openldap-technical

openldap-technical@openldap.org

8 participants
9792 discussions

RE: I can't seem to find the answer to these olcAccess questions
by Quanah Gibson-Mount 14 Sep '17

14 Sep '17

--On Tuesday, September 12, 2017 10:40 PM -0500 Nick Gray <nick(a)graysaustin.com> wrote: > I read the man page, but I guess I understood that the first rule only > matched everything as a far as "what" to access. I thought it went what, > who, permissions > > My intent was to enable both of these to work. > > Access to all > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage > and access to all dn.base=" cn=Manager,dc=local,dc=bob,dc=com" to manage > as well Then it is a single ACL: olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by dn="cn=Manager,dc=local,dc=bob,dc=com" manage --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Olc deployment vs slapd.conf based deployment
by rammohan ganapavarapu 14 Sep '17

14 Sep '17

Hi, I am trying to see what is the best and recommended way of deploying/starting ldap, OLC or conf file based? i was in the impression that conf file based is easy and more controllable approach than OLC? Thanks, Ram

1 0

Import LDIF from old OpenLDAP Server
by Bänsch, Christian (TF) 14 Sep '17

14 Sep '17

Dear list members, My apologies in advance, if it´s not the right place to ask for. I´m an absolute beginner in OpenLDAP and my first job is to relieve our old OpenLDAP Servers installed onto SLES 10.x. and migrate it to new hard- and software. Therefore I´ve installed and configured a test machine with Ubuntu 16.04 LTS to test the migration, import and later login and so on. OpenLDAP is version 2.4.42, installed from package manager. Later OpenLDAP should be running as a "provider/comsumer" for replica. The provider on a new hardware, the consumer within a VM. Both OS should be Ubuntu 16.04 LTS. After initial configuration slapcat show the following entries onto the test machine. ***** dn: dc=ltm,dc=uni-erlangen,dc=de objectClass: top objectClass: dcObject objectClass: organization o: ltm dc: ltm structuralObjectClass: organization entryUUID: bfca1276-1852-1037-80bd-373544139e33 creatorsName: cn=admin,dc=ltm,dc=uni-erlangen,dc=de createTimestamp: 20170818111847Z entryCSN: 20170818111847.816167Z#000000#000#000000 modifiersName: cn=admin,dc=ltm,dc=uni-erlangen,dc=de modifyTimestamp: 20170818111847Z dn: cn=admin,dc=ltm,dc=uni-erlangen,dc=de objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9YUJ2VGF1YVgxODJpNE1zaTVwNkRnVWR2NDN1TnFzZUI= structuralObjectClass: organizationalRole entryUUID: bfd1af40-1852-1037-80be-373544139e33 creatorsName: cn=admin,dc=ltm,dc=uni-erlangen,dc=de createTimestamp: 20170818111847Z entryCSN: 20170818111847.866104Z#000000#000#000000 modifiersName: cn=admin,dc=ltm,dc=uni-erlangen,dc=de modifyTimestamp: 20170818111847Z ***** First I´ve tried with a copy from the original LDAP-Server DB.ldif file from the old server to import, but it fails. Here´s an "extract" from a few lines of DB.LDIF" ***** dn: o=ltm,dc=uni-erlangen,dc=de o: ltm objectClass: organization structuralObjectClass: organization entryUUID: c517ac96-315a-102c-8517-630622d96f14 creatorsName: cn=Administrator,o=ltm,dc=uni-erlangen,dc=de modifiersName: cn=Administrator,o=ltm,dc=uni-erlangen,dc=de createTimestamp: 20071127173437Z modifyTimestamp: 20071127173437Z entryCSN: 20071127173437Z#000000#00#000000 ... ***** After that I´ve created with ldapsearch created an save.ldif file to avoid those lines like creators and modifiers from the running LDAP-Server and tried to import into the new one but it also fails. The error was Server is unwilling to perform (53) additional info: no global superior knowledge Now I´m a little bit confused about import. So I tried to modify the new server entry like the old - my thougt was a conflict in the dn: o=ltm,dc=uni-erlangen,dc=de - but I´ve got no chance. Modifying the new entry onto the test machine says: " Strong(er) authentication required" Could you please give me any hint? Or is there another way? Any help would be greatly appreciated! If you need additional information, please let me know. Thanks in advance! -- Yours sincerely, Christian Baensch

1 0

Re: Where is the '-C' option to 'ldapsearch' documented?
by Howard Chu 13 Sep '17

13 Sep '17

Brian Reichert wrote: > On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote: >> On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote: >>> Is this a supported option? Is it documented somewhere officially? >>> I couldn't find it after a quick search... >> >> According to http://www.openldap.org/its/?findid=7177 it is "deprecated >> and intentionally undocumented". > > Helpful pointer, thanks! > > If it's deprecated, what's the approved method of coercing ldapsearch > to pursue referrals? > ldapsearch shouldn't pursue referrals. The directory server you're using should chain requests for you instead of ever returning referrals. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 3

Re: Where is the '-C' option to 'ldapsearch' documented?
by Howard Chu 13 Sep '17

13 Sep '17

Brian Reichert wrote: > On Tue, Sep 12, 2017 at 10:07:29PM +0100, Howard Chu wrote: >> Brian Reichert wrote: >>> On Tue, Sep 12, 2017 at 01:00:25PM -0700, Ryan Tandy wrote: >>>> On Tue, Sep 12, 2017 at 03:56:07PM -0400, Brian Reichert wrote: >>>>> Is this a supported option? Is it documented somewhere officially? >>>>> I couldn't find it after a quick search... >>>> >>>> According to http://www.openldap.org/its/?findid=7177 it is "deprecated >>>> and intentionally undocumented". >>> >>> Helpful pointer, thanks! >>> >>> If it's deprecated, what's the approved method of coercing ldapsearch >>> to pursue referrals? >>> >> ldapsearch shouldn't pursue referrals. The directory server you're using >> should chain requests for you instead of ever returning referrals. > > Regrettably, the directory server, in this case, is Active Directory. > > https://technet.microsoft.com/en-us/library/cc978014.aspx > > Active Directory returns referrals in accordance with RFC 2251. > > https://social.technet.microsoft.com/Forums/ie/en-US/41d26e7a-a65c-47fe-b81… > > I don't see Microsoft changing their tune anytime soon. :/ > > I have to admit, this is the first I've heard of chaining a request. > > This might a way out for me: > > http://blog.heeresonline.com/2014/04/activedirectory-ldap-referrals-chasing/ > > In any event, it's clear that directory servers _can_ return > referrals, and as such, it surprises me that there isn't a supported > way for OpenLDAP's tool to honor such a configuration. > > I presume this has been discussed to death on this list, but I > couldn't find any historical threads on the topic. Can you provide > some references? The option was removed from the documentation back in 2002. Most likely any discussion would have been on the openldap-software mailing list, which was used before openldap-technical was created. I suggest you look at http://lmgtfy.com/?q=site:openldap.org+referral+ldapsearch -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

I can't seem to find the answer to these olcAccess questions
by Nick Gray 12 Sep '17

12 Sep '17

I have a very simple config that I can show with ldapsearch -LLLQY EXTERNAL -H ldapi:/// -b cn=config olcDatabase=\* dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig olcDatabase: {-1}frontend olcAccess: {0} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0} to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external l,cn=auth" manage olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage dn: olcDatabase={1}monitor,cn=config objectClass: olcDatabaseConfig olcDatabase: {1}monitor olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" read by dn.base="cn=Manager,dc=my-domain,dc=com" read by * none dn: olcDatabase={2}mdb,cn=config objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {2}mdb olcDbIndex: objectClass eq,pres olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub olcDbDirectory: /data/openldap olcRootDN: cn=Manager,dc=local,dc=bob,dc=com olcSuffix: dc=local,dc=bob,dc=com olcRootPW: {SSHA}3E+8/IcRHHTNez5QXlyRMP6mCZODN3LE olcAccess: {0} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage With this config,.shouldn't this work as well ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config olcDatabase=\* My other question is where is there a reference to exactly what "gidNumber=0+uidNumber=0,cn=peercred,cn=external ,cn=auth" means. I can't seem to find one. Thanks Nick

2 2

Where is the '-C' option to 'ldapsearch' documented?
by Brian Reichert 12 Sep '17

12 Sep '17

I was debugging some random issue involving pursuing referrals, and found a note on this page: http://etutorials.org/Server+Administration/ldap+system+administration/Part… And it makes this assertion: By default, the ldapsearch tool shipped with OpenLDAP 2 prints information about referral objects but does not automatically follow them. ... To follow the search referral, give the -C (chase referrals) option when you invoke ldapsearch: And, by golly, it worked! I'm using the openldap-ltb-2.4.39-2.el6.x86_64 RPM package, and that package's manpage and 'ldapsearch --help' show nothing about this option. Is this a supported option? Is it documented somewhere officially? I couldn't find it after a quick search... -- Brian Reichert <reichert(a)numachi.com> BSD admin/developer at large

2 2

Re: OpenLDAP taker a long time (90s+) to shutdown
by Quanah Gibson-Mount 12 Sep '17

12 Sep '17

--On Tuesday, September 12, 2017 8:52 PM +0900 Alexandre Rosenberg <arekkusu(a)r42.ch> wrote: > dbnosync Why did you set this? > I was wondering what is the expected time for OpenLDAP to shutdown. > Also I am unsure if the checkpoiont setting could be related. It generally depends on how much information there is to flush out to disk, and that can depend on the speed of the disk subsystem. I would note, for example, that in some AWS environments, this can take an exceptionally long time. YMMV. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: I can't seem to find the answer to these olcAccess questions
by Quanah Gibson-Mount 12 Sep '17

12 Sep '17

--On Tuesday, September 12, 2017 1:38 PM -0700 Ryan Tandy <ryan(a)nardis.ca> wrote: > On Mon, Sep 11, 2017 at 04:18:20PM -0500, Nick Gray wrote: >> With this config,.shouldn't this work as well >> >> ldapsearch -x -W -D cn=Manager,dc=local,dc=bob,dc=com -b cn=config >> olcDatabase=\* > > The rules on your config database are: > > olcAccess: {0} to * by > dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage > olcAccess: {1} to * by dn="cn=Manager,dc=local,dc=bob,dc=com" manage > > The first matches everything (*), so the second is never consulted. Which is specifically noted in the slapd.access(5) man page: The optional field <control> controls the flow of access rule application. It can have the forms stop continue break where stop, the default, means access checking stops in case of match. So as noted in the man page, ACL processing stops at the first matching access rule. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Invalid credentials problem
by Quanah Gibson-Mount 12 Sep '17

12 Sep '17

--On Tuesday, September 12, 2017 2:34 PM +0000 JC <lovecraftesque(a)yahoo.com> wrote: > > > > Thanks. I now know. Perhaps OpenLDAP might return a somewhat less > misleading error diagnostic in situations like this? It is not misleading, it is as per RFC. The issue is more, being new to LDAP, you're not aware of what the message means. ;) Also, please keep replies on the -technical list. More specifically, invalid credentials simply means some part of the credentials supplied is incorrect. In your case it was the DN. Regards, Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical