More on dynamic group searches
Hello,

This is my first post here, so if I'm going over old ground, please let me know (I have searched).

I have looked through the archives and reached the conclusion that there isn't a convenient means of searching for groups based on a dynamic entry. For example, if I have a dynlist entry containing

olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember

uniqueMember is dynamically added to search results, but can't be part of the search.

Is this conclusion correct?

I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:

filter=((objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber

--
Ian.

Re: More on dynamic group searches
Ian Collins wrote:
> Hello,
>
> This is my first post here, so if I'm going over old ground, please let me know (I have searched).
>
> I have looked through the archives and reached the conclusion that there isn't a convenient means of searching for groups based on a dynamic entry. For example, if I have a dynlist entry containing
>
> olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember
>
> uniqueMember is dynamically added to search results, but can't be part of the search.
>
> Is this conclusion correct?

Yes.

> I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:
>
> filter=((objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber

Don't use dynamic groups then. Use autogroups.

--
  -- Howard Chu
  CTO, Symas Corp. http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP http://www.openldap.org/project/

Re: More on dynamic group searches
On 05/23/10 09:21 PM, Howard Chu wrote:
> Ian Collins wrote:
> > I am migrating a client over from Sun's directory manager (which does allow searching on dynamic attributes) to OpenLDAP, so I have to support all the client applications that currently authenticate against and use LDAP. For example:
> >
> > filter=((objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company)) attrs=gidNumber
>
> Don't use dynamic groups then. Use autogroups.

Thanks, I hadn't looked at the contrib modules.

--
Ian.

Re: Q: status of component matching?
Nardmann, Heiko heiko.nardm...@secunet.com writes:

> Hi all,
>
> we are trying to set up an openldap 2.4.21 slapd server that is able to handle component-filter search requests. The problem we get is that the slapd fails to load the compmatch module. With full debug output the error message is:
>
> lt_dlopenext failed: (compmatch.la) file not found
>
> Has anybody already encountered this problem?

No, not me.

> What we did/tried is now described in detail:
>
> We use Suse 11.1 as the Linux distribution. The openldap software is configured with the following command:
>
> ./configure LDFLAGS=-L/usr/local/BerkeleyDB.5.0/lib -ldb --prefix /home/openldap/openldap-2.4.21-install --enable-modules --enable-sssvlv --enable-syncprov --enable-valsort --enable-bdb=mod

I am missing CFLAGS=-DLDAP_COMP_MATCH

[...]

> While running make for the component match module itself we encounter problems when calling the libtool for linking:
> [...]
> *** Warning: Linking the shared library compmatch.la against the
> *** static library /home/openldap/openldap-snacc-2.3.6/c-lib/libcasn1.a is not portable!

This is just a warning.

> In the resulting compmatch.a library the asn.1 lib is included four times:
>
> openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match ar tv .libs/compmatch.a
> rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a
> rw-r--r-- 1000/1000 152162 May 18 14:37 2010 lt1-libcasn1.a
> rw-r--r-- 1000/1000 131488 May 19 14:04 2010 componentlib.o
> rw-r--r-- 1000/1000 70900 May 19 14:04 2010 init.o
> rw-r--r-- 1000/1000 144908 May 19 14:04 2010 certificate.o
> rw-r--r-- 1000/1000 55372 May 19 14:04 2010 asn_to_syn_mr.o
> rw-r--r-- 1000/1000 110584 May 19 14:04 2010 authorityKeyIdentifier.o
> rw-r--r-- 1000/1000 84920 May 19 14:04 2010 crl.o
> rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a
> rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a

Yes, this I can confirm.

> The component filter test fails:
>
> Starting test031-component-filter for bdb...
> running defines.sh
> Running slapadd to build slapd database...
> slapadd: bad configuration file!
> slapadd failed (1)!
> Be sure to have a certificate module in tests/data/comp_libs
> The module is in openldap/contrib/slapd-modules/comp_match
> Test skipped.
> ./scripts/test031-component-filter completed OK for bdb.

Did you run make install in slapd-modules/comp_match? This will install all relevant files into tests/data/comp_match

> Now we try to load the module via slapd. In the slapd.conf we specify the following:
>
> # Load dynamic backend modules:
> modulepath /home/openldap/openldap-2.4.21-install/libexec/openldap
> moduleload back_bdb.la
> moduleload compmatch.la
>
> Check that all module files do exist:
>
> openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match ls -al /home/openldap/openldap-2.4.21-install/libexec/openldap
> total 736
> drwxr-xr-x 2 openldap openldap   4096 2010-05-19 14:10 .
> drwxr-xr-x 3 openldap openldap   4096 2010-05-19 09:32 ..
> lrwxrwxrwx 1 openldap openldap     21 2010-05-19 09:31 back_bdb-2.4.so.2 -> back_bdb-2.4.so.2.5.4
> -rwxr-xr-x 1 openldap openldap 221074 2010-05-19 09:31 back_bdb-2.4.so.2.5.4
> -rwxr-xr-x 1 openldap openldap    889 2010-05-19 09:31 back_bdb.la
> lrwxrwxrwx 1 openldap openldap     21 2010-05-19 09:31 back_bdb.so -> back_bdb-2.4.so.2.5.4
> -rwxr-xr-x 1 openldap openldap    889 2010-05-19 10:02 compmatch.la
> lrwxrwxrwx 1 openldap openldap     18 2010-05-19 09:56 compmatch.so -> compmatch.so.0.0.0
> -rwxr-xr-x 1 openldap openldap 507076 2010-05-19 09:55 compmatch.so.0.0.0
>
> Starting slapd by
>
> openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match strace -vall -s1024 -oasi /home/openldap/openldap-2.4.21-install/libexec/slapd -h ldap://localhost:9389/ -d -1
>
> results in the following:
> [...]
> line 26 (moduleload compmatch.la)
> lt_dlopenext failed: (compmatch.la) file not found

This I cannot reproduce, slapd starts without error on my system.

[...]

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6

Re: Proxy authorization fail with cyrus-sasl and postfix
Julien Vehent jul...@linuxwall.info writes:

> Hello list,
>
> I am trying to authenticate my mail users against my ldap directory (slapd 2.4.17, debian squeeze).
>
> I have set up proxy authorization for user postfix as follows:
>
> in slapd.conf
>
> # SASL proxy authorization rewrite rule
> authz-regexp ^uid=([^,]+).*,cn=[^,]*,cn=auth$ ldap:///dc=linuxwall,dc=info??sub?(uid=$1)

This regexp requires a uid attribute type.

> authz-policy to
>
> ldif of user postfix
>
> dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
> authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
> cn: Postfix Administrator
> [...]

Unless you cut it, cn=Postfix Administrator has no uid attribute type,

[...]

-Dieter

--
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
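
Added example, not part of the original thread: a small Python model of the authz-regexp step discussed above, showing why the posted rule cannot map the SASL identity onto cn=Postfix Administrator while that entry has no uid value. The SASL DN (including its cn=plain mechanism component) and the variant entry carrying uid=postfix are constructed for illustration, and the LDAP search is reduced to a single equality match under the base DN.

```python
import re

# Rule as posted in the thread (slapd.conf authz-regexp: pattern, then search URL).
AUTHZ_PATTERN = r"^uid=([^,]+).*,cn=[^,]*,cn=auth$"
AUTHZ_REPLACE = "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

# Constructed SASL authentication DN (the mechanism component is an assumption).
SASL_DN = "uid=postfix,cn=plain,cn=auth"

# Entry as shown in the thread's LDIF excerpt: it has cn but no uid.
POSTED = {"dn": "cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info",
          "cn": ["Postfix Administrator"]}
# Hypothetical variant of the same entry that also carries uid=postfix.
WITH_UID = dict(POSTED, uid=["postfix"])


def rewrite(sasl_dn):
    """Apply the authz-regexp; return (base, scope, attr, value) or None."""
    m = re.match(AUTHZ_PATTERN, sasl_dn, re.IGNORECASE)
    if not m:
        return None
    url = AUTHZ_REPLACE.replace("$1", m.group(1))
    # LDAP URL layout: ldap:///base?attrs?scope?filter
    base, _attrs, scope, flt = url[len("ldap:///"):].split("?", 3)
    attr, value = flt.strip("()").split("=", 1)
    return base, scope, attr, value


def map_identity(sasl_dn, entries):
    """Return the DN the SASL identity maps to, or None if the mapping fails."""
    rule = rewrite(sasl_dn)
    if rule is None:
        return None
    base, _scope, attr, value = rule
    hits = [e["dn"] for e in entries
            if e["dn"].lower().endswith(base.lower())
            and value.lower() in (v.lower() for v in e.get(attr, []))]
    # slapd accepts the mapping only when the search returns exactly one entry.
    return hits[0] if len(hits) == 1 else None


if __name__ == "__main__":
    for label, entry in (("as posted", POSTED), ("with uid", WITH_UID)):
        print(label, "->", map_identity(SASL_DN, [entry]))
```

When the mapping returns nothing, the authenticated identity stays in its cn=auth form, so an authzTo value stored on the directory entry is never consulted for it.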