Is spring LDAP support for control to pass to directory service.?
I need to pass the request control flag (assertionFilter "(ETag=${ETAG})") to forgerock directory server
Here is an example (ref - https://backstage.forgerock.com/docs/ds/7.1/ldap-guide/write-ldap.html#modify-optimistic-concurrency)
ldapmodify
--hostname localhost
--port 1636
--useSsl
--usePkcs12TrustStore /path/to/opendj/config/keystore
--trustStorePassword:file /path/to/opendj/config/keystore.pin
--bindDN "uid=kvaughan,ou=people,dc=example,dc=com"
--bindPassword bribery
--assertionFilter "(ETag=${ETAG})" << EOF
dn: uid=bjensen,ou=People,dc=example,dc=com
changetype: modify
replace: l
l: Grenoble
add: description
description: Employee of the Month
EOF
Related
I'm trying to import a user into OpenLDAP on Alpine Linux. Here's the LDIF that I named searchUser.ldif:
# Search account
dn: uid=search,dc=home
changetype: add
objectClass: top
objectClass: person
objectClass: inetOrgPerson
cn: search
sn: search
uid: search
The command I used to import it is:
ldapadd -x -D "cn=Manager,dc=home" -w supersecret -f searchUser.ldif
The error I get is:
ldap_add: Invalid syntax (21) additional info: objectClass: value #2 invalid per syntax
My understanding of this is the objectClasses are numbered, starting with 0, and that #2 indicates the problem is with inetOrgPerson.
I've done this successfully using OpenLDAP on Raspberry Pi OS (debian). However, I get the feeling the Debian package automates some configuration steps that the Alpine package does not. One of those steps I think Debian does during the package install is to import inetOrgPerson schema.
I've tried to do the schema import manually. Here are the steps I took prior to trying the LDIF import...
I scripted my install of OpenLDAP on Alpine, like so:
export DOMAIN="dc=home"
echo "Installing packages..."
apk add openldap openldap-back-mdb openldap-clients
echo "Configuring for v2.3+ style slapd.d config directory..."
install -m 755 -o ldap -g ldap -d /etc/openldap/slapd.d
sed -i~ \
-e 's/^cfgfile=/#cfgfile=/' \
-e 's/^#cfgdir=.*/cfgdir=\"\/etc\/openldap\/slapd.d\"/' \
/etc/conf.d/slapd
rm /etc/openldap/slapd.conf
echo "Customizing for domain: ${DOMAIN}..."
sed -i~ \
-e 's/\.la$/.so/' \
-e "s/dc=my-domain,dc=com/${DOMAIN}/" /etc/openldap/slapd.ldif
echo "Importing configuration..."
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/slapd.ldif
chown -R ldap:ldap /etc/openldap/slapd.d/*
echo "Configuring slapd service..."
install -m 755 -o ldap -g ldap -d /var/lib/openldap/run
service slapd start
rc-update add slapd
The slapd service started and I could connect to it with command-line tools and from a client over port 389. So far, so good.
The next thing I did was to import schema for cosine and inetOrgPerson. I believe the Debian package did this automatically, because I don't recall having to do this previously.
Here's what I did on Alpine to import the schema:
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/cosine.ldif
slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/inetorgperson.ldif
There were no errors.
I then created an organization using the command ldapadd -x -D "cn=Manager,dc=home" -w secret -f org.ldif and this LDIF as org.ldif:
dn: dc=home
objectclass: dcObject
objectclass: organization
o: Home
dc: home
dn: cn=Manager,dc=home
objectclass: organizationalRole
cn: Manager
This too was successful.
I can also create organizational units with this LDIF:
# Organizational unit for users
dn: ou=People,dc=home
changetype: add
objectClass: organizationalUnit
ou: People
# Organizational unit for groups.
dn: ou=Groups,dc=home
changetype: add
objectClass: organizationalUnit
ou: Groups
So I think my server is okay, but I may have done something wrong with the inetOrgPerson schema import that's causing the Invalid syntax (21) error.
Is the way I'm importing the inetOrgPerson schema correct? Is there a way to verify it?
I believe the problem was due to incorrect ownership for the new files in the /etc/openldap/slapd.d/cn=config/cn=schema directory. Once I fixed that, I was able to import the search user.
