RE: Disable uniqueness for mail Attribute

2024-02-29 Thread Quanah Gibson-Mount




--On Thursday, February 29, 2024 8:11 PM + CALDEIRA JAVIEL Sandro wrote:



Hi Quanah,

I am running openldap from bitnami docker -
https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12

So there is not slapd.conf:
$ slapcat -n 0
could not stat config file
"/opt/bitnami/openldap/etc/openldap/slapd.conf": No such file or
directory (2)
slapcat: bad configuration file!


So clearly not using slapd.conf.  I realize you do have to specify -F 
/path/to/slapd/config for the slapcat to work.


But since you searched the config and there's no slapo-unique loaded, 
you're not using it.  This would imply that your database has bad data in 
it, where there are duplicate values for the "mail" attribute IN a single 
entry like:


uid=joe,ou=whatever,dc=example,dc=org
...
mail: j...@example.com
mail: j...@example.com


Would count as duplicates, for example.  Most likely validation checks 
during slapadd were improved between 2.4 and 2.6, so those errors are now 
being caught.  You'll need to clean your database to be correct.


--Quanah




RE: Disable uniqueness for mail Attribute

2024-02-29 Thread CALDEIRA JAVIEL Sandro
Hi Quanah,

I am running openldap from bitnami docker -
https://github.com/bitnami/containers/tree/main/bitnami/openldap/2.6/debian-12

So there is not slapd.conf:
$ slapcat -n 0
could not stat config file "/opt/bitnami/openldap/etc/openldap/slapd.conf":
No such file or directory (2)
slapcat: bad configuration file!

Nevertheless, I ran this search:

ldapsearch -Y EXTERNAL -H ldapi:/// -LLL -b cn=config > /bitnami/openldap/data/config

And tried to find the related config:

$ grep -i  unique config
r uniquely identifying a user in an administrative domain' EQUALITY integerMa
 r uniquely identifying a group in an administrative domain' EQUALITY integerM
olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X
 .500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.1
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique me
 mber of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
olcObjectClasses: {15}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a gr
 oup of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uni
 ESC 'RFC1274: unique identifier of document' EQUALITY caseIgnoreMatch SUBSTR
olcAttributeTypes: {28}( 0.9.2342.19200300.100.1.44 NAME 'uniqueIdentifier' DE
 SC 'RFC1274: unique identifer' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.14
 $ roomNumber $ secretary $ uid $ userCertificate $ x500uniqueIdentifier $ pre

$ grep -I overlay config
olcObjectIdentifier: olmOverlayAttributes olmSubSystemAttributes:2
olcObjectIdentifier: olmOverlayObjectClasses olmSubSystemObjectClasses:2
olcObjectIdentifier: olmSyncReplAttributes olmOverlayAttributes:1
olcObjectIdentifier: olmSyncReplObjectClasses olmOverlayObjectClasses:1
olcAttributeTypes: ( OLcfgGlAt:34 NAME 'olcOverlay' SUP olcDatabase SINGLE-VAL
olcAttributeTypes: ( 1.3.6.1.4.1.4203.666.1.55.11 NAME 'monitorOverlay' DESC '
 name of overlays defined for a given database' SUP monitoredInfo NO-USER-MODI
olcObjectClasses: ( OLcfgGlOc:5 NAME 'olcOverlayConfig' DESC 'OpenLDAP Overlay
 -specific options' SUP olcConfig STRUCTURAL MUST olcOverlay MAY olcDisabled )
 abeledURI $ monitoredInfo $ managedInfo $ monitorOverlay ) )
 ider configuration' SUP olcOverlayConfig STRUCTURAL MAY ( olcSpCheckpoint $ o
dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {0}syncprov

So it seems I have nothing in my config for unique. The only olcOverlay in
use is for syncprov.

Another point: Inside container I have some modules in folder
/opt/bitnami/openldap/lib/openldap

Among several libs, unique and syncprov:

lrwxrwxrwx 1 root root 17 Aug 18  2023 unique.so -> unique.so.2.0.200
lrwxrwxrwx 1 root root 17 Aug 18  2023 unique.so.2 -> unique.so.2.0.200
-rwxr-xr-x 1 root root  39424 Aug 18  2023 unique.so.2.0.200
lrwxrwxrwx 1 root root 19 Aug 18  2023 syncprov.so -> syncprov.so.2.0.200
lrwxrwxrwx 1 root root 19 Aug 18  2023 syncprov.so.2 -> syncprov.so.2.0.200
-rwxr-xr-x 1 root root  92736 Aug 18  2023 syncprov.so.2.0.200

From the compose file I enable syncprov for replication:
environment:
  - LDAP_ENABLE_SYNCPROV=yes

And I can see the files to enable syncprov:
$ cat /opt/bitnami/openldap/share/syncprov_create_overlay_configuration.ldif
dn: olcOverlay=syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpCheckpoint: 100 10
olcSpSessionLog: 100




-Original Message-
From: Quanah Gibson-Mount  
Sent: Thursday, February 29, 2024 5:33 PM
To: CALDEIRA JAVIEL Sandro ;
openldap-technical@openldap.org
Subject: RE: Disable uniqueness for mail Attribute


--On Thursday, February 29, 2024 1:35 PM + CALDEIRA JAVIEL Sandro wrote:

> Hi Quanah,
>
> I am not sure how slapo-unique works. I am struggling with the syntax. 
> How can I check current config concerning it?

Does your configuration even use slapo-unique? That's the first question you
need to answer.  Assuming you are using cn=config, you can use slapcat -n 0
-l /tmp/config.ldif to export your full configuration and examine it to see
if it uses the unique overlay at all.

--Quanah






Re: memberOf with groupOfNames

2024-02-29 Thread Ulf Volmer

Am 29.02.24 um 12:00 schrieb Stefan Kania:

up to now I only used:

olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames

to dynamically add the Attribute memberOf to all members of a 
groupOfURLs. Is it possible to do the same with members for 
groupOfNames and groupOfUniqueNames?

If yes, can someone please post the syntax?



You can set it twice:


dn: olcOverlay=dynlist,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcDynListConfig
objectClass: olcOverlayConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames
olcDynListAttrSet: groupOfURLs memberURL 
uniqueMember+memberOf@groupOfUniqueNames


Best regards

Ulf




RE: Disable uniqueness for mail Attribute

2024-02-29 Thread Quanah Gibson-Mount




--On Thursday, February 29, 2024 1:35 PM + CALDEIRA JAVIEL Sandro wrote:



Hi Quanah,

I am not sure how slapo-unique works. I am struggling with the syntax. How
can I check current config concerning it?


Does your configuration even use slapo-unique? That's the first question 
you need to answer.  Assuming you are using cn=config, you can use slapcat 
-n 0 -l /tmp/config.ldif to export your full configuration and examine it 
to see if it uses the unique overlay at all.


--Quanah
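Added example, not from the thread and not OpenLDAP's own code: a small Python checker over LDIF exports that covers the two questions raised in this thread. It reads a cn=config export (slapcat -n 0) and reports whether unique.so is loaded and whether any olcUniqueConfig overlay is instantiated, and it reads a data export and reports entries that carry the same mail value more than once, which slapadd on 2.6 rejects even with no overlay loaded. It goes one step beyond the thread by also listing values shared across entries (legal out of the box, and what a unique_uri rule on mail would start refusing) and by producing a deduplicated copy of the entries. The LDIF samples, DNs and the olcUniqueURI rule are constructed for the demo, and normalize_ia5 only approximates caseIgnoreIA5Match, the EQUALITY rule of the mail attribute.

```python
"""Check LDIF exports for intra-entry and cross-entry duplicate 'mail'
values and for the presence of slapo-unique in cn=config.
Added example; the LDIF below is constructed, not from a real server."""
import base64
from collections import defaultdict


def parse_ldif(text):
    """Return a list of {'dn': str, 'attrs': {lowercased name: [values]}}.
    Handles LDIF line folding (continuation lines start with one space),
    base64 values ('attr:: ...'), comments and the version line."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]
        else:
            unfolded.append(raw)
    entries, current = [], None
    for line in unfolded:
        if line.startswith("#") or (current is None and line.startswith("version:")):
            continue
        if not line.strip():
            if current is not None:
                entries.append(current)
                current = None
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        else:
            value = rest.strip()
        if name.lower() == "dn":
            current = {"dn": value, "attrs": defaultdict(list)}
        elif current is not None:
            current["attrs"][name.lower()].append(value)
    if current is not None:
        entries.append(current)
    return entries


def normalize_ia5(value):
    """Approximation of caseIgnoreIA5Match: case-insensitive, with
    leading/trailing and repeated whitespace treated as insignificant."""
    return " ".join(value.split()).lower()


def duplicates_within_entries(entries, attr="mail"):
    """Values occurring more than once in a single entry. This is the
    condition slapadd rejects regardless of overlays."""
    found = []
    for e in entries:
        seen, dups = set(), []
        for v in e["attrs"].get(attr, []):
            n = normalize_ia5(v)
            if n in seen and n not in dups:
                dups.append(n)
            seen.add(n)
        if dups:
            found.append((e["dn"], dups))
    return found


def duplicates_across_entries(entries, attr="mail"):
    """Values shared by several entries: legal without slapo-unique."""
    owners = defaultdict(list)
    for e in entries:
        for n in sorted({normalize_ia5(v) for v in e["attrs"].get(attr, [])}):
            owners[n].append(e["dn"])
    return {n: dns for n, dns in owners.items() if len(dns) > 1}


def dedupe_within_entries(entries, attr="mail"):
    """Return a copy of the entries keeping the first occurrence of each
    (normalized) value per entry; other attributes are untouched."""
    cleaned = []
    for e in entries:
        seen, kept = set(), []
        for v in e["attrs"].get(attr, []):
            if normalize_ia5(v) not in seen:
                seen.add(normalize_ia5(v))
                kept.append(v)
        attrs = {k: list(vs) for k, vs in e["attrs"].items()}
        if attr in attrs:
            attrs[attr] = kept
        cleaned.append({"dn": e["dn"], "attrs": attrs})
    return cleaned


def unique_overlay_status(config_entries):
    """From a cn=config export: is unique.so loaded by any olcModuleList,
    and which overlay entries are olcUniqueConfig instances?"""
    module_loaded = any("unique" in v.lower() for e in config_entries
                        for v in e["attrs"].get("olcmoduleload", []))
    overlay_dns = [e["dn"] for e in config_entries
                   if any(oc.lower() == "olcuniqueconfig"
                          for oc in e["attrs"].get("objectclass", []))]
    return {"module_loaded": module_loaded, "overlay_dns": overlay_dns}


# Constructed cn=config slice: syncprov only, as in the Bitnami setup above.
CONFIG_LDIF = """\
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: syncprov

dn: olcOverlay={0}syncprov,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
"""

# Constructed variant with slapo-unique enforcing mail uniqueness subtree-wide.
UNIQUE_CONFIG_LDIF = CONFIG_LDIF + """olcModuleLoad: unique

dn: olcOverlay={1}unique,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {1}unique
olcUniqueURI: ldap:///dc=example,dc=org?mail?sub
"""

# Constructed data: the same user in two OUs (legal), and one entry with the
# same mail twice differing only in case (rejected by slapadd on 2.6).
DATA_LDIF = """\
dn: uid=joe,ou=legacy,dc=example,dc=org
objectClass: inetOrgPerson
uid: joe
cn: Joe
sn: Example
mail: joe@example.com
mail: Joe@Example.com

dn: uid=joe,ou=current,dc=example,dc=org
objectClass: inetOrgPerson
uid: joe
cn: Joe
sn: Example
mail: joe@example.com

dn: uid=ann,ou=current,dc=example,dc=org
objectClass: inetOrgPerson
uid: ann
cn: Ann
sn: Example
mail:: YW5uQGV4YW1wbGUuY29t
"""

if __name__ == "__main__":
    data = parse_ldif(DATA_LDIF)
    print("slapo-unique:", unique_overlay_status(parse_ldif(CONFIG_LDIF)))
    print("within-entry duplicates:", duplicates_within_entries(data))
    print("cross-entry duplicates:", duplicates_across_entries(data))
    print("after dedupe:", duplicates_within_entries(dedupe_within_entries(data)))
```

Note that the UNIQUE_CONFIG_LDIF string appends a second olcModuleLoad to the module{0} entry before adding the overlay entry, so the checker reports it as loaded and instantiated; on a real server the input would be the output of slapcat -F /path/to/slapd.d -n 0 for the config and slapcat -F /path/to/slapd.d -n <db number> for the data, with the database number taken from the olcDatabase entry in cn=config.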




RE: Disable uniqueness for mail Attribute

2024-02-29 Thread CALDEIRA JAVIEL Sandro
Hi Quanah,

I am not sure how slapo-unique works. I am struggling with the syntax. How
can I check current config concerning it?

Thanks and regards,
Sandro

-Original Message-
From: Quanah Gibson-Mount  
Sent: Wednesday, February 28, 2024 6:27 PM
To: CALDEIRA JAVIEL Sandro ;
openldap-technical@openldap.org
Subject: Re: Disable uniqueness for mail Attribute


--On Wednesday, February 28, 2024 7:34 AM + CALDEIRA JAVIEL Sandro wrote:

> Hi,
>
> I have a legacy ldap instance (openldap-2.4) which has the same
> redundant user info containing the mail attribute among others (objectclass:
> inetOrgPerson) in 2 different ous (objectclass: organizationalUnit). I
> know it is a bad design for the ldap user structure but I am not allowed
> to change it in a short time. When I tried to migrate this ldap
> database to openldap 2.6 I realized this is not possible anymore. I
> identified that it is just related to the mail attribute because if I omit
> the mail attribute or use a different value for mail, then all data is
> imported properly.

Do you use the slapo-unique overlay?

The only uniqueness requirement on mail out of the box is that for any
specific entry, the mail value must be unique.  There is no requirement
*across* subtrees that it be unique unless the configuration loads and uses
slapo-unique to do this.

If you have duplicate values for 'mail' within a given entry, then you need
to fix that.

--Quanah




memberOf with groupOfNames

2024-02-29 Thread Stefan Kania

Hi to all,

up to now I only used:

olcDlAttrSet: groupOfURLs memberURL member+memberOf@groupOfNames

to dynamically add the Attribute memberOf to all members of a 
groupOfURLs. Is it possible to do the same with members for groupOfNames 
and groupOfUniqueNames?

If yes, can someone please post the syntax?

Stefan

