Ldap

OpenLDAP memberof overlay error: memberof_value_modify err=32

  • October 25, 2021

I have enabled the refint and memberof overlays on OpenLDAP 2.4.57, but when I create a groupOfNames I get the error memberof_value_modify .. failed err=32. I also have syncprov enabled with a replica. What am I doing wrong?

Adding the group

$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member: cn=myüser,ou=members,dc=mydomain,dc=tld
EOF

Error log

slapd: conn=132979 op=1: memberof_value_modify DN="cn=myüser,ou=members,dc=mydomain,dc=tld" add memberOf="cn=mygroup,ou=groups,dc=mydomain,dc=tld" failed err=32
slapd: <= bdb_equality_candidates: (memberOf) not indexed

Configuration

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b cn=module{0},cn=config
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModuleLoad: {2}memberof
olcModuleLoad: {3}refint

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
dn: olcOverlay={0}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: top
olcOverlay: memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD:: bWVtYmVyT2Yg

$ sudo ldapsearch -Y EXTERNAL -H ldapi:/// -b olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
dn: olcOverlay={2}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {2}refint
olcRefintAttribute: memberof member manager owner

Error 32 means no such object.

The dn of my node is base64-encoded because it contains an accented character. For another object with a plain DN everything works fine.

$ ldapsearch -W -x -D cn=admin,dc=mydomain,dc=tld -b ou=members,dc=mydomain,dc=tld sn=Doe
dn:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
objectClass: top
objectClass: person
objectClass: inetOrgPerson
sn: Doe
givenName: John
uid: john.doe

This is the behaviour defined in RFC 2849, which says:

 4)  Any dn or rdn that contains characters other than those
     defined as "SAFE-UTF8-CHAR", or begins with a character other
     than those defined as "SAFE-INIT-UTF8-CHAR", above, MUST be
     base-64 encoded.  Other values MAY be base-64 encoded.  Any
     value that contains characters other than those defined as
     "SAFE-CHAR", or begins with a character other than those
     defined as "SAFE-INIT-CHAR", above, MUST be base-64 encoded.
     Other values MAY be base-64 encoded.

Using the encoded version of the dn, everything works:

$ ldapadd -W -x -D cn=admin,dc=mydomain,dc=tld << EOF
dn: cn=mygroup,ou=groups,dc=mydomain,dc=tld
objectClass: top
objectClass: groupOfNames
cn: mygroup
member:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk
EOF
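As an added example (my own code, not from the post or from OpenLDAP), the following writes LDIF the way RFC 2849 requires, base64-encoding any DN or value that is not a SAFE-STRING, and also decodes an `attr::` line back to its raw bytes so you can see what the directory actually holds. That second check is worth running on the `dn::` value printed in the answer above: it decodes to the bytes `cn=my\xfcser,...`, where `0xFC` is the ISO-8859-1 byte for ü and not a valid UTF-8 sequence (UTF-8 ü is `C3 BC`). A UTF-8 `cn=myüser,...` typed at ldapadd is therefore a different byte string from the stored DN, which is consistent with the server answering no such object for the typed form while the base64 of the stored bytes matches. The helper names (`needs_base64`, `ldif_entry`, `decode_ldif_value`, `group_entry`) and the sample DNs are mine; the sample values are the ones shown on this page.

```python
# Added example (not code from the original post): an RFC 2849-aware LDIF
# writer plus a decoder for the `attr::` base64 form. Names are my own.
import base64

LDIF_LINE_MAX = 76  # RFC 2849: lines SHOULD NOT exceed 76 characters


def needs_base64(raw: bytes) -> bool:
    """True when `raw` is not a SAFE-STRING per RFC 2849 and must use `attr::`."""
    if not raw:
        return False
    # SAFE-INIT-CHAR: the first byte may not be SPACE, ':' or '<'
    if raw[0] in (0x20, 0x3A, 0x3C):
        return True
    # SAFE-CHAR: no NUL, LF, CR, and nothing above 0x7F. 8-bit bytes are never
    # "safe"; OpenLDAP's ldapsearch applies the same rule when it prints `dn::`.
    if any(b in (0x00, 0x0A, 0x0D) or b > 0x7F for b in raw):
        return True
    # RFC 2849 recommends encoding values that end with SPACE as well
    # (the `olcMemberOfMemberOfAD::` line above decodes to "memberOf ").
    return raw[-1] == 0x20


def fold(line: str) -> str:
    """Fold a long line; RFC 2849 continuation lines begin with one space."""
    if len(line) <= LDIF_LINE_MAX:
        return line
    parts, rest = [line[:LDIF_LINE_MAX]], line[LDIF_LINE_MAX:]
    while rest:
        parts.append(" " + rest[:LDIF_LINE_MAX - 1])
        rest = rest[LDIF_LINE_MAX - 1:]
    return "\n".join(parts)


def ldif_line(attr: str, value) -> str:
    """Render one attribute; str values are UTF-8, bytes are used verbatim."""
    raw = value if isinstance(value, bytes) else value.encode("utf-8")
    if needs_base64(raw):
        return fold(f"{attr}:: {base64.b64encode(raw).decode('ascii')}")
    return fold(f"{attr}: {raw.decode('ascii')}")


def ldif_entry(dn, attrs) -> str:
    """attrs is a list of (name, value-or-list-of-values); the dn line comes first."""
    lines = [ldif_line("dn", dn)]
    for attr, values in attrs:
        if isinstance(values, (str, bytes)):
            values = [values]
        lines.extend(ldif_line(attr, v) for v in values)
    return "\n".join(lines) + "\n"


def decode_ldif_value(line: str):
    """Undo `attr:: base64` (or plain `attr: value`). Returns (attr, raw, utf8_ok).

    utf8_ok is False when the stored bytes are not valid UTF-8, i.e. the
    directory holds a DN that no UTF-8 string typed at ldapadd can equal.
    """
    line = line.replace("\n ", "")  # unfold continuation lines
    attr, _, rest = line.partition(":")
    if rest.startswith(":"):
        raw = base64.b64decode(rest[1:].strip())
    else:
        raw = rest.strip().encode("utf-8")
    try:
        raw.decode("utf-8")
        utf8_ok = True
    except UnicodeDecodeError:
        utf8_ok = False
    return attr, raw, utf8_ok


# The `dn::` value ldapsearch printed in the answer above.
STORED_DN_LINE = "dn:: Y249bXn8c2VyLG91PW1lbWJlcnMsZGM9bXlkb21haW4sZGM9dGxk"
# The member DN as typed (UTF-8) in the failing ldapadd.
TYPED_MEMBER_DN = "cn=myüser,ou=members,dc=mydomain,dc=tld"


def group_entry(member_dn) -> str:
    """The groupOfNames from the question, with the member DN encoded safely."""
    return ldif_entry("cn=mygroup,ou=groups,dc=mydomain,dc=tld", [
        ("objectClass", ["top", "groupOfNames"]),
        ("cn", "mygroup"),
        ("member", member_dn),
    ])


if __name__ == "__main__":
    _, stored, ok = decode_ldif_value(STORED_DN_LINE)
    print("stored DN bytes:", stored, "valid UTF-8:", ok)
    print("typed DN bytes :", TYPED_MEMBER_DN.encode("utf-8"))
    print(group_entry(TYPED_MEMBER_DN))  # member:: <base64 of the UTF-8 DN>
    print(group_entry(stored))           # member:: Y249bXn8... as in the answer
```

Feeding `group_entry(stored)` to `ldapadd` reproduces the working `member::` line from the answer byte for byte, while `group_entry(TYPED_MEMBER_DN)` produces a correctly encoded but different DN. The practical rule is to never hand-type a DN containing non-ASCII characters into LDIF: take the `dn::` value from `ldapsearch` and reuse it, and treat a `dn::` that does not decode as UTF-8 as a sign that the entry was created with a different character encoding. The decoder does not handle the `attr:< file:///...` URL form of RFC 2849.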

Source: https://serverfault.com/questions/1080937