
>
> Glad you got it figured out! Hopefully you migrated the configuration
> over
> to using the new LMDB based backend (back-mdb) during the process.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Product Architect
> Symas Corporation
> Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
> <http://www.symas.com>
>
>
4 years, 1 month
