dynlist overlay and ldapsearch
by ben thielsen
hi-
i'm using the dynlist overlay and am not getting back the search results i expected. i'm using 2.4.11 courtesy of debian.
here is my overlay config:
>ldapsearch -xWLLLD 'cn=admin,cn=config' -b 'cn=config' "(objectclass=olcdynamiclist)"
dn: olcOverlay={5}dynlist,olcDatabase={2}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcDynamicList
olcOverlay: {5}dynlist
olcDLattrSet: {0}groupOfNames memberURL member
olcDLattrSet: {1}mailGroup labeledURI
here is the entry in question:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' -s base -b 'cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
labeledURI: ldap:///ou=domains,ou=mail,dc=groundnoise,dc=net?host?sub?(objectClass=mailDomain)
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
searched for another way:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))' host
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
host: phone.dipswitch.net
host: luna.mpls.mn.us
host: groundnoise.net
host: thielsen.org
host: sjva1991.org
host: dipswitch.net
host: bitrate.net
however, the results from this search are missing that entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=dipswitch.net)' dn
dn: host=dipswitch.net,ou=domains,ou=mail,dc=groundnoise,dc=net
or another search:
ldapsearch -xvWD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(host=*))' host
ldap_initialize( <DEFAULT> )
Enter LDAP Password:
filter: (&(objectclass=mailgroup)(host=*))
requesting: host
# extended LDIF
#
# LDAPv3
# base <dc=groundnoise, dc=net> (default) with scope subtree
# filter: (&(objectclass=mailgroup)(host=*))
# requesting: host
#
# search result
search: 2
result: 0 Success
# numResponses: 1
if i remove the labeledURI attribute and populate with static entries, things appear to work as expected:
here's the entry:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(&(objectclass=mailgroup)(cn=abuse))'
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
objectClass: mailGroup
objectClass: top
objectClass: extensibleObject
cn: abuse
member: cn=postmaster,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
host: foo
host: bar
host: com
host: net
host: org
and a search:
>ldapsearch -xWLLLD 'cn=admin,dc=groundnoise,dc=net' '(host=foo)' dn
dn: cn=abuse,ou=distribution_groups,ou=all_domains,ou=domains,ou=mail,dc=groundnoise,dc=net
what am i doing wrong?
thanks
-ben
13 years, 10 months
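The behaviour the post shows (dynamic host values present when the group entry is returned, absent when a filter asks for them) can be modelled in a few dozen lines. The following is an added example, not code from the post or from OpenLDAP: it parses the labeledURI as slapo-dynlist would for an olcDLattrSet of the form "mailGroup labeledURI", evaluates the URL's filter against a constructed stand-in directory that reuses the post's naming, and copies the requested attributes into the group entry at read time only. The search function applies the filter to stored attributes and expands the hits afterwards, so a filter on the dynamic attribute never matches. The filter and URL parsers are small RFC 4515/4516 subsets written for this example.

```python
"""Model of slapo-dynlist attribute expansion for "mailGroup labeledURI".

Added example, not from the post or OpenLDAP.  DIT below is constructed.
"""
from urllib.parse import unquote

# From the post's config line "olcDLattrSet: {1}mailGroup labeledURI"
DYNLIST_ATTRSET = {"mailgroup": "labeleduri"}


def parse_ldap_url(url):
    """ldap://[host]/<base>?<attrs>?<scope>?<filter> -> dict (RFC 4516 subset)."""
    scheme, sep, rest = url.partition("://")
    if not sep or scheme.lower() not in ("ldap", "ldaps", "ldapi"):
        raise ValueError("not an LDAP URL: %r" % url)
    _host, _, path = rest.partition("/")
    base, attrs, scope, filt = (unquote(p) for p in (path.split("?") + [""] * 4)[:4])
    return {"base": base.lower(),
            "attrs": [a.lower() for a in attrs.split(",") if a],
            "scope": (scope or "base").lower(),
            "filter": filt or "(objectClass=*)"}


def in_scope(dn, base, scope):
    dn = dn.lower()
    if scope == "base":
        return dn == base
    if dn == base:
        return scope == "sub"
    if not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1]
    return scope == "sub" or ("," not in rdns_below and scope in ("one", "onelevel"))


def parse_filter(text):
    """RFC 4515 subset: (attr=value), (attr=*), (&...), (|...), (!...)."""
    text = text.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("bad filter: %r" % text)
    body = text[1:-1]
    if body[:1] in ("&", "|", "!"):
        children, depth, start = [], 0, 0
        for i, ch in enumerate(body):
            if ch == "(":
                if depth == 0:
                    start = i
                depth += 1
            elif ch == ")":
                depth -= 1
                if depth == 0:
                    children.append(parse_filter(body[start:i + 1]))
        return (body[0], children)
    attr, sep, value = body.partition("=")
    if not sep:
        raise ValueError("bad filter item: %r" % body)
    return ("=", attr.lower(), value)


def matches(entry, node):
    """Evaluate a parsed filter against *stored* attribute values only."""
    op = node[0]
    if op == "&":
        return all(matches(entry, c) for c in node[1])
    if op == "|":
        return any(matches(entry, c) for c in node[1])
    if op == "!":
        return not matches(entry, node[1][0])
    _, attr, value = node
    stored = [v.lower() for v in entry.get(attr, [])]
    return bool(stored) if value == "*" else value.lower() in stored


def expand(entry, dit):
    """Copy of entry with dynlist attributes filled in; happens at read time only."""
    out = {k: list(v) for k, v in entry.items()}
    classes = [oc.lower() for oc in entry.get("objectclass", [])]
    for oc, uri_attr in DYNLIST_ATTRSET.items():
        if oc not in classes:
            continue
        for url in entry.get(uri_attr, []):
            u = parse_ldap_url(url)
            node = parse_filter(u["filter"])
            for dn, target in dit.items():
                if in_scope(dn, u["base"], u["scope"]) and matches(target, node):
                    for attr in u["attrs"]:
                        bucket = out.setdefault(attr, [])
                        for v in target.get(attr, []):
                            if v not in bucket:
                                bucket.append(v)
    return out


def search(dit, filter_text):
    """Filter sees stored attributes; the hits are expanded afterwards."""
    node = parse_filter(filter_text)
    return {dn: expand(e, dit) for dn, e in dit.items() if matches(e, node)}


BASE = "ou=domains,ou=mail,dc=groundnoise,dc=net"
GROUP_DN = "cn=abuse,ou=distribution_groups,ou=all_domains," + BASE
DIT = {  # constructed stand-in; attribute names stored lowercase
    "host=dipswitch.net," + BASE: {"objectclass": ["mailDomain"], "host": ["dipswitch.net"]},
    "host=bitrate.net," + BASE: {"objectclass": ["mailDomain"], "host": ["bitrate.net"]},
    GROUP_DN: {
        "objectclass": ["mailGroup", "top", "extensibleObject"],
        "cn": ["abuse"],
        "labeleduri": ["ldap:///" + BASE + "?host?sub?(objectClass=mailDomain)"],
    },
}

if __name__ == "__main__":
    print(search(DIT, "(&(objectClass=mailGroup)(cn=abuse))")[GROUP_DN]["host"])
    print(search(DIT, "(&(objectClass=mailGroup)(host=*))"))  # {} : not filterable
```

The second search returns nothing for the same reason the post's "(host=*)" search did: the overlay populates attributes in the response, and nothing it generates is stored or indexed where the filter is evaluated. Static host values, as in the post's second configuration, are ordinary stored attributes and do match.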
Re: solaris compile options
by Brett @Google
i am using CFLAGS="-fast -xtarget=ultraT1 -xarch=sparcvis2 -xcode=pic32 -g
-xs -O"
one set of solaris docs i read implied that -xarch=sparcvis2 was equivalent
to -xarch=v9 (which used to trigger 64 bit), but looking at the sun studio
12 compiler options, the more specific versions of -xarch (ie. other than
-xarch=v9 or v9a or v9b) may no longer imply that the 64 bit memory model
should be used. so maybe i need to add a -m64 to the above ?
(compiling on a Sun T2000, with a homogeneous build / execute environment, so
favouring speed over cpu compatibility is ok)
On Thu, Mar 12, 2009 at 1:31 AM, Aaron Richton <richton(a)nbcs.rutgers.edu>wrote:
> On Wed, 11 Mar 2009, Brett @Google wrote:
>
>> /data/openldap/backups/ldap_090302.ldif: Value too large for defined data type
>>
>
> man lfcompile, and/or switch to 64-bit binaries?
>
13 years, 10 months
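"Value too large for defined data type" is EOVERFLOW, which a 32-bit process without large-file support gets when a file offset or size no longer fits in its 32-bit off_t. Whether a given set of -xarch flags actually produced a 64-bit binary can be read off the ELF header (file(1) does the same). The following is an added example, not from the thread: it decodes the ELF identification bytes and e_machine, honouring the byte order the header declares, so a SPARC build can be told apart from a SPARCV9 one. The sample headers are constructed byte strings, not real binaries.

```python
"""Report ELF class (32/64-bit), byte order and target machine of a binary.

Added example, not from the thread.  Offsets follow the ELF specification:
e_ident[EI_CLASS] at 4, e_ident[EI_DATA] at 5, e_type at 16, e_machine at 18.
"""
import struct

ELF_MAGIC = b"\x7fELF"
EM_NAMES = {2: "SPARC", 3: "i386", 18: "SPARC32PLUS", 43: "SPARCV9",
            62: "x86-64", 183: "AArch64"}


def describe_elf(header):
    """header: at least the first 20 bytes of the file.  None if not ELF."""
    if len(header) < 20 or header[:4] != ELF_MAGIC:
        return None
    bits = {1: 32, 2: 64}.get(header[4])
    endian = {1: "little", 2: "big"}.get(header[5])
    if bits is None or endian is None:
        return None
    fmt = ("<" if endian == "little" else ">") + "H"
    (e_machine,) = struct.unpack_from(fmt, header, 18)
    return {"class": bits, "endian": endian,
            "machine": EM_NAMES.get(e_machine, "EM_%d" % e_machine)}


def describe_elf_file(path):
    """Inspect an installed binary, e.g. describe_elf_file('/usr/local/libexec/slapd')."""
    with open(path, "rb") as fh:
        return describe_elf(fh.read(64))


def is_64bit_for(header, machine):
    """True only if the binary is the 64-bit class *and* targets `machine`."""
    d = describe_elf(header)
    return bool(d) and d["class"] == 64 and d["machine"] == machine


def make_header(ei_class, ei_data, e_machine):
    """Constructed minimal header (enough for describe_elf) for offline checks."""
    ident = ELF_MAGIC + bytes([ei_class, ei_data, 1, 0]) + b"\0" * 8   # 16 bytes
    fmt = ("<" if ei_data == 1 else ">") + "HH"
    return ident + struct.pack(fmt, 2, e_machine)   # e_type = ET_EXEC, e_machine


SPARCV9_64 = make_header(2, 2, 43)   # what a 64-bit SPARC build should look like
SPARC_32 = make_header(1, 2, 18)     # 32-bit SPARC V8+ build
X86_64 = make_header(2, 1, 62)

if __name__ == "__main__":
    for name, hdr in (("sparcv9", SPARCV9_64), ("sparc32", SPARC_32), ("x86-64", X86_64)):
        print(name, describe_elf(hdr))
```

Run describe_elf_file() against the slapd and slapadd that the new CFLAGS produced; if it still reports class 32, the -xarch variant did not imply the 64-bit memory model and -m64 (or an LFS build per lfcompile(5), as suggested in the thread) is needed.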
problem with security ppolicy
by Evgeniy
hello
OpenLdap 2.4.18.
Attribute "pwdAccountLockedTime" is set, but auth is still OK. Why? On LDAP 2.3 it works normally: the user can't auth after this date.
# date
Tue Sep 22 21:24:44 MSD 2009
ldapsearch -h localhost -x -b 'ou=SrpUsers,dc=company,dc=com' -D "cn=admin,dc=company,dc=com" -w password "cn=_1*" + | grep pwdAccountLockedTime
pwdAccountLockedTime: 20090922153148Z
but
slapauth -v -f /usr/local/etc/openldap/slapd.conf -U _125363 -X u:_125363
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/accesslog-data: (2).
Expect poor performance for suffix "cn=accesslog".
bdb_db_open: warning - no DB_CONFIG file found in directory /usr/local/var/openldap-data: (2).
Expect poor performance for suffix "dc=company,dc=com".
ID: <_125363>
authcDN: <uid=_125363,cn=auth>
authzDN: <uid=_125363,cn=auth>
authorization OK
How can I resolve the problem with the non-working "pwdAccountLockedTime"?
--
---______________________________________________---
Evgeniy
14 years, 1 month
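Two things decide whether a set pwdAccountLockedTime refuses a login. First, the rule itself: slapo-ppolicy(5) keeps the account locked while pwdAccountLockedTime is present and either the policy's pwdLockoutDuration is 0 (locked until an administrator removes the attribute), the value is the special 000001010000Z (locked by an administrator), or the current time is before pwdAccountLockedTime plus pwdLockoutDuration. Second, where it is enforced: the overlay checks it during a bind operation handled by slapd, whereas slapauth(8) exercises the authentication/authorization identity mapping configured in slapd.conf and performs no bind, so its "authorization OK" says nothing about the lock. The block below is an added example, not from the post or OpenLDAP, that evaluates the rule offline; the sample entry is the post's value and "now" is the post's 21:24:44 MSD converted to UTC (MSD is UTC+4).

```python
"""Evaluate the slapo-ppolicy(5) lockout rule for an entry and policy.

Added example, not from the post or OpenLDAP.  entry/policy map attribute
names to single string values as ldapsearch prints them.
"""
from datetime import datetime, timedelta, timezone

ADMIN_LOCK = "000001010000Z"   # special value: locked by an administrator


def parse_generalized_time(value):
    """LDAP GeneralizedTime as slapd writes it (YYYYmmddHHMMSS[.f]Z) -> UTC datetime."""
    digits = value.rstrip("Z").split(".")[0]
    fmt = "%Y%m%d%H%M%S" if len(digits) == 14 else "%Y%m%d%H%M"
    return datetime.strptime(digits, fmt).replace(tzinfo=timezone.utc)


def is_locked(entry, policy, now):
    """True if a bind at `now` would be refused because of pwdAccountLockedTime."""
    locked_at = entry.get("pwdAccountLockedTime")
    if not locked_at:
        return False
    if locked_at == ADMIN_LOCK:
        return True
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if duration == 0:
        return True                      # stays locked until the attribute is removed
    return now < parse_generalized_time(locked_at) + timedelta(seconds=duration)


def unlock_time(entry, policy):
    """When a time-limited lock expires; None if it never expires by itself."""
    locked_at = entry.get("pwdAccountLockedTime")
    duration = int(policy.get("pwdLockoutDuration", "0"))
    if not locked_at or locked_at == ADMIN_LOCK or duration == 0:
        return None
    return parse_generalized_time(locked_at) + timedelta(seconds=duration)


POST_ENTRY = {"pwdAccountLockedTime": "20090922153148Z"}   # value from the post
NOW = parse_generalized_time("20090922172444Z")          # post's 21:24:44 MSD in UTC

if __name__ == "__main__":
    for dur in ("0", "3600", "86400"):
        print("pwdLockoutDuration", dur, "->", is_locked(POST_ENTRY, {"pwdLockoutDuration": dur}, NOW))
```

With the post's timestamp (locked at 15:31:48Z, checked at 17:24:44Z) the account is still locked under a 0 or one-day duration and already unlocked under a one-hour duration; the same values checked with an actual bind (ldapwhoami -x -D <user DN> -W) against slapd are what the overlay enforces.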
SASL Mech EXTERNAL disabled?
by Dieter Kluenter
Hi,
after updating to openldap-2.4.18, the TLS-enabled SASL EXTERNAL mechanism
seems to be disabled, but it is still enabled via ldapi://
:~> ldapwhoami -Y external -ZZ -H ldap://localhost
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Authentication method not supported (7)
Is this a bug, or has something changed which I haven't noticed?
:~> ldapsearch -x -LLL -H ldap://localhost -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: DIGEST-MD5
:~> ldapsearch -x -ZZ -LLL -H ldap://localhost -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
:~> ldapsearch -x -LLL -H ldapi:/// -b "" -s base supportedSASLMechanisms
dn:
supportedSASLMechanisms: CRAM-MD5
supportedSASLMechanisms: PLAIN
supportedSASLMechanisms: DIGEST-MD5
supportedSASLMechanisms: LOGIN
supportedSASLMechanisms: EXTERNAL
-Dieter
--
Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535
http://www.dpunkt.de/buecher/2104.html
GPG Key ID:8EF7B6C6
14 years, 2 months
Write, then read & mirror-mode
by Peter Mogensen
Hi,
I am about to set up a mirror-mode server pair with a slapd-ldap proxy to
access them through.
But it strikes me that the small delay for replication may result in
race conditions for applications which write an entry and then read it back.
Like:
The application creates an object through the proxy, which forwards the
add request to server-1. Immediately afterwards the application tries to read
the object back, but now there is a small chance that the proxy redirects
the search request to server-2 ... before replication has been done?
Is this correct? Is there any way to avoid it besides writing directly to
server-1 or server-2 and reading back from the same server?
/Peter
14 years, 2 months
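The sequence described in the post, as an added simulation that is not part of the post or of OpenLDAP: a proxy round-robins between two replicas, a write lands on one of them, replication delivers it to the peer one tick later, and a read routed to the peer in between sees nothing. The second run shows the usual mitigation short of bypassing the proxy: read-your-writes affinity, where a client's reads are pinned to the server that took its last write. Server names, the one-tick lag and the client identity are constructed.

```python
"""Write-then-read through a proxy balancing over a mirror-mode pair.

Added example, not from the post or OpenLDAP.  Replication lag is modelled
as a queue delivered on tick(); the proxy is plain round-robin unless sticky.
"""


class Replica:
    def __init__(self, name):
        self.name = name
        self.entries = {}

    def add(self, dn, attrs):
        self.entries[dn] = attrs

    def search(self, dn):
        return self.entries.get(dn)


class MirrorPair:
    """Two replicas; a write to one is applied to the other `lag` ticks later."""

    def __init__(self, lag=1):
        self.servers = (Replica("server-1"), Replica("server-2"))
        self.lag, self.clock, self.pending = lag, 0, []

    def write(self, server, dn, attrs):
        server.add(dn, attrs)
        peer = self.servers[1] if server is self.servers[0] else self.servers[0]
        self.pending.append((self.clock + self.lag, peer, dn, attrs))

    def tick(self):
        """Advance time and deliver every queued change that has become due."""
        self.clock += 1
        due = [p for p in self.pending if p[0] <= self.clock]
        self.pending = [p for p in self.pending if p[0] > self.clock]
        for _, peer, dn, attrs in due:
            peer.add(dn, attrs)


class Proxy:
    """Round-robin front end; with sticky=True a client's reads follow its writes."""

    def __init__(self, pair, sticky=False):
        self.pair, self.sticky = pair, sticky
        self.next_server, self.affinity = 0, {}

    def _pick(self, client):
        if self.sticky and client in self.affinity:
            return self.affinity[client]
        server = self.pair.servers[self.next_server % 2]
        self.next_server += 1
        return server

    def add(self, client, dn, attrs):
        server = self._pick(client)
        self.pair.write(server, dn, attrs)
        if self.sticky:
            self.affinity[client] = server   # pin later reads to the writer

    def search(self, client, dn):
        return self._pick(client).search(dn)


def write_then_read(sticky):
    """(entry visible right after the add?, visible after replication caught up?)"""
    pair = MirrorPair(lag=1)
    proxy = Proxy(pair, sticky=sticky)
    dn = "uid=newuser,ou=People,dc=example,dc=com"   # constructed
    proxy.add("app", dn, {"uid": ["newuser"]})
    seen_immediately = proxy.search("app", dn) is not None
    pair.tick()
    seen_later = proxy.search("app", dn) is not None
    return seen_immediately, seen_later


if __name__ == "__main__":
    print("round-robin:", write_then_read(sticky=False))
    print("sticky:     ", write_then_read(sticky=True))
```

Affinity only helps the client that did the write; a different client reading through the proxy can still observe the pre-replication state until the change has propagated, which is inherent to asynchronous replication and not specific to slapd.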
LDAP_OPT_X_TLS_NEWCTX
by Michael Ströder
Hi!
How is LDAP_OPT_X_TLS_NEWCTX set to LDAP_OPT_ON supposed to work?
I've added support for it in python-ldap to set connection-specific values for
LDAP_OPT_X_TLS_REQUIRE_CERT and LDAP_OPT_X_TLS_CACERTFILE.
Note: In python-ldap LDAP options can be set globally by invoking
ldap.set_option() or connection-specific with LDAPObject.set_option(), which
both use ldap_set_option() in libldap or libldap_r. A libldap constant
LDAP_OPT_FOO is mapped to a python-ldap constant ldap.OPT_FOO.
Python-code for testing looks like this:
---------------------------- snip ----------------------------
import ldap

# Create LDAPObject instance
l = ldap.initialize('ldap://localhost:1390')
# Set LDAP protocol version used
l.protocol_version=ldap.VERSION3
# Force libldap to create a new SSL context
l.set_option(ldap.OPT_X_TLS_NEWCTX,ldap.OPT_ON)
# Force cert validation
l.set_option(ldap.OPT_X_TLS_REQUIRE_CERT,ldap.OPT_X_TLS_DEMAND)
# Set path name of file containing all trusted CA certificates
l.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE)
# Now try StartTLS extended operation
l.start_tls_s()
# Try a bind to provoke failure if protocol version is not supported
l.simple_bind_s('','')
# Close connection
l.unbind_s()
---------------------------- snip ----------------------------
But this does not work. The CA cert file is not taken into account for
validating the server cert. Setting it globally with
ldap.set_option(ldap.OPT_X_TLS_CACERTFILE,CACERTFILE) works.
Ciao, Michael.
14 years, 2 months
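Order is what matters here. ldap_get_option(3)/ldap_set_option(3) document LDAP_OPT_X_TLS_NEWCTX as the step that instantiates a new TLS context from the TLS option values already set on the handle, so CACERTFILE and REQUIRE_CERT have to be set before it, not after; the option's value is an int where non-zero requests a server-side context, so a client passes 0 rather than LDAP_OPT_ON. The block below is an added example, not Michael's code or python-ldap's own API: a small helper that applies the options in that order, checked offline against a recording stand-in for the connection object, plus the real python-ldap call sequence for when the module is installed. The FAKE_LDAP constants and the RecordingConn class are constructed for the offline check.

```python
"""Connection-specific TLS settings in python-ldap, in the order libldap requires.

Added example, not from the post or python-ldap.  OPT_X_TLS_NEWCTX is applied
last because it builds the per-connection context from the options set so far.
"""
from types import SimpleNamespace


def configure_tls(conn, cacertfile, ldap_mod=None):
    """Set per-connection CA file and certificate verification, then create the context."""
    if ldap_mod is None:
        import ldap as ldap_mod                     # real python-ldap when installed
    conn.set_option(ldap_mod.OPT_X_TLS_CACERTFILE, cacertfile)
    conn.set_option(ldap_mod.OPT_X_TLS_REQUIRE_CERT, ldap_mod.OPT_X_TLS_DEMAND)
    # Last: instantiate a *client* (value 0) TLS context from the options above.
    conn.set_option(ldap_mod.OPT_X_TLS_NEWCTX, 0)
    return conn


def starttls_verified(uri, cacertfile):
    """Real usage: StartTLS with the server cert checked against `cacertfile`."""
    import ldap
    conn = ldap.initialize(uri)
    conn.protocol_version = ldap.VERSION3
    configure_tls(conn, cacertfile)
    conn.start_tls_s()                              # fails if the chain does not verify
    return conn


# --- offline check of the ordering, no libldap needed -----------------------
FAKE_LDAP = SimpleNamespace(                        # constructed stand-in for `ldap`
    OPT_X_TLS_CACERTFILE="OPT_X_TLS_CACERTFILE",
    OPT_X_TLS_REQUIRE_CERT="OPT_X_TLS_REQUIRE_CERT",
    OPT_X_TLS_DEMAND="OPT_X_TLS_DEMAND",
    OPT_X_TLS_NEWCTX="OPT_X_TLS_NEWCTX",
)


class RecordingConn:
    """Records set_option() calls in the order they are made."""

    def __init__(self):
        self.calls = []

    def set_option(self, option, value):
        self.calls.append((option, value))


def option_sequence(cacertfile="/etc/ssl/certs/ca-bundle.pem"):   # path is constructed
    conn = configure_tls(RecordingConn(), cacertfile, FAKE_LDAP)
    return conn.calls


if __name__ == "__main__":
    for option, value in option_sequence():
        print(option, "=", value)
```

If the global ldap.set_option() path works while the per-connection one does not, the usual cause is exactly this: the new context was created before the CA file was set on it, so it inherited the default (empty) trust store.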
Proxy Authorization
by Jittinan Suwanrueangsri
Hi All
I am trying to configure slapd.conf to support proxy authorization, but I cannot
add the authzTo attribute to an entry
[root@masterldap ~]# ldapmodify -x -w secret -D "cn=admin,dc=demo,dc=net"
dn: uid=matt,ou=Users,dc=demo,dc=net
changetype: add
authzTo: dn.regex=^uid=[^,]*,ou=Users,dc=demo,dc=net$
adding new entry "uid=matt,ou=Users,dc=demo,dc=net"
ldap_add: Invalid syntax (21)
additional info: authzTo: value #0 invalid per syntax
[root@masterldap ~]#
I didn't see an authzTo attribute in any OpenLDAP schema. How can I fix
this error?
14 years, 2 months
Search fails after adding index
by Laurens Blankers
Hi,
I am trying to index searches on uid. However, as soon as I add the
following index to slapd.conf:
index uid pres,eq,sub
stop slapd, run 'su openldap -c slapindex' and start slapd again, searching
for any uid returns 0 results.
I am using the following search command:
ldapsearch -x "(&(objectClass=posixAccount)(uid=laurens))"
After removing the index line from slapd.conf and restarting slapd the
search returns the desired result again. I set the loglevel to 480, but the
log does not contain any entries which indicate a problem.
Why does adding indexes result in the search failing?
I am running OpenLDAP 2.4.17 on Debian testing with the hdb backend.
TIA,
Laurens
14 years, 2 months
syncrepl, updateref, chain overlay and the authzTo attribute
by Edgar Fuß
Some questions around syncrepl, updateref, the chain overlay and the authzTo attribute:
For performance reasons, I need a LDAP replica on a remote site. I set this up using syncrepl.
Now, given some clients' inability to direct updates to an LDAP server different from the one they send queries to, is the following the intended way to deal with this situation (using OpenLDAP as a server, of course) or is there a simpler solution?
- set updateref on the syncrepl consumer
- use the chain overlay on the syncrepl consumer
- set an appropriate authzTo attribute for the replication entity and set authz-policy to "to" on the syncrepl provider
I'm somewhat reluctant to configure something as powerful as proxy auth in LDAP attributes. Is there a way to configure proxy authorisation solely in slapd.conf? Or at least, to restrict it to entities explicitly enumerated in slapd.conf?
As an aside, I couldn't find it documented that authzTo was an operational attribute, so I wasted my time looking for a schema containing that attribute. Did I miss something or is this indeed not documented explicitly?
14 years, 2 months
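Both authzTo threads above (the "Invalid syntax (21)" in the Proxy Authorization post and the schema hunt in this one) come down to the same two facts. authzTo and authzFrom are not in any schema file because slapd defines them internally as operational attributes (USAGE distributedOperation), which is also why they can be written with ldapmodify but not found with a plain objectClass search. Their values follow the rule grammar given under authz-policy in slapd.conf(5), with a colon between selector and pattern: dn[.exact|.regex|.children|.subtree|.onelevel]:<pattern>, u[.<mech>[/<realm>]]:<pattern>, group[/<objectclass>[/<attribute>]]:<group DN>, or an LDAP URL; and the provider needs "authz-policy to" (or "both") for authzTo to be consulted at all. The block below is an added example, not code from either post or from OpenLDAP: a pre-flight check of rule strings against a deliberately simplified regular expression written here (slapd's own syntax checker remains authoritative), and a generator for the LDIF that adds the attribute to an existing entry with "changetype: modify" (the first post's "changetype: add" asks ldapmodify to create a new entry). The DNs are the ones from that post.

```python
"""Pre-flight check of authzTo/authzFrom rule strings and LDIF generation.

Added example, not from the posts or OpenLDAP.  _RULE approximates the rule
forms listed under authz-policy in slapd.conf(5); slapd is the authority.
"""
import re

_RULE = re.compile(
    r"""^(?:
        dn(?:\.(?:exact|regex|children|subtree|onelevel))?:.+ |
        u(?:\.[A-Za-z0-9_-]+(?:/[^:]+)?)?:.+ |
        group(?:/[A-Za-z0-9_-]+(?:/[A-Za-z0-9_;-]+)?)?:.+ |
        ldaps?://.*
    )$""",
    re.VERBOSE | re.IGNORECASE,
)


def is_valid_authz_rule(value):
    """True if `value` has one of the selector:pattern shapes slapd accepts."""
    return bool(_RULE.match(value))


def authz_modify_ldif(entry_dn, rules, attr="authzTo"):
    """LDIF for ldapmodify that adds `attr` to an entry which already exists."""
    bad = [r for r in rules if not is_valid_authz_rule(r)]
    if bad:
        raise ValueError("rejected authz rule(s): %r" % bad)
    lines = ["dn: %s" % entry_dn, "changetype: modify", "add: %s" % attr]
    lines += ["%s: %s" % (attr, r) for r in rules]
    return "\n".join(lines) + "\n-\n"


# Value from the Proxy Authorization post ('=' after dn.regex) and the colon form.
POSTED_RULE = "dn.regex=^uid=[^,]*,ou=Users,dc=demo,dc=net$"
FIXED_RULE = "dn.regex:^uid=[^,]*,ou=Users,dc=demo,dc=net$"

if __name__ == "__main__":
    print(POSTED_RULE, "->", is_valid_authz_rule(POSTED_RULE))
    print(FIXED_RULE, "->", is_valid_authz_rule(FIXED_RULE))
    print(authz_modify_ldif("uid=matt,ou=Users,dc=demo,dc=net", [FIXED_RULE]))
```

On the question of keeping proxy authorization out of the directory: the rule strings themselves always live in authzTo/authzFrom values on entries, so the practical containment is a dn.exact or u: rule naming only the replication identity, an authz-policy of "to" so that only the proxying identity's own entry can grant anything, and ACLs that let nobody but the rootdn write those attributes.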
Install openldap-2.4.16 is paused when "make test"
by openbsd shen
I used these commands to install openldap 2.4.16:
env CPPFLAGS="-I/usr/local/BerkeleyDB.4.7/include"
LDFLAGS="-L/usr/local/BerkeleyDB.4.7/lib" ./configure
--prefix=/usr/local/openldap --enable-ldbm --enable-crypt
make depend
make
When I run "make test", it says:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
cd tests; make test
make[1]: Entering directory `/tmp/openldap-2.4.16/tests'
make[2]: Entering directory `/tmp/openldap-2.4.16/tests'
Initiating LDAP tests for BDB...
Running ./scripts/all...
>>>>> Executing all LDAP tests for bdb
>>>>> Starting test000-rootdse ...
running defines.sh
Starting slapd on TCP/IP port 9011...
Using ldapsearch to retrieve the root DSE...
Using ldapsearch to retrieve the cn=Subschema...
Using ldapsearch to retrieve the cn=Monitor...
dn:
objectClass: top
objectClass: OpenLDAProotDSE
structuralObjectClass: OpenLDAProotDSE
configContext: cn=config
namingContexts: o=OpenLDAP Project,l=Internet
monitorContext: cn=Monitor
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 2.16.840.1.113730.3.4.2
supportedControl: 1.3.6.1.4.1.4203.1.10.1
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.826.0.1.3344810.2.3
supportedControl: 1.3.6.1.1.13.2
supportedControl: 1.3.6.1.1.13.1
supportedControl: 1.3.6.1.1.12
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
supportedFeatures: 1.3.6.1.1.14
supportedFeatures: 1.3.6.1.4.1.4203.1.5.1
supportedFeatures: 1.3.6.1.4.1.4203.1.5.2
supportedFeatures: 1.3.6.1.4.1.4203.1.5.3
supportedFeatures: 1.3.6.1.4.1.4203.1.5.4
supportedFeatures: 1.3.6.1.4.1.4203.1.5.5
supportedLDAPVersion: 3
vendorName: The OpenLDAP Project <http://www.openldap.org/>
entryDN:
subschemaSubentry: cn=Subschema
dn: cn=Subschema
objectClass: top
objectClass: subentry
objectClass: subschema
objectClass: extensibleObject
cn: Subschema
dn: cn=Monitor
objectClass: monitorServer
cn: Monitor
description: This subtree contains monitoring/managing objects.
description: This object contains information about this server.
description: Most of the information is held in operational attributes, which
must be explicitly requested.
monitoredInfo: OpenLDAP: slapd 2.4.16 (Sep 24 2009 10:16:54)
>>>>> Test succeeded
>>>>> ./scripts/test000-rootdse completed OK.
>>>>> Starting test001-slapadd ...
running defines.sh
Running slapadd to build slapd database...
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
And then the process pauses....
I found that port 9011 is open:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
tcp 0 0 127.0.0.1:9011 0.0.0.0:* LISTEN
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
And the process is running:
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
root 24159 0.0 0.4 10964 4148 pts/0 S+ 10:19 0:00
/tmp/openldap-2.4.16/tests/../servers/slapd/slapd -Ta -d 0 -f
/tmp/openldap-2.4.16/tests/testrun/slapadd.conf -l
./testdata/test-ordered.ldif
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
14 years, 2 months