openldap-technical

openldap-technical@openldap.org

3 participants
9937 discussions

hiding a naming context
by Craig White 26 May '15

26 May '15

Back with a further clarification and trying to solve a problem for our programmers. ldapsearch -x -H ldapi:/// -s base -b '' namingContext "*" + -D $ROOTDN -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: namingContext * + # # dn: objectClass: top objectClass: OpenLDAProotDSE structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: cn=accesslog namingContexts: dc=example,dc=com monitorContext: cn=Monitor supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: PLAIN supportedSASLMechanisms: LOGIN supportedSASLMechanisms: EXTERNAL entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 So our programmers want me to filter out 'namingContexts: cn=accesslog' for them (please don't ask). # cat naming_context.ldif dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcAccess olcAccess: {0}to dn.exact="" attrs=namingContext val/distinguishedNameMatch="cn=accesslog transitional" by * none ldapmodify -H ldapi:/// -Y EXTERNAL -f naming_context.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAccess> handler exited with 1 Anyone want to hit me with a clue stick so I can hide the 'cn=accesslog' database from my programmers so they don't have to rewrite code?

4 9

How to check the login history of users on openldap
by Peng Yu 25 May '15

25 May '15

Hi, I setup ubuntu servers to use an openldap for login authentication. I want to check who have logged in all the servers. A logic place to check is at the central openldap server. But I am not sure how to do. Could any of you let me know? -- Regards, Peng

3 5

How to add a user with root permission?
by Peng Yu 25 May '15

25 May '15

Hi, I using openldap to manage users of a number of ubnutu servers. But I don't find a way to give users root permission on these servers? Could anybody show me how to do this with openldap? Thanks. -- Regards, Peng

2 2

rfc2252 big integer
by Raffael Sahli 21 May '15

21 May '15

Hi Which syntax should I use if 1.3.6.1.4.1.1466.115.121.1.27 is not big enough? 1.3.6.1.4.1.1466.115.121.1.36? (I don't see a kind of big integer) Thanks -- Raffael Sahli

2 1

openldap: 3+ multi datacentre replication
by hab 19 May '15

19 May '15

Could you share any experience setting-up/expanding (large) ldap server to multi data centres(DC)? What strategy do you use - mesh or ring topology? Looking for examples where 3+ DCs with failover(master/master or master/slave) ldap setup in each DC. Is ring topology better than mesh as ldap has to only deal with less connections? Would be nice if you can mention any scaling issues?

2 1

Re: RE24 testing call (2.4.41)
by Jephte Clain 19 May '15

19 May '15

hello, it builds fine on debian squeeze LTS 64bits, and the tests are ok FYI, configure was run with the debian defaults: ./configure --prefix=/usr --libexecdir='${prefix}/lib' --sysconfdir=/etc --localstatedir=/var --mandir='${prefix}/share/man' --enable-debug --enable-dynamic --enable-syslog --enable-proctitle --enable-ipv6 --enable-local --enable-slapd --enable-dynacl --enable-aci --enable-cleartext --enable-crypt --disable-lmpasswd --enable-spasswd --enable-modules --enable-rewrite --enable-rlookups --enable-slapi --enable-slp --enable-wrappers --enable-backends=mod --disable-ndb --enable-overlays=mod --with-subdir=ldap --with-cyrus-sasl --with-threads --with-tls=openssl --with-odbc=unixodbc regards, 2015-05-01 0:21 GMT+04:00 Quanah Gibson-Mount <quanah(a)zimbra.com>: > If you know how to build OpenLDAP manually, and would like to participate in > testing the next set of code for the 2.4.41 release, please do so. > > Generally, get the code for RE24: > > <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> > > Configure & build. > > Execute the test suite (via make test) after it is built. > > Thanks! > > --Quanah > > -- > > Quanah Gibson-Mount > Platform Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration > -- Jephté CLAIN | Développeur, Intégrateur d'applications Service Système d'Information Direction des Systèmes d'Information Tél: +262 262 93 86 31 || Gsm: +262 692 29 58 24

1 0

syncrepl and memberof do not work well together
by John Alex. 18 May '15

18 May '15

I am not sure if this is by design or a bug so I am posting here first. I have a provider-consumer configuration (both at version 2.4.40) where the consumer uses simple syncrepl (no delta sync). I am using the memberof overlay in the provider, and, having read the slapo-memberof manpage and ITS#7400, I made sure to exclude "memberof" from the synced attributes, and configured the memberof overlay in the consumer too. When I add or remove a user from a group, the user entry is correctly updated in both provider and consumer with the addition or removal of the corresponding "memberof" value. The problem occurs when a user entry is modified in any way, e.g. by changing a password, adding a description, etc. From what I understand, when a change occurs in an entry, non-delta syncrepl causes the entire entry to be resynced, not just the modified attributes. The result is that the "memberof" attributes of this entry on the consumer are removed. Is this the intended behavior? Shouldn't the "memberOf" values be restored after the entry is updated, since no group membership was modified?

