Common Problems in OpenLDAP

Incorrect PIDs in Entitlements

A common problem in NEO-LDAP occurs when a user changes their PID in ED-LDAP but the entitlements in NEO-LDAP are not updated with the new PID. To resolve it, three things matter:

  1. The PID is stored in the uupid attribute in ED-LDAP, but in the uid attribute in NEO-LDAP.
  2. An entitlement entry under ou=Entitlements,ou=NIS,o=vt is granted to a user entry under ou=People,ou=NIS,o=vt by two attributes on the entitlement entry: entitled holds the dn of the user entry, AND entitledUID holds the user's PID (the uupid from ED-LDAP).
  3. The uid attribute of the ou=People,ou=NIS,o=vt entry is what the user authenticates to the network with, so both it and the entitledUID of every entitlement pointing at the entry must carry the current PID.

Let's consider an example to see how we might resolve this kind of problem.

Example Problem:

  1. Hokie Bird uses Account Manager to change his PID from hbird to hokieb.
  2. The network account web service encounters an error and therefore:
    1. Fails to update the entitledUID attribute of nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
    2. Fails to update the uid attribute of nuid=7777777,ou=People,ou=NIS,o=vt
    3. In rare cases, does only one of the above

Now the ED-LDAP entry looks like this:

dn: uid=11111111,ou=People,dc=vt,dc=edu
givenName: Hokie
sn: Bird
uid: 11111111
uidNumber: 11111111
virginiaTechID: 999999999
uupid: hokieb
mail: hokieb@vt.edu
mailPreferredAddress: hokieb@vt.edu
...

and the NEO-LDAP entries might look like this:

dn: nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
nuid: 1010101010
entitled: nuid=7777777,ou=People,ou=NIS,o=vt
entitledUID: hbird
entitlement: cns.service.network.wireless
objectClass: nisEntitlement

and this:

dn: nuid=7777777,ou=People,ou=NIS,o=vt
nuid: 7777777
objectClass: nisUserAccount
objectClass: inetOrgPerson
prohibited: FALSE
userPassword:: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
uid: hbird
sn: Bird
cn: Hokie Bird

or in rare situations like this:

dn: nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
nuid: 1010101010
entitled: nuid=7777777,ou=People,ou=NIS,o=vt
entitledUID: hbird
entitlement: cns.service.network.wireless
objectClass: nisEntitlement

and this:

dn: nuid=7777777,ou=People,ou=NIS,o=vt
nuid: 7777777
objectClass: nisUserAccount
objectClass: inetOrgPerson
prohibited: FALSE
userPassword:: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
uid: hokieb
sn: Bird
cn: Hokie Bird

There may also be corresponding cns.service.network.vpn entitlement entries in the two cases above; these have their own distinct nuid attributes, so each needs its own modify record. In either case we can restore the intended entitlements with the ldapmodify command. Network administrators can define and use a mgrldapmodify alias in place of the ldapmodify shown below.

First case (uid and entitledUID both stale):

ldapmodify << EOF
# the login name on the People entry
dn: nuid=7777777,ou=People,ou=NIS,o=vt
changetype: modify
replace: uid
uid: hokieb

# the PID recorded on the entitlement granted to that entry
dn: nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
changetype: modify
replace: entitledUID
entitledUID: hokieb
EOF

Second (rare) case (uid already updated, only entitledUID stale):

ldapmodify << EOF
dn: nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
changetype: modify
replace: entitledUID
entitledUID: hokieb
EOF
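As an added worked example (not code from this page or from the NEO-LDAP or ED-LDAP services), the following Python script carries out the reasoning above mechanically for both cases: it reads LDIF text such as ldapsearch -LLL prints for the ED-LDAP entry and for the NEO-LDAP People and Entitlements entries, takes the uupid from ED-LDAP as authoritative, and emits ldapmodify records only for the attributes that are actually stale, on the People entry and on every entitlement (wireless, vpn, ...) granted to it. It also refuses to proceed if another People entry already holds the new uid, since replace: uid decides who can log in under that name. The sample LDIF is constructed from the page's entries; the vpn entitlement nuid 2020202020, the unrelated entitlement nuid 3030303030 with its owner nuid 8888888 and PID someoneelse are made up.

```python
"""Plan the ldapmodify changes that bring NEO-LDAP back in line with a changed PID.
Added example for this page, not a tool of NEO-LDAP or ED-LDAP. It works on LDIF text as
printed by `ldapsearch -LLL`, so it runs offline on the constructed sample below."""
import base64

def parse_ldif(text):
    """LDIF -> list of dicts (lowercased attribute name -> list of values). Handles
    folded lines (leading space) and base64 values written as 'attr:: ...'."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded continuation line
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:                  # trailing "" flushes the last record
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
        elif not line.startswith("#"):
            name, _, rest = line.partition(":")
            if rest.startswith(":"):           # base64-encoded value
                value = base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
            else:
                value = rest.strip()
            current.setdefault(name.strip().lower(), []).append(value)
    return entries

def has_class(entry, objectclass):
    return objectclass.lower() in (c.lower() for c in entry.get("objectclass", []))

def plan_pid_repair(entries, nuid, uupid):
    """Return (dn, attribute, new value) replacements so that the People entry with this
    nuid and every entitlement granted to it carry uupid. Covers both cases on the page:
    uid and entitledUID both stale, or only entitledUID stale."""
    people = [e for e in entries if has_class(e, "nisUserAccount")]
    targets = [e for e in people if e.get("nuid") == [nuid]]
    if len(targets) != 1:
        raise ValueError(f"expected one People entry with nuid={nuid}, found {len(targets)}")
    target, target_dn = targets[0], targets[0]["dn"][0]
    # Refuse to hand out a login name that another account already authenticates with.
    clash = [e["dn"][0] for e in people if e is not target and uupid in e.get("uid", [])]
    if clash:
        raise ValueError(f"uid {uupid} is already held by {clash}")
    changes = []
    if target.get("uid") != [uupid]:
        changes.append((target_dn, "uid", uupid))
    for ent in entries:
        if not has_class(ent, "nisEntitlement"):
            continue
        if ent.get("entitled", [""])[0].lower() != target_dn.lower():  # case-insensitive DN match
            continue                           # granted to someone else; leave it alone
        if ent.get("entitleduid") != [uupid]:
            changes.append((ent["dn"][0], "entitledUID", uupid))
    return changes

def to_modify_ldif(changes):
    """Render the replacements as LDIF change records for ldapmodify / mgrldapmodify."""
    return "\n".join(f"dn: {dn}\nchangetype: modify\nreplace: {attr}\n{attr}: {value}\n-\n"
                     for dn, attr, value in changes)

# Constructed sample modelled on the page's entries after Hokie Bird's PID change. The vpn
# entitlement (nuid 2020202020) and the other user's entitlement (nuid 3030303030) are
# made up to show that already-correct and unrelated entries are left untouched.
ED_LDIF = """\
dn: uid=11111111,ou=People,dc=vt,dc=edu
uupid: hokieb
"""
NEO_LDIF = """\
dn: nuid=7777777,ou=People,ou=NIS,o=vt
nuid: 7777777
objectClass: nisUserAccount
userPassword:: eeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeeee
uid: hbird

dn: nuid=1010101010,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=7777777,ou=People,ou=NIS,o=vt
entitledUID: hbird
entitlement: cns.service.network.wireless
objectClass: nisEntitlement

dn: nuid=2020202020,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=7777777,ou=People,ou=NIS,o=vt
entitledUID: hokieb
entitlement: cns.service.network.vpn
objectClass: nisEntitlement

dn: nuid=3030303030,ou=Entitlements,ou=NIS,o=vt
entitled: nuid=8888888,ou=People,ou=NIS,o=vt
entitledUID: someoneelse
entitlement: cns.service.network.wireless
objectClass: nisEntitlement
"""

if __name__ == "__main__":
    uupid = parse_ldif(ED_LDIF)[0]["uupid"][0]        # ED-LDAP is authoritative for the PID
    changes = plan_pid_repair(parse_ldif(NEO_LDIF), "7777777", uupid)
    print(to_modify_ldif(changes), end="")
```

On the sample it prints exactly the two modify records of the first case (uid on the People entry, entitledUID on the wireless entitlement) and leaves the vpn entitlement, which the web service did update, and the other user's entitlement alone. Review the printed LDIF before piping it into mgrldapmodify: the nuid lookup and the uid clash check are safeguards of this script, not something the page says the directory enforces for you.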