How to Modify TDS userid(uid) value using java API - ldap

I am trying to modify uid value in Tivoli directory server using API. Please review the below user structure.
dn: uid=user1,cn=demo,o=evault
uid: user1
userPassword: {AES256}mIJFA1UiEMYP6J2dVt3vcg==
objectclass: top
objectclass: demoObjectClass
objectclass: ePerson
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
sn: user1
cn: user1
ibm-entryuuid: 134f18c0-b251-1034-8575-a2f4cc94f892
Here i am trying yo change the uid. Is it possible?? Please guide me on this

You must perform a rename on the entry as uid is the "naming attribute".

Related

Why is Apacheds not importing users with the top attribute set in the ldif file?

Apacheds apacheds-2.0.0.AM26.exe. Importing ldif file with Apache Directory Studio 2.0.0.v20210213-M16
When "objectClass: top" is included in my ldif file I get an invalidAttributeSyntax error. Full error below.
I have deduced that it is the top attribute because all the other attributes show up normally in the log. The top one shows up as objectClass:: dG9wIA==.
If I remove top it works. If I put top back and import again with the update option it works.
Error:
#!RESULT ERROR
#!CONNECTION ldap://myhost:10389
#!DATE 2021-05-27T11:13:27.212
#!ERROR [LDAP result code 21 - invalidAttributeSyntax] INVALID_ATTRIBUTE_SYNTAX: failed for MessageType : ADD_REQUEST Message ID : 17 Add Request : Entry dn: uid=jsmith,ou=Users, dc=example,dc=com objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetorgperson uid: jsmith givenName: Jerry sn: Smith cn: Jerry Smith userPassword: 0x52 0x61 0x74 0x31 0x6F 0x6E 0x61 0x6C : ERR_13246_INVALID_VALUE_PER_SYNTAX Invalid upValue per syntax dn: uid=jsmith,ou=Users, dc=example,dc=com changetype: add uid: jsmith givenName: Jerry sn: Smith cn: Jerry Smith objectClass:: dG9wIA== objectClass: person objectClass: organizationalPerson objectClass: inetorgperson userPassword:: UmF0MW9uYWw=
Ldif data:
User:
dn: uid=jsmith,ou=Users,dc=example,dc=com
givenName: Jerry
sn: Smith
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetorgperson
uid: jsmith
cn: Jerry Smith
userPassword: MyPasswordInClearText
Ldif to create the Group and Users objects which I have tested both as part of the larger ldif file and as two separate imports. This part first then the users second.
dn: ou=Groups,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Groups
dn: ou=Users,dc=example,dc=com
objectClass: organizationalunit
objectClass: top
ou: Users

How to create LDAP aliases in Openldap and Phpldapadmin?

I am trying to do this example with an email field :
https://coderwall.com/p/c0w6-q/create-ldap-aliases-in-openldap
This is the .ldif that should create both :
# this is the user
dn: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
objectclass: top
objectClass: extensibleObject
objectclass: posixAccount
objectclass: inetOrgPerson
cn: Alexander Fake
employeetype: developer
gecos: Alexander Fake
gidnumber: 14564103
homedirectory: /home/aka
loginshell: /bin/bash
mail: alexander.fake#domain.com
sn: Fake
uid: aka
uidnumber: 14583105
userpassword: {SSHA}SgmdndrPR5UVLOAmDs5JOJvqr3WmPYob
# this is the alias
dn: mail=alexander.Fake#domain.com,dc=mailAccount,dc=domain.com,dc=mail,dc=domain,dc=com
changetype: add
objectClass: alias
objectClass: top
objectClass: extensibleObject
objectclass: inetOrgPerson
uid: aka
aliasedObjectName: uid=aka,c=VN,ou=users,ou=school,o=vdm,dc=domain,dc=com
I can only import/export ldif, I use phpldapadmin for administration.
When the aliases is craeted it produce the following error :
This update has been or will be cancelled, it would result in an attribute value not being unique. You might like to search the LDAP server for the offending entry.
Does anyone know how to create aliases on openldap and phpldapadmin ?
This is basically correct. Just:
Remove the uid=aka attribute from the aliasedObject. It doesn't need it. It refers to another object which has that UID value.
Also remove inetOrgPerson from the alias. It isn't a person, it's an alias for a person.
The objectClass attribute only needs to contain top and alias; and extensibleObject so you can provide a cn or whatever attribute you like as part of the DN, if you want to do that: it doesn't seem to be necessary judging by my DIT.
Poor quality source material. Don't rely on arbitrary Internet junk. Use the official documentation.

