Hi,
I am new to LDAP. Hence kindly do excuse if any of my terminology is different.
Issue: ----- I installed the openldap server through debian package. ie. did NOT get the source. Was able to add the record and display them. ie. the slaptest worked fine and also could able to search the database with ldapsearch command also.
Also able to start and stop the daemon.
But i am having an issue regarding the retrieval of authFilterId attribute stored in the LDAP database.
Is authFilterId and FilterId attribute same?? Tried to retrieve both of them but unable to get the values of the attribute.
Added a schema by name auth.schema in the slapd.conf. This file was not present in the default installation of the openldap.
The below are the details of the configuration:
openldap server version: OpenLDAP: slapd 2.4.9 Operating System: Ubuntu 8.04
slapd.conf:
# This is the main slapd configuration file. See slapd.conf(5) for more # info on the configuration options.
####################################################################### # Global Directives:
# Features to permit #allow bind_v2
# Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/nis.schema include /etc/ldap/schema/inetorgperson.schema #auth.schema added by me. Did not get installed by default include /etc/ldap/schema/auth.schema
# Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values loglevel none
# Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb
# The maximum number of entries that is returned for a search operation sizelimit 500
# The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 1
####################################################################### # Specific Backend Directives for hdb: # Backend specific directives apply to this backend until another # 'backend' directive occurs backend hdb
####################################################################### # Specific Backend Directives for 'other': # Backend specific directives apply to this backend until another # 'backend' directive occurs #backend <other>
####################################################################### # Specific Directives for database #1, of type hdb: # Database specific directives apply to this databasse until another # 'database' directive occurs database hdb
# The base of your directory in database #1 suffix "dc=example,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=example,dc=com" rootpw secret123 # Where the database file are physically stored for database #1 directory "/var/lib/ldap"
# The dbconfig settings are used to generate a DB_CONFIG file the first # time slapd starts. They do NOT override existing an existing DB_CONFIG # file. You should therefore change these settings in DB_CONFIG directly # or remove DB_CONFIG and restart slapd for changes to take effect.
# For the Debian package we use 2MB as default but be sure to update this # value if you have plenty of RAM dbconfig set_cachesize 0 2097152 0
# Sven Hartge reported that he had to set this value incredibly high # to get slapd running at all. See http://bugs.debian.org/303057 for more # information.
# Number of objects that can be locked at the same time. dbconfig set_lk_max_objects 1500 # Number of locks (both requested and granted) dbconfig set_lk_max_locks 1500 # Number of lockers dbconfig set_lk_max_lockers 1500
# Indexing options for database #1 index objectClass eq
# Save the time that the entry gets modified, for database #1 lastmod on
# Checkpoint the BerkeleyDB database periodically in case of system # failure and to speed slapd shutdown. checkpoint 512 30
# Where to store the replica logs for database #1 # replogfile /var/lib/ldap/replog
# The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=nodomain" write by anonymous auth by self write by * none
# Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read
# The admin dn has full write access, everyone else # can read everything. access to * by dn="cn=admin,dc=nodomain" write by * read
# For Netscape Roaming support, each user gets a roaming # profile for which they have write access to #access to dn=".*,ou=Roaming,o=morsnet" # by dn="cn=admin,dc=nodomain" write # by dnattr=owner write
####################################################################### end of slapd.conf
Auth.schema File
Auth.schema: Manually included by me in the slapd.conf. This schema file added by me. It did not come in the default installation. This is required as my proprietary ldap client needs it. I am not sure of its exact use. but i guess its related to radius.
attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME ( 'authFilterId' ) DESC 'radiusSchema: authFilterId' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 2.16.840.1.113730.3.2.222 NAME 'auth' DESC 'Authentication database' SUP top STRUCTURAL MUST ( uid $ userPassword $ authFilterId))
######################################################## end of auth.schema
LDAP ldif file: init.ldif
dn: dc=example,dc=com objectClass: dcObject objectClass: organizationalUnit dc: example ou: Example Dot Com
dn: cn=admin,dc=example,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword: secret123
dn: ou=people,dc=example,dc=com objectClass: organizationalUnit ou: people
dn: ou=groups,dc=example,dc=com objectClass: organizationalUnit ou: groups
dn: uid=fsmith,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: radiusprofile uid: fsmith sn: Smith givenName: Fred cn: Fred Smith displayName: Fred Smith uidNumber: 1001 gidNumber: 1001 userPassword: secret123 gecos: Fred Smith loginShell: /bin/bash homeDirectory: /home/fsmith shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: fsmith@example.com authFilterId: fsmith initials: FS
Added the above records using the command: $ slapadd -l init.ldif Added successfully no errors on the command line.
When i searched the database using the command $ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)'
I was able to see all the details present in the init.ldif file except the FilterId field:
authFilterId: fsmith
When i issue the command, $ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)' '(authFilterId=*)' then also it does not display the authFilterId attribute.
The slaptest when run in the debug level 16783 does not show any errors. The tail message of the slaptest o/p is: .... slaptest startup: initiated. backend_startup_one: starting "cn=config" config_back_db_open config_build_entry: "cn=config" config_build_entry: "cn=module{0}" config_build_entry: "cn=schema" config_build_entry: "cn={0}core" config_build_entry: "cn={1}cosine" config_build_entry: "cn={2}nis" config_build_entry: "cn={3}inetorgperson" config_build_entry: "cn={4}auth" config_build_entry: "olcDatabase={-1}frontend" config_build_entry: "olcDatabase={0}config" config_build_entry: "olcDatabase={1}hdb" backend_startup_one: starting "dc=example,dc=com" hdb_db_open: "dc=example,dc=com" hdb_db_open: database "dc=example,dc=com": dbenv_open(/var/lib/ldap). config file testing succeeded slaptest shutdown: initiated ====> bdb_cache_release_all slaptest destroy: freeing system resources.
Kindly do suggest of how to retrieve the authFilterId attribute value.
have a nice day, navin
Navin navin.kumar@freescale.com writes:
Hi,
I am new to LDAP. Hence kindly do excuse if any of my terminology is different.
Issue:
I installed the openldap server through debian package. ie. did NOT get the source. Was able to add the record and display them. ie. the slaptest worked fine and also could able to search the database with ldapsearch command also.
[...]
# The base of your directory in database #1 suffix "dc=example,dc=com"
# rootdn directive for specifying a superuser on the database. This is needed # for syncrepl. rootdn "cn=admin,dc=example,dc=com" rootpw secret123 # Where the database file are physically stored for database #1 directory "/var/lib/ldap"
[...]
# These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=nodomain" write
Is this the content of your slapd.conf? Because this access rule will have no effect, compare the 'by' rule with the suffix.
attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME ( 'authFilterId' ) DESC 'radiusSchema: authFilterId' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 2.16.840.1.113730.3.2.222 NAME 'auth' DESC 'Authentication database' SUP top STRUCTURAL MUST ( uid $ userPassword $ authFilterId))
Note that objectclass auth is structural.
LDAP ldif file: init.ldif
[...]
dn: uid=fsmith,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: radiusprofile
objectclass radiusprofile is unknown, this should be auth.
uid: fsmith sn: Smith givenName: Fred cn: Fred Smith displayName: Fred Smith uidNumber: 1001 gidNumber: 1001 userPassword: secret123 gecos: Fred Smith loginShell: /bin/bash homeDirectory: /home/fsmith shadowExpire: -1 shadowFlag: 0 shadowWarning: 7 shadowMin: 8 shadowMax: 999999 shadowLastChange: 10877 mail: fsmith@example.com authFilterId: fsmith initials: FS
Added the above records using the command: $ slapadd -l init.ldif Added successfully no errors on the command line.
When i searched the database using the command $ ldapsearch -xLLL -b "dc=example,dc=com" '(objectclass=*)'
I was able to see all the details present in the init.ldif file except the FilterId field:
authFilterId: fsmith
[...]
When adding this entry you should have received an error, because authFilterId is not an attribute type of the object classes assigned to this entry. Please be aware, that due to the fact that objectclass auth is structural you cannot add the objectclass to this entry.
-Dieter
Dieter Kluenter wrote:
Navin navin.kumar@freescale.com writes:
Issue:
I installed the openldap server through debian package. ie. did NOT get the source. Was able to add the record and display them. ie. the slaptest worked fine and also could able to search the database with ldapsearch command also. [..] attributetype ( 1.3.6.1.4.1.3317.4.3.1.9 NAME ( 'authFilterId' ) DESC 'radiusSchema: authFilterId' EQUALITY caseIgnoreIA5Match SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
objectclass ( 2.16.840.1.113730.3.2.222 NAME 'auth' DESC 'Authentication database' SUP top STRUCTURAL MUST ( uid $ userPassword $ authFilterId))
Note that objectclass auth is structural.
LDAP ldif file: init.ldif
[...]
dn: uid=fsmith,ou=people,dc=example,dc=com objectClass: inetOrgPerson objectClass: posixAccount objectClass: shadowAccount objectClass: radiusprofile
objectclass radiusprofile is unknown, this should be auth.
I'd strongly recommend to use exactly the schema file shipped with the RADIUS server software. Is that FreeRADIUS? Then watch out file in FreeRADIUS source distribution:
doc/examples/openldap.schema
Ciao, Michael.
openldap-technical@openldap.org
-
Dieter Kluenter -
Michael Ströder -
Navin