More on dynamic group searches

2010-05-23 Thread Ian Collins

Hello,

This is my first post here, so if I'm going over old ground, please let 
me know (I have searched).


I have looked through the archives and reached the conclusion that there 
isn't a convenient means of searching for groups based on a dynamic 
entry.  For example, if I have a dynlist entry containing


olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember

uniqueMember is dynamically added to search results, but can't be part 
of the search.


Is this conclusion correct?

I am migrating a client over from Sun's directory manager (which does 
allow searching on dynamic attributes) to OpenLDAP, so I have to support 
all the client applications that currently authenticate against and use 
LDAP.  For example:


filter=(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))
attrs=gidNumber


--
Ian.



Re: More on dynamic group searches

2010-05-23 Thread Howard Chu

Ian Collins wrote:

Hello,

This is my first post here, so if I'm going over old ground, please let
me know (I have searched).

I have looked through the archives and reached the conclusion that there
isn't a convenient means of searching for groups based on a dynamic
entry.  For example, if I have a dynlist entry containing

olcDlAttrSet: {0}groupOfURLs memberURL uniqueMember

uniqueMember is dynamically added to search results, but can't be part
of the search.

Is this conclusion correct?


Yes.


I am migrating a client over from Sun's directory manager (which does
allow searching on dynamic attributes) to OpenLDAP, so I have to support
all the client applications that currently authenticate against and use
LDAP.  For example:

filter=(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))
attrs=gidNumber


Don't use dynamic groups then. Use autogroups.

--
  -- Howard Chu
  CTO, Symas Corp.   http://www.symas.com
  Director, Highland Sun http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


Re: More on dynamic group searches

2010-05-23 Thread Ian Collins

On 05/23/10 09:21 PM, Howard Chu wrote:

Ian Collins wrote:

I am migrating a client over from Sun's directory manager (which does
allow searching on dynamic attributes) to OpenLDAP, so I have to support
all the client applications that currently authenticate against and use
LDAP.  For example:

filter=(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))
attrs=gidNumber


Don't use dynamic groups then. Use autogroups.


Thanks, I hadn't looked at the contrib modules.

--
Ian.
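As an added illustration of why the answer is "use autogroups" (this is a Python model written for this page, not code from the thread or from OpenLDAP): the filter from Ian's post is run against a small constructed directory under both behaviours. The model assumes dynlist generates uniqueMember only for entries being returned, while autogroup stores uniqueMember at write time; the entries, the businessCategory-based memberURL and the gidNumber are constructed sample data.

```python
import re

# Constructed sample directory (not from the list post): two static groups
# and one posixGroup whose members come from a memberURL, as under dynlist.
ENTRIES = {
    "cn=Admins,ou=groups,o=staff,dc=company": {
        "objectClass": ["groupOfNames"], "businessCategory": ["it"]},
    "cn=Ops,ou=groups,o=staff,dc=company": {
        "objectClass": ["groupOfNames"], "businessCategory": ["it"]},
    "cn=itstaff,ou=groups,o=staff,dc=company": {
        "objectClass": ["posixGroup", "groupOfURLs"], "gidNumber": ["5000"],
        "memberURL": ["ldap:///ou=groups,o=staff,dc=company??sub?(businessCategory=it)"]},
}

def matches(flt, entry):
    """Evaluate a filter restricted to AND lists of equality assertions.
    Values are compared case-insensitively (a simplification of DN matching)."""
    if flt.startswith("(&"):
        return all(matches(sub, entry) for sub in re.findall(r"\([^()]*\)", flt[2:-1]))
    attr, _, value = flt[1:-1].partition("=")
    return value.lower() in (v.lower() for v in entry.get(attr, []))

def expand(url):
    """Resolve an ldap:///base?attrs?scope?filter memberURL (sub scope only)."""
    base, flt = re.fullmatch(r"ldap:///([^?]*)\?[^?]*\?sub\?(.*)", url).groups()
    return [dn for dn, e in ENTRIES.items() if dn.endswith(base) and matches(flt, e)]

def with_members(entry):
    """Return a copy of the entry with uniqueMember generated from memberURL."""
    out = dict(entry)
    if "memberURL" in entry:
        out["uniqueMember"] = [dn for url in entry["memberURL"] for dn in expand(url)]
    return out

def search_dynlist(flt):
    """dynlist: the filter sees only stored attributes; uniqueMember is
    generated afterwards for the entries that are returned."""
    return {dn: with_members(e) for dn, e in ENTRIES.items() if matches(flt, e)}

def search_autogroup(flt):
    """autogroup: memberURL is resolved at write time, so uniqueMember is a
    stored value and the filter can match on it."""
    stored = {dn: with_members(e) for dn, e in ENTRIES.items()}
    return {dn: e for dn, e in stored.items() if matches(flt, e)}

# The search from the post: which posixGroups contain cn=Admins?
FILTER = "(&(objectClass=posixGroup)(uniqueMember=cn=Admins,ou=groups,o=staff,dc=company))"
```

Searching the dynlist model by a stored attribute still returns the generated uniqueMember values, which is exactly the behaviour Ian describes: visible in results, invisible to the filter.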



Re: Q: status of component matching?

2010-05-23 Thread Dieter Kluenter
Nardmann, Heiko heiko.nardm...@secunet.com writes:

 Hi all,

 we are trying to set up an openldap 2.4.21 slapd server that is able to
 handle component-filter search requests. The problem we get is that the
 slapd fails to load the compmatch module. With full debug output the
 error message is:
 lt_dlopenext failed: (compmatch.la) file not found

 Does anybody already have entered this problem?

No, not me.

 What we did/tried is now described in detail:

 We use Suse 11.1 as the Linux distribution.

 The openldap software is configured with the following command:

 ./configure LDFLAGS=-L/usr/local/BerkeleyDB.5.0/lib -ldb 
   --prefix /home/openldap/openldap-2.4.21-install 
   --enable-modules --enable-sssvlv --enable-syncprov --enable-valsort 
 --enable-bdb=mod

I am missing CFLAGS=-DLDAP_COMP_MATCH

[...]
 While running make for the component match module itself we encounter
 problems when calling the libtool for linking:
[...]
 *** Warning: Linking the shared library compmatch.la against the
 *** static library
 /home/openldap/openldap-snacc-2.3.6/c-lib/libcasn1.a is not
 portable!

This is just a warning.

 In the resulting compmatch.a library the asn.1 lib is included four times:

 openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match 
 ar tv .libs/compmatch.a
 rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a
 rw-r--r-- 1000/1000 152162 May 18 14:37 2010 lt1-libcasn1.a
 rw-r--r-- 1000/1000 131488 May 19 14:04 2010 componentlib.o
 rw-r--r-- 1000/1000  70900 May 19 14:04 2010 init.o
 rw-r--r-- 1000/1000 144908 May 19 14:04 2010 certificate.o
 rw-r--r-- 1000/1000  55372 May 19 14:04 2010 asn_to_syn_mr.o
 rw-r--r-- 1000/1000 110584 May 19 14:04 2010 authorityKeyIdentifier.o
 rw-r--r-- 1000/1000  84920 May 19 14:04 2010 crl.o
 rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a
 rw-r--r-- 1000/1000 152162 May 18 14:37 2010 libcasn1.a

Yes, this I can confirm.

 The component filter test fails:

 Starting test031-component-filter for bdb...
 running defines.sh
 Running slapadd to build slapd database...
 slapadd: bad configuration file!
 slapadd failed (1)!
 Be sure to have a certificate module in tests/data/comp_libs 
 The module is in openldap/contrib/slapd-modules/comp_match
 Test skipped.
 ./scripts/test031-component-filter completed OK for bdb.

Did you run make install in slapd-modules/comp_match? This will
install all relevant files into tests/data/comp_match.

 Now we try to load the module via slapd. In the slapd.conf we specify the 
 following:

 # Load dynamic backend modules:
 modulepath  /home/openldap/openldap-2.4.21-install/libexec/openldap
 moduleload  back_bdb.la
 moduleload  compmatch.la

 Check that all module files do exist:

 openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match 
 ls -al /home/openldap/openldap-2.4.21-install/libexec/openldap
 total 736
 drwxr-xr-x 2 openldap openldap   4096 2010-05-19 14:10 .
 drwxr-xr-x 3 openldap openldap   4096 2010-05-19 09:32 ..
 lrwxrwxrwx 1 openldap openldap     21 2010-05-19 09:31 back_bdb-2.4.so.2 -> back_bdb-2.4.so.2.5.4
 -rwxr-xr-x 1 openldap openldap 221074 2010-05-19 09:31 back_bdb-2.4.so.2.5.4
 -rwxr-xr-x 1 openldap openldap    889 2010-05-19 09:31 back_bdb.la
 lrwxrwxrwx 1 openldap openldap     21 2010-05-19 09:31 back_bdb.so -> back_bdb-2.4.so.2.5.4
 -rwxr-xr-x 1 openldap openldap    889 2010-05-19 10:02 compmatch.la
 lrwxrwxrwx 1 openldap openldap     18 2010-05-19 09:56 compmatch.so -> compmatch.so.0.0.0
 -rwxr-xr-x 1 openldap openldap 507076 2010-05-19 09:55 compmatch.so.0.0.0

 Starting slapd by

 openl...@ocsp-openldap24:~/openldap-2.4.21/contrib/slapd-modules/comp_match 
 strace -vall -s1024 -oasi 
   /home/openldap/openldap-2.4.21-install/libexec/slapd  -h 
 ldap://localhost:9389/ -d -1

 results in the following:
[...]
 line 26 (moduleload compmatch.la)
 lt_dlopenext failed: (compmatch.la) file not found

This I cannot reproduce, slapd starts without error on my system.

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6


Re: Proxy authorization fail with cyrus-sasl and postfix

2010-05-23 Thread Dieter Kluenter
Julien Vehent jul...@linuxwall.info writes:

 Hello list,

 I am trying to authenticate my mail users against my ldap directory (slapd
 2.4.17, debian squeeze). I have setup proxy authorization for user postfix
 as follow:

 in slapd.conf
 
 # SASL proxy authorization rewrite rule
 authz-regexp ^uid=([^,]+).*,cn=[^,]*,cn=auth$
   ldap:///dc=linuxwall,dc=info??sub?(uid=$1)

This regexp requires a uid attribute type.

 authz-policy to
 

 ldif of user postfix
 
 dn: cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info
 authzto: ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)
 cn: Postfix Administrator
 [...]

unless you cut it, cn=Postfix Administrator has no uid attribute type,

[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
sip: +49.40.20932173
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
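An added Python model of the authz-regexp mapping and the authz-policy "to" check that Dieter's reply turns on (written for this page, not code from the thread or from slapd). The authz-regexp and authzTo values are the ones Julien posted; the directory entries, the uid=jdoe user and the DIGEST-MD5 authcid strings are constructed, and give_postfix_a_uid() stands in for one possible fix, giving the Postfix entry the uid attribute the regexp's URL searches for.

```python
import re

# The authz-regexp pair from the post: slapd builds a DN from the SASL authcid
# ("uid=<user>,cn=<realm>,cn=<mech>,cn=auth", or without the realm part), matches
# it against the regexp and substitutes $1 into the LDAP URL.
AUTHZ_REGEXP = r"^uid=([^,]+).*,cn=[^,]*,cn=auth$"
AUTHZ_URL = "ldap:///dc=linuxwall,dc=info??sub?(uid=$1)"

# Constructed entries, not from the post; the Postfix entry has no uid attribute.
DIRECTORY = {
    "cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info": {
        "objectClass": ["inetOrgPerson"], "cn": ["Postfix Administrator"],
        "authzTo": ["ldap:///dc=linuxwall,dc=info??sub?(objectClass=inetOrgPerson)"]},
    "uid=jdoe,ou=people,dc=linuxwall,dc=info": {
        "objectClass": ["inetOrgPerson"], "uid": ["jdoe"]},
}

def rewrite_authcid(sasl_dn):
    """Apply authz-regexp: return the LDAP URL with $1 substituted, or None."""
    m = re.match(AUTHZ_REGEXP, sasl_dn)
    return AUTHZ_URL.replace("$1", m.group(1)) if m else None

def resolve_url(url):
    """Evaluate ldap:///base??sub?(attr=value) against the constructed directory."""
    base, attr, value = re.fullmatch(r"ldap:///([^?]*)\?\?sub\?\((\w+)=([^)]*)\)", url).groups()
    return [dn for dn, e in DIRECTORY.items() if dn.endswith(base) and value in e.get(attr, [])]

def map_sasl_identity(sasl_dn):
    """The identity slapd binds as: exactly one entry must match the rewritten URL."""
    url = rewrite_authcid(sasl_dn)
    hits = resolve_url(url) if url else []
    return hits[0] if len(hits) == 1 else None

def may_proxy_as(authc_dn, authz_dn):
    """authz-policy to: the authenticated entry's authzTo URLs must select the target."""
    return any(authz_dn in resolve_url(u) for u in DIRECTORY.get(authc_dn, {}).get("authzTo", []))

def give_postfix_a_uid():
    """Hypothetical fix: add a uid (allowed by inetOrgPerson) so the URL can find the entry."""
    DIRECTORY["cn=Postfix Administrator,ou=infrastructure,dc=linuxwall,dc=info"]["uid"] = ["postfix"]
```

Until the uid is added, the regexp rewrites the authcid fine but the resulting search matches nothing, so the bind never reaches the authzTo check at all.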