RE: Disable uniqueness for mail Attribute
--On Thursday, February 29, 2024 8:11 PM + CALDEIRA JAVIEL Sandro wrote:

> Hi Quanah,
>
> I am running openldap from bitnami docker -
> https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12
>
> So there is not slapd.conf:
>
> $ slapcat -n 0
> could not stat config file "/opt/bitnami/openldap/etc/openldap/slapd.conf": No such file or directory (2)
> slapcat: bad configuration file!

So clearly not using slapd.conf. I realize you do have to specify -F /path/to/slapd/config for the slapcat to work.

But since you searched the config and there's no slapo-unique loaded, you're not using it. This would imply that your database has bad data in it, where there are duplicate values for the "mail" attribute IN a single entry like:

uid=joe,ou=whatever,dc=example,dc=org
...
mail: j...@example.com
mail: j...@example.com

Would count as duplicates, for example. Most likely validation checks during slapadd were improved between 2.4 and 2.6, so those errors are now being caught. You'll need to clean your database to be correct.

--Quanah
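A way to locate the bad entries Quanah describes before re-running slapadd is to scan the slapcat export for entries that carry the same value more than once in a single attribute. The script below is an added example, not code from the thread or from OpenLDAP; the LDIF it ships with is constructed, and the entry names and addresses in it are made up. It compares values case-insensitively because the mail attribute's equality rule is caseIgnoreIA5Match, so "joe@example.org" and "Joe@Example.org" are the same value to the server, and it decodes base64 ("mail::") values, which a plain grep would miss.

```python
import base64
from collections import defaultdict

# Constructed sample LDIF (not from the thread), modelled on the situation
# Quanah describes: "joe" carries the same mail value twice, differing only
# in case; "bob" carries it once in clear and once base64-encoded (LDIF's
# "attr::" form); "alice" has two distinct addresses, which is legitimate.
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=org
objectClass: inetOrgPerson
cn: Alice Example
sn: Example
mail: alice@example.org
mail: alice.example@example.org

dn: uid=joe,ou=whatever,dc=example,dc=org
objectClass: inetOrgPerson
cn: Joe Example
sn: Example
mail: joe@example.org
mail: Joe@Example.org

dn: uid=bob,ou=other,dc=example,dc=org
objectClass: inetOrgPerson
cn: Bob Example
sn: Example
mail: bob@example.org
mail:: Ym9iQGV4YW1wbGUub3Jn
"""


def parse_ldif(text):
    """Return a list of (dn, {attribute-name-lowercased: [values]}).

    Covers what slapcat output uses: folded continuation lines (leading
    space), base64 values ("attr:: ..."), and blank-line entry separators.
    Comments and the "version:" line are skipped.
    """
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # unfold continuation line
        else:
            logical.append(raw)

    entries = []
    dn, attrs = None, defaultdict(list)
    for line in logical + [""]:             # trailing "" flushes the last entry
        if line == "":
            if dn is not None:
                entries.append((dn, dict(attrs)))
            dn, attrs = None, defaultdict(list)
            continue
        if line.startswith("#") or line.lower().startswith("version:"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):           # base64-encoded value
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        else:
            attrs[name.lower()].append(value)
    return entries


def find_duplicate_values(text, attr="mail"):
    """Return [(dn, [value, ...])] for entries in which `attr` holds the same
    value more than once.  Values are compared case-insensitively, since
    mail's equality rule is caseIgnoreIA5Match; the first spelling seen is
    reported."""
    findings = []
    for dn, attrs in parse_ldif(text):
        first_seen = {}
        dups = []
        for value in attrs.get(attr.lower(), []):
            key = value.lower()
            if key in first_seen:
                if first_seen[key] not in dups:
                    dups.append(first_seen[key])
            else:
                first_seen[key] = value
        if dups:
            findings.append((dn, dups))
    return findings


if __name__ == "__main__":
    import sys
    # usage: python check_dups.py /tmp/data.ldif  (defaults to the sample)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    for dn, values in find_duplicate_values(text):
        print(f"{dn}: duplicate mail value(s) {values}")
```

Run it against the output of slapcat -n 1 (or whichever database number holds the user data) and fix the reported entries in the LDIF before loading it into 2.6; the second argument lets the same check be applied to any other attribute.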
RE: Disable uniqueness for mail Attribute
Hi Quanah,

I am running openldap from bitnami docker - https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12

So there is not slapd.conf:

$ slapcat -n 0
could not stat config file "/opt/bitnami/openldap/etc/openldap/slapd.conf": No such file or directory (2)
slapcat: bad configuration file!

Nevertheless, I ran this search:

ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config > /bitnami/openldap/data/config

And tried to find the related config:

$ grep -i unique config
r uniquely identifying a user in an administrative domain' EQUALITY integerMa
r uniquely identifying a group in an administrative domain' EQUALITY integerM
olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X
.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.1
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique me
mber of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a gr
oup of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uni
ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR
olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
 $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre

$ grep -I overlay config
olcObjectIdentifier: olmOverlayAttributes olmSubSystemAttributes:2
olcObjectIdentifier: olmOverlayObjectClasses olmSubSystemObjectClasses:2
olcObjectIdentifier: olmSyncReplAttributes olmOverlayAttributes:1
olcObjectIdentifier: olmSyncReplObjectClasses olmOverlayObjectClasses:1
olcAttributeTypes: ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VAL
olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC '
name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODI
olcObjectClasses: ( OLcfgGlOc:5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay
-specific options' SUP olcConfig STRUCTURAL MUST olcOverlay MAY olcDisabled )
abeledURI $ monitoredInfo $ managedInfo $ monitorOverlay ) )
ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov

So it seems I have nothing in my config for unique. The only olcOverlay in use is for syncprov.

Another point: Inside container I have some modules in folder /opt/bitnami/openldap/lib/openldap

Among several libs, unique and syncprov:

lrwxrwxrwx 1 root root    17 Aug 18  2023 unique.so -> unique.so.2.0.200
lrwxrwxrwx 1 root root    17 Aug 18  2023 unique.so.2 -> unique.so.2.0.200
-rwxr-xr-x 1 root root 39424 Aug 18  2023 unique.so.2.0.200
lrwxrwxrwx 1 root root    19 Aug 18  2023 syncprov.so -> syncprov.so.2.0.200
lrwxrwxrwx 1 root root    19 Aug 18  2023 syncprov.so.2 -> syncprov.so.2.0.200
-rwxr-xr-x 1 root root 92736 Aug 18  2023 syncprov.so.2.0.200

From compose file I enable syncprov for replication environment:

  - LDAP_ENABLE_SYNCPROV=yes

And I can see the files to enable syncprov:

$ cat /opt/bitnami/openldap/share/syncprov_create_overlay_configuration.ldif
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100

-Original Message-
From: Quanah Gibson-Mount
Sent: Thursday, February 29, 2024 5:33 PM
To: CALDEIRA JAVIEL Sandro ; openldap-technical@openldap.org
Subject: RE: Disable uniqueness for mail Attribute

--On Thursday, February 29, 2024 1:35 PM + CALDEIRA JAVIEL Sandro wrote:

> Hi Quanah,
>
> I am not sure how slapo-unique works. I am struggling with the syntax.
> How can I check current config concerning it?

Does your configuration even use slapo-unique? That's the first question you need to answer. Assuming you are using cn=config, you can use slapcat -n 0 -l /tmp/config.ldif to export your full configuration and examine it to see if it uses the unique overlay at all.

--Quanah
Re: memberOf with groupOfNames
On 29.02.24 at 12:00, Stefan Kania wrote:

> up to now I only used:
>
> olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
>
> to dynamically add the Attribute memberOf to all members of a groupOfURLs. Is it possible to do the same with members for groupOfNames and groupOfUniqueNames? If yes, can someone please post the syntax?

You can set it twice:

dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
olcDynListAttrSet: groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames

Best regards
Ulf
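To make the two olcDynListAttrSet lines concrete, the following is an added Python model (not the overlay's code and not from the thread) of what they compute: for every group whose objectClass matches the part after "@", each DN listed in the member attribute (the part before "+") gets the group's DN added to the attribute after "+". The directory snapshot is constructed, the attrset parser handles only the shape used in the reply, and the DN normalization is a deliberate simplification of distinguishedNameMatch. It also shows the one detail that differs between the two lines: uniqueMember values have NameAndOptionalUID syntax, so a "#'...'B" suffix must be stripped before the DN is matched.

```python
# Constructed directory snapshot (not from the thread): three users, one
# groupOfNames and one groupOfUniqueNames.  Each entry is a dict of
# attribute -> list of values, as a client library would hand them back.
ENTRIES = [
    {"dn": "uid=alice,ou=people,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"]},
    {"dn": "uid=bob,ou=people,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"]},
    {"dn": "uid=carol,ou=people,dc=example,dc=org",
     "objectClass": ["inetOrgPerson"]},
    {"dn": "cn=admins,ou=groups,dc=example,dc=org",
     "objectClass": ["top", "groupOfNames"],
     # second DN spelled with upper-case attribute types: still the same DN
     "member": ["uid=alice,ou=people,dc=example,dc=org",
                "UID=bob,OU=people,DC=example,DC=org"]},
    {"dn": "cn=legacy,ou=groups,dc=example,dc=org",
     "objectClass": ["top", "groupOfUniqueNames"],
     # uniqueMember has NameAndOptionalUID syntax: a DN optionally followed
     # by "#" and a bit string; the third value points at a missing entry
     "uniqueMember": ["uid=bob,ou=people,dc=example,dc=org#'0101'B",
                      "uid=carol,ou=people,dc=example,dc=org",
                      "uid=nobody,ou=people,dc=example,dc=org"]},
]

# The two olcDynListAttrSet values from Ulf's reply.
ATTRSET_LINES = [
    "groupOfURLs memberURL member+memberOf@groupOfNames",
    "groupOfURLs memberURL uniqueMember+memberOf@groupOfUniqueNames",
]


def parse_attrset(spec):
    """Split '<group-oc> <URL-ad> <member-ad>+<memberOf-ad>@<static-oc>' into
    (static objectClass, member attribute, memberOf attribute).  Only this
    shape of the dynlist-attrset syntax is handled here."""
    _group_oc, _url_ad, member_part = spec.split()[:3]
    member_spec, _, static_oc = member_part.partition("@")
    member_ad, _, memberof_ad = member_spec.partition("+")
    return static_oc.rstrip("*"), member_ad, memberof_ad


def normalize_dn(dn):
    """Simplified DN normalization: lower-case, no whitespace around commas.
    Real distinguishedNameMatch also handles escaping and per-attribute
    matching rules, which this example ignores."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def strip_optional_uid(value):
    """Drop the optional "#'...'B" suffix of a NameAndOptionalUID value."""
    dn, sep, uid = value.rpartition("#")
    if sep and uid.startswith("'") and uid.endswith("'B"):
        return dn
    return value


def compute_memberof(entries, attrset_lines):
    """Return {member dn: {memberOf attribute: sorted [group dn, ...]}}, the
    values the dynlist overlay would add to member entries on read."""
    by_norm_dn = {normalize_dn(e["dn"]): e["dn"] for e in entries}
    result = {}
    for spec in attrset_lines:
        static_oc, member_ad, memberof_ad = parse_attrset(spec)
        for group in entries:
            classes = {oc.lower() for oc in group.get("objectClass", [])}
            if static_oc.lower() not in classes:
                continue
            for raw in group.get(member_ad, []):
                key = normalize_dn(strip_optional_uid(raw))
                if key not in by_norm_dn:
                    continue            # dangling member: nothing to annotate
                target = by_norm_dn[key]
                result.setdefault(target, {}).setdefault(memberof_ad, set()).add(group["dn"])
    return {dn: {ad: sorted(groups) for ad, groups in attrs.items()}
            for dn, attrs in result.items()}


if __name__ == "__main__":
    for dn, attrs in compute_memberof(ENTRIES, ATTRSET_LINES).items():
        for ad, groups in attrs.items():
            for group_dn in groups:
                print(f"{dn}: {ad}: {group_dn}")
```

With the sample data, bob ends up with two memberOf values, one from each group type, which is exactly the effect of listing the attrset twice; the dangling uniqueMember value is simply ignored, as there is no entry to annotate.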
RE: Disable uniqueness for mail Attribute
--On Thursday, February 29, 2024 1:35 PM + CALDEIRA JAVIEL Sandro wrote:

> Hi Quanah,
>
> I am not sure how slapo-unique works. I am struggling with the syntax.
> How can I check current config concerning it?

Does your configuration even use slapo-unique? That's the first question you need to answer. Assuming you are using cn=config, you can use slapcat -n 0 -l /tmp/config.ldif to export your full configuration and examine it to see if it uses the unique overlay at all.

--Quanah
RE: Disable uniqueness for mail Attribute
Hi Quanah,

I am not sure how slapo-unique works. I am struggling with the syntax. How can I check current config concerning it?

Thanks and regards,
Sandro

-Original Message-
From: Quanah Gibson-Mount
Sent: Wednesday, February 28, 2024 6:27 PM
To: CALDEIRA JAVIEL Sandro ; openldap-technical@openldap.org
Subject: Re: Disable uniqueness for mail Attribute

--On Wednesday, February 28, 2024 7:34 AM + CALDEIRA JAVIEL Sandro wrote:

> Hi,
>
> I have a legacy ldap instance (openldap-2.4) which has in the same redundant user info containing mail attribute among others (objectclass: inetOrgPerson) in 2 different ous (objectclass: organizationalUnit). I know it is a bad design for ldap users structure but I am not allowed to change it in a short time. When I tried to migrate this ldap database to openldap 2.6 I realize this is not possible anymore. I identified it is just related to mail attribute because if I omit mail attribute or use a different value for mail, then all data is imported properly.

Do you use the slapo-unique overlay? The only uniqueness requirement on mail out of the box is that for any specific entry, the mail value must be unique. There is no requirement *across* subtrees that it be unique unless the configuration loads and uses slapo-unique to do this. If you have duplicate values for 'mail' within a given entry, then you need to fix that.

--Quanah
memberOf with groupOfNames
Hi to all,

up to now I only used:

olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames

to dynamically add the Attribute memberOf to all members of a groupOfURLs. Is it possible to do the same with members for groupOfNames and groupOfUniqueNames? If yes, can someone please post the syntax?

Stefan