openldap add mail attribute to users - ldap

I'm trying to add 'mail' attribute to users on my openldap server but somehow it fails.
I tried using ldapmodify but I get this:
ldap_modify: Object class violation (65)
additional info: attribute 'mail' not allowed
Here's how my schema looks like:
# LDIF Export for ou=users,dc=mydomain,dc=com
# Server: (ldap.mydomain.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 63
version: 1
# Entry 1: ou=users,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 2: uid=tom.hanks,ou=users,dc=mydomain,dc=com
dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005
userpassword: blahblah

Include objectclass: iNetOrgPerson to add the mail attribute.

In order to give the user the Attribute mail you first have to add the mail attribute to the user's olcObjectClasses.
This can be done by a modification via an ldif like this:
dn: cn={12345}someName,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {1}
-
add: olcObjectClasses
olcObjectClasses: {1}( 1.3.6.1.4.1.12344556.1.1.1 NAME 'yourObjectClassEGAccount' DESC 'some description' SUP inetOrgPerson STRUCTURAL MUST ( requiredparam1 $ requiredParam2 $ reqParam3 ) MAY ( optionalParam1 $ optionalParam2 ) ) )
-
See the documentation for ldapmodify for details: Oracle ldapmodify Doc
The modification is then given to ldap via the following command (command line):
sudo ldapmodify -f filename.ldif
make sure to read the documentation on whether you need further parameters like eg. -h for hostname or -Y for a proxyDN: lmodify Doc

Related

Problem mapping LDAP configurations to Rundeck’s JAAS parameters

I am trying to integrate LDAP authentication to rundeck.
I can query the users using ldapsearch successfully like below
ldapsearch -v -x -D "some_address#myorg.lan" -b "dc=myorg,dc=lan" -H ldap://ldaphost.myorg.lan -w **** "uid=user_1"
which returns:
ldap_initialize( ldap://ldaphost.myorg.lan:389/??base )
filter: uid=user_1
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=myorg,dc=lan> with scope subtree
# filter: uid=user_1
# requesting: ALL
#
# user_1#myorg.lan, Users, myorg, Zones, Circular, warehouse, myorg
.lan
dn: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
objectClass: top
objectClass: posixAccount
objectClass: leaf
objectClass: connectionPoint
objectClass: serviceConnectionPoint
cn: user_1#myorg.lan
distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan
instanceType: 4
whenCreated: 20190128081317.0Z
whenChanged: 20200128081329.0Z
displayName: $CimsUserVersion5
uSNCreated: 221081209
uSNChanged: 221081209
showInAdvancedViewOnly: TRUE
name: user_1#myorg.lan
objectGUID:: XG234o3+m0iVYGHHJKODVQ==
keywords: parentLink:S-1-5-21-******-*****-*****-1***3
objectCategory: CN=Service-Connection-Point,CN=Schema,CN=Configuration,DC=myorg,DC=lan
dSCorePropagationData: 20210805091319.0Z
dSCorePropagationData: 20210805084748.0Z
dSCorePropagationData: 20210921114113.0Z
dSCorePropagationData: 20210405111238.0Z
dSCorePropagationData: 16020914223649.0Z
uid: user_1
unixHomeDirectory: %{home}/%{user}
uidNumber: 763534041
gecos: %{u:displayName}
loginShell: /bin/bash
gidNumber: 20003
# search reference
ref: ldap://myorg.lan/CN=Configuration,DC=myorg,DC=lan
# search reference
ref: ldap://ForestDnsZones.myorg.lan/DC=ForestDnsZones,DC=myorg,DC=lan
# search reference
ref: ldap://DomainDnsZones.myorg.lan/DC=DomainDnsZones,DC=myorg,DC=lan
# search result
search: 2
result: 0 Success
# numResponses: 5
# numEntries: 1
# numReferences: 3
However, now I am confused which information maps to which parameter in Rundeck's JettyCachingLdapLoginModule. e.g. whether distinguishedName: CN=user_1#myorg.lan,CN=Users,CN=myorg,CN=Zones,OU=Circular,OU=warehouse,DC=myorg,DC=lan is a bindDn, userBaseDn or roleBaseDn?
I don't have direct access to the LDAP server, so only way to retrieve information is through ldapsearch.
It looks like the user name to access the LDAP binDn.
Here you can see all attributes explained.
bindDn: is optional. If not using "binding" authentication, set this to the root DN that should bind, e.g. "cn=Manager,dc=example,dc=com".
userBaseDn: is the base DN to search for users, example: "ou=People,dc=test1,dc=example,dc=com".
roleBaseDN: is the Base DN for role membership search, e.g. "ou=Groups,dc=test1,dc=example,dc=com".
Another great tool to check your LDAP server is Apache Directory Studio.

