Develop Reference

Get memberOf to be returned unconditionally

When I do an ldapsearch, I get the memberof attribute only when I explicitly query for it:
ldapsearch ... '(sAMAccountName=john)' -LLL memberof
ldapsearch ... '(sAMAccountName=john)' -LLL "+"
In contrary, the following does not return memberof attribute in the search result:
ldapsearch ... '(sAMAccountName=john)' -LLL
This is expected as per the following:
If ldapsearch finds one or more entries, the attributes specified by
attrs are returned. If * is listed, all user attributes are returned.
If + is listed, all operational attributes are returned. If no attrs
are listed, all user attributes are returned. If only 1.1 is listed,
no attributes will be returned.
I am using the Docker image osixia/openldap for testing purposes, and I need it to behave like our production LDAP server based on ActiveDirectory. The problem is that LDAP AD unconditionally returns memberof, and all of our code-base is written in a way not to explicitly ask for it.
How can I configure the OpenLDAP container to unconditionally return memberOf?
I enabled memberOf support as per the following file 03-memberOf.ldif:
# Load memberof module
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: memberof
# Backend memberOf overlay
dn: olcOverlay={0}memberof,olcDatabase={1}{{ LDAP_BACKEND }},cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: group
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf

How to correctly allow a given user access to update a record on openldap

I have been trying to apply this dlif to my openldap server:
$ cat acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
I believe this should allow user with DN: "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" to update the attributes ipServicePort and description on "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
This seems to apply fine:
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f acl.ldif
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
modifying entry "olcDatabase={1}hdb,cn=config"
When I search for it I can find my updated entry:
$ sudo ldapsearch -Y EXTERNAL -H ldapi:// -b cn=config 'olcDatabase={1}hdb'
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
# extended LDIF
#
# LDAPv3
# base <cn=config> with scope subtree
# filter: olcDatabase={1}hdb
# requesting: ALL
#
# {1}hdb, config
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=thedomain,dc=com
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou
s auth by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" write by * n
one
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=ie,dc=aws,dc=thedomain,dc=net" w
rite by * read
olcAccess: {3}to dn.exact="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,
dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=p
eople,dc=thedomain,dc=com" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=thedomain,dc=com
olcRootPW: {SSHA}HASHEDPW
olcSyncrepl: {0}rid=003 provider=ldap://ldap.city.thedomain.com binddn="cn
=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2nU s
earchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:10 re
try="5 5 300 5" timeout=1
olcSyncrepl: {1}rid=004 provider=ldap://ldap1.domain.ie.aws.thedomain.net binddn
="cn=admin,dc=thedomain,dc=com" bindmethod=simple credentials=Cju8MJZhegnEgKp2
nU searchbase="dc=thedomain,dc=com" type=refreshAndPersist interval=00:00:00:1
0 retry="5 5 300 5" timeout=1
olcMirrorMode: TRUE
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
However, when I try to make a change using these credentials, it still fails:
$ cat /tmp/modify.ldif
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: ipServicePort
ipServicePort: 1485176342
dn: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
changetype: modify
replace: description
description: Updated by ldap.city.thedomain.com on Mon Jan 23 12:59:02 UTC 2017
Running:
$ ldapmodify -H ldap://localhost -w PASSWORD -D "mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" -f /tmp/modify.ldif
modifying entry "cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com"
ldap_modify: Insufficient access (50)
I also tried making my ACL slightly less restrictive to try to understand what wasn't working, I have tried the following acl.ldif files:
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" attrs="ipServicePort,description" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to dn="cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com" by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {3}to * by dn="mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com" write by * read
Result was the same
The only thing I didn't try yet, as I was hoping to avoid making the db this insecure, even during testing, was to allow * to write this record, or * to write to all records.
I've taken the dn of the record I want to allow editing on from Apache Directory Studio, which shows me:
DN: cn=ldap-city-thedomain-com,dc=repl,dc=thedomain,dc=com
And my users DN from the same:
DN: mail=itops#thedomain.com,ou=people,dc=thedomain,dc=com
I'm sure I'm doing something obviously idiotic, as my knowledge of ldap is poor and reading the documentation is painful for me. I'm hoping someone can spot my obvious error and suggest a correction as I can't see what I have done wrong after a large number of hours of tinkering.

