openldap-technical

openldap-technical@openldap.org

7 participants
9967 discussions

dhcp.schema attribute dhcpStatements value in filter
by Zeus Panchenko 02 Apr '14

02 Apr '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, I configured my isc-dhcpd servers to work with openldap, all works now when I want to find dn for some definite MAC or IP, I am unable to do that please, help to understand how can I ldapsearch by attribute dhcpStatements values? in dhcp.schema it is written: - ---[ quotation start ]------------------------------------------- ... attributetype ( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' EQUALITY caseIgnoreIA5Match DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) ... - ---[ quotation end ]------------------------------------------- so, when I use filter "(&(objectClass=dhcpHost)(dhcpStatements=*))" I successfully receive all objects but lets say I need to find this object: - ---[ quotation start ]------------------------------------------- dn: cn=ap01,cn=10.0.0.0,cn=officeXXX DHCP Config,ou=officeXXX,ou=DHCP, dc=allstuff cn: ap01 objectClass: top objectClass: dhcpHost dhcpHWAddress: ethernet 20:cf:30:88:5d:18 dhcpStatements: fixed-address 10.0.0.222 - ---[ quotation end ]------------------------------------------- I use filter: "(&(objectClass=dhcpHost)(dhcpStatements=fixed-address 10.0.0.222))" and receive empty result ... it is the same picture for anything except dhcpStatements=* ... so, how is it correct to write the filter to get all objects with IP like 10.0.0.2* ? - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlM6y1sACgkQr3jpPg/3oyqPvQCgq6w8K53fw+6zrsSLbI72sbMR 5k8AoOh0wWlYmeQyyNKfngyMQrP3TXrt =KYZt -----END PGP SIGNATURE-----

3 9

Re: dhcp.schema attribute dhcpStatements value in filter
by Harry Jede 02 Apr '14

02 Apr '14

Zeus Panchenko wrote: > hi, > > I configured my isc-dhcpd servers to work with openldap, all works > > now when I want to find dn for some definite MAC or IP, I am unable > to do that ... > I use filter: > "(&(objectClass=dhcpHost)(dhcpStatements=fixed-address 10.0.0.222))" > > and receive empty result ... Then you make a mistake :-( $ ldapsearch -xLLL -H ldap://10.100.0.1 '(&(objectclass=dhcphost) (dhcpStatements=fixed-address 10.100.0.102))' dn dhcpStatements dn: cn=DEBIAN,ou=hosts,cn=DHCP Config,dc=europa,dc=xx dhcpStatements: fixed-address 10.100.0.102 > it is the same picture for anything except dhcpStatements=* ... > > so, how is it correct to write the filter to get all objects with IP > like 10.0.0.2* ? By default, that's not possible. You need to modify the schema to make this work. step 1: find the dhcp schema # ldapsearch -LLLY external -H ldapi:/// -b cn=schema,cn=config dn|grep dhcp dn: cn={7}dhcp,cn=schema,cn=config step2: prepare a ldapmodify input file # echo 'dn: cn={7}dhcp,cn=schema,cn=config' > /tmp/dhcp_s.ldif # echo 'changetype: modify' >> /tmp/dhcp_s.ldif # echo 'replace: olcAttributeTypes' >> /tmp/dhcp_s.ldif step 3: retrieve the attributes from cn=config # ldapsearch -LLLY external -H ldapi:/// -b cn=schema,cn=config 'cn={7}dhcp' olcAttributeTypes >> /tmp/dhcp_s.ldif step 4.1: add Substring match to dhcpStatements with an editor this I have added "SUBSTR caseIgnoreIA5SubstringsMatch" to dhcpStatements. The result is: olcAttributeTypes: {2}( 2.16.840.1.113719.1.203.4.3 NAME 'dhcpStatements' DESC 'Flexible storage for specific data depending on what object this exists in. Like conditional statements, server parameters, etc. This allows the standard to evolve without needing to adjust the schema.' EQUALITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) step 4.2 remove line number 4 in my config 'dn: cn={7}dhcp,cn=schema,cn=config' step 5: update the server # ldapmodify -Y external -H ldapi:/// -f /tmp/dhcp_s.ldif step 6: be happy ;-) $ ldapsearch -xLLL -H ldap://10.100.0.1 '(&(objectclass=dhcphost) (dhcpStatements=fixed-address 10.100.0.*))' dn dhcpStatementsdn: cn=ainf-01,ou=hosts,cn=DHCP Config,dc=europa,dc=xx dhcpStatements: fixed-address 10.100.0.101 dn: cn=ainf-02,ou=hosts,cn=DHCP Config,dc=europa,dc=xx dhcpStatements: fixed-address 10.100.0.103 dhcpStatements: filename "pxelinux.0" dhcpStatements: next-server 10.100.0.1 dhcpStatements: broadcast-address 10.100.255.255 dn: cn=ainf-22,ou=hosts,cn=DHCP Config,dc=europa,dc=xx dhcpStatements: fixed-address 10.100.0.104 dn: cn=DEBIAN,ou=hosts,cn=DHCP Config,dc=europa,dc=xx dhcpStatements: fixed-address 10.100.0.102 hints: 1. modify an objectclass this way, will not work 2. an index on dhcpStatements is not required to make this work perhaps good for performance reasons 3. try it first on a test server :-) -- Harry Jede

