openldap-technical May 2022

openldap-technical@openldap.org

24 participants
27 discussions

Win32 file size
by Søren Holm 04 May '22

04 May '22

Hi Mapsize on windows apparently creates a database file of the exact size of map-size. This is inconvenient. But I can see that Howard has been nice and done the commit below back in 2015 - it is not in any tag however. What are your recommendations - is mdb.master safe for productions? commit fb5a768a77ca5330e15a3a34ceb694bc11cb216a Author: Howard Chu <hyc(a)openldap.org> Date: Mon Nov 30 18:46:19 2015 +0000 ITS#8324 incremental DB file growth for Windows

1 0

Re: Migrating from Debian 6 to Ubuntu 20
by Tan Mientras 03 May '22

03 May '22

just figure it out whats going on: a comment line (starting with #) in the middle of a ACL breaks the ACL. On Tue, May 3, 2022 at 11:52 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Tuesday, May 3, 2022 10:05 AM +0200 Tan Mientras > <tanimientras(a)gmail.com> wrote: > > > > > > > OLD SERVER:ii ldap-utils > > 2.4.23-7.3 OpenLDAP utilities > > ii ldapscripts 1.9.0-2 > > Add and remove user and groups (stored in a LDAP > > directory) > > ii libldap-2.4-2 2.4.23-7.3 > > OpenLDAP libraries > > ii libnet-ldap-perl 1:0.4001-2 > > client interface to LDAP servers > > ii libnss-ldap 264-2.2 > > NSS module for using LDAP as a naming service > > ii libpam-ldap 184-8.5 > > Pluggable Authentication Module for LDAP > > > > ii postfix-ldap 2.7.1-1+squeeze1 > > LDAP map support for Postfix > > > > > > vs > > > > > > NEW SERVER: > > > > ii ldap-utils > > 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP > > utilities > > ii ldapscripts 2.0.8-1ubuntu1 > > all Add and remove users and > > groups (stored in a LDAP directory) > > ii libldap-2.4-2:amd64 > > 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP > > libraries > > ii libldap-common > > 2.4.49+dfsg-2ubuntu1.8 all OpenLDAP > > common files for libraries > > None of the above shows what the slapd version is, but I'll assume 2.4.23 > to 2.4.49. Are you using the exact same OpenLDAP slapd.conf with both? > > Regards, > Quanah > > > >

1 0

Re: Migrating from Debian 6 to Ubuntu 20
by Tan Mientras 03 May '22

03 May '22

OLD SERVER: ii ldap-utils 2.4.23-7.3 OpenLDAP utilities ii ldapscripts 1.9.0-2 Add and remove user and groups (stored in a LDAP directory) ii libldap-2.4-2 2.4.23-7.3 OpenLDAP libraries ii libnet-ldap-perl 1:0.4001-2 client interface to LDAP servers ii libnss-ldap 264-2.2 NSS module for using LDAP as a naming service ii libpam-ldap 184-8.5 Pluggable Authentication Module for LDAP ii postfix-ldap 2.7.1-1+squeeze1 LDAP map support for Postfix vs NEW SERVER: ii ldap-utils 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP utilities ii ldapscripts 2.0.8-1ubuntu1 all Add and remove users and groups (stored in a LDAP directory) ii libldap-2.4-2:amd64 2.4.49+dfsg-2ubuntu1.8 amd64 OpenLDAP libraries ii libldap-common 2.4.49+dfsg-2ubuntu1.8 all OpenLDAP common files for libraries On Fri, Apr 29, 2022 at 5:16 PM Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote: > > > --On Friday, April 29, 2022 3:06 PM +0200 Tan Mientras > <tanimientras(a)gmail.com> wrote: > > > > > > > Hello. > > > > > > Trying to migrate our ldap from one server to a new one I did: > > What OpenLDAP release was the old server running? What OpenLDAP release is > the new server running? > > --Quanah > > > >

2 1

LMDB compaction
by Søren Holm 03 May '22

03 May '22

Hi I know that LMDB currently does not support compaction, but I'm interested in knowing if such a feature is being worked on. And if not, is it a feature that can be merged into LMDB if implemented? /Søren Holm

