I'm trying to set an ACL for the Manager user, but I don't understand where my syntax error is.
Is it correct to modify the "olcDatabase={2}hdb" file?
My Terminal command:
ldapmodify -a -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
And this is the error:
ldapmodify: invalid format (line 5) entry: "olcDatabase={2}hdb"
acl.ldif:
dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{2} to attrs=loginShell by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self read by anonymous none by users none to attrs=uid,sn,homeDirectory by self write
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c9c7626
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 05c622d2-9007-1039-808a-1106615e0d2d
creatorsName: cn=config
createTimestamp: 20191031084858Z
olcRootPW:: e1NTSEF9QXNRTGdiYjZ0RTltMjMwbHdFcW5VeE5ETzNxcE1qSXE=
olcSuffix: dc=gruppo6,dc=labreti,dc=it
olcRootDN: cn=Manager,dc=gruppo6,dc=labreti,dc=it
entryCSN: 20191031122732.077139Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20191031122732Z
Thanks for any help, guys.
There are 2 issues:
You are trying to modify olcDatabase={2}hdb using the wrong dn in acl.ldif; this entry should be in the subtree of cn=config. You can grab the target olcDatabase using this command:
slapcat -n 0 -a olcDatabase=hdb
# Output
dn: olcDatabase={2}hdb,cn=config
...
Since you are modifying an existing entry, you don't need the -a flag (ldapadd) in the ldapmodify command:
ldapmodify -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
If your LDAP Manager user cannot modify this config entry due to insufficient permissions (reading from this directive: to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage), you can still use external binding (unix user) to perform that kind of operation:
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
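A minimal LDIF check written for this answer (an added example, not the answerer's code) that reproduces both findings on a constructed, abridged copy of the question's acl.ldif: ldapmodify's "invalid format" on the bare "{1} to ..." line, which lacks its olcAccess: prefix, and the DN that is missing ",cn=config"; fix_acl_ldif emits the corrected record.

```python
import re

# Constructed, abridged copy of the question's acl.ldif (not the poster's file on disk):
# line 5 is the bare "{1} to ..." value that ldapmodify reports as invalid format.
BROKEN_ACL_LDIF = """dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
"""

# RFC 2849: a value line starts with an attribute description followed by ":" ("::" / ":<" for base64/URL).
ATTR_LINE = re.compile(r"^[A-Za-z][\w.;-]*:")
# An ordered olcAccess value that lost its "olcAccess:" prefix, as in the question.
BARE_ACL_VALUE = re.compile(r"^\{\d+\}\s*to\s")

def lint_ldif(text):
    """Return [(line_no, message)] for lines ldapmodify rejects as 'invalid format'
    and for olcDatabase DNs that are not anchored under cn=config."""
    problems = []
    for no, line in enumerate(text.splitlines(), start=1):
        if not line or line[0] in "# " or line == "-":
            continue  # blank, comment, folded continuation, or change separator
        if not ATTR_LINE.match(line):
            problems.append((no, "invalid format: expected 'attr: value'"))
            continue
        name, _, value = line.partition(":")
        value = value.strip().lower()
        if (name.lower() == "dn" and value.startswith("olcdatabase=")
                and not value.endswith(",cn=config")):
            problems.append((no, "config entry DN must end in ',cn=config'"))
    return problems

def fix_acl_ldif(text):
    """Give bare '{n} to ...' lines their 'olcAccess: ' prefix and move the DN under cn=config."""
    fixed = []
    for line in text.splitlines():
        if BARE_ACL_VALUE.match(line):
            line = "olcAccess: " + line
        elif line.lower().startswith("dn: olcdatabase=") and not line.lower().endswith(",cn=config"):
            line += ",cn=config"
        fixed.append(line)
    return "\n".join(fixed) + "\n"

if __name__ == "__main__":
    for no, msg in lint_ldif(BROKEN_ACL_LDIF):
        print("line %d: %s" % (no, msg))
    print(fix_acl_ldif(BROKEN_ACL_LDIF))
```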
I created an OpenLDAP server on Ubuntu 22.04 and created users, but forgot to add them to an organizational unit (ou). How can I associate them all with an ou now?
The actual server looks like this:
dn=company
  ou=Users
  uid=user1
  uid=user2
  uid=user3
  ...
What I would like is:
dn=company
  ou=Users
    uid=user1
    uid=user2
    uid=user3
    ...
Concretely, I would like to go from this:
uid=user1,dc=example,dc=fr
to this:
uid=user1,ou=Users,dc=example,dc=fr
Adding an ou attribute to the entry is one thing, moving the entry in the DIT is another thing. For the latter, you need to use the newsuperior directive.
Using ldapmodify -f with changetype: (modrdn|moddn):
dn: uid=user1,dc=example,dc=fr
changetype: modrdn
# rdn unchanged
newrdn: uid=user1
# remove the old rdn value from the entry (a no-op here, since the rdn is unchanged)
deleteoldrdn: 1
# new parent: moves the entry into the Users hierarchy, within the same suffix
newsuperior: ou=Users,dc=example,dc=fr
Using ldapmodrdn -r -s <newsuperior> <dn> <newrdn>:
ldapmodrdn -r -s "ou=Users,dc=example,dc=fr" "uid=user1,dc=example,dc=fr" "uid=user1"
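Added example (not the answer's own code): it generates the modrdn records for a whole batch of users and refuses a newsuperior that leaves the entry's suffix, since a moddn cannot cross databases. The suffix dc=example,dc=fr and the user DNs are constructed sample values.

```python
def split_dn(dn):
    """Split a DN on unescaped commas into its RDN components (escapes such as '\\,' are kept)."""
    parts, current, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current += dn[i:i + 2]      # copy the escape pair untouched
            i += 2
            continue
        if ch == ",":
            parts.append(current.strip())
            current = ""
        else:
            current += ch
        i += 1
    parts.append(current.strip())
    return parts

def under(dn, suffix):
    """True if dn equals suffix or lies beneath it (component-wise, case-insensitive)."""
    d = [p.lower() for p in split_dn(dn)]
    s = [p.lower() for p in split_dn(suffix)]
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def modrdn_record(dn, new_superior, suffix):
    """LDIF change record moving dn under new_superior with its RDN unchanged."""
    if not (under(dn, suffix) and under(new_superior, suffix)):
        raise ValueError("moddn cannot cross the database suffix " + suffix)
    rdn = split_dn(dn)[0]
    return "\n".join([
        "dn: " + dn,
        "changetype: modrdn",
        "newrdn: " + rdn,
        "deleteoldrdn: 1",          # harmless here: the RDN value does not change
        "newsuperior: " + new_superior,
        "",                         # blank line terminates the record
    ])

def batch_move(dns, new_superior, suffix):
    """One LDIF with a record per entry, ready for ldapmodify -f."""
    return "\n".join(modrdn_record(dn, new_superior, suffix) for dn in dns)

# Constructed sample: the three users from the question, still directly under the suffix.
SUFFIX = "dc=example,dc=fr"
USERS = ["uid=user%d,%s" % (n, SUFFIX) for n in (1, 2, 3)]

if __name__ == "__main__":
    print(batch_move(USERS, "ou=Users," + SUFFIX, SUFFIX))
```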
Actually I just found an answer on my own.
I simply wrote an LDIF file, modify.ldif:
dn: uid=user1,dc=example,dc=fr
changetype: modify
add: ou
ou: Users
And then ldapmodify -x -D cn=admin,dc=example,dc=fr -W -f ./modify.ldif
I'm having problems finding a specific entry in an LDAP tree, given a filter defined on a custom attribute.
I.e. (search by samaccountname=jpa):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=jpa" does not work (returns no result)
whereas (search sn=jpa):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "sn=jpa" works
even (checking for the existence of samaccountname):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=*" works
Any ideas what can be wrong here? My intention is to find the given user using a sub-scope search with the (samaccountname=jpa) filter.
My config is (using the osixia/openldap docker image):
schema:
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
objectclass ( 2.5.6.30 NAME 'extendedUser'
SUP person
STRUCTURAL
MUST ( sAMAccountName ) )
ACLs:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to * by * read
LDIF:
DN: OU=My Users,DC=my,DC=com
OU: My Users
objectClass: organizationalUnit
DN: CN=jpa,OU=My Users,DC=my,DC=com
CN: jpa
sn: jpa
sAMAccountName: jpa
objectClass: extendedUser
userPassword: xxx
You need to define an EQUALITY on your attribute. LDAP doesn't currently know how to perform the search on that attribute.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SINGLE-VALUE
USAGE userApplications )
OpenLDAP Schema Specification
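Added example (not the answer's code) showing why the presence filter works while the equality filter returns nothing: it parses the attributetype definitions from the question and from the answer, constructed here as strings, and reports which filter kinds the schema lets slapd evaluate. Matching rules inherited through SUP are not resolved.

```python
import re

# Constructed copies of the attribute type from the question (no EQUALITY) and
# from the answer (EQUALITY caseIgnoreMatch added); not the poster's actual schema file.
BROKEN_SCHEMA = """
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    USAGE userApplications )
"""
FIXED_SCHEMA = BROKEN_SCHEMA.replace("SINGLE-VALUE", "EQUALITY caseIgnoreMatch\n    SINGLE-VALUE")

def parse_attribute_types(schema_text):
    """Map each attribute type NAME (lower-cased) to the matching rules its definition declares."""
    types = {}
    for m in re.finditer(r"attributetype\s*\(", schema_text, re.I):
        depth, i = 1, m.end()
        while depth and i < len(schema_text):       # find the matching closing paren
            depth += {"(": 1, ")": -1}.get(schema_text[i], 0)
            i += 1
        body = schema_text[m.end():i - 1]
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", body).group(1)
        rules = {}
        for kw in ("EQUALITY", "SUBSTR", "ORDERING", "SYNTAX"):
            found = re.search(r"\b%s\s+(\S+)" % kw, body)
            rules[kw] = found.group(1) if found else None
        types[name.lower()] = rules
    return types

def filter_support(types, attr):
    """Which filter kinds slapd can evaluate on attr: presence (attr=*) always works;
    equality, substring and ordering each need the corresponding matching rule,
    otherwise the filter is Undefined and matches nothing."""
    rules = types[attr.lower()]
    return {"presence": True,
            "equality": rules["EQUALITY"] is not None,
            "substring": rules["SUBSTR"] is not None,
            "ordering": rules["ORDERING"] is not None}

if __name__ == "__main__":
    for label, schema in (("question", BROKEN_SCHEMA), ("answer", FIXED_SCHEMA)):
        print(label, filter_support(parse_attribute_types(schema), "sAMAccountName"))
```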
I have the following entry in LDAP directory:
dn: ou=Users,dc=itau,dc=co
objectClass: organizationalUnit
ou: Users
Unfortunately, I forgot to add the gid attribute. Because of this, I created the following LDIF file called "modify.ldif":
dn: ou=Users,dc=itau,dc=co
changetype: modify
add: gid
gid: 20000
But when I run the command
ldapmodify -x -D "cn=admin,dc=itau,dc=co" -w <PASSWORD> -H ldap:// -f modify.ldif
I get the error:
ldap_modify: Undefined attribute type (17)
additional info: gid: attribute type undefined
It's important to say that I checked for blank spaces at the end of each line, but this error didn't disappear.
Why am I getting this error?
Thank you.
I'm confused! :)
I've got a dynamic group in OpenLDAP:
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
When I search for it, it gets expanded (the dynlist module is set up correctly):
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain
Brilliant. Exactly what I'd expect.
However, if I search on it by member I get nothing!
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
But, no cn: DynamicGroup ! :(
Nothing! :(
Does anyone have a hint for me as to why that might not be working?
Update:
I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:
dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z
It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:
root#auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
Update: using the autogroup overlay it now works:
dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf
The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html
You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.
I've installed OpenLDAP v2.4.39 on Debian 7. But during setup I have only 2 options for the backend: BDB and HDB.
But I want to use MDB (http://www.openldap.org/doc/admin24/backends.html). AFAIK it is stable. How to choose it as backend?
Thank you!
PS. I can see mentions of hdb in the files below:
/etc/ldap/slapd.d# grep -nr hdb *
cn=config/cn=module{0}.ldif:7:olcModuleLoad: {0}back_hdb
cn=config/olcBackend={0}hdb.ldif:3:dn: olcBackend={0}hdb
cn=config/olcBackend={0}hdb.ldif:5:olcBackend: {0}hdb
cn=config/olcDatabase={1}hdb.ldif:3:dn: olcDatabase={1}hdb
cn=config/olcDatabase={1}hdb.ldif:6:olcDatabase: {1}hdb
But I am not sure if I can edit them.
The module is there, the debconf template is not.
$ ls /usr/lib/ldap/back_mdb*
/usr/lib/ldap/back_mdb-2.4.so.2 /usr/lib/ldap/back_mdb-2.4.so.2.8.3 /usr/lib/ldap/back_mdb.la /usr/lib/ldap/back_mdb.so
To enable it, we need to load the module first.
$ cat someEpicLdif.ldif
# we need to load the mdb module first
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_mdb
# now we configure our mdb backend
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=ldap_is_bananas,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=ldap_is_bananas,dc=org
# use a password hash generated with slappasswd here rather than a cleartext value
olcRootPW: changeme
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbEnvFlags: writemap
olcDBNoSync: TRUE
olcAccess: to attrs=userPassword by dn="cn=admin,dc=ldap_is_bananas,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=ldap_is_bananas,dc=org" write by * read
Please don't copy and paste; read man slapd-mdb and man slapd-config for the configuration options and supply your own.
Then add the new backend using ldapadd, if you're using SASL binds...
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f someEpicLdif.ldif
In Debian, the MDB backend has been enabled since slapd 2.4.39, which is available since Debian jessie (the code-name for the current testing distro).
Assuming that you are using Debian/stable (aka wheezy), the answer is simple:
your version of slapd has been built without mdb support, so you cannot use it.
If you are using slapd > 2.4.39 (which seems to be the case according to your comment), you must configure the backend manually (as there is no debconf template yet that supports MDB).
Check out man slapd-mdb.