I'm having problems with finding a specific entry in LDAP tree, given a filter defined on a custom attribute.
I.e. (search by samaccountname=jpa)
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=jpa" does not work (returns no result)
whereas (search sn=jpa):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "sn=jpa" works
even (check for existence of samaccountname):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=*" works
Any ideas what can be wrong here? My intention is to find the given user using sub (samaccountname=jpa) filter
My config is (using osixia/openldap docker image):
schema:
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
objectclass ( 2.5.6.30 NAME 'extendedUser'
SUP person
STRUCTURAL
MUST ( sAMAccountName ) )
ACL's:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to * by * read
LDIF:
DN: OU=My Users,DC=my,DC=com
OU: My Users
objectClass: organizationalUnit
DN: CN=jpa,OU=My Users,DC=my,DC=com
CN: jpa
sn: jpa
sAMAccountName: jpa
objectClass: extendedUser
userPassword: xxx
You need to define an EQUALITY on your attribute. LDAP doesn't currently know how to perform the search on that attribute.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SINGLE-VALUE
USAGE userApplications )
OpenLDAP Schema Specification
Related
I'm trying to set ACL for Manager user by I understand where is my syntax error.
Is it correct to modify the "olcDatabase={2}hdb" file??
My Terminal command:
ldapmodify -a -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
And this is the error:
ldapmodify: invalid format (line 5) entry: "olcDatabase={2}hdb"
acl.ldif:
dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{2} to attrs=loginShell by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self read by anonymous none by users none to attrs=uid,sn,homeDirectory by self write
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c9c7626
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 05c622d2-9007-1039-808a-1106615e0d2d
creatorsName: cn=config
createTimestamp: 20191031084858Z
olcRootPW:: e1NTSEF9QXNRTGdiYjZ0RTltMjMwbHdFcW5VeE5ETzNxcE1qSXE=
olcSuffix: dc=gruppo6,dc=labreti,dc=it
olcRootDN: cn=Manager,dc=gruppo6,dc=labreti,dc=it
entryCSN: 20191031122732.077139Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20191031122732Z
Thanks for every help guys
There are 2 issues :
You are trying to modify olcDatabase={2}hdb using the wrong dn in acl.ldif, this entry should be in the subtree of cn=config. You can grab the target olcDatabase using this command :
slapcat -n 0 -a olcDatabase=hdb
# Output
dn: olcDatabase={2}hdb,cn=config
...
Since you are modifying an existing entry, you don't need the -a flag (ldapadd) in ldapmodify command :
ldapmodify -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
If your ldap manager precisely cannot modify this config entry due to insufficient permissions (reading from this directive to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage), you can still use external binding (unix user) to perform that kind of operation :
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
I have the following entry in LDAP directory:
dn: ou=Users,dc=itau,dc=co
objectClass: organizationalUnit
ou: Users
Unfortunately, I forgot to add the gid attribute. Because of this, I had created the following LDIF file called "modify.ldif":
dn: ou=Users,dc=itau,dc=co
changetype: modify
add: gid
gid: 20000
But when I run the command
ldapmodify -x -D "cn=admin,dc=itau,dc=co" -w <PASSWORD> -H ldap:// -f modify.ldif
I get the error:
ldap_modify: Undefined attribute type (17)
additional info: gid: attribute type undefined
It's important to say that I had checked for blank spaces at the end of each line, but this error didn't desappear.
Why I'm getting this error?.
Thank you.
I'm trying to add 'mail' attribute to users on my openldap server but somehow it fails.
I tried using ldapmodify but I get this:
ldap_modify: Object class violation (65)
additional info: attribute 'mail' not allowed
Here's how my schema looks like:
# LDIF Export for ou=users,dc=mydomain,dc=com
# Server: (ldap.mydomain.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 63
version: 1
# Entry 1: ou=users,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 2: uid=tom.hanks,ou=users,dc=mydomain,dc=com
dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005
userpassword: blahblah
Include objectclass: iNetOrgPerson to add the mail attribute.
In order to give the user the Attribute mail you first have to add the mail attribute to the user's olcObjectClasses.
This can be done by a modification via an ldif like this:
dn: cn={12345}someName,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {1}
-
add: olcObjectClasses
olcObjectClasses: {1}( 1.3.6.1.4.1.12344556.1.1.1 NAME 'yourObjectClassEGAccount' DESC 'some description' SUP inetOrgPerson STRUCTURAL MUST ( requiredparam1 $ requiredParam2 $ reqParam3 ) MAY ( optionalParam1 $ optionalParam2 ) ) )
-
See the documentation for ldapmodify for details: Oracle ldapmodify Doc
The modification is then given to ldap via the following command (command line):
sudo ldapmodify -f filename.ldif
make sure to read the documentation on whether you need further parameters like eg. -h for hostname or -Y for a proxyDN: lmodify Doc
I have some user within a uid within uniquemember.
How to create a show that only the ldapsearch uid?
If today I run the command below, the Results is the entire contents of uniquemember and I just want to return the uid:
ldapsearch -x -h serverldap.com -p 389 -D uid=pdi00usr,ou=bind,ou=users,ou=access,o=com,c=br -W -b o=com,c=br -s sub "(&(uniqueMember=F)(cn=pdi*))"
# pdiasc01, pdi, aplic, groups, access, com, br
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Administrator
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
# pdiapf02, pdi, aplicacao, grupos, acesso, bb, br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Aprover
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br
i need a resulta like this:
uid=f3799300
uid=f6802561
You've got two options as far as I can see.
First would be to simply pipe your output through grep and do some sed (or awk) magic to remove everything after the first comma or
Second use the returned uid for a second query for the entry with the dn returned by uid and query for the uid of that object (which should be what you are looking for)
I'm confused! :)
I've got a dynamic group in OpenLDAP:
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
When I search for it, it gets expanded (the dynlist module is set up correctly):
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain
Brilliant. Exactly what I'd expect.
However, if I search on it by member I get nothing!
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
But, no cn: DynamicGroup ! :(
Nothing! :(
Does anyone have an hint for me as to why that might not be working?
Update:
I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:
dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I
dentifies an URL associated with each member of a group. Any type of labeled
URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use
when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza
tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a
uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S
TRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $
o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY
( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z
It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:
root#auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
Update: using an auto group it now works:
dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf
The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html
You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.