2 2

Volunteers for Linuxtag 2014
by Dieter Klünter 02 Apr '14

02 Apr '14

Hi, The OpenLDAP Project will be present at Linuxtag 2014 in Berlin http://linuxtag.org/2014/ I am looking for volunteers to support the OpenLDAP booth. Prospective volunteers may contact me. -Dieter -- Dieter Klünter | Systemberatung http://sys4.de GPG Key ID: E9ED159B 53°37'09,95"N 10°08'02,42"E

1 0

Re: Changing cert paths may cause openldap to stop
by Quanah Gibson-Mount 01 Apr '14

01 Apr '14

--On Thursday, March 27, 2014 1:52 PM +0200 Nick Milas <nick(a)eurobjects.com> wrote: > Hi, > > On 2.4.39 (CentOS 5.10 x86_64), I found that if I attempt to change > certificate values but there is an error in a path, openldap stops. > > I would expect this should be avoided. Openldap should reject the > modification and not stop. > > Running the modification below, it hungs; we press Ctrl-C (and we print a > full backtrace), then we find slapd is stopped. File an ITS. --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

Re: Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
by Jonas Kellens 01 Apr '14

01 Apr '14

On 01-04-14 10:53, Terje Trane wrote: > On 01.04.2014 09:58, Jonas Kellens wrote: >> >> even if I add at the beginning of slapd.conf the following : >> >> access to * by * >> >> I still get no results with the user 'cn=U101001,ou=101001,dc=mydomain' >> >> I only get result with 'cn=Manager,dc=mydomain' >> > > Remember that ACLs are "first match used". > > If a database does not have an ACL the global ACL applies. > > But if it has a database specific ACL, that one is read first when > accessing that particular database, and the global then *only* used if > there is no match (or a control keyword like break or continue is > specified) I posted it before, but will post it again. This is the database specific ACL : database bdb suffix "dc=mydomain" rootdn "cn=Manager,dc=mydomain" rootpw {SSHA}blCAG/CNdFPY597Cf4Ssuj access to attrs=userPassword by * auth access to dn.regex="ou=tbook[12345],ou=contacten,ou=101001,dc=mydomain" attrs=children by group.exact="cn=admins,ou=101001,dc=mydomain" write by * none break access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read access to dn.one="ou=tbook2,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook2,ou=gebruikers,ou=101001,dc=mydomain" read access to dn.one="ou=tbook3,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook3,ou=gebruikers,ou=101001,dc=mydomain" read access to dn.one="ou=tbook4,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook4,ou=gebruikers,ou=101001,dc=mydomain" read access to dn.one="ou=tbook5,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook5,ou=gebruikers,ou=101001,dc=mydomain" read If user 'cn=U101001,ou=101001,dc=mydomain' is member of group "cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain", wouldn't you agree that it should be able to read the entries in dn "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" ?? Kind regards, Jonas.

