
RE: OpenLDAP not listening on port 389



On Sat, 2006-02-25 at 09:08 +0000, Ben Stokes wrote:
> I've installed BDB 4.2.52 and OpenLDAP 2.3.19. The problem I have now is: 
> 
> /usr/local/openldap/sbin/slapadd -l /usr/local/openxchange/share/init_ldap.ldif
> bdb_db_open: Warning - No DB_CONFIG file found in directory /usr/local/openldap/var/openldap-data: (2)
> Expect poor performance for suffix dc=ukstokes,dc=com.
> str2entry: invalid value for attributeType OpenLDAPaci #0 (syntax 1.3.6.1.4.1.4203.666.2.1)
> slapadd: could not parse entry (line=145)
> 
> Line 145 in init_ldap.ldif is blank, but it follows this section, which uses ACIs:
> 
> objectClass: shadowAccount
> objectClass: posixAccount
> objectClass: person
> objectClass: inetOrgPerson
> objectClass: OXUserObject
> OpenLDAPaci:1#entry#grant;r,w,s,c;cn,initials,mail,title,ou,l,birthday,description,street,postalcode,st,c,oxtimezone,homephone,mobile,pager,facsimiletelephonenumber,telephonenumber,labeleduri,jpegphoto,loginDestination,sn,givenname,;r,s,c;[all]#self#
> uidNumber: 501
> homeDirectory: /home/mailadmin/
> loginShell: /bin/bash
> mailEnabled: OK
> gidNumber: 500
> mailDomain: ukstokes.com
> ou: Administration
> uid: mailadmin
> sn: Admin
> preferredLanguage: EN
> mail: mailadmin@ukstokes.com
> o: UKStokes Network
> smtpServer: localhost
> imapServer: localhost
> alias: postmaster@ukstokes.com
> alias: root@ukstokes.com
> givenName: Admin
> cn: Admin Admin
> shadowMin: 0
> shadowMax: 9999
> shadowWarning: 7
> shadowExpire: 0
> userPassword: {CRYPT}KYMLkc4NHqWeM
> OXAppointmentDays: 5
> OXGroupID: 500
> OXTaskDays: 5
> OXTimeZone: Europe/Berlin
> 
> If I comment out the line starting with OpenLDAPaci then slapadd works, but
> I am unable to add any new users in Open Exchange. I feel I have made some
> small progress though, as at least slapd is running now. Any ideas how I can
> overcome this? Is there a syntax error in the OpenLDAPaci line?
> 
> str2entry: invalid value for attributeType OpenLDAPaci #0 (syntax 1.3.6.1.4.1.4203.666.2.1)
> slapadd: could not parse entry (line=145)

I see a number of errors in the above ACI.  Note that OpenLDAP 2.3
introduced a(n undocumented, sigh) syntax for ACIs which causes values
to be validated (and normalized) when written, instead of when used.  If
we accept that the syntax did not change (which I haven't cared to
prove, though), the most relevant effect (which I consider absolutely
benign) is that now invalid ACIs are detected as soon as possible and
cannot be written, while previously they were plainly ignored during
access checking.

Recently (<http://www.openldap.org/lists/openldap-software/200602/msg00168.html>)
someone pointed out that the form "{grant,deny}(<access>;<attrlist>)*" was
previously supported, although not documented; in 2.3 only the form
"{grant,deny}(<access>;<attr>)*" is supported, as specified in the long ago
expired <draft-ietf-ldapext-aci-model>.

I think the author of the mentioned message is working (at least he said
he would) on writing some documentation for the above ACIs, and on
designing a patch to restore the original "<access>;<attrlist>" behavior
(which I'd be happy to consider and apply, if adequate, given that there
are no specs to stick to).  In the meantime you should change the
above ACI so that each attr is listed separately, prefixed by its access
rights.

I also note that there is an extra trailing "," at the end of the
attribute list in the above ACI which would likely prevent it from
validating even if the attribute list were supported.  The fact that the
above ACI used to work with older ACI implementations sounds like a bug.

Back to your initial problem, if you don't need to live with ACIs, you
can easily write an equivalent ACL rule and remove that string from your
entry.  All in all, it has been repeatedly pointed out that ACIs are a
less than optimal approach to access control, and anything that can be
done with ACIs can be done with ACLs as well.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
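The two fixes suggested in the reply (drop the stray trailing comma, and list each attribute in its own `<access>;<attr>` clause) and the alternative it mentions (an equivalent ACL instead of the ACI) can be mechanised. The following is an added example, not code from the thread or from OpenLDAP: a small Python checker that parses the `#`-separated OpenLDAPaci value, reports the problems named above, rewrites the value in the one-attribute-per-clause form that 2.3 validates, and emits `access to` lines for slapd.conf. `POSTED_ACI` is the value from the post with the mailer wrapping undone; `KNOWN_RIGHTS`, the rights-letter to ACL-level mapping and the `dn.subtree="dc=example,dc=com"` target are assumptions to be checked against slapd.access(5) before use.

```python
"""Checker/rewriter for OpenLDAPaci values in the '#'-separated form seen in
the post:

    <version>#<scope>#<action>;<access>;<attrs>[;<access>;<attrs>...]#<subject-type>#<subject>

Flags the stray trailing comma and the <access>;<attrlist> form that 2.3 no
longer accepts, rewrites the value with one attribute per clause, and emits
an equivalent slapd.conf ACL for the grant/self case.
"""

# Rights letters this checker accepts: r, w, s, c appear in the post; a and d
# (add/delete) come from draft-ietf-ldapext-aci-model.  Assumption, not the
# authoritative slapd list.
KNOWN_RIGHTS = set("rwscad")

# The ACI value from the post, with its mailer line-wrapping undone.
POSTED_ACI = (
    "1#entry#grant;r,w,s,c;cn,initials,mail,title,ou,l,birthday,description,"
    "street,postalcode,st,c,oxtimezone,homephone,mobile,pager,"
    "facsimiletelephonenumber,telephonenumber,labeleduri,jpegphoto,"
    "loginDestination,sn,givenname,;r,s,c;[all]#self#"
)


def parse_aci(value):
    """Split a value into its fields and a list of (access, attrlist) clauses."""
    fields = value.split("#")
    if len(fields) < 5:
        raise ValueError("expected 5 '#'-separated fields, got %d" % len(fields))
    version, scope, rights_field, subject_type, subject = fields[:5]
    tokens = rights_field.split(";")
    action, rest = tokens[0], tokens[1:]
    if len(rest) % 2:
        raise ValueError("rights field must be <action>(;<access>;<attrs>)*")
    clauses = [(rest[i], rest[i + 1]) for i in range(0, len(rest), 2)]
    return {"version": version, "scope": scope, "action": action,
            "clauses": clauses, "subject_type": subject_type, "subject": subject}


def validate_aci(value, one_attr_per_clause=True):
    """Return a list of problems; an empty list means the value passes.

    one_attr_per_clause=True applies the 2.3 rule from the reply; False checks
    only what would also have been wrong under the older attrlist form.
    """
    try:
        aci = parse_aci(value)
    except ValueError as err:
        return [str(err)]
    problems = []
    if aci["action"] not in ("grant", "deny"):
        problems.append("action must be grant or deny, got %r" % aci["action"])
    for access, attrlist in aci["clauses"]:
        unknown = set(access.split(",")) - KNOWN_RIGHTS
        if unknown:
            problems.append("unknown right(s) %s in %r" % (sorted(unknown), access))
        names = attrlist.split(",")
        if "" in names:
            problems.append("empty attribute name (stray comma) in %r" % attrlist)
        if one_attr_per_clause and len(names) > 1:
            problems.append("more than one attribute in clause %r; 2.3 wants "
                            "<access>;<attr> pairs" % attrlist)
    return problems


def to_single_attr_form(value):
    """Rewrite each <access>;<attrlist> clause as one <access>;<attr> per attribute."""
    aci = parse_aci(value)
    parts = [aci["action"]]
    for access, attrlist in aci["clauses"]:
        for attr in attrlist.split(","):
            if attr:                     # skipping "" drops the stray trailing comma
                parts.extend([access, attr])
    return "#".join([aci["version"], aci["scope"], ";".join(parts),
                     aci["subject_type"], aci["subject"]])


def _acl_level(access):
    """Map ACI rights letters to a slapd ACL level (levels are cumulative, so
    write covers read, search and compare).  Assumed mapping."""
    rights = set(access.split(","))
    for letters, level in (("wad", "write"), ("r", "read"), ("s", "search"), ("c", "compare")):
        if rights & set(letters):
            return level
    return "none"


def to_acl(value, target='dn.subtree="dc=example,dc=com"'):
    """Emit slapd.conf 'access to' lines equivalent to a grant ... #self# ACI.

    'target' is a placeholder <what> clause (assumption).  slapd stops at the
    first 'access to' whose <what> matches, so the attribute-specific line is
    emitted before the [all] line, in the same order as the ACI clauses.
    """
    aci = parse_aci(value)
    if aci["action"] != "grant" or aci["subject_type"] != "self":
        raise ValueError("only grant ... #self# ACIs are translated here")
    lines = []
    for access, attrlist in aci["clauses"]:
        names = [a for a in attrlist.split(",") if a]
        what = target if names == ["[all]"] else "%s attrs=%s" % (target, ",".join(names))
        lines.append("access to %s by self %s" % (what, _acl_level(access)))
    return lines


if __name__ == "__main__":
    for problem in validate_aci(POSTED_ACI):
        print("posted ACI:", problem)
    fixed = to_single_attr_form(POSTED_ACI)
    print("rewritten:", fixed)
    print("problems left:", validate_aci(fixed))
    print("\n".join(to_acl(POSTED_ACI)))
```

Running it on the posted value reports the stray comma and the multi-attribute clause, then shows the rewritten value passing the same checks. The generated ACL grants only `self`; other users fall through to whatever `access to` directives follow it in slapd.conf, so place it before any broader rule and add the `by` clauses other users need.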