Hello,
This is my first post here, so if I'm going over old ground, please let me know (I have searched).
I have looked through the archives and reached the conclusion that there isn't a convenient means of searching for groups based on a dynamic entry. For example, if I have a dynlist entry containing
olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember
uniqueMember is dynamically added to search results, but can't be part of the search.
Is this conclusion correct?
I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:
filter="(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))" attrs="gidNumber"
Ian Collins wrote:
Hello,
This is my first post here, so if I'm going over old ground, please let me know (I have searched).
I have looked through the archives and reached the conclusion that there isn't a convenient means of searching for groups based on a dynamic entry. For example, if I have a dynlist entry containing
olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember
uniqueMember is dynamically added to search results, but can't be part of the search.
Is this conclusion correct?
Yes.
I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:
filter="(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))" attrs="gidNumber"
Don't use dynamic groups then. Use autogroups.
On 05/23/10 09:21 PM, Howard Chu wrote:
Ian Collins wrote:
I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:
filter="(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))" attrs="gidNumber"
Don't use dynamic groups then. Use autogroups.
Thanks, I hadn't looked at the contrib modules.
On 05/23/10 09:21 PM, Howard Chu wrote:
Don't use dynamic groups then. Use autogroups.
Is there any documentation of autogroup or how to debug it?
I've read the README, built the module and updated my config thus:
dn: cn={8}dyngroup,cn=schema,cn=config
<stuff>
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso $ member ) )

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/local/libexec/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}auditlog.la
olcModuleLoad: {3}autogroup.la

dn: olcOverlay={2}autogroup,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: {2}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
But it doesn't appear to be working.
Thanks,
Ian Collins wrote:
On 05/23/10 09:21 PM, Howard Chu wrote:
Don't use dynamic groups then. Use autogroups.
Is there any documentation of autogroup or how to debug it?
I've read the README, built the module and updated my config thus:
dn: cn={8}dyngroup,cn=schema,cn=config
<stuff>
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso $ member ) )

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/local/libexec/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}auditlog.la
olcModuleLoad: {3}autogroup.la

dn: olcOverlay={2}autogroup,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: {2}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
But it doesn't appear to be working.
What have you done to test it? As the README says, it operates when a write operation occurs that may affect the membership of a given group.
On 05/24/10 01:11 PM, Howard Chu wrote:
Ian Collins wrote:
On 05/23/10 09:21 PM, Howard Chu wrote:
Don't use dynamic groups then. Use autogroups.
Is there any documentation of autogroup or how to debug it?
I've read the README, built the module and updated my config thus:
dn: cn={8}dyngroup,cn=schema,cn=config
<stuff>
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso $ member ) )

dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /opt/local/libexec/openldap
olcModuleLoad: {0}dynlist.la
olcModuleLoad: {1}memberof.la
olcModuleLoad: {2}auditlog.la
olcModuleLoad: {3}autogroup.la

dn: olcOverlay={2}autogroup,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: {2}autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
But it doesn't appear to be working.
What have you done to test it? As the README says, it operates when a write operation occurs that may affect the membership of a given group.
Yes it does, I was using the wrong search (searching on uniqueMember, not member).
The README states the <member-ad> part of the olcAGattrSet is fixed; this appears to be the case, as I can't get uniqueMember to work.
Hello everyone,
I would like to know if any of you has had experience integrating AD with LDAP. My idea is to have a core LDAP that AD users consume.
I have a concern: would the root domain be the same for LDAP (ldap.sitio.int) and AD (e.g. ad.sitio.int), or not?
LDAP (sitio.int) -------> AD (sitio.int)
I have understood that you can import/export an LDIF from OpenLDAP to AD.
I am implementing this scheme for unified authentication, working cross-platform, and it must be based on an LDAP.
Sincerely, Sebastián Veloso Vars
"Veloso Varas, Sebastián (TECH-IT)" wrote:
I would like to know if any of you has had experience integrating AD with LDAP. My idea is to have a core LDAP that AD users consume.
Not sure what you really want. If you want simple replication from OpenLDAP to AD this is not possible out-of-the-box.
I have a concern: would the root domain be the same for LDAP (ldap.sitio.int) and AD (e.g. ad.sitio.int), or not?
LDAP (sitio.int) -------> AD (sitio.int)
You're mixing AD and pure LDAPv3 terms here, probably because with AD the DNS domain name and the LDAP naming context are tightly coupled. Anyway, this is the least of the problems.
I am implementing this scheme for unified authentication, working cross-platform, and it must be based on an LDAP.
What authentication mechanism do you want to use? Simple bind with password? Kerberos (SASL/GSSAPI)? Etc.
You should really try to explain in more detail what you want to achieve.
Ciao, Michael.
On 25-05-2010 1:50, Michael Ströder wrote:
"Veloso Varas, Sebastián (TECH-IT)" wrote:
I would like to know if any of you has had experience integrating AD with LDAP. My idea is to have a core LDAP that AD users consume.
Not sure what you really want. If you want simple replication from OpenLDAP to AD this is not possible out-of-the-box.
OpenLDAP needs to have the root domain "sitio.int". I have a Windows 2003 Server Active Directory that has the root domain "ad.int". I need the AD users to be housed in OpenLDAP. Is it possible to replicate the users? Or must both have the same domain name? Can the domains "sitio.int" and "ad.int" live together in a single LDAP server?
I have a concern: would the root domain be the same for LDAP (ldap.sitio.int) and AD (e.g. ad.sitio.int), or not?
LDAP (sitio.int) -------> AD (sitio.int)
You're mixing AD and pure LDAPv3 terms here, probably because with AD the DNS domain name and the LDAP naming context are tightly coupled. Anyway, this is the least of the problems.
I am implementing this scheme for unified authentication, working cross-platform, and it must be based on an LDAP.
What authentication mechanism do you want to use? Simple bind with password? Kerberos (SASL/GSSAPI)? Etc.
To avoid problems with passwords, I made a .NET web application that is able to change the password in OpenLDAP and AD; therefore, the user is given the password and changes it with this application.
You should really try to explain in more detail what you want to achieve.
Ciao, Michael.
On 05/24/10 03:34 PM, Ian Collins wrote:
On 05/24/10 01:11 PM, Howard Chu wrote:
What have you done to test it? As the README says, it operates when a write operation occurs that may affect the membership of a given group.
Yes it does, I was using the wrong search (searching on uniqueMember, not member).
The README states the <member-ad> part of the olcAGattrSet is fixed; this appears to be the case, as I can't get uniqueMember to work.
So, going back to my original problem, is there any way OpenLDAP can support this search with dynamic/auto groups?
filter="(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))" attrs="gidNumber"
autogroup would work if the search were changed to:
filter="(&(objectClass=posixGroup)(member=cn=Admins,ou=groups,o=staff,dc=company))" attrs="gidNumber"
But I am unable to modify these searches as they are from third party applications which assume group members are identified by uniqueMember rather than member.
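The two findings of this thread, modelled in Python as an added example (not OpenLDAP code and not from any of the posts above): a dynlist overlay adds uniqueMember only to entries that have already been selected, so a filter on uniqueMember matches nothing; the autogroup overlay materialises member, and only member, at write time, so the third-party filter on uniqueMember still fails while the same filter on member succeeds. The group entries, the memberURL, the URL_RESULTS resolver and the functions parse_filter, search and search_with_dynlist are all constructed stand-ins for what the backend and the overlays do.

```python
"""Toy model of an LDAP search over stored vs. computed attributes.

Constructed for this thread; entries, DNs and URLs are made up.
"""
from __future__ import annotations

ADMINS_DN = "cn=Admins,ou=groups,o=staff,dc=company"
ADMINS_URL = "ldap:///ou=groups,o=staff,dc=company??one?(cn=Admins)"

# Constructed "stored" entries, attribute names lower-cased as keys.
# The dynlist group stores only memberURL: uniqueMember never hits disk.
DYNLIST_GROUP = {
    "dn": "cn=dyn-admins,ou=groups,dc=company",
    "cn": ["dyn-admins"],
    "objectclass": ["posixGroup", "groupOfURLs"],
    "gidnumber": ["5001"],
    "memberurl": [ADMINS_URL],
}
# The autogroup group: the overlay wrote 'member' on the last modification.
AUTOGROUP_GROUP = {
    "dn": "cn=auto-admins,ou=groups,dc=company",
    "cn": ["auto-admins"],
    "objectclass": ["posixGroup", "groupOfURLs"],
    "gidnumber": ["5002"],
    "memberurl": [ADMINS_URL],
    "member": [ADMINS_DN],
}
ENTRIES = [DYNLIST_GROUP, AUTOGROUP_GROUP]

# Constructed stand-in for dynlist resolving each memberURL at read time.
URL_RESULTS = {ADMINS_URL: [ADMINS_DN]}


def _norm(value: str) -> str:
    """Case-insensitive compare, tolerant of spaces after DN commas."""
    return ",".join(part.strip() for part in value.split(",")).lower()


def parse_filter(text: str):
    """Parse the subset of RFC 4515 used in the thread: &, |, ! and attr=value."""
    pos, node = _parse(text, 0)
    if pos != len(text):
        raise ValueError(f"trailing characters in filter: {text[pos:]!r}")
    return node


def _parse(text: str, i: int):
    if text[i] != "(":
        raise ValueError(f"expected '(' at {i}")
    i += 1
    if text[i] in "&|!":
        op, i, children = text[i], i + 1, []
        while text[i] == "(":
            i, child = _parse(text, i)
            children.append(child)
        if text[i] != ")" or (op == "!" and len(children) != 1):
            raise ValueError(f"malformed {op} filter at {i}")
        return i + 1, (op, children)
    eq = text.index("=", i)      # first '=' ends the attribute name
    end = text.index(")", eq)    # DN values contain no ')' here
    return end + 1, ("=", text[i:eq].strip().lower(), text[eq + 1:end])


def matches(entry: dict, node) -> bool:
    """Evaluate a parsed filter against the attributes the backend stores."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    return _norm(value) in {_norm(v) for v in entry.get(attr, [])}


def _project(entry: dict, attrs: list[str]) -> dict:
    return {a: entry.get(a.lower(), []) for a in attrs}


def search(entries, filter_text: str, attrs: list[str]):
    """Plain backend search: filter and projection see stored data only."""
    node = parse_filter(filter_text)
    return [(e["dn"], _project(e, attrs)) for e in entries if matches(e, node)]


def search_with_dynlist(entries, filter_text: str, attrs: list[str],
                        member_ad: str = "uniqueMember"):
    """dynlist-style search: the filter runs over stored attributes; only the
    entries already selected get member_ad computed from their memberURL."""
    node = parse_filter(filter_text)
    out = []
    for e in entries:
        if not matches(e, node):
            continue             # the filter never saw the computed attribute
        expanded = dict(e)
        expanded[member_ad.lower()] = [
            dn for url in e.get("memberurl", []) for dn in URL_RESULTS.get(url, [])
        ]
        out.append((e["dn"], _project(expanded, attrs)))
    return out


THREAD_FILTER = f"(&(objectClass=posixGroup)(uniqueMember={ADMINS_DN}))"
MEMBER_FILTER = f"(&(objectClass=posixGroup)(member={ADMINS_DN}))"

if __name__ == "__main__":
    print("uniqueMember filter, dynlist:", search_with_dynlist(ENTRIES, THREAD_FILTER, ["gidNumber"]))
    print("member filter, autogroup:", search(ENTRIES, MEMBER_FILTER, ["gidNumber"]))
    print("dynlist result still carries:", search_with_dynlist(ENTRIES, "(cn=dyn-admins)", ["uniqueMember"]))
```

Run as a script, the first search returns an empty list even though a search for the dynlist group by cn does return a computed uniqueMember value; that asymmetry is exactly what the thread reports. The model also shows why renaming the filter attribute to member (or, in real deployments, having the application send member) is the only way the autogroup entry is found.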
openldap-technical@openldap.org