2 4

debugging
by Craig White 18 May '15

18 May '15

Trying to figure out if this search is being denied. I wouldn't think so but the last 3 lines at the end suggest otherwise. 5552876b conn=1000 fd=21 ACCEPT from IP=172.29.34.47:42310 (IP=0.0.0.0:389) 5552876b conn=1000 op=0 BIND dn="uid=an_admin,ou=People,dc=doesn't_matter,dc=com" method=128 5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn't_matter,dc=com" 5552876b => bdb_entry_get: found entry: "cn=defaultpp,ou=policies,dc=doesn't_matter,dc=com" 5552876b => access_allowed: result not in cache (userPassword) 5552876b => access_allowed: auth access to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" "userPassword" requested 5552876b => acl_get: [1] attr userPassword 5552876b => acl_mask: access to entry "uid=an_admin,ou=People,dc=doesn't_matter,dc=com", attr "userPassword" requested 5552876b => acl_mask: to value by "", (=0) 5552876b <= check a_dn_pat: self 5552876b <= check a_dn_pat: anonymous 5552876b <= acl_mask: [2] applying auth(=xd) (stop) 5552876b <= acl_mask: [2] mask: auth(=xd) 5552876b => slap_access_allowed: auth access granted by auth(=xd) 5552876b => access_allowed: auth access granted by auth(=xd) 5552876b conn=1000 op=0 BIND dn="uid=an_admin,ou=People,dc=doesn't_matter,dc=com" mech=SIMPLE ssf=0 5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn't_matter,dc=com" 5552876b conn=1000 op=0 RESULT tag=97 err=0 text= 5552876b conn=1000 op=1 BIND anonymous mech=implicit ssf=0 5552876b conn=1000 op=1 BIND dn="uid=an_admin,ou=People,dc=doesn't_matter,dc=com" method=128 5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn't_matter,dc=com" 5552876b => bdb_entry_get: found entry: "cn=defaultpp,ou=policies,dc=doesn't_matter,dc=com" 5552876b => access_allowed: result not in cache (userPassword) 5552876b => access_allowed: auth access to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" "userPassword" requested 5552876b => acl_get: [1] attr userPassword 5552876b => acl_mask: access to entry "uid=an_admin,ou=People,dc=doesn't_matter,dc=com", attr "userPassword" requested 5552876b => acl_mask: to value by "", (=0) 5552876b <= check a_dn_pat: self 5552876b <= check a_dn_pat: anonymous 5552876b <= acl_mask: [2] applying auth(=xd) (stop) 5552876b <= acl_mask: [2] mask: auth(=xd) 5552876b => slap_access_allowed: auth access granted by auth(=xd) 5552876b => access_allowed: auth access granted by auth(=xd) 5552876b conn=1000 op=1 BIND dn="uid=an_admin,ou=People,dc=doesn't_matter,dc=com" mech=SIMPLE ssf=0 5552876b => bdb_entry_get: found entry: "uid=an_admin,ou=people,dc=doesn't_matter,dc=com" 5552876b conn=1000 op=1 RESULT tag=97 err=0 text= 5552876b begin get_filter 5552876b PRESENT 5552876b end get_filter 0 5552876b conn=1000 op=2 SRCH base="" scope=0 deref=0 filter="(objectClass=*)" 5552876b conn=1000 op=2 SRCH attr=* + altServer changelog firstChangeNumber lastChangeNumber lastPurgedChangeNumber namingContexts subschemaSubentry supportedAuthPasswordSchemes supportedControl supportedExtension supportedFeatures supportedLDAPVersion supportedSASLMechanisms vendorName vendorVersion 5552876b => test_filter 5552876b PRESENT 5552876b => access_allowed: search access to "" "objectClass" requested 5552876b => slap_access_allowed: backend default search access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: search access granted by read(=rscxd) 5552876b <= test_filter 6 5552876b => access_allowed: read access to "" "entry" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (objectClass) 5552876b => access_allowed: read access to "" "objectClass" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (objectClass) 5552876b => access_allowed: result not in cache (structuralObjectClass) 5552876b => access_allowed: read access to "" "structuralObjectClass" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (configContext) 5552876b => access_allowed: read access to "" "configContext" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (namingContexts) 5552876b => access_allowed: read access to "" "namingContexts" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (namingContexts) 5552876b => access_allowed: result not in cache (monitorContext) 5552876b => access_allowed: read access to "" "monitorContext" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (supportedControl) 5552876b => access_allowed: read access to "" "supportedControl" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result was in cache (supportedControl) 5552876b => access_allowed: result not in cache (supportedExtension) 5552876b => access_allowed: read access to "" "supportedExtension" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (supportedExtension) 5552876b => access_allowed: result was in cache (supportedExtension) 5552876b => access_allowed: result was in cache (supportedExtension) 5552876b => access_allowed: result not in cache (supportedFeatures) 5552876b => access_allowed: read access to "" "supportedFeatures" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (supportedFeatures) 5552876b => access_allowed: result was in cache (supportedFeatures) 5552876b => access_allowed: result was in cache (supportedFeatures) 5552876b => access_allowed: result was in cache (supportedFeatures) 5552876b => access_allowed: result was in cache (supportedFeatures) 5552876b => access_allowed: result not in cache (supportedLDAPVersion) 5552876b => access_allowed: read access to "" "supportedLDAPVersion" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (supportedSASLMechanisms) 5552876b => access_allowed: read access to "" "supportedSASLMechanisms" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result not in cache (entryDN) 5552876b => access_allowed: read access to "" "entryDN" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (entryDN) 5552876b => access_allowed: result not in cache (subschemaSubentry) 5552876b => access_allowed: read access to "" "subschemaSubentry" requested 5552876b => slap_access_allowed: backend default read access granted to "uid=an_admin,ou=People,dc=doesn't_matter,dc=com" 5552876b => access_allowed: read access granted by read(=rscxd) 5552876b => access_allowed: result was in cache (subschemaSubentry) 5552876b conn=1000 op=2 SEARCH RESULT tag=101 err=0 nentries=1 text= 5552876b begin get_filter 5552876b EQUALITY 5552876b end get_filter 0 5552876b conn=1000 op=3 SRCH base="cn=accesslog" scope=2 deref=0 filter="(uid=global.admin)" 5552876b => access_allowed: search access to "cn=accesslog" "entry" requested 5552876b => acl_get: [1] attr entry 5552876b => acl_mask: access to entry "cn=accesslog", attr "entry" requested 5552876b => acl_mask: to all values by "uid=an_admin,ou=people,dc=doesn't_matter,dc=com", (=0) 5552876b <= check a_dn_pat: cn=admin,dc=doesn't_matter,dc=com 5552876b <= check a_dn_pat: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth 5552876b <= acl_mask: no more <who> clauses, returning =0 (stop) 5552876b => slap_access_allowed: search access denied by =0 5552876b => access_allowed: no more rules 5552876b conn=1000 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text= So the application is a java application and the developers haven't a clue on how to debug the java ldap side. I am not sure why it's looking at accesslog in the context of this connection, and it shouldn't have access to accesslog but it shouldn't matter anyway, accesslog is database{1} and the actual suffix to be searched is database{3} User uid=an_admin,ou=People,dc=doesn't_matter,dc=com is pretty much allowed to do anything in the suffixed database {dc=doesn't_matter,dc=com} My contention is that there isn't an error here but the application isn't happy with the new setup and as I said, they are not knowledgeable about how to debug from the java side. Does this log indicate an error? (I know err=32 is no such object) Craig

