openldap-technical

openldap-technical@openldap.org

9 participants
9866 discussions

Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
by harry.jede＠arcor.de 26 Feb '14

26 Feb '14

Am Mittwoch, 26. Februar 2014 schrieb Jefferson Davis: > Sorry to be dense, but it appears I create my schema file from the > attribute definitions in the RFC, is that correct? Yes -- Harry Jede

1 0

Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
by Jefferson Davis 26 Feb '14

26 Feb '14

So I've read, however, there is very little documentation on implementation, at least that I've been able to find. ----- Original Message ----- From: "Dieter Klünter" <dieter(a)dkluenter.de> To: openldap-technical(a)openldap.org Sent: Friday, February 21, 2014 10:55:58 PM So I've read, however, there is very little documentation on implementation, at least that I've been able to find. Subject: Re: strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist? Am Fri, 21 Feb 2014 11:14:12 -0800 (PST) schrieb Jefferson Davis <jdavis(a)standard.k12.ca.us>: > This has been beating me like a red-headed stepchild... > > In the AD world, groupOfNames is expected (in combination with the > member attribute, provides for reverse group resolution, ie users by > group membership AND groups by member inclusion). This can be achieved by overlay memberOf, man slapo-memberof(5). > On the unix side of the fence, groups REQUIRE a gidNumber in order to > resolve group membership, using posixGroup structural OC in > conjunction with memberUID. The rfc2307bis.schema provides auxiliary object classes to solve this. In addition you may use the groupOfNames objectclass. > In attempting to future-proof our ldap services, and to accommodate > the AD-Focused nature of commercial products, I'm attempting to get > this to all work automatically, ie use the same group setup for both > (probably naive and ill-advised?). But you CANNOT have multiple > structural objectclasses in a single entry. So these requirements put > group structures in direct opposition of one another. > > Has anyone resolved this successfully, and if so, how? Overlays > (which ones, examples)? Schema mods (examples?) > > Splitting groups off as unix groups vs windows groups (sync could get > ugly) and could run into other issues with respect to file and dir > permissions. > > I also need to avoid breaking smbldap-tools, which at the moment > appears NOT to support the groupofnames model. > > Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from > older OpenLDAP version. I'm somewhat open to considering a different > LDAP service (389/Apache/OpenDJ) though I've found java to be a > resource pig in the extreme, and would prefer to avoid if possible. > > If you have this working I would love to see the relevant > configuration files. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ext 120 (office) http://district.standard.k12.ca.us District Users: Click here to report technology issues

2 2

Replication from OpenLDAP to Fedora 389 DS
by Italo Valcy 26 Feb '14

26 Feb '14

Dear all, I`m trying to setup replication from OpenLDAP to Fedora 389 DS. It used to work by running slurpd in a push mode initiated by the provider. With OL 2.4 this seems to be replaced by syncrepl proxy mode [1], which works by defining a LDAP backend that will write updates on the consumer from data received from syncrepl engine (provider), acting as a proxy (examples in [1]). This is not working in case of sincronization from OL to 389 DS, because operational attributes (entryCSN, structuralObjectClass, entryUUID, etc.) is not accepted in 389 DS, giving the following error in 389 DS: [22/Feb/2014:18:17:25 -0300] - Entry "uid=XXX,dc=sub,dc=example,dc=com" -- attribute "entrycsn" not allowed I've tried to filter those operational attributes on synrepl, by using "exattrs='structuralObjectClass,entryUUID,entryCSN'" but it didnt help. Another approach (the right one, see bellow) would be disable "lastmod", but then syncprov overlay complains and don't starts (lastmod TRUE is required by syncprov). >From LDAP backend man pages, it already gives a feeling that when proxying, then lastmod should be OFF (and this is the default behavior): "Note: In early versions of back-ldap it was recommended to always set 'lastmod off' for ldap and meta databases. This was required because operational attributes related to entry creation and modification should not be proxied, as they could be mistakenly written to the target server(s), generating an error." So, is there any way to don't export the operational attributes from OL in the above scenario? Thanks for any help! [1] http://www.openldap.org/doc/admin24/replication.html#Syncrepl%20Proxy%20Mode -- Saudações, Italo Valcy :: http://wiki.dcc.ufba.br/Main/ItaloValcy

