openldap-software January 2007

openldap-software@openldap.org

98 participants
123 discussions

Simulating search filter
by Don Hoover 31 Jan '07

31 Jan '07

Ok. Here is an interesting problem. We have purchased one of those remote serial console access devices, and it "supports" ldap. On our servers we use search filters to control who has access to which of our servers... such as sub?|(gid=55) etc. BUT, this little thing only supports proving a "base" and not any filters. If it just has our base then everyone in our LDAP has access to this device and want to limit it to just the sysadmin group. Is there a way to create a virtual view of our existing LDAP directory with a different base but behind the scenes is a filtered view of our full LDAP directory. I thought I remember seeing something like this was available. Either as a backend option or something like that. Any ideas?

2 1

checking syncrepl consistency
by Andreas Hasenack 31 Jan '07

31 Jan '07

Hi all, I want to be able to check for the syncrepl consistency between a provider and a consumer with this database layout: provider (OL 2.3.30) consumer (OL 2.3.32) + dc=example,dc=com + dc=example,dc=com / \ / \ ... + ou=global -------> ou=global + ... / \ (syncrepl) / \ ... ... ... ... That is, only the ou=global branch is replicated to the other server, which then has two databases (one for dc=example,dc=com and another one for ou=global). This works. Now I want to be able to check if the ou=global databases are in sync with each other. There are some scripts floating around that check the contextCSN attribute, so I started with that. But it doesn't work in this scenario. The problem is when a change is done to somewhere other than ou=global on the provider. The contextCSN at dc=example,dc=com on the provider is updated, but there is no need to replicate anything because the change was not under ou=global. This means that contextCSN at the provider will be different from the contextCSN on the consumer, even though the databases are in sync. Is there another (quick, scriptable) way to make this check? I will try updated versions (2.3.33) on both sides shortly. I also noticed that once the consumer is restarted, its contextCSN assumes the same value that the one of the provider, even though there was no change to the ou=global branch.

1 0

Ppolicy overlay password checking module
by Metcalf, Roger 30 Jan '07

30 Jan '07

Hi John, I didn't find a response to your query (pasted below). I'm about to try cooking up something similar. Did you ever get help or find the magic combination of ingredients to get pwdCheckModule working? If so, please share the recipe! Thanks, Roger Metcalf # # # # # Hi all, I don't know if this is the right list, but i'm hoping the author of the overlay or somebody equally knowledgeable is on this list and will be able to help me. I'm attempting to use the password policy overlay with a custom password strength checker. The docs say the following on the subject: "pwdCheckModule This attribute names a user-defined loadable module that must instantiate the check_password() function. This function will be called to further check a new password if pwdCheckQuality is set to one (1) or two (2), after all of the built-in password compliance checks have been passed. This function will be called according to this function prototype: int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); ... Note: The user-defined loadable module named by pwdCheckModule must be in slapd's standard executable search PATH. Note: pwdCheckModule is a non-standard extension to the LDAP password policy proposal Now, i'm a little unclear on how exactly to compile such a module or where to place it so as to load it. "standard executable search PATH" seems to imply it should go where binaries go (for example /usr/local/bin) but i'm wondering if maybe it's the modulepath in the slapd.conf. I've tried both so i'm assuming i'm not compiling it up correctly The following is my simple program using cracklib (untested but i believe should work). The file is called ldap_cracklib.c #include <portable.h> #include <slap.h> #include <packer.h> int check_password (char *pPasswd, char **ppErrStr, Entry *pEntry); int check_password( char *pPasswd, char **ppErrStr, Entry *pentry) { char *ret; ret = (char *) FascistCheck( pPasswd, '/usr/local/libdata/cracklib/pw_dict' ); if (ret == NULL) { return 0; } *ppErrStr = ret; return 1; } I've compiled it to an object file with gcc -c (and a whole bunch of other arguments for includes, etc) and also to a library using libtool (i took the makefile for smbk5pwd and modified it). I've then tried modifying the pwdCheckModule to ldap_cracklib.o and ldap_cracklib.so respectively (after copying the relevant files to both /usr/local/bin and our module path, /usr/local/libexec/openldap). I'm using the following command to try and change my password: ldappasswd -x -W -A -H ldaps://ldapservername.fully.qualified.domain -D "uid=allmanj,ou=people,dc=fully,dc=qualified,dc=domain" It prompts me for my old password twice, once for my new and then says: ldap_bind: Invalid credentials (49) I can confirm that my (old) password is correct by using ldapwhoami. So should i be making a library? Should i be making a basic compiled object? Should i be making something else? Please bear in mind that i'm an administrator not a programmer so i am a little ignorant. I've tried boosting the ldap log level and looking for errors but i dont see anything. Any help would be greatly appreciated. Thanks, John

3 3

gss_wrap/gss_unwrap sasl buffers?
by Michael B Allen 29 Jan '07

29 Jan '07

Hi, I need to gss_wrap/gss_unwrap all requests and responses into SASL buffers. Is there an existing method for doing that? Otherwise, I suppose the best techniqure would be to allow the user to register an "inspect" callback that will be called with the data buffer just read from or wrtten to the network. I'm starting to look at the code now but if someone could give me a hint I would appreciate it. Mike

3 8

pcache + LDAP_NO_ATTRS
by Mike Malsman 28 Jan '07

28 Jan '07

I am using OpenLDAP 2.3.33. I run a slapd service using the pcache overlay, which in turn queries another instance of slapd by means of 'database ldap'. It seems to work nicely for my simple use. I can verify that query results are cached if the requested attribute matches that of the "proxyattrset" directive. However, I have a software which specifies LDAP_NO_ATTRS to the attributes parameter of ldap_search_st(), as the software is interested only in the presence of results, not their content. Is it possible to instruct the pcache overlay, via "proxyattrset" or any combination of other directives, to cache the results of such queries? I have unsuccessfully attempted to define "proxyattrset 0", simply omitting the attribute set. slapd starts fine, but does not seem to cache my queries. It is unclear to me how slapd interprets this configuration. I've failed to find any relevant information in the list archives or google. Am I asking the wrong question? Is this simply an unnatural use of the pcache overlay? Ciao, -Mike

2 1

invalidAttributeSyntax error when an empty string is added
by Kazu Nisimura 28 Jan '07

28 Jan '07

Hi, When I tried to add an empty string to the IA5 String attribute, slapd returned invalidAttributeSyntax(21) error. Is this a correct behavior? from RFC4517: === 3.3.6. Directory String A value of the Directory String syntax is a string of one or more arbitrary characters from the Universal Character Set (UCS) [UCS]... [...] 3.3.15. IA5 String A value of the IA5 String syntax is a string of zero, one, or more characters from International Alphabet 5 (IA5) [T.50], ... === It seems that zero-length IA5 String is allowed, while Directory String have to be one or more characters. (However, I don't understand why zero-length Directory String is not allowed. It is very frustrated.) I'm using OpenLDAP 2.3.27. Regards, -- Kazu Nisimura

2 1

slapd-relay
by Douglas B. Jones 26 Jan '07

26 Jan '07

I am on 2.3.33 and I am trying to fix it so that people with an old base of o=gpc,c=us will automatically be given the results from the base dc=employee,dc=gpc,dc=edu. From the slapd-relay doc., I first tried: database relay suffix "o=gpc,c=us" relay "dc=employee,dc=gpc,dc=edu" and tried a lookup with the command: ldapsearch -b o=gpc,c=us uid=someone cn and I get: result: 53 Server is unwilling to perform If I change the config. file to: database relay suffix "o=gpc,c=us" overlay rwm suffixmessage "dc=employee,dc=gpc,dc=edu" and try the same command, the slapd process disappears and no core file is found (I did a find on the whole system for anything with '*core*' in it. The output to the terminal is: ldap_result: Can't contact LDAP server (-1) and the logs have: Jan 26 09:38:37 mldap slapd[19110]: conn=0 op=1 SRCH base="o=gpc,c=us" scope=2 d eref=0 filter="(uid=someone)" Jan 26 09:38:37 mldap slapd[19110]: conn=0 op=1 SRCH attr=cn When I start slapd back up, it says in the logs: Jan 26 09:42:55 mldap slapd[19149]: bdb_db_open: unclean shutdown detected; atte mpting recovery. and works fine otherwise. I can stop and restart and the warning does not appear again - as expected (unless of course I do the same experiment again). I am sort of new to the linux (RHEL4) environment, so I am not really sure where I should go from here. On tru64, I can attach to a process, slapd in this case, I am not sure how to do that in linux. The two examples I used above came from the slapd-relay man page, as far as I can tell, with just what they had. Thanks for any help!

3 5

the best and the shortest way ?
by Julien Oix 26 Jan '07

26 Jan '07

Hi everyone, I'm stopped with technical stuff tryin' to deploy a specific backend meta. (see here : http://www.openldap.org/lists/openldap-software/200701/msg00190.html and here : http://www.openldap.org/lists/openldap-software/200701/msg00272.html ) So iI will try to explain what I want, and maybe what I'm tryin' to do is not the best way :) The background : 1) there is a general openldap directory existing D1, on which I just have a system account to read its data --> no anonymous bind permitted to access the data, I need to call ldapsearch this way to retrieve any results : ldapsearch -x -D "cn=toto,ou=system,dc=univ-paris7,dc=fr" -w xxxx -H ldaps://ldap.univ-paris.fr -b "ou=people,dc=univ-paris7,dc=fr" cn mail -LLL 2) the fact is that I need authentication datas on people who are not in that directory D1, so I have to build my own ldap directory D2; and I don't want any data redundancy between D1 and D2 --> D1 (union) D2 = empty set 3) to have an unique way to get authentication in Apache for example, in order that people from D1 AND D2 can access, I've been thinkin' that the best solution was to deploy a openldap meta backend D3 that would transmit the authentication requests both to D1 and D2. --> D1 and D2 are D3's targets. Is this the simplest way ? are there any solutions to implement that ? The technical stuff See the previous posts to see what stops me. Directory with anonymous binds don't have any problems to be targeted, but as soon as authentication is needed, access is refused whenever I give a dn to authenticate ... Thanks, -- Julien Oix UFR d'Informatique - Université Paris Diderot Bureau 5C01 (5ème étage) 175 rue du Chevaleret 75013 PARIS Tel : +33 (0) 144 278 504 Mobile : +33 (0) 664 392 207 --------------------------------------------- http://www.gnu.org/philosophy/no-word-attachments.html

2 1

sessionlog vs syncprov_sessionlog / missing delete phase
by Daniel Eckstein 26 Jan '07

26 Jan '07

Dear listmember, I have a openldap setup consisting of 1 master (read/write) and 4 replica, with around 370.000 entries, ~200 reads/s at the replica and ~5 modifications/s on master. Replication is just working fine in terms of adding, modify entries, but not, when it comes to deletion of entries. If I delete an entry at the master, the deletion seems not to be synchronised to the replica. All the replica do have the very same count of objects, but they differ to the masters object count (master have less, because deletions work there...) What I have found so far is that I only have syncprov_sessionlog configured and the manual page is talking about sessionlog too. Which directive should I use on the syncprov master? Is there a problem with the delete phase? What else could I check? Thanks alot in advance! Best regards, Daniel

3 3

base_64 encoding
by Thierry Lacoste 26 Jan '07

26 Jan '07

According to Faq-O-Matic: The command slappasswd -h {SHA} -s abcd123 will generate {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E= so, in your entry, an attribute like this could be specified: userPassword: {SHA}fDYHuOYbzxlE6ehQOmYPIfS28/E= but when you do a slapcat or ldapsearch and the output is in LDIF format, the userpassword will be base_64 encoded, and it will look like this: userPassword:: e1NIQX1mRFlIdU9ZYnp4bEU2ZWhRT21ZUElmUzI4L0U9 Just out of curiosity why is it further encoded as everything in the userPassword is already base_64 encoded except the string {SHA}? I thought it may be because of the brackets but putting brackets in another attribute (e.g. mail) doesn't trigger an encoding. Regards, Thierry.

3 2

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software January 2007