2 4

cannot use RootDN to modify cn=config: Insufficient access
by butterfly-cry＠qq.com 02 May '22

02 May '22

Hi guys, I have google a lot to modify cn=config but all failed. Hope someone can help. Thanks. [openldap2.6.1 CentOS7.9] My initial ldif is like below: `[root@rayc01 openldap]# more slapd.ldif |grep -v ^# dn: cn=config objectClass: olcGlobal cn: config olcArgsFile: /usr/local/openldap-2.6.1/var/run/slapd.args olcPidFile: /usr/local/openldap-2.6.1/var/run/slapd.pid dn: cn=module,cn=config objectClass: olcModuleList cn: module olcModulepath: /usr/local/openldap-2.6.1/libexec/openldap olcModuleload: back_mdb.la dn: cn=schema,cn=config objectClass: olcSchemaConfig cn: schema include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/core.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/collective.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/corba.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/cosine.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dsee.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/duaconf.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/dyngroup.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/inetorgperson.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/java.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/misc.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/namedobject.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/nis.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/openldap.ldif include: file:///usr/local/openldap-2.6.1/etc/openldap/schema/pmi.ldif dn: olcDatabase=frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: frontend dn: olcDatabase=mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: mdb olcDbMaxSize: 1073741824 olcSuffix: dc=domain,dc=com olcRootDN: cn=root,dc=domain,dc=com olcRootPW: {SSHA}N/Zg9jqjoL1E4xEHc1dGdyTzZiOlEsrs olcDbDirectory: /usr/local/openldap-2.6.1/var/openldap-data olcDbIndex: objectClass eq dn: olcDatabase=monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: monitor olcRootDN: cn=config olcMonitoring: FALSE [root@rayc01 openldap]# ` After import by slapadd and after slapd start, i can add my ou with cn=root by ldapadd. like below: `[root@rayc01 ~]# more base.ldif dn: dc=domain,dc=com dc: domain objectClass: top objectClass: domain dn: ou=People,dc=domain,dc=com objectClass: organizationalUnit ou: People dn: ou=Group,dc=domain,dc=com objectClass: organizationalUnit ou: Group dn: ou=Mounts,dc=domain,dc=com objectClass: organizationalUnit ou: Mounts` But when I try to modify olcLogLevel and olcIdleTimeout in cn=config, I get errors: [root@rayc01 ~]# more log.ldif dn: cn=config changeType: modify replace: olcIdleTimeout olcIdleTimeout: 60 dn: cn=config changeType: modify replace: olcLogLevel olcLogLevel: 256 [root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif ldap_sasl_interactive_bind: Can't contact LDAP server (-1) [root@rayc01 ~]# ldapmodify -x -D cn=root,dc=domain,dc=com -w "xxx@123" -f log.ldif modifying entry "cn=config" ldap_modify: Insufficient access (50) [root@rayc01 ~]# ldapmodify -x -D cn=config -f log.ldif ldap_bind: Server is unwilling to perform (53) additional info: unauthenticated bind (DN with no password) disallowed [root@rayc01 ~]# [root@rayc01 ~]# more 1.ldif dn: olcDatabase={0}config,cn=config #olcRootDN: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth changetype: modify replace: olcAccess olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by dn.base="cn=r oot,dc=huawei,dc=com" read by * none [root@rayc01 ~]# ldapmodify -Y external -H ldapi:/// -f 1.ldif ldap_sasl_interactive_bind: Can't contact LDAP server (-1) [root@rayc01 ~]#

3 6

RE26 testing call #2 (OpenLDAP 2.6.2)
by Quanah Gibson-Mount 02 May '22

02 May '22

This is the second testing call for OpenLDAP 2.6.2. Depending on the results, this may be the final testing call. Generally, get the code for RE26: <https://git.openldap.org/openldap/openldap/-/archive/OPENLDAP_REL_ENG_2_6/o…> Extract, configure, and build. Execute the test suite (via make test) after it is built. Optionally, cd tests && make its to run through the regression suite. Fixes since last testing call: ITS#9802 (further fixes) ITS#9820 ITS#9825 ITS#9831 ITS#9832 Thanks! OpenLDAP 2.6.2 Engineering Added libldap support for OpenSSL 3.0 (ITS#9436) Added slapd support for OpenSSL 3.0 (ITS#9436) Fixed ldapdelete to prune LDAP subentries (ITS#9737) Fixed libldap to drop connection when non-LDAP data is received (ITS#9803) Fixed libldap to allow newlines at end of included file (ITS#9811) Fixed slapd slaptest conversion of olcLastBind (ITS#9808) Fixed slapd to correctly init global_host earlier (ITS#9787) Fixed slapd bconfig locking for cn=config replication (ITS#9584) Fixed slapd usage of thread local counters (ITS#9789) Fixed slapd to clear runqueue task correctly (ITS#9785) Fixed slapd idletimeout handling (ITS#9820) Fixed slapd syncrepl handling of new sessions (ITS#9584) Fixed slapd to clear connections on bind (ITS#9799) Fixed slapd to correctly advance connections index (ITS#9831) Fixed slapd syncrepl ODSEE replication of unknown attr (ITS#9801) Fixed slapd-asyncmeta memory leak in keepalive setting (ITS#9802) Fixed slapd-ldap memory leak in keepalive setting (ITS#9802) Fixed slapd-meta SEGV on config rewrite (ITS#9802) Fixed slapd-meta ordering on config rewrite (ITS#9802) Fixed slapd-meta memory leak in keepalive setting (ITS#9802) Fixed slapd-monitor SEGV on shutdown (ITS#9809) Fixed slapd-monitor crash when hitting sizelimit (ITS#9832) Added slapo-autoca support for OpenSSL 3.0 (ITS#9436) Added slapo-otp support for OpenSSL 3.0 (ITS#9436) Fixed slapo-dynlist dynamic group regression (ITS#9825) Fixed slapo-pcache SEGV on shutdown (ITS#9809) Fixed slapo-ppolicy operation handling to be consistent (ITS#9794) Fixed slapo-translucent to correctly duplicate substring filters (ITS#9818) Build Enviornment Add ability to override default compile time paths (ITS#9675) Fix compiliation with certain versions of gcc (ITS#9790) Fix compilation with openssl exclusions (ITS#9791) Fix warnings from make jobserver (ITS#9788) Contrib Update ppm module to the 2.1 release (ITS#9814) Documentation admin26 Document new lloadd features (ITS#9780) Fixed slapd.conf(5)/slapd-config(5) syncrepl sizelimit/timelimit documentation (ITS#9804) Fixed slapd-sock(5) to clarify "sockresps result" behavior (ITS#8255)

2 4

How to allow openldap searches for all just one group
by gerson.garcia＠itron.com 01 May '22

01 May '22

All, I am inheriting the support of small openldap deployment and I am new to it. I have a request to create a security group to this implementation and only users in this group should have access to manage objects in the ldap. We have something like this: +-dc=nocinbox,dc=com +---ou=groups +---cn=admin +---cn=app-admin +---cn=sec-admin +---ou=users +---cn=admin +---cn=appadmin +---cn=appadmin2 +---cn=secadmin In the olcDatabase configuration I have the following: olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to dn.subtree="dc=nocinbox,dc=inc" by set="[cn=sec-admin,ou=groups,dc=nocinbox,dc=inc]/memberUid & user/uid" write by * read And only secadmin can make changes in the LDAP, that is great. However, all other users can ldapsearch: $ ldapsearch -x -v -H ldaps://openldap:636 -b "dc=nocinbox,dc=inc" -D "cn=admin,ou=users,dc=nocinbox,dc=inc" -W | grep numResponses ldap_initialize( ldaps://openldap:636/??base ) Enter LDAP Password: filter: (objectclass=*) requesting: All userApplication attributes # numResponses: 29 Is there any olcAccess configuration I can used to not allow any user to run ldapsearch but still able to authenticate them? They still need to ssh and access some web servers. Thank you very much, Gerson

3 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2022