5 12

Excluding attributes fom reqOld
by Mundry, Marvin 26 Feb '14

26 Feb '14

Hi, the accesslog in my production environment is growing quite large which makes backing it up challenging. The reason is that there are plenty of accesslog entires which originate from slapo-ppolicy (users who can't remember their passwords): dn: reqStart=20140219033229.000000Z,cn=accesslog reqOld: pwdFailureTime: 20140218152927Z reqOld: pwdFailureTime: 20140218152957Z reqOld: pwdFailureTime: 20140218153027Z reqOld: pwdFailureTime: 20140218153057Z as I don't need pwdFailureTime in reqOld I would like to exclude this attribute form reqOld. I is my understanding that: * olcAccessLogOld only allows me to exclude whole user objects from appearing in reqOld (as I need reqOld info for users I can't do this) olcAccessLogOldAttr - only allows specifying a positive list of attributes that gets logged no matter whether they changed or not. what I need is something like: dn: olcOverlay={3}accesslog,olcDatabase={5}mdb,cn=config olcAccessLogOldAttr: !pwdFailureTime (a way to specify a list of attribs that never get logged even if they have changed) is there a way I can get rid of the pwdFailureTime in the accesslog? Best regards, Marvin Mundry University of Hamburg Regional Computer Center (RRZ) Division Zentrale Dienste Schlueterstrasse 70 20146 Hamburg +49 (0)40 42838-9109

1 0

Re: Cyrus IMAPD + virtual domains + SASL + OpenLDAP ldapdb
by Dan White 26 Feb '14

26 Feb '14

Forwarding to the list for posterity. On 02/25/14 15:22 -0700, Nels Lindquist wrote: >On 2/21/2014 1:45 PM, Dan White wrote: >> On 02/21/14 13:09 -0700, Nels Lindquist wrote: > ><snip> > >>> However, from what I can determine I'm not getting any realm component >>> in the searches coming through. The "default" realm configuration works >>> when I use a bare userid to authenticate, but when using a full e-mail >>> address, that comes through as >>> "uid=example(a)example.com,cn=[authmech],cn=auth". That said, I haven't >>> found a LogLevel which includes AuthzRegexp processing; I've tried >>> various settings, but the closest I've come is logging the resulting >>> bind requests (eg. BIND dn="uid=example,ou=people,dc=example,dc=com" >>> mech=DIGEST-MD5 sasl_ssf=128 ssf=128). >> >> I would not depend on realm being delivered in a consistent way from cyrus >> imapd/sasl. Different mechanisms will act in different ways. libsasl2 is >> responsible for providing the realm (or not). To maintain some consistency, >> create two sets of authz-regexp rules, such as: >> >> authz-regexp >> "uid=([^,]+),cn=([^,]+),cn=auth" >> "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1)(objectClass=person))" >> >> authz-regexp >> "uid=([^,]+),cn=([^,]+),cn=([^,]+),cn=auth" >> >> "ldap:///dc=eng,dc=example,dc=com??one?(&(uid=$1@$2)(objectClass=person))" >> >> And you may need a third rule which matches cases where both a fully >> qualified username AND a realm are provided. > >To be more clear, in my LDAP none of the objects have uids incorporating >e-mail addresses, but that's how Cyrus IMAP allows for virtual domain >logins. > >My base dn is actually "o=top", and then I have the various domains laid >out like: > >dc=example,dc=com,o=top >dc=example2,dc=ca,o=top > >... so my plan was to use the virtual domain information to translate >into which subtree I need to search against. The "fallthrough" default >domain just searches the bare uid against a particular subtree. > >It seems to be working using this (we're using LDAPRouting with >Sendmail, so all mailboxes must have inetLocalMailRecipient attributes): > ># Match e-mail address; map to correct subtree > >authz-regexp > "uid=([^,]+)(a)([^,\.]+)\.([^,]+),cn=[^,]*,cn=auth" > "ldap:///dc=$2,dc=$3,o=top??sub?(&(uid=$1)(mailLocalAddress=*))" > > ># Default domain > >authz-regexp > "uid=([^,]*),cn=[^,]*,cn=auth" > "ldap:///dc=example,dc=com,o=top??sub?(&(uid=$1)(mailLocalAddress=*))" > >> ldapwhoami is highly recommend for testing this setup. Include all of -Y, >> -U, and -X. > >Thanks very much for putting me on the right track! -- Dan White

1 0

How to assign a password policy to a group of users, in one go
by Rodrigo Coutinho 25 Feb '14

25 Feb '14

Hi again, I've finally managed to setup the password policy, but only statically (ran configure again). Have defined two password policies, one for all (default) and another for a specific group of users. The question now is: Can I assign a password policy to a group of users (cn=some_group,ou=groups,dc=xxx,dc=local)in one go, or must I assign to each user individualy the pwdPolicySubentry? I have searched, and although slapo states that it can be done, no example is provided. Thank you in advance A transmiss�o de mensagens por e-mail n�o � absolutamente segura ou livre de erros. A mensagem pode ser intercetada, alterada, perdida, destru�da, chegar ao destinat�rio com atraso, ou mesmo com v�rus, n�o obstante o IFAP utilizar software anti-v�rus. Esta mensagem, incluindo eventuais ficheiros anexos, pode conter informa��o confidencial ou privilegiada e destina-se a uso exclusivo dos seus destinat�rios. Se n�o for o destinat�rio pretendido, informamos que a recebeu por engano, pelo que, qualquer utiliza��o, distribui��o, reencaminhamento ou outra forma de revela��o a terceiros, impress�o ou c�pia s�o expressamente proibidos. Se recebeu esta mensagem por engano, por favor contacte imediatamente o remetente por e-mail, e apague de imediato a mensagem do seu sistema inform�tico. O IFAP declina qualquer responsabilidade por erros ou omiss�es na presente mensagem e eventuais consequ�ncias, que resultem das situa��es referidas.

3 3

libldap "Happy Eyeballs" support (aka Fast Fallback or ipv4/ipv6 dual-stack)
by Žarko Milenković 25 Feb '14

25 Feb '14

Hi all, I would like to have Happy Eyeballs<http://en.wikipedia.org/wiki/Happy_eyeballs> algorithm (more details here<http://tools.ietf.org/html/rfc6555>) implemented for all network communication in my application. Because I'm using libldap for searching openldap server I'm not quite sure does library already support this or would I need to implement it myself? To further clarify, I have following scenario: ldap server on myoldap.organization.org that listens for both ipv6 and ipv4 connections. Clients connect to it using libldap. Does libldap have support to automatically choose ipv6 over ipv4 or vice versa? If yes, how is choice made? Is ipv6 always preferred if available or does better connection win? If no, then I know the way I need to go. The only thing to add there is that I would be willing to add this support to libldap. Thanks, Žarko

2 1

dynlist groups not usable in ACLs?
by DRVTiny 25 Feb '14

25 Feb '14

OpenLDAP 2.4.39, amd64, debian 7 When i use the group with only static members in "by group/groupOfNames/member" clause - all works perfectly But when i'm trying to use in ACL definition dynamic members in 1:1 identicaly group - it doesnt work at all and in slapd debug output i see: --- 530b1a22 dnMatch -40 "dc=ru" "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" --- where "dc=ru" is one static member of this group (all others is dynamic members and it is not compared to "uid=konovalov-aa,ou=people,dc=svc,dc=ot,dc=ru" at all). It is very strange behavior, because official documentation says that: --- Dynamic Groups are also supported in Access Control. Please see slapo-dynlist(5) and the Dynamic Lists overlay section. --- Any comments? Can i use dynlist'ed groups in OpenLDAP ACL?

3 2

strategy for getting groupOfNames (AD) and posixAccount (Unix) to coexist?
by Jefferson Davis 24 Feb '14

24 Feb '14

This has been beating me like a red-headed stepchild... In the AD world, groupOfNames is expected (in combination with the member attribute, provides for reverse group resolution, ie users by group membership AND groups by member inclusion). On the unix side of the fence, groups REQUIRE a gidNumber in order to resolve group membership, using posixGroup structural OC in conjunction with memberUID. In attempting to future-proof our ldap services, and to accommodate the AD-Focused nature of commercial products, I'm attempting to get this to all work automatically, ie use the same group setup for both (probably naive and ill-advised?). But you CANNOT have multiple structural objectclasses in a single entry. So these requirements put group structures in direct opposition of one another. Has anyone resolved this successfully, and if so, how? Overlays (which ones, examples)? Schema mods (examples?) Splitting groups off as unix groups vs windows groups (sync could get ugly) and could run into other issues with respect to file and dir permissions. I also need to avoid breaking smbldap-tools, which at the moment appears NOT to support the groupofnames model. Building this on CentOS 6, OpenLDAP 2.4.23-34, and migrating from older OpenLDAP version. I'm somewhat open to considering a different LDAP service (389/Apache/OpenDJ) though I've found java to be a resource pig in the extreme, and would prefer to avoid if possible. If you have this working I would love to see the relevant configuration files. -- Jefferson K Davis Technology and Information Systems Manager Standard School District 1200 North Chester Ave Bakersfield, CA 93308 661.392.2110 ext 120 (office) http://district.standard.k12.ca.us District Users: Click here to report technology issues

7 9

Relay recipient postfix via ldap exception email address
by Rony 23 Feb '14

23 Feb '14

I make postfix relay recipient via ldap and I want an exception email addresses can not look up but have not been successful, my configuration server_host = 1.1.1.1.1 ldap_search_base = o = example, c = com bind = no query_filter = (| (mail =% s) (mailAlternateAddress =% s)) (! (mail = group(a)example.com))) result_attribute = mail I want group(a)example.com can not look up, but have not been successful, how correct configuration?

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical