openldap-technical

openldap-technical@openldap.org

7 participants
9965 discussions

pwdPolicySubentry: value #0 already exists
by Douglas Duckworth 25 Oct '17

25 Oct '17

Hi I am trying to make sure my bind Service Account's password does not expire. I set this in ou=Policies with the intention that the policy would only be applied to this user: # Policies, domain dn: ou=Policies,domain ou: Policies objectClass: organizationalUnit # CustomBindAccountPolicy, Policies, domain dn: cn=CustomBindAccountPolicy,ou=Policies,domain objectClass: person objectClass: top cn: passwordDefault cn: CustomBindAccountPolicy sn: passwordDefault pwdAttribute: userPassword pwdMinAge: 0 pwdMaxAge: 0 pwdLockout: FALSE However, I do not see this dn referenced on the user: # importantuser, Service Accounts, domain dn: uid=importantuser,ou=Service Accounts,domain objectClass: top objectClass: account objectClass: posixAccount objectClass: extensibleObject uid: binduser cn: bind sn: user givenName: binduser title: Account loginShell: /dev/null uidNumber: 123 gidNumber: 456 homeDirectory: /dev/null description: Service Account userPassword:: password123 When I try to add using ldapadd and this ldif: dn: uid=importantuser,ou=Service Accounts,domain changetype: modify add: pwdPolicySubentry pwdPolicySubentry: cn=CustomBindAccountPolicy,ou=Policies,dc=davinci,dc=med,dc=cornell,dc=edu I get this error: me@nsa[~/ldap]$ ladd server.ldif Enter LDAP Password: modifying entry "uid=importantuser,ou=Service Accounts,domain" ldap_modify: Type or value exists (20) additional info: modify/add: pwdPolicySubentry: value #0 already exists Do you have any idea what could be happening? My ACL's allow the binduser to see everything so I don't understand what's happening. Thank you very much! Thanks, Douglas Duckworth, MSc, LFCS HPC System Administrator Scientific Computing Unit Physiology and Biophysics Weill Cornell Medicine E: doug(a)med.cornell.edu O: 212-746-6305 F: 212-746-8690

2 1

How do internet-facing, multi-domain ldap servers handle TLS?
by John Lewis 20 Oct '17

20 Oct '17

How do internet-facing, multi-domain ldap servers handle TLS? Do they go multi-port or do they use one TLS certificate that covers all of the domains, or do they get more IP addresses that are all on different domains?

1 0

Re: Antw: Re: [Q] amendments to schemes existent
by Zeus Panchenko 20 Oct '17

20 Oct '17

Ulrich Windl <Ulrich.Windl(a)rz.uni-regensburg.de> wrote: > But you are basically changing the semantics of attribute authorizedService: > Before "*" was literal, after it is magic (substring match). > > The discussion on which variant is more useful is a different issue ;-) for *my* flow, the variant of original schema is unusable since I have pleny of values and to hardcode all of them for all available searches is not good idea, to my mind ... if to return to the starting question: is there other way to get originally SUBSTR-less attributes to be matchable by substring, except hacking the scheme? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 4

ldapsearch and inherit attributes
by Sylvain 19 Oct '17

19 Oct '17

Hi, If "AAA" is the superior attribute of "BBB" and if I do ldapsearch uid=sylvain AAA. Results will include BBB attributes. Is this possible for ldapsearch to return only AAA ? Thanks, Sylvain

1 0

[Q] amendments to schemes existent
by Zeus Panchenko 18 Oct '17

18 Oct '17

greetings, I'm wondering of search possibility lack for some attributes my question is: is it correct/good/sane/e.t.c. to patch them this way? is there other way to get those attributes searchable? for example I have to patch some schemes like this: ---[ PATCH SAMPLES START ]--------------------------------------------------- --- dhcp.schema.orig 2017-08-25 13:14:26.691570000 +0300 +++ dhcp.schema 2017-08-25 13:15:56.558980000 +0300 @@ -14,6 +14,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpStatements' EQUALITY caseIgnoreIA5Match DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 2.16.840.1.113719.1.203.4.4 @@ -38,6 +39,7 @@ attributetype ( 2.16.840.1.113719.1.203. NAME 'dhcpOption' EQUALITY caseIgnoreIA5Match DESC 'Encoded option values to be sent to clients. Each value represents a single option and contains (OptionTag, Length, OptionValue) encoded in the format used by DHCP.' + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) attributetype ( 2.16.840.1.113719.1.203.4.8 @@ -199,6 +201,7 @@ attributetype ( 2.16.840.1.113719.1.203. attributetype ( 2.16.840.1.113719.1.203.4.34 NAME 'dhcpHWAddress' EQUALITY caseIgnoreIA5Match + SUBSTR caseIgnoreIA5SubstringsMatch DESC 'The clients hardware address that requested this IP address.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) --- ldapns.schema.orig 2014-09-15 23:47:56.135989000 +0300 +++ ldapns.schema 2015-02-15 23:50:53.714906292 +0200 @@ -1,6 +1,7 @@ attributetype ( 1.3.6.1.4.1.5322.17.2.1 NAME 'authorizedService' DESC 'IANA GSS-API authorized service name' EQUALITY caseIgnoreMatch + SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} ) objectclass ( 1.3.6.1.4.1.5322.17.1.1 NAME 'authorizedServiceObject' --- nis.schema.orig 2017-02-11 21:38:48.984906000 +0200 +++ nis.schema 2017-10-02 13:20:52.140691000 +0300 @@ -55,6 +55,7 @@ attributetype ( 1.3.6.1.1.1.1.2 NAME 'ge attributetype ( 1.3.6.1.1.1.1.3 NAME 'homeDirectory' DESC 'The absolute path to the home directory' EQUALITY caseExactIA5Match + SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE ) attributetype ( 1.3.6.1.1.1.1.4 NAME 'loginShell' ---[ PATCH SAMPLES STOP ]--------------------------------------------------- -- IT dpt., I.B.S. LLC