Query LDAP for all entries without given objectClass

I have several entries in my LDAP directory with different object class specified
dn: uid=user1,ou=users,dc=exampleCompany,dc=com
uid: user1
objectClass: user
objectClass: developer
cn: User1 User
dn: uid=user2,ou=users,dc=exampleCompany,dc=com
uid: user2
objectClass: user
objectClass: administrator
cn: User2 User
dn: uid=user3,ou=users,dc=exampleCompany,dc=com
uid: user3
objectClass: user
objectClass: developer
objectClass: administrator
cn: User3 User
dn: uid=user4,ou=users,dc=exampleCompany,dc=com
uid: user4
objectClass: anotherClass
cn: User4 User
I want to query all that don't have objectClass: developer, regardless of other object classes they have.
I tried
ldapsearch -x -b ou=users,dc=exampleCompany,dc=com "(&(objectClass=*)(!(objectClass=developer)))"
but I got
dn: ou=users,dc=exampleCompany,dc=com
objectClass: organizationalUnit
ou: users
# search result
search: 2
result: 0 Success
What would be the correct query?
As you have but without the & and the (objectClass=*) part.
You also need to specify a subtree search.

Adding certificate in userSMIMECertificate attribute of inetOrgPerson

I'm going to publish a certificate for my email using LDAP.
I already have a LDAP up and running (AD LDS) on windows 2012.
I'm going to add records using ldif file.
Here its contents
dc: dc=mysubdomain,dc=mydomain,dc=com
dn: dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: domain
dc: mydomain
dc: mysubdomain
description: Some root stuff
dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates
dn: Mail=test#mysubdomain.mydomain.com,ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: test#mysubdomain.mydomain.com
userSMIMECertificate: #<What to put?>
I'm stuck in compiling my ldif file. As I understand, I need to put some binary encoded in Base64 with some prefix {CERT} or something.
My questions are
Will this ldif file make modifications into the directory?
Do I have problems except userSMIMECertificate field?
For example I'm using dc twice in the domain object, is it ok?
Am I missing some other important line?
What is exact syntax of putting certificate content in the userSMIMECertificate? (I've made a search, but could not find the examples)
Here is your LDIF with the appropriate changes:
dn: dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: domain
dc: mysubdomain
description: Some root stuff
dn: ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: organizationalUnit
ou: mysubdomaincertificates
description: Provide some descriptive text here.
dn: Mail=test#mysubdomain.mydomain.com,ou=mysubdomaincertificates,dc=mysubdomain,dc=mydomain,dc=com
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: Test Test
sn: Test
Mail: test#mysubdomain.mydomain.com
userSMIMECertificate: file:///path-cert-file
As a useful supplement to the existing answer from Terry Gardner
To avoid that your ldif depends on an external file, you might want to specify the userSMIMECertificate in such a way:
userSMIMECertificate:: Q29udGVudC1EaXNwb3NpdGlvbjogYXR0YWNobWVudDsKCWZpbGVuY
W1lPXNtaW1lLnA3cwpDb250ZW50LVR5cGU6IGFwcGxpY2F0aW9uL3BrY3M3LXNpZ25hdHVyZTsK
[...]
This is basically the base64-encoded file contents.
In order to get rid of file dependencies, it's easiest to import the ldif with the file dependencies, then export the object to a new ldif. The export should create above format.