Because I ran the slapd commands as the root user, the resulting schema config files were owned by root. I discovered this when I restarted the slapd service and it failed with this error in /var/log/messages:
ldif_read_file: Permission denied for "/etc/openldap/slapd.d/cn=config/cn=schema/cn={1}cosine.ldif"
The solution was to change ownership on the files. This is the correct ownership:
alpine:/etc/openldap/slapd.d/cn=config/cn=schema# ls -l
total 32
-rw------- 1 ldap ldap 15575 May 5 12:43 cn={0}core.ldif
-rw------- 1 ldap ldap 11361 May 5 14:53 cn={1}cosine.ldif
-rw------- 1 ldap ldap 2855 May 5 14:53 cn={2}inetorgperson.ldif
So the answer to this question is...
Yes, importing with slapadd -n 0 -F /etc/openldap/slapd.d -l /etc/openldap/schema/inetorgperson.ldif worked fine, but the command should have been run as the ldap user so the ownership is correct. (Or run as root and change ownership after.)
One way to verify the schema is to look inside the /etc/openldap/slapd.d directory. Specifically, /etc/openldap/slapd.d/cn=config/cn=schema shows evidence of the schema I added.
Even with the potential for incorrect file ownership, I see this as a much easier way to add schema than some of the other tutorials I've found that involve creating and editing a temporary slapd.conf file.
I am looking for a Bash script to redirect a simple ls command output to a file on my Linux box from my FTP Server.
Here follows the step by step commands to illustrate what I am looking to script. The FTP site can be accessed without a user/password, so i am entering user as anonymous and password as blank when prompted.
ftp <FTP_SERVER>
Connected to <FTP_SERVER> (IP_ADDRESS).
220 Microsoft FTP Service
Name (<FTP_SERVER>:root): anonymous
331 Anonymous access allowed, send identity (e-mail name) as password.
Password:
230 Anonymous user logged in.
Remote system type is Windows_NT.
ftp> ls /Outgoing/Artemis/incremental/Hashes-1492870261.zip
227 Entering Passive Mode (10,37,108,77,5,87).
125 Data connection already open; Transfer starting.
04-22-17 07:11AM 227634 Hashes-1492870261.zip
226 Transfer complete.
I need the output of the command 'ls' command I am executing to be saved in a file on my linux box.
Here is the script i have:
ftp FTP_SERVER <<EOF >outputfile
quote USER anonymous
quote PASS
prompt noprompt
ls -la /Outgoing/Artemis/incremental/Hashes-1492870261.zip
quit
EOF
when i execute this i get a login failed error.
sh -x test.sh
+ ftp FTP_SERVER`
Password:
Login failed.
local: /Outgoing/Artemis/incremental/Hashes-1492870261.zip: No such file or directory
I used some random password as a test instead of blank (null) which I used previously, but still get the same error. How can I fix this?
Turn interactive mode off:
ftp -i -n FTP_SERVER <<EOF >outputfile
user <user> <password>
binary
ls -la .
quit
EOF
You might get on better with lftp:
lftp -e 'ls -l someFile.zip; quit' -u USER,PASSWORD FTPSERVER > ls.txt
where all the words in capitals need replacing by your own values.
Or you could try with curl:
curl ftp://FTPSERVER --user USER:PASSWORD
I want to update passwords [user's already existing in ldap] of the user by importing data from /etc/passwd & /etc/shadow
How to achieve this ?
I will give the overview of my setup.
nodes user id & password managed by management node [xcat], ldap not used for this purpose.
We have imported the user's from management node to ldap server by following the below given steps:-
Copied /etc/passwd, /etc/group & /etc/shadow from management node.
getent passwd > /tmp/passwd.out getent shadow > /tmp/shadow.out
cd /usr/share/migrationtools/ ./migrate_passwd.pl /tmp/passwd.out > /tmp/passwd.ldif
ldapadd -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Now we want to update the passwords frequently and keep the ldap server sync with out management node. please give me idea how to achive this.
I tried the same way i imported users into ldap but it gives me an error.
[root#iitmserver2 migrationtools]# ldapmodify -x -W -D "cn=Manager,dc=aadityaldap,dc=com" -f /tmp/passwd.ldif
Enter LDAP Password:
ldapmodify: modify operation type is missing at line 2, entry "uid=pharthiphan,ou=People,dc=aadityaldap,dc=com"
I've run into sort of a deadlock setting up an LDAP server on CentOS.
I use the on-line configuration files under /etc/openldap/slapd.d
The documentation tells you not to modify those files by hand, and the files are checksummed.
But I cannot use ldapmodify, because I can't log in (simple bind) - and I can't log in because I can't set a password for the user - and I can't set a password for the user because I can't use ldapmodify, because I can't log in, because I can't set a password, because ....
I could of course set it up by editing the files directly - and I have done it, and it works.
But it just bugs me, that I can't find a way to do it "properly".
Ubuntu (Debian Packages)
Ubuntu and maybe other distributions with debian packages try to be super smart and set up everything for you - which really becomes a problem when you want to do a non-interactive installation, because debconf will set random admin-passwords and also configure the base-DN according to your machine name. You might be able to guess the base-DN - but you can't guess the password, and as it is deleted from the debconf-DB after installation you can not read it out.
You can however configure the passwords and DN before you install the package:
export DEBIAN_FRONTEND=noninteractive
sudo debconf-set-selections <<EOF
slapd slapd/internal/generated_adminpw password changeme
slapd slapd/password2 password changeme
slapd slapd/internal/adminpw password changeme
slapd slapd/password1 password changeme
slapd slapd/domain string example.com
slapd shared/organization string example.com
EOF
sudo apt-get install -y slapd ldap-utils
Be very careful with your spaces here: putting two spaces before the password will set the password to __changeme_ (that is: (blankspace)changeme)
Thanks to OpenStackPro for showing how to configure the selections
You can test your setup with
ldapsearch -x -D "cn=admin,dc=example,dc=com" -w "changeme"
Which should output in something like
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
This means, there is nothing in your LDAP-Database (yet), but at least you were able to log in :-)
If you get something like
ldap_bind: Invalid credentials (49)
you need to double check your admin-DN and password. You can check your admin-DN with
sudo slapcat -n0 | grep olcRootDN
CentOS 6.6 (and most likely RedHat, Fedora etc.)
Install the packages
sudo yum -y install openldap openldap-servers openldap-clients
First get a password-hash with
slappasswd -s changeme
Be aware that the CentOS-package uses my-domain.com instead of example.com, so you might need to adapt the commands accordingly.
Create an initial ldif, in a file like init.ldif:
dn: dc=my-domain,dc=com
objectClass: top
objectClass: dcObject
objectClass: organization
o: my-domain.com
dc: my-domain
dn: cn=admin,dc=my-domain,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword: {SSHA}rX8oWGKW6B7mKY+nUJhrv4g1pPH5KtQg
To write this config to your LDAP use:
sudo slapadd -F /etc/openldap/slapd.d -b "cn=config" -l init.ldif
Again, You can test your setup with
ldapsearch -x -D "cn=admin,dc=my-domain,dc=com" -w "changeme"
(see above at "Ubuntu")
using an OPENLDAP server i want to retrieve informations from it with ldapsearch. I created a custom class called iduriclass, this class is used to store an id and an uri. in my ldapsearch command i want it to return only the uri for a specified id.
EXAMPLE : the directory contain now two entries id=test uri=server.com/test and id=test2 uri=server.com/test2
Trying it i get an ldif file that contains all uris in the server
I want to have an ldapsearch command that takes test as argument and returns only a value that is : server.com/test
Here's how you query your ldap server.
HOSTNAME=<your ladap hostname>
USERNAME=<your ldap username>
PASSWORD=<your ldap username's password>
SEARCHBASE=<your ldap's search base DN>
QUERYSTRING=test1
PORT=<your ldap port>
ldapsearch -LLL -h ${HOSTNAME} -p $PORT -D cn=${USERNAME} -w ${PASSWORD} -b "${SEARCHBASE}" "(id=${QUERYSTRING})" uri | sed -n 's/^[ \t]*uri:[ \t]*\(.*\)/\1/p'
The option -LLL will not print ldap comments on output. Your ldap may require -x (simple authentication) if it doesn't support SASL.
Adding the parameter -tt writes a file with ONLY the requested attribute(s) value as the OP requested. No preceding field name or anything else. Path is configurable with -T, otherwise is /tmp