4 7

search in ldap from java is getting stuck
by PRATIK SINGAL 18 May '15

18 May '15

Hi can anyone help me with java code which will return all the number of data present in the object class. Currently search gets stuck when there are more than 3 lakh of data in the object class. The java thread becomes dead i guess. Regards, Pratik

1 0

ACL sanity check
by Brendan Kearney 17 May '15

17 May '15

i am looking to improve my access controls, and wanted to make sure the below passes muster and sanely implements what i am looking for. 0 - ldap admins get access to the entire directory {0}to dn.subtree="dc=bpk2,dc=com" by group.exact="cn=ldapAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by anonymous auth by * none 1 - kerberos id get only the access they need {1}to dn.subtree="cn=BPK2.COM,dc=bpk2,dc=com" by dn="cn=kadmin,dc=bpk2,dc=com" write by dn="cn=kdc,dc=bpk2,dc=com" read by * none 2 - dns engineers, admins and dns process accounts get access {2}to dn.subtree="cn=dns,ou=Daemons,dc=bpk2,dc=com" by group.exact="cn=dnsEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by group.exact="cn=dnsAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write by group.exact="cn=dnsProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" write by * none 3 - dhcp engineers, admins and dhcp process accounts get access {3}to dn.subtree="cn=DHCP Config,ou=Daemons,dc=bpk2,dc=com" by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read by * none 4 - dhcp engineers, admins and dhcp process accounts get access {4}to dn.subtree="cn=DHCP Servers,ou=Daemons,dc=bpk2,dc=com" by group.exact="cn=dhcpEngineers,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" manage by group.exact="cn=dhcpAdmins,ou=domainGroups,ou=Groups,dc=bpk2,dc=com" write by group.exact="cn=dhcpProcesses,ou=processGroups,ou=Groups,dc=bpk2,dc=com" read by * none 5 - users can read this ou {5}to dn.subtree="ou=Computers,dc=bpk2,dc=com" by users read by * none 6 - users can read this ou {6}to dn.subtree="ou=Groups,dc=bpk2,dc=com" by users read by * none 7 - users can read this ou {7}to dn.subtree="ou=Networks,dc=bpk2,dc=com" by users read by * none 8 - users can read this ou {8}to dn.subtree="ou=Users,dc=bpk2,dc=com" by users read by * none are there any specific ACLs that i should have? are there any glaring issues with the above proposed ACLs?

3 2

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical