Re: How do I allow root to edit mdb database?

2016-08-02 Thread Ryan Tandy

On Tue, Aug 02, 2016 at 12:37:58AM -0400, John Lewis wrote:

How do I allow root aka
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
olcDatabase={1}mdb,cn=config.


Besides olcAuthzRegexp mentioned by other posters, setting up an explicit 
access control entry for that DN is another option.


If you installed slapd from the Debian archive, the default access rules 
for the config database include:


# Config db settings
dn: olcDatabase=config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: config
# Allow unlimited access to local connection from the local root user
olcAccess: to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break

You could grant root-like access to the root user by copying that access 
line to your mdb database.
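As an added example, not part of Ryan's message, here is the LDIF change record that copies that rule onto the mdb database. It assumes the Debian layout (the database entry is olcDatabase={1}mdb,cn=config) and adds a {0} ordering prefix so the new rule is evaluated before any existing rule ending in "by * none", which would otherwise stop evaluation before root is matched.

```ldif
# Added example (not from the thread): grant the local root user, as
# identified by SASL EXTERNAL over ldapi, manage rights on the mdb database.
# Assumption: Debian layout, where the first database is olcDatabase={1}mdb.
# {0} puts the rule first; "by * break" hands every other client on to the
# existing rules, so their behaviour is unchanged.
dn: olcDatabase={1}mdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
```

Apply it as root over the local socket with `ldapmodify -Y EXTERNAL -H ldapi:/// -f root-mdb-acl.ldif`. Any process running as uid 0 on the host then has manage rights on the whole database through ldapi, so the rule is only as trustworthy as local root.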




Modification of objectClass failing: how can I get details?

2016-08-02 Thread Côme Chilliet
Hello,

I’m trying to modify an LDAP node to change its objectClasses:
dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
cn: canon-c5250
description:: Q2Fub24gSVIgQURWIEM1MjUwIA==
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:12:12:12:12:12
objectClass: top
objectClass: gotoPrinter

I want to remove gotoPrinter objectClass which is flagged as OBSOLETE and 
instead use fdPrinter, ipHost and ieee802Device.
I try with an ldif with the following content:
dn: cn=canon-c5250,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: modify
replace: objectClass
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

I get:
ldapadd -D cn=admin,dc=xxx,dc=xxx -f modify.ldif -W
ldap_modify: Object class violation (65)

How can I get more information? I don’t know which violation that could be, as 
I am able to insert a second object with no problem which looks like what I 
want:
dn: cn=test-print,ou=printers,ou=systems,dc=xxx,dc=xxx
changetype: add
cn: test-print
description: test
labeledURI: ipp://127.0.0.1
ipHostnumber: 127.0.0.1
macAddress: 12:22:12:12:22:22
objectClass: fdPrinter
objectClass: ieee802Device
objectClass: ipHost
objectClass: top

Here are the classes definitions:
objectclass ( 1.3.6.1.4.1.10098.1.2.1.31 NAME 'gotoPrinter'
  DESC 'GOto - Gonicus Terminal Concept, objectclass' SUP top STRUCTURAL
  OBSOLETE
  MUST ( cn )
  MAY ( labeledURI $ description $ l $ gotoPrinterPPD $ macAddress $
        ipHostNumber $ gotoUserPrinter $ gotoUserAdminPrinter $
        gotoGroupPrinter $ gotoGroupAdminPrinter $ printerWindowsInfFile $
        printerWindowsDriverDir $ printerWindowsDriverName ) )

objectclass ( 1.3.6.1.4.1.38414.16.2.5 NAME 'fdPrinter'
  DESC 'FusionDirectory printer class'
  MUST ( cn )
  MAY ( labeledURI $ fdPrinterWindowsInfFile $ fdPrinterWindowsDriverDir $
        fdPrinterWindowsDriverName $ fdPrinterUsers $ fdPrinterAdminUsers ) )

Côme



Re: password policies not functioning properly

2016-08-02 Thread Kruger, P (Justid)

Just found the problem and the solution to the problem that policies were not 
working.

It occurred that there was also a (probably mistakenly) second config module 
activated.
The module I had configured with ppolicy was not used. The extra module that 
was active did not have the ppolicy overlay loaded.

After correcting this, all seems to work as expected.


password policies not functioning as expected

2016-08-02 Thread Kruger, P (Justid)
Just found the problem and the solution.
It occurred that there was also a (probably mistakenly) second config module 
activated.

The module I had configured with ppolicy was not used. The extra module that 
was active did not have the ppolicy overlay loaded.

After correcting this, all seems to work as expected.



-Original message-
From: openldap-technical [mailto:openldap-technical-boun...@openldap.org] On behalf of 
openldap-technical-requ...@openldap.org
Sent: Thursday 28 July 2016 14:00
To: openldap-technical@openldap.org
Subject: openldap-technical Digest, Vol 104, Issue 21


Message: 1
Date: Tue, 26 Jul 2016 12:15:00 -0500
From: Dan Hyatt 
To: Aaron Richton , dhy...@wustl.edu
Cc: openldap-technical@openldap.org
Subject: Re: need to recover slapd password and upgrade openldap
Message-ID: 
Content-Type: text/plain; charset=windows-1252; format=flowed

So, a simpler question...

Can I install a current version of OpenLDAP on a current RedHat/Centos server 
(specially built for this purpose), then use slapcat to export the information 
from the old server and import it to the new server, where the admin password 
is not corrupt?

Can I import the schemas, or are there likely substantial changes to the schemas 
across versions?

My goals are to create a new LDAP server running Centos/Redhat, transfer
20 users and allow them to keep their existing passwords, allow them to access 
my servers, allow them authentication to samba, and create an LDAP slave (or 
cluster); not sure if syncrepl is the current way to go.

I have root to the server, but I do not have the admin password to the Openldap 
2.2 as it became corrupted somehow.


On 07/24/2016 09:15 PM, Aaron Richton wrote:
> On Fri, 22 Jul 2016, Dan Hyatt wrote:
>
>> My admin openLDAP 2.2 password became corrupt in the last week and I 
>> cannot 
> [...]
>> I found some instructions which seem simple risky and no backout 
>> strategy. Simply running
>> http://techiezone.rottigni.net/2011/12/change-root-dn-password-on-openldap/ 
>>
>
> That link (apparently from 2011) doesn't apply to your software from 
> 2003. There's no back-config in OpenLDAP 2.2. So don't try that...

@(#) $OpenLDAP: slapd 2.2.13 (Nov 26 2010 07:45:22) $
mockbu...@x86-003.build.bos.redhat.com:/builddir/build/BUILD/openldap-2.2.13/openldap-2.2.13/build-servers/servers/slapd
>
> [...]
>> Having the LDAP on two separate hyper visors (with local disks) to 
>> avoid the storage/authentication chicken/egg
>> Is there a better upgrade plan
>
> Are you saying that your one and only LDAP server uses itself for its 
> own A?
Authentication and Authorization?
The server provides authentication and authorization for my group. The 
server only does LDAP and home dirs.
I want to upgrade it to Centos 6.8 or Centos  7 (that is equal to redhat 
6.8 or redhat 7)  on a hypervisor with a slave running the current 
favored release.
>
> [...]
>> I have the log files, is there a way to backout to last week without 
>> the admin password (which became corrupt last week).
>
> I'm not sure what you're referring to by "log files." The general-case 
> OpenLDAP backup tool is slapcat(8). Hopefully you have been running it 
> routinely. The resulting LDIF can be easily inspected; if you have 
> enough backups, you might even be able to find one without corruption.

We took over responsibility for the LDAP in December; there was not a happy 
handoff... no documentation... just the password, and we had to move it to the 
new VLAN.





Re: How do I allow root to edit mdb database?

2016-08-02 Thread Hallvard Breien Furuseth

On 02. aug. 2016 14:45, John Lewis wrote:

On 08/02/2016 08:29 AM, John Lewis wrote:

On 08/02/2016 08:17 AM, Hallvard Breien Furuseth wrote:

(...)
Set the global directive olcAuthzRegexp (in cn=config) aka authz-regexp
(in slapd.conf) to
"^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external$"
"cn=Manager,dc=example,dc=com"

(...)
failed to modify olcDatabase={1}mdb,cn=config - LDAP error 65
LDAP_OBJECT_CLASS_VIOLATION -   <>


*Global* directive.  Set it on the "cn=config" entry.
I should have added, maybe olcAuthzRegexp is already set,
in which case you can add to it.  You can't map the same
DN to several different DNs, but you can map different
DNs to various DNs - same or different.

--
Hallvard




Re: How do I allow root to edit mdb database?

2016-08-02 Thread John Lewis
On 08/02/2016 08:29 AM, John Lewis wrote:
> On 08/02/2016 08:17 AM, Hallvard Breien Furuseth wrote:
>> On 02. aug. 2016 13:15, John Lewis wrote:
>>> If I wanted to map the permissions from
>>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to my
>>> olcRootDN: which I will call cn=Manager,dc=example,dc=com which is the
>>> olcRootDN: for dn: olcDatabase={1}mdb,cn=config, how would I do it?
>> Set the global directive olcAuthzRegexp (in cn=config) aka authz-regexp
>> (in slapd.conf) to
>> "^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external$"
>> "cn=Manager,dc=example,dc=com"
>>
>>
> Slapd.conf? That is deprecated so I don't use it at all. I use ldapvi or
> ldbedit instead and connect using cn=config as the base and
> cn=admin,cn=config as the bind dn.
>
> They both render the directory as a file and run the ldap query behind
> the scenes.
>
>
I thought I figured out what you meant and I tried to add olcAuthzRegexp
as an attribute but I got this error.

failed to modify olcDatabase={1}mdb,cn=config - LDAP error 65
LDAP_OBJECT_CLASS_VIOLATION -   <>




Re: How do I allow root to edit mdb database?

2016-08-02 Thread John Lewis
On 08/02/2016 08:17 AM, Hallvard Breien Furuseth wrote:
> On 02. aug. 2016 13:15, John Lewis wrote:
>> If I wanted to map the permissions from
>> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to my
>> olcRootDN: which I will call cn=Manager,dc=example,dc=com which is the
>> olcRootDN: for dn: olcDatabase={1}mdb,cn=config, how would I do it?
>
> Set the global directive olcAuthzRegexp (in cn=config) aka authz-regexp
> (in slapd.conf) to
> "^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external$"
> "cn=Manager,dc=example,dc=com"
>
>
Slapd.conf? That is deprecated so I don't use it at all. I use ldapvi or
ldbedit instead and connect using cn=config as the base and
cn=admin,cn=config as the bind dn.

They both render the directory as a file and run the ldap query behind
the scenes.





Re: How do I allow root to edit mdb database?

2016-08-02 Thread Hallvard Breien Furuseth

On 02. aug. 2016 13:15, John Lewis wrote:

If I wanted to map the permissions from
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to my
olcRootDN: which I will call cn=Manager,dc=example,dc=com which is the
olcRootDN: for dn: olcDatabase={1}mdb,cn=config, how would I do it?


Set the global directive olcAuthzRegexp (in cn=config) aka authz-regexp
(in slapd.conf) to
"^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external$" 
"cn=Manager,dc=example,dc=com"



--
Hallvard



Re: How do I allow root to edit mdb database?

2016-08-02 Thread John Lewis
On 08/02/2016 05:15 AM, Dieter Klünter wrote:
> Am Tue, 2 Aug 2016 00:37:58 -0400
> schrieb John Lewis :
>
>> How do I allow root aka
>>  to edit
>> olcDatabase={1}mdb,cn=config. I am trying to configure ldapscripts
>> , but the idea of
>> having a password in the clear is just disturbing.
> There is no password involved, if this is handled correctly. The idea is
> that the posix account of root is bound to uid number 0 and group id number
> 0. While data transport is done over ldapi (IPC) and a SASL EXTERNAL
> mechanism is called, the ipc function provides permission information to the
> operation. This permission id is mapped onto the rootdn of cn=config.
> [...]
>
> -Dieter
>
If I wanted to map the permissions from
dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to my
olcRootDN: which I will call cn=Manager,dc=example,dc=com which is the
olcRootDN: for dn: olcDatabase={1}mdb,cn=config, how would I do it?





Re: How do I allow root to edit mdb database?

2016-08-02 Thread Dieter Klünter
Am Tue, 2 Aug 2016 00:37:58 -0400
schrieb John Lewis :

> How do I allow root aka
> dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external to edit
> olcDatabase={1}mdb,cn=config. I am trying to configure ldapscripts
> , but the idea of
> having a password in the clear is just disturbing.

There is no password involved, if this is handled correctly. The idea is
that the posix account of root is bound to uid number 0 and group id number
0. While data transport is done over ldapi (IPC) and a SASL EXTERNAL
mechanism is called, the ipc function provides permission information to the
operation. This permission id is mapped onto the rootdn of cn=config.
[...]

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
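As an added example, not taken from Hallvard's or Dieter's messages, here is the cn=config change that sets the global olcAuthzRegexp Hallvard describes, mapping the peer-credential identity Dieter explains onto the database's rootdn. It assumes the rootdn cn=Manager,dc=example,dc=com from John's question and the identity string with the trailing ",cn=auth" as it appears in Ryan's Debian ACL earlier in the thread.

```ldif
# Added example (not from the thread). olcAuthzRegexp is an attribute of the
# olcGlobal entry, so the target is cn=config itself; adding it to
# olcDatabase={1}mdb,cn=config is what fails with "Object class violation (65)".
# Assumptions: rootdn is cn=Manager,dc=example,dc=com (John's question) and
# the SASL identity carries the trailing ",cn=auth" (Ryan's Debian ACL).
# Confirm the exact string first with: ldapwhoami -Y EXTERNAL -H ldapi:///
# {0} puts this rule first; the first matching pattern wins.
dn: cn=config
changetype: modify
add: olcAuthzRegexp
olcAuthzRegexp: {0}^gidNumber=0[+]uidNumber=0,cn=peercred,cn=external,cn=auth$ cn=Manager,dc=example,dc=com
```

After `ldapmodify -Y EXTERNAL -H ldapi:/// -f authz-regexp.ldif`, running `ldapwhoami -Y EXTERNAL -H ldapi:///` as root should report dn:cn=Manager,dc=example,dc=com; since the rootdn bypasses ACLs on its database entirely, the mapping is only as safe as root on the host.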