Configuring ldap entries with multiple values for the same attribute
Do konfigurowania wpisów w ldapie wykorzystywane jest narzędzie ldapmodify. Podawany jest plik wejściowy .ldif z interesującymi nas zmianami. W jego definicji podajemy typ zmiany zgodnie z obsługiwanymi typami (modify,add,delete,replace). Niestety jest to niewystarczające, bądź uciążliwe w przypadku występowania wielu wartości dla jednego atrybutu.
Przykładowe dane
W konfiguracji ldapa występuje definicja schemy, np.:
core schema
# {0}core, schema, config
dn: cn={0}core,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {0}core
olcAttributeTypes: {0}( 2.5.4.2 NAME 'knowledgeInformation' DESC 'RFC2256: kno
wledge information' EQUALITY caseIgnoreMatch SYNTAX 1.3.6.1.4.1.1466.115.121.
1.15{32768} )
olcAttributeTypes: {1}( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (f
amily) name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {2}( 2.5.4.5 NAME 'serialNumber' DESC 'RFC2256: serial numb
er of the entity' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch S
YNTAX 1.3.6.1.4.1.1466.115.121.1.44{64} )
olcAttributeTypes: {3}( 2.5.4.6 NAME ( 'c' 'countryName' ) DESC 'RFC4519: two-
letter ISO-3166 country code' SUP name SYNTAX 1.3.6.1.4.1.1466.115.121.1.11 S
INGLE-VALUE )
olcAttributeTypes: {4}( 2.5.4.7 NAME ( 'l' 'localityName' ) DESC 'RFC2256: loc
ality which this object resides in' SUP name )
olcAttributeTypes: {5}( 2.5.4.8 NAME ( 'st' 'stateOrProvinceName' ) DESC 'RFC2
256: state or province which this object resides in' SUP name )
olcAttributeTypes: {6}( 2.5.4.9 NAME ( 'street' 'streetAddress' ) DESC 'RFC225
6: street address of this object' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreS
ubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {7}( 2.5.4.10 NAME ( 'o' 'organizationName' ) DESC 'RFC2256
: organization this object belongs to' SUP name )
olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
RFC2256: organizational unit this object belongs to' SUP name )
olcAttributeTypes: {9}( 2.5.4.12 NAME 'title' DESC 'RFC2256: title associated
with the entity' SUP name )
olcAttributeTypes: {10}( 2.5.4.14 NAME 'searchGuide' DESC 'RFC2256: search gui
de, deprecated by enhancedSearchGuide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.25 )
olcAttributeTypes: {11}( 2.5.4.15 NAME 'businessCategory' DESC 'RFC2256: busin
ess category' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTA
X 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {12}( 2.5.4.16 NAME 'postalAddress' DESC 'RFC2256: postal a
ddress' EQUALITY caseIgnoreListMatch SUBSTR caseIgnoreListSubstringsMatch SYN
TAX 1.3.6.1.4.1.1466.115.121.1.41 )
olcAttributeTypes: {13}( 2.5.4.17 NAME 'postalCode' DESC 'RFC2256: postal code
' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.15{40} )
olcAttributeTypes: {14}( 2.5.4.18 NAME 'postOfficeBox' DESC 'RFC2256: Post Off
ice Box' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3
