September 2009 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

6 years, 9 months

4
11
0 / 0

dynlist overlay feature request

by Alexander 'Leo' Bergolth

Are there any plans to extend the dynlist overlays dynamic group feature to return not the DNs of the matched entries but an attribute of the entries? This would be useful for defining dynamic groups based on posixGroup (which need only the username, not the full DN) and populating them with entries from posixAccounts. If the dynlist-attrset could be extended by one parameter like: dynlist-attrset <group-oc> <URL-ad> [<member-ad>] [<result-ad>] ... where the additional parameter specifies the attribute that should be returned from the search results, a dynamic posixGroup could be configured like that: dynlist-attrset myposixGroup memberURL memberUid uid with a search filter like that: ldap:///ou=users,dc=local,dc=site??sub?(&(objectClass=posixAccount)(<searchfilter>)) I.e. "take the uid attribute of the matched entries and add them as memberUid." Could this extension be easily implemented? Is there currently any workaround? E.g. a way to dynamically add a memberUid to each posixAccount that contains the same data as the uid attribute? If that works, a filter like ldap:///ou=users,dc=local,dc=site?memberUid?sub?(&(objectClass=posixAccount)(<searchfilter>)) ... could work. Thanks in advance, --leo -- e-mail ::: Leo.Bergolth (at) wu.ac.at fax ::: +43-1-31336-906050 location ::: IT-Services | Vienna University of Economics | Austria

13 years, 3 months

3
6
0 / 0

Using Arbitrary X509 certificates for LDAPS authentication

by Stephen Cartwright

Hi there, Are there any restrictions on the DN or other attributes of credentials used for LDAP authentication? We are using grid credentials (X509 format) with DNs like this: issuer= /C=CA/O=Grid/CN=Grid Canada Certificate Authority subject= /C=CA/O=Grid/CN=host/somehost.somedomain.ca When I use some grid certs (X509 format) I see this message in the debug output from slapd: connection_read(10): unable to get TLS client DN error=49 id=3 When I try to connect, I get this: ldap_initialize( ldaps://somehost.somedomain.ca ) ldap_bind: Can't contact LDAP server The openssl command to create a connection works OK: CONNECTED(00000003) --- Certificate chain 0 s:/C=CA/O=Grid/CN=host/somehost.somedomain.ca i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority 1 s:/C=CA/O=Grid/CN=Grid Canada Certificate Authority i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority --- Server certificate -----BEGIN CERTIFICATE----- ... -----END CERTIFICATE----- subject=/C=CA/O=Grid/CN=host/somehost.somedomain.ca issuer=/C=CA/O=Grid/CN=Grid Canada Certificate Authority --- No client certificate CA names sent --- SSL handshake has read 2083 bytes and written 320 bytes --- New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA Server public key is 1024 bit SSL-Session: Protocol : TLSv1 Cipher : DES-CBC3-SHA Session-ID: 43B46528E848663E7C8E9CAAEA4E6DB5E4A9675C05C3066DBD826CD1CF59A566 Session-ID-ctx: Master-Key: A8245A0731BA98F0D88821346432868C392FEE3F23EAFB9F356A34CB6BB663FC0892374118F280D6284C8E2ACAC3 Key-Arg : None Start Time: 1251330160 Timeout : 300 (sec) Verify return code: 0 (ok) When I use certs created by us with another DN format such as this: subject= /C=CA/ST=Province/L=Town/O=Organization/OU=Unit/CN=somehost.somedomain.ca/emailAddress=email(a)somewhere.ca issuer= /C=CA/ST=Province/O=Organization/OU=Town/CN=Our CA/emailAddress=email(a)somewhere.ca And then make no other changes to the config other than pointing everything to the new commands I can make a connection. Any suggestions? Please advise. Steve

13 years, 4 months

3
6
0 / 0

smbk5pwd does not properly update sambaNTPassword and sambaLMPassword

by Scott Classen

Hello I am running openldap 2.4.18 (BDB 4.8.24). Both of which I compiled from source. I compiled smbk5pwd with support ONLY for samba. I am using the samba that is distributed with CentOS 5.3 (3.0.33) openldap does not crash or complain when it launches so I assume that: moduleload /usr/local/libexec/smbk5pwd.la is at least loading up the module correctly. I have a user with the sambaSamAccount objectclass. I have configured PAM to change the LDAP userPassword when invoked from the command line with /usr/bin/passwd The userPassword hash gets successfully updated and the values of the sambaNTPassword and sambaLMPassword hashes are changed, but I am unable to authenticate as a samba user against these hashes... and they look sorta weird: 010000000000000090c9c94100000000 when I would expect them to look more "complicated" like: 552902031BEDE9EFAAD3B435B51404EE Does this smell of a smbk5pwd bug/problem/misconfiguration or a samba/ PAM one? Thanks, Scott

13 years, 5 months

4
5
0 / 0

Fwd: syncrepl inseard of back-perl ?

by Brett ＠Google

Hello, I was wondering if there are any concrete examples of using syncrepl to monitor a slapd for changes, and perform some scripted operation if the monitored data changes. I can think of several cases where this might be very handy, where you want to run a script or custom business logic, on receipt of some data being changed. I have seen some examples in the 2.3.x days, where slurpd was used to push changes to a back-perl script, which then did some custom business logic and it did fill an very useful niche. I imagine these post-slurp syncrepl days you could use the syncrepl protocol in a push mode via a proxy to push changes at a back-perl instance to the same sort of thing. But perhaps using syncrepl directly might seem like a better option, as this has been touted as a benefit of syncrepl, although i have not seen any specific examples.. To this end, i am wondering are the syncrepl client parts of slapd usable outside the context of the slapd binary? Has anyone tried this and has any examle code they are willing to share ? Cheers Brett

13 years, 5 months

5
7
0 / 0

Segmentation fault using logpurge option in slapd.conf

by Julian Thomé

Hello mailing list, We have a problem using OpenLdap V. 2.4.11 with Debian Lenny. If we use the option logpurge in our slapd.conf, slapd can't start anymore. Our slapd.conf: >8-----------------------------------------------/etc/ldap/slapd.conf # Schema and objectClass definitions include /etc/ldap/schema/core.schema include /etc/ldap/schema/misc.schema include /etc/ldap/schema/cosine.schema include /etc/ldap/schema/inetorgperson.schema include /etc/ldap/schema/hdb.schema include /etc/ldap/schema/nis.schema # Where the pid file is put. The init.d script # will not stop the server if you change this. pidfile /var/run/slapd/slapd.pid # List of arguments that were passed to the server argsfile /var/run/slapd/slapd.args # Read slapd.conf(5) for possible values loglevel 4 #sasl-secprops minssf=0 # Where the dynamically loaded modules are stored modulepath /usr/lib/ldap moduleload back_hdb moduleload smbk5pwd moduleload accesslog # The maximum number of entries that is returned for a search operation sizelimit unlimited # TLS Stuff TLSCACertificateFile /etc/ssl/certs/ca.pem TLSCertificateKeyFile /etc/ldap/openldap.key TLSCertificateFile /etc/ldap/openldap.crt # The tool-threads parameter sets the actual amount of cpu's that is used # for indexing. tool-threads 2 # Specific Backend Directives for hdb: backend hdb # Specific Directives for database: accesslog database hdb directory "/var/lib/accesslog" suffix "cn=accesslog" checkpoint 512 30 rootdn "cn=accesslog" rootpw ... index default eq index reqStart eq index reqType eq dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 # Specific Directives for database: data database hdb directory "/var/lib/ldap" overlay smbk5pwd overlay accesslog logdb cn=accesslog logops writes logsuccess TRUE logold (objectClass=posixAccount) logpurge 07+00:00 01+00:00 suffix ... rootdn ... rootpw ... dbconfig set_cachesize 0 2097152 0 dbconfig set_lk_max_objects 1500 dbconfig set_lk_max_locks 1500 dbconfig set_lk_max_lockers 1500 # Indexing options for database #1 index default eq index objectClass eq index uidNumber pres,eq index uid eq smbk5pwd-enable krb5 smbk5pwd-enable samba smbk5pwd-must-change 2592000 password-hash {K5KEY} # lastmod on # The userPassword by default can be changed # by the entry owning it if they are authenticated. # Others should not be able to see it, except the # admin entry below # These access lines apply to database #1 only access to attrs=userPassword,shadowLastChange filter="(memberOf=Archiv)" by peername.ip=192.168.222.17 auth stop by peername.regex=.* none break access to dn.base="..." by * read access to attrs=userPassword,shadowLastChange filter="(!(memberOf=Archiv))" by peername.ip=192.168.222.17 none stop by peername.regex=.* none break # this rule is more specific than the admin rule below access to attrs=userPassword,shadowLastChange by set="user/memberOf & [Administratoren]" write by dn="cn=admin,..." write by anonymous auth by self write by * none # Ensure read access to the base for things like # supportedSASLMechanisms. Without this you may # have problems with SASL not knowing what # mechanisms are available and the like. # Note that this is covered by the 'access to *' # ACL below too but if you change that as people # are wont to do you'll still need this if you # want SASL (and possible other things) to work # happily. access to dn.base="" by * read # The admin dn has full write access, everyone else # can read everything. # be sure to include the admins in the previous, more specific rule access to * by set="user/memberOf & [Administratoren]" write by dn="cn=admin,..." write by * read access to dn.subtree="ou=Benutzer,..." by sockurl="ldapi:///" write authz-regexp "gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,..." ----------------------------------------------------8< Starting slapd with the command: slapd -d 16383 produces the following output: >8--------------------------------------------------- ... ... >>> dnPrettyNormal: <cn=accesslog> => ldap_bv2dn(cn=accesslog,0) <= ldap_bv2dn(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 <<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog> line 65 (rootpw ***) line 66 (index default eq) line 67 (index reqStart eq) index reqStart 0x0004 line 68 (index reqType eq) index reqType 0x0004 line 69 (dbconfig set_cachesize 0 2097152 0) line 70 (dbconfig set_lk_max_objects 1500) line 71 (dbconfig set_lk_max_locks 1500) line 72 (dbconfig set_lk_max_lockers 1500) line 75 (database hdb) hdb_db_init: Initializing HDB database line 76 (directory "/var/lib/ldap") line 78 (overlay smbk5pwd) line 80 (overlay accesslog) line 81 (logdb cn=accesslog) >>> dnPrettyNormal: <cn=accesslog> => ldap_bv2dn(cn=accesslog,0) <= ldap_bv2dn(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 => ldap_dn2bv(272) <= ldap_dn2bv(cn=accesslog)=0 <<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog> line 82 (logops writes) line 83 (logsuccess TRUE) line 85 (logpurge 07+00:00 01+00:00) Speicherzugriffsfehler ----------------------------------------------------8< If the logpurge-option is uncommented, slapd starts without any problems. It would be very nice if someone could help us ! Greetings Julian ___________________________________________________________ Telefonate ohne weitere Kosten vom PC zum PC: http://messenger.yahoo.de

