Unable to create partition in LDAP ApacheDS - ldap

I'm newbie on LDAP and I'd like to create my first schema using an LDIF file. Here is the first part of the LDIF file:
dn: dc=demo,dc=com
objectclass: top
objectclass: domain
dc: demo
dn: ou=Users,dc=demo,dc=com
objectClass: organizationalUnit
objectClass: top
ou: Users
description: demo.Com Users
dn: uid=bob,ou=Users,dc=demo,dc=com
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
cn: User Test
sn: Test
displayName: User Test
givenName: User
mail: bob#demo.com
ou: Users
uid: bob
userPassword:: e1NTSEF9MGhuUjhnWkFNZFpKVUNwZXFwcFEzeUQ2YkJNOTVQUVo4WU9JSUE9P
Q==
Even if the LDIF declares the top domain "demo.com" the following error is raised:
"Entry
dn[n]: dc=demo,dc=com
objectclass: top
objectclass: domain
dc: demo : ERR_268 Cannot find a partition for dc=demo,dc=com]"
On the other hand, creating the partition "demo.com" manually with ApacheDS studio UI (and removing the first dn block) it works. I'm a bit confused! Any help to sort out the problem?

Importing your LDIF file into ApacheDS will just create the entries not the partition. Since all your entries have to be stored in a partition you get the below error when the partition doesn't exist:
ERR_268 Cannot find a partition for dc=demo,dc=com
Every partition has a suffix or base DN associated with it which will act as the parent entry for all the other entries stored in the same partition. In your case the suffix will be:
dc=demo,dc=com
Notice that the suffix is also an entry (just like any other entry in your directory).
Creating a new DIT (Directory Information Tree) involves the following steps:
Create a new partition.
Create suffix entry.
Create additional entries.
Some utilities (like Apache Studio) will create the suffix entry automatically when you create the partition (I think that's what's confusing you) but in reality they are two different operations.
You can read more about ApacheDS partitions here.

Related

Openfire LDAP configuration for groups

I've got LDAP working with OpenFire, at least for users and authentication, but I'm having some trouble getting it to see my group's members.
A sample group in our LDAP schema (which is IPA-based) looks like:
dn: cn=infrastructure,cn=groups,cn=accounts,dc=our,dc=net
member: uid=bretw,cn=users,cn=accounts,dc=our,dc=net
member: uid=bobs,cn=users,cn=accounts,dc=our,dc=net
:
objectClass: top
objectClass: groupofnames
objectClass: nestedgroup
objectClass: ipausergroup
objectClass: ipaobject
objectClass: posixgroup
cn: infrastructure
description: Infrastructure group
ipaUniqueId: <blah>
gidNumber: 9590000048
My group settings are default, except that I added a group filter of "(objectClass=ipausergroup)" to catch the actual groups and screen out the ones that are just for individual users. I'm using "cn=accounts,dc=our,dc=net" as our base DN.
What should I be doing to ensure that OpenFire 4.5.1 can see into our groups? It finds them, but says each has 0 members, which we know to not be true.
Turns out using anonymous logins don't work for filling out groups. Once I set an administrator DN, groups populated properly.

Adding initial entries in openldap returns- ldap_add: No such object (32)

I'm trying to add two entries in ldap just below one another. But it's not letting me add. Error-
adding new entry "dc=R2D2"
ldap_add: No such object (32)
additional info: Unable to add entry 'dc=R2D2' because its parent entry 'null' does not exist in the server.
This is a new openLDAP server running on a Feora29. I've tried many modifications to my ldif file but it's still not working.
The LDAP expected structure:
dc=R2D2 -> o=TD
I have added objectClass: country on line 4 because it said:
adding new entry "dc=R2D2"
ldap_add: Object class violation (65)
additional info: Unable to add entry 'dc=R2D2' because it violates the provided schema: The entry does not have a structural object class.
This is the ldif i'm trying to add via ldapadd
dn: dc=R2D2
dc: R2D2
objectClass: dcObject
objectClass: country
objectClass: top
c=DE
dn: o=TD,dc=R2D2
o: TD
objectClass: organization
objectClass: top
The LDAP result code noSuchObject (32) returned for a failed add operation means that the parent entry was not found.
If dc=R2D2 is really the full DN of the entry to be added, then you have to define a database with this particular DN used as database suffix.
For static OpenLDAP config method this would look like:
[..]
database mdb
suffix dc=R2D2
[..]
See also: OpenLDAP Software 2.4 Administrator's Guide
I guess this is because your ldif has an unnecessary space character at line 4 (after "country" like "country ").
I have been able to successfully execute ldapadd command with the following ldif that has no unnecessary space character after "country":
dn: dc=R2D2
dc: R2D2
objectClass: dcObject
objectClass: country
objectClass: top
c: DE
dn: o=TD,dc=R2D2
o: TD
objectClass: organization
objectClass: top

How to create LDAP aliases in Openldap and Phpldapadmin?

