Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50
This is my example. I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by Net::LDAP for every entry of a search result
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry from the message once printed
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "cannot connect: $@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV requires a server-side sort control on the same search
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,       # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search(@args);
# Get VLV response control. This is line 50 of vlv.pl, where the script dies;
# $mesg->code and $mesg->error show the search result the server returned.
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
7 years, 4 months
dynlist overlay feature request
by Alexander 'Leo' Bergolth
Are there any plans to extend the dynlist overlay's dynamic group feature
to return not the DNs of the matched entries but an attribute of the
entries?
This would be useful for defining dynamic groups based on posixGroup
(which need only the username, not the full DN) and populating them with
entries from posixAccounts.
If the dynlist-attrset could be extended by one parameter like:
dynlist-attrset <group-oc> <URL-ad> [<member-ad>] [<result-ad>]
... where the additional parameter specifies the attribute that should
be returned from the search results, a dynamic posixGroup could be
configured like that:
dynlist-attrset myposixGroup memberURL memberUid uid
with a search filter like that:
ldap:///ou=users,dc=local,dc=site??sub?(&(objectClass=posixAccount)(<searchfilter>))
I.e. "take the uid attribute of the matched entries and add them as
memberUid."
Could this extension be easily implemented?
Is there currently any workaround?
E.g. a way to dynamically add a memberUid to each posixAccount that
contains the same data as the uid attribute? If that works, a filter like
ldap:///ou=users,dc=local,dc=site?memberUid?sub?(&(objectClass=posixAccount)(<searchfilter>))
... could work.
Thanks in advance,
--leo
--
e-mail ::: Leo.Bergolth (at) wu.ac.at
fax ::: +43-1-31336-906050
location ::: IT-Services | Vienna University of Economics | Austria
13 years, 10 months
Using Arbitrary X509 certificates for LDAPS authentication
by Stephen Cartwright
Hi there,
Are there any restrictions on the DN or other attributes of
credentials used for LDAP authentication?
We are using grid credentials (X509 format) with DNs like this:
issuer= /C=CA/O=Grid/CN=Grid Canada Certificate Authority
subject= /C=CA/O=Grid/CN=host/somehost.somedomain.ca
When I use some grid certs (X509 format) I see this message in the debug
output from slapd:
connection_read(10): unable to get TLS client DN error=49 id=3
When I try to connect, I get this:
ldap_initialize( ldaps://somehost.somedomain.ca )
ldap_bind: Can't contact LDAP server
The openssl command to create a connection works OK:
CONNECTED(00000003)
---
Certificate chain
0 s:/C=CA/O=Grid/CN=host/somehost.somedomain.ca
i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
1 s:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
i:/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=CA/O=Grid/CN=host/somehost.somedomain.ca
issuer=/C=CA/O=Grid/CN=Grid Canada Certificate Authority
---
No client certificate CA names sent
---
SSL handshake has read 2083 bytes and written 320 bytes
---
New, TLSv1/SSLv3, Cipher is DES-CBC3-SHA
Server public key is 1024 bit
SSL-Session:
Protocol : TLSv1
Cipher : DES-CBC3-SHA
Session-ID:
43B46528E848663E7C8E9CAAEA4E6DB5E4A9675C05C3066DBD826CD1CF59A566
Session-ID-ctx:
Master-Key:
A8245A0731BA98F0D88821346432868C392FEE3F23EAFB9F356A34CB6BB663FC0892374118F280D6284C8E2ACAC3
Key-Arg : None
Start Time: 1251330160
Timeout : 300 (sec)
Verify return code: 0 (ok)
When I use certs created by us with another DN format such as this:
subject= /C=CA/ST=Province/L=Town/O=Organization/OU=Unit/CN=somehost.somedomain.ca/emailAddress=email(a)somewhere.ca
issuer= /C=CA/ST=Province/O=Organization/OU=Town/CN=Our CA/emailAddress=email(a)somewhere.ca
and then make no other changes to the config other than pointing
everything to the new commands, I can make a connection.
Any suggestions? Please advise.
Steve
13 years, 11 months
smbk5pwd does not properly update sambaNTPassword and sambaLMPassword
by Scott Classen
Hello
I am running openldap 2.4.18 (BDB 4.8.24). Both of which I compiled
from source.
I compiled smbk5pwd with support ONLY for samba. I am using the samba
that is distributed with CentOS 5.3 (3.0.33)
openldap does not crash or complain when it launches so I assume that:
moduleload /usr/local/libexec/smbk5pwd.la
is at least loading up the module correctly.
I have a user with the sambaSamAccount objectclass.
I have configured PAM to change the LDAP userPassword when invoked
from the command line with /usr/bin/passwd
The userPassword hash gets successfully updated and the values of the
sambaNTPassword and sambaLMPassword hashes are changed, but I am
unable to authenticate as a samba user against these hashes... and
they look sorta weird:
010000000000000090c9c94100000000
when I would expect them to look more "complicated" like:
552902031BEDE9EFAAD3B435B51404EE
Does this smell of a smbk5pwd bug/problem/misconfiguration or a samba/
PAM one?
Thanks,
Scott
13 years, 11 months
Fwd: syncrepl instead of back-perl?
by Brett @Google
Hello,
I was wondering if there are any concrete examples of using syncrepl
to monitor a slapd for changes, and perform some scripted operation if
the monitored data changes. I can think of several cases where this
might be very handy, where you want to run a script or custom business
logic, on receipt of some data being changed.
I have seen some examples in the 2.3.x days, where slurpd was used to
push changes to a back-perl script, which then did some custom
business logic and it did fill a very useful niche. I imagine these
post-slurp syncrepl days you could use the syncrepl protocol in a push
mode via a proxy to push changes at a back-perl instance to the same
sort of thing.
But perhaps using syncrepl directly might seem like a better option,
as this has been touted as a benefit of syncrepl, although I have not
seen any specific examples. To this end, I am wondering: are the
syncrepl client parts of slapd usable outside the context of the slapd
binary? Has anyone tried this and has any example code they are willing
to share?
Cheers
Brett
13 years, 12 months
Segmentation fault using logpurge option in slapd.conf
by Julian Thomé
Hello mailing list,
We have a problem using OpenLdap V. 2.4.11 with Debian Lenny.
If we use the option logpurge in our slapd.conf, slapd can't start anymore.
Our slapd.conf:
>8-----------------------------------------------/etc/ldap/slapd.conf
# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/misc.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/hdb.schema
include /etc/ldap/schema/nis.schema
# Where the pid file is put. The init.d script
# will not stop the server if you change this.
pidfile /var/run/slapd/slapd.pid
# List of arguments that were passed to the server
argsfile /var/run/slapd/slapd.args
# Read slapd.conf(5) for possible values
loglevel 4
#sasl-secprops minssf=0
# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_hdb
moduleload smbk5pwd
moduleload accesslog
# The maximum number of entries that is returned for a search operation
sizelimit unlimited
# TLS Stuff
TLSCACertificateFile /etc/ssl/certs/ca.pem
TLSCertificateKeyFile /etc/ldap/openldap.key
TLSCertificateFile /etc/ldap/openldap.crt
# The tool-threads parameter sets the actual amount of cpu's that is used
# for indexing.
tool-threads 2
# Specific Backend Directives for hdb:
backend hdb
# Specific Directives for database: accesslog
database hdb
directory "/var/lib/accesslog"
suffix "cn=accesslog"
checkpoint 512 30
rootdn "cn=accesslog"
rootpw ...
index default eq
index reqStart eq
index reqType eq
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Specific Directives for database: data
database hdb
directory "/var/lib/ldap"
overlay smbk5pwd
overlay accesslog
logdb cn=accesslog
logops writes
logsuccess TRUE
logold (objectClass=posixAccount)
logpurge 07+00:00 01+00:00
suffix ...
rootdn ...
rootpw ...
dbconfig set_cachesize 0 2097152 0
dbconfig set_lk_max_objects 1500
dbconfig set_lk_max_locks 1500
dbconfig set_lk_max_lockers 1500
# Indexing options for database #1
index default eq
index objectClass eq
index uidNumber pres,eq
index uid eq
smbk5pwd-enable krb5
smbk5pwd-enable samba
smbk5pwd-must-change 2592000
password-hash {K5KEY}
# lastmod on
# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# Others should not be able to see it, except the
# admin entry below
# These access lines apply to database #1 only
access to attrs=userPassword,shadowLastChange
filter="(memberOf=Archiv)"
by peername.ip=192.168.222.17 auth stop
by peername.regex=.* none break
access to dn.base="..."
by * read
access to attrs=userPassword,shadowLastChange
filter="(!(memberOf=Archiv))"
by peername.ip=192.168.222.17 none stop
by peername.regex=.* none break
# this rule is more specific than the admin rule below
access to attrs=userPassword,shadowLastChange
by set="user/memberOf & [Administratoren]" write
by dn="cn=admin,..." write
by anonymous auth
by self write
by * none
# Ensure read access to the base for things like
# supportedSASLMechanisms. Without this you may
# have problems with SASL not knowing what
# mechanisms are available and the like.
# Note that this is covered by the 'access to *'
# ACL below too but if you change that as people
# are wont to do you'll still need this if you
# want SASL (and possible other things) to work
# happily.
access to dn.base="" by * read
# The admin dn has full write access, everyone else
# can read everything.
# be sure to include the admins in the previous, more specific rule
access to *
by set="user/memberOf & [Administratoren]" write
by dn="cn=admin,..." write
by * read
access to dn.subtree="ou=Benutzer,..."
by sockurl="ldapi:///" write
authz-regexp
"gidNumber=0\\\+uidNumber=0,cn=peercred,cn=external,cn=auth" "cn=admin,..."
----------------------------------------------------8<
Starting slapd with the command:
slapd -d 16383
produces the following output:
>8---------------------------------------------------
...
...
>>> dnPrettyNormal: <cn=accesslog>
=> ldap_bv2dn(cn=accesslog,0)
<= ldap_bv2dn(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
<<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog>
line 65 (rootpw ***)
line 66 (index default eq)
line 67 (index reqStart eq)
index reqStart 0x0004
line 68 (index reqType eq)
index reqType 0x0004
line 69 (dbconfig set_cachesize 0 2097152 0)
line 70 (dbconfig set_lk_max_objects 1500)
line 71 (dbconfig set_lk_max_locks 1500)
line 72 (dbconfig set_lk_max_lockers 1500)
line 75 (database hdb)
hdb_db_init: Initializing HDB database
line 76 (directory "/var/lib/ldap")
line 78 (overlay smbk5pwd)
line 80 (overlay accesslog)
line 81 (logdb cn=accesslog)
>>> dnPrettyNormal: <cn=accesslog>
=> ldap_bv2dn(cn=accesslog,0)
<= ldap_bv2dn(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=accesslog)=0
<<< dnPrettyNormal: <cn=accesslog>, <cn=accesslog>
line 82 (logops writes)
line 83 (logsuccess TRUE)
line 85 (logpurge 07+00:00 01+00:00)
Speicherzugriffsfehler
----------------------------------------------------8<
If the logpurge-option is uncommented, slapd starts without any problems.
It would be very nice if someone could help us!
Greetings
Julian
13 years, 12 months
PHP: issues managing the password, what is wrong?
by Alberto Moreno
Hi people, I am doing a web interface that will request a username +
password, like SquirrelMail; I will contact my LDAP server. This app
will run on CentOS 5.3, PHP 5.3, which is where my web pages will
be; the LDAP server is running on Gentoo with LDAP 2.3.43.
My current problem is with the password. I have found a small app that
wants to compare the input of the password vs the LDAP password; this
will let us identify the user.
Well, searching around, I found the crypt function, but there is a
thing that I don't like:
"The standard DES-based encryption crypt() returns the salt as the
first two characters of the output. It also only uses the first eight
characters of str, so longer strings that start with the same eight
characters will generate the same result (when the same salt is used)"
How can I deal with this note: 8 characters only?
Some users have more than that. This is my code:
<?php
// Fallbacks so the snippet runs outside phpLDAPadmin, where pla_error() and
// the gettext _() helper normally come from.
if (!function_exists('_')) { function _($s) { return $s; } }
if (!function_exists('pla_error')) { function pla_error($msg) { die($msg . "\n"); } }

// Compare a cleartext password with a userPassword value of the form {scheme}hash.
function password_check($cryptedpassword, $plainpassword) {
    if (preg_match("/{([^}]+)}(.*)/", $cryptedpassword, $cypher)) {
        $cryptedpassword = $cypher[2];
        $_cypher = strtolower($cypher[1]);
    } else {
        $_cypher = NULL;
    }
    if (preg_match("/^\\$2+/", $cryptedpassword)) {
        // make sure that web server supports blowfish crypt
        if (!defined('CRYPT_BLOWFISH') || CRYPT_BLOWFISH == 0)
            pla_error(_('Your system crypt library does not support blowfish encryption.'));
        list(, $version, $rounds, $salt_hash) = explode('$', $cryptedpassword);
        return crypt($plainpassword, '$' . $version . '$' . $rounds . '$' . $salt_hash) == $cryptedpassword;
    } elseif (strstr($cryptedpassword, '$1$')) {
        if (!defined('CRYPT_MD5') || CRYPT_MD5 == 0)
            pla_error(_('Your system crypt library does not support md5crypt encryption.'));
        list(, $type, $salt, $hash) = explode('$', $cryptedpassword);
        return crypt($plainpassword, '$1$' . $salt) == $cryptedpassword;
    } elseif (strstr($cryptedpassword, '_')) {
        if (!defined('CRYPT_EXT_DES') || CRYPT_EXT_DES == 0)
            pla_error(_('Your system crypt library does not support extended DES encryption.'));
        echo crypt($plainpassword, $cryptedpassword);   // debug output from the original snippet
        return crypt($plainpassword, $cryptedpassword) == $cryptedpassword;
    } else {
        // Traditional DES crypt: the stored hash doubles as the salt argument
        // (the missing comma between the two arguments was a syntax error)
        return crypt($plainpassword, $cryptedpassword) == $cryptedpassword;
    }
}

$cryptedpassword = '{crypt}74boAULE9gF5.';
$plainpassword   = 'the-user-input';   // whatever the login form submitted
var_dump(password_check($cryptedpassword, $plainpassword));
The issue is the 8 character limitation: even if I have a password
of 10 characters, the function will just take 8. How can I deal with
this issue?
Thanks for your time my friends!!!
--
Living the dream...
13 years, 12 months
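The 8-character limit in the quoted note belongs to the traditional DES crypt() scheme only; OpenLDAP's own {SSHA} values (what slappasswd emits by default) hash the whole password. As an added example, not the poster's code, here is a Python verifier for the {scheme}hash layout that the PHP snippet splits with preg_match, using a constant-time comparison; the function names are my own, and {crypt} values are rejected because they need the system crypt(3).

```python
import base64
import hashlib
import hmac
import os
import re

# Same "{scheme}hash" split the PHP snippet does with preg_match.
SCHEME_RE = re.compile(r"^\{([^}]+)\}(.*)$", re.S)


def make_ssha(password: str, salt: bytes = b"") -> str:
    """Build an OpenLDAP-style {SSHA} value: base64(sha1(password + salt) + salt)."""
    salt = salt or os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def verify_userpassword(plain: str, stored: str) -> bool:
    """Check a cleartext password against a userPassword value.

    Handles {SSHA}, {SHA}, {SMD5} and {MD5}.  {crypt} and unknown schemes
    return False.  No scheme prefix means OpenLDAP stored cleartext.
    """
    m = SCHEME_RE.match(stored)
    if not m:
        return hmac.compare_digest(plain.encode("utf-8"), stored.encode("utf-8"))
    scheme, payload = m.group(1).upper(), m.group(2)
    pw = plain.encode("utf-8")
    try:
        raw = base64.b64decode(payload, validate=True)
    except ValueError:
        return False  # malformed stored value, never a match
    if scheme == "SSHA":
        digest, salt = raw[:20], raw[20:]  # 20-byte SHA-1 digest, then the salt
        candidate = hashlib.sha1(pw + salt).digest()
    elif scheme == "SHA":
        digest, candidate = raw, hashlib.sha1(pw).digest()
    elif scheme == "SMD5":
        digest, salt = raw[:16], raw[16:]  # 16-byte MD5 digest, then the salt
        candidate = hashlib.md5(pw + salt).digest()
    elif scheme == "MD5":
        digest, candidate = raw, hashlib.md5(pw).digest()
    else:
        return False
    return hmac.compare_digest(candidate, digest)
```

Two 10-character passwords sharing their first eight characters verify differently under {SSHA}, which is exactly what DES crypt cannot guarantee.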
Transfer LDAP Database to another Server
by Manfred werner
Hello List,
I must transfer my LDAP directory to a new server with another main domain.
At first I save LDAP at my old server with
slapcat -l originaldata.ldif
then I've copied the *.ldif to my new server
next I edit the *.ldif and change all entries "OldDomain" to "NewDomain".
At last I want to restore the *.ldif with
slapadd -l newdata.ldif
now I get the following error code:
Testserver:/dasi # slapadd -l newdatea.ldif
bdb_db_open: Warning - No DB_CONFIG file found in directory /var/lib/ldap:
(2)
Expect poor performance for suffix dc=NewDomain,dc=de.
Line 245 is an empty line??
Thank you for your help Manfred
13 years, 12 months
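A plain text search-and-replace over slapcat output misses two things: values that are not plain ASCII (umlauts, for instance) are base64-encoded and marked with "::", and long lines are folded onto continuation lines starting with a space, so "OldDomain" split across a fold is never matched. As an added example, not part of the post, this Python script unfolds the LDIF and decodes base64 values before renaming; the sample LDIF is constructed, and the function names are my own.

```python
import base64


def unfold_ldif(text: str) -> list:
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for line in text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def ldif_value(line: str) -> str:
    """Return the decoded value of an unfolded 'attr: value' or 'attr:: base64' line."""
    attr, sep, value = line.partition(":")
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()


def rewrite_line(line: str, old: str, new: str) -> str:
    """Apply the rename to one unfolded line, re-encoding base64 values."""
    attr, sep, value = line.partition(":")
    if not sep or line.startswith("#"):
        return line                      # blank line or comment
    if value.startswith(":"):            # base64-encoded value
        decoded = ldif_value(line)
        if old not in decoded:
            return line
        encoded = base64.b64encode(decoded.replace(old, new).encode("utf-8"))
        return f"{attr}:: {encoded.decode('ascii')}"
    return f"{attr}:{value.replace(old, new)}"


def rename_domain(ldif: str, old: str, new: str) -> str:
    return "\n".join(rewrite_line(l, old, new) for l in unfold_ldif(ldif)) + "\n"


def _b64(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


# Constructed sample in the shape slapcat produces: a base64 DN (umlaut) and a folded line.
SAMPLE_LDIF = (
    "dn: dc=OldDomain,dc=de\nobjectClass: dcObject\ndc: OldDomain\n\n"
    "dn:: " + _b64("cn=Müller,ou=Benutzer,dc=OldDomain,dc=de") + "\n"
    "cn:: " + _b64("Müller") + "\n"
    "memberOf: cn=admins,ou=Gruppen,dc=OldDo\n main,dc=de\n"
)

if __name__ == "__main__":
    print(rename_domain(SAMPLE_LDIF, "OldDomain", "NewDomain"), end="")
```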