LDAP multiple structural objectclasses - ldap

I am quite new in administering LDAP, but I have come quite far...
On my OpenLDAP server I am using phpLDAPadmin to do the following:
I have an entry with a structural objectclass account because I need the attribute host.
Now I want to add the attribute mail to this entry, but this does not appear in the list when selecting Add new attribute.
So I thought I could add the objectClass inetOrgPerson which has the attribute mail but this objectClass is not in the list of classes I can add to this entry; only non-structural classes are listed...
How can I add this attribute mail to a an entry with the structural class account ?
This is the current ldif for this user (with some parts changed/removed for privacy)
# Entry 1: cn=intrixius,ou=Admins,ou=Managed,dc=bla,dc=eu
dn: cn=intrixius,ou=Admins,ou=Managed,dc=bla,dc=eu
cn: intrixius
gecos: intrixius
gidnumber: 500
homedirectory: /home/intrixius
host: host1
host: host2
loginshell: /bin/bash
objectclass: top
objectclass: account
objectclass: posixAccount
objectclass: shadowAccount
objectclass: ldapPublicKey
sshpublickey: ssh-rsa ... intrixius#arch
uid: intrixius
uidnumber: 16859
userpassword: {CRYPT}$6$X...

You can't have multiple STRUCTURAL object classes unless they form a single inheritance hierarchy.

If you can modify the schema of your LDAP server, you could create a new auxiliary class with the attribute 'mail' and assign it to your account. Some implementations also support the 'extensibleObject' auxiliary class that allows adding all attributes that are defined in the schema.
A good overview about class types etc. can be found here

Related

Adding initial entries in openldap returns- ldap_add: No such object (32)

I'm trying to add two entries in ldap just below one another. But it's not letting me add. Error-
adding new entry "dc=R2D2"
ldap_add: No such object (32)
additional info: Unable to add entry 'dc=R2D2' because its parent entry 'null' does not exist in the server.
This is a new openLDAP server running on a Feora29. I've tried many modifications to my ldif file but it's still not working.
The LDAP expected structure:
dc=R2D2 -> o=TD
I have added objectClass: country on line 4 because it said:
adding new entry "dc=R2D2"
ldap_add: Object class violation (65)
additional info: Unable to add entry 'dc=R2D2' because it violates the provided schema: The entry does not have a structural object class.
This is the ldif i'm trying to add via ldapadd
dn: dc=R2D2
dc: R2D2
objectClass: dcObject
objectClass: country
objectClass: top
c=DE
dn: o=TD,dc=R2D2
o: TD
objectClass: organization
objectClass: top
The LDAP result code noSuchObject (32) returned for a failed add operation means that the parent entry was not found.
If dc=R2D2 is really the full DN of the entry to be added, then you have to define a database with this particular DN used as database suffix.
For static OpenLDAP config method this would look like:
[..]
database mdb
suffix dc=R2D2
[..]
See also: OpenLDAP Software 2.4 Administrator's Guide
I guess this is because your ldif has an unnecessary space character at line 4 (after "country" like "country ").
I have been able to successfully execute ldapadd command with the following ldif that has no unnecessary space character after "country":
dn: dc=R2D2
dc: R2D2
objectClass: dcObject
objectClass: country
objectClass: top
c: DE
dn: o=TD,dc=R2D2
o: TD
objectClass: organization
objectClass: top

Error on operational attribute creation in OpenLDAP

Actually, in my LDAP, I have a groups ou populated with groupOfNames objects and a roles ou populated with groupOfMembers objects.
I also configured the memberOf overlay to retrieve the groupOfMembers (ie roles) the user belong to in the memberof attribute.
My goal is to have also an attribute memberOfGroup with the list of groupOfNames (ie groups) the user belong to.
In order to do that I created an new schema with Attribute Type definition for memberOfGroup attribute :
cn={14}memberOfGroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {14}memberOfGroup
olcAttributeTypes: {0}( 1.3.6.1.4.1.51127.3.2.2.3
NAME 'memberOfGroup'
DESC 'The groups the user belong to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
The problem I have is that when I try to set it as operational attribute is :
# ldapmodify -Y EXTERNAL -H ldapi:/// -f test.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "cn={14}memberOfGroup,cn=schema,cn=config"
ldap_modify: Other (e.g., implementation specific) error (80)
additional info: olcAttributeTypes: "1.3.6.1.4.1.51127.3.2.2.3" is operational
With test.ldif :
dn: cn={14}memberOfGroup,cn=schema,cn=config
changetype: modify
replace: olcAttributeTypes
olcAttributeTypes: ( 1.3.6.1.4.1.51127.3.2.2.3
NAME 'memberOfGroup'
DESC 'The groups the user belong to'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 NO-USER-MODIFICATION
USAGE DSAOperation )
In parallel, I also defined the second memberOf overlay.
The first for roles (work) :
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfMembers
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
The second for groups (not work) :
dn: olcOverlay={1}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOfGroup
Can someone explain me what is wrong with the creation of operational attribute and the error I have ?
In ldif you have USAGE DSAOperation
Operational attributes can be used only by the directory itself, and can't be added or modified by a user. OpenLDAP module memberof creates it automatically when a user is added to some group(and also removes when user is removed).
If you want some custom attribute for group membership tracking, then you can create a simple attribute(not operational), but in this case ldap server won't update users' membership automatically.

How to create LDAP aliases in Openldap and Phpldapadmin?

I am trying to do this example with an email field :
https://coderwall.com/p/c0w6-q/create-ldap-aliases-in-openldap
This is the .ldif that should create both :
# this is the user
dn: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
objectclass: top
objectClass: extensibleObject
objectclass: posixAccount
objectclass: inetOrgPerson
cn: Alexander Fake
employeetype: developer
gecos: Alexander Fake
gidnumber: 14564103
homedirectory: /home/aka
loginshell: /bin/bash
mail: alexander.fake#domain.com
sn: Fake
uid: aka
uidnumber: 14583105
userpassword: {SSHA}SgmdndrPR5UVLOAmDs5JOJvqr3WmPYob
# this is the alias
dn: mail=alexander.Fake#domain.com,dc=mailAccount,dc=domain.com,dc=mail,dc=domain,dc=com
changetype: add
objectClass: alias
objectClass: top
objectClass: extensibleObject
objectclass: inetOrgPerson
uid: aka
aliasedObjectName: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
I can only import/export ldif, I use phpldapadmin for administration.
When the aliases is craeted it produce the following error :
This update has been or will be cancelled, it would result in an attribute value not being unique. You might like to search the LDAP server for the offending entry.
Does anyone know how to create aliases on openldap and phpldapadmin ?
This is basically correct. Just:
Remove the uid=aka attribute from the aliasedObject. It doesn't need it. It refers to another object which has that UID value.
Also remove inetOrgPerson from the alias. It isn't a person, it's an alias for a person.
The objectClass attribute only needs to contain top and alias; and extensibleObject so you can provide a cn or whatever attribute you like as part of the DN, if you want to do that: it doesn't seem to be necessary judging by my DIT.
Poor quality source material. Don't rely on arbitrary Internet junk. Use the official documentation.

How can I add memberof attribute to ldap user via phpldapadmin

I am using openldap to create a simple user and simple group.
dn: cn=User2 Engineer,ou=users,dc=example,dc=net
cn: User2 Engineer
gidnumber: 501
givenname: User2
homedirectory: /home/users/u2engineer
loginshell: /bin/sh
objectclass: inetOrgPerson
objectclass: posixAccount
objectclass: top
sn: Engineer
uid: u2engineer
uidnumber: 1002
userpassword: {MD5}xxxxxxx
# Entry 1: cn=network engineers,ou=groups,dc=example,dc=net
dn: cn=network engineers,ou=groups,dc=example,dc=net
cn: network engineers
gidnumber: 501
memberuid: user1ene
memberuid: u2engineer
objectclass: posixGroup
objectclass: top
I would like to relate the user to the group by adding memberof attribute to user entry.
it mean i need to add groupOfNames objectclass to user, groupOfNames is in core.schema
but it can add that objectclass to user neither via phpldapadmin nor ldapmodify.
i got error:
LDAP said: Object class violation
Error number: 0x41 (LDAP_OBJECT_CLASS_VIOLATION)
I am sure that core.schema has been imported to openldap successfully.
What is the possible cause?
How can I add memberof attribute to users?
Thanks!
-SG-
You can't. The memberOf attribute is an operational attribute maintained automatically by the memberof overlay. You can't set it yourself.
Adding the groupOfNames object class to the user entry doesn't make sense either. That object class is for, err, groups of names, such as roles, and it has a member attribute to which you add the DN of the user. Then the memberOf attribute of the user is automatically updated to include the DN of the group.
You're doing this all back to front.

OpenLdap cannot use inetOrgPerson and residentialPerson together

Is it possible to use inetOrgPerson and residentialPerson together?
I have the following entry to add to ldap
dn: mail=james#email.com,ou=development,dc=company,dc=com
objectclass: inetOrgPerson
objectclass: residentialPerson
cn: James Lin
sn: Lin
l: the address
mail: james#email.com
in slapd.conf I have included the following schemas
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
when I try to add the entry via slapadd, I get the following error
additional info: invalid structural object class chain (residentialPerson/inetOrgPerson)
It's not possible to have both classes because they are both STRUCTURAL and neither inherits from the other. This is akin to 'class' in Java where multiple inheritance is also disallowed. You could have them both if either or both were AUXILIARY, which is akin to a Java interface.
Found this FAQ and it's not possible to have both classes because they are structurally different, so I have to choose one, which I think inetOrgPerson is a better option.