openldap-technical January 2010

openldap-technical@openldap.org

56 participants
66 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

tls private key
by Alex Samad 26 Mar '10

26 Mar '10

Hi I am setting up my sync repl to use certificates, my problem is I don't want to leave my private key for the server un encrypted. the file pointed to by TLSCertificateKeyFile is is just read at slapd load up time, ie can i unencrypt the file start slapd and then remove the un encrypted file ? Alex

4 5

Server-Side Sort Overlay ordering problems
by Diego Lima 19 Feb '10

19 Feb '10

Hello, I have enabled the server-side sorting overlay and I received the following error on a search: sssvlv: no ordering rule specified and no default ordering rule for attribute uid <= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule" send_ldap_result: conn=1000 op=7 p=3 send_ldap_response: msgid=8 tag=101 err=18 ber_flush2: 50 bytes to sd 13 ldap_write: want=50, written=50 0000: 30 30 02 01 08 65 2b 0a 01 12 04 00 04 24 73 65 00...e+......$se 0010: 72 76 65 72 53 6f 72 74 20 63 6f 6e 74 72 6f 6c rverSort control 0020: 3a 20 4e 6f 20 6f 72 64 65 72 69 6e 67 20 72 75 : No ordering ru 0030: 6c 65 le conn=1000 op=7 do_search: get_ctrls failed Where should I specify the ordering rule for the uid attribute? The core schema? Thank you -- Diego Lima

6 6

Problem with nss-ldap using GSSAPI
by Wojtek Polcwiartek 17 Feb '10

17 Feb '10

Hello, we use ldap as name source in our system (libnss-ldap). Until now we used anonymous bind with LDAP and it worked fine. Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent passwd <name>') does not work: no result is returned/printed. Strange is that, when we run the query in debug-mode (debug 7 in /etc/ldap.conf), you can see the correct result in the debug part (in "hexes") but at the end no result is printed . The only error message we could see is: res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <> Querying LDAP with ldapsearch still works fine. Do You have any idea how to get closer to the source of the problem? We use Ubuntu Karmic as client (repo package) and Solaris10 (with OpenLdap 2.4.16) as server. Greetings! -- Wojtek Polcwiartek ------ tubIT TU-Berlin Web : www.tubit.tu-berlin.de Email : tubit(a)tu-berlin.de Tel : +49.30.314.28000

2 3

slapd dying, what next?
by Bryan J. Maupin 10 Feb '10

10 Feb '10

A few weeks ago, we upgraded to OpenLDAP 2.4.19. All seemed well, for about 4 weeks, and then within the last few days (starting Jan 14), slapd has been dying on our replica servers. It doesn't seem to follow any pattern, and the system seems fine when slapd dies; it isn't out of memory, and doesn't show any load spikes. In our logs we get messages like: Jan 14 22:18:34 slapd[7940]: ch_malloc of 14698087920909635104 bytes failed (from ldap.log) Jan 15 16:58:03 kernel: slapd[22663] general protection rip:2ac667af65cc rsp:4659d970 error:0 Jan 16 15:42:34 kernel: slapd[10272] general protection rip:2b71f6c6d9c4 rsp:45441980 error:0 Jan 16 17:20:01 kernel: slapd[7538] general protection rip:2aec51954ae0 rsp:449518d0 error:0 Jan 19 13:38:46 kernel: slapd[2821] general protection rip:2aeac3070ae0 rsp:4918f8d0 error:0 (from /var/log/messages) from another replica server: Jan 16 20:56:15 kernel: slapd[17948] general protection rip:2aedf150d9c4 rsp:4154f980 error:0 Jan 18 01:42:46 kernel: slapd[9446] general protection rip:2ae369401ae0 rsp:454c08d0 error:0 Jan 19 13:04:29 kernel: slapd[25339] general protection rip:2b9803877ae0 rsp:4b6bc8d0 error:0 We're running on RHEL 5.4, with Heimdal 1.2.1-3, OpenSSL 0.9.8k, Cyrus-SASL 2.1.23, BDB 4.7.25 (with patches), libunwind 0.99 (for Google tcmalloc), Google tcmalloc 1.3. 1. Is there any useful information that can be obtained from these log entries, or do we simply need to change to a more verbose log level and wait for slapd to die again? 2. If we need to change our log level, what is a suggested level? Right now we're using "loglevel sync stats". Would it be wise to change the log level to -1 (any)? These are production servers, and I imagine that'd be a huge performance hit. 3. Also, we're logging asynchronously at the moment. Should we disable this while debugging? Thanks!