UnboundID LDAP memberof-overlay

I'm trying to get the dynamic memberOf attribute to work in my in-memory-ldap-server. I'm using the standard edition of UnboundID.
I tried with the following .ldif-files if it is activated by default:
base.ldif:
dn: dc=example,dc=com
objectclass: domain
dc: example
dn: ou=Group,dc=example,dc=com
objectclass: organizationalUnit
ou: Group
dn: ou=People,dc=example,dc=com
objectclass: organizationalUnit
ou: People
dn: uid=test1,ou=People,dc=example,dc=com
objectclass: account
uid: test1
#Group 1.1
dn: cn=testUndergroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testUndergroup
#Group 1
dn: cn=testgroup,ou=Group,dc=example,dc=com
objectclass: groupOfNames
cn: testgroup
modify.ldif:
dn: cn=testgroup,ou=Group,dc=example,dc=com
changetype: modify
add: member
member: uid=test1,ou=People,dc=example,dc=com
when i do this ldap-search:
seach:
ldapsearch --hostname localhost --port 3268 --baseDN dc=example,dc=com "(uid=test1)" memberOf
i dont get the memberof in the answer:
# Connected to localhost:3268
dn: uid=test1,ou=People,dc=example,dc=com
# The search operation was processed successfully.
# Entries returned: 1
# References returned: 0
# Disconnected from the server
So it isn't activated by default.
How can i activate the memberOf attribute in UnboundID?
BTW: i can not use dynamic groups like they are mentioned here
The in-memory directory server shipped with the LDAP SDK does not support groups. The document that you are referencing on our community portal refers to the UnboundID Directory Server - which is a commercial product and distinct from the in-memory directory server. You can request a free trial download to the UnboundID Directory Server through the main website (https://www.unboundid.com or https://www.pingidentity.com). I hope this helps.

search user uid in uniquemember - ldap

I have some user within a uid within uniquemember.
How to create a show that only the ldapsearch uid?
If today I run the command below, the Results is the entire contents of uniquemember and I just want to return the uid:
ldapsearch -x -h serverldap.com -p 389 -D uid=pdi00usr,ou=bind,ou=users,ou=access,o=com,c=br -W -b o=com,c=br -s sub "(&(uniqueMember=F)(cn=pdi*))"
# pdiasc01, pdi, aplic, groups, access, com, br
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Administrator
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
# pdiapf02, pdi, aplicacao, grupos, acesso, bb, br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Aprover
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br
i need a resulta like this:
uid=f3799300
uid=f6802561
You've got two options as far as I can see.
First would be to simply pipe your output through grep and do some sed (or awk) magic to remove everything after the first comma or
Second use the returned uid for a second query for the entry with the dn returned by uid and query for the uid of that object (which should be what you are looking for)

OpenLDAP Dynamic Groups not searching by member

I'm confused! :)
I've got a dynamic group in OpenLDAP:
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
When I search for it, it gets expanded (the dynlist module is set up correctly):
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain
Brilliant. Exactly what I'd expect.
However, if I search on it by member I get nothing!
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
But, no cn: DynamicGroup ! :(
Nothing! :(
Does anyone have an hint for me as to why that might not be working?
Update:
I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:
dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'I
dentifies an URL associated with each member of a group. Any type of labeled
URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use
when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authoriza
tion rules that determine who is allowed to assume the dgIdentity' EQUALITY a
uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top S
TRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $
o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY
( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z
It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:
root#auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
Update: using an auto group it now works:
dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf
The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html
You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.

