inetOrgPerson with member or memberOf? - ldap

What works
Suppose I have inetOrgPersons in ou=people,dc=example,dc=com. Example:
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson (structural)
objectClass: person (structural)
objectClass: top (abstract)
cn: John Doe
sn: Doe
givenName: John
mail: john.doe@example.com
uid: john.doe
In addition I have several organizations:
dn: o=foo,dc=example,dc=com
objectClass: organization (structural)
objectClass: top (abstract)
o: foo
dn: o=bar,dc=example,dc=com
objectClass: organization (structural)
objectClass: top (abstract)
o: bar
For each organization there is a groupOfNames:
dn: cn=users,o=foo,dc=example,dc=com
objectClass: groupOfNames (structural)
cn: users
member: cn=John Doe,ou=people,dc=example,dc=com
dn: cn=users,o=bar,dc=example,dc=com
objectClass: groupOfNames (structural)
cn: users
As you can see, cn=John Doe,ou=people,dc=example,dc=com is listed as a member of cn=users,o=foo,dc=example,dc=com but not of cn=users,o=bar,dc=example,dc=com.
Problem
I want to note membership at the inetOrgPersons, too.
memberOf is not in the schemas I currently use for a user. Is there any schema available that provides memberOf?
member is part of groupOfNames but this objectClass conflicts with inetOrgPerson:
[LDAP: error code 65 - invalid structural object class chain (inetOrgPerson/groupOfNames)]
Question
How can I note the membership in cn=users,o=foo,dc=example,dc=com on cn=John Doe,ou=people,dc=example,dc=com?

If you're using OpenLDAP you need to use the 'memberof' overlay, which maintains a real 'memberOf' attribute among the operational attributes.
Note that it won't affect memberships that already exist, only new ones from when you first load the overlay. See the OpenLDAP documentation.

Depending on the server in use, memberOf might be a virtual attribute that would not be listed in the entry, but rather is generated by the server. Some other servers use isMemberOf instead of memberOf. memberOf or isMemberOf would be generated upon request by the server.
One could search:
ldapsearch -h hostname -p port \
-b dc=example,dc=com -s sub \
'(memberOf=cn=users,o=foo,dc=example,dc=com)'
or
ldapsearch -h hostname -p port \
-b dc=example,dc=com -s sub \
'(isMemberOf=cn=users,o=foo,dc=example,dc=com)'
to get the distinguished names that are members of cn=users,o=foo,dc=example,dc=com.
To get the groups of which a known distinguished name is a member:
ldapsearch -h hostname -p port \
-b dc=example,dc=com -s sub \
'(cn=Joe User)' isMemberOf
or
ldapsearch -h hostname -p port \
-b dc=example,dc=com -s sub \
'(cn=Joe User)' memberOf
The object class violation occurs because groupOfNames and inetOrgPerson are both structural object classes. Only one structural object class is permitted per object. Some broken directory servers (DSEE, for example) will allow multiple structural object classes per object, though. In one of your examples it appears that person and inetOrgPerson are in the same object together; this is a different case, because inetOrgPerson is a descendant of person.
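The two answers above describe what the server enforces; the following Python is an added example written for this page (not code from either answer or from OpenLDAP) that models it offline. It carries a hand-written subset of the standard schema, a check that reproduces why inetOrgPerson together with person is accepted while inetOrgPerson together with groupOfNames is rejected with error 65, and the reverse index from member to memberOf that the memberof overlay maintains. The schema table, the sample LDIF and the Jane Roe entry are constructed here; the LDIF reader is minimal and deliberately rejects base64 and URL values.

```python
import re
from collections import defaultdict

# Hand-written subset of the standard schema (an assumption standing in for the
# server's real schema): lower-cased name -> (canonical name, kind, superior)
SCHEMA = {
    "top":                  ("top",                  "ABSTRACT",   None),
    "person":               ("person",               "STRUCTURAL", "top"),
    "organizationalperson": ("organizationalPerson", "STRUCTURAL", "person"),
    "inetorgperson":        ("inetOrgPerson",        "STRUCTURAL", "organizationalperson"),
    "groupofnames":         ("groupOfNames",         "STRUCTURAL", "top"),
    "posixaccount":         ("posixAccount",         "AUXILIARY",  "top"),
}

class ObjectClassViolation(Exception):
    """The condition a server reports as LDAP result code 65."""

def _superiors(name):
    sup = SCHEMA[name][2]
    return [] if sup is None else [sup] + _superiors(sup)

def structural_class(object_classes):
    """RFC 4512 s2.4.2: all STRUCTURAL classes of an entry must lie on one
    superior chain; the most subordinate one is the entry's structural class."""
    names = [c.lower() for c in object_classes]      # objectClass names are case-insensitive
    structurals = [c for c in names if SCHEMA[c][1] == "STRUCTURAL"]   # KeyError: unknown class
    if not structurals:
        raise ObjectClassViolation("no structural object class provided")
    for cand in structurals:
        if all(o == cand or o in _superiors(cand) for o in structurals):
            return SCHEMA[cand][0]
    raise ObjectClassViolation("invalid structural object class chain (%s)"
                               % "/".join(SCHEMA[c][0] for c in structurals))

def parse_ldif(text):
    """Minimal LDIF reader -> [(dn, {attr_lower: [values]})] in file order.
    Unfolds continuation lines and drops '#' comments; base64 ('::') and URL
    (':<') values are rejected because nothing on this page needs them."""
    entries = []
    for block in re.split(r"\n\s*\n", re.sub(r"\n ", "", text).strip()):
        dn, attrs = None, defaultdict(list)
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value[:1] in (":", "<"):
                raise ValueError("unsupported value encoding: %r" % line)
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                dn = value
            elif attr != "version":
                attrs[attr].append(value)
        if dn is not None:            # skip comment-only blocks such as ldapsearch headers
            entries.append((dn, dict(attrs)))
    return entries

def check_entries(entries):
    """dn -> None if the structural chain is valid, else the server's message."""
    verdicts = {}
    for dn, attrs in entries:
        try:
            structural_class(attrs.get("objectclass", []))
            verdicts[dn] = None
        except ObjectClassViolation as exc:
            verdicts[dn] = "error code 65 - %s" % exc
    return verdicts

def derive_member_of(entries):
    """Invert each group's 'member' values into a memberOf list, which is what the
    memberof overlay maintains. DNs are compared after folding case and the spaces
    around commas (a simplification of distinguishedNameMatch); dangling members are ignored."""
    def norm(dn):
        return re.sub(r"\s*,\s*", ",", dn.strip()).lower()
    known = {norm(dn): dn for dn, _ in entries}
    member_of = defaultdict(list)
    for group_dn, attrs in entries:
        for member in attrs.get("member", []):
            if norm(member) in known:
                member_of[known[norm(member)]].append(group_dn)
    return {dn: sorted(groups) for dn, groups in member_of.items()}

# Constructed sample: the question's person and group, plus an entry mixing
# inetOrgPerson with groupOfNames to trigger the violation.
SAMPLE_LDIF = """\
dn: cn=John Doe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: person
objectClass: top

dn: cn=users,o=foo,dc=example,dc=com
objectClass:groupOfNames
member: cn=John Doe, ou=people,dc=example,dc=com

dn: cn=Jane Roe,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
objectClass: groupOfNames
"""

if __name__ == "__main__":
    entries = parse_ldif(SAMPLE_LDIF)
    verdicts = check_entries(entries)              # Jane Roe gets the error 65 message
    accepted = [(dn, a) for dn, a in entries if verdicts[dn] is None]
    print(verdicts, derive_member_of(accepted))    # only stored entries get a memberOf
```

Only entries that pass the chain check are fed to derive_member_of, because a server would never have stored the rejected one. Against a real OpenLDAP server the overlay's memberOf is an operational attribute, as the first answer says, so ldapsearch only returns it when it is named in the attribute list (as in the second answer's searches) or when all operational attributes are requested with "+".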

Related

How to delete one of these 2 entries in openldap

How do I delete one of these 2 entries? I want to delete the first one.
I tried it but I always get an error.
ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=config olcOverlay={2}auditlog |grep -v "#"
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {2}auditlog
olcAuditlogFile: /var/log/ldapaudit.log
dn: olcOverlay={3}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /var/log/ldap.log
search: 2
result: 0 Success
Older versions of OpenLDAP (2.4 or older, I believe) do not support hot removal of overlays – they can only be added via LDAP, but removing them needs to be done offline (i.e. with the slapd service stopped).
The official method is to dump the cn=config database (slapcat -n 0) into an LDIF file, edit it as needed, then delete the whole slapd.d directory and rebuild it from the LDIF using slapadd -n 0.
The unofficial method is to rm just the corresponding files from within slapd.d/cn=config/.
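The step in the official method that is easy to get wrong is the manual edit of the dumped LDIF. The Python below is an added example written for this page (not part of the answer or of OpenLDAP): it removes one record, and any records beneath it, from a slapcat -n 0 dump by DN while leaving every other record untouched. The dump it operates on is a constructed fragment modelled on the two auditlog entries in the question; the commands in the comment are the answer's procedure and must be run with slapd stopped.

```python
import re

def _norm(dn):
    # cn=config DNs are ASCII; fold case and the spaces around commas
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def remove_config_entries(ldif_text, target_dn):
    """Return (edited_ldif, removed_dns): the 'slapcat -n 0' dump without the
    record at target_dn and without any record beneath it. Records are
    separated by blank lines; folded lines are unfolded only for DN matching,
    so kept records are emitted unchanged. Base64 'dn::' lines are not handled."""
    target = _norm(target_dn)
    kept, removed = [], []
    for record in re.split(r"\n\s*\n", ldif_text.strip()):
        match = re.search(r"^dn:\s*(.+?)\s*$", re.sub(r"\n ", "", record), re.M)
        dn = _norm(match.group(1)) if match else None
        if dn is not None and (dn == target or dn.endswith("," + target)):
            removed.append(match.group(1))
        else:
            kept.append(record)
    return "\n\n".join(kept) + "\n", removed

# Constructed, abridged dump resembling the question's two auditlog records
# plus the database record they hang off (so child removal can be shown).
CONFIG_DUMP = """\
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=example,dc=com

dn: olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {2}auditlog
olcAuditlogFile: /var/log/ldapaudit.log

dn: olcOverlay={3}auditlog,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAuditlogConfig
olcOverlay: {3}auditlog
olcAuditlogFile: /var/log/ldap.log
"""

if __name__ == "__main__":
    # Procedure from the answer, with slapd stopped:
    #   slapcat -n 0 -l config.ldif          (dump cn=config)
    #   <run this script on config.ldif>     (edit)
    #   mv slapd.d slapd.d.bak && mkdir slapd.d
    #   slapadd -n 0 -F slapd.d -l edited.ldif
    edited, gone = remove_config_entries(
        CONFIG_DUMP, "olcOverlay={2}auditlog,olcDatabase={2}hdb,cn=config")
    print("removed:", gone)
    print(edited)
```

Check the ownership of the rebuilt slapd.d before starting slapd again: slapadd run as root leaves root-owned files that the slapd service user cannot read.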

Receive invalid credentials (49)when trying to add a user to LDAP

My ldap.conf looks like: (server and client on the same machine)
# TLS certificates (needed for GnuTLS)
TLS_CACERT /etc/ssl/certs/ca-certificates.crt
BASE dc=hdlldaptest,dc=net
URI ldap://localhost
Results of ldapsearch -x:
# extended LDIF
#
# LDAPv3
# base <dc=hdlldaptest,dc=net> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# hdlldaptest.net
dn: dc=hdlldaptest,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
o: qatest
dc: hdlldaptest
# admin, hdlldaptest.net
dn: cn=admin,dc=hdlldaptest,dc=net
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
I try to add a user using this file: qa_test.ldif
dn: uid=qa_test,ou=users,dc=hdlldaptest,dc=net
objectClass: top
objectClass: account
objectClass: posixAccount
objectClass: shadowAccount
cn: qa_test
uid: qa_test
uidNumber: 16859
gidNumber: 100
homeDirectory: /home/qa_test
loginShell: /bin/bash
gecos: qa_test
userPassword: {crypt}x
shadowLastChange: 0
shadowMax: 0
shadowWarning: 0
Then I run
# ldapadd -x -W -D "cn=ramesh,dc=tgs,dc=com" -f qa_test.ldif
Enter LDAP Password:
I don't know what password I am supposed to use. I tried leaving it as is and entering x, and adding a real password, but every time I run it I get invalid credentials. I thought that you add the password after the user was created.
The -D option is used for binding (which account is used to perform the operation), so you need to provide a DN corresponding to a user with sufficient permissions to perform the ldapadd.
Usually that kind of operation is performed by the LDAP admin/manager, probably cn=admin,dc=hdlldaptest,dc=net in your case.
If your directory supports it, you can also bind using a SASL mechanism, for example 'EXTERNAL' (usually TLS or Unix IPC):
ldapadd -Y EXTERNAL -H ldapi:/// -f qa_test.ldif

OpenLDAP memberof Overlay not showing

The memberOf attribute is not showing in a simple LDAP search. If I do the following, the memberOf attribute is hidden.
ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com
# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: shadowAccount
uid: udraz
sn: Draz
givenName: Umar
mail: udraz@example.com
cn: Umar Draz
displayName: Umar Draz
uidNumber: 5000
gidNumber: 5000
gecos: Umar Draz
loginShell: /bin/bash
homeDirectory: /home/udraz
But if I do the following then memberOf attribute appear
ldapsearch -Y external -H ldapi:/// -b dc=example,dc=com memberOf
# udraz, Users, example.com
dn: uid=udraz,ou=Users,dc=example,dc=com
memberOf: cn=developers,ou=Users,dc=example,dc=com
Would you please help me with how to solve this?

no global superior knowledge error upon adding new entry (change suffix?)

Openldap 2.4.31 is installed on Ubuntu 14.04.
When I try to add the first entry to the LDAP, it says:
adding new entry "dc=abc,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
This is the command I use in CLI:
ldapadd -Y EXTERNAL -H ldapi:// -f import-org.ldif
From various blogs I understood that this happens because the new entry with dn dc=abc,dc=com cannot be added to the LDAP with suffix dc=xyz,dc=com.
The installation process defines the LDAP suffix without prompting to set a custom one.
I read a bunch of manuals and blogs and failed to find any document that describes how to change or add a new suffix or any other way to solve the issue in this version of openldap.
You need to add the new suffix.
This example assumes that dc=example,dc=com exists and you desire to add dc=example,dc=net.
You can do this via LDIF with something like:
# add example.net to an existing LDAP server
version: 1
dn: dc=example,dc=net
dc: example
description: Example Network Operations
objectClass: dcObject
objectClass: organization
o: Example, Inc.
dn: ou=people, dc=example,dc=net
ou: people
description: All people in organisation
objectClass: organizationalUnit
Then add the entry as desired under the new suffix.

openldap, I can't add user, invalid DN

I started my test openldap server on RedHat Enterprise Linux 6.5. I configured it properly, I think. I added my base.ldif file, which looks like this:
dn: dc=example,dc=com
dc: example
description: Root LDAP entry for example.com
objectClass: dcObject
objectClass: organizationalUnit
ou: rootObject
dn: ou=People,dc=exapmle,dc=com
ou: People
description: All people in organisation
objectClass: organizationalUnit
Using command:
ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
I got an output:
[root@melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
adding new entry "ou=People,dc=exapmle,dc=com"
ldap_add: Server is unwilling to perform (53)
additional info: no global superior knowledge
But I tried a second time and I received:
[root@melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f base.ldif
Enter LDAP Password:
adding new entry "dc=example,dc=com"
ldap_add: Already exists (68)
So it looks okay to me; next I tried to add a user:
dn: uid=ldapuser100,ou=People,dc=example,dc=com
uid: ldapuser100
cn: ldapuser100
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {crypt}$6$E/tH1oRF$9.Km8Xs/wDIFgWgTT.domcw0PJGUZqK7mqdFPaNru2il5LMgsxaowq5bvjulQLR8CqSq.Pw.brZU77fzviQPG.
shadowLastChange: 16460
shadowMin: 0
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 1400
gidNumber: 1400
homeDirectory: /exports/ldapuser100
Using command:
[root@melita-bladekp ~]# ldapadd -x -W -D "cn=Manager,dc=example,dc=com" -f ldapuser100.ldif
Enter LDAP Password:
adding new entry "uid=ldapuser100,ou=People,dc=example,dc=com"
ldap_add: No such object (32)
matched DN: dc=example,dc=com
And I receive that the DN doesn't exist. I think there is a problem with that base file; do you have any idea what I can do to fix it?
My conf files (I think that the conf files are ok):
/etc/openldap/ldap.conf
BASE dc=example,dc=com
URI ldap://localhost
TLS_REQCERT never
/etc/openldap/slapd.conf
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
TLSCACertificatePath /etc/openldap/certs/ldap.crt
TLSCertificateFile /etc/openldap/certs/ldap.crt
TLSCertificateKeyFile /etc/openldap/certs/ldap.key
database config
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
by * none
database monitor
access to *
by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
by dn.exact="cn=Manager,dc=example,dc=com" read
by * none
database bdb
suffix "dc=example,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=example,dc=com"
rootpw {SSHA}MdddSPNLtlsVia4T534qLL6LWLRy2lBB
directory /var/lib/ldap
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
It looks like you have a typo in the dn of your LDIF
dn: ou=People,**dc=exapmle**,dc=com
If you change exapmle to example and re-run the LDIF with continue on error you should get the example entry and then you will be able to add your user afterwards.
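The last two threads end in the same pair of server messages: "no global superior knowledge" (result 53) when a DN is not under any suffix the server holds, which is what both dc=abc,dc=com against a dc=xyz,dc=com server and the dc=exapmle typo produce, and "No such object (32)" with a matched DN when the DN is under a suffix but its parent entry is missing. The Python below is an added dry-run checker written for this page (not code from any answer or from OpenLDAP). It models the server's naming contexts as a list (what 'suffix' in slapd.conf or olcSuffix in cn=config configures, separately from the entries that later populate them), replays the DNs of an LDIF in file order, and stops at the first failure as ldapadd does unless -c is given. DN matching is a simplification of distinguishedNameMatch, and the sample LDIF is constructed from the question above.

```python
import re

def parse_dn(dn):
    """Split a DN into RDN strings, honouring backslash-escaped commas (RFC 4514).
    Each RDN is lower-cased with surrounding whitespace dropped, so
    'ou=People, dc=example,dc=com' equals 'ou=people,dc=example,dc=com', which
    is how a server compares these case-insensitive attribute types. Other
    escapes and multi-valued RDNs are not handled."""
    rdns, cur, i = [], "", 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):      # keep the escaped char verbatim
            cur += dn[i:i + 2]
            i += 2
            continue
        if dn[i] == ",":
            rdns.append(cur.strip().lower())
            cur = ""
        else:
            cur += dn[i]
        i += 1
    rdns.append(cur.strip().lower())
    return tuple(rdns)

def preflight(ldif_text, suffixes, existing=(), continue_on_error=False):
    """Dry-run the per-entry checks slapd applies to an ldapadd, in file order.
    suffixes: naming contexts the server serves. existing: DNs already in the
    directory. Returns [(dn, verdict)], stopping at the first failure unless
    continue_on_error (the ldapadd -c behaviour) is set."""
    naming = {parse_dn(s) for s in suffixes}
    known = {parse_dn(d) for d in existing}
    results = []
    for dn in re.findall(r"^dn:\s*(.+?)\s*$", ldif_text, re.M):
        parts = parse_dn(dn)
        if not any(len(parts) >= len(s) and parts[len(parts) - len(s):] == s
                   for s in naming):
            verdict = "Server is unwilling to perform (53): no global superior knowledge"
        elif parts in known:
            verdict = "Already exists (68)"
        elif parts in naming or parts[1:] in known:
            verdict = "ok"
            known.add(parts)
        else:
            anc = parts[1:]                          # deepest existing ancestor
            while anc and anc not in known:
                anc = anc[1:]
            verdict = "No such object (32), matched DN: %s" % (",".join(anc) or "<none>")
        results.append((dn, verdict))
        if verdict != "ok" and not continue_on_error:
            break
    return results

# Constructed inputs mirroring the question: the base LDIF with its typo, and
# the user entry that depends on ou=People existing.
BASE_LDIF = """\
dn: dc=example,dc=com
dc: example
objectClass: dcObject
objectClass: organization
o: Example

dn: ou=People,dc=exapmle,dc=com
ou: People
objectClass: organizationalUnit
"""
USER_LDIF = """\
dn: uid=ldapuser100,ou=People,dc=example,dc=com
uid: ldapuser100
objectClass: account
"""

if __name__ == "__main__":
    suffix = ["dc=example,dc=com"]
    first_run = preflight(BASE_LDIF, suffix)                     # second entry fails with 53
    user_add = preflight(USER_LDIF, suffix, existing=["dc=example,dc=com"])   # 32, matched dc=example,dc=com
    for dn, verdict in first_run + user_add:
        print(dn, "->", verdict)
```

Run as a script it reproduces the sequence in the question: the first base entry is accepted, the typo'd ou fails with 53, a second run of the same file stops at "Already exists (68)", and the user entry fails with 32 and matched DN dc=example,dc=com until ou=People,dc=example,dc=com exists. Passing dc=example,dc=net in the suffix list is what lets the earlier answer's dc=example,dc=net LDIF pass this check; without that naming context the same entries fail with 53.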