Hi,
I sent this from my work email but it's not appeared in the mailing list, am trying it from my hotmail acct to see if it's more successful.
Newbie post, let me know if you need any other info, inside leg measurement, blood type etc.
I wanted to restrict users to logging onto specific hosts, i.e. to keep developers away from Production hosts etc. I managed to do this on thread http://www.linuxquestions.org/questi...-users-789466/ using Sun's SDSCC.
We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with Redhat 5.3 RPMs, OpenLDAP is v2.3.43.
I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schemas. So I created a file called /etc/openldap/schema/memberof.schema and put in the following text:
# The isMemberOf attribute associated with an entity is a
# collection of values each of which identifies a group to
# which that entity belongs.
attributetype ( 1.3.6.1.4.1.5923.1.5.1.1
    NAME 'isMemberOf'
    DESC 'identifiers for groups to which containing entity belongs'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX '1.3.6.1.4.1.1466.115.121.1.15' )
Then I added this schema to the slapd.conf and restarted ldap.
In the client, I've used the same 'ismemberof' line from my previous thread, so it says:
nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com
Having tried MANY combinations of ?, ( and ) it won't work.
So, can anyone comment on my schema, is it right? Is it complete sh!te? Does the nss_base_passwd line need changing now I've moved to OpenLDAP?
Comments on a postcard please.
BTW - I've been looking at LDAP books to cure my insomnia, and found http://www.amazon.co.uk/LDAP-Directo...2282151&sr=1-1. The books.google.com site had some useful pages from this book but the review on amazon is not great.
TIA
Stuart.
--On Tuesday, May 04, 2010 1:05 PM +0000 Stuart Cherrington stuart_cherrington@hotmail.co.uk wrote:
We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with Redhat 5.3 RPMs, OpenLDAP is v2.3.43.
OpenLDAP 2.3.43 is deprecated and no longer supported. I would advise you use a supported release of OpenLDAP. 2.4.21 is the current stable release. 2.4.22 is the current release.
I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schemas. So I created a file called /etc/openldap/schema/memberof.schema and put in the following text:
I would advise looking at the slapo-memberof overlay that ships with openldap. You may also wish to read up on slapo-dynlist for dynamic groups as well.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
Sticking to 2.3.x is an entirely RH/CentOS-created issue. It's a shame that 2.4.x hasn't been introduced in RH/CentOS even two years after being released.
We rolled our own 2.4.x RPM for RH/CentOS using RH openldap spec files and upgraded. YMMV.
- Siddhartha
On 5/4/10 9:36 AM, Quanah Gibson-Mount wrote:
On Tuesday, 4 May 2010 20:18:31 Siddhartha Jain wrote:
Sticking to 2.3.x is an entirely RH/CentOS-created issue. It's a shame that 2.4.x hasn't been introduced in RH/CentOS even two years after being released.
We rolled our own 2.4.x RPM for RH/CentOS using RH openldap spec files and upgraded. YMMV.
For people who don't want to roll their own, and who don't want to invalidate any support, packages that install in parallel are available:
http://staff.telkomsa.net/packages/rhel5/openldap/
(repo file: http://staff.telkomsa.net/packages/OpenLDAP.repo)
Regards, Buchan
Buchan,
Thanks for these, I saw your email yesterday in reply to another thread so took them then :-)
I've started an upgrade process by doing the following:
shutdown ldap
slapcat -f /etc/openldap/slapd.conf -b "dc=ldn,dc=sw,dc=com" -l /export/home/stuart/full_msldap01.ldif
removed all files from /var/lib/ldap except DB_CONFIG file. I couldn't remove the ldap 2.3 version packages as their dependencies are mad, so left them in place and did an install of the 2.4 packages: lib64ldap2.4_2-2.4.22-1.el5.x86_64.rpm, openldap2.4-2.4.22-1.el5.x86_64.rpm, libldap2.4_2-2.4.22-1.el5.i386.rpm, openldap2.4-2.4.22-1.el5.i386.rpm, openldap2.4-clients-2.4.22-1.el5.x86_64.rpm, openldap2.4-servers-2.4.22-1.el5.x86_64.rpm, unixODBC-2.2.11-7.1.x86_64.rpm, openldap2.4-extra-schemas-1.3-10.el5.noarch.rpm, openldap2.4-servers-2.4.22-1.el5.x86_64.rpm.
updated the /etc/openldap2.4/slapd.conf and slapd.access.conf files to remove unwanted references to SAMBA, change domain, passwd etc.
Ran the service ldap check until it was OK.
Trying to re-load the ldif gave me some errors though:
slapadd -f /etc/openldap2.4/slapd.conf -l /export/home/stuart/full_msldap01.ldif
/usr/share/openldap2.4/schema/core.schema: line 100: AttributeType inappropriate SUPerior: "c"
I found this line and decided to hash it out but then it failed on another Country attribute and another then another in cosine.schema, so have stopped hashing and started typing.
Any reason why this would fail to like the 'c' AttributeType?
Thanks,
Stuart.
From: bgmilne@staff.telkomsa.net
To: openldap-technical@openldap.org
Subject: Re: OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts
Date: Wed, 5 May 2010 08:42:05 +0100
CC: sjain@silverspringnet.com
On Wednesday, 5 May 2010 09:54:34 Stuart Cherrington wrote:
Buchan,
Thanks for these, I saw your email yesterday in reply to another thread so took them then :-)
I've started an upgrade process by doing the following:
shutdown ldap
slapcat -f /etc/openldap/slapd.conf -b "dc=ldn,dc=sw,dc=com" -l /export/home/stuart/full_msldap01.ldif
removed all files from /var/lib/ldap except DB_CONFIG file.
I would rather keep them, and use a version-specific directory path in the slapd.conf.
I couldn't remove the ldap 2.3 version packages as their dependencies are mad,
No, most likely you have some packages that depend on libldap-2.3.so.0 (have been linked to it). This is precisely the reason I make the packages install in parallel.
so left them in place and did an install of the 2.4 packages: lib64ldap2.4_2-2.4.22-1.el5.x86_64.rpm, openldap2.4-2.4.22-1.el5.x86_64.rpm, libldap2.4_2-2.4.22-1.el5.i386.rpm, openldap2.4-2.4.22-1.el5.i386.rpm, openldap2.4-clients-2.4.22-1.el5.x86_64.rpm, openldap2.4-servers-2.4.22-1.el5.x86_64.rpm, unixODBC-2.2.11-7.1.x86_64.rpm, openldap2.4-extra-schemas-1.3-10.el5.noarch.rpm, openldap2.4-servers-2.4.22-1.el5.x86_64.rpm.
updated the /etc/openldap2.4/slapd.conf and slapd.access.conf files to remove unwanted references to SAMBA, change domain, passwd etc.
Ran the service ldap check until it was OK.
Trying to re-load the ldif gave me some errors though:
slapadd -f /etc/openldap2.4/slapd.conf -l /export/home/stuart/full_msldap01.ldif
/usr/share/openldap2.4/schema/core.schema: line 100: AttributeType inappropriate SUPerior: "c"
Did you over-write schema files from 2.4 with files from your 2.3 installation? The 2.4 schema file has the attribute c on line 100 commented out, as it is most likely built-in.
I found this line and decided to hash it out but then it failed on another Country attribute and another then another in cosine.schema, so have stopped hashing and started typing.
Any reason why this would fail to like the 'c' AttributeType?
Depends what you did to the schema files.
$ rpm -Va openldap2.4-servers
should not show any schema files having been modified ....
Regards, Buchan
Buchan,
The power of Virtual environments, I rolled back to my pre 2.4 upgrade snapshot and went through this again, steps I followed (for anyone's ref) are:
service ldap stop
slapcat -f /etc/openldap/slapd.conf -b "dc=ldn,dc=sw,dc=com" -l /export/home/stuart/full_msldap01.ldif
Managed to rpm -ev openldap-servers-overlays-2.3.43-3.el5 openldap-clients-2.3.43-3.el5 openldap-servers-2.3.43-3.el5
Had to leave openldap-2.3.43-3.el5 32&64-bit versions as they're in too deep.
Removed the empty /usr/lib64/openldap directory which held 2.3 schemas and mv /var/lib/ldap to /var/lib/ldap.23, mv /etc/openldap /etc/openldap.23
installed the 2.4 packages:
rpm -ivh lib64ldap2.4_2-2.4.22-1.el5.x86_64.rpm openldap2.4-2.4.22-1.el5.x86_64.rpm libldap2.4_2-2.4.22-1.el5.i386.rpm openldap2.4-2.4.22-1.el5.i386.rpm openldap2.4-clients-2.4.22-1.el5.x86_64.rpm openldap2.4-servers-2.4.22-1.el5.x86_64.rpm unixODBC-2.2.11-7.1.x86_64.rpm openldap2.4-extra-schemas-1.3-10.el5.noarch.rpm openldap2.4-servers-2.4.22-1.el5.x86_64.rpm
vi /etc/openldap2.4/slapd.conf /etc/openldap2.4/slapd.access.conf and removed unrequired schemas and samba references.
Imported data with slapadd2.4 -f /etc/openldap2.4/slapd.conf -l /export/home/stuart/full_msldap01.ldif
service ldap2.4 check - OK
service ldap2.4 start - OK
All works and I can login against this LDAP server.
Now on to attempting use of the slapo-memberof overlay, as mentioned by Quanah.
Thanks guys, I'm sure I'll be back with more questions.
Stuart.
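The overlay route Quanah points at, as an added example that is not from the thread or from the OpenLDAP project: a slapd.conf fragment enabling slapo-memberof on the dc=ldn,dc=sw,dc=com database, with the nss_ldap line from the first post rewritten to use the overlay's default memberOf attribute. The DNs are the ones Stuart posted; the module path, the host bind DN cn=nss-host,ou=auth,... and the ACL are assumptions.

```conf
# slapd.conf fragment (added example). Place the module lines in the
# global section, the rest inside the "database" section for the suffix.
modulepath  /usr/lib64/openldap2.4           # assumed; match the 2.4 package layout
moduleload  memberof.la

# ... database bdb / suffix "dc=ldn,dc=sw,dc=com" / directory ... above ...

# Only the host's own bind identity (assumed DN) may search on and read
# memberOf; a user may read their own value; nobody else sees it.
access to attrs=memberOf
    by dn.exact="cn=nss-host,ou=auth,dc=ldn,dc=sw,dc=com" read
    by self read
    by * none

# slapd now maintains memberOf on each user entry whenever a group gains
# or loses a member. Groups must be DN-valued: groupOfNames/member here,
# or groupOfUniqueNames/uniqueMember if that is what the Sun export held.
# posixGroup with memberUid is NOT seen by this overlay.
overlay     memberof
memberof-group-oc      groupOfNames
memberof-member-ad     member
memberof-memberof-ad   memberOf
memberof-refint        true     # drop stale memberOf values when a user entry is deleted
memberof-dangling      ignore   # tolerate member DNs that do not (yet) exist

# /etc/ldap.conf (nss_ldap) on each restricted host: same base?scope?filter
# form as the first post, with the overlay's attribute name instead of isMemberOf:
#   nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?memberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com
#
# The overlay does not backfill memberships that existed before it was
# enabled: re-add cn=access (ldapadd) after turning it on, then verify as
# the host identity (memberOf must be requested by name to be displayed):
#   ldapsearch -x -H ldap://localhost \
#       -D "cn=nss-host,ou=auth,dc=ldn,dc=sw,dc=com" -W \
#       -b ou=people,dc=ldn,dc=sw,dc=com \
#       '(memberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com)' uid memberOf
```

The nss_base_passwd filter is applied by the client, so it only limits which accounts that host resolves; the server-side ACL is what stops anything else reading the overlay-maintained memberOf values.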
From: bgmilne@staff.telkomsa.net
To: stuart_cherrington@hotmail.co.uk
Subject: Re: OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts
Date: Wed, 5 May 2010 10:47:38 +0100
CC: sjain@silverspringnet.com; openldap-technical@openldap.org