Closed joshuacox closed 11 months ago
So I have successfully turned a few config lines into around 60 LDIF lines:
dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' D
he entry belongs to' EQUALITY distinguishedNameMatch SYNTAX
115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation X-ORIGI
ted Administrator' )
olcAttributeTypes: ( OLcfgOvAt:8.1 NAME ( 'olcDynListAttrSet'
DESC 'Dynamic list: <group objectClass>, <URL attributeDesc
attributeDescription>' EQUALITY caseIgnoreMatch SYNTAX OMsD
ORDERED 'VALUES' )
dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcObjectClasses: ( OLcfgOvOc:8.1 NAME ( 'olcDynListConfig' '
DESC 'Dynamic list configuration' SUP olcOverlayConfig STRU
ListAttrSet )
dn: cn={4}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDA
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'm
dentifies an URL associated with each member of a group. Any
URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC
when processing the memberURL' SUP distinguishedName SINGLE
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'O
tion rules that determine who is allowed to assume the dgIde
uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES'
olcAttributeTypes: {3}( DynGroupAttr:3 NAME 'dgMemberOf' DESC
entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3
.121.1.12 )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'group
TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ descr
owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP
( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL member+memberOf@g
structuralObjectClass: olcDynListConfig
However, placing this in /ldifs does not seem to have the desired effect. And honestly, this seems to be the wrong approach, i.e. to take two lines of very easy-to-understand config and turn them into some archaic block of 60 lines of LDIF. I seem to be handing the next person who looks at these configs a major headache.
Perhaps it needs to be run as a schema? (EDIT: the structuralObjectClass requires that it be in the schema, I believe.) Appending to /schema/custom.ldif (which had an ldapPublicKey definition in there) and changing the modify to adds:
dn: cn=ldapPublicKey,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk-openldap
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: memberof
olcModuleLoad: dynlist
olcModuleLoad: refint
olcModuleLoad: argon2
dn: cn=schema,cn=config
cn: schema
objectClass: olcSchemaConfig
olcAttributeTypes: ( 1.2.840.113556.1.2.102 NAME 'memberOf' D
he entry belongs to' EQUALITY distinguishedNameMatch SYNTAX
115.121.1.12 NO-USER-MODIFICATION USAGE dSAOperation X-ORIGI
ted Administrator' )
olcAttributeTypes: ( OLcfgOvAt:8.1 NAME ( 'olcDynListAttrSet'
DESC 'Dynamic list: <group objectClass>, <URL attributeDesc
attributeDescription>' EQUALITY caseIgnoreMatch SYNTAX OMsD
ORDERED 'VALUES' )
olcObjectClasses: ( OLcfgOvOc:8.1 NAME ( 'olcDynListConfig' '
DESC 'Dynamic list configuration' SUP olcOverlayConfig STRU
ListAttrSet )
dn: cn={4}dyngroup,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {4}dyngroup
olcObjectIdentifier: {0}NetscapeRoot 2.16.840.1.113730
olcObjectIdentifier: {1}NetscapeLDAP NetscapeRoot:3
olcObjectIdentifier: {2}NetscapeLDAPattributeType NetscapeLDA
olcObjectIdentifier: {3}NetscapeLDAPobjectClass NetscapeLDAP:
olcObjectIdentifier: {4}OpenLDAPExp11 1.3.6.1.4.1.4203.666.11
olcObjectIdentifier: {5}DynGroupBase OpenLDAPExp11:8
olcObjectIdentifier: {6}DynGroupAttr DynGroupBase:1
olcObjectIdentifier: {7}DynGroupOC DynGroupBase:2
olcAttributeTypes: {0}( NetscapeLDAPattributeType:198 NAME 'm
dentifies an URL associated with each member of a group. Any
URL can be used.' SUP labeledURI )
olcAttributeTypes: {1}( DynGroupAttr:1 NAME 'dgIdentity' DESC
when processing the memberURL' SUP distinguishedName SINGLE
olcAttributeTypes: {2}( DynGroupAttr:2 NAME 'dgAuthz' DESC 'O
tion rules that determine who is allowed to assume the dgIde
uthzMatch SYNTAX 1.3.6.1.4.1.4203.666.2.7 X-ORDERED 'VALUES'
olcAttributeTypes: {3}( DynGroupAttr:3 NAME 'dgMemberOf' DESC
entry belongs to' EQUALITY distinguishedNameMatch SYNTAX 1.3
.121.1.12 )
olcObjectClasses: {0}( NetscapeLDAPobjectClass:33 NAME 'group
TRUCTURAL MUST cn MAY ( memberURL $ businessCategory $ descr
owner $ seeAlso ) )
olcObjectClasses: {1}( DynGroupOC:1 NAME 'dgIdentityAux' SUP
( dgIdentity $ dgAuthz ) )
structuralObjectClass: olcSchemaConfig
dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL member+memberOf@g
structuralObjectClass: olcDynListConfig
does not seem to be working either.
Minimally, I have tried having just two files in /schemas:
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: dynlist
olcModuleLoad: argon2
and
dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: {0}dynlist
olcDynListAttrSet: {0}groupOfURLs memberURL member+memberOf@groupOfNames
At this point I can cause the OpenLDAP instance to crash by requesting a memberOf attribute:
docker exec openldap ldapsearch -H ldap://localhost:1389 -x -LLL -s sub -b "dc=example,dc=net" "cn=customuser" uid
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser
^ returns fine, but this one crashes the server:
docker exec openldap ldapsearch -H ldap://localhost:1389 -x -LLL -s sub -b "dc=example,dc=net" "cn=customuser" uid memberOf
ldap_result: Can't contact LDAP server (-1)
The logs have nothing useful to say about why it died:
6519f2ee.2bb6b2b4 0x7fba23fff700 conn=1003 fd=12 ACCEPT from IP=127.0.0.1:36686 (IP=0.0.0.0:1389)
6519f2ee.2bb70fb4 0x7fba237fe700 conn=1003 op=0 BIND dn="" method=128
6519f2ee.2bb77d0f 0x7fba237fe700 conn=1003 op=0 RESULT tag=97 err=0 qtime=0.000006 etime=0.000037 text=
6519f2ee.2bb8fb7c 0x7fba23fff700 conn=1003 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(cn=customuser)"
6519f2ee.2bb91cd0 0x7fba23fff700 conn=1003 op=1 SRCH attr=uid
6519f2ee.2bbe22f8 0x7fba23fff700 conn=1003 op=1 SEARCH RESULT tag=101 err=0 qtime=0.000003 etime=0.000356 nentries=1 text=
6519f2ee.2bbe9f18 0x7fba23fff700 conn=1003 op=2 UNBIND
6519f2ee.2bbf2203 0x7fba23fff700 conn=1003 fd=12 closed
6519f2fa.13988926 0x7fba237fe700 conn=1004 fd=12 ACCEPT from IP=127.0.0.1:51926 (IP=0.0.0.0:1389)
6519f2fa.139968ca 0x7fba23fff700 conn=1004 op=0 BIND dn="" method=128
6519f2fa.139a0394 0x7fba23fff700 conn=1004 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000047 text=
6519f2fa.139b1475 0x7fba237fe700 conn=1004 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(cn=customuser)"
6519f2fa.139b5522 0x7fba237fe700 conn=1004 op=1 SRCH attr=uid memberOf
My docker-compose.yml at this point was:
version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    image: bitnami/openldap:2.6.6
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      - LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
      #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      - BITNAMI_DEBUG=true
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes:
      - ./openldap_whc/schema:/schema
      - ./openldap_whc/schemas:/custom_schemas
      - ./openldap_whc/ldiff:/ldiff
      - ./openldap_whc/ldifs:/ldifs
      #- ./openldap_data:/bitnami/openldap
      - ./slaptest:/slaptest
      #- ./openldap_whc/schemas:/schemas
  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0
I have made an example repo for demonstration purposes:
Hi @joshuacox ,
I recently had a similar requirement to use an overlay, Sync Provider, not enabled OOTB.
After some digging I found the cn=module backend was only created when a supported overlay, pprovider, was enabled.
Following this approach I extended libopenldap.sh to support both Sync Provider and Access Logging overlays.
I've tested a similar extension for the Dynamic Lists overlay that deploys perfectly.
Happy to create a PR for this if that approach would work?
@jonnoss1 I'd be very happy to test a PR! tyvm
Hi @joshuacox,
I've pushed the changes here. You can test by building an image based on the README.md steps then running with the new image and these additional environment options in your above docker-compose.
- LDAP_ENABLE_DYNLIST=yes
- LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
@jonnoss1 awesome on actually implementing the environment variables. However, I do seem to be getting the same crashing situation when I implement:
- LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames
which I got directly from the man page (man slapo-dynlist):
docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof
ldap_result: Can't contact LDAP server (-1)
But uid alone returns just fine:
docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser
Hi @joshuacox ,
What schema are you using to add memberOf? I find it in the msuser schema file but get the following error when loading both dyngroup and msuser:
config error processing cn={5}msuser,cn=schema,cn=config: olcAttributeTypes: Duplicate attributeType: "MSADat2:102"
I believe I'm getting it by using dyngroup: LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
Here is my full docker-compose.yml:
version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    #image: bitnami/openldap:2.6.6
    image: jonnos/openldap:test
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
      - BITNAMI_DEBUG=true
      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames
      # groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      #- LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      #- LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes:
      #- ./schema:/schema
      #- ./schemas:/schemas
      #- ./ldifs:/ldifs
      - ./slaptest:/slaptest
      #- ./data:/bitnami/openldap
  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0
Looks like you also need the memberOf overlay.
Pushed another change earlier today to add support for this. Using the updated image and these settings:
- LDAP_EXTRA_SCHEMAS=cosine, inetorgperson, nis, dyngroup
- LDAP_ENABLE_MEMBEROF=yes
- LDAP_ENABLE_DYNLIST=yes
- LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
LDIF for the dynamic group:
dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
objectClass: groupOfURLs
objectClass: top
cn: dynamicGroup
memberURL: ldap:///ou=people,ou=thatstore,dc=source,dc=com??sub?(objectClass=inetOrgPerson)
I get the following search results:
$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=Joe Soap" uid
dn: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com
uid: Joe.Soap
$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=Joe Soap" uid memberof
dn: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com
uid: Joe.Soap
memberOf: cn=purple,ou=groups,ou=thatstore,dc=source,dc=com
memberOf: cn=black,ou=groups,ou=thatstore,dc=source,dc=com
$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=source,dc=com" "cn=dynamicGroup" member
dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
member: cn=Some Body,ou=people,ou=thatstore,dc=source,dc=com
member: cn=Another Dude,ou=people,ou=thatstore,dc=source,dc=com
member: cn=No One,ou=people,ou=thatstore,dc=source,dc=com
member: cn=Joe Soap,ou=people,ou=thatstore,dc=source,dc=com
Not really familiar with the dynlist overlay, so I can't even guess what the issue is with this ATTRSET: groupOfURLs memberURL member+memberOf@groupOfNames
Wow, this is fantastic! @jonnoss1 you have done it! Please submit a PR and get this merged in!
EDIT: just adding in my final docker-compose.yml:
version: "3"
networks:
  openldapnet:
    external: false
services:
  openldap:
    #image: bitnami/openldap:2.6.6
    image: jonnos/openldap:test
    container_name: openldap
    environment:
      - LDAP_ADMIN_USERNAME=admin
      - LDAP_ADMIN_PASSWORD=admin
      - LDAP_USERS=customuser
      - LDAP_PASSWORDS=custompassword
      - LDAP_ROOT=dc=example,dc=net
      - LDAP_ADMIN_DN=cn=admin,dc=example,dc=net
      - LDAP_EXTRA_SCHEMAS=cosine,dyngroup,inetorgperson,nis
      - BITNAMI_DEBUG=true
      - LDAP_ENABLE_DYNLIST=yes
      - LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      - LDAP_ENABLE_MEMBEROF=yes
      #- LDAP_DYNLIST_ATTRSETS=groupOfURLs memberURL member+memberOf@groupOfNames
      # groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
      #- LDAP_CUSTOM_SCHEMA_FILE=/schema/custom.ldif
      #- LDAP_CUSTOM_SCHEMA_DIR=/custom_schemas
      #- LDAP_EXTRA_SCHEMAS=collective,corba,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,namedobject,nis,openldap,pmi
      #- LDAP_EXTRA_SCHEMAS=collective,corba,core,cosine,dsee,duaconf,dyngroup,inetorgperson,java,misc,msuser,namedobject,nis,openldap,pmi
    restart: always
    networks:
      - openldapnet
    ports:
      - 389:1389
      - 636:1636
    volumes:
      #- ./schema:/schema
      #- ./schemas:/schemas
      #- ./ldifs:/ldifs
      - ./slaptest:/slaptest
      #- ./data:/bitnami/openldap
  phpldapadmin:
    ports:
      - 80:80
      - 443:443
    container_name: phpldapadmin
    networks:
      - openldapnet
    environment:
      - PHPLDAPADMIN_LDAP_HOSTS=ldap://openldap:1389
    image: osixia/phpldapadmin:0.9.0
@jonnoss1 just one slight note, in trying to replicate what you have done here before your PR gets merged, I run into this error:
olcDynListAttrSet: value #0: "dynlist-attrset <oc> [uri] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]] ...]": unable to find AttributeDescription #0 "member,groupOfURLs"
where my schemas directory looks like this:
bat --style header-filename schemas/*
File: schemas/00-modules.ldif
dn: cn=module,cn=config
cn: module
objectClass: olcModuleList
olcModulePath: /opt/bitnami/openldap/lib/openldap
olcModuleLoad: dynlist
olcModuleLoad: memberof
olcModuleLoad: argon2
File: schemas/01-openssh-lpk_openldap.ldif
dn: cn=ldapPublicKey,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: openssh-lpk-openldap
olcAttributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 NAME 'sshPublicKey' DES
 C 'MANDATORY: OpenSSH Public key' EQUALITY octetStringMatch SYNTAX 1.3.6.1.4.
 1.1466.115.121.1.40 )
olcObjectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 NAME 'ldapPublicKey' DESC
  'MANDATORY: OpenSSH LPK objectclass' SUP top AUXILIARY MUST ( sshPublicKey $
  uid ) )
File: schemas/97-memberOf.ldif
dn: olcOverlay=memberof,olcDatabase={2}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOfConfig
olcOverlay: memberof
olcMemberOfDN: dc=example,dc=net
olcMemberOfDangling: ignore
olcMemberOfDanglingError: 80
olcMemberOfRefInt: FALSE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
File: schemas/98-dynlistconfig.ldif
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
Removing the member,groupOfURLs segment, everything works just fine:
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI memberURL memberOf
docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof
dn: cn=customuser,ou=users,dc=example,dc=net
uid: customuser
memberOf: cn=readers,ou=users,dc=example,dc=net
But I am wondering what schema is supplying that member,groupOfURLs? No big deal, as the memberOf is working as intended now. Again TYVM for the help here, and let me know if I can help test anything else to ensure any PR you make is working well and ready to merge.
Hi @joshuacox,
Maybe a couple questions before we forge on with a PR.
This one is definitely incorrect.
File: schemas/98-dynlistconfig.ldif
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
Should be something like this
dn: olcOverlay={0}dynlist,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynListConfig
olcOverlay: dynlist
olcDynListAttrSet: {0}groupOfURLs labeledURI member
olcDynListAttrSet: {1}groupOfURLs memberURL memberOf
This is likely causing some kind of problem.
Re: where the schemas come from: are you only looking to be able to run a search like this on the memberOf attribute:
$ ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" "cn=customuser" uid memberof
Or do you additionally require the ability to define dynamic lists using this pattern:
dn: cn=dynamicGroup,ou=dynamic,ou=thatstore,dc=source,dc=com
objectClass: groupOfURLs
objectClass: top
cn: dynamicGroup
memberURL: ldap:///ou=people,ou=thatstore,dc=source,dc=com??sub?(objectClass=inetOrgPerson)
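As an added illustration (not code from this thread or from the Bitnami scripts), the helper below renders a comma-separated LDAP_DYNLIST_ATTRSETS value into the indexed olcDynListAttrSet lines proposed above, and checks each attrset against the grammar slapd printed in the error earlier in the thread, so the unsplit "member,groupOfURLs" token is rejected before slapd sees it. The simplified name pattern (no ;options) and the default overlay DN on the mdb database are assumptions.

```python
"""Render a Bitnami-style LDAP_DYNLIST_ATTRSETS value into olcDynListAttrSet LDIF.

Grammar, as printed by slapd in the error quoted in this thread:
  dynlist-attrset <oc> [uri] <URL-ad> [[<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]] ...]
Attrsets are separated by commas, as in the thread's env var examples.
"""
import re
from typing import Dict, List

# Assumption: simplified attribute-description / object-class name, no ";options".
_NAME = r"[A-Za-z][A-Za-z0-9-]*"
_NAME_RE = re.compile(rf"^{_NAME}$")
# One member spec: [<mapped-ad>:]<member-ad>[+<memberOf-ad>[@<static-oc>[*]]]
_MEMBER_RE = re.compile(
    rf"^(?:(?P<mapped>{_NAME}):)?(?P<member>{_NAME})"
    rf"(?:\+(?P<memberof>{_NAME})(?:@(?P<static_oc>{_NAME})(?P<star>\*)?)?)?$"
)


def parse_attrset(spec: str) -> Dict:
    """Split one dynlist-attrset value into its parts, or raise ValueError."""
    tokens = spec.split()
    if len(tokens) < 2:
        raise ValueError(f"attrset needs at least <oc> <URL-ad>: {spec!r}")
    oc, rest = tokens[0], tokens[1:]
    uri = rest[0] == "uri"  # optional literal keyword from the grammar
    if uri:
        rest = rest[1:]
    if not rest:
        raise ValueError(f"missing <URL-ad> in {spec!r}")
    url_ad, member_specs = rest[0], rest[1:]
    for name in (oc, url_ad):
        if not _NAME_RE.match(name):
            raise ValueError(f"bad name {name!r} in {spec!r}")
    members: List[Dict] = []
    for i, m in enumerate(member_specs):
        match = _MEMBER_RE.match(m)
        if not match:
            # Mirrors slapd's: unable to find AttributeDescription #<n> "<token>"
            raise ValueError(f'unable to parse member spec #{i} "{m}" in {spec!r}')
        members.append(match.groupdict())
    return {"oc": oc, "uri": uri, "url_ad": url_ad, "members": members}


def render_dynlist_ldif(
    env_value: str,
    overlay_dn: str = "olcOverlay={0}dynlist,olcDatabase={2}mdb,cn=config",  # assumed default
) -> str:
    """Emit one indexed olcDynListAttrSet line per comma-separated attrset."""
    attrsets = [s.strip() for s in env_value.split(",") if s.strip()]
    if not attrsets:
        raise ValueError("LDAP_DYNLIST_ATTRSETS is empty")
    lines = [
        f"dn: {overlay_dn}",
        "objectClass: olcOverlayConfig",
        "objectClass: olcDynListConfig",
        "olcOverlay: dynlist",
    ]
    for i, spec in enumerate(attrsets):
        parse_attrset(spec)  # reject bad grammar before slapd has to
        lines.append(f"olcDynListAttrSet: {{{i}}}{spec}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed input: the env var value used in this thread.
    env = "groupOfURLs labeledURI member,groupOfURLs memberURL memberOf"
    print(render_dynlist_ldif(env))
    # The same value pasted unsplit into a single olcDynListAttrSet is what slapd rejected.
    try:
        parse_attrset(env)
    except ValueError as err:
        print("rejected:", err)
```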
This one is definitely incorrect.
olcDynListAttrSet: groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
I believe that is generated when using this env var:
- LDAP_DYNLIST_ATTRSETS=groupOfURLs labeledURI member,groupOfURLs memberURL memberOf
which was the original example you gave, that is where I got confused.
But my current problem is still crashing when I execute something like:
docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b "dc=example,dc=net" '(&(objectClass=inetOrgPerson)(memberof=cn=readers,ou=users,dc=example,dc=net))'
ldap_result: Can't contact LDAP server (-1)
In the logs I can see the 'crash' at exit 0, though I'm not certain why OpenLDAP thought it appropriate to throw a zero there, as it seems to me to be worthy of an exit 1 or higher.
openldap | 21:49:53.51 INFO ==> ** Starting slapd **
openldap | 6525c701.1ebee3d7 0x7f6ab13cd740 @(#) $OpenLDAP: slapd 2.6.6 (Aug 18 2023 23:33:58) $
openldap | @a67812f7d14b:/bitnami/blacksmith-sandox/openldap-2.6.6/servers/slapd
openldap | 6525c701.1f502bd2 0x7f6ab13cd740 slapd starting
openldap | 6525c70d.269ddf1d 0x7f6a6bfff700 conn=1000 fd=12 ACCEPT from IP=127.0.0.1:38708 (IP=0.0.0.0:1389)
openldap | 6525c70d.269eb4a7 0x7f6a6bfff700 conn=1000 op=0 BIND dn="" method=128
openldap | 6525c70d.26a0b25d 0x7f6a6bfff700 conn=1000 op=0 RESULT tag=97 err=0 qtime=0.000005 etime=0.000144 text=
openldap | 6525c70d.26a2d1fc 0x7f6a6b7fe700 conn=1000 op=1 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=inetOrgPerson)(memberOf=cn=readers,ou=users,dc=example,dc=net))"
openldap exited with code 0
openldap | 21:50:06.57 INFO ==> Validating settings in LDAP_* env vars
openldap | 21:50:06.58 INFO ==> Initializing OpenLDAP...
openldap | 21:50:06.58 DEBUG ==> Ensuring expected directories/files exist...
openldap | 21:50:06.59 INFO ==> Using persisted data
openldap | 21:50:16.61 INFO ==> ** LDAP setup finished! **
openldap |
openldap |
openldap | 21:50:16.63 INFO ==> ** Starting slapd **
openldap | 6525c718.266e99de 0x7fa1ecb78740 @(#) $OpenLDAP: slapd 2.6.6 (Aug 18 2023 23:33:58) $
openldap | @a67812f7d14b:/bitnami/blacksmith-sandox/openldap-2.6.6/servers/slapd
openldap | 6525c718.270356a7 0x7fa1ecb78740 slapd starting
As to whether I need the dynamic group, I don't foresee it immediately being necessary, but I also didn't realize I needed a few things here before getting further.
My end goal is to be able to use a user filter in gitea something like:
(&(memberOf=cn=gitea,ou=Groups,dc=example,dc=net)(|(uid=%[1]s)(mail=%[1]s)))
and an admin filter of:
(&(memberOf=cn=gitea_admin,ou=Groups,dc=example,dc=net)(|(uid=%[1]s)(mail=%[1]s)))
EDIT: I did make the changes to the olcDynListAttrSet here and I added a crash.sh to document that command.
Hi @joshuacox,
I've created a PR to add support for Reverse Group Membership Maintenance, aka the memberOf overlay module.
Based on the example searches you are trying to perform this appears to be the cleanest way to add support for this specific reciprocal attribute.
Can always look at dynlist separately, but it would need some thought to ensure the supporting schema is always declared to prevent schema dependency failures.
J
Thank you for submitting the associated Pull Request. Our team will review and provide feedback. Once the PR is merged, the issue will automatically close.
Your contribution is greatly appreciated!
The problem with memberOf is that it is deprecated, will be removed in the future, and it is discouraged on replicated setups.
From man slapo-memberof:
Note that this overlay is deprecated and support will be dropped in future OpenLDAP releases. Installations should use the dynlist overlay instead. Using this overlay in a replicated environment is especially discouraged.
After a week of not looking at this issue (because the team I was working with decided to go with FreeIPA instead), I came back, looked at the comment here, and realized I needed to alter this line:
dn: olcOverlay=dynlist,olcDatabase={-1}frontend,cn=config
to this line:
dn: olcOverlay=dynlist,olcDatabase={2}mdb,cn=config
so the example repo here is fixed.
And all memberOf functionality is supplied by dynlist now:
./no-longer-crashes.sh
+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b dc=example,dc=net cn=customuser memberof
dn: cn=customuser,ou=users,dc=example,dc=net
memberOf: cn=readers,ou=users,dc=example,dc=net
memberOf: cn=Dynamic List,ou=Groups,dc=example,dc=net
memberOf: cn=Dynamic Group,ou=Groups,dc=example,dc=net
+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b 'cn=Dynamic Group,ou=Groups,dc=example,dc=net' member
dn: cn=Dynamic Group,ou=Groups,dc=example,dc=net
member: cn=customuser,ou=users,dc=example,dc=net
member: cn=customuser2,ou=users,dc=example,dc=net
+ docker exec openldap ldapsearch -H ldap://localhost:1389 -LLL -x -s sub -b 'cn=Dynamic List,ou=Groups,dc=example,dc=net' member
dn: cn=Dynamic List,ou=Groups,dc=example,dc=net
member: cn=customuser,ou=users,dc=example,dc=net
member: cn=customuser2,ou=users,dc=example,dc=net
Hi,
The OpenLDAP team changed its mind about the memberof overlay: it is no longer deprecated (this announcement).
So this PR is very interesting: can you merge it?
Thank you
Name and Version
bitnami/openldap:2.6.6
What is the problem this feature will solve?
The documentation points to adding dynlist like so:
to slapd.conf. However, there is no slapd.conf in the bitnami container, as we are using /bitnami/openldap/slapd.d.
The documentation points to doing something like this to convert:
But again, I don't have a slapd.conf file to convert. Or is there a base file I can use for this purpose? Or is there a way to merge in an overlay?
What is the feature you are proposing to solve the problem?
Just an explanation of how to add in an overlay would be fantastic, potentially adding it to the documentation. Or maybe even an environment variable:
I would imagine most would need configuration lines as well, like:
or something similar.
What alternatives have you considered?
Just mapping in a directory and trying to slaptest a config that I might be able to get LDIFs out of.
With some tweaking I might be able to hack together a solution.
Minimal slapd.conf (EDIT: now it works, but I am uncertain what all I need to extract from it):
So now I can get a slapcat:
It certainly is a lot of data; should I just be diffing that against a slapcat on a slapd.conf of: