openldap-technical

openldap-technical@openldap.org

9 participants
9902 discussions

Is Openldap a Authorization or Authentication system?
by Kaushal Shriyan 11 Aug '15

11 Aug '15

Hi, I am not sure if i understand the difference between Authorization and Authentication. Does Openldap support both or it supports or configured as Authorization or Authentication server? I will appreciate if somebody can help me understand with some examples. Regards, Kaushal

5 5

When using the rwm, openldap down
by デージーネット大野公善 07 Aug '15

07 Aug '15

Hi. When I changed configuration for openldap, openldap stopped. (Aborted) I was carried out the following operations. (1) I created the following environment. ---- ---- ---- ---- # ldapsearch -LLL -Y EXTERNAL -b 'olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config' -H ldapi:/// SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig objectClass: olcRwmConfig olcOverlay: {0}rwm olcRwmRewrite: {0}rwm-rewriteEngine on olcRwmRewrite: {1}rwm-rewriteContext searchFilter olcRwmRewrite: {2}rwm-rewriteRule "aaa" "111" ":@" olcRwmRewrite: {3}rwm-rewriteRule "bbb" "222" ":@" ---- ---- ---- ---- (2) I created the following ldif file. ---- ---- ---- ---- dn: olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config changetype: modify delete: olcRwmRewrite olcRwmRewrite: rwm-rewriteRule "aaa" "111" ":@" - ---- ---- ---- ---- (3) I was carried out ldapmodify. ---- ---- ---- ---- # ldapmodify -Y EXTERNAL -H ldapi:/// -f down.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config" ldap_result: Can't contact LDAP server (-1) ---- ---- ---- ---- In this case, openldap has stopped. : : 55c45c8b connection_get(16) 55c45c8b ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 55c45c8b SASL Canonicalize [conn=1000]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b slap_sasl_getdn: conn 1000 id=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth [len=55] 55c45c8b SASL Canonicalize [conn=1000]: slapAuthcDN="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b SASL proxy authorize [conn=1000]: authcid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" authzid="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" 55c45c8b connection_get(16) 55c45c8b conn=1000 op=1 do_modify: dn (olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config) => ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config,0) <= ldap_bv2dn(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 => ldap_dn2bv(272) <= ldap_dn2bv(olcOverlay={0}rwm,olcDatabase={1}bdb,cn=config)=0 55c45c8b conn=1000 op=1 modifications: 55c45c8b delete: olcRwmRewrite 55c45c8b one value, length 32 55c45c8b [slapd:0] unknown command '' slapd: rwm.c:2195: rwm_cf_gen: Assertion `rc == 0' failed. Aborted Is this openldap BUG? -- Regards, Kimiyoshi Ohno DesigNET.INC.

3 2

Re: Manager Attribute
by mlstarling31＠hotmail.com 06 Aug '15

06 Aug '15

------ Original message------From: Michael StröderDate: Thu, Aug 6, 2015 2:30 PMTo: mlstarling31@hotmail.com;openldap-technical@openldap.org;Subject:Re: Manager Attribute mlstarling31(a)hotmail.com wrote:> could you expound on your statement below?"Think twice:> - namespace> - obsolete information, referential integrity> etc."Pretty soon free-form text fields tend to contain malformed and obsolete dataand hence are pretty unuseful.Ciao, Michael.I see. Thank you.