4 6

RE: Slave not able to update master pwdFailureTime via chain.
by serpent6877 31 Mar '14

31 Mar '14

Anyone else have an answer for this? Thanks, Brad -------- Original message -------- From: Brad dameron <serpent6877(a)hotmail.com> Date:03/24/2014 8:36 AM (GMT-08:00) To: Esteban Pereira <esteban.pereira(a)gepsit.fr>,openldap-technical(a)openldap.org Subject: RE: Slave not able to update master pwdFailureTime via chain. >From what I read I need to setup authzTo. But having problems understanding what I need to set in the slaps.conf and on the allowed user. -------- Original message -------- From: Esteban Pereira <esteban.pereira(a)gepsit.fr> Date:03/20/2014 10:55 AM (GMT-08:00) To: Brad dameron <serpent6877(a)hotmail.com>,openldap-technical(a)openldap.org Subject: Re: Slave not able to update master pwdFailureTime via chain. I've never configured this kind of architecture, but as far as I know the ppolicy, I think my first thought configuring this would have been to not rebind as user because the attribute modified is an operational one which need the manage right (not sure about that) So I should have configured this with the replication user with manage right and without rebinding as a user when chaining to the master. Hope this help On Thu, Mar 20, 2014 at 6:14 PM, Brad dameron <serpent6877(a)hotmail.com>wrote: > I understand what you are saying. But this is what the > ppolicy_forward_updates says: > > ppolicy_forward_updates > Specify that policy state changes that result from Bind operations (such as recording > failures, lockout, etc.) on a consumer should be forwarded to a master instead of > being written directly into the consumer’s local database. This setting is only use‐ > ful on a replication consumer, and also requires the updateref setting and chain > overlay to be appropriately configured. > > So when a password failure occurs "pwdFailureTime" it relays it to the master as the user doing a MOD > from what I have seen in my logs. And thus the user doesn't have access to modify this attribute. > > Brad > > > > ------------------------------ > Date: Thu, 20 Mar 2014 12:13:02 +0100 > Subject: Re: Slave not able to update master pwdFailureTime via chain. > From: esteban.pereira(a)gepsit.fr > To: serpent6877(a)hotmail.com > CC: openldap-technical(a)openldap.org > > > Hi Brad, > > pwdFailureTime is an operational attribute, I don't think any user can > modify it on any instance. May be you should try to modify it on the master > to see if it comes from this assumption. > > Esteban > > > On Thu, Mar 20, 2014 at 11:33 AM, Brad dameron <serpent6877(a)hotmail.com>wrote: > > OpenLDAP 2.4.23-26 on CentOS 5. I am trying to get the pwdFailureTime > updated on the master when the slave recieves a password failure. Here is > my config. It's pretty simple and basic. No TLS. > > Master: > > access to attrs=userPassword > by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write > by dn.exact="cn=replication,dc=test,dc=net" read > by self write > by anonymous auth > by * none > access to * > by group.exact="cn=ldapadmins,ou=Groups,dc=test,dc=net" write > by dn.exact="cn=replication,dc=test,dc=net" write > by self write > by users read > by anonymous read > by * none > > > > Slave: > > overlay chain > chain-uri ldap://172.16.0.84:389 > chain-rebind-as-user TRUE > chain-idassert-bind bindmethod=simple > binddn="cn=replication,dc=test,dc=net" > credentials="MyPasswd" > mode="self" > chain-return-error TRUE > > # Password Policy > overlay ppolicy > ppolicy_default "cn=default,ou=Policies,dc=test,dc=net > ppolicy_use_lockout > ppolicy_forward_updates > > > # Slave Replication > syncrepl rid=101 > provider=ldap://172.16.0.84:389 > type=refreshAndPersist > interval=00:00:01:00 > retry="60 10 300 +" > searchbase="dc=test,dc=net" > schemachecking=off > bindmethod=simple > binddn="cn=replication,dc=test,dc=net" > credentials="MyPasswd" > updateref "ldap://172.16.0.84:389" > > > > I see the connection on the master but it gives a permission error: > > > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD > dn="cn=testuser,ou=People,dc=test,dc=net" > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 MOD > attr=pwdFailureTime > Mar 20 09:47:46 LDAP-RADIUS-1 slapd[14288]: conn=1124 op=3 RESULT tag=103 > err=50 text= > > > I read that you maybe need authzTo added to the binddn for the chain? Or > is this only for TLS? > > I tried adding this ldif: > > dn: cn=replication,dc=test,dc=net > changetype: modify > add: authzTo > authzTo: * > > And even set the: > > chain-idassert-authzFrom "*" > > in the chain. But it always gives me the error code 50 not enough > permissions. I believe it is supposed to give access to the user to MOD the > pwdFailureTime tribute knowing it is coming from a relay. But I can't find > very specific docs on this or see what is wrong. Any help apreciated. > > Thanks, > Brad > > >

