Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by Net::LDAP once for every entry the server returns
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # Fetch as an array ref so multi-valued attributes are printed fully
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # Drop the entry so the result set is not kept in memory
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "cannot connect: $@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,        # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control (this is line 50 of vlv.pl, where the script dies)
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
tls private key
by Alex Samad
Hi
I am setting up my syncrepl to use certificates; my problem is I don't
want to leave my private key for the server unencrypted.
The file pointed to by TLSCertificateKeyFile is just read at slapd
start-up time, i.e. can I decrypt the file, start slapd and then remove
the unencrypted file?
Alex
13 years, 8 months
Server-Side Sort Overlay ordering problems
by Diego Lima
Hello,
I have enabled the server-side sorting overlay and I received the following
error on a search:
sssvlv: no ordering rule specified and no default ordering rule for
attribute uid
<= get_ctrls: n=1 rc=18 err="serverSort control: No ordering rule"
send_ldap_result: conn=1000 op=7 p=3
send_ldap_response: msgid=8 tag=101 err=18
ber_flush2: 50 bytes to sd 13
ldap_write: want=50, written=50
0000: 30 30 02 01 08 65 2b 0a 01 12 04 00 04 24 73 65 00...e+......$se
0010: 72 76 65 72 53 6f 72 74 20 63 6f 6e 74 72 6f 6c rverSort control
0020: 3a 20 4e 6f 20 6f 72 64 65 72 69 6e 67 20 72 75 : No ordering ru
0030: 6c 65 le
conn=1000 op=7 do_search: get_ctrls failed
Where should I specify the ordering rule for the uid attribute? In the core
schema?
Thank you
--
Diego Lima
13 years, 9 months
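An added example (not from either post) that serves both the VLV script above and the sssvlv "no ordering rule" error: it asks the root DSE whether the server advertises the Sort and VLV controls, names the ordering rule inside the sort key itself ("attr:ruleOID"; uid and cn have no ORDERING rule in the core schema, so the client supplies caseIgnoreOrderingMatch), marks both controls critical so an unsupported control fails the search instead of being silently ignored (which is what leaves no VLV response control for $mesg->control to return), and prints the server's result codes. Host and base are assumed from the first post.

```perl
#!/usr/bin/perl
# Added example, not code from either post: check control support, name the
# ordering rule, and report result codes instead of dying without a message.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
                            LDAP_CONTROL_VLVREQUEST  LDAP_CONTROL_VLVRESPONSE
                            LDAP_SUCCESS );

my $host = 'localhost';               # assumption: taken from the first post
my $base = 'dc=example,dc=co,dc=in';  # assumption: taken from the first post

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";

# 1. The root DSE lists supportedControl; refuse early if either is missing.
my $dse = $ldap->root_dse or die "cannot read root DSE: " . $ldap->error;
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST ) {
    die "server does not advertise control $oid\n"
        unless $dse->supported_control($oid);
}

# 2. "uid:2.5.13.3" = sort on uid using caseIgnoreOrderingMatch, so the
#    server needs no default ORDERING rule for the attribute.
#    critical => 1: a server that cannot honour the control must reject the
#    search (unavailableCriticalExtension) rather than ignore it silently.
my $sort = Net::LDAP::Control::Sort->new( order => 'uid:2.5.13.3', critical => 1 );
my $vlv  = Net::LDAP::Control::VLV->new( before => 0, after => 19, content => 0,
                                         offset => 1, critical => 1 );

my $mesg = $ldap->search( base => $base, scope => 'sub',
                          filter => '(objectClass=inetOrgPerson)',
                          attrs => ['uid'], control => [ $sort, $vlv ] );

# 3. Read the server's verdict before trusting any response control.
if ( $mesg->code != LDAP_SUCCESS ) {
    die sprintf "search failed: rc=%d (%s)\n", $mesg->code, $mesg->error;
}
my ($sres) = $mesg->control(LDAP_CONTROL_SORTRESULT);
my ($vres) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
die "search succeeded but no VLV response control was returned\n" unless $vres;
printf "sort result=%s, vlv result=%d, list size=%d, target offset=%d\n",
    ( defined $sres ? $sres->result : 'n/a' ), $vres->result, $vres->content,
    $vres->target;
print $_->get_value('uid'), "\n" for $mesg->entries;
```

With criticality set, the bare "Died at line 50" of the first post turns into a result code and error string from the server, which tells you whether the control is unsupported, the sort key is unusable, or the overlay is simply not loaded.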
Problem with nss-ldap using GSSAPI
by Wojtek Polcwiartek
Hello,
we use ldap as name source in our system (libnss-ldap).
Until now we used anonymous bind with LDAP and it worked fine.
Now we want to switch to GSSAPI (MIT Krb5), but getting names ('getent
passwd <name>') does not work: no result is returned/printed.
What is strange is that, when we run the query in debug mode (debug 7 in
/etc/ldap.conf), you can see the correct result in the debug part (in
"hexes"), but at the end no result is printed.
The only error message we could see is:
res_errno: 14, res_error: <SASL(0): successful result: >, res_matched: <>
Querying LDAP with ldapsearch still works fine.
Do you have any idea how to get closer to the source of the problem?
We use Ubuntu Karmic as client (repo package) and Solaris 10 (with
OpenLDAP 2.4.16) as server.
Greetings!
--
Wojtek Polcwiartek
------
tubIT
TU-Berlin
Web : www.tubit.tu-berlin.de
Email : tubit(a)tu-berlin.de
Tel : +49.30.314.28000
13 years, 9 months
slapd dying, what next?
by Bryan J. Maupin
A few weeks ago, we upgraded to OpenLDAP 2.4.19. All seemed well, for
about 4 weeks, and then within the last few days (starting Jan 14),
slapd has been dying on our replica servers. It doesn't seem to follow
any pattern, and the system seems fine when slapd dies; it isn't out of
memory, and doesn't show any load spikes. In our logs we get messages like:
Jan 14 22:18:34 slapd[7940]: ch_malloc of 14698087920909635104 bytes failed
(from ldap.log)
Jan 15 16:58:03 kernel: slapd[22663] general protection
rip:2ac667af65cc rsp:4659d970 error:0
Jan 16 15:42:34 kernel: slapd[10272] general protection
rip:2b71f6c6d9c4 rsp:45441980 error:0
Jan 16 17:20:01 kernel: slapd[7538] general protection rip:2aec51954ae0
rsp:449518d0 error:0
Jan 19 13:38:46 kernel: slapd[2821] general protection rip:2aeac3070ae0
rsp:4918f8d0 error:0
(from /var/log/messages)
from another replica server:
Jan 16 20:56:15 kernel: slapd[17948] general protection
rip:2aedf150d9c4 rsp:4154f980 error:0
Jan 18 01:42:46 kernel: slapd[9446] general protection rip:2ae369401ae0
rsp:454c08d0 error:0
Jan 19 13:04:29 kernel: slapd[25339] general protection
rip:2b9803877ae0 rsp:4b6bc8d0 error:0
We're running on RHEL 5.4, with Heimdal 1.2.1-3, OpenSSL 0.9.8k,
Cyrus-SASL 2.1.23, BDB 4.7.25 (with patches), libunwind 0.99 (for Google
tcmalloc), Google tcmalloc 1.3.
1. Is there any useful information that can be obtained from these log
entries, or do we simply need to change to a more verbose log level and
wait for slapd to die again?
2. If we need to change our log level, what is a suggested level? Right
now we're using "loglevel sync stats". Would it be wise to change the
log level to -1 (any)? These are production servers, and I imagine
that'd be a huge performance hit.
3. Also, we're logging asynchronously at the moment. Should we disable
this while debugging?
Thanks!
13 years, 9 months
ppolicy : managing passwords by another user than root
by Smaïne Kahlouch
Hi everyone,
I'm trying to allow a user to change the passwords of users in a
specific subtree.
For example:
The user uid=admin-sales,o=Sales,dc=domain,dc=tld is allowed to change
the passwords of users in the following directory:
ou=Users,o=Sales,dc=domain,dc=tld.
I figured it out by playing with the ACLs, but when enabling password
policy the user uid=admin-sales can't change passwords anymore. The only
user allowed is the admin (root user).
Is there a way to do so, or is it impossible for a user other than root
to manage passwords with ppolicy enabled?
Regards,
Grifith
13 years, 9 months
LDAP/Kerberos client config
by Jaap Winius
Hi all,
Now that I'm satisfied with my OpenLDAP/Kerberos server configuration,
I'm attempting to devise a suitable (Debian lenny) client setup for it.
Although I hear that it may not be the best approach, I'm currently
pursuing a client configuration that includes kstart, libnss-ldap,
nscd and libpam-ldap. At the moment I'm happy with all of it except
libnss-ldap.
Kstart has no problem obtaining an initial Kerberos ticket, but I
can't get libnss-ldap to use it to access the DIT. So far my
libnss-ldap.conf looks like:
base dc=example,dc=com
uri ldap://ldapks1.example.com/
ldap_version 3
rootuse_sasl yes
krb5_ccname FILE:/tmp/krb5cc_0
Any idea what I might be missing?
Thanks,
Jaap
13 years, 9 months
ACLs based on attributes?
by Jaap Winius
Hi all,
Is it possible to define an ACL that gives a DN access to a particular
attribute in other DNs based on the value of one of its own attributes?
For example, would it be possible to define an ACL that would allow a
DN with title=telephonemanager to update only the telephoneNumber
attribute of other DNs? In other words, the ACL would allow updates to
telephoneNumber, but only for the search filter title=telephonemanager; a
simple change of the title would result in the gain or loss of the
right to make such updates.
Thanks,
Jaap
13 years, 10 months
understanding userid .vs. uid
by Stefan Palme
Hi all,
This is not a problem, just a question to understand the things
"behind the scenes".
I am just playing around with some LDAP frontends helping the user
to add the correct attributes depending on the selected objectclass(es)
when creating new LDAP entries.
I have tried to add an entry with objectclass "account", which requires
an attribute "userid" and may have some more attributes. After adding
the entry with "userid=test", the LDAP tree contained an appropriate
entry, but the attribute "userid" is named "uid" now.
Although I gave the entry an RDN with "userid=test", the RDN has also
automagically changed to "uid=test".
Obviously, userid and uid are "the same" attribute, and here are my
questions:
1) The objectclass "account" is defined with "MUST userid" - but I can
create an "account" entry either by giving it a "userid" attribute
or by using "uid" - both work (I expected the "uid" approach to
fail). Why?
2) Where is the relationship between userid and uid defined? I've found
some "attributetype" definitions in the schema files (namely
NAME ('uid', 'userid')), but they are commented out. So is this
relationship hardcoded in OpenLDAP's source code? If yes - is this
a standard relationship also used by other LDAP servers?
3) Are there some more attribute pairs like userid/uid which are
"interchangeable" in this way? If yes, can I derive the list of such
attributes from the schema files somehow? Or is there an RFC or
something naming all such attributes?
Thanks and regards
-stefan-
--
---------------------------------------------------------------------
Stefan Palme
Email: palme(a)kapott.org
WWW: http://hbci4java.kapott.org
GnuPG-Fingerprint: 1BA7 D217 36A1 534C A5AD F18A E2D1 488A E904 F9EC
---------------------------------------------------------------------
13 years, 10 months
Requiring LDAP host entries for user login
by Jaap Winius
Hi all,
My v2.4.11 OpenLDAP server, which runs Debian lenny and requires
Kerberos authentication, has these access directives:
access to attrs=userPassword,shadowLastChange
by * none
access to dn.base=""
by * read
access to *
by anonymous auth
by users read
(The second directive seems not to matter. Why?)
Users cannot log in unless libnss-ldap on the workstations first uses a
Kerberos host key to authenticate and then searches the DIT for a
matching user account. I prefer this to allowing libnss-ldap to search
the DIT anonymously. I've also created LDAP entries for the hosts that
are matched to their Kerberos (GSSAPI) counterparts with:
authz-regexp
uid=host/([^/\.]+).example.com,cn=example.com,cn=gssapi,cn=auth
cn=$1,ou=hosts,dc=example,dc=com
The server's syslog shows that these LDAP host names are being
resolved when clients log in to the workstations. However, I've also
found that if the above authz-regexp statement is disabled, the host
names will remain in their GSSAPI format, but the DIT is still
searched and the users can still log in.
So, is it possible to make the successful authz-regexp resolution of
LDAP host entries a requirement for user login? If so, how?
Many thanks,
Jaap
13 years, 10 months