OpenLDAP Dynamic Groups not searching by member - ldap

I'm confused! :)
I've got a dynamic group in OpenLDAP:
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
When I search for it, it gets expanded (the dynlist module is set up correctly):
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'cn= DynamicGroup'
dn: cn=DynamicGroup,ou=Group,dc=MyDomain
cn: DynamicGroup
objectClass: groupOfURLs
memberURL: ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))
member: cn=User One,ou=People,dc=MyDomain
member: cn=User Two,ou=People,dc=MyDomain
Brilliant. Exactly what I'd expect.
However, if I search on it by member I get nothing!
$ ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=cn=User One,ou=People,dc=MyDomain' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
But no cn: DynamicGroup! :(
Nothing! :(
Does anyone have a hint for me as to why that might not be working?
Update:
I thought that it might be that the member attribute was not formally mentioned in the dynlist schema. I've added it, but it still doesn't work:
dn: cn={6}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {6}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDAP:1
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:2
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'memberURL' DESC 'Identifies an URL associated with each member of a group. Any type of labeled URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC 'Identity to use when processing the memberURL' SUP distinguishedName SINGLE-VALUE )
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'Optional authorization rules that determine who is allowed to assume the dgIdentity' EQUALITY authzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES' )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'groupOfURLs' SUP top STRUCTURAL MUST cn MAY ( member $ memberURL $ businessCategory $ description $ o $ ou $ owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP top AUXILIARY MAY ( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
entryUUID: 997a529e-a081-1033-8148-81c0722e60ba
creatorsName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
createTimestamp: 20140715153657Z
entryCSN: 20140715153657.339934Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20140715153657Z
It looks like from an attribute search perspective the member attribute either isn't matching, or it's doing the search prior to the dynlist expansion:
root#auth-new:/vagrant/LDAP# /usr/bin/ldapsearch -H "ldapi:///" -b "dc=MyDomain" -s sub -LLL -d 0 -QY EXTERNAL 'member=*' 'cn'
dn: cn=Developers,ou=Group,dc=MyDomain
cn: Developers
dn: cn=VPNUsers,ou=Group,dc=MyDomain
cn: VPNUsers
Update: using autogroup it now works:
dn: olcOverlay=autogroup,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAutomaticGroups
olcOverlay: autogroup
olcAGattrSet: {0}groupOfURLs memberURL member
olcAGmemberOfAd: memberOf

The dynlist overlay doesn't implement the feature you're looking for. You're correct about the expansion happening later than the search filter. See for example the thread starting at http://www.openldap.org/lists/openldap-software/200708/msg00250.html
You may want to look at the contributed autogroup overlay, which maintains membership info in the database (where it can be searched and filtered) but updates it automatically when needed.
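As an added illustration of the answer (my own model, not code from the question, the answer or OpenLDAP): an in-memory directory built from the question's entries, a filter evaluator for the filter shapes used on this page, and memberURL expansion. A (member=...) search only sees stored attributes, which is why the dynlist group is missing until the membership is written into the entry, as autogroup does.

```python
# Added model (constructed data, not from the question or the answer): slapd evaluates a
# search filter against stored attributes; dynlist adds "member" only when it returns the
# entry, whereas autogroup writes "member" into the database, where the filter can see it.
import re

def parse_filter(s):
    """The '(a=b)' and '(&(a=b)(c=d)...)' shapes used on this page; no '|' or '!' nesting."""
    assert re.fullmatch(r"\(&(\([^()]*\))+\)|\([^()]*\)", s), "filter shape not modelled"
    return [(a.lower(), v) for a, v in re.findall(r"\(([^()=]+)=([^()]*)\)", s)]

def matches(terms, entry):
    """entry is {attr_lower: [values]}; '*' is a presence test, otherwise caseIgnoreMatch."""
    return all(bool(entry.get(a)) if v == "*" else v.lower() in [x.lower() for x in entry.get(a, [])]
               for a, v in terms)

def in_scope(dn, base, scope):
    rel = dn.lower().removesuffix(base.lower())  # "" for the base entry, "rdn," for a child
    if rel == dn.lower() or (rel and not rel.endswith(",")):
        return False
    return rel == "" if scope == "base" else rel.count(",") == 1 if scope == "one" else True

def search(entries, base, scope, flt):
    terms = parse_filter(flt)
    return sorted(dn for dn, e in entries.items() if in_scope(dn, base, scope) and matches(terms, e))

U1, U2 = "cn=User One,ou=People,dc=MyDomain", "cn=User Two,ou=People,dc=MyDomain"
ENTRIES = {  # constructed, modelled on the question's directory; attribute names lower-cased
    U1: {"objectclass": ["User"], "isindynamicgroup": ["TRUE"]},
    U2: {"objectclass": ["User"], "isindynamicgroup": ["TRUE"]},
    "cn=User Three,ou=People,dc=MyDomain": {"objectclass": ["User"]},
    "cn=Developers,ou=Group,dc=MyDomain": {"objectclass": ["groupOfNames"], "member": [U1]},
    "cn=DynamicGroup,ou=Group,dc=MyDomain": {"objectclass": ["groupOfURLs"], "memberurl":
        ["ldap:///ou=People,dc=MyDomain??one?(&(objectClass=User)(isInDynamicGroup=TRUE))"]},
}

def expand_dynamic_group(entries, group_dn):
    """What dynlist computes on each read of the group (memberURL is an RFC 4516 LDAP URL)."""
    url = entries[group_dn]["memberurl"][0].removeprefix("ldap:///")
    base, _attrs, scope, flt = (url.split("?") + [""] * 3)[:4]   # base?attrs?scope?filter
    return search(entries, base, scope or "base", flt or "(objectClass=*)")

def groups_with_member(entries, user_dn, materialized=False):
    """A (member=<dn>) search over stored attributes; materialized=True mimics autogroup."""
    store = {dn: dict(e) for dn, e in entries.items()}
    if materialized:  # autogroup keeps the expanded list in the entry, so it is filterable
        for dn, e in store.items():
            if "memberurl" in e:
                e["member"] = expand_dynamic_group(entries, dn)
    return search(store, "dc=MyDomain", "sub", "(member=%s)" % user_dn)
```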

Related

OpenLDAP ldapadd Invalid DN syntax (34)

I've been struggling/googling for hours about this, just trying a very simple thing: adding entries to my LDAP using ldapadd (OpenLDAP on Ubuntu).
My structure.ldif looks like this:
dn: ou=Personnes,dc=odi,dc=com
objectClass: organizationalUnit
ou: Personnes
description: Employes de l entreprise
dn: ou=Machines,dc=odi,dc=com
objectClass: organizationalUnit
ou: Machines
description: Ordinateurs de l entreprise
dn: cn=Marie Dupond,ou=Personnes,dc=odi,dc=com
objectClass: inetOrgPerson
givenName: Marie
sn: Dupond
cn: Marie Dupond
uid: mdupond
userPassword: mdupond
and my LDAP config:
version: 1
#
# LDAPv3
# base <dc=odi,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# odi.com
dn: dc=odi,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: odi
dc: odi
# admin, odi.com
dn: cn=admin,dc=odi,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
and I can't understand why, when I add it through ldapadd -x -W -D “cn=admin,dc=odi,dc=com” -H ldapi:/// -f structure.ldif, I get: ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
Any help would be really appreciated,
I had the exact same problem! Highlighted from your comment above:
was using “ instead of "
Not the same characters! How frustrating!

LDAP search with custom attributes filter

I'm having problems finding a specific entry in an LDAP tree, given a filter on a custom attribute.
I.e. (search by samaccountname=jpa)
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=jpa" does not work (returns no result)
whereas (search sn=jpa):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "sn=jpa" works
even (check for existence of samaccountname):
ldapsearch -x -D "CN=admin,DC=my,DC=com" -w admin -H ldap://localhost:10389 -b "ou=My Users,dc=my,dc=com" -s sub "samaccountname=*" works
Any ideas what can be wrong here? My intention is to find the given user using a sub-scope (samaccountname=jpa) filter.
My config is (using the osixia/openldap docker image):
schema:
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
USAGE userApplications )
objectclass ( 2.5.6.30 NAME 'extendedUser'
SUP person
STRUCTURAL
MUST ( sAMAccountName ) )
ACLs:
dn: olcDatabase={1}mdb,cn=config
changetype: modify
delete: olcAccess
-
add: olcAccess
olcAccess: to * by * read
LDIF:
DN: OU=My Users,DC=my,DC=com
OU: My Users
objectClass: organizationalUnit
DN: CN=jpa,OU=My Users,DC=my,DC=com
CN: jpa
sn: jpa
sAMAccountName: jpa
objectClass: extendedUser
userPassword: xxx
You need to define an EQUALITY on your attribute. LDAP doesn't currently know how to perform the search on that attribute.
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
EQUALITY caseIgnoreMatch
SINGLE-VALUE
USAGE userApplications )
OpenLDAP Schema Specification
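A schema lint illustrating the answer (added here, not from the thread): it parses attributetype definitions and reports which matching rules are missing, including the SUBSTR rule that the answer's fix still leaves out, so a substring filter such as (sAMAccountName=jp*) would also not match. The extra inherited case and its OID are constructed.

```python
# Added check (not from the question or the answer): an attributetype with a SYNTAX but no
# EQUALITY rule, as in the question, lets slapd answer "(attr=*)" but gives it no matching
# rule for "(attr=value)", so that filter is Undefined and never matches. Schema text below
# is constructed from the definitions in the thread.
import re

def schema_definitions(text, keyword):
    """Return the body of every '<keyword> ( ... )' block, honouring nested parentheses."""
    out = []
    for m in re.finditer(r"^[ \t]*%s[ \t]*\(" % keyword, text, re.M | re.I):
        depth, j = 1, m.end()
        while depth and j < len(text):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        out.append(text[m.end():j - 1])
    return out

def lint_attributetypes(text):
    """List (name, [missing rules]) for attribute types that neither define nor inherit
    (via SUP) the EQUALITY / SUBSTR matching rules that equality and substring filters need."""
    report = []
    for body in schema_definitions(text, "attributetype"):
        name = re.search(r"NAME\s+\(?\s*'([^']+)'", body).group(1)
        kws = {k for k, _ in re.findall(r"\b(EQUALITY|SUBSTR|SUP)\s+(\S+)", body)}
        missing = [] if "SUP" in kws else [r for r in ("EQUALITY", "SUBSTR") if r not in kws]
        if missing:
            report.append((name, missing))
    return report

QUESTION_SCHEMA = """\
attributetype ( 1.2.840.113556.1.4.221 NAME 'sAMAccountName'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE
    USAGE userApplications )
objectclass ( 2.5.6.30 NAME 'extendedUser' SUP person STRUCTURAL MUST ( sAMAccountName ) )
"""
ANSWER_SCHEMA = QUESTION_SCHEMA.replace("SINGLE-VALUE", "EQUALITY caseIgnoreMatch\n    SINGLE-VALUE")
# Constructed extra case (placeholder OID): inherits its matching rules from 'name', nothing to report.
INHERITED_SCHEMA = "attributetype ( 1.1.1 NAME 'exampleAlias' SUP name )\n"
```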

How do I list all the entries in LDAP directory information tree?

I'm running OpenLDAP 2.4.42, and this is my configuration file:
include C:/OpenLDAP/schema/core.schema
include C:/OpenLDAP/schema/cosine.schema
include C:/OpenLDAP/schema/inetorgperson.schema
pidfile C:/data/slapd/pidfile.pid
database config
database monitor
access to dn.subtree="cn=Monitor" by dn.exact="uid=Admin,dc=my,dc=org" write
access to * by * write
database bdb
include C:/data/pwm/openldap.schema
directory C:/data/slapd/db/bdb
suffix dc=example,dc=it
rootdn cn=root,dc=example,dc=it
rootpw secret
access to * by * manage
index default pres,eq
index cn eq,sub
index sn pres,eq,sub
index objectClass eq
With this slapcat (cut) output:
dn: cn=paul,dc=example,dc=it
objectClass: organizationalRole
cn: paul
dn: l=somewhere,dc=example,dc=it
objectClass: top
objectClass: locality
l: somewhere
dn: cn=john,l=somewhere,dc=example,dc=it
objectClass: organizationalRole
cn: john
structuralObjectClass: organizationalRole
dn: ou=users,dc=example,dc=it
objectClass: organizationalUnit
ou: users
structuralObjectClass: organizationalUnit
dn: cn=charles,ou=users,dc=example,dc=it
objectClass: person
objectClass: pwmUser
cn: charles
sn: charles
userPassword:: bWFyY28y
structuralObjectClass: person
Why does this return results (actually the "charles" entry):
ldapsearch -W -D cn=root,dc=example,dc=it -b "ou=users,dc=example,dc=it"
while this gives "no such object"?
ldapsearch -W -D cn=root,dc=example,dc=it -b "dc=example,dc=it"
I would think that the latter is the most general version of a search, where I'm asking for everything under that suffix.

openldap add mail attribute to users

I'm trying to add the 'mail' attribute to users on my OpenLDAP server but somehow it fails.
I tried using ldapmodify but I get this:
ldap_modify: Object class violation (65)
additional info: attribute 'mail' not allowed
Here's what my schema looks like:
# LDIF Export for ou=users,dc=mydomain,dc=com
# Server: (ldap.mydomain.com)
# Search Scope: sub
# Search Filter: (objectClass=*)
# Total Entries: 63
version: 1
# Entry 1: ou=users,dc=mydomain,dc=com
dn: ou=users,dc=mydomain,dc=com
objectclass: organizationalUnit
objectclass: top
ou: users
# Entry 2: uid=tom.hanks,ou=users,dc=mydomain,dc=com
dn: uid=tom.hanks,ou=users,dc=mydomain,dc=com
cn: tom.hanks
description: User account
gecos: tom.hanks
gidnumber: 100
homedirectory: /home/tom.hanks
loginshell: /bin/bash
objectclass: account
objectclass: posixAccount
uid: tom.hanks
uidnumber: 1005
userpassword: blahblah
Include objectclass: inetOrgPerson to add the mail attribute.
In order to give the user the attribute mail, you first have to add the mail attribute to the user's olcObjectClasses.
This can be done by a modification via an ldif like this:
dn: cn={12345}someName,cn=schema,cn=config
changetype: modify
delete: olcObjectClasses
olcObjectClasses: {1}
-
add: olcObjectClasses
olcObjectClasses: {1}( 1.3.6.1.4.1.12344556.1.1.1 NAME 'yourObjectClassEGAccount' DESC 'some description' SUP inetOrgPerson STRUCTURAL MUST ( requiredparam1 $ requiredParam2 $ reqParam3 ) MAY ( optionalParam1 $ optionalParam2 ) )
-
See the documentation for ldapmodify for details: Oracle ldapmodify Doc
The modification is then given to LDAP via the following command (command line):
sudo ldapmodify -f filename.ldif
Make sure to read the documentation on whether you need further parameters like e.g. -h for hostname or -Y for a proxyDN: lmodify Doc

search user uid in uniquemember - ldap

I have some users, each with a uid, within uniquemember.
How can I make ldapsearch show only the uid?
If today I run the command below, the result is the entire contents of uniquemember, and I just want to return the uid:
ldapsearch -x -h serverldap.com -p 389 -D uid=pdi00usr,ou=bind,ou=users,ou=access,o=com,c=br -W -b o=com,c=br -s sub "(&(uniqueMember=F)(cn=pdi*))"
# pdiasc01, pdi, aplic, groups, access, com, br
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Administrator
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiasc01
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
# pdiapf02, pdi, aplicacao, grupos, acesso, bb, br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
description: Aprover
objectclass: bb
objectclass: groupOfUniqueNames
objectclass: top
cn: pdiapf02
uniquemember: uid=dummy
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=bb,c=br
I need a result like this:
uid=f3799300
uid=f6802561
You've got two options as far as I can see.
First would be to simply pipe your output through grep and do some sed (or awk) magic to remove everything after the first comma, or
Second, use the returned uid for a second query for the entry with the dn returned by uid and query for the uid of that object (which should be what you are looking for).
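One helper serving two of the threads above (added here, not from any of the posts): a small RFC 4514 DN parser that pre-checks a DN the way the Invalid DN thread needed (the bind DN was wrapped in the typographic quotes U+201C/U+201D, which the shell passes through as ordinary characters), and that extracts the uid RDN from each uniquemember value for this last thread. The ignore parameter is my addition, and the sample LDIF is constructed from this thread's output.

```python
# Added helper (not from either thread): RFC 4514 DN parsing used (1) to check a DN before
# slapd sees it and name the offending character, and (2) to pull the first RDN (the uid)
# out of each uniquemember value of ldapsearch output. Sample data is constructed.
import re

ATTR_TYPE = re.compile(r"[A-Za-z][A-Za-z0-9-]*|\d+(\.\d+)+")  # descriptor or numeric OID

def parse_dn(dn):
    """Return [(attr, value), ...]; raise ValueError naming the first offending character."""
    rdns, buf, esc = [], "", False
    for ch in dn + ",":                      # sentinel comma closes the last RDN
        if esc:                              # RFC 4514 2.4: backslash-escaped char, taken literally
            buf, esc = buf + ch, False
        elif ch == "\\":
            esc = True
        elif ch != ",":
            buf += ch
        else:                                # end of one RDN ('+' multi-valued RDNs left unsplit)
            attr, sep, value = (s.strip() for s in buf.partition("="))
            bad = next((c for c in attr if not re.fullmatch(r"[A-Za-z0-9.-]", c)), "")
            if not sep or not ATTR_TYPE.fullmatch(attr):
                raise ValueError("invalid DN: bad RDN %r%s" % (buf, bad and " (contains U+%04X)" % ord(bad)))
            rdns.append((attr, value))
            buf = ""
    return rdns

def check_dn(dn):
    """None if dn parses, else the error message (a pre-flight for bind DNs and LDIF dn: lines)."""
    try:
        parse_dn(dn)
    except ValueError as e:
        return str(e)
    return None

def uids_from_uniquemember(ldif_text, ignore=()):
    """uid RDN values from every 'uniquemember:' line of ldapsearch (LDIF) output, deduplicated."""
    found = set()
    for line in ldif_text.splitlines():
        if line.lower().startswith("uniquemember:"):
            attr, value = parse_dn(line.split(":", 1)[1].strip())[0]   # first RDN of the member DN
            if attr.lower() == "uid" and value not in ignore:
                found.add("uid=" + value)
    return sorted(found)

GROUPS_LDIF = """\
dn: cn=pdiasc01,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
uniquemember: uid=dummy
uniquemember: uid=f6802561,ou=func,ou=users,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
dn: cn=pdiapf02,ou=pdi,ou=aplic,ou=groups,ou=access,o=com,c=br
uniquemember: uid=f3799300,ou=func,ou=users,ou=access,o=com,c=br
"""
```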