.6.1.4.1.1466.115.121.1.15{40} )
olcAttributeTypes: {15}( 2.5.4.19 NAME 'physicalDeliveryOfficeName' DESC 'RFC2
256: Physical Delivery Office Name' EQUALITY caseIgnoreMatch SUBSTR caseIgnor
eSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
olcAttributeTypes: {16}( 2.5.4.20 NAME 'telephoneNumber' DESC 'RFC2256: Teleph
one Number' EQUALITY telephoneNumberMatch SUBSTR telephoneNumberSubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.50{32} )
olcAttributeTypes: {17}( 2.5.4.21 NAME 'telexNumber' DESC 'RFC2256: Telex Numb
er' SYNTAX 1.3.6.1.4.1.1466.115.121.1.52 )
olcAttributeTypes: {18}( 2.5.4.22 NAME 'teletexTerminalIdentifier' DESC 'RFC22
56: Teletex Terminal Identifier' SYNTAX 1.3.6.1.4.1.1466.115.121.1.51 )
olcAttributeTypes: {19}( 2.5.4.23 NAME ( 'facsimileTelephoneNumber' 'fax' ) DE
SC 'RFC2256: Facsimile (Fax) Telephone Number' SYNTAX 1.3.6.1.4.1.1466.115.12
1.1.22 )
olcAttributeTypes: {20}( 2.5.4.24 NAME 'x121Address' DESC 'RFC2256: X.121 Addr
ess' EQUALITY numericStringMatch SUBSTR numericStringSubstringsMatch SYNTAX 1
.3.6.1.4.1.1466.115.121.1.36{15} )
olcAttributeTypes: {21}( 2.5.4.25 NAME 'internationaliSDNNumber' DESC 'RFC2256
: international ISDN number' EQUALITY numericStringMatch SUBSTR numericString
SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.36{16} )
olcAttributeTypes: {22}( 2.5.4.26 NAME 'registeredAddress' DESC 'RFC2256: regi
stered postal address' SUP postalAddress SYNTAX 1.3.6.1.4.1.1466.115.121.1.41
)
olcAttributeTypes: {23}( 2.5.4.27 NAME 'destinationIndicator' DESC 'RFC2256: d
estination indicator' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMat
ch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44{128} )
olcAttributeTypes: {24}( 2.5.4.28 NAME 'preferredDeliveryMethod' DESC 'RFC2256
: preferred delivery method' SYNTAX 1.3.6.1.4.1.1466.115.121.1.14 SINGLE-VALU
E )
olcAttributeTypes: {25}( 2.5.4.29 NAME 'presentationAddress' DESC 'RFC2256: pr
esentation address' EQUALITY presentationAddressMatch SYNTAX 1.3.6.1.4.1.1466
.115.121.1.43 SINGLE-VALUE )
olcAttributeTypes: {26}( 2.5.4.30 NAME 'supportedApplicationContext' DESC 'RFC
2256: supported application context' EQUALITY objectIdentifierMatch SYNTAX 1.
3.6.1.4.1.1466.115.121.1.38 )
olcAttributeTypes: {27}( 2.5.4.31 NAME 'member' DESC 'RFC2256: member of a gro
up' SUP distinguishedName )
olcAttributeTypes: {28}( 2.5.4.32 NAME 'owner' DESC 'RFC2256: owner (of the ob
ject)' SUP distinguishedName )
olcAttributeTypes: {29}( 2.5.4.33 NAME 'roleOccupant' DESC 'RFC2256: occupant
of role' SUP distinguishedName )
olcAttributeTypes: {30}( 2.5.4.36 NAME 'userCertificate' DESC 'RFC2256: X.509
user certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.
4.1.1466.115.121.1.8 )
olcAttributeTypes: {31}( 2.5.4.37 NAME 'cACertificate' DESC 'RFC2256: X.509 CA
certificate, use ;binary' EQUALITY certificateExactMatch SYNTAX 1.3.6.1.4.1.
1466.115.121.1.8 )
olcAttributeTypes: {32}( 2.5.4.38 NAME 'authorityRevocationList' DESC 'RFC2256
: X.509 authority revocation list, use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.9 )
olcAttributeTypes: {33}( 2.5.4.39 NAME 'certificateRevocationList' DESC 'RFC22
56: X.509 certificate revocation list, use ;binary' SYNTAX 1.3.6.1.4.1.1466.1
15.121.1.9 )
olcAttributeTypes: {34}( 2.5.4.40 NAME 'crossCertificatePair' DESC 'RFC2256: X
.509 cross certificate pair, use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.1
0 )
olcAttributeTypes: {35}( 2.5.4.42 NAME ( 'givenName' 'gn' ) DESC 'RFC2256: fir
st name(s) for which the entity is known by' SUP name )
olcAttributeTypes: {36}( 2.5.4.43 NAME 'initials' DESC 'RFC2256: initials of s
ome or all of names, but not the surname(s).' SUP name )
olcAttributeTypes: {37}( 2.5.4.44 NAME 'generationQualifier' DESC 'RFC2256: na
me qualifier indicating a generation' SUP name )
olcAttributeTypes: {38}( 2.5.4.45 NAME 'x500UniqueIdentifier' DESC 'RFC2256: X
.500 unique identifier' EQUALITY bitStringMatch SYNTAX 1.3.6.1.4.1.1466.115.1
21.1.6 )
olcAttributeTypes: {39}( 2.5.4.46 NAME 'dnQualifier' DESC 'RFC2256: DN qualifi
er' EQUALITY caseIgnoreMatch ORDERING caseIgnoreOrderingMatch SUBSTR caseIgno
reSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.44 )
olcAttributeTypes: {40}( 2.5.4.47 NAME 'enhancedSearchGuide' DESC 'RFC2256: en
hanced search guide' SYNTAX 1.3.6.1.4.1.1466.115.121.1.21 )
olcAttributeTypes: {41}( 2.5.4.48 NAME 'protocolInformation' DESC 'RFC2256: pr
otocol information' EQUALITY protocolInformationMatch SYNTAX 1.3.6.1.4.1.1466
.115.121.1.42 )
olcAttributeTypes: {42}( 2.5.4.50 NAME 'uniqueMember' DESC 'RFC2256: unique me
mber of a group' EQUALITY uniqueMemberMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1
.34 )
olcAttributeTypes: {43}( 2.5.4.51 NAME 'houseIdentifier' DESC 'RFC2256: house
identifier' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{32768} )
olcAttributeTypes: {44}( 2.5.4.52 NAME 'supportedAlgorithms' DESC 'RFC2256: su
pported algorithms' SYNTAX 1.3.6.1.4.1.1466.115.121.1.49 )
olcAttributeTypes: {45}( 2.5.4.53 NAME 'deltaRevocationList' DESC 'RFC2256: de
lta revocation list; use ;binary' SYNTAX 1.3.6.1.4.1.1466.115.121.1.9 )
olcAttributeTypes: {46}( 2.5.4.54 NAME 'dmdName' DESC 'RFC2256: name of DMD' S
UP name )
olcAttributeTypes: {47}( 2.5.4.65 NAME 'pseudonym' DESC 'X.520(4th): pseudonym
for the object' SUP name )
olcAttributeTypes: {48}( 0.9.2342.19200300.100.1.3 NAME ( 'mail' 'rfc822Mailbo
x' ) DESC 'RFC1274: RFC822 Mailbox' EQUALITY caseIgnoreIA5Match SUBSTR ca
seIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
nt' ) DESC 'RFC1274/2247: domain component' EQUALITY caseIgnoreIA5Match SUBST
R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VA
LUE )
olcAttributeTypes: {50}( 0.9.2342.19200300.100.1.37 NAME 'associatedDomain' DE
SC 'RFC1274: domain associated with object' EQUALITY caseIgnoreIA5Match SUBST
R caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
olcAttributeTypes: {51}( 1.2.840.113549.1.9.1 NAME ( 'email' 'emailAddress' 'p
kcs9email' ) DESC 'RFC3280: legacy attribute for email addresses in DNs' EQUA
LITY caseIgnoreIA5Match SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.
1.1466.115.121.1.26{128} )
olcObjectClasses: {0}( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP to
p STRUCTURAL MUST c MAY ( searchGuide $ description ) )
olcObjectClasses: {1}( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP
top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description )
)
olcObjectClasses: {2}( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organizat
ion' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ b
usinessCategory $ x121Address $ registeredAddress $ destinationIndicator $ pr
eferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNu
mber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOff
iceBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ d
escription ) )
olcObjectClasses: {3}( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an org
anizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide
$ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destination
Indicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier
$ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ str
eet $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ st $ l $ description ) )
olcObjectClasses: {4}( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top
STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $
description ) )
olcObjectClasses: {5}( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an o
rganizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ regis
teredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ fac
simileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l ) )
olcObjectClasses: {6}( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an org
anizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAd
dress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ telete
xTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTe
lephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ p
ostOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $
st $ l $ description ) )
olcObjectClasses: {7}( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of n
ames (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $
seeAlso $ owner $ ou $ o $ description ) )
olcObjectClasses: {8}( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an res
idential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Ad
dress $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDN
Number $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOf
ficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l )
)
olcObjectClasses: {9}( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an ap
plication process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ descri
ption ) )
olcObjectClasses: {10}( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an ap
plication entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY (
supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
olcObjectClasses: {11}( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system
agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation )
olcObjectClasses: {12}( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP to
p STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ desc
ription ) )
olcObjectClasses: {13}( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256
: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
olcObjectClasses: {14}( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256:
a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ c
ertificateRevocationList $ cACertificate ) MAY crossCertificatePair )
olcObjectClasses: {15}( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256:
a user security information' SUP top AUXILIARY MAY ( supportedAlgorithms ) )
olcObjectClasses: {16}( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certif
icationAuthority AUXILIARY MAY ( deltaRevocationList ) )
olcObjectClasses: {17}( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURA
L MUST ( cn ) MAY ( certificateRevocationList $ authorityRevocationList $ del
taRevocationList ) )
olcObjectClasses: {18}( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName
) MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address
$ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telex
Number $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumbe
r $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAd
dress $ physicalDeliveryOfficeName $ st $ l $ description ) )
olcObjectClasses: {19}( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP
top AUXILIARY MAY userCertificate )
olcObjectClasses: {20}( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate a
uthority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevoca
tionList $ cACertificate $ crossCertificatePair ) )
olcObjectClasses: {21}( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP
top AUXILIARY MAY deltaRevocationList )
olcObjectClasses: {22}( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC
2079: object that contains the URI attribute type' MAY ( labeledURI ) SUP top
AUXILIARY )
olcObjectClasses: {23}( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )
olcObjectClasses: {24}( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: do
main component object' SUP top AUXILIARY MUST dc )
olcObjectClasses: {25}( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid obje
ct' SUP top AUXILIARY MUST uid )
olcObjectClasses: {26}( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a gr
oup of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uni
queMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ descript
ion $ gidNumber) )Jak widać mamy wiele wartości zarówno dla olcAttributeTypes jak i olcObjectClasses.
Jak to działa aktualnie i co jest nie tak.
Narzędzie ldapmodify nakłada zmiany dla całego wpisu, tj. jeśli zdefiniujemy zmianę (usunięcie jednego wpisu z dozwolonych atrybutów dla klasy):
dn: cn={0}core,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a group of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uniqueMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ description ) )
to narzędzie usunie wszystkie wartości atrybutu olcObjectClasses i doda tylko ten jeden zdefiniowany.
Przy aktualnej implementacji aby zachować pozostałe wpisy i dokonać jednej malutkiej zmiany musielibyśmy kopiować całą istniejącą definicję niepotrzebnie, tj:
ldif z małą zmianą
dn: cn={0}core,cn=schema,cn=config
changetype: modify
replace: olcObjectClasses
olcObjectClasses: ( 2.5.6.2 NAME 'country' DESC 'RFC2256: a country' SUP to
p STRUCTURAL MUST c MAY ( searchGuide $ description ) )
olcObjectClasses: ( 2.5.6.3 NAME 'locality' DESC 'RFC2256: a locality' SUP
top STRUCTURAL MAY ( street $ seeAlso $ searchGuide $ st $ l $ description )
)
olcObjectClasses: ( 2.5.6.4 NAME 'organization' DESC 'RFC2256: an organizat
ion' SUP top STRUCTURAL MUST o MAY ( userPassword $ searchGuide $ seeAlso $ b
usinessCategory $ x121Address $ registeredAddress $ destinationIndicator $ pr
eferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier $ telephoneNu
mber $ internationaliSDNNumber $ facsimileTelephoneNumber $ street $ postOff
iceBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l $ d
escription ) )
olcObjectClasses: ( 2.5.6.5 NAME 'organizationalUnit' DESC 'RFC2256: an org
anizational unit' SUP top STRUCTURAL MUST ou MAY ( userPassword $ searchGuide
$ seeAlso $ businessCategory $ x121Address $ registeredAddress $ destination
Indicator $ preferredDeliveryMethod $ telexNumber $ teletexTerminalIdentifier
$ telephoneNumber $ internationaliSDNNumber $ facsimileTelephoneNumber $ str
eet $ postOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName
$ st $ l $ description ) )
olcObjectClasses: ( 2.5.6.6 NAME 'person' DESC 'RFC2256: a person' SUP top
STRUCTURAL MUST ( sn $ cn ) MAY ( userPassword $ telephoneNumber $ seeAlso $
description ) )
olcObjectClasses: ( 2.5.6.7 NAME 'organizationalPerson' DESC 'RFC2256: an o
rganizational person' SUP person STRUCTURAL MAY ( title $ x121Address $ regis
teredAddress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $
teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ fac
simileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAddress $
physicalDeliveryOfficeName $ ou $ st $ l ) )
olcObjectClasses: ( 2.5.6.8 NAME 'organizationalRole' DESC 'RFC2256: an org
anizational role' SUP top STRUCTURAL MUST cn MAY ( x121Address $ registeredAd
dress $ destinationIndicator $ preferredDeliveryMethod $ telexNumber $ telete
xTerminalIdentifier $ telephoneNumber $ internationaliSDNNumber $ facsimileTe
lephoneNumber $ seeAlso $ roleOccupant $ preferredDeliveryMethod $ street $ p
ostOfficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ ou $
st $ l $ description ) )
olcObjectClasses: ( 2.5.6.9 NAME 'groupOfNames' DESC 'RFC2256: a group of n
ames (DNs)' SUP top STRUCTURAL MUST ( member $ cn ) MAY ( businessCategory $
seeAlso $ owner $ ou $ o $ description ) )
olcObjectClasses: ( 2.5.6.10 NAME 'residentialPerson' DESC 'RFC2256: an res
idential person' SUP person STRUCTURAL MUST l MAY ( businessCategory $ x121Ad
dress $ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $
telexNumber $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDN
Number $ facsimileTelephoneNumber $ preferredDeliveryMethod $ street $ postOf
ficeBox $ postalCode $ postalAddress $ physicalDeliveryOfficeName $ st $ l )
)
olcObjectClasses: ( 2.5.6.11 NAME 'applicationProcess' DESC 'RFC2256: an ap
plication process' SUP top STRUCTURAL MUST cn MAY ( seeAlso $ ou $ l $ descri
ption ) )
olcObjectClasses: ( 2.5.6.12 NAME 'applicationEntity' DESC 'RFC2256: an ap
plication entity' SUP top STRUCTURAL MUST ( presentationAddress $ cn ) MAY (
supportedApplicationContext $ seeAlso $ ou $ o $ l $ description ) )
olcObjectClasses: ( 2.5.6.13 NAME 'dSA' DESC 'RFC2256: a directory system
agent (a server)' SUP applicationEntity STRUCTURAL MAY knowledgeInformation )
olcObjectClasses: ( 2.5.6.14 NAME 'device' DESC 'RFC2256: a device' SUP to
p STRUCTURAL MUST cn MAY ( serialNumber $ seeAlso $ owner $ ou $ o $ l $ desc
ription ) )
olcObjectClasses: ( 2.5.6.15 NAME 'strongAuthenticationUser' DESC 'RFC2256
: a strong authentication user' SUP top AUXILIARY MUST userCertificate )
olcObjectClasses: ( 2.5.6.16 NAME 'certificationAuthority' DESC 'RFC2256:
a certificate authority' SUP top AUXILIARY MUST ( authorityRevocationList $ c
ertificateRevocationList $ cACertificate ) MAY crossCertificatePair )
olcObjectClasses: ( 2.5.6.18 NAME 'userSecurityInformation' DESC 'RFC2256:
a user security information' SUP top AUXILIARY MAY ( supportedAlgorithms ) )
olcObjectClasses: ( 2.5.6.16.2 NAME 'certificationAuthority-V2' SUP certif
icationAuthority AUXILIARY MAY ( deltaRevocationList ) )
olcObjectClasses: ( 2.5.6.19 NAME 'cRLDistributionPoint' SUP top STRUCTURA
L MUST ( cn ) MAY ( certificateRevocationList $ authorityRevocationList $ del
taRevocationList ) )
olcObjectClasses: ( 2.5.6.20 NAME 'dmd' SUP top STRUCTURAL MUST ( dmdName
) MAY ( userPassword $ searchGuide $ seeAlso $ businessCategory $ x121Address
$ registeredAddress $ destinationIndicator $ preferredDeliveryMethod $ telex
Number $ teletexTerminalIdentifier $ telephoneNumber $ internationaliSDNNumbe
r $ facsimileTelephoneNumber $ street $ postOfficeBox $ postalCode $ postalAd
dress $ physicalDeliveryOfficeName $ st $ l $ description ) )
olcObjectClasses: ( 2.5.6.21 NAME 'pkiUser' DESC 'RFC2587: a PKI user' SUP
top AUXILIARY MAY userCertificate )
olcObjectClasses: ( 2.5.6.22 NAME 'pkiCA' DESC 'RFC2587: PKI certificate a
uthority' SUP top AUXILIARY MAY ( authorityRevocationList $ certificateRevoca
tionList $ cACertificate $ crossCertificatePair ) )
olcObjectClasses: ( 2.5.6.23 NAME 'deltaCRL' DESC 'RFC2587: PKI user' SUP
top AUXILIARY MAY deltaRevocationList )
olcObjectClasses: ( 1.3.6.1.4.1.250.3.15 NAME 'labeledURIObject' DESC 'RFC
2079: object that contains the URI attribute type' MAY ( labeledURI ) SUP top
AUXILIARY )
olcObjectClasses: ( 0.9.2342.19200300.100.4.19 NAME 'simpleSecurityObject'
DESC 'RFC1274: simple security object' SUP top AUXILIARY MUST userPassword )
olcObjectClasses: ( 1.3.6.1.4.1.1466.344 NAME 'dcObject' DESC 'RFC2247: do
main component object' SUP top AUXILIARY MUST dc )
olcObjectClasses: ( 1.3.6.1.1.3.1 NAME 'uidObject' DESC 'RFC2377: uid obje
ct' SUP top AUXILIARY MUST uid )
olcObjectClasses: ( 2.5.6.17 NAME 'groupOfUniqueNames' DESC 'RFC2256: a gr
oup of unique names (DN and Unique Identifier)' SUP top STRUCTURAL MUST ( uni
queMember $ cn ) MAY ( businessCategory $ seeAlso $ owner $ ou $ o $ descript
ion ) )Kto znajdzie zmianę ten mistrz. Spoiler
Zmiana jest na końcu
Nieeeeee tak być nie może, kto wymyślił takie narzędzie!!!!1111oneone
Normalnie to nie jest problem, bo zalecane podejście w takim przypadku wygląda następująco:
- Zlokalizuj interesującą do zmiany wartość przy pomocy
ldapsearch - Podaj jej dokładną wartość przy usuwaniu (usunie tylko ten jeden wpis)
- Dodaj nowy wpis ze zmienioną wartością.
Możliwe rozwiązanie.
Mając takie kroki jak wyżej moglibyśmy redefiniować implementację konfiguracji ldapa, która jest aktualnie. Jednak wiąże się z to z pewnymi trudnościami.
Ucieczka znaków specjalnych w filtrach ldapsearch
Aby zrealizować punkt pierwszy należy najpierw zlokalizować interesujący nas wpis (co by zapewniło później idempotentność). Niestety te wpisy jak i inne potencjalne zawierać mogą znaki specjalne, które trzeba "escapeować" podając je w filtrach. Tutaj akurat są to znaki nawiasu (()). Dlaczego tak jest? Otóż filtry narzędzia ldapsearch grupuje się za pomocą właśnie nawiasów. To jest tylko jeden przypadek, wszystkie znaki które trzeba byłoby obsłużyć można znaleźc w rfc4515.
Dalej to już z górki, bo usuwanie i dodawanie jest teoretycznie obsłużone.
Podsumowanie
Mamy dwie możliwości, które niosą za sobą plusy i minusy:
Opcja 1 - zostawienie jak jest
-
➕ brak dodatkowej roboty :) -
➖ kopiowanie niepotrzebnych linii
Opcja 2 - implementacja zalecanego podejścia
-
➕ zwięzłe definicje modyfikacji -
➕ idempotentność na poziomie ansibla -
➖ obsługa ucieczki wielu znaków specjalnych -
➖ skomplikowanie implementacji
Co robić? Jak żyć?