OpenLdap. Switch to mdb-backend (Memory-Mapped Database) - ldap

I've installed OpenLDAP v2.4.39 on Debian 7, but during setup I have only 2 options for the backend: BDB and HDB.
But I want to use MDB (http://www.openldap.org/doc/admin24/backends.html). AFAIK it is stable. How do I choose it as the backend?
Thank you!
PS. I can see mentions of hdb in the files below:
/etc/ldap/slapd.d# grep -nr hdb *
cn=config/cn=module{0}.ldif:7:olcModuleLoad: {0}back_hdb
cn=config/olcBackend={0}hdb.ldif:3:dn: olcBackend={0}hdb
cn=config/olcBackend={0}hdb.ldif:5:olcBackend: {0}hdb
cn=config/olcDatabase={1}hdb.ldif:3:dn: olcDatabase={1}hdb
cn=config/olcDatabase={1}hdb.ldif:6:olcDatabase: {1}hdb
But I am not sure if I can edit them.

The module is there, the debconf template is not.
$ ls /usr/lib/ldap/back_mdb*
/usr/lib/ldap/back_mdb-2.4.so.2 /usr/lib/ldap/back_mdb-2.4.so.2.8.3 /usr/lib/ldap/back_mdb.la /usr/lib/ldap/back_mdb.so
To enable, we need to load the module first.
$ cat someEpicLdif.ldif
# we need to load the mdb module first
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_mdb

# now we configure our mdb backend (a blank line separates the two entries in the file)
dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=ldap_is_bananas,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=ldap_is_bananas,dc=org
# clear text only for the example; use the output of slappasswd for a real directory
olcRootPW: changeme
olcDbIndex: objectClass eq
olcLastMod: TRUE
olcMonitoring: TRUE
olcDbEnvFlags: writemap
# no fsync on every commit: faster writes, but a crash can lose recent changes
olcDbNoSync: TRUE
olcAccess: to attrs=userPassword by dn="cn=admin,dc=ldap_is_bananas,dc=org" write by anonymous auth by self write by * none
olcAccess: to attrs=shadowLastChange by self write by * read
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=ldap_is_bananas,dc=org" write by * read
Please don't copy and paste this; read man slapd-mdb and man slapd-config for the configuration options and supply your own.
Then add the new backend using ldapadd, if you're using SASL binds...
$ sudo ldapadd -Y EXTERNAL -H ldapi:/// -f someEpicLdif.ldif

In Debian the MDB backend has been enabled since slapd-2.4.39, which is available since Debian jessie (the code-name for the current testing distro).
Assuming that you are using Debian/stable (aka wheezy), the answer is simple:
your version of slapd has been built without mdb support, so you cannot use it.
If you are using slapd>2.4.39 (which seems to be the case according to your comment), you must configure the backend manually (as there is no debconf template yet that supports MDB).
Check out man slapd-mdb
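A pre-flight check for a cn=config fragment like the one in the first answer, as an added example (editor's code, not from the answers above and not part of OpenLDAP). It parses LDIF, including folded lines and the base64 "olcRootPW::" form that slapcat emits, and then applies three rules of my own choosing: a back_<x> module must be loaded before an olcDatabase that needs it, olcRootPW should be a slappasswd hash rather than clear text, and olcDbNoSync: TRUE is flagged because it trades durability for write speed. SAMPLE_LDIF is constructed from the first answer (with the attribute spelled olcDbNoSync as in slapd-config(5)); the scheme list in HASHED is an assumption covering the common slapd password schemes.

```python
import base64
import re

# Constructed sample: the mdb fragment from the first answer above.
SAMPLE_LDIF = """\
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib/ldap
olcModuleLoad: back_mdb

dn: olcDatabase=mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: mdb
olcSuffix: dc=ldap_is_bananas,dc=org
olcDbDirectory: /var/lib/ldap
olcRootDN: cn=admin,dc=ldap_is_bananas,dc=org
olcRootPW: changeme
olcDbIndex: objectClass eq
olcDbNoSync: TRUE
olcAccess: to attrs=userPassword by dn="cn=admin,dc=ldap_is_bananas,dc=org" write
  by anonymous auth by self write by * none
olcAccess: to * by dn="cn=admin,dc=ldap_is_bananas,dc=org" write by * read
"""


def parse_ldif(text):
    """Parse LDIF text into a list of (dn, {attr: [values]}) records.

    Handles '#' comments, blank-line record separators, folded lines
    (a leading space continues the previous line) and base64 values
    ('attr:: ...').  Attribute names are lower-cased because slapd
    matches them case-insensitively.
    """
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    records, dn, attrs = [], None, {}
    for line in unfolded + [""]:            # sentinel flushes the last record
        if line.startswith("#"):
            continue
        if line.strip() == "":
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
            continue
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise ValueError("not an LDIF attribute line: %r" % line)
        if value.startswith(":"):           # 'attr:: <base64>'
            value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
        else:
            value = value.strip()
        name = name.strip().lower()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, []).append(value)
    return records


ORDER = re.compile(r"^\{-?\d+\}")                       # X-ORDERED prefix: {0}, {-1}
# assumed list of hashed password schemes a slapd rootpw may carry
HASHED = re.compile(r"^\{(S?SHA(256|384|512)?|S?MD5|CRYPT|ARGON2|PBKDF2[-A-Z0-9]*)\}", re.I)


def check_config(records):
    """Return [(dn, finding), ...] for the three rules described above."""
    findings, loaded = [], set()
    for dn, attrs in records:
        for mod in attrs.get("olcmoduleload", []):
            # '{0}back_hdb', 'back_mdb.la' and 'back_mdb' all load back_*
            loaded.add(ORDER.sub("", mod).split(".")[0])
        for db in attrs.get("olcdatabase", []):
            backend = ORDER.sub("", db).lower()
            if backend in ("config", "frontend", "monitor"):
                continue                    # built in, no module needed
            if "back_" + backend not in loaded:
                findings.append((dn, "olcDatabase %s appears before back_%s is loaded"
                                 % (db, backend)))
        for pw in attrs.get("olcrootpw", []):
            if not HASHED.match(pw):
                findings.append((dn, "olcRootPW is clear text; use slappasswd output instead"))
        if any(v.upper() == "TRUE" for v in attrs.get("olcdbnosync", [])):
            findings.append((dn, "olcDbNoSync TRUE trades durability for write speed"))
    return findings


if __name__ == "__main__":
    for dn, msg in check_config(parse_ldif(SAMPLE_LDIF)):
        print("%s: %s" % (dn, msg))
```

Run it on the file you are about to hand to ldapadd; the module-order rule is the one that matters for the switch to mdb, because cn=config entries are applied in the order they appear in the LDIF.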

Related

OpenLDAP associate existing users to an organization unit (OU)

I created an OpenLDAP server on Ubuntu 22.04 and created users, but forgot to add them to an organizational unit (ou). How can I associate them all with an ou now?
The actual server looks like this:
dn=company
    ou=Users
    uid=user1
    uid=user2
    uid=user3
    ...
What I would like is:
dn=company
    ou=Users
        uid=user1
        uid=user2
        uid=user3
        ...
Concretely, I would like to go from this:
uid=user1,dc=example,dc=fr
to this:
uid=user1,ou=Users,dc=example,dc=fr
Adding an ou attribute to the entry is one thing, moving the entry in the DIT is another thing. For the latter, you need to use the newsuperior directive.
Using ldapmodify -f with changetype: (modrdn|moddn) :
dn: uid=user1,dc=example,dc=fr
changetype: modrdn
# rdn unchanged
newrdn: uid=user1
# remove the old rdn value from the entry (no effect here, the rdn is the same)
deleteoldrdn: 1
# moves the entry under the Users ou, within the same suffix as the entry
newsuperior: ou=Users,dc=example,dc=fr
Using ldapmodrdn -r -s <newsuperior> <dn> <newrdn> :
ldapmodrdn -r -s "ou=Users,dc=example,dc=fr" "uid=user1,dc=example,dc=fr" "uid=user1"
Actually I just found an answer on my own.
I simply did an LDIF file modify.ldif:
dn: uid=user1,dc=example,dc=fr
changetype: modify
add: ou
ou: Users
And then ldapmodify -x -D cn=admin,dc=example,dc=fr -W -f ./modify.ldif
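The move described in the accepted answer, as an added example (editor's code, not from the question or answers). It computes the DN an entry will have after a modrdn/moddn, emits the change record, and refuses a newsuperior that is not under the database suffix, which is the dc=fr versus dc=com slip that makes slapd reject the move because the new parent does not exist in this database. The DNs are taken from the thread; the suffix comparison is a simplified case-insensitive match on RDN strings, not full DN normalisation.

```python
def split_dn(dn):
    """Split a DN into its RDN strings, keeping backslash-escaped commas
    ('cn=Doe\\, John') inside their RDN."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            cur.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur).strip())
    return parts


def moddn(old_dn, newrdn, newsuperior=None, suffix=None):
    """Return the DN the entry will have after a modrdn/moddn.

    newsuperior=None keeps the current parent (a plain rename).  When a
    suffix is given, a newsuperior outside it is refused up front instead
    of letting slapd reject the request for a non-existent parent.
    Comparison is a simplified, case-insensitive match on RDN strings.
    """
    rdns = split_dn(old_dn)
    parent = split_dn(newsuperior) if newsuperior is not None else rdns[1:]
    if suffix is not None:
        want = [p.lower() for p in split_dn(suffix)]
        if [p.lower() for p in parent][-len(want):] != want:
            raise ValueError("newsuperior %r is outside suffix %r" % (newsuperior, suffix))
    return ",".join([newrdn] + parent)


def modrdn_ldif(old_dn, newrdn, newsuperior=None, deleteoldrdn=True):
    """Emit the ldapmodify change record for the move.

    deleteoldrdn controls whether the old RDN attribute value is removed
    from the entry, not whether the entry is deleted; with an unchanged
    RDN it makes no difference either way.
    """
    lines = ["dn: " + old_dn,
             "changetype: modrdn",
             "newrdn: " + newrdn,
             "deleteoldrdn: %d" % int(deleteoldrdn)]
    if newsuperior is not None:
        lines.append("newsuperior: " + newsuperior)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    suffix = "dc=example,dc=fr"
    new_parent = "ou=Users," + suffix
    for uid in ("user1", "user2", "user3"):        # constructed sample users
        old = "uid=%s,%s" % (uid, suffix)
        print("%s -> %s" % (old, moddn(old, "uid=" + uid, new_parent, suffix)))
        print(modrdn_ldif(old, "uid=" + uid, new_parent))
```

Pipe the printed records into ldapmodify with the same bind options as in the question; each record is one entry, separated by the blank line the script prints.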

How to set up proper access directive in LDAP?

I'm new to LDAP and for a school project I have access to part of my school's LDAP. I can bind with users that are in an Organizational Unit.
When I bind, I am able to see my password and not any other passwords from other users (that's normal, I guess, for security reasons).
So I have exported the LDIF of this LDAP and imported it on my own LDAP server for learning purposes.
ldapsearch commands work well and I retrieve all entries (except passwords, and that's normal).
So now I try to bind with any user; I've added a password with Apache Directory Studio to each LDAP user (inetOrgPerson under the ou where I usually search).
However, I can't bind.
I guess that it is due to wrong access rights.
I know that I must use the ldapmodify command and that I need to forge a directive like access to * by * read (with fewer rights than * but it would be great to begin with).
However, I can't find how to use this directive with ldapmodify.
I think that I must create an LDIF file to modify the config but I don't understand which entry I should update.
Can anyone give me tips on how to modify the proper entry?
Thanks
Here is part of my config (domain edited to domain.fr):
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by * write
dn: olcDatabase={1}mdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=domain,dc=fr
olcAccess: {0}to attrs=userPassword by self write by anonymous auth by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to * by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=domain,dc=fr
olcRootPW: {SSHA}YNGbI0zpbUoVLZggbKeZqFIlVdq+0ZJP
olcDbCheckpoint: 512 30
olcDbIndex: objectClass eq
olcDbIndex: cn,uid eq
olcDbIndex: uidNumber,gidNumber eq
olcDbIndex: member,memberUid eq
olcDbMaxSize: 1073741824
Since you have imported the LDIF file in the new AD, all the users in the original AD are created afresh in your AD environment. Thus, you would need to create a DNS naming service identical to the original one in your environment, as the suffix to which you want to add the entry should exist in the database. Also, the domain admin credentials used in the original LDAP directory will be required to bind with the credentials of a user in the imported LDIF file.
To do this, you would need to modify the domain admin credentials using the following commands. The script shown below is a sample of how to modify the domain admin credentials and then try to bind the user using those credentials.
Create a new LDIF file with the following contents:
dn: uid=XYZ,ou=Domain Administrators,dc=example,dc=com
cn: XYZ
sn: XYZ
givenName: XYZ
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
ou: Accounting
ou: People
l: Santa Clara
uid: XYZ
mail: XYZ@example.com
roomnumber: 5484
userpassword: Pass#123
Then, add the entry using ldapmodify with the --defaultAdd option:
ldapmodify --hostname localhost --port 389 --bindDN "cn=Directory Manager" \
--bindPassword password --defaultAdd --filename /tmp/new.ldif
With these commands, you would be able to modify the domain administrator credentials and then be able to bind the user in LDAP for sure. Just change the LDIF file name to the one you have and change the entries in the LDIF file to the actual ones from the original directory. Please find this link below for your reference:
https://docs.oracle.com/cd/E22289_01/html/821-1273/adding-modifying-and-deleting-directory-data.html

LDAP configuration ACL on centos 7

I'm trying to set an ACL for the Manager user but I don't understand where my syntax error is.
Is it correct to modify the "olcDatabase={2}hdb" file??
My Terminal command:
ldapmodify -a -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
And this is the error:
ldapmodify: invalid format (line 5) entry: "olcDatabase={2}hdb"
acl.ldif:
dn: olcDatabase={2}hdb
changetype: modify
add: olcAccess
olcAccess:{0} to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage by * break
{1} to attrs=userPassword by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self write by anonymous none by users none
{2} to attrs=loginShell by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" write by self read by anonymous none by users none to attrs=uid,sn,homeDirectory by self write
{3} to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read
olcDatabase={2}hdb.ldif:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 0c9c7626
dn: olcDatabase={2}hdb
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap
olcDbIndex: objectClass eq,pres
olcDbIndex: ou,cn,mail,surname,givenname eq,pres,sub
structuralObjectClass: olcHdbConfig
entryUUID: 05c622d2-9007-1039-808a-1106615e0d2d
creatorsName: cn=config
createTimestamp: 20191031084858Z
olcRootPW:: e1NTSEF9QXNRTGdiYjZ0RTltMjMwbHdFcW5VeE5ETzNxcE1qSXE=
olcSuffix: dc=gruppo6,dc=labreti,dc=it
olcRootDN: cn=Manager,dc=gruppo6,dc=labreti,dc=it
entryCSN: 20191031122732.077139Z#000000#000#000000
modifiersName: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
modifyTimestamp: 20191031122732Z
Thanks for every help guys
There are 2 issues:
You are trying to modify olcDatabase={2}hdb using the wrong dn in acl.ldif; this entry should be in the subtree of cn=config. You can grab the target olcDatabase using this command:
slapcat -n 0 -a olcDatabase=hdb
# Output
dn: olcDatabase={2}hdb,cn=config
...
Since you are modifying an existing entry, you don't need the -a flag (ldapadd) in the ldapmodify command:
ldapmodify -x -D "cn=Manager,dc=gruppo6,dc=labreti,dc=it" -w root -H ldap:// -f acl.ldif
If your ldap manager cannot modify this config entry due to insufficient permissions (reading from this directive to * by dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it" manage), you can still use an external bind (unix user) to perform that kind of operation:
ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
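A generator for the olcAccess change record, as an added example (editor's code, not from the question or the answer). Line 5 of the question's acl.ldif is the first bare "{1} to ..." line, which is not an LDIF attribute line at all, so ldapmodify stops there with "invalid format" before the dn problem the answer points out is even reached. The script below takes the rules as a Python list, checks each one against the shape slapd.access(5) requires (a simplified reading that does not cover every <what>/<who> form), and prints a record with one "olcAccess:" line per rule under the cn=config dn. The CLAUSES are constructed from the question's acl.ldif; the rule that was glued onto the loginShell line ("to attrs=uid,sn,homeDirectory by self write") is split into its own value because one olcAccess value holds exactly one "to" clause. The dn is assumed to be the one slapcat -n 0 prints in the answer.

```python
import re

# Constructed from the acl.ldif in the question above.
MANAGER = 'dn="cn=Manager,dc=gruppo6,dc=labreti,dc=it"'
CLAUSES = [
    "to * by %s manage by * break" % MANAGER,
    "to attrs=userPassword by %s write by self write by anonymous none by users none" % MANAGER,
    "to attrs=loginShell by %s write by self read by anonymous none by users none" % MANAGER,
    "to attrs=uid,sn,homeDirectory by self write",
    'to dn.subtree="dc=gruppo6,dc=labreti,dc=it" by * read',
]

TOKEN = re.compile(r'\S*"[^"]*"\S*|\S+')   # keeps dn="cn=Directory Manager" whole


def parse_access(clause):
    """Split 'to <what> by <who> <access> [by ...]' into (what, [(who, rest)]).

    Simplified reading of slapd.access(5): it checks the shape slapd insists
    on (leading 'to', a non-empty <what>, every 'by' followed by a <who> and
    at least one more word) and raises ValueError otherwise.
    """
    tokens = TOKEN.findall(clause)
    if not tokens or tokens[0].lower() != "to":
        raise ValueError("access clause must start with 'to': %r" % clause)
    i, what = 1, []
    while i < len(tokens) and tokens[i].lower() != "by":
        what.append(tokens[i])
        i += 1
    if not what:
        raise ValueError("missing <what>: %r" % clause)
    bys = []
    while i < len(tokens):                     # tokens[i] is 'by' here
        j = i + 1
        while j < len(tokens) and tokens[j].lower() != "by":
            j += 1
        group = tokens[i + 1:j]
        if len(group) < 2:
            raise ValueError("'by' needs <who> and <access>/<control>: %r" % clause)
        bys.append((group[0], " ".join(group[1:])))
        i = j
    return " ".join(what), bys


def access_modify_ldif(db_dn, clauses, replace=True):
    """Build the LDIF change that installs clauses as olcAccess on db_dn.

    Each value gets its own 'olcAccess:' line with an explicit {n}, so the
    evaluation order is the one you wrote.  db_dn must be the cn=config
    entry, and 'replace:' is the default because 'add:' would append the new
    rules after whatever olcAccess values the database already has.
    """
    if not db_dn.lower().endswith(",cn=config"):
        raise ValueError("config entries live under cn=config: %r" % db_dn)
    for clause in clauses:
        parse_access(clause)                   # fail here, not in ldapmodify
    out = ["dn: " + db_dn, "changetype: modify",
           ("replace" if replace else "add") + ": olcAccess"]
    for n, clause in enumerate(clauses):
        out.append("olcAccess: {%d}%s" % (n, clause))
    out.append("-")
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # save the output as acl.ldif, then: ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
    print(access_modify_ldif("olcDatabase={2}hdb,cn=config", CLAUSES), end="")
```

Keep the first rule's "by * break" in mind when reviewing the result: it hands evaluation on to the next rule for everyone who is not the manager, which is why the userPassword rule can still say "by anonymous none" below it.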

Foswiki and LDAP authentication

I have a problem connecting foswiki to ldap. I want to authenticate users against an LDAP directory (as stated in the requirements of my school seminar work). But it doesn't work. When I try to log in with my name already saved in LDAP, it just writes "Oops: we could not recognize you. Try again or reset your password.". I will be thankful for any help and will provide any further information necessary.
Foswiki config: http://pastebin.com/NRx4V9Ck
I am trying to log in with the name MarianBaca and here is the output of
ldapsearch -H ldap://localhost -b dc=bis01,dc=vse,dc=cz -x '(givenName=Marian)'
# extended LDIF
#
# LDAPv3
# base <dc=bis01,dc=vse,dc=cz> with scope subtree
# filter: (givenName=Marian)
# requesting: ALL
#
# MarianBaca, bis01.vse.cz
dn: cn=MarianBaca,dc=bis01,dc=vse,dc=cz
cn: MarianBaca
givenName: Marian
gidNumber: 500
sn: Baca
loginShell: /bin/sh
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
uidNumber: 1000
uid: MarianBaca
homeDirectory: /home/MarianBaca
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Output of /etc/ldap/ldap.conf
#
# LDAP Defaults
#
# See ldap.conf(5) for details
# This file should be world readable but not world writable.
BASE dc=bis01,dc=vse, dc=cz
URI ldap://bis01.vse.cz
#SIZELIMIT 12
#TIMELIMIT 15
#DEREF never
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
Since your pasted foswiki configuration has been removed, I will try to answer to the best of my knowledge.
I am assuming you are using LdapContrib.
Ensure your UserMappingManager is set to Foswiki::Users::LdapUserMapping.
Ensure your PasswordManager is set to something sensible, i.e. Foswiki::Users::LdapPasswdUser.

How to setup replication on apache directory server

I have 2 apacheds services running on my workstation (Windows 7). One of the services runs as a windows service and the other one I am running from its jar file from the command line using
java -jar "C:\Program Files (x86)\ApacheDS - Instance2\lib\apacheds-service-2.0.0-M15.jar" "C:\Program Files (x86)\ApacheDS - Instance2\instances\instance2"
The first apacheds installation is at location C:\Program Files (x86)\ApacheDS and it runs on 10389. The second service runs on port 11389.
Using apache directory studio I can connect to both these instances/services running on my workstation and there are no errors on console.
Using the following ldif file I have imported settings for Instance 1, which will be the master
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
add: ads-replReqHandler
ads-replReqHandler: org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler
Then I have also imported following ldif file to Instance 1/master -
dn: ads-replConsumerId=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: add
ads-replRefreshNPersist: TRUE
ads-replAliasDerefMode: never
ads-replProvPort: 10389
ads-replSearchSizeLimit: 0
ads-replProvHostName: localhost
objectClass: ads-replConsumer
objectClass: ads-base
ads-replUserDn: uid=admin, ou=system
ads-replRefreshInterval: 60000
ads-replUserPassword: secret
ads-replConsumerId: 1
ads-replAttributes: *
ads-replSearchTimeOut: 0
ads-replSearchScope: sub
ads-replSearchFilter: (objectClass=*)
ads-searchBaseDN: ou=system
I added a few users under ou=users, ou=system on the master but nothing gets replicated on the slave. There is no evidence on the consoles of either instance that these two instances are trying to talk, and hence I think this is not the right configuration, or an incomplete configuration, as there is nothing I could find in the apacheds documentation that needs to be added as part of the consumer configuration on Instance2/Slave. Am I missing something?
Thanks !
There was some bug in the apacheds 2.0-M15 version regarding replication. That bug has been rectified already and the fix will be in M16. I built 2 separate instances from apacheds svn trunk, built the installers and ran 2 separate instances. Added the following settings/config on the Provider/Master (running on port 10389) -
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
add: ads-replReqHandler
ads-replReqHandler: org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler
Added the following config to the consumer/slave instance (running on port 11389) -
dn: ads-replConsumerId=1,ou=replConsumers,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: add
ads-replRefreshNPersist: TRUE
ads-replAliasDerefMode: never
ads-replProvPort: 10389
ads-replSearchSizeLimit: 0
ads-replProvHostName: localhost
objectClass: ads-replConsumer
objectClass: ads-base
ads-replUserDn: uid=admin, ou=system
ads-replRefreshInterval: 60000
ads-replUserPassword: secret
ads-replConsumerId: 1
ads-replAttributes: *
ads-replSearchTimeOut: 0
ads-replSearchScope: sub
ads-replSearchFilter: (objectClass=*)
ads-searchBaseDN: ou=system
Restarted both instances and tried adding an entry under the Provider and wow! it got replicated to the consumer.
Though the configuration I posted in the question is incorrect, a couple of confusing things led to that configuration.
Lack of clear documentation on the apacheds website.
Apache DS Studio: when you create a connection in Apache DS Studio to connect to an apacheds service, you can right click on the connection and open its configuration (which is stored under ou=config; it's basically a GUI for ou=config). When you click on the last tab 'Replication', the title reads 'All Replication Consumers' with an 'Add' button placed on the right. This is misleading, as it gives the user the impression that one needs to add consumer/slave details here and that this config should lie on the master/provider side.