Re: Ppolicy control missing from supportedControl
On Tue, 7 Jul 2020 14:52:30 +0200, Michael Ströder wrote:
> Do you actually see any value of attribute 'supportedControl'?
>
> If not, did you explicitly request the attribute 'supportedControl'
> when reading rootDSE or used '+' in the attribute list?

I use '+', and it does return supportedControl.

> > It is causing problems for PHP automated extension tests, the
> > php-ldap module skips tests depending on whether associated
> > controls are listed by the server or not, but ppolicy is never
> > returned so the ppolicy test cannot run.
>
> Hmm, this approach can fail because not every control or extension
> listed in the rootDSE is really handled.
>
> In case of slapo-ppolicy the overlay is available in mainstream Linux
> distros anyway.
> On which platforms are you testing FusionDirectory?

Debian. Here is the setup for the automated test ldap server:
https://github.com/php/php-src/pull/5794/files#diff-49f45f40446e443fc480bb7d54078f24

The author has the same problem as I do:
https://github.com/php/php-src/pull/5794#issuecomment-652933484

So, maybe a problem specific to the debian package or the openldap version in there?

Côme
Ppolicy control missing from supportedControl
Hello,

I have ppolicy overlay correctly set up, but the ppolicy control 1.3.6.1.4.1.42.2.27.8.5.1 is not returned in supportedControl by openldap when querying the root DSE.

Is this a bug or a feature? Is there something to do configuration-wise to fix this?

It is causing problems for PHP automated extension tests: the php-ldap module skips tests depending on whether associated controls are listed by the server or not, but ppolicy is never returned so the ppolicy test cannot run.

Côme
Re: Remove duplicate ppolicy overlay
On Wednesday 6 May 2020, 08:16:35 CEST Quanah Gibson-Mount wrote:
> You need to provide the -F option so it knows where to write the data out
> to.

Thank you very much, that works!

--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
Remove duplicate ppolicy overlay
Hello,

I have a duplicated ppolicy overlay. If I try to delete it using an LDAP operation on the node under cn=config, I get a 53 error.

After searching I found an email on this list ( https://www.openldap.com/lists/openldap-technical/201811/msg00077.html ) which suggests the following procedure:

a) slapcat -n 0 -l /tmp/config.ldif
b) Remove the duplicate entries from /tmp/config.ldif
c) mv /path/to/current/config /path/to/current/config.old; mkdir -p /path/to/current/config
d) slapadd -n 0 -l /tmp/config.ldif

But this does not work, because when calling slapadd at the end, it complains that there is no slapd.conf.

Is there some way to tell slapadd what to do? Or do I need to create a slapd.conf file that I remove after?

--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
Re: OATH TOTP LDAP schema?
On Wednesday 4 December 2019, 13:28:36 CET Quanah Gibson-Mount wrote:
> Although perhaps this isn't exactly what was being asked for. I.e., the
> module provides the ability to enable TOTP use with OpenLDAP, whereas
> perhaps you're looking for a way to store data in LDAP as a backend for a
> TOTP system?

Yes, this is more what I was looking for. How does the module handle the storing, there is no specific schema for this?

--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
OATH TOTP LDAP schema?
Hello,

We are working on implementing TOTP support in our application based on LDAP, and are looking for an LDAP schema for this.

I found https://oath-ldap.stroeder.com but I can’t seem to find the LDAP schema for this, allowing user tokens to be stored.

Does anyone know if there is a publicly accessible schema for this?

--
Côme Chilliet
FusionDirectory - https://www.fusiondirectory.org
Re: Extensible filters and ordering searches: filtering shadowExpire by range?
On Tuesday 18 June 2019, 12:36:56 CEST Quanah Gibson-Mount wrote:
> > So, there is no way to filter on shadowExpire values which are less than
> > today's timestamp?
>
> shadowExpire is defined as an integer type, not as a timestamp, so no.
>
> > It sounds crazy that such basic needs are not covered by LDAP protocol,
> > have I missed something?
>
> It's not clear to me what this has to do with the LDAP protocol. The
> definition of the "expire" field from /etc/shadow is:
>
> Expire : days since Jan 1, 1970 that account is disabled i.e. an absolute
> date specifying when the login may no longer be used.
>
> So it's an integer (just as the RFC defines it). I would imagine you could
> write something that converts a current timestamp into the number of days,
> etc, and then perform a search.

Yeah, this is what I was calling timestamp, sorry. Getting the integer for today is easy, but it seems there is no way of writing a search filter with greater-than or less-than for this attribute.

It has to do with the LDAP protocol in that LDAP lets schemas define attributes in ways that forbid substring and range filters. We should be able to use extensible filters for these, and specify which ordering or substring rule we want to see used. And if attributes using integer syntax were to default to integerOrdering when not specified, that would seem more sane.

Côme
Re: Extensible filters and ordering searches: filtering shadowExpire by range?
Hello,

It seems there is the same limitation for ordering, it is not possible to use extensible filters for this.

So, there is no way to filter on shadowExpire values which are less than today’s timestamp?

It sounds crazy that such basic needs are not covered by LDAP protocol, have I missed something?

Côme
Re: Extensible filters and substring searches
On Monday 27 May 2019, 07:45:34 CEST Quanah Gibson-Mount wrote:
> That's an IA5 string, so use either:
>
> caseExactIA5SubstringsMatch
> or
> caseIgnoreIA5SubstringsMatch
>
> I.e., the matching rules should match the syntax.

So what would the syntax be? Because I get the error posted earlier anyway:

> ldapsearch [options] "(ipHostNumber:1.3.6.1.4.1.1466.109.114.3:=10.*)" dn
> # extended LDIF
> #
> # LDAPv3
> # base with scope subtree
> # filter: (ipHostNumber:1.3.6.1.4.1.1466.109.114.3:=10.*)
> # requesting: dn
> #
>
> ldap_search_ext: Bad search filter (-7)

Côme
Re: Extensible filters and substring searches
On Monday 27 May 2019, 12:43:51 CEST Michael Ströder wrote:
> On 5/27/19 12:10 PM, Côme Chilliet wrote:
> > I’m trying to understand if it is possible or not to do a substring
> > search on an attribute which does not specify a substring matching
> > rule.
> Which LDAP syntax is used in the attribute type description?

Well, I’m interested in knowing if it’s possible with any kind of attribute, but the use case I came across was with ipHostNumber:

attributetype ( 1.3.6.1.1.1.1.19 NAME 'ipHostNumber'
  DESC 'IP address'
  EQUALITY caseIgnoreIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{128} )

Côme
Extensible filters and substring searches
Hello,

I’m trying to understand if it is possible or not to do a substring search on an attribute which does not specify a substring matching rule.

I was expecting to be able to use an extensible filter and specify the sub matching rule to use, but it does not seem to work: ldapsearch says "ldap_search_ext: Bad search filter (-7)" as soon as the filter contains an asterisk.

And indeed reading https://tools.ietf.org/html/rfc4515 it does look like extensible filters do not allow asterisks, but it is surprising to me. Is there really no way to do an extensible search on a substring?

I found some examples on the web of such filters, like here: http://www.zytrax.com/books/ldap/apa/search.html

They give these examples:

> # override SUBSTR match with case sensitive match
> sn:caseExactSubstringMatch:=*S* # only finds Smith
> # functionally same as above using OID
> sn:2.5.13.7:=*S*

But these do not work; if I try them in ldapsearch I get bad search filter.

Côme
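The grammar point behind the "Bad search filter (-7)" in this thread and in the shadowExpire ordering thread above, as an added example that is not code from the list or from OpenLDAP: a small RFC 4515 checker for single filter items (no AND/OR/NOT nesting) that classifies the filters quoted in these posts. It shows that an unescaped asterisk is only legal in a substring item (attr=...*...), while the assertion value of an extensible match (attr:rule:=value) must hex-escape it as \2a, which then stands for a literal asterisk rather than a wildcard. The function names are this example's own.

```python
import re

# RFC 4515 lexical pieces for one filter item; AND/OR/NOT nesting is out of scope.
# attributedescription: a descriptor with optional ;options, or a numeric OID
_ATTR = r"(?:[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)*)"
# assertionvalue: anything but NUL ( ) * and backslash, which must be written
# as a backslash plus two hex digits (e.g. \2a for '*'); ASCII-only here.
_VALUE = r"(?:[^\x00()*\\]|\\[0-9A-Fa-f]{2})*"

# simple item: attr filtertype assertionvalue
_SIMPLE = re.compile(rf"({_ATTR})(=|~=|>=|<=)({_VALUE})")
# substring item: attr=[initial]*[any*...][final], the only place an unescaped '*' is legal
_SUBSTRING = re.compile(rf"({_ATTR})=({_VALUE}(?:\*{_VALUE})+)")
# extensible item: [attr][:dn][:matchingrule]:=assertionvalue
_EXTENSIBLE = re.compile(rf"({_ATTR})?(:dn)?(?::({_ATTR}))?:=({_VALUE})")

_SIMPLE_KINDS = {"=": "equality", "~=": "approx",
                 ">=": "greaterOrEqual", "<=": "lessOrEqual"}


def classify(filter_str):
    """Return the RFC 4515 item kind of filter_str, or raise ValueError."""
    body = filter_str.strip()
    if body.startswith("(") and body.endswith(")"):
        body = body[1:-1]
    m = _EXTENSIBLE.fullmatch(body)
    if m:
        attr, _dnattrs, rule, _value = m.groups()
        if attr is None and rule is None:
            raise ValueError("extensible match needs an attribute or a matching rule")
        # The value group cannot contain an unescaped '*', so a match here is
        # never a wildcard search, whatever matching rule was named.
        return "extensible"
    m = _SIMPLE.fullmatch(body)
    if m:
        return _SIMPLE_KINDS[m.group(2)]
    m = _SUBSTRING.fullmatch(body)
    if m:
        return "present" if m.group(2) == "*" else "substring"
    raise ValueError(f"bad search filter: {filter_str}")


def is_valid(filter_str):
    """True when filter_str is a well-formed RFC 4515 item."""
    try:
        classify(filter_str)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for f in ["(sn=*S*)",                            # substring: wildcard is fine
              "(sn:caseExactSubstringMatch:=*S*)",   # zytrax example: rejected
              "(sn:2.5.13.7:=\\2aS\\2a)",            # parses, but \2a is a literal '*'
              "(shadowExpire<=18000)"]:              # ordering item, syntactically fine
        print(f, "->", classify(f) if is_valid(f) else "bad search filter")
```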
Re: placeholder problems
On Thursday 8 February 2018, 09:59:03 CET Joeri Casteels wrote:
> Now i would like to assign them directly to the correct unix group depending
> on the base you start from or Primary group you select.
> If i use this placeholder: Home directory*: /home/%primaryGroup%/%uid% i get
> the option in the template to select my primary group but it does not fill in
> the Home Directory correctly nor does it fill in the correct group.

Hum, primaryGroup is not an LDAP field so I don’t think you can use it like that. You can use %gidNumber% but I’m not sure it will help.
You can open an issue to make the primary group name available as %primaryGroup% in templates but I can’t guarantee it will be added.

> Also setting the password expiration does not work correctly with the info on
> the website under placeholder. I tried epoch time and it does not work at all
> to fetch the day of today and add 4 years on top for example. Even just
> fetching the day of today does not work under unix Password Expiration data:

The epoch modifier was added in FusionDirectory 1.2.1 which is not out yet.

> Then there is another small matter i would like to know if there is an easy
> change for this. My users are allowed to change some info on their own but
> none of them find the edit button since it’s in the bottom right corner where
> nobody looks. Is it possible to make these buttons directly under the last
> frame? Can I edit this myself in the code?

You can create your own CSS theme in which you can change the button display.
See https://fusiondirectory-developer-documentation.readthedocs.io/en/latest/themes/themes.html#replacements-of-css-and-tpl-files

Côme
Re: plugin rsyslog
On Wednesday 7 February 2018, 15:59:18 CET Albert Shih wrote:
> Hi everyone,
>
> I try to install the rsyslog plugin but failed with this message

The rsyslog plugin was removed some versions ago.

> If it's the case how can I keep a log of « who does this, who does that? »

If what you want is to track what users are doing inside FD, you can use the audit plugin.

Côme
Re: [Q] what is the best practice or right way to change schemas order for cn=config case?
On Thursday 21 December 2017, 19:14:13 CET Zeus Panchenko wrote:
> it is one of the causes making me delay the switch to cn=config
> topology ... :(
>
> all scenarios described look too artificial ... since the very
> elementary and simple operation (editing config file) becomes a pain ...
>
> especially when I need to reorder schema files on many hosts ...
>
> I was sure I'm missing something in how to handle such tasks ...

Hello,

We have a tool to help with this called ldap-schema-manager. It does not have its own repo yet, you can find it here: https://gitlab.fusiondirectory.org/fusiondirectory/schema2ldif

It does not have a reorder feature yet but it’s the kind of thing that could be added. It supports insertion, update, listing and erasing (emptying - removal support should be added now that openldap supports it).

Côme
PHP-LDAP added EXOP support with PHP 7.2
Hello,

Some people on IRC thought this was worth mentioning here.

PHP 7.2.0 was released a few weeks ago: https://secure.php.net/archive/2017.php#id2017-11-30-1

It adds support for LDAP EXOP in the ldap module, here are the new functions:
https://secure.php.net/manual/en/function.ldap-exop.php
https://secure.php.net/manual/en/function.ldap-parse-exop.php
https://secure.php.net/manual/en/function.ldap-exop-passwd.php
https://secure.php.net/manual/en/function.ldap-exop-whoami.php

Note that support for LDAP controls is in the git branch for PHP 7.3.

Do not hesitate to have a look and give feedback about this, it’s way easier to change things before the first release as PHP has a strong backward compatibility policy.

Côme
Re: What is the current OLC way to replace the nis schema with the rfc2307bis schema?
On Friday 29 September 2017, 07:45:53 CEST John Lewis wrote:
> There is a problem. There wasn't delete support in OLC 2.4 2012 in
> http://www.openldap.org/lists/openldap-technical/201204/msg00245.html.
>
> OLC does support delete in 2.5 as of 2013
> https://www.slideshare.net/ldapcon/whats-new-in-openldap.
>
> Since that has been established, what is the least hacky way to replace
> the nis schema with the rfc2307bis schema in 2.4?

Using ldap-schema-manager from https://github.com/fusiondirectory/schema2ldif/tree/1.3-fixes (or one of the repos in http://repos.fusiondirectory.org/fusiondirectory-extra/ - the package schema2ldif contains both tools) should help you.

You can run "ldap-schema-manager -e nis.schema" to empty the nis schema (it will not remove it because as you noted removal is not possible in 2.4, but it will empty all its attributes).
Then you can run "ldap-schema-manager -i rfc2307bis.schema".

Côme
Controls answers, OID unicity
Hello,

As some may know I’m working toward supporting controls in php-ldap.

I’m facing two questions regarding controls to help me build the API:

- Is it possible to have several controls with the same OID in a request or response? (if not it would allow me to parse the answer to a control hash with oid as keys)
  -> I tried to put twice the same control with «LDAP_CONTROL_PRE_READ» and got the error "preread control: specified multiple times", but I do not know if this is specific to preread or if it’s a rule.
- Is the critical field of controls used in responses? It seems the openldap server always leaves it false (or I’m failing to parse it).

I could not find information about these subjects in RFC 2251, if there is another RFC on this subject bringing more information do not hesitate to point me to it :-)

Côme
ppolicy and controls
Hello,

I’m trying to understand how to use controls and EXOP with ppolicy overlay.

I can get controls in the result from bind to get info like expired password.

I can use an exop to change the password, in which case an invalid password will get refused, but I’m not sure how to get the ppolicy reason for the refusal.

There is ldap_parse_passwordpolicy_control but I don’t know how to get a control object to give to it. ldap_passwd_s does not return a result object in which to search for controls.
It does take serverctrls and clientctrls as parameters but looking at the code it seems serverctrls is an input parameter, I’m not sure what it can be useful for. And clientctrls seems ignored, is it unused or deprecated?

Côme
Re: EXOPs for PHP LDAP
On Monday 17 July 2017, 18:18:47 CEST Emmanuel Dreyfus wrote:
> Côme Chilliet <c...@opensides.be> wrote:
> > I don't know what ldap_refresh is for and never used it.
>
> it lets you change the expiry date of dynamic objects, cf slapo-dds man
> page.
>
> Here is the previous implementation, I am not sure of what has to be
> changed. I understood TSRMLS_CC had to go for instance, but is there
> anything else?

https://wiki.php.net/phpng-upgrading

zval** should be changed for zval* (and zval* for zval).

For consistency I would call the method ldap_exop_refresh and return newttl instead of using an out parameter.

Côme
Re: EXOPs for PHP LDAP
On Saturday 15 July 2017, 05:02:14 CEST Emmanuel Dreyfus wrote:
> I see the thing has been committed, which is nice. It seems ldap_refresh
> is missing, though. Was it omitted on purpose?

Well, I had to adapt/rewrite the code for PHP7 so I started small with the two most used EXOPs I’ve heard of. I don’t know what ldap_refresh is for and never used it.

If you think it needs a helper please open a bug on the PHP bug tracker or send a patch to add it. In the meantime you should be able to use the generic ldap_exop with the constant LDAP_EXOP_REFRESH.
Re: Stopping pagination
On Tuesday 11 July 2017, 20:48:57 Dieter Kluenter wrote:
> You should read the RFC more carefully, in particular section 3.
> A page size of 0 only returns 0 results, but does not disable the
> search control.
> If you want to disable a size limit, you may read section 6.

This is what I saw in section 3 that made me think a pagesize of 0 would stop pagination:

«A sequence of paged search requests is abandoned by the client sending a search request containing a pagedResultsControl with the size set to zero (0) and the cookie set to the last cookie returned by the server.»

I don’t see anything in section 6 regarding stopping pagination. So I’m not sure how to stop pagination once it’s activated.

Côme
Stopping pagination
Hello,

Once a pagination server control is set with ldap_set_option, it seems impossible to cancel pagination by sending a pagination control with 0 as pagesize.

What I mean is calling ldap_set_option to set a pagination control (let’s say page size is 4), then starting a search, then calling ldap_set_option to set the pagination control with page size of 0 (and with the cookie returned by the search). Then trying to start a new search will return 0 entries.

From what I understood in https://www.ietf.org/rfc/rfc2696.txt I thought a page size of 0 would disable pagination but it does not seem to work. Am I missing something?

Côme
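The control value this thread is about, as an added example that is not code from the list, php-ldap or OpenLDAP: a Python encoder/decoder for the RFC 2696 pagedResultsControl value (SEQUENCE { size INTEGER, cookie OCTET STRING }) with a constructed in-memory server and client loop, so the exchange (page size and cookie out, estimate and next cookie back, size 0 plus the last cookie to abandon) can be stepped through offline. The offset-based cookie and the mock server's reply on abandon are assumptions of this example, not observed OpenLDAP behaviour.

```python
# RFC 2696 pagedResultsControl value: SEQUENCE { size INTEGER, cookie OCTET STRING }.
PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"


def _ber_len(n):
    """Definite-form BER length octets (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for one BER TLV."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    length = first
    if first & 0x80:  # long form: low 7 bits give the number of length octets
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated BER element")
    return tag, buf[pos:pos + length], pos + length


def encode_paged_results_value(size, cookie=b""):
    if not 0 <= size <= 2**31 - 1:
        raise ValueError("size must be in INTEGER (0..maxInt)")
    size_bytes = size.to_bytes((size.bit_length() + 8) // 8, "big")  # sign bit stays 0
    inner = (b"\x02" + _ber_len(len(size_bytes)) + size_bytes
             + b"\x04" + _ber_len(len(cookie)) + cookie)
    return b"\x30" + _ber_len(len(inner)) + inner


def decode_paged_results_value(data):
    tag, seq, end = _read_tlv(data, 0)
    if tag != 0x30 or end != len(data):
        raise ValueError("expected exactly one SEQUENCE")
    tag, size_bytes, pos = _read_tlv(seq, 0)
    if tag != 0x02:
        raise ValueError("expected INTEGER size")
    tag, cookie, pos = _read_tlv(seq, pos)
    if tag != 0x04 or pos != len(seq):
        raise ValueError("expected OCTET STRING cookie")
    return int.from_bytes(size_bytes, "big", signed=True), cookie


def serve_page(entries, request_value):
    """Constructed mock server: the cookie is simply the offset of the next entry."""
    size, cookie = decode_paged_results_value(request_value)
    if size == 0:
        # RFC 2696 section 3: size 0 with the last cookie abandons the paged
        # sequence; this mock answers with no entries and an empty cookie.
        return [], encode_paged_results_value(0, b"")
    offset = int.from_bytes(cookie, "big") if cookie else 0
    page = entries[offset:offset + size]
    nxt = offset + len(page)
    next_cookie = b"" if nxt >= len(entries) else nxt.to_bytes(2, "big")
    # The response size field is the server's estimate of the total entry count.
    return page, encode_paged_results_value(len(entries), next_cookie)


def fetch_all(entries, page_size):
    """Client loop: resend the search with the returned cookie until it is empty."""
    cookie, pages = b"", []
    while True:
        page, resp = serve_page(entries, encode_paged_results_value(page_size, cookie))
        pages.append(page)
        _estimate, cookie = decode_paged_results_value(resp)
        if not cookie:
            return pages
```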
Re: EXOPs for PHP LDAP
On Thursday 29 June 2017, 05:23:58 Emmanuel Dreyfus wrote:
> Côme Chilliet <c...@opensides.be> wrote:
>
> > I'm currently working on a PHP RFC to add EXOP handling to php-ldap.
> > The draft is here: https://wiki.php.net/rfc/ldap_exop
>
> FWIW I have been maintaining Pierangelo Masarati's exop patch for a
> while (for PHP 4, then PHP 5.4, 5.5, and 5.6). The patch has been
> available in NetBSD's pkgsrc:
> http://cvsweb.netbsd.org/bsdweb.cgi/pkgsrc/databases/php-ldap/files/
>
> I might need to do the 7.1 port soon.

Yeah, I know that, this updated patch was signaled on the PHP bug tracker a few weeks ago: https://bugs.php.net/bug.php?id=69445

I already extracted the EXOP part and ported it to PHP master, you can find the result here: https://github.com/MCMic/php-src/tree/ldap_exop

But the API will most likely change to match what is described in the RFC.

Côme
EXOPs for PHP LDAP
Hello,

I’m currently working on a PHP RFC to add EXOP handling to php-ldap. The draft is here: https://wiki.php.net/rfc/ldap_exop

You are welcome to comment on any aspect of the RFC, but I would especially want to know:
- Which are the EXOPs actually used by people out there?
- Is there any EXOP using the responseName field? In the RFCs I read there is always something like «an ExtendedResponse where the responseName field is absent» or «The responseName field contains the same string as that present in the request.»

Côme
Modification of objectClass failing: how can I get details?
Hello,

I’m trying to modify an LDAP node to change its objectClasses:

dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
cn: canon-c5250
description:: Q2Fub24gSVIgQURWIEM1MjUwIA==
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:12:12:12:12:12
objectClass: top
objectClass: gotoPrinter

I want to remove gotoPrinter objectClass which is flagged as OBSOLETE and instead use fdPrinter, ipHost and ieee802Device. I try with an ldif with the following content:

dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: modify
replace: objectClass
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

I get:

ldapadd -D cn=admin,dc=xxx,dc=xxx -f modify.ldif -W
ldap_modify: Object class violation (65)

How can I get more information? I don’t know which violation that could be, as I am able to insert a second object with no problem which looks like what I want:

dn: cn=test-print,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: add
cn: test-print
description: test
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:22:12:12:22:22
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

Here are the class definitions:

objectclass (1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
  DESC 'GOto - Gonicus Terminal Concept, objectclass'
  SUP top STRUCTURAL OBSOLETE
  MUST ( cn )
  MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $ ipHostNumber $ gotoUserPrinter $ gotoUserAdminPrinter $ gotoGroupPrinter $ gotoGroupAdminPrinter $ printerWindowsInfFile $ printerWindowsDriverDir $ printerWindowsDriverName) )

objectclass ( 1.3.6.1.4.1.38414.16.2.5 NAME 'fdPrinter'
  DESC 'FusionDirectory printer class'
  MUST ( cn )
  MAY ( labeledURI $ fdPrinterWindowsInfFile $ fdPrinterWindowsDriverDir $ fdPrinterWindowsDriverName $ fdPrinterUsers $ fdPrinterAdminUsers))

Côme