3 13

ppolicy : managing passwords by another user than root
by Smaïne Kahlouch 05 Feb '10

05 Feb '10

Hi everyone, I'm trying to allow a user to change the passwords of users in a specific subtree. For exemple : The user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change the passwords of users in the following directory : ou=Users,o=Sales,dc=domain,dc=tld. I figured it out by playing with the acl's but when enabling password policy the user uid=admin-sales can't change passwords anymore. The only user alloweded is the admin (root user). Is there a way to do so or is it impossible for another user than root to manage passwords with ppolicy enabled? Regards, Grifith

5 6

LDAP/Kerberos client config
by Jaap Winius 05 Feb '10

05 Feb '10

Hi all, Now that I'm satisfied with my OpenLDAP/Kerberos server configuration, I'm attempting to devise a suitable (Debian lenny) client setup for it. Although I hear that it may not be the best approach, I'm currently pursuing a client configuration that includes kstart, libnss-ldap, nscd and libpam-ldap. At the moment I'm happy with all of it except libnss-ldap. Kstart has no problem obtaining an initial Kerberos ticket, but I can't get libnss-ldap to use it to access the DIT. So far my libnss-ldap.conf looks like: base dc=example,dc=com uri ldap://ldapks1.example.com/ ldap_version 3 rootuse_sasl yes krb5_ccname FILE:/tmp/krb5cc_0 Any idea what I might be missing? Thanks, Jaap

2 1

ACLs based on attributes?
by Jaap Winius 01 Feb '10

01 Feb '10

Hi all, Is it possible to define an ACL that gives a DN access to a particular attribute in other DNs based on the value of one of its own attributes? For example, would it be possible to define an ACL that would allow a DN with title=telephonemanager to update only the telephoneNumber attribute of other DNs? In other words, the ACL would allow updates to telephoneNumber, but only for search filter title=telephonemanager; a simple a change of the title would result in the gain or loss of the right to make such updates. Thanks, Jaap

4 12

understanding userid .vs. uid
by Stefan Palme 31 Jan '10

31 Jan '10

Hi all, This is not a problem, just a question to understand the things "behind the scenes". I am just playing around with some LDAP frontends helping the user to add the correct attributes depending on the selected objectclass(es) when creating new LDAP entries. A have tried to add an entry with objectclass "account", which requires an attribute "userid" and may have some more attributes. After adding the entry with "userid=test", the LDAP tree contained an appropriate entry, but the attributes "userid" is named "uid" now. Although I gave the entry an RDN with "userid=test", the RDH has also automagically changed to "uid=test". Obviously, userid and uid are "the same" attribute, and here are my questions: 1) The objectclass "account" is defined with "MUST userid" - but I can create an "account" entry either by giving it an "userid" attribute or by using "uid" - both works (I've expected the "uid" approach to fail). Why? 2) Where is the relationship between userid and uid defined? I've found some "attributetype" definitions in the schema files (namely NAME ('uid', 'userid')), but they are commented out. So is this relationship hardcoded in OpenLDAP's source code? If yes - is this a standard relationship also used by other LDAP servers? 3) Are there some more attribute pairs like userid/uid which are "interchangable" in this way? If yes, can I derive the list of such attributes from the schema files somehow? Or is there a RFC or something naming all such attributes? Thanks and regards -stefan- -- --------------------------------------------------------------------- Stefan Palme Email: palme(a)kapott.org WWW: http://hbci4java.kapott.org GnuPG-Fingerprint: 1BA7 D217 36A1 534C A5AD F18A E2D1 488A E904 F9EC ---------------------------------------------------------------------

3 2

Requiring LDAP host entries for user login
by Jaap Winius 30 Jan '10

30 Jan '10

Hi all, My v2.4.11 OpenLDAP server, which runs Debian lenny and requires Kerberos authentication, has these access directives: access to attrs=userPassword,shadowLastChange by * none access to dn.base="" by * read access to * by anonymous auth by users read (The second directive seems not to matter. Why?) Users cannot login unless libnss-ldap on the workstations first uses a Kerberos host key to authenticate and then searches the DIT for a matching user account. I prefer this to allowing libnss-ldap to search the DIT anonymously. I've also created LDAP entries for the hosts that are matched to their Kerberos (GSSAPI) counterparts with: authz-regexp uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth cn=$1,ou=hosts,dc=example,dc=com The server's syslog shows that these LDAP host names are being resolved when clients login to the workstations. However, I've also found that if the above authz-regexp statement is disabled, the host names will remain in their GSSAPI format, but the DIT is still searched and the users can still login. So, is it possible to make the successful authz-regexp resolution of LDAP host entries a requirement for user login? If so, how? Many thanks, Jaap

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2010