Directory (LDAP)

1. DN vs. RDN

DN is globally unique.
RDN: unique under the same parent. The RDN is typically a unique identifier attribute (id or uid) of an entry. DN = RDN + path to parent.
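As an added example (not part of the original notes), the DN/RDN relationship above in code: a small RFC 4514 DN splitter that yields the RDN and the parent DN, plus a per-RDN "is this entry under that base" check of the kind an ACI subject like ldap:///uid=*,o=myo relies on. All DNs in it are constructed samples.

```python
# Added example (not from the original post): split an LDAP DN into its RDNs
# following RFC 4514 escaping rules, then derive the RDN, the parent DN and an
# "is this entry under that base" check. All DNs used here are constructed.

def split_dn(dn):
    """Split a DN into its RDN strings, left to right.

    A backslash escapes the next character (e.g. "\\," inside a value) and is
    not an RDN separator; '+' joins multi-valued RDNs and stays inside the RDN.
    """
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur.append(dn[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return [r for r in rdns if r]

def rdn_of(dn):
    """Leftmost component: unique only among siblings under the same parent."""
    return split_dn(dn)[0]

def parent_of(dn):
    """Everything after the RDN, so that DN = RDN + parent DN."""
    return ",".join(split_dn(dn)[1:])

def _norm(rdn):
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip().lower()

def is_under(dn, base_dn):
    """True if dn is base_dn itself or lies below it in the tree.

    Compared RDN by RDN and case-insensitively, so "O=MyO" matches "o=myo",
    while a naive string-suffix test would wrongly accept "ou=x,xo=myo".
    """
    d = [_norm(r) for r in split_dn(dn)]
    b = [_norm(r) for r in split_dn(base_dn)]
    return len(d) >= len(b) and d[len(d) - len(b):] == b
```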

2. LDAP errorcode=10
I had a connection to a read replica, and trying to update an attribute in LDAP resulted in this error.


3. Starter query

ldapsearch -x -h <host> -D '<UserDN>' -w password -b '<BaseDN>' '(&(uid=91203074))' uid cn

4. At times, when you execute a query that may produce a large result set and nsslapd-sizelimit is set to a smaller value, it won't return any results. This limit is set in /etc/dirsrv/slapd-{ServerName}/dse.ldif.

5. To find the number of entries under a DN

ldapsearch -u -D "cn=Directory Manager" -h ldapserver -p 389 -b "ou=myou,c=myc,o=myo" -w password  -s base "(objectclass=*)" numsubordinates


6. To add an ACI

./ldapmodify -h localhost -p 1389 -D "cn=Directory Manager" -w password --filename ~/aci.ldif

aci.ldif
----------
dn: c=myc,o=myo
changetype: modify
add: aci
aci: (targetattr="*")(version 3.0; acl "give all users full rights"; allow(all) userdn =  "ldap:///uid=*,o=myo";)
-------------------

7. To run an LDIF file

ldapmodify -h localhost -p 389 -D "cn=Directory Manager" -w password --filename ~/ua.ldif

7.1 LDIF file to replace an attribute value

newvalue.ldif
---------------------
dn: spsid=myid,o=myo
changetype: modify
replace: attrname
attrname: 2
--------------------
At times there are minor differences in the syntax depending on the directory implementation.


8. Nice articles on OpenDJ

https://idmdude.com/2014/01/01/opendj-indexes-explained/
https://onemoretech.wordpress.com/2012/03/29/opendj-cheat-sheet/

8. How to see the replication status

dsreplication status -h localhost -p 4444 -I admin -w password -X -n

9. To reinitialize a DB on one node from another node

dsreplication initialize --baseDN "ou=example,o=com" --adminUID admin --adminPassword password --hostSource <sourceHostIP> --portSource 4444 --hostDestination <destHostIP> --portDestination 4444 --trustAll

10. To check the status of indexes

/opt/opendj/bin/dsconfig list-local-db-indexes -h localhost -p 4444 -D "cn=directory manager" -w password -X -n --backend-name <backendname>

11. To check global settings (OpenDJ)

dsconfig get-global-configuration-prop -h localhost -p 4444 -w  password -X -n

12. To rebuild an index while OpenDJ is online

./rebuild-index -p 4444 -X -w password -b <baseDN> -i iplanet-am-user-federation-info-key -i sun-fm-saml2-nameid-infokey -i memberof

To do the same when DJ is offline, just remove the port and password.

13. In OpenDJ, the following query results in an unindexed search if there is no ordering index on modifyTimestamp.

ldapsearch -h localhost -p 1389 -D "bindDN" -w password -b "baseDN"  "(&(&(modifyTimestamp>=20160808050000Z)(modifyTimestamp<=20160815050000Z))(objectClass=user))"

14. To get the count of entries under an OU (at least works on OpenDJ).

ldapsearch -h localhost -p 1389 -D "bindDN" -w password -b "baseDN" -s base '(objectclass=*)' numsubordinates

15. If an attribute has multiple types of indexes and you want to remove one type of index:

dsconfig set-local-db-index-prop --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backendName> --index-name <attributeName> --remove index-type:ordering --trustAll

To see which index properties can be set, use this command:

dsconfig get-local-db-index-prop --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backendName> --index-name <attributeName> --trustAll

16. To get global properties on OpenDJ

dsconfig get-global-configuration-prop -p 4444 -X -n -h localhost -D "cn=Directory Manager" -w password

17. To get individual user limits, query the operational attributes (ds-rlim-size-limit, ds-rlim-time-limit) on the individual user entry.

18. To verify that an index is good

verify-index -b "baseDN"

19. To rebuild all degraded indexes

rebuild-index --rebuildDegraded -h localhost -p 4444  -D "cn=Directory Manager" -w password -b "baseDN"  -X

20. To drop a particular index

dsconfig delete-local-db-index --port 4444 --hostname localhost --bindDN 'cn=Directory Manager' -w password --backend-name <backend>   --index-name   <indexname>  -X -n

21. To get backend properties

./dsconfig -p 4444 -h localhost -D "cn=Directory Manager" -w password get-backend-prop --backend-name <backend> -X

22. How to create a user with the privilege to do unindexed searches

dn: uid=testuser,ou=example,o=com
changetype: add
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: top
uid: testuser
cn: Test
sn: User
givenName: Test
userPassword: password

dn: o=com
changetype: modify
add: aci
aci: (target="ldap:///o=com")
 (version 3.0; acl "Allow reporting permissions";
 allow(search, read) userdn="ldap:///uid=testuser,ou=example,o=com";)

dn: uid=testuser,ou=example,o=com
changetype: modify
add: ds-privilege-name
ds-privilege-name: unindexed-search