I am trying to do this example with an email field :
https://coderwall.com/p/c0w6-q/create-ldap-aliases-in-openldap
This is the .ldif that should create both :
# this is the user
dn: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
objectclass: top
objectClass: extensibleObject
objectclass: posixAccount
objectclass: inetOrgPerson
cn: Alexander Fake
employeetype: developer
gecos: Alexander Fake
gidnumber: 14564103
homedirectory: /home/aka
loginshell: /bin/bash
mail: alexander.fake#domain.com
sn: Fake
uid: aka
uidnumber: 14583105
userpassword: {SSHA}SgmdndrPR5UVLOAmDs5JOJvqr3WmPYob
# this is the alias
dn: mail=alexander.Fake#domain.com,dc=mailAccount,dc=domain.com,dc=mail,dc=domain,dc=com
changetype: add
objectClass: alias
objectClass: top
objectClass: extensibleObject
objectclass: inetOrgPerson
uid: aka
aliasedObjectName: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
I can only import/export ldif, I use phpldapadmin for administration.
When the aliases is craeted it produce the following error :
This update has been or will be cancelled, it would result in an attribute value not being unique. You might like to search the LDAP server for the offending entry.
Does anyone know how to create aliases on openldap and phpldapadmin ?
This is basically correct. Just:
Remove the uid=aka attribute from the aliasedObject. It doesn't need it. It refers to another object which has that UID value.
Also remove inetOrgPerson from the alias. It isn't a person, it's an alias for a person.
The objectClass attribute only needs to contain top and alias; and extensibleObject so you can provide a cn or whatever attribute you like as part of the DN, if you want to do that: it doesn't seem to be necessary judging by my DIT.
Poor quality source material. Don't rely on arbitrary Internet junk. Use the official documentation.

Adding an entry to OpenLDAP

I just Installed OpenLDAP on Ubuntu Server 12.10, and I added an ldif file using slapadd -c -l init.ldif as the following :
dn:dc=tpw,dc=uca,dc=ma
dc: tpw
objectClass: dcObject
objectClass: top
objectClass: domain
dn: ou=people,dc=tpw,dc=uca,dc=ma
ou: people
objectClass: organizationalUnit
objectClass: top
dn: ou=groupes,dc=tpw,dc=uca,dc=ma
ou: groupes
objectClass: organizationalUnit
objectClass: top
dn: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
uid: admin
sn: Admin
cn: Admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9
mail: admin#uca.ma
givenName: admin
dn: cn=GI,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GI
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GP,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GP
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GT,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GT
objectClass: groupOfUniqueNames
objectClass: top
Now my ldap tree looks like this :
Then I tried to add a new inetOrgPerson using Apache Directory Studio, but I got this error :
[LDAP: error code 80 - index generation failed]
Then I tried the same thing using phpLDAPadmin, but I got this error :
Impossible d'ajouter l'objet au serveur LDAP.
LDAP dit :: Other (e.g., implementation specific) error
Erreur numéro :: 0x50 (LDAP_OTHER)
Then I created a file which I named xx.ldif :
dn: uid=xx,ou=people,dc=tpw,dc=uca,dc=ma
cn: XX
givenname: xx
mail: xx#edu.uca.ma
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: XX
uid: xx
userpassword: toor
And I tried to add this entry using this command via terminal :
sudo ldapadd -x -D cn=Manager,dc=tpw,dc=uca,dc=ma -W -f xx.ldif
But I got this error :
ldap_add: Other (e.g., implementation specific) error (80)
additional info: index generation failed
How can I solve this problem ?
PS : In another scenario I deleted my database and I modified the file init.ldif wich contains all the entries I want to add, and I added the entry xx, then I imported my file using the slapadd command, but In this way I have to delete the database every time I want to add a new entry, which is not practical.
Edit1 :
This is the output of the command slapindex :
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!
5370d6f9 /etc/ldap/slapd.conf: line 95: rootdn is always granted unlimited privileges.
5370d6f9 /etc/ldap/slapd.conf: line 112: rootdn is always granted unlimited privileges.
5370d6f9 hdb_db_open: database "dc=tpw,dc=uca,dc=ma": database already in use.
5370d6f9 backend_startup_one (type=hdb, suffix="dc=tpw,dc=uca,dc=ma"): bi_db_open failed! (-1)
slap_startup failed
The first thing is that init.ldif file seems to be misconfigured :
domainComponent "uca" (dc=uca) is missing, there should be an entry (dcObject or domain objectClass) to define this attribute that holds a component of the domain name.
dcObject is intended to be used in entries for which there is an appropriate structural object class. For example, if the domain represents a particular organization, the entry would have as its structural object class 'organization', and the 'dcObject' class would be an auxiliary class.
domain is a structural object class used for entries in which no other information is being stored. The domain object class is typically used for entries that are placeholders or whose domains do not correspond to real-world entities.
In your .ldif file you can replace the first entry "dn: dc=tpw,dc=uca,dc=ma" with these 2 (then delete your database again and redo the slapadd command) :
dn: dc=uca,dc=ma
objectClass: top
objectClass: organization
objectClass: dcObject
dc: uca
o: an organization name (mandatory with 'organization' objectClass)
dn: dc=tpw,dc=uca,dc=ma
objectClass: top
objectClass: domain
dc: tpw
Second thing : obviously you have landed into an index issue. I think you do want to use indexes but if not, find and remove any line beginning with index from slapd.conf, e.g. :
index objectClass eq.
Remember to stop slapd and run slapindex after every change comitted to the index definitions in slapd.conf, and ensure all ldap clients have been disconnected before running slap commands to prevent database already in use messages.
So take the hints given you by slapindex. Don't run slapd as root, fix lines 95 and 112, and don't run slapd twice, or fix whatever is causing it to think the database is already in use.
While this isn't relevant to the OP's question, I ran into a similar error of:
bdb_db_open: database already in use
or
hdb_db_open: database "dc=XXX,dc=XXX,dc=XXX": database already in use.
One of our Openshift nodes went down and the PVC's (mount) /var/lib/ldap/ __db.001, __db.002 and __db.003 had become locked. After googling for hours, the only solution I found was to perform the following (and note, since it was OpenShift, I had to use a debug pod to get a shell).
mkdir /var/lib/ldap/backup
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Try and restart slapD, if it still fails as it did with one of OpenLDap instances, then move the alock file
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Restart slapD or in our instance delete the OpenShift pod and let it be recreated. Everything may now be working as it did for us - hope this might help anyone else running into the same issue.

Adding certificate in userSMIMECertificate attribute of inetOrgPerson

I'm going to publish a certificate for my email using LDAP.
I already have a LDAP up and running (AD LDS) on windows 2012.
I'm going to add records using ldif file.
Here its contents
dc: dc=mysubdomain,dc=mydomain,dc=com
dn: dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: domain
dc: mydomain
dc: mysubdomain
description: Some root stuff
dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates
dn: Mail=test#mysubdomain.mydomain.com,ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: test#mysubdomain.mydomain.com
userSMIMECertificate: #<What to put?>
I'm stuck in compiling my ldif file. As I understand, I need to put some binary encoded in Base64 with some prefix {CERT} or something.
My questions are
Will this ldif file make modifications into the directory?
Do I have problems except userSMIMECertificate field?
For example I'm using dc twice in the domain object, is it ok?
Am I missing some other important line?
What is exact syntax of putting certificate content in the userSMIMECertificate? (I've made a search, but could not find the examples)
Here is your LDIF with the appropriate changes:
dn: dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: domain
dc: mysubdomain
description: Some root stuff
dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates
description: Provide some descriptive text here.
dn: Mail=test#mysubdomain.mydomain.com,ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: test#mysubdomain.mydomain.com
userSMIMECertificate: file:///path-cert-file
As a useful supplement to the existing answer from Terry Gardner
To avoid that your ldif depends on an external file, you might want to specify the userSMIMECertificate in such a way:
userSMIMECertificate:: Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsKCWZpbGVuY
W1lPXNtaW1lLnA3cwpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3BrY3M3LXNpZ25hdHVyZTsK
[...]
This is basically the base64-encoded file contents.
In order to get rid of file dependencies, it's easiest to import the ldif with the file dependencies, then export the object to a new ldif. The export should create above format.