1 0

New Listmember with a olcAccess question
by Fischer, Johannes 06 Aug '15

06 Aug '15

Hi @all, I've tried to implement a olcAccess via regex for multiple directory entries. The goal was to group different users in two standard groups. Each group does have other access rules. I didn't what to do such a thing for every entry, so I thought that I'm able to do that with regexes. But my olcAccess rules doesn't work. I've already posted the question to stackoverflow, but no answers till now. Here the link: http://stackoverflow.com/questions/31693040/ldap-olcaccess-regex-are-not-wo… And here the rule for a regex access: olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none Does somebody can help me? Or is such a thing not possible to do? Greetings John PS: the content from Stackoverflow: ---------------------------------------------------------------------------------------- I have a LDAP server runnign with the Structure: dc=example,dc=ldap dc=organisations o=orga1 (objectClasses top/organisation/dcObject) cn=ADMINS (objectClasses top/groupOfNames) cn=USER o=orga2 cn=ADMIN cn=USER cn=users (objectClasses top/organisation/dcObject) cn=user1 (objectClasses top/person) cn=user2 Now I whant to add some rules that only the users in the organisation groups are able to see the organisation. the hard coded approach was quite easy to implement: olcAccess: {1}to dn.subtree="o=orga1,dc=organizations,dc=example,dc=ldap" by group.exact="cn=ADMINS,o=orga1,dc=organizations,dc=example,dc=ldap" write by group.exact="cn=USER,o=orga1,dc=organizations,dc=example,dc=ldap" read by * none (It is important to write TWO spaces in front of the 'by' [It was an problem for a long time for me]) But I don't whant to implement these rules for every new organisation, so I tried to implement the rule with some regex magig. But I failed misserably: olcAccess: {1}to dn.regex="^o(.+),dc=organizations,dc=example,dc=ldap$" attrs=children by group.exact="cn=ADMINS,o=[$1],dc=organizations,dc=example,dc=ldap$" write by group.exact="cn=USER,o=[$1],dc=organizations,dc=example,dc=ldap$" read by * none This rule affects nothing. So does someone have some idea to fix my problematic? Or is it not possible to group the members like I did? Thanks again -- Johannes Fischer Research Fellow Fraunhofer Institute for Manufacturing Engineering and Automation IPA Competence Centre Digital Tools for Manufactoring Nobelstrasse 12 │ 70569 Stuttgart | Germany Phone +49 711 970-1217 Johannes.Fischer(a)ipa.fraunhofer.de<mailto:Johannes.Fischer@ipa.fraunhofer.de> www.ipa.fraunhofer.de<http://www.ipa.fraunhofer.de/> [cid:image001.png@01D0D01E.D4211AC0]

3 2

build ldap tree with same meta and db suffix
by Aleks 06 Aug '15

06 Aug '15

Hi dear list members. I need to create the following ldap-tree #### dc=example dc=customers-ext,dc=example dc=MetaOrgTree01,dc=customers-ext,dc=example dc=MetaOrgTree02,dc=customers-ext,dc=example ... dc=MetaOrgTree0n dc=customers,dc=example dc=MetaOrgTree01,dc=customers,dc=example dc=MetaOrgTree02,dc=customers,dc=example ... dc=MetaOrgTree0n dc=appuser,dc=example # < this is a mdb uid=bindUser ############### I was able to create the base setup with the following commands. export LD_LIBRARY_PATH=$LD_LIBRARY_PATH:/opt/local/BDB/lib /opt/local/openldap-2.4.41/sbin/slapadd -F /opt/local/conf/openldap/ldap.example.at/ -l ldifs/initial_ldap.example.at.ldif -n0 /opt/local/openldap-2.4.41/libexec/slapd -l local5 -F /opt/local/conf/openldap/ldap.example.at/ -h "ldap://0.0.0.0:10689 ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock" /opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f meta-ldifs/MetaOrgTree01_meta.ldif and now I'm not able to create the dc tree ( add_and_build_root_dc_tree.ldif ) /opt/local/openldap-2.4.41/bin/ldapmodify -D 'cn=config' -w <PASSWORD> -H ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock -v -f add_and_build_root_dc_tree.ldif ldap_initialize( ldapi://%2fvar%2fopt%2fopenldap%2frun%2fslapd-ldap.sock/??base ) add objectClass: top dcObject organization add o: example add description: MyOrg add dc: parent adding new entry "dc=example" ldap_add: Server is unwilling to perform (53) additional info: no global superior knowledge ################## When I create a "olcDatabase=mdb,cn=config" with olcSuffix: dc=example I'm able to create everything but when I try to add another meta target in the db suffix I get the message following message adding new entry "olcDatabase={5}meta,cn=config" ldap_add: Other (e.g., implementation specific) error (80) additional info: <olcSuffix> namingContext "dc=MetaOrgTree02,dc=customers,dc=example" already served by a preceding mdb database Which is clear as the doc say this. http://www.openldap.org/software/man.cgi?query=slapd-meta&sektion=5&apropos… ######### These slapd.conf options apply to the META backend database. That is, they must follow a "database meta" line and come before any subsequent "backend" or "database" lines. ######### But how was expected to add another meta entry in a running and working system? Please can anyone help me to find a working solution. The used ldifs: http://download.none.at/initial_ldap.example.at.ldif http://download.none.at/MetaOrgTree01_meta.ldif http://download.none.at/add_and_build_root_dc_tree.ldif openldap: ##### openldap-2.4.41 ./configure --enable-bdb --enable-ldap --enable-meta --prefix=/opt/local/openldap-2.4.41 --enable-dynlist --enable-memberof --with-tls=openssl --enable-rwm --enable-accesslog --enable-syncprov LDFLAGS="-L/opt/local/BDB/lib -L/usr/sfw/lib -R/usr/sfw/lib" CPPFLAGS="-I/opt/local/BDB/include -I/opt/local/build/openssl-0.9.7a/include/" SunOS 5.10 sun4v sparc SUNW,Sun-Fire-T200 ########### I hope I have explained the setup and the question understandable. Maybe I think not ldap-isch enough Thanks everybody for help. Best regards Aleks