2 1

openldap for fedora
by Brendan Kearney 30 Mar '14

30 Mar '14

i hope to be getting some new machines and updating/upgrading my ldap instances in the process. i am looking to use the ltb-project.org rpms for the install, but have a couple of questions. first, i do not see any fedora versions in the repo. only redhat 5 and 6. are these packages binary compatible with fedora? second, it seems that the packages use the Sys V Init style, as i am sure the RH servers still use. although that is supported for legacy compatibility in fedora, does the new systemd init style work with these packages? third, is a package for fedora versions available through the ltb-project site? thank you, brendan

2 1

What is the replacement for /etc/ldap.conf?
by Peng Yu 30 Mar '14

30 Mar '14

Hi, http://ubuntuforums.org/showthread.php?t=1421998 The above link mentioned the following code. But /etc/ldap.conf is not available on ubuntu 13.10. Does anybody know what I should do instead? Thanks. sudo echo "index sudoUser eq" >> /etc/ldap.conf -- Regards, Peng

4 3

Why "ldapadd -x -D cn=admin, cn=config -W -f ~/sudoWork/cn\=sudo.ldif" does not work?
by Peng Yu 29 Mar '14

29 Mar '14

Hi, I followed the following instructions. http://ubuntuforums.org/showthread.php?t=1421998 I get the following error. pengy@openldapserver:~$ ldapadd -x -D cn=admin,cn=config -W -f ~/sudoWork/cn\=sudo.ldif Enter LDAP Password: ldap_bind: Invalid credentials (49) Here is the log. Does anybody know what the log means and how to fix the problem? Thanks. pengy@openldapserver:~$ tail -n 5 /var/log/syslog Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 fd=21 ACCEPT from IP=127.0.0.1:47481 (IP=0.0.0.0:389) Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=0 BIND dn="cn=admin,cn=config" method=128 Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=0 RESULT tag=97 err=49 text= Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 op=1 UNBIND Mar 28 22:20:07 openldapserver slapd[972]: conn=1460 fd=21 closed -- Regards, Peng

4 6

Re: What is the default of `-b`?
by Peng Yu 28 Mar '14

28 Mar '14

How to search for everything in the ldap database (such config)? On Fri, Mar 28, 2014 at 8:31 AM, Brad Hartlove <bradley.hartlove(a)g2-inc.com> wrote: > Peng > > The default of "-b" should be whatever you have specified in your > ldap.conf configuration file. In a fresh install, without any > configuration, I do not believe it will look for any base. The "-b" flag > is used to specify the base of the tree from where you wish to begin your > search. If you also pass the "-v" flag, it will spit out the base you are > using ex:" # base <dc=somedomain,dc=com> with scope subtree". In the > ldap.conf (typically located in your /etc/opendlap directory in linux), > the directive you want to set is "BASE". It natively comes with something > that is commented out ex: #BASE dc=example,dc=com. You need to > uncomment and add the appropriate base location from where you wish to > operate. Bear in mind that this affects the behavior of all your OpenLDAP > client calls if the "-b" is not specified in the command string. > > Regards, > Brad Hartlove > > -----Original Message----- > From: openldap-technical-bounces(a)OpenLDAP.org > [mailto:openldap-technical-bounces@OpenLDAP.org] On Behalf Of Peng Yu > Sent: Thursday, March 27, 2014 4:17 PM > To: openldap-technical(a)openldap.org > Subject: What is the default of `-b`? > > Hi, > > The man page says the following. > > `-b` *searchbase* > : Use *searchbase* as the starting point for the search instead of > the default. > > I'm wondering what is the default. If I don't specify -b, I will get an > error. Does anyone know how show all the contents from the database? > Thanks. > > $ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// -b cn=config dn > dn: cn=config > > dn: cn=module{0},cn=config > > dn: cn=schema,cn=config > > dn: cn={0}core,cn=schema,cn=config > > dn: cn={1}cosine,cn=schema,cn=config > > dn: cn={2}nis,cn=schema,cn=config > > dn: cn={3}inetorgperson,cn=schema,cn=config > > dn: olcBackend={0}hdb,cn=config > > dn: olcDatabase={-1}frontend,cn=config > > dn: olcDatabase={0}config,cn=config > > dn: olcDatabase={1}hdb,cn=config > > $ sudo ldapsearch -Q -LLL -Y EXTERNAL -H ldapi:/// dn No such object (32) > > -- > Regards, > Peng -- Regards, Peng

1 0

Jump to page:

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical