Re: Migrating from Debian 6 to Ubuntu 20
by Tan Mientras
Just figured out what's going on:
A comment line (starting with #) in the middle of an ACL breaks the ACL.
On Tue, May 3, 2022 at 11:52 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Tuesday, May 3, 2022 10:05 AM +0200 Tan Mientras
> <tanimientras(a)gmail.com> wrote:
>
> >
> > OLD SERVER:
> > ii ldap-utils 2.4.23-7.3 OpenLDAP utilities
> > ii ldapscripts 1.9.0-2 Add and remove user and groups (stored in a LDAP directory)
> > ii libldap-2.4-2 2.4.23-7.3 OpenLDAP libraries
> > ii libnet-ldap-perl 1:0.4001-2 client interface to LDAP servers
> > ii libnss-ldap 264-2.2 NSS module for using LDAP as a naming service
> > ii libpam-ldap 184-8.5 Pluggable Authentication Module for LDAP
> > ii postfix-ldap 2.7.1-1+squeeze1 LDAP map support for Postfix
> >
> > vs
> >
> > NEW SERVER:
> > ii ldap-utils 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP utilities
> > ii ldapscripts 2.0.8-1ubuntu1 all Add and remove users and groups (stored in a LDAP directory)
> > ii libldap-2.4-2:amd64 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP libraries
> > ii libldap-common 2.4.49+dfsg-2ubuntu1.8 all OpenLDAP common files for libraries
>
> None of the above shows what the slapd version is, but I'll assume 2.4.23
> to 2.4.49. Are you using the exact same OpenLDAP slapd.conf with both?
>
> Regards,
> Quanah
>
Re: Migrating from Debian 6 to Ubuntu 20
by Tan Mientras
OLD SERVER:
ii ldap-utils 2.4.23-7.3 OpenLDAP utilities
ii ldapscripts 1.9.0-2 Add and remove user and groups (stored in a LDAP directory)
ii libldap-2.4-2 2.4.23-7.3 OpenLDAP libraries
ii libnet-ldap-perl 1:0.4001-2 client interface to LDAP servers
ii libnss-ldap 264-2.2 NSS module for using LDAP as a naming service
ii libpam-ldap 184-8.5 Pluggable Authentication Module for LDAP
ii postfix-ldap 2.7.1-1+squeeze1 LDAP map support for Postfix

vs

NEW SERVER:
ii ldap-utils 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP utilities
ii ldapscripts 2.0.8-1ubuntu1 all Add and remove users and groups (stored in a LDAP directory)
ii libldap-2.4-2:amd64 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP libraries
ii libldap-common 2.4.49+dfsg-2ubuntu1.8 all OpenLDAP common files for libraries
On Fri, Apr 29, 2022 at 5:16 PM Quanah Gibson-Mount <quanah(a)fast-mail.org>
wrote:
>
>
> --On Friday, April 29, 2022 3:06 PM +0200 Tan Mientras
> <tanimientras(a)gmail.com> wrote:
>
> >
> >
> > Hello.
> >
> >
> > Trying to migrate our ldap from one server to a new one I did:
>
> What OpenLDAP release was the old server running? What OpenLDAP release is
> the new server running?
>
> --Quanah
>
LMDB compaction
by Søren Holm
Hi
I know that LMDB currently does not support compaction, but I'm
interested in knowing if such a feature is being worked on. And if not,
is it a feature that can be merged into LMDB if implemented?
/Søren Holm
cannot use RootDN to modify cn=config: Insufficient access
by butterfly-cry@qq.com
Hi guys, I have googled a lot on how to modify cn=config, but everything failed. Hope someone can help. Thanks.
[openldap2.6.1 CentOS7.9]
My initial ldif is like below:
```
[root@rayc01 openldap]# more slapd.ldif |grep -v ^#
dn: cn=config
objectClass: olcGlobal
cn: config
olcArgsFile: /usr/local/openldap-2.6.1/var/run/slapd.args
olcPidFile: /usr/local/openldap-2.6.1/var/run/slapd.pid

dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulepath: /usr/local/openldap-2.6.1/libexec/openldap
olcModuleload: back_mdb.la

dn: cn=schema,cn=config
objectClass: olcSchemaConfig
cn: schema
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/core.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/collective.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/corba.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/cosine.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dsee.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/duaconf.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dyngroup.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/inetorgperson.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/java.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/misc.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/namedobject.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/nis.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/openldap.ldif
include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/pmi.ldif

dn: olcDatabase=frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: frontend

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcDbMaxSize: 1073741824
olcSuffix: dc=domain,dc=com
olcRootDN: cn=root,dc=domain,dc=com
olcRootPW: {SSHA}N/Zg9jqjoL1E4xEHc1dGdyTzZiOlEsrs
olcDbDirectory: /usr/local/openldap-2.6.1/var/openldap-data
olcDbIndex: objectClass eq

dn: olcDatabase=monitor,cn=config
objectClass: olcDatabaseConfig
olcDatabase: monitor
olcRootDN: cn=config
olcMonitoring: FALSE
[root@rayc01 openldap]#
```
After importing it with slapadd and starting slapd, I can add my OUs as cn=root with ldapadd, like below:
```
[root@rayc01 ~]# more base.ldif
dn: dc=domain,dc=com
dc: domain
objectClass: top
objectClass: domain

dn: ou=People,dc=domain,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Group,dc=domain,dc=com
objectClass: organizationalUnit
ou: Group

dn: ou=Mounts,dc=domain,dc=com
objectClass: organizationalUnit
ou: Mounts
```
But when I try to modify olcLogLevel and olcIdleTimeout in cn=config, I get errors:
```
[root@rayc01 ~]# more log.ldif
dn: cn=config
changeType: modify
replace: olcIdleTimeout
olcIdleTimeout: 60

dn: cn=config
changeType: modify
replace: olcLogLevel
olcLogLevel: 256
[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
[root@rayc01 ~]# ldapmodify -x -D cn=root,dc=domain,dc=com -w "xxx@123" -f log.ldif
modifying entry "cn=config"
ldap_modify: Insufficient access (50)
[root@rayc01 ~]# ldapmodify -x -D cn=config -f log.ldif
ldap_bind: Server is unwilling to perform (53)
additional info: unauthenticated bind (DN with no password) disallowed
[root@rayc01 ~]#
[root@rayc01 ~]# more 1.ldif
dn: olcDatabase={0}config,cn=config
#olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
changetype: modify
replace: olcAccess
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=root,dc=huawei,dc=com" read by * none
[root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif
ldap_sasl_interactive_bind: Can't contact LDAP server (-1)
[root@rayc01 ~]#
```
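As an added example that is not part of the original post: the slapd.ldif above never declares the config database itself, so after slapadd it keeps the defaults, a rootdn of cn=config with no olcRootPW and no ACL admitting anyone else, which is why the cn=root bind (rootdn of the mdb database only) gets Insufficient access and the passwordless cn=config bind is refused. The entry below, assumed to be placed right after the olcDatabase=frontend entry before running slapadd, gives both a password-bound administrator and the local root user over ldapi:/// rights on cn=config; the {SSHA} value is a placeholder. The ldapi:/// path additionally assumes slapd is started with that listener, e.g. slapd -h "ldap:/// ldapi:///"; "Can't contact LDAP server (-1)" on ldapi:/// is what ldapmodify reports when the socket is not being served.

```ldif
# Added example, not from the original slapd.ldif.  Place it after the
# olcDatabase=frontend entry, then load a fresh config directory with
#   slapadd -n 0 -F /usr/local/openldap-2.6.1/etc/openldap/slapd.d -l slapd.ldif
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# Password-bound administrator for cn=config.  The hash is a placeholder;
# generate a real one with slappasswd.  Enables:
#   ldapmodify -x -H ldap:/// -D cn=admin,cn=config -W -f log.ldif
olcRootDN: cn=admin,cn=config
olcRootPW: {SSHA}PLACEHOLDER-REPLACE-WITH-slappasswd-OUTPUT
# The local root user over the unix socket gets full rights as well.
# Requires slapd started with ldapi:/// among its listeners
# (slapd -h "ldap:/// ldapi:///").  Enables:
#   ldapmodify -Y EXTERNAL -H ldapi:/// -f log.ldif
# Everyone else is denied, so cn=root,dc=domain,dc=com (rootdn of the mdb
# database only) still cannot modify cn=config.
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * none
```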
RE26 testing call #2 (OpenLDAP 2.6.2)
by Quanah Gibson-Mount
This is the second testing call for OpenLDAP 2.6.2. Depending on the
results, this may be the final testing call.
Generally, get the code for RE26:
<https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6...>
Extract, configure, and build.
Execute the test suite (via make test) after it is built. Optionally, cd
tests && make its to run through the regression suite.
Fixes since last testing call:
ITS#9802 (further fixes)
ITS#9820
ITS#9825
ITS#9831
ITS#9832
Thanks!
OpenLDAP 2.6.2 Engineering
Added libldap support for OpenSSL 3.0 (ITS#9436)
Added slapd support for OpenSSL 3.0 (ITS#9436)
Fixed ldapdelete to prune LDAP subentries (ITS#9737)
Fixed libldap to drop connection when non-LDAP data is received
(ITS#9803)
Fixed libldap to allow newlines at end of included file (ITS#9811)
Fixed slapd slaptest conversion of olcLastBind (ITS#9808)
Fixed slapd to correctly init global_host earlier (ITS#9787)
Fixed slapd bconfig locking for cn=config replication (ITS#9584)
Fixed slapd usage of thread local counters (ITS#9789)
Fixed slapd to clear runqueue task correctly (ITS#9785)
Fixed slapd idletimeout handling (ITS#9820)
Fixed slapd syncrepl handling of new sessions (ITS#9584)
Fixed slapd to clear connections on bind (ITS#9799)
Fixed slapd to correctly advance connections index (ITS#9831)
Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801)
Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802)
Fixed slapd-ldap memory leak in keepalive setting (ITS#9802)
Fixed slapd-meta SEGV on config rewrite (ITS#9802)
Fixed slapd-meta ordering on config rewrite (ITS#9802)
Fixed slapd-meta memory leak in keepalive setting (ITS#9802)
Fixed slapd-monitor SEGV on shutdown (ITS#9809)
Fixed slapd-monitor crash when hitting sizelimit (ITS#9832)
Added slapo-autoca support for OpenSSL 3.0 (ITS#9436)
Added slapo-otp support for OpenSSL 3.0 (ITS#9436)
Fixed slapo-dynlist dynamic group regression (ITS#9825)
Fixed slapo-pcache SEGV on shutdown (ITS#9809)
Fixed slapo-ppolicy operation handling to be consistent (ITS#9794)
Fixed slapo-translucent to correctly duplicate substring filters
(ITS#9818)
Build Environment
Add ability to override default compile time paths
(ITS#9675)
Fix compilation with certain versions of gcc (ITS#9790)
Fix compilation with openssl exclusions (ITS#9791)
Fix warnings from make jobserver (ITS#9788)
Contrib
Update ppm module to the 2.1 release (ITS#9814)
Documentation
admin26 Document new lloadd features (ITS#9780)
Fixed slapd.conf(5)/slapd-config(5) syncrepl
sizelimit/timelimit documentation (ITS#9804)
Fixed slapd-sock(5) to clarify "sockresps result" behavior
(ITS#8255)
How to allow openldap searches for all just one group
by gerson.garcia@itron.com
All,
I am inheriting the support of a small openldap deployment and I am new to it. I have a request to create a security group for this implementation, and only users in this group should have access to manage objects in the ldap.
We have something like this:
+-dc=nocinbox,dc=com
  +---ou=groups
      +---cn=admin
      +---cn=app-admin
      +---cn=sec-admin
  +---ou=users
      +---cn=admin
      +---cn=appadmin
      +---cn=appadmin2
      +---cn=secadmin
In the olcDatabase configuration I have the following:
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by * read
And only secadmin can make changes in the LDAP, that is great.
However, all other users can ldapsearch:
$ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D "cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses
ldap_initialize( ldaps://openldap:636/??base )
Enter LDAP Password:
filter: (objectclass=*)
requesting: All userApplication attributes
# numResponses: 29
Is there any olcAccess configuration I can use to not allow any user to run ldapsearch but still be able to authenticate them? They still need to ssh and access some web servers.
Thank you very much,
Gerson
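An added example, not from the original post, of the olcAccess set above rewritten so that ordinary users can still bind but get nothing back from ldapsearch: only the sec-admin set writes, and only one dedicated lookup account reads. It assumes the database is olcDatabase={1}mdb,cn=config and introduces a hypothetical cn=nss-proxy account that the SSH hosts' nss/pam LDAP client and the web servers bind as for their lookups.

```ldif
# Added example, not from the original post.  The database DN and the
# cn=nss-proxy account are assumptions; adjust them to the real deployment.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
replace: olcAccess
# A simple bind only needs "auth" on userPassword, so every user can still
# authenticate; nobody (not even the user) can read the stored hash.
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
# Everything else: sec-admin members write, the lookup account reads, and any
# other bound user (or anonymous) gets no access to the entries at all, so
# their ldapsearch returns no entries even though the bind succeeded.
olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by dn.exact="cn=nss-proxy,ou=users,dc=nocinbox,dc=inc" read by * none
```

Check it with the same ldapsearch as above bound as cn=admin,ou=users: the bind succeeds but no entries come back, while the same search bound as cn=nss-proxy still sees the tree. Point the SSH hosts' nss/pam configuration and the web servers at the proxy account for their lookups.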