1 0

Re: Manager Attribute
by mlstarling31＠hotmail.com 06 Aug '15

06 Aug '15

------ Original message------From: Michael StröderDate: Thu, Aug 6, 2015 12:52 PMTo: Michael;openldap;Subject:Re: Manager Attribute Michael wrote:> Looking at the OpenLDAP schema it appears to use the "manager" attribute> the filed requires the dn: of the object.Yes.> Is there another attribute similar to the manager attribute that will take> a simple syntax such as "John Doe".AFAIK not in schema shipped with OpenLDAP.> There are a good deal of managers in our organization that don't have LDAP> accounts and therefore naturally don't have a DN to specify in this field.> I don't want the extra overhead of creating these DN's just for the sake of> using this this attribute if I don't have to.Think twice:- namespace- obsolete information, referential integrityetc.If you really need a freeform text field for arbitrary names then simplydefine your own schema:http://www.openldap.org/faq/data/cache/219.htmlCiao, Michael. Thanks Michael.Could you expound on your statement below?"Think twice: - namespace - obsolete information, referential integrity etc."

2 1

Re: About issues with syncprov configuration
by Édnei Rodrigues 06 Aug '15

06 Aug '15

Ahh, right. Understood. Thank you for your explanation. Good day. Em 06/08/2015 13:59, "Quanah Gibson-Mount" <quanah(a)zimbra.com> escreveu: > --On Thursday, August 06, 2015 2:01 PM -0300 Édnei Rodrigues < > ednei.felipe.rodrigues(a)gmail.com> wrote: > > >> Thank you for your answer. >> >> So, I need to enable the lastmod overlay in the primary db? Why? >> > > Lastmod overlay? no. > > Lastmod? yes > > olcLastMod: TRUE | FALSE > Controls whether slapd will automatically maintain > the > modifiersName, modifyTimestamp, creatorsName, and > createTimestamp attributes for entries. It also controls > the > entryCSN and entryUUID attributes, which are needed by > the > syncrepl provider. By default, olcLastMod is TRUE. > > --Quanah > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

Re: About issues with syncprov configuration
by Édnei Rodrigues 06 Aug '15

06 Aug '15

Thank you for your answer. So, I need to enable the lastmod overlay in the primary db? Why? Em 06/08/2015 12:44, "Quanah Gibson-Mount" <quanah(a)zimbra.com> escreveu: > --On Thursday, August 06, 2015 9:40 AM -0300 Édnei Rodrigues < > ednei.felipe.rodrigues(a)gmail.com> wrote: > > 55c25369 syncprov_db_open: invalid config, lastmod must be enabled >> 55c25369 backend_startup_one (type=mdb, suffix="dc=br"): bi_db_open >> failed! (-1) >> slap_startup failed (test would succeed using the -u switch) >> >> >> >> What is wrong ? >> > > It says you need to enable lastmod, that seems fairly plain? > > --Quanah > > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

2 1

Manager Attribute
by Michael 06 Aug '15

06 Aug '15

Looking at the OpenLDAP schema it appears to use the "manager" attribute the filed requires the dn: of the object. Is there another attribute similar to the manager attribute that will take a simple syntax such as "John Doe". There are a good deal of managers in our organization that don't have LDAP accounts and therefore naturally don't have a DN to specify in this field. I don't want the extra overhead of creating these DN's just for the sake of using this this attribute if I don't have to. Thanks.

2 1

ldap proxy to AD with local ACLs
by Meike Stone 06 Aug '15

06 Aug '15

Hello, it is me again regarding the ldap-backend. As told, I've installed a openldap as proxy in a DMZ for authentication forwarding to an Active Directoy. The Proxy is used by a VPN gateway. That all works very well. But now, I want to protect the AD from modifying. Only password changes from the user by self should be allowed. But as I see or understand, ACLs from a backend are used, AFTER the result from remote LDAP (AD) are coming back?! See second sentence from http://www.openldap.org/faq/data/cache/532.html: "It allows the common configuration directives as suffix, which is used to select it when a request is received by the server, *ACLs, which are applied to search results*, size and time limits, and so on. " So is it (and how is it) possible, to "switch" the ldap-backend in "read only mode" and only pass the the password change (modify: DEL/ADD)? Thanks Meike

2 3

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical