openldap-technical December 2009

openldap-technical@openldap.org

59 participants
67 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Problem with nss-ldap using GSSAPI
by Wojtek Polcwiartek 17 Feb '10

17 Feb '10

Hello, we use ldap as name source in our system (libnss-ldap). Until now we used anonymous bind with LDAP and it worked fine. Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent passwd <name>') does not work: no result is returned/printed. Strange is that, when we run the query in debug-mode (debug 7 in /etc/ldap.conf), you can see the correct result in the debug part (in "hexes") but at the end no result is printed . The only error message we could see is: res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <> Querying LDAP with ldapsearch still works fine. Do You have any idea how to get closer to the source of the problem? We use Ubuntu Karmic as client (repo package) and Solaris10 (with OpenLdap 2.4.16) as server. Greetings! -- Wojtek Polcwiartek ------ tubIT TU-Berlin Web : www.tubit.tu-berlin.de Email : tubit(a)tu-berlin.de Tel : +49.30.314.28000

2 3

Server Side sort and the cn attribute
by Edward Capriolo 06 Jan '10

06 Jan '10

We use openldap as a back end for many things. One of the thing, it can be used for is an address book for outlook. Recently we upgrade to 2.4.16->2.4.20 from 2.(who knows how old). Outlook 2003 clients stopped working: http://support.microsoft.com/kb/555536 So I followed the instructions here to enable server side sorting: http://bacedifo.blogspot.com/2009/09/server-side-sort-with-openldap2418.html I was able to add the ordering to the sn attribute. attributetype ( 2.5.4.4 NAME ( 'sn' 'surname' ) DESC 'RFC2256: last (family) name(s) for which the entity is known by' ORDERING caseIgnoreOrderingMatch SUP name ) Unfortunately outlook is looking at the cn attribute @400000004b21316a0e808064 sssvlv: no ordering rule specified and no default ordering rule for attribute cn @400000004b21316a0e808834 <= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule" That unfortunately is not defined in the core.schema # system schema #attributetype ( 2.5.4.3 NAME ( 'cn' 'commonName' ) # DESC 'RFC2256: common name(s) for which the entity is known by' # SUP name ) I am sure there is a good reason why cn does not have an ordering, but I am guessing it used to have this in the distant past since this previously worked. So how would I go about changing the system schema? Or does anyone have a better way to deal with this. (I know I could play with client registry (kb) article but I would like to handle this server side) Thank you for your insights.

1 1

changing rootdn password
by Mihamina Rakotomandimby 31 Dec '09

31 Dec '09

Manao ahoana, Hello, Bonjour, On a Debian and a Ubuntu I install OpenLDAP with the package manager. It usually asks for an admin password. But when looking in /etc/ldap/ I found no place where it is stored (even in an encrypted form). I would like to change that admin password without calling 'dpkg-reconfigure slapd'. Is there an ldap utility or built-in command for that purpose? Misaotra, Thanks, Merci. -- Architecte Informatique chez Blueline/Gulfsat: Administration Systeme, Recherche & Developpement +261 34 29 155 34 / +261 33 11 207 36

3 3

Clients can't authenticate via consumer server
by Jaap Winius 29 Dec '09

29 Dec '09

Hi all, On my test system, which uses OpenLDAP simple authentication, I'm unable to get clients to authenticate to a consumer server, although they can authenticate to its provider server without a problem. Here's a snippet of the consumer's syslog, for which I've set the slapd.conf loglevel to "acl": ================== Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: access to entry "uid=ccolumbus,ou=People,dc=example,dc=com", attr "userPassword" requested Dec 30 02:13:28 ldapc2 slapd[3031]: => acl_mask: to value by "", (=0) Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: cn=admin,dc=example,dc=com Dec 30 02:13:28 ldapc2 slapd[3031]: <= check a_dn_pat: anonymous Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] applying auth(=xd) (stop) Dec 30 02:13:28 ldapc2 slapd[3031]: <= acl_mask: [2] mask: auth(=xd) ================== Judging from this, I suspect that I've misconfigured the account on the consumer server that the client machines must use to access password values in the database to authenticate clients. Currently, the consumer's ACLs look like this: ================== access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" read by anonymous auth by * none access to dn.base="" by * read access to * by * read ================== This is the same admin account that I use on the provider. If I set the client's libnss-ldap configuration to use this account and its matching password to authenticate users via the consumer server, it doesn't work. Any idea about what I'm doing wrong? Thanks, Jaap

1 0

Renaming of attributes in ldap schema
by Thilko Richter 29 Dec '09

29 Dec '09

Hello, I have a general ldap question: I would like to use ldap as configuration store for my applications. Each application gets his own object schema, since then the number properties is deterministic. Since a number of developers are involved, I try to generate the schema definition from a ruby DSL. I am now thinking about what happens to existing entries in the dit if the oids or names of the attribute definitons has changed? Are they invalid after ldap server restart? Would you recommend not to renaming any elements in the schema? I have seen that the attributes on existing entries disappeared if I change the name in the schema. Regards, Thilko

2 1

LDAP programming book
by Murray S. Kucherawy 28 Dec '09

28 Dec '09

Is the 1997 book "LDAP: Programming Directory-Enabled Applications" by Smith & Howes reasonably current to the latest OpenLDAP releases, or has enough changed in the intervening 12 years that it's not worth getting?

2 1

Chain overlay not available in Debian lenny?
by Jaap Winius 26 Dec '09

26 Dec '09

Hi all, Can anyone confirm that the chain overlay is not available in the version of OpenLDAP (2.4.11-1) that comes with Debian lenny? Although the man page for it still exists, loading it as a module result in an error (lt_dlopenext failed: (chain) chain.so: cannot open shared object file: No such file or directory), as does activating it (overlay "chain" not found) as well as attempts to use any of the "chain-" options in slapd.conf. Also, there's a Debian bug report (#502769, 19 Oct. 2008) with the subject "when adding overlay chain to the slapd.conf slapd crashes with overlay chain not found." No mention is made of a solution, but could it be that the chain overlay was simply removed from the slapd package as result? Thanks, Jaap

2 1

ACL problem
by Il Neofita 24 Dec '09

24 Dec '09

Hi I am new and probably I am facing a very basic error I am tring to create an admin for a subset I create this ldif dn: cn=mmmm,dc=test,dc=xx cn: mmmm sn: mmmm objectClass: person objectClass: top userPassword: test then on sladp.conf ... access to dn.subtree="ou=people,dc=test,dc=xx" by dn="cn=mmmm,dc=test,dc=xx" write by * read ... Restarted ldap ldapsearch -x -D "cn=mmmm,dc=test,dc=xx" -W '(objectclass=*)' ldap_bind: Invalid credentials (49) What am I do wrong?

2 5

deprecated function ldap_sort_entries, ldap_sort_values, ldap_sort_strcasecmp
by DT Piotr Wadas 24 Dec '09

24 Dec '09

Hello, using openldap 2.4.17 I'm fixing obsolete things in my old application, e.g. removed some extern statements. When building I got xxx.c:790: error: 'ldap_sort_strcasecmp' undeclared (first use in this function) After further investigation I discovered this http://www.mail-archive.com/openldap-devel@openldap.org/msg01517.html quote: " ldap_sort_entries ldap_sort_values ldap_sort_strcasecmp of which Net::LDAPapi only uses ldap_sort_entries. Is there a replacement function for this? If not, any thoughts on what the steps are to duplicate that functionality? So no one else knows what these functions do either? ;) Well, functions tend to get deprecated due to neglect. If nobody has ever used them thus far..... -- Howard Chu" Well, seems I know what these function do, I used it to sort set of values of the retrieved attribute ( char ** ), specifying function, which is to be used for sorting. The form of call was (is) ldap_sort_values( LDAP * ldc, char ** vals, ( fn & ) ldap_sort_strcasecmp); The idea was, that when I got attribute values set like attrName: /abc/xyz attrName: /abc/x/nnnn attrName: /abc attrName: /abc/xyz/u/m numericAttrName: 10 numericAttrName: 5 numericAttrName: 123 I need to process it in some resonable order, according to application needs, it was easier to use library functions than create my own's. I denoted these with ' //LDAP_SORT_AV_CMP_PROC *cmp ', but don't remember was I meant, must have been about 3 years ago. Any suggestions? Shall I create my own function to sort retrieved values, or use some server control? AFAIR one has no influence on the order, in which attribute values are PUT into the entry, but when it comes to use it, it is important to be sure, that there's NO variable of value "7" processed before value "10" ldap_sort (3) - LDAP sorting routines (deprecated) ldap_sort_entries (3) - LDAP sorting routines (deprecated) ldap_sort_strcasecmp (3) - LDAP sorting routines (deprecated) ldap_sort_values (3) - LDAP sorting routines (deprecated) Regards, DT -- http://dtpw.pl/buell [ 25th anniversary of Buell - American Motorcycles ] Linux aleft 2.6.27.29-0.1_lustre.1.8.1.1-default #1 SMP drbd 8.3.6-(api:88/proto:86-91) pacemaker 1.0.6-cebe2b6ff49b36b29a3bd7ada1c4701c7470febe

1 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2009