13 years, 5 months

3
3
0 / 0

Kerberos and LDAP

by Howard Chu

For those interested, I've been invited to speak at the Kerberos Conference at MIT on October 21. I'll be giving a talk on using Kerberos with LDAP, showing walkthroughs of the schema and using an LDAP backend for the KDC. http://www.kerberos.org/events/2009conf/ -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

13 years, 5 months

2
1
0 / 0

PHP: issues managing the password, what is wrong?

by Alberto Moreno

Hi people, I doing a web interface that will request a username + password, like squirrelmail i will contact my ldap server, this app will run on Centos 5.3, php 5.3, this will be where my web pages will be, the ldap server is running on Gentoo with ldap 2.3.43. My current problem is with the password, I have found small app that wants to compare the input of the password vs the ldap password this will let us identify the user. Well searching aroun, I found the crypt function but there is a thing that I don't like it: "The standard DES-based encryption crypt() returns the salt as the first two characters of the output. It also only uses the first eight characters of str , so longer strings that start with the same eight characters will generate the same result (when the same salt is used)" How can I deal with this note: 8 characters only? Some users have more than that, this is my code: $cryptedpassword='{crypt}74boAULE9gF5.'; if( preg_match( "/{([^}]+)}(.*)/", $cryptedpassword, $cypher ) ) { $cryptedpassword = $cypher[2]; $_cypher = strtolower($cypher[1]); } else { $_cypher = NULL; } if( preg_match("/^\\$2+/",$cryptedpassword ) ) { // make sure that web server supports blowfish crypt if( ! defined( 'CRYPT_BLOWFISH' ) || CRYPT_BLOWFISH == 0 ) pla_error( _('Your system crypt library does not support blowfish encryption.') ); list(,$version,$rounds,$salt_hash) = explode('$',$cryptedpassword); if( crypt( $plainpassword, '$'. $version . '$' . $rounds . '$' .$salt_hash ) == $cryptedpassword ) return true; else return false; } elseif( strstr( $cryptedpassword, '$1$' ) ) { if( ! defined( 'CRYPT_MD5' ) || CRYPT_MD5 == 0 ) pla_error( _('Your system crypt library does not support md5crypt encryption.') ); list(,$type,$salt,$hash) = explode('$',$cryptedpassword); if( crypt( $plainpassword, '$1$' .$salt ) == $cryptedpassword ) return true; else return false; } elseif (strstr( $cryptedpassword, '_' ) ) { if ( ! defined( 'CRYPT_EXT_DES' ) || CRYPT_EXT_DES == 0 ) pla_error( _('Your system crypt library does not support extended DES encryption.') ); echo crypt($plainpassword, $cryptedpassword ); if( crypt($plainpassword, $cryptedpassword ) == $cryptedpassword ) return true; else return false; } else { if( crypt($plainpassword $cryptedpassword ) == $cryptedpassword) return true; else return false; } The issue is the 8 character limitation, even If i have a password of 10 characters, the function will just take 8, how can I deal with this issue? Thanks for your time my firiends!!! -- LIving the dream...

13 years, 5 months

6
10
0 / 0

Transfer LDAP Database to an other Server

by Manfred werner

Hello List, I must transfer my Ldap Dirtetory to a new Server with an oher Main Domanin. At first I save LDAP at my Old-server with slapcat -l originaldata.ldif then I´ve copy the *.ldif to my new server next I edit the *.ldif an change all entres "OldDomain" to "NewDomain". alt last I want to restore the *.ldif with slapadd -l newdata.ldif now I get foe following Errorcode: Testserver:/dasi # slapadd -l newdatea.ldif bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap: (2) Expect poor performance for suffix dc=NewDomain,dc=de. the line 245 is an emty line ?? Thank you for your help Manfred

13 years, 5 months

2
1
0 / 0

can i bind real entry by alias ?

by 何萍

i create two entry:dn: uid=real,o=test.com userPassword=xxxx .... dn:uid=alias,o=test.com objectClass: alias objectClass: extensibleObject aliasedObjectName: uid=real,o=test.com can i bind real entry by alias and real's userPassword ? if so, how to do?

13 years, 5 months

4
4
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2009