Add 'memberOf' attribute to ApacheDS

I am trying to simulate Active Directory's memberOf attribute in Apache Directory. I have added the following entry for memberOf to my LDIF file:
dn: m-oid=1.3.6.1.4.1.18060.0.4.3.2.1,ou=attributeTypes,cn=other,ou=schema
m-usage: USER_APPLICATIONS
m-equality: distinguishedNameMatch
objectClass: metaAttributeType
objectClass: metaTop
objectClass: top
m-name: memberOf
m-oid: 1.3.6.1.4.1.18060.0.4.3.2.1
m-obsolete: FALSE
m-noUserModification: FALSE
m-syntax: 1.3.6.1.4.1.1466.115.121.1.27
When I start ApacheDS the following warning is logged:
WARN [ContainerBackgroundProcessor[StandardEngine[Catalina]]] entry.ServerStringValue - Cannot normalize the value :Encountered name based id of memberOf which was not found in the OID registry
This causes problems later on because my application tries to user the memberOf attribute as a search filter.
Is anything wrong with the way I specified the LDIF entry?
For my integration test cases on top of embedded Apache Directory Server I've added both memberOf and sAMAccountName attributes defined in Microsoft Active Directory server.
#########################################################
# MICROSOFT SCHEMA for sAMAccountName and memberOf
# these two attributes are not defined in Apache Directory Server
#########################################################
dn: cn=microsoft, ou=schema
objectclass: metaSchema
objectclass: top
cn: microsoft
dn: ou=attributetypes, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: attributetypes
dn: m-oid=1.2.840.113556.1.4.221, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.221
m-name: sAMAccountName
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: TRUE
dn: m-oid=1.2.840.113556.1.4.222, ou=attributetypes, cn=microsoft, ou=schema
objectclass: metaAttributeType
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.4.222
m-name: memberOf
m-equality: caseIgnoreMatch
m-syntax: 1.3.6.1.4.1.1466.115.121.1.15
m-singleValue: FALSE
dn: ou=objectclasses, cn=microsoft, ou=schema
objectclass: organizationalUnit
objectclass: top
ou: objectClasses
dn: m-oid=1.2.840.113556.1.5.6, ou=objectclasses, cn=microsoft, ou=schema
objectclass: metaObjectClass
objectclass: metaTop
objectclass: top
m-oid: 1.2.840.113556.1.5.6
m-name: simulatedMicrosoftSecurityPrincipal
m-supObjectClass: top
m-typeObjectClass: AUXILIARY
m-must: sAMAccountName
m-may: memberOf
#######################################################
# Megacorp employees
#######################################################
dn: cn=EmployeeABC,ou=nl_users,DC=corp,DC=megacorp,DC=COM
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectclass: simulatedMicrosoftSecurityPrincipal
cn: EmployeeABC
sn: EmployeeABC
givenName: EmployeeABC
mail: EmployeeABC#megacorp.com
MEMBEROF: CN=just-users,OU=mc_groups,DC=corp,DC=megacorp,DC=com
MEMBEROF: CN=best-users,OU=mc_groups,DC=corp,DC=megacorp,DC=com
SAMACCOUNTNAME: employeeabc
The ApacheDS team is aware of the desire for the memberOf virtual attribute. They mention that it will be part of the 2.1.0 release:
Le 5/20/13 5:53 PM, Danielsen, Jay a écrit :
I see from the January 2013 archives that memberOf virtual attribute is not yet supported.
Are there any plans or work-in-progress to support memberOf in an upcoming release ? Morst certainly in 2.1.0.
We are currently busy cleaning the 150 remaining issues before a
2.0.0-RC1 release, so I think this is something we can have in the next 6 months.
You can create a JIRA to request such a feature.
Thanks !
-- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
And here is the JIRA request.
You may need to add the schema that contains 'memberOf' into the ApacheDS configuration.