2 2

[ldapmodify] multiple entries of the same attibute
by richard lucassen 18 Oct '17

18 Oct '17

Hello list, I've got records with e.g. multiple mail: entries per dn: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org [ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ] mail: user1(a)example.com mail: user2(a)example.com mail: user3(a)example.com GUI ldap clients like jxplorer are able to change a single mail: entry. Using "ldapmodify" I replace the first mail: entry, but it will delete the other mail: antries: ################################################################# change.diff file: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=com changetype: modify replace: mail mail: otheruser(a)example.com - ################################################################# invoke: ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f change.ldif ################################################################# result: dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org [ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ] mail: otheruser(a)example.com ################################################################# Is there a way to tell ldapmodify to change just a particular entry? R. -- richard lucassen http://contact.xaq.nl/

4 6

Re: Empty directory memory consumption
by Quanah Gibson-Mount 18 Oct '17

18 Oct '17

--On Wednesday, October 18, 2017 5:04 PM +1300 Ivan Kurnosov <zerkms(a)zerkms.ru> wrote: > I have found, that just installed slapd (2.4.42+dfsg-2ubuntu3.2) on > ubuntu 16.04 consumes 730MB+ or resident memory (RSS). Only consumes 12 MB on my Ubuntu 16.04 system. But I don't use the build supplied by Ubuntu, I use my own. So I cannot say what Ubuntu's done to cause this. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Empty directory memory consumption
by Ivan Kurnosov 17 Oct '17

17 Oct '17

Hi, I have found, that just installed slapd (2.4.42+dfsg-2ubuntu3.2) on ubuntu 16.04 consumes 730MB+ or resident memory (RSS). It's an empty database (with `cn=config` only and whatever comes by default), is it supposed to consume so much memory? -- With best regards, Ivan Kurnosov

1 0

Re: Admin roles by group membership per OU
by Quanah Gibson-Mount 16 Oct '17

16 Oct '17

--On Monday, October 16, 2017 6:05 PM +0200 Ervin Hegedüs <airween(a)gmail.com> wrote: >> Hm, yes, that's correct. You'll need to do something like utilize by * >> break appropriately, or have multiple "access to userPassword" ACLs by >> group, then a catchall after that. > > I'm sorry - could you give me an example? Sure, no problem. :) One way to do it is to have an access line per subtree for those attributes, adding the group permission, with a final access to just userPassword itself limiting off all other access for anything outside of those trees: dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write ... Addtional subtree ACLs with groups for userPassword/shadowLastChange access... olcAccess: {#}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read olcAccess: {#}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read olcAccess: {#}to * by * read The other option is to use "by * break", which tells slapd to continue processing additional rules. If you do that, you'll need to be particularly careful not to give access beyond what you intended. For that purpose, I added a final ACL rule that says zero access to userPassword prior to the "* by * read" ACL. dn: olcDatabase={1}mdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read by * break olcAccess: {1}to dn.children="ou=ABC Customer,dc=core,dc=hdt,dc=hu" by self write by group.exact="cn=groupabcadmin,ou=ABC Customer,dc=core,dc=hdt,dc=hu" write by dn="uid=repuser,dc=core,dc=hdt,dc=hu" read ... Additional subtree ACLs with groups ... olcAccess: {#} to userPassword by * none olcAccess: {#}to * by * read --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

1 0

Re: Admin roles by group membership per OU
by Quanah Gibson-Mount 16 Oct '17

16 Oct '17

--On Monday, October 16, 2017 5:55 PM +0200 Ervin Hegedüs <airween(a)gmail.com> wrote: > without any real testing, I'm afraid that the rule{0} gives the > write access to cn=groupabcadmin to _all_ db, not just the ou=ABC > Cumstomer subtree. > > Em I right? Hm, yes, that's correct. You'll need to do something like utilize by * break appropriately, or have multiple "access to userPassword" ACLs by group, then a catchall after that. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical