Hi All!
I'm trying to enforce the fact that the mail attribute has to be unique. In order to do it I tried to enable the unique overlay. Unfortunately, OpenLDAP still allows inserting an object with the same mail value.
I cannot understand where the wrong configuration occurs.
My config is still based on slapd.conf. I've recompiled OpenLDAP with the following steps:
a) ./configure --enable-modules=yes --enable-rlookups=yes --with-tls --with-cyrus-sasl --enable-mdb=yes --enable-bdb=yes --enable-monitor=yes --enable-unique
b) make depend
c) make
d) make install
Then, I added these lines to my slapd.conf:
overlay unique
unique_uri ldap:///?mail?sub
So, my development slapd.conf looks like the one below now.
Thanks a lot for any hints you can give me!
Simone
=== slapd.conf ====
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args

database config
rootdn "cn=admin,cn=config"

# Security - TLS section
TLSCACertificateFile /certs/CA.pem
TLSCertificateFile /certs/certificate.cer
TLSCertificateKeyFile /certs/company.key
TLSCipherSuite TLSv1+RSA:!NULL
TLSVerifyClient never

# Use LMDB database.
database mdb
overlay unique
suffix "dc=com"
rootdn "cn=Manager,dc=com"
maxsize 16058941440
rootpw secret
directory /usr/local/var/openldap-data/databases/com
index mail eq
index cn eq
index objectClass eq

# mail is a unique attribute
unique_uri ldap:///?mail?sub?

access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search
    by anonymous auth
access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write
    by anonymous auth
access to dn.subtree="dc=com"
    by users read
    by anonymous auth
On 24/08/2015 15:05, Simone Taliercio wrote:
Hi,
you should declare the overlay below the database, like this:
# Use LMDB database.
database mdb
suffix "dc=com"
rootdn "cn=Manager,dc=com"
maxsize 16058941440
rootpw secret
directory /usr/local/var/openldap-data/databases/com
index mail eq
index cn eq
index objectClass eq

access to dn.subtree="ou=user,dc=company1,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company1,dc=com" search
    by anonymous auth
access to dn.subtree="ou=user,dc=company2,dc=com" attrs=cn,sn,givenName,mail,userPassword
    by dn.exact="cn=specificuser,ou=user,dc=company2,dc=com" write
    by anonymous auth
access to dn.subtree="dc=com"
    by users read
    by anonymous auth

# mail is a unique attribute
overlay unique
unique_uri ldap:///?mail?sub?
Hi Clement,
Thanks for your quick answer!
I tried your suggestion, but it does not really like it:
/usr/local/etc/openldap/slapd.conf: line 90: unknown directive <unique_uri> inside backend database definition.
I'm going to try now to have only the unique_uri section at the end.
Stay tuned!
Simone
2015-08-24 15:18 GMT+02:00 Clément OUDOT <clement.oudot@savoirfairelinux.com>:
-- Clément OUDOT, free software consultant, infrastructure and security expert, Savoir-faire Linux, 87, rue de Turbigo - 75003 PARIS
Simone Taliercio wrote:
I tried your suggestion, but it does not really like it:
/usr/local/etc/openldap/slapd.conf: line 90: unknown directive <unique_uri> inside backend database definition.
Make sure the overlay module gets loaded with this configuration directive in the global section of your slapd.conf:
moduleload unique
The global section consists of all configuration directives *before* your first database directive.
Ciao, Michael.
Hi Michael,
I've also tried to add the "moduleload" and "modulepath" directives at the top of slapd.conf (but after the include schema block). Anyway, before any database definition.
I tried both with moduleload unique and with moduleload unique.o
Unfortunately no success.
Might it be that my re-compiling procedure was incorrect? I described it in my first post. Or might it be that the root user is not "blocked" by that unique overlay?
Thanks for the important support! I've run out of ideas :-/
Simone
2015-08-24 16:45 GMT+02:00 Michael Ströder michael@stroeder.com:
Hi Guys,
Finally I understood my errors and I got the unique overlay working. For posterity, I'm going to list them and the fixes here:
1) I recompiled OpenLDAP with the flag --enable-unique . Checking "./configure --help" let me understand that I had to use --enable-unique *=yes*
2) For testing I was using *JXplorer* and *Apache Directory Studio*. At this point, I noticed a strange line in the slapd log:
"55dc142d unique_add: *administrative bypass, skipping*"
With a short google search I found a thread here in the group: http://www.openldap.org/lists/openldap-technical/201307/msg00193.html
3) So, I moved to ldapadd cmd line and finally I got:
ldap_add: Constraint violation (19) additional info: some attributes not unique
I do not completely understand the ManageDsaIT control, but I guess that it shouldn't happen (I mean, a way to work around the server constraints such as attribute uniqueness).
Fallback question: is there a way to prevent those Java tools from inserting objects with duplicate mails?
Thanks a LOT for your help. I find OpenLDAP amazing!
Simone
2015-08-24 15:05 GMT+02:00 Simone Taliercio simonetaliercio@gmail.com:
Simone Taliercio wrote:
- For testing I was using *JXplorer* and *Apache Directory Studio*. At this point, I noticed a strange line in the slapd log:
"55dc142d unique_add: *administrative bypass, skipping*"
With a short google search I found a thread here in the group: http://www.openldap.org/lists/openldap-technical/201307/msg00193.html [..] Fallback question: is there a way to prevent those Java tools to insert object with duplicate mails ?
You should use a decent LDAP client which does not send controls which circumvent slapd's internal checks. And you should not give normal users 'manage' right.
Ciao, Michael.
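As an added example (not code from this thread or from OpenLDAP itself), here is a small Python model of the decision slapo-unique makes on an add request, covering the three things discussed above: the scope of a unique_uri domain, the constraint violation (19) Simone finally got from ldapadd, and the "administrative bypass" line she saw when testing from the Java GUI clients. That the bypass requires both the ManageDsaIT control and 'manage' access (which the rootdn always has) is taken from the two replies above and is an assumption of this model, as is the simplified DN handling.

```python
# Added example, not from the thread or from OpenLDAP: a model of how
# slapo-unique decides an add, including the "administrative bypass" case.
# Assumptions: simple DNs without escaped commas; attribute values compared
# case-insensitively (as mail's caseIgnoreIA5Match matching rule would).
from urllib.parse import unquote


def parse_unique_uri(uri):
    """Split 'ldap:///[base]?[attrs]?[scope]?[filter]' into a domain dict."""
    if not uri.startswith("ldap:///"):
        raise ValueError("unique_uri must start with ldap:///")
    parts = (uri[len("ldap:///"):].split("?") + [""] * 4)[:4]
    base, attrs, scope, filt = parts
    return {"base": unquote(base).lower(),
            "attrs": [a.strip().lower() for a in attrs.split(",") if a.strip()],
            "scope": scope.lower() or "sub",
            "filter": filt}


def in_scope(dn, base, scope):
    """True if dn lies inside the domain's (lowercase) base at the given scope."""
    dn = dn.lower()
    if dn == base:
        return True
    if scope == "base":
        return False
    parent = dn.split(",", 1)[1] if "," in dn else ""
    if scope == "one":
        return parent == base
    return base == "" or dn.endswith("," + base)   # sub; empty base = whole DIT


def unique_add(domain, existing, entry, managedsait=False, manage_access=False):
    """Return (resultCode, diagnostic) as slapd would answer an add request.
    entry/existing: dicts of 'dn' plus lowercase attribute names -> value lists."""
    # Assumed bypass rule: the request carries the ManageDsaIT control AND the
    # bound identity has 'manage' access (rootdn always has it on its database).
    # This is the "unique_add: administrative bypass, skipping" line in the log.
    if managedsait and manage_access:
        return 0, "unique_add: administrative bypass, skipping"
    if not in_scope(entry["dn"], domain["base"], domain["scope"]):
        return 0, "success"                     # entry outside the unique domain
    for attr in domain["attrs"]:
        wanted = {v.lower() for v in entry.get(attr, [])}
        for other in existing:
            if not in_scope(other["dn"], domain["base"], domain["scope"]):
                continue
            if wanted & {v.lower() for v in other.get(attr, [])}:
                return 19, "some attributes not unique"   # constraintViolation
    return 0, "success"
```

A plain ldapadd bind as an ordinary writer (no ManageDsaIT, no manage right) takes the checked path; a GUI client that sends ManageDsaIT while bound as the rootdn takes the bypass, which is why the duplicate mail went in silently.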
Hi Michael,
2015-08-25 10:11 GMT+02:00 Michael Ströder michael@stroeder.com:
You should use a decent LDAP client which does not send controls which circumvent slapd's internal checks.
You are right Michael, but having a UI is really comfortable. Which other client(s) would you suggest (with UI) ?
And you should not give normal users 'manage' right.
OK, then I'll test with a user which has only write access.
Thanks!
Simone
Simone Taliercio wrote:
You are right Michael, but having a UI is really comfortable. Which other client(s) would you suggest (with UI) ?
Being the author of http://web2ldap.de I'm biased.
Ciao, Michael.
2015-08-25 13:42 GMT+02:00 Michael Ströder michael@stroeder.com:
Being the author of http://web2ldap.de I'm biased.
Ciao, Michael.
Great! Any plans to port on Mac OS X ? ;-)
I went through your website: any plan to visit Salzburg from Karlsruhe ? ;)
Thanks again, Simmo
Simone Taliercio wrote:
2015-08-25 13:42 GMT+02:00 Michael Ströder <michael@stroeder.com>:
Being the author of http://web2ldap.de I'm biased.
Great! Any plans to port on Mac OS X ? ;-)
Thanks to Python it should simply run on Mac OS X provided you have all the dependencies installed.
Ciao, Michael.