Hi all, I am trying to do an LDAP search using an email address instead of the DN. For that I am using the rwm overlay and the relay backend. When I give relay "dc=example,dc=com", slapd gives me an error like (unknown directive <relay> inside backend database definition). I already enabled the modules for relay (back_relay.so) and rwm (rwm.so).
OpenLDAP => 2.4.15, Backend => bdb (Berkeley Database)
Regards
venish khant writes:
> I am trying to do an LDAP search using an email address instead of the DN. For that I am using the rwm overlay and the relay backend. When I give relay "dc=example,dc=com", slapd gives me an error like (unknown directive <relay> inside backend database definition). I already enabled the modules for relay (back_relay.so) and rwm (rwm.so).
I can only guess since you don't show your slapd.conf, but it sounds like you didn't put "database relay" above relay "dc=example,dc=com" but instead put the relay directive under some other database.
Hallvard B Furuseth wrote:
> I can only guess since you don't show your slapd.conf, but it sounds like you didn't put "database relay" above relay "dc=example,dc=com" but instead put the relay directive under some other database.
Thanks for the reply. I already defined "database relay" in slapd.conf.
This is my slapd configuration; you can get a much clearer picture from it.
-------------------------------------------------------------
allow bind_v2
allow bind_anon_dn
loglevel 0

include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/ppolicy.schema
include /etc/ldap/schema/myschema.schema

pidfile  /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# Database module loading
#moduleload /usr/lib/ldap/back_hdb.so
moduleload /usr/lib/ldap/back_bdb.so
moduleload /usr/lib/ldap/rwm.so
moduleload /usr/lib/ldap/back_relay.so

database bdb
database relay
overlay rwm
suffix "dc=example,dc=com"
relay "dc=example,dc=com"
rootdn "uid=support,ou=people,dc=example,dc=com"
password-hash {SSHA}
directory /var/lib/ldap
index objectClass eq

rwm-rewriteEngine on
rwm-suffixmassage "dc=example,dc=com"

rwm-rewriteMap ldap mail2uid
ldap://localhost/ou=people,dc=example,dc=com?uid?sub
rwm-rewriteMap ldap uid2mail
ldap://localhost/ou=people,dc=example,dc=com?mail?sub
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "^(.+,)?(mail=[^,]+),.example.com$" "$1uid=${mail2uid($2)},ou=people,dc=example,dc=com" ":@I"

rwm-rewriteContext searchEntryUID2Mail
rwm-rewriteRule "^(.+,)?(uid=[^,]+),ou=people,dc=example,dc=com$" "$1mail=${uid2mail($2)},exmple.com" ":@I"

access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
    by dn="uid=support,ou=people,dc=example,dc=com" write
    by anonymous auth
    by self write
    by * none

access to dn.subtree="dc=example,dc=com"
    by dn="uid=dc=support,dc=com,ou=people,dc=example,dc=com" read
    by self write
    by users read

access to dn.subtree="ou=people,dc=example,dc=com"
    by dn="uid=dc=support,dc=com,ou=people,dc=example,dc=com" read
    by users read

access to dn.subtree="ou=group,dc=example,dc=com"
    by dn="uid=dc=support,dc=com,ou=people,dc=example,dc=com" read
    by users read

access to dn.subtree="ou=addressbook,dc=example,dc=com"
    by dn="uid=dc=support,dc=com,ou=people,dc=example,dc=com" read
    by users read

access to dn.subtree="dc=example,dc=com"
    by none

cachesize 1500
sizelimit 1500
--------------------------------------------------
Venish Khant writes:
> database bdb
> database relay
No. You need to put the bdb configuration under "database bdb", e.g. "suffix" and "directory" below.
> overlay rwm
Put that after the "relay" keyword. I don't know if that is the problem you reported, but after all "relay" is for the database, not the overlay.
> suffix "dc=example,dc=com"
> relay "dc=example,dc=com"
You are now relaying dc=example,dc=com to itself, in an eternal loop. Except I thought the config catches that. Anyway, I expect example.com is for the database bdb while database relay should have some other suffix.
> rootdn "uid=support,ou=people,dc=example,dc=com"
> (...)
> directory /var/lib/ldap
> index objectClass eq
> (...)
> cachesize 1500
These should likely be under database bdb, not relay.
> (...)
> rwm-rewriteMap ldap mail2uid
> ldap://localhost/ou=people,dc=example,dc=com?uid?sub
> rwm-rewriteMap ldap uid2mail
> ldap://localhost/ou=people,dc=example,dc=com?mail?sub
Indent the lines with URLs, so they become continuation lines of the rwm-rewriteMap directives. (Note, I don't know rwm so I don't know if these lines are OK otherwise.)
> password-hash {SSHA}
> (...)
> access to attrs="userPassword,sambaLMPassword,sambaNTPassword"
> (...)
> sizelimit 1500
Since these are under "database relay" they only apply to requests via back-relay. Put them where they affect bdb: either global or under bdb.
Note that you need access rules both for access via DNs ending with relay's suffix and for DNs ending with bdb's suffix. I haven't checked which rules apply when, but the slapd-relay manpage talks about it.
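The layout problems Hallvard lists above (storage directives under the wrong database, a relay database that relays its own suffix, the overlay declared before the database's suffix) are easy to miss in a flat slapd.conf. Below is an added example, not from this thread or from OpenLDAP, of a small Python checker that splits a slapd.conf into its global part and one section per "database" line and reports those problems plus unbalanced double quotes. The directive-to-backend table and the two sample configs (one mirroring the posted layout, one laid out as Hallvard suggests) are my own assumptions and cover only the directives used in this thread; they are not slapd's grammar.

```python
# Added example: a layout checker for flat slapd.conf files.
# Assumption: BACKEND_ONLY lists only the directives this thread uses, and
# only the backends it mentions (bdb/hdb for storage, relay for back-relay).
BACKEND_ONLY = {
    "directory": {"bdb", "hdb"},
    "index": {"bdb", "hdb"},
    "cachesize": {"bdb", "hdb"},
    "relay": {"relay"},
}


def split_sections(text):
    """Return (global_directives, sections); each section is
    (backend, [(lineno, directive, args), ...]) in file order."""
    global_directives, sections, current = [], [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        directive = parts[0].lower()
        args = parts[1].strip() if len(parts) > 1 else ""
        if directive == "database":
            current = (args.lower(), [])
            sections.append(current)
        elif current is None:
            global_directives.append((lineno, directive, args))
        else:
            current[1].append((lineno, directive, args))
    return global_directives, sections


def check_slapd_conf(text):
    """Return [(lineno, message), ...]; an empty list means nothing was found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.count('"') % 2:
            findings.append((lineno, "unbalanced double quote"))
    _, sections = split_sections(text)
    for backend, directives in sections:
        suffix = suffix_line = relay_target = None
        for lineno, directive, args in directives:
            allowed = BACKEND_ONLY.get(directive)
            if allowed is not None and backend not in allowed:
                findings.append((lineno, f"'{directive}' is not valid in 'database {backend}'"))
            if directive == "suffix":
                suffix, suffix_line = args.strip('"'), lineno
            elif directive == "relay":
                # syntax: relay <real naming context> [massage]
                relay_target = args.split()[0].strip('"') if args else ""
            elif directive == "overlay" and suffix is None:
                findings.append((lineno, f"'overlay {args}' appears before this database's suffix"))
        if backend == "relay" and suffix and relay_target and suffix.lower() == relay_target.lower():
            findings.append((suffix_line, f"relay database relays its own suffix {suffix}"))
    return findings


# Constructed sample: the layout from the post (everything after "database relay").
BROKEN_CONF = """\
moduleload /usr/lib/ldap/back_bdb.so
moduleload /usr/lib/ldap/rwm.so
moduleload /usr/lib/ldap/back_relay.so

database bdb
database relay
overlay rwm
suffix "dc=example,dc=com"
relay "dc=example,dc=com"
rootdn "uid=support,ou=people,dc=example,dc=com"
directory /var/lib/ldap
index objectClass eq
cachesize 1500
"""

# Constructed sample: storage directives under bdb, a separate virtual suffix
# for the relay, overlay after the relay keyword.
FIXED_CONF = """\
moduleload /usr/lib/ldap/back_bdb.so
moduleload /usr/lib/ldap/rwm.so
moduleload /usr/lib/ldap/back_relay.so

database bdb
suffix "dc=example,dc=com"
rootdn "uid=support,ou=people,dc=example,dc=com"
directory /var/lib/ldap
index objectClass eq
cachesize 1500

database relay
suffix "dc=play,dc=com"
relay "dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
"""

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        print(f"{name}:")
        for lineno, msg in check_slapd_conf(conf) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run it on your own slapd.conf before starting slapd; the unbalanced-quote check catches the kind of stray `suffix "dc=play,dc=com` line that otherwise only shows up as a confusing parse error.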
I did these things and that error is solved.
    moduleload /usr/lib/ldap/back_bdb.so
    database bdb
    suffix "dc=example,dc=com"
    rootdn "uid=demo,ou=people,dc=example,dc=com"
    password-hash {SSHA}
    directory /var/lib/ldap
    index objectClass eq
    access to attrs="..........."
        (...................)
    cachesize 1500
    sizelimit 1500

    moduleload /usr/lib/ldap/back_relay.so
    database relay
    suffix "dc=play,dc=com"
    relay "dc=example,dc=com"
    rootdn "uid=test,dc=example,dc=com"
    password-hash {SSHA}
    access to attrs="............"
        (...................)
    sizelimit 1500
slapd is running perfectly. Now the problem is that I want to add some entries to the 'relay database'.
I tried to add some entries to the relay database using this command:

    slapadd -b "dc=play,dc=com" -l ldap_relay.ldif -f /etc/ldap/slapd.conf

But it gives me an error:

    slapadd: database doesn't support necessary operations.
Venish Khant writes:
> database relay
> suffix "dc=play,dc=com"
> relay "dc=example,dc=com"
> (...)
> I tried to add some entries to the relay database using this command:
>
>     slapadd -b "dc=play,dc=com" -l ldap_relay.ldif -f /etc/ldap/slapd.conf
>
> But it gives me an error:
>
>     slapadd: database doesn't support necessary operations.
Right, Relay doesn't support slapadd. But you can use ldapadd to add the entries over the protocol.
Or you can slapadd to the bdb database. That is, use slapadd -b dc=example,dc=com and use entries ending with dc=example,dc=com.
Hallvard B Furuseth wrote:
> Right, Relay doesn't support slapadd. But you can use ldapadd to add the entries over the protocol.
> Or you can slapadd to the bdb database. That is, use slapadd -b dc=example,dc=com and use entries ending with dc=example,dc=com.
I tried to add a base entry like:

    ldapadd -xD uid=easypush,ou=public,dc=play,dc=com -w test
    dn: dc=play,dc=com
    o: play
    dc: play
    objectClass: top
    objectClass: organization
    objectClass: dcObject

It gives me an error like:

    adding new entry "dc=play,dc=com"
    ldap_add: No such object (32)

This is the configuration of the relay database:

    moduleload /usr/lib/ldap/back_relay.so
    database relay
    suffix "dc=play,dc=com"
    relay "dc=example,dc=com"
    rootdn "uid=test,ou=public,dc=play,dc=com"
    rootpw test

    access to dn.subtree="dc=play,dc=com"
        by dn="uid=test,ou=public,dc=play,dc=com" write
        by self write
        by users read
On Wednesday 03 June 2009 13:13:34 Venish Khant wrote:
> Hallvard B Furuseth wrote:
> > Right, Relay doesn't support slapadd. But you can use ldapadd to add the entries over the protocol.
> > Or you can slapadd to the bdb database. That is, use slapadd -b dc=example,dc=com and use entries ending with dc=example,dc=com.
>
> I tried to add a base entry like:
>
>     ldapadd -xD uid=easypush,ou=public,dc=play,dc=com -w test
>     dn: dc=play,dc=com
>     o: play
>     dc: play
>     objectClass: top
>     objectClass: organization
>     objectClass: dcObject
>
> It gives me an error like:
>
>     adding new entry "dc=play,dc=com"
>     ldap_add: No such object (32)
>
> This is the configuration of the relay database:
>
>     moduleload /usr/lib/ldap/back_relay.so
>     database relay
>     suffix "dc=play,dc=com"
>     relay "dc=example,dc=com"
>     rootdn "uid=test,ou=public,dc=play,dc=com"
>     rootpw test
>
>     access to dn.subtree="dc=play,dc=com"
>         by dn="uid=test,ou=public,dc=play,dc=com" write
>         by self write
>         by users read
You need to first create every parent entry, starting with the entry for the suffix (dc=play,dc=com), before you can create its children. There is no equivalent of 'mkdir -p' ...
So, you need to create dc=play,dc=com, then ou=public,dc=play,dc=com, then the entry above.
Regards, Buchan
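Buchan's point above (no "mkdir -p": every parent must exist before its child can be added) is mechanical enough to script. The following is an added example, not from the thread or from OpenLDAP: given the DN you want to add, the database suffix and the set of DNs that already exist, it lists the missing parents top-down, starting at the suffix, and builds a minimal LDIF entry for each. The existing-entry set and the objectClass templates (organization + dcObject for dc=, organizationalUnit for ou=, the shapes used in this thread) are constructed for the example; in practice you would discover what exists with ldapsearch.

```python
# Added example: compute and emit the parent entries ldapadd needs to see
# before a leaf DN can be created. Assumes the DN is under the given suffix.


def split_dn(dn):
    """Split a DN into RDN strings on unescaped commas (no other unescaping)."""
    parts, buf, esc = [], "", False
    for ch in dn:
        if esc:
            buf += ch
            esc = False
        elif ch == "\\":
            buf += ch
            esc = True
        elif ch == ",":
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def missing_parents(dn, suffix, existing):
    """Return the DNs (suffix first) that must be added before `dn` can be.

    Stops at `suffix`: entries above the database suffix live elsewhere.
    `existing` is the set of DNs already present (compared case-insensitively).
    """
    rdns = split_dn(dn)
    suffix_rdns = split_dn(suffix)
    if [r.lower() for r in rdns[-len(suffix_rdns):]] != [r.lower() for r in suffix_rdns]:
        raise ValueError(f"{dn} is not under suffix {suffix}")
    have = {d.lower() for d in existing}
    chain = []
    # Walk from the suffix down to the immediate parent of `dn`.
    for i in range(len(rdns) - len(suffix_rdns), 0, -1):
        parent = ",".join(rdns[i:])
        if parent.lower() not in have:
            chain.append(parent)
    return chain


def entry_ldif(dn):
    """Build a minimal LDIF entry for a structural parent, chosen by RDN attribute.
    Templates are an assumption: dc= gets organization+dcObject as in the
    thread, ou= gets organizationalUnit."""
    rdn = split_dn(dn)[0]
    attr, _, value = rdn.partition("=")
    attr = attr.lower()
    if attr == "dc":
        lines = ["objectClass: top", "objectClass: organization",
                 "objectClass: dcObject", f"o: {value}", f"dc: {value}"]
    elif attr == "ou":
        lines = ["objectClass: top", "objectClass: organizationalUnit", f"ou: {value}"]
    else:
        raise ValueError(f"no template for parent RDN attribute {attr!r}")
    return "\n".join([f"dn: {dn}", *lines]) + "\n"


def parent_ldif(dn, suffix, existing):
    """LDIF for every missing parent, in the order ldapadd must see them."""
    return "\n".join(entry_ldif(p) for p in missing_parents(dn, suffix, existing))


if __name__ == "__main__":
    # The DN from the thread, with nothing under dc=play,dc=com yet.
    target = "uid=easypush,ou=public,dc=play,dc=com"
    print(parent_ldif(target, "dc=play,dc=com", existing=set()))
    # Save the output and feed it to ldapadd, e.g.:
    #   ldapadd -x -D <rootdn> -W -f parents.ldif
```

The suffix you pass decides where the chain stops: with `dc=play,dc=com` the first entry emitted is the base entry itself; to add the same structure under the bdb suffix instead, pass `dc=example,dc=com` and a DN ending in it.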
Buchan Milne wrote:
> On Wednesday 03 June 2009 13:13:34 Venish Khant wrote:
> > This is the configuration of the relay database:
> >
> >     moduleload /usr/lib/ldap/back_relay.so
> >     database relay
> >     suffix "dc=play,dc=com"
> >     relay "dc=example,dc=com"
> >     rootdn "uid=test,ou=public,dc=play,dc=com"
> >     rootpw test
> >
> >     access to dn.subtree="dc=play,dc=com"
> >         by dn="uid=test,ou=public,dc=play,dc=com" write
> >         by self write
> >         by users read
>
> You need to first create every parent entry, starting with the entry for the suffix (dc=play,dc=com), before you can create its children. There is no equivalent of 'mkdir -p' ...
>
> So, you need to create dc=play,dc=com, then ou=public,dc=play,dc=com, then the entry above.
>
> Regards, Buchan
I am trying to create the parent entry dc=play,dc=com using the rootdn of the 'relay database'. I have one more 'bdb database', which has the parent entry dc=example,dc=com.
When I try to add the parent (base) entry using these rootdns it gives me errors of this kind:

This is my 'bdb database' rootdn:

    ldapadd -xD uid=test,ou=people,dc=example,dc=com -w test
    dn: dc=play,dc=com
    o: play
    dc: play
    objectClass: top
    objectClass: organization
    objectClass: dcObject

    adding new entry "dc=play,dc=com"
    ldap_add: Naming violation (64)
            additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry

This is my 'relay database' rootdn:

    ldapadd -xD uid=test,ou=public,dc=play,dc=com -w test
    dn: dc=play,dc=com
    o: play
    dc: play
    objectClass: top
    objectClass: organization
    objectClass: dcObject

    adding new entry "dc=play,dc=com"
    ldap_add: No such object (32)
On Thursday 04 June 2009 06:42:50 Venish Khant wrote:
> Buchan Milne wrote:
> > On Wednesday 03 June 2009 13:13:34 Venish Khant wrote:
> > > This is the configuration of the relay database:
> > >
> > >     moduleload /usr/lib/ldap/back_relay.so
> > >     database relay
> > >     suffix "dc=play,dc=com"
> > >     relay "dc=example,dc=com"
> > >     rootdn "uid=test,ou=public,dc=play,dc=com"
> > >     rootpw test
> > >
> > >     access to dn.subtree="dc=play,dc=com"
> > >         by dn="uid=test,ou=public,dc=play,dc=com" write
> > >         by self write
> > >         by users read
> >
> > You need to first create every parent entry, starting with the entry for the suffix (dc=play,dc=com), before you can create its children. There is no equivalent of 'mkdir -p' ...
> >
> > So, you need to create dc=play,dc=com, then ou=public,dc=play,dc=com, then the entry above.
> >
> > Regards, Buchan
>
> I am trying to create the parent entry dc=play,dc=com using the rootdn of the 'relay database'. I have one more 'bdb database', which has the parent entry dc=example,dc=com.
> When I try to add the parent (base) entry using these rootdns it gives me errors of this kind:
>
> This is my 'bdb database' rootdn:
>
>     ldapadd -xD uid=test,ou=people,dc=example,dc=com -w test
>     dn: dc=play,dc=com
>     o: play
>     dc: play
>     objectClass: top
>     objectClass: organization
>     objectClass: dcObject
>
>     adding new entry "dc=play,dc=com"
>     ldap_add: Naming violation (64)
>             additional info: value of single-valued naming attribute 'dc' conflicts with value present in entry
>
> This is my 'relay database' rootdn:
>
>     ldapadd -xD uid=test,ou=public,dc=play,dc=com -w test
>     dn: dc=play,dc=com
>     o: play
>     dc: play
>     objectClass: top
>     objectClass: organization
>     objectClass: dcObject
>
>     adding new entry "dc=play,dc=com"
>     ldap_add: No such object (32)
You should probably start by creating the dc=example,dc=com entry first, after that you should be able to populate entries under dc=play,dc=com (assuming your ACLs are working and your relay is working correctly).
Regards, Buchan
Buchan Milne wrote:
> You should probably start by creating the dc=example,dc=com entry first, after that you should be able to populate entries under dc=play,dc=com (assuming your ACLs are working and your relay is working correctly).
>
> Regards, Buchan
dc=example,dc=com is my old database, which has many entries. I tried to add entries to the relay database but it is still not working.
My relay rwm is not working. When I run slapd it does not give me any kind of error, but when I search using email it gives me an error like:

    ldapsearch -xD "mail=test@eaxmple.com" -w admin -b dc=example,dc=com
    ldap_bind: Invalid credentials (49)
This is my overlay rwm configuration:

    moduleload /usr/lib/ldap/rwm.so
    overlay rwm
    rwm-rewriteEngine on
    rwm-suffixmassage "dc=example,dc=com"

    rwm-rewriteMap ldap mail2uid ldap://localhost/example.com?uid?sub
    rwm-rewriteMap ldap uid2mail ldap://localhost/ou=public,dc=example,dc=com?mail?sub

    rwm-rewriteContext default
    rwm-rewriteRule "^(.+,)?(mail=[^,]+),.example.com$" "$1uid=${mail2uid($2)},ou=public,dc=example,dc=com" ":@I"
    rwm-rewriteRule "^(.+,)?dc=play,dc=com$" "$1dc=example,dc=com" ":@I"

    rwm-rewriteContext searchEntryDN
    rwm-rewriteRule "^(.+,)?(uid=[^,]+),ou=public,dc=example,dc=com$" "$1mail=${uid2mail($2)},mail.com" ":@I"
    rwm-rewriteRule "^(.+,)?dc=example,dc=com$" "$1dc=play,dc=com" ":@I"
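Before chasing "Invalid credentials" through slapd, it helps to know which DN shapes the rewrite rules above match at all. The following is an added example, not from the thread or from OpenLDAP: a minimal Python model of how an rwm-rewriteRule expands its substitution, run against the patterns and substitutions posted above. The pattern is matched as an extended regex (Python's `re` reads these patterns the same way), `$N` is replaced by capture group N and `${map($N)}` by a lookup of that group in the named map. The two maps are constructed tables standing in for the `ldap://` map lookups, keyed by the captured text exactly as the rules pass it; the `@` flag on every posted rule, as I read slapo-rwm(5), stops rewriting after a rule matches, so the model applies only the first matching rule, and a failed map lookup (the case the `I` flag tells rwm to ignore) is reported rather than modelled. This is not the slapd rewrite engine.

```python
# Added example: model of rwm-rewriteRule expansion, applied to the posted rules.
import re

# Constructed stand-ins for the two ldap:// rewrite maps. The argument a rule
# passes to a map is the captured text itself, so with the posted rules the
# key is the whole "mail=..." / "uid=..." RDN, not just the value.
MAPS = {
    "mail2uid": {"mail=test@example.com": "test"},
    "uid2mail": {"uid=test": "test@example.com"},
}

# Patterns and substitutions copied from the posted "default" and
# "searchEntryDN" contexts, in order.
DEFAULT_RULES = [
    (r"^(.+,)?(mail=[^,]+),.example.com$",
     "$1uid=${mail2uid($2)},ou=public,dc=example,dc=com"),
    (r"^(.+,)?dc=play,dc=com$", "$1dc=example,dc=com"),
]
SEARCH_ENTRY_DN_RULES = [
    (r"^(.+,)?(uid=[^,]+),ou=public,dc=example,dc=com$",
     "$1mail=${uid2mail($2)},mail.com"),
    (r"^(.+,)?dc=example,dc=com$", "$1dc=play,dc=com"),
]

_MAP_REF = re.compile(r"\$\{(\w+)\(\$(\d+)\)\}")   # ${name($N)}
_GROUP_REF = re.compile(r"\$(\d+)")               # $N


def expand(subst, match):
    """Expand ${map($N)} and then $N references; an unmatched optional group
    expands to the empty string. Raises LookupError on a missing map entry."""
    def group(n):
        return match.group(int(n)) or ""

    def map_ref(m):
        name, key = m.group(1), group(m.group(2))
        if key not in MAPS[name]:
            raise LookupError(f"map {name} has no entry for {key!r}")
        return MAPS[name][key]

    return _GROUP_REF.sub(lambda m: group(m.group(1)), _MAP_REF.sub(map_ref, subst))


def rewrite(dn, rules):
    """Apply the first rule whose pattern matches `dn`.

    Returns (rewritten_dn, rule_index); (dn, None) if nothing matched, and
    (None, rule_index) if a rule matched but its map lookup failed.
    """
    for i, (pattern, subst) in enumerate(rules):
        m = re.match(pattern, dn)
        if m is None:
            continue
        try:
            return expand(subst, m), i
        except LookupError:
            return None, i
    return dn, None


if __name__ == "__main__":
    samples = [
        ("default", "mail=test@example.com", DEFAULT_RULES),
        ("default", "mail=test@example.com,xexample.com", DEFAULT_RULES),
        ("default", "uid=test,ou=people,dc=play,dc=com", DEFAULT_RULES),
        ("searchEntryDN", "uid=test,ou=public,dc=example,dc=com", SEARCH_ENTRY_DN_RULES),
        ("searchEntryDN", "uid=bob,ou=public,dc=example,dc=com", SEARCH_ENTRY_DN_RULES),
    ]
    for ctx, dn, rules in samples:
        out, idx = rewrite(dn, rules)
        print(f"{ctx:14} {dn:45} -> rule {idx}: {out}")
```

The first sample is worth looking at: the posted mail pattern requires a comma, one arbitrary character and the literal `example.com` after the `mail=` RDN, so a bare `mail=user@example.com` bind DN falls through both rules untouched, while the dc=play to dc=example suffix rule and the reverse searchEntryDN rules expand as written.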
Hello, how can I use a non-plaintext password with chain-idassert-bind?
For example, not "secret" but an {SSHA}4CJU/1LXN0OoFA5QX9Rri password.

    overlay chain
    chain-rebind-as-user FALSE
    chain-uri ldap://ldap-v000/
    chain-rebind-as-user TRUE
    chain-idassert-bind bindmethod=simple
        binddn="cn=Manager,dc=agriculture,dc=gouv,dc=fr"
        credentials="secret"
        mode=self
    chain-return-error TRUE

Regards
openldap-technical@openldap.org