Re: dynlist overlay, memberURL not working on specified attributes
by Bog Dan
Thanks for your reply, I'll try to explain.
Populating the memberOf attribute on user entries works well using this:
olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf
The user entry looks as follows:
dn: uid=test1,ou=people,dc=test,dc=com
sambaAcctFlags: [U ]
sambaPwdLastSet: 9999999999
sambaNTPassword: pass
o: test
sambaSID: S-1-5-21-3945181060-1826002392-430723570
pwdPolicySubentry: cn=noexpire,ou=ppolicy,dc=test,dc=com
createTimestamp: 20220529070624.324Z
description: User account
userPassword:: pass
sambaPwdCanChange: 1528009736
sambaPwdMustChange: 0
mail: test1(a)test.com
loginShell: /bin/bash
givenName: Test1
sambaLogonTime: 0
sn: Test
cn: Test1 Test
objectClass: posixAccount
objectClass: top
objectClass: inetOrgPerson
objectClass: person
objectClass: organizationalPerson
objectClass: sambaSamAccount
objectClass: shadowAccount
homeDirectory: /home/test1
pwdChangedTime: 20220529070856.504Z
gidNumber: 1002
uidNumber: 1002
uid: test1
structuralObjectClass: inetOrgPerson
entryUUID: 348cd83e-7c6a-103c-8612-1918ce7a0bc4
creatorsName: cn=admin,dc=test,dc=com
labeledURI: ldap:///ou=groups,dc=test,dc=com??sub?(|(&(objectclass=groupOfUniqueNames)(uniqueMember=uid=test1,ou=people,dc=test,dc=com))(&(objectClass=posixGroup)(memberUid=test1)))
entryCSN: 20220609180738.487916Z#000000#001#000000
modifiersName: cn=admin,dc=test,dc=com
modifyTimestamp: 20220609180738Z
memberOf: cn=devops,ou=groups,dc=test,dc=com
entryDN: uid=test1,ou=people,dc=test,dc=com
subschemaSubentry: cn=Subschema
hasSubordinates: FALSE
Static group entry:
cn=devops,ou=groups,dc=test,dc=com
cn: devops
objectClass: groupOfUniqueNames
objectClass: top
description: devops group
uniqueMember: uid=test1,ou=people,dc=test,dc=com
uniqueMember: uid=test2,ou=people,dc=test,dc=com
Next, what I want to do is aggregate multiple groups into one virtual group using this:
olcDynListAttrSet: {0}groupOfURLs memberURL member
Then I create the appropriate group:
cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
but this doesn't add member entries to this group. When I change memberURL as follows:
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))
the member attribute is added to the testluri group:
cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
member: uid=test1,ou=people,dc=test,dc=com
member: uid=test2,ou=people,dc=test,dc=com
but this is not the goal. As I mentioned, I want to aggregate multiple groups into one using the memberOf attribute in memberURL:
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
but this is not working. What am I doing wrong?
Regards
BS
Wed, 29 Jun 2022 at 19:17 Quanah Gibson-Mount <quanah(a)fast-mail.org> wrote:
>
> --On Tuesday, June 28, 2022 12:18 PM +0200 Bog Dan <bsiara.cgi(a)gmail.com>
> wrote:
>
> >
> > Hi All,
> > I have a problem with the dynlist overlay; this is my configuration:
> >
> > olcOverlay={1}dynlist,olcDatabase={1}mdb,cn=config
> > objectClass: olcOverlayConfig
> > objectClass: olcDynListConfig
> > olcOverlay: {1}dynlist
> > olcDynListAttrSet: {0}groupOfURLs memberURL member
> > olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf
> >
> > First I create static group:
> >
> > cn=devops,ou=groups,dc=test,dc=com
> > cn: devops
> > objectClass: groupOfUniqueNames
> > objectClass: top
> > description: devops group
> > uniqueMember: uid=test1,ou=people,dc=test,dc=com
> > uniqueMember: uid=test2,ou=people,dc=test,dc=com
> >
> > When I create new dynamic group:
> >
> > cn=testluri,ou=groups,dc=test,dc=com
> > cn: testluri
> > objectClass: top
> > objectClass: groupOfURLs
> > description: test group
> > memberURL:
> > ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
> >
> > I don't get any members in the group. Users test1 and test2 already have
> > the memberOf attribute:
> >
> > memberOf: cn=devops,ou=groups,dc=test,dc=com
> >
> > When I change memberURL to not use dynamic attributes (memberOf):
> >
> > memberURL:
> > ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))
> >
> > users are added to the testluri group and dynlist works well.
> > What should I do to configure dynlist with memberOf?
>
> I've read your email multiple times, and quite frankly I don't understand
> what your end goal is.
>
> If your end goal is to have static groups, where memberOf is dynamically
> populated on the user entries (which is the usual use case for replacing
> the 2.4 memberOf), then your configs are clearly incorrect.
>
> Can you better explain what your end goal is?
>
> Thanks,
> Quanah
5 days, 21 hours
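A way to inspect the configuration discussed in this thread, written as an added example rather than anything from the thread or the OpenLDAP project: it parses the memberURL/labeledURI LDAP URLs (RFC 4516 form) and the olcDynListAttrSet lines quoted above, and reports which URL filters depend on an attribute that dynlist itself generates (memberOf here), the combination the poster reports as not populating member, versus filters on stored attributes such as uid, which do. The attrset syntax handled is only the plain member-ad[+memberOf-ad] form used in the thread, and the sample values are copied from it.

```python
import re
from urllib.parse import unquote

SCOPES = {"": "base", "base": "base", "one": "one", "sub": "sub", "subordinate": "subordinate"}
ATTRSET_RE = re.compile(r"^\{\d+\}")  # strips the {n} ordering prefix of cn=config values
FILTER_ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)\s*(?:~=|>=|<=|=|:)")  # "(attr<op>" positions

def parse_ldap_url(url):
    """Split an RFC 4516 URL ldap://host/dn?attrs?scope?filter?extensions into its parts."""
    m = re.match(r"^(ldaps?)://([^/]*)/(.*)$", url)
    if not m:
        raise ValueError("not an LDAP URL: %r" % url)
    scheme, host, rest = m.groups()
    dn, attrs, scope, filt, exts = (rest.split("?") + [""] * 5)[:5]  # missing parts default to ""
    if scope not in SCOPES:
        raise ValueError("unknown scope %r in %r" % (scope, url))
    return {"scheme": scheme, "host": host, "base": unquote(dn),
            "attrs": [a for a in attrs.split(",") if a], "scope": SCOPES[scope],
            "filter": unquote(filt) or "(objectClass=*)",  # RFC 4516 default filter
            "extensions": [e for e in exts.split(",") if e]}

def filter_attributes(filt):
    """Attribute types referenced by a search filter, case-folded (LDAP names are case-insensitive)."""
    return {a.lower() for a in FILTER_ATTR_RE.findall(filt)}

def generated_attributes(attrset_lines):
    """Attributes dynlist fills in, from 'olcDynListAttrSet: {n} <oc> <URL-ad> [<member-ad>[+<memberOf-ad>]]'."""
    generated = set()
    for line in attrset_lines:
        value = ATTRSET_RE.sub("", line.split(":", 1)[1].strip())
        for spec in value.split()[2:]:  # skip <group-oc> and <URL-ad>; the rest are generated
            generated.update(part.split("@")[0].lower() for part in spec.split("+"))
    return generated

def dynamic_filter_dependencies(url, attrset_lines):
    """Generated attributes the URL's filter relies on; an empty list means the
    filter only uses stored attributes, the case the thread reports as working."""
    deps = filter_attributes(parse_ldap_url(url)["filter"])
    return sorted(deps & generated_attributes(attrset_lines))

# Constructed from the configuration and group entries quoted in the thread.
CONFIG = [
    "olcDynListAttrSet: {0}groupOfURLs memberURL member",
    "olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf",
]
URL_MEMBEROF = "ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)"
URL_UID = "ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))"

for url in (URL_MEMBEROF, URL_UID):
    print(url, "->", dynamic_filter_dependencies(url, CONFIG) or "stored attributes only")
```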
dynlist overlay, memberURL not working on specified attributes
by Bog Dan
Hi All,
I have a problem with the dynlist overlay; this is my configuration:
olcOverlay={1}dynlist,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {1}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member
olcDynListAttrSet: {1}inetOrgPerson labeledURI memberOf
First I create static group:
cn=devops,ou=groups,dc=test,dc=com
cn: devops
objectClass: groupOfUniqueNames
objectClass: top
description: devops group
uniqueMember: uid=test1,ou=people,dc=test,dc=com
uniqueMember: uid=test2,ou=people,dc=test,dc=com
When I create new dynamic group:
cn=testluri,ou=groups,dc=test,dc=com
cn: testluri
objectClass: top
objectClass: groupOfURLs
description: test group
memberURL:
ldap:///ou=people,dc=test,dc=com??sub?(memberOf=cn=devops,ou=groups,dc=test,dc=com)
I don't get any members in the group. Users test1 and test2 already have
the memberOf attribute:
memberOf: cn=devops,ou=groups,dc=test,dc=com
When I change memberURL to not use dynamic attributes (memberOf):
memberURL: ldap:///ou=people,dc=test,dc=com??sub?(|(uid=test1)(uid=test2))
users are added to the testluri group and dynlist works well.
What should I do to configure dynlist with memberOf?
OpenLDAP 2.5.12
Regards
BS
6 days, 13 hours
role manage can bypass pwdCheckQuality with MOD but not with ADD op
by tempo@net-c.com
Hi,
I'm currently doing some testing on userPassword management with OpenLDAP 2.5.9.
I noticed that I could MOD a userPassword without checking quality if my admin role was "manage".
However, if I try to ADD a user with its userPassword attribute set, then quality is checked although the role is "manage".
The ppolicy in both cases is the default one (policy subentry not set).
Is this normal behavior?
Regards,
1 week
setting slapd logging to STDOUT only
by Alceu Rodrigues de Freitas Junior
Greetings,
My name is Alceu and I'm new to this list.
I'm experimenting with OpenLDAP at a Google Cloud, running it as a Pod
inside a GKE cluster.
I've been struggling to set up slapd to send its logs to STDOUT only,
but it seems in most cases the logs are sent to STDERR. The problem is,
for GCP Log Explorer, everything that is sent to STDERR is considered an
error, even when it's not. :-)
Here is a reference:
https://stackoverflow.com/questions/71158475/gcp-log-explorer-shows-wrong....
I'm using this open source project
<https://github.com/osixia/docker-openldap> to deploy OpenLDAP as a
Docker container, but there is no configuration option for that. I would
like to make it clear that this project is not using the latest OpenLDAP
stable version.
AFAIK, slapd will use the syslog facility for logging and will write to the
terminal if the "-d" option is in use, which in fact it is:
$ docker exec -ti openldap /bin/bash
root@56529dea5931:/# ps aux
USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND
root 1 0.7 0.2 76528 47232 ? Ss 20:54 0:00
/usr/bin/python -u /container/tool/run --loglevel debug
openldap 21 0.1 0.0 294932 14844 ? Sl 20:54 0:00
/usr/sbin/slapd -h ldap://56529dea5931 ldaps://56529dea5931 ldapi:/// -u
openldap -g openldap -d 256
root 25 1.0 0.0 19868 3600 pts/0 Ss 20:54 0:00 /bin/bash
root 32 0.0 0.0 38312 3364 pts/0 R+ 20:54 0:00 ps aux
Is there any way to configure slapd to use STDOUT for everything,
besides using shell redirection (2>&1)?
Thanks in advance,
Alceu
1 week, 2 days
Setting to suppress "connection_read(XXX): no connection!"
by Uwe Sauter
Dear list,
is there a way to configure slapd to not emit messages regarding "connection_read(XXX): no connection!"?
Currently the configuration contains "loglevel none" but these messages are sent to syslog
local4.debug regardless.
In case the version is relevant, this is 2.4.59 on RHEL 8.4. slapd is started with URL list
"ldap:/// ldaps:/// ldapi:///"
Thanks,
Uwe
1 week, 4 days
rwm bindDN context and ppolicy issues
by Kartik Subbarao
I'm able to specify rwm bindDN rules without password-policy enabled
just fine, like this one:
rwm-rewriteContext bindDN
rwm-rewriteRule "^([^=]+)=([^@]+)@olddomain.com(.+),dc=olddomain,dc=com$" "$1=$2@newdomain.com$3,dc=newdomain,dc=com" ":@"
However, when I enable password policy (which also works fine on its
own), slapd segfaults. From doing a backtrace and stepping through the
code, it looks like the crux of the issue is that the mdb_info struct
ends up with garbage data:
struct mdb_info *mdb = (struct mdb_info *) op->o_bd->be_private;
mi_dbenv_home and mi_monitor have random stuff in them.
I'm mulling over how much additional time to spend on this. rwm is a
very elegant solution to a current issue that could save me a bunch of
time to set up additional LDAP servers with the renamed data. If this is
an isolated bug for which a quick fix might be possible, I might
investigate further.
But if it's a thorny issue or just the tip of the iceberg of things
where rwm might break unexpectedly, then it may be better for me to
consider other options. OpenLDAP developers, what do your instincts say
on this?
Regards,
-Kartik
1 week, 5 days
Re: LDAP over TLS not doing hostname verification in version 2.4.59
by radiatejava
Could any of these issues be responsible? Just checking.
OpenLDAP 2.4.46 Release (2018/03/22)
Fixed libldap connection delete callbacks when TLS fails to start (ITS#8717)
Fixed libldap to not reuse tls_session if TLS hostname check fails (ITS#7373)
Thanks
On Wed, Jun 22, 2022 at 7:51 AM Quanah Gibson-Mount
<quanah(a)fast-mail.org> wrote:
>
> --On Tuesday, June 21, 2022 11:29 PM -0700 radiatejava
> <radiatejava(a)gmail.com> wrote:
>
> > I raised the issue https://bugs.openldap.org/show_bug.cgi?id=9869 but
> > it has been set to verified/invalid state now. However, I do not know
> > which version addresses the issue. Can anyone tell me which version
> > would still verify the hostname when doing LDAP over TLS.
>
> The OpenLDAP 2.4 series is historic, no bug reports for it will be
> considered.
>
> No changes have been made to OpenLDAP 2.4 series to disable hostname
> verification by the OpenLDAP project. If you are using libraries provided
> by downstream distributions, they may have made unauthorized changes to how
> libldap functions in regards to TLS. Additionally, if you were using an
> OpenSSL linked libldap and are now using a GnuTLS linked libldap, then some
> behaviors are different as documented in the man pages.
>
> Generally I'd advise starting with a supported version of OpenLDAP.
>
> Regards,
> Quanah
1 week, 5 days
How to relay read and write requests to different ldap servers
by nagamani.chinnapaiyan@viasat.com
Hi,
I am new to LDAP. We have 4 LDAP servers: 2 of them are mirror-mode providers, 2 of them are just consumers/replicas.
I am working on a load balancer for these 4 LDAP servers using the ldap/meta backend.
I want the LDAP proxy/load balancer to:
redirect write requests to one of the 2 mirror-mode providers;
redirect read requests to any of the 2 replicas/consumers.
I know the ldap backend has a URI list which can be used to redirect to the mirror-mode providers. But I want to redirect only the write requests.
Regards,
Nagamani Chinnapaiyan
1 week, 6 days
LDAP over TLS not doing hostname verification in version 2.4.59
by radiatejava
My software was using openldap client 2.4.44 to talk to the LDAP
server. We have shifted to 2.4.59 now to address some issues. Ever
since we shifted, the new version is allowing LDAP over TLS without
hostname verification.
In the older version 2.4.44, I always got this error if the hostname did not
match the CN value:
return code -1 - Can't contact LDAP server) diagnostic message TLS:
hostname does not match CN in peer certificate
But after the lib update, there is no such error even if I am using the LDAP server
IP to do the LDAP bind while the LDAP server certificate has CN set to some
FQDN (say test.ldap.com). Our client-side code has not changed while
we updated the ldap lib. For our client, we are only doing these
settings:
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTDIR, lCertsDir)
ldap_set_option(NULL, LDAP_OPT_X_TLS_CACERTFILE, lCert)
Has there been any change in this regard? How do I enforce hostname
verification now?
I raised the issue https://bugs.openldap.org/show_bug.cgi?id=9869 but
it has been set to verified/invalid state now. However, I do not know
which version addresses the issue. Can anyone tell me which version
would still verify the hostname when doing LDAP over TLS?
Thanks.
1 week, 6 days