Adding an entry to OpenLDAP

I just Installed OpenLDAP on Ubuntu Server 12.10, and I added an ldif file using slapadd -c -l init.ldif as the following :
dn:dc=tpw,dc=uca,dc=ma
dc: tpw
objectClass: dcObject
objectClass: top
objectClass: domain
dn: ou=people,dc=tpw,dc=uca,dc=ma
ou: people
objectClass: organizationalUnit
objectClass: top
dn: ou=groupes,dc=tpw,dc=uca,dc=ma
ou: groupes
objectClass: organizationalUnit
objectClass: top
dn: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
uid: admin
sn: Admin
cn: Admin
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: top
userPassword:: e1NIQX0wRFBpS3VOSXJyVm1EOElVQ3V3MWhReE5xWmM9
mail: admin#uca.ma
givenName: admin
dn: cn=GI,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GI
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GP,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GP
objectClass: groupOfUniqueNames
objectClass: top
dn: cn=GT,ou=groupes,dc=tpw,dc=uca,dc=ma
uniquemember: uid=admin,ou=people,dc=tpw,dc=uca,dc=ma
cn: GT
objectClass: groupOfUniqueNames
objectClass: top
Now my ldap tree looks like this :
Then I tried to add a new inetOrgPerson using Apache Directory Studio, but I got this error :
[LDAP: error code 80 - index generation failed]
Then I tried the same thing using phpLDAPadmin, but I got this error :
Impossible d'ajouter l'objet au serveur LDAP.
LDAP dit :: Other (e.g., implementation specific) error
Erreur numéro :: 0x50 (LDAP_OTHER)
Then I created a file which I named xx.ldif :
dn: uid=xx,ou=people,dc=tpw,dc=uca,dc=ma
cn: XX
givenname: xx
mail: xx#edu.uca.ma
objectclass: inetOrgPerson
objectclass: organizationalPerson
objectclass: person
objectclass: top
sn: XX
uid: xx
userpassword: toor
And I tried to add this entry using this command via terminal :
sudo ldapadd -x -D cn=Manager,dc=tpw,dc=uca,dc=ma -W -f xx.ldif
But I got this error :
ldap_add: Other (e.g., implementation specific) error (80)
additional info: index generation failed
How can I solve this problem ?
PS : In another scenario I deleted my database and I modified the file init.ldif wich contains all the entries I want to add, and I added the entry xx, then I imported my file using the slapadd command, but In this way I have to delete the database every time I want to add a new entry, which is not practical.
Edit1 :
This is the output of the command slapindex :
WARNING!
Runnig as root!
There's a fair chance slapd will fail to start.
Check file permissions!
5370d6f9 /etc/ldap/slapd.conf: line 95: rootdn is always granted unlimited privileges.
5370d6f9 /etc/ldap/slapd.conf: line 112: rootdn is always granted unlimited privileges.
5370d6f9 hdb_db_open: database "dc=tpw,dc=uca,dc=ma": database already in use.
5370d6f9 backend_startup_one (type=hdb, suffix="dc=tpw,dc=uca,dc=ma"): bi_db_open failed! (-1)
slap_startup failed
The first thing is that init.ldif file seems to be misconfigured :
domainComponent "uca" (dc=uca) is missing, there should be an entry (dcObject or domain objectClass) to define this attribute that holds a component of the domain name.
dcObject is intended to be used in entries for which there is an appropriate structural object class. For example, if the domain represents a particular organization, the entry would have as its structural object class 'organization', and the 'dcObject' class would be an auxiliary class.
domain is a structural object class used for entries in which no other information is being stored. The domain object class is typically used for entries that are placeholders or whose domains do not correspond to real-world entities.
In your .ldif file you can replace the first entry "dn: dc=tpw,dc=uca,dc=ma" with these 2 (then delete your database again and redo the slapadd command) :
dn: dc=uca,dc=ma
objectClass: top
objectClass: organization
objectClass: dcObject
dc: uca
o: an organization name (mandatory with 'organization' objectClass)
dn: dc=tpw,dc=uca,dc=ma
objectClass: top
objectClass: domain
dc: tpw
Second thing : obviously you have landed into an index issue. I think you do want to use indexes but if not, find and remove any line beginning with index from slapd.conf, e.g. :
index objectClass eq.
Remember to stop slapd and run slapindex after every change comitted to the index definitions in slapd.conf, and ensure all ldap clients have been disconnected before running slap commands to prevent database already in use messages.
So take the hints given you by slapindex. Don't run slapd as root, fix lines 95 and 112, and don't run slapd twice, or fix whatever is causing it to think the database is already in use.
While this isn't relevant to the OP's question, I ran into a similar error of:
bdb_db_open: database already in use
or
hdb_db_open: database "dc=XXX,dc=XXX,dc=XXX": database already in use.
One of our Openshift nodes went down and the PVC's (mount) /var/lib/ldap/ __db.001, __db.002 and __db.003 had become locked. After googling for hours, the only solution I found was to perform the following (and note, since it was OpenShift, I had to use a debug pod to get a shell).
mkdir /var/lib/ldap/backup
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Try and restart slapD, if it still fails as it did with one of OpenLDap instances, then move the alock file
mv /var/lib/ldap/__db.* /var/lib/ldap/backup
Restart slapD or in our instance delete the OpenShift pod and let it be recreated. Everything may now be working as it did for us - hope this might help anyone else running into the same issue.