search user uid in uniquemember - ldap

I have some users with a uid within uniquemember.
How can I make ldapsearch show only the uid?
If I run the command below today, the result is the entire contents of uniquemember, and I just want to return the uid:
ldapsearch -x -h serverldap.com -p 389 -D uid=pdi00usr,ou=bind,ou=users,ou=access,o=com,c=br -W -b o=com,c=br -s sub "(&(uniqueMember=F)(cn=pdi*))"
# pdiasc01, pdi, aplic, groups, access, com, br
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Administrator
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
# pdiapf02, pdi, aplicacao, grupos, acesso, bb, br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Aprover
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br
I need a result like this:
uid=f3799300
uid=f6802561

You've got two options as far as I can see.
The first would be to simply pipe your output through grep and do some sed (or awk) magic to remove everything after the first comma, or
the second is to use the returned uid for a second query for the entry with the dn returned by uid, and query for the uid of that object (which should be what you are looking for).
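The first of those two options, written out as a POSIX shell pipeline. This is an added example and not part of the original question or answer; the LDIF below is constructed sample data modelled on the two group entries in the question, and in practice the pipeline's input is the ldapsearch command itself.

```shell
#!/bin/sh
# Added example (not from the original post): pull the uid RDN out of each
# uniqueMember value in ldapsearch LDIF output.

# Constructed sample LDIF, modelled on the two group entries in the question.
SAMPLE_LDIF='dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br

dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br'

# Reads LDIF on stdin and prints one "uid=<value>" per distinct member.
#   1. keep only uniqueMember lines (LDAP attribute names are case-insensitive)
#   2. drop the attribute name, keep the value
#   3. keep only values that are full DNs (contain a comma); this skips the
#      bare "uid=dummy" placeholder the groups carry
#   4. keep the first RDN, i.e. everything before the first comma
#   5. deduplicate across groups
extract_uids() {
  grep -i '^uniquemember: ' \
    | sed 's/^[^:]*: *//' \
    | grep ',' \
    | sed 's/,.*//' \
    | sort -u
}

# Convenience wrapper over the constructed sample, so the result can be checked.
extract_uids_from_sample() {
  printf '%s\n' "$SAMPLE_LDIF" | extract_uids
}

extract_uids_from_sample
```

Two caveats when feeding real ldapsearch output into this: OpenLDAP's ldapsearch folds values longer than 76 characters onto continuation lines, so pass `-o ldif-wrap=no` to keep each DN on one line, and a value that ldapsearch emits base64-encoded (`uniquemember::`) is not matched by the grep. The pipeline also keeps whatever the first RDN is; a member whose DN starts with `cn=` comes out as `cn=...`, not `uid=...`, which is the case the answer's second option (a base-scope search on the member DN requesting only the uid attribute) handles without guessing.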

Related

How to add OU in LDAP?

I have done the LDAP setup on Ubuntu using apt install slapd ldap-utils.
After doing all the setup/configuration, I also added one test user, and here is what I get:
$ ldapsearch -x -b "dc=param,dc=co,dc=in"
# extended LDIF
#
# LDAPv3
# base <dc=param,dc=co,dc=in> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# param.co.in
dn: dc=param,dc=co,dc=in
objectClass: top
objectClass: dcObject
objectClass: organization
o: param
dc: param
# admin, param.co.in
dn: cn=admin,dc=param,dc=co,dc=in
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# testuser, param.co.in
dn: uid=testuser,dc=param,dc=co,dc=in
cn: test
sn: test
mail: testuser@param.co.in
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
uid: testuser
# search result
search: 2
result: 0 Success
# numResponses: 4
# numEntries: 3
Now I wanted to add OU with following ou.ldif file:
cn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
cn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
But it gives no result, i.e. neither success nor error, after adding this file using the command:
$ ldapadd -x -W -D "cn=admin,dc=param,dc=co,dc=in" -f ou.ldif
Enter LDAP Password:
$
What exactly am I doing wrong here?
Change 'cn' to 'dn' for distinguished name. 'cn' is common name, which would just be 'people' or 'groups' (except OUs don't need a CN). So it would be:
dn: ou=people,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: people
dn: ou=groups,dc=param,dc=co,dc=in
objectClass: top
objectClass: organizationalUnit
ou: groups
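A small check that catches this class of mistake before the file reaches ldapadd: every LDIF record must open with a `dn:` line. This is an added example, not code from the original question or answer; the two LDIF strings are constructed copies of the broken file and of the corrected one, with a placeholder suffix.

```shell
#!/bin/sh
# Added example (not from the original post): flag LDIF records that do not
# begin with a dn: line, which is what went wrong with the ou.ldif above.

# Constructed samples: the broken file (cn: where dn: belongs) and the fix.
BAD_OU_LDIF='cn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

cn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups'

GOOD_OU_LDIF='dn: ou=people,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: people

dn: ou=groups,dc=example,dc=com
objectClass: top
objectClass: organizationalUnit
ou: groups'

# Reads LDIF on stdin. Prints one line per record whose first line is not
# "dn:" and exits 1 if any were found; exits 0 for a clean file.
check_ldif_dn() {
  awk '
    /^#/ { next }                               # comment lines
    /^version:/ && n == 0 { next }              # optional LDIF version header
    /^$/ { inrec = 0; next }                    # a blank line ends a record
    !inrec {                                    # first line of a new record
      inrec = 1; n++
      if ($0 !~ /^dn:/) {
        printf "record %d starts with \"%s\" instead of dn:\n", n, $1
        bad++
      }
    }
    END { exit bad ? 1 : 0 }
  '
}

printf '%s\n' "$BAD_OU_LDIF" | check_ldif_dn || echo "fix the file before running ldapadd"
```

Run it as `check_ldif_dn < ou.ldif` in the shell before `ldapadd -f ou.ldif`; a non-zero exit means at least one record has no DN and the report names the offending first attribute.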

How do I list all the entries in LDAP directory information tree?

I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.

Issue while adding in ldap

I am getting an issue while adding a user into an OpenLDAP server.
dn: uid=ldapuser1,ou=People,dc=infra,dc=com
uid: ldapuser1
cn: ldapuser1
sn: ldapuser1
mail: ldapuser1@ABC.com
mailRoutingAddress: ldapuser1@ABC.com
mailHost: mail.ABC.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
userPassword: {crypt}$6$JNpQAF00$y9tYggGaYWlKfPqhx.
shadowLastChange: 16947
shadowMax: 99999
shadowWarning: 7
krbName: ldapuser1@ABC.COM
loginShell: /bin/bash
uidNumber: 534
gidNumber: 537
homeDirectory: /home/ldapuserdir/ldapuser1
While executing the command below, it gives this error:
ldapadd -x -W -D "cn=Manager,dc=infra,dc=com" -f /etc/openldap/users.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser1,ou=People,dc=infra,dc=com"
ldap_add: Invalid syntax (21)
additional info: objectClass: value #6 invalid per syntax
Schema Included:
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
How can this be solved? Let me know if more details are required.
Numbering the attributes from zero, #6 is kerberosSecurityObject, which isn't present in any of those schemas.
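The counting in that answer can be automated: the script below lists every objectClass value in an LDIF file that none of a directory of `*.schema` files defines, numbered from zero the way slapd numbers values in "value #N invalid per syntax". This is an added example, not code from the original post; the schema files and the user entry it creates under a temporary directory are constructed, abridged stand-ins (the real files carry full definitions), and the function is meant to be pointed at `/etc/openldap/schema` and the real users.ldif.

```shell
#!/bin/sh
# Added example (not from the original post): list objectClass values in an
# LDIF file that none of the given *.schema files defines, with the same
# zero-based numbering slapd uses in "value #N invalid per syntax".

# find_unknown_objectclasses LDIF_FILE SCHEMA_DIR
# Prints "<index> <objectClass>" per undefined value; prints nothing if all are known.
find_unknown_objectclasses() {
  ldif=$1
  schemadir=$2
  grep -i '^objectClass: ' "$ldif" | sed 's/^[^:]*: *//' | {
    i=0
    while IFS= read -r oc; do
      # A schema file names a class as NAME 'theClass' (matched case-insensitively).
      if ! grep -iq "NAME '$oc'" "$schemadir"/*.schema; then
        echo "$i $oc"
      fi
      i=$((i + 1))
    done
  }
}

# Constructed demo: abridged stand-ins for the schema files and for the user
# entry in the question (mail, password and Kerberos values left out).
setup_demo() {
  DEMO=$(mktemp -d)
  cat > "$DEMO/core.schema" <<'EOF'
objectclass ( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )
objectclass ( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) )
objectclass ( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL )
EOF
  cat > "$DEMO/inetorgperson.schema" <<'EOF'
objectclass ( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson STRUCTURAL )
EOF
  cat > "$DEMO/nis.schema" <<'EOF'
objectclass ( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY )
objectclass ( 1.3.6.1.1.1.2.1 NAME 'shadowAccount' SUP top AUXILIARY )
EOF
  cat > "$DEMO/misc.schema" <<'EOF'
objectclass ( 2.16.840.1.113730.3.2.147 NAME 'inetLocalMailRecipient' SUP top AUXILIARY )
EOF
  cat > "$DEMO/user.ldif" <<'EOF'
dn: uid=ldapuser1,ou=People,dc=infra,dc=com
uid: ldapuser1
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
objectClass: shadowAccount
EOF
}

# Builds the demo tree, runs the check against it and cleans up.
run_demo() {
  setup_demo
  find_unknown_objectclasses "$DEMO/user.ldif" "$DEMO"
  rm -rf "$DEMO"
}

run_demo
```

The check only understands the file-based `slapd.conf` schema layout shown in the question; on a cn=config deployment the definitions live under `cn=schema,cn=config` instead, and a class declared with an alias list (`NAME ( 'a' 'b' )`) is not matched by the simple pattern used here.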

openldap add mail attribute to users

I'm trying to add the 'mail' attribute to users on my OpenLDAP server, but somehow it fails.
I tried using ldapmodify, but I get this:
ldap_modify: Object class violation (65)
additional info: attribute 'mail' not allowed
Here's what my schema looks like:
# LDIF Export for ou=users,dc=mydomain,dc=com
# Server: (ldap.mydomain.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 63
version: 1
# Entry 1: ou=users,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 2: uid=tom.hanks,ou=users,dc=mydomain,dc=com
dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005
userpassword: blahblah
Include objectclass: iNetOrgPerson to add the mail attribute.
In order to give the user the attribute mail, you first have to add the mail attribute to the user's olcObjectClasses.
This can be done by a modification via an ldif like this:
dn: cn={12345}someName,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {1}
-
add: olcObjectClasses
olcObjectClasses: {1}( 1.3.6.1.4.1.12344556.1.1.1 NAME 'yourObjectClassEGAccount' DESC 'some description' SUP inetOrgPerson STRUCTURAL MUST ( requiredparam1 $ requiredParam2 $ reqParam3 ) MAY ( optionalParam1 $ optionalParam2 ) )
-
See the documentation for ldapmodify for details: Oracle ldapmodify Doc
The modification is then given to ldap via the following command (command line):
sudo ldapmodify -f filename.ldif
Make sure to read the documentation on whether you need further parameters like e.g. -h for hostname or -Y for a proxyDN: lmodify Doc
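On the entry shown in the question, adding inetOrgPerson is not a single ldapmodify: `account` and `inetOrgPerson` are both STRUCTURAL classes from different chains, so an entry cannot carry both, and slapd does not let a modify operation swap one structural class for another. The entry has to be exported, rewritten and re-added. The script below does the rewrite; it is an added example, not code from the original post or its answers, and the sn value and mail address it fills in are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): rewrite an "account" + posixAccount
# entry as inetOrgPerson + posixAccount so that it may carry a mail attribute.
# inetOrgPerson inherits from person, which requires sn, so one is supplied.

# Constructed sample: the tom.hanks entry from the question, password omitted.
ENTRY_LDIF='dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005'

# convert_account_to_inetorgperson SN MAIL : entry LDIF on stdin, rewritten LDIF on stdout.
convert_account_to_inetorgperson() {
  awk -v sn="$1" -v mail="$2" '
    tolower($0) == "objectclass: account" {
      print "objectclass: inetOrgPerson"   # structural class that allows mail
      print "sn: " sn                      # MUST for person/inetOrgPerson
      print "mail: " mail                  # MAY for inetOrgPerson
      next
    }
    { print }                              # every other attribute is kept as-is
  '
}

# Applies the rewrite to the constructed sample (constructed sn and mail values).
convert_sample() {
  printf '%s\n' "$ENTRY_LDIF" \
    | convert_account_to_inetorgperson "Hanks" "tom.hanks@mydomain.com"
}

# Applying it on a real server (not run here; bind DN is a placeholder):
#   ldapdelete -x -W -D "cn=admin,dc=mydomain,dc=com" "uid=tom.hanks,ou=users,dc=mydomain,dc=com"
#   convert_sample | ldapadd -x -W -D "cn=admin,dc=mydomain,dc=com"
convert_sample
```

Export the live entry with ldapsearch first and feed that into the function rather than the sample, so that userPassword and any other attributes the question's listing omits survive the delete-and-add; re-adding an account with a blank password is the mistake to avoid here.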

OpenLDAP Dynamic Groups not searching by member

I'm confused! :)
I've got a dynamic group in OpenLDAP:
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
When I search for it, it gets expanded (the dynlist module is set up correctly):
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain
Brilliant. Exactly what I'd expect.
However, if I search on it by member I get nothing!
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
But, no cn: DynamicGroup ! :(
Nothing! :(
Does anyone have a hint for me as to why that might not be working?
Update:
I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:
dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z
It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:
root@auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
Update: using an auto group it now works:
dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf
The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html
You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.