Thank you to JoBbZ in #openldap IRC. This is a simple misunderstanding on my part. Order matters in ACL rules. LDAP will stop looking on the first match, so I need to save my olcAccess as 2 not 3

OpenLDAP mdb backend

I try to setup an OpenLDAP Server with mdb backend. But neither the version from packet repository nor a self compiled version (to be shure that back_mdb is compiled into slapd) works for me.
Config database is accessible, log doesn't print any errors and the database file is created (data.mdb) - but my root (suffix) won't show up and isn't writeable.
A basic configuration suggested by the OpenLDAP administrator's guide won't help either.
My config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database mdb
maxsize 1073741824
suffix "dc=directory,dc=local"
rootdn "cn=admin,dc=directory,dc=local"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"
directory /var/lib/openldap/openldap-data
index objectClass eq
access to dn.subtree="ou=contacts,dc=directory,dc=local" by self write by dn="cn=server,ou=people,dc=directory,dc=local" write by dn="cn=phone,ou=people,dc=directory,dc=local" read
access to * by dn="cn=admin,dc=directory,dc=local" write by anonymous auth by dn.subtree="ou=people,dc=directory,dc=local" read by * none
database config
rootdn "cn=admin,cn=config"
rootpw "{SSHA}Lh2sewmXFDo+bwc0Vqy12Xwc61n9sQ5t"

I had to add the ldif to create my root dn on the localhost.
Create LDIF file:
dn: dc=directory,dc=local
dc: directory
o: directory.local
objectClass: top
objectClass: dcObject
objectClass: organization
structuralObjectClass: organization
Add the LDIF file and recreate database index:
slappadd -b "dc=directory,dc=local" -v -l basedn.ldif
slapindex
Start the ldap daemon and there it is: my root dn.

ldap_add: Insufficient access (50)

I am trying to add the below entry using the command below:
ldapadd -Y EXTERNAL -H ldapi:/// -f server5_ldap.ldif
The contents of server5_ldap.ldif is provided below:
# Entry 31: cn=default,ou=pwpolicies,dc=example,dc=com
dn: cn=default,ou=pwpolicies,dc=example,dc=com
cn: default
objectclass: device
objectclass: top
objectclass: pwdPolicy
objectclass: pwdPolicyChecker
pwdallowuserchange: TRUE
pwdattribute: userPassword
pwdcheckquality: 2
pwdexpirewarning: 604800
pwdfailurecountinterval: 3600
pwdgraceauthnlimit: 0
pwdinhistory: 5
pwdlockout: TRUE
pwdlockoutduration: 900
pwdmaxage: 0
pwdmaxfailure: 5
pwdminage: 0
pwdminlength: 8
pwdmustchange: FALSE
pwdsafemodify: FALSE
I am getting the error:
ldap_add: Insufficient access (50)
additional info: no write access to parent
My permissions.ldif is as given below:
#OlcAccess
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {1} to attrs=uid by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {2} to attrs=objectClass by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {3} to attrs=cn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {4} to attrs=sn by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by * none
olcAccess: {5} to * by self write by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=ConnectedSyncAdmin,ou=customers,dc=example,dc=com" write by users read by anonymous none
olcAccess: {6} to attrs=userPassword by self write by anonymous auth by dn.exact="cn=Manager,dc=example,dc=com" manage by dn.exact="cn=admin,cn=config" manage by dn.exact="cn=pwpolicies,ou=PPS,dc=example,dc=com" write by * none
I am new to ldap, and I am blocked with this issue Any help will be highly appreciated.

If you want to use Unix domain socket authentication (-Y EXTERNAL), then you have to give root the manage permission to the database. The dn for root authenticating via Unix domain sockets is:
gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
On Redhat and CentOS only the configuration and the monitor back-ends have root permission.
# ldapsearch -Y EXTERNAL -Q -H ldapi:/// -LLL -o ldif-wrap=no -b cn=config '(objectClass=olcDatabaseConfig)' olcAccess
dn: olcDatabase={-1}frontend,cn=config
dn: olcDatabase={0}config,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage by * none
dn: olcDatabase={1}monitor,cn=config
olcAccess: {0}to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read by * none
dn: olcDatabase={2}hdb,cn=config
If you want to manage database 2 in the same way you manage the configuration, you have to add the same olcAccess rule to database 2 as it is defined for database 0, the configuration back-end.
to * by dn.base="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage

OpenLdap - change/modify not working

I am on OpenLdap and trying to modify an entry via an LDIF with slapadd command.
#LDIF
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
add: userPassword
userPassword: MyPassWord
But I am getting below error....
54a0fc8e <= str2entry: str2ad(changetype): attribute type undefined
Why changetype is not taken by slapadd command?
Also when I manually try to change the password on ldap browser I get following on the
logs
#!RESULT ERROR
#!CONNECTION ldap://<MY_MACHINENAME>:389
#!DATE 2014-12-29T10:14:16.930
#!ERROR [LDAP: error code 8 - modifications require authentication]
dn: uid=ROOTADMIN,ou=users,dc=example,dc=com
changetype: modify
replace: userPassword
userPassword:: S2l0ZXNGbHk=
LDAP: error code 8 - modifications require authentication? Which Authenication is required?

An ldif file like this (containing changetype entries) should be used with ldapadd, not slapadd.