openldap-technical October 2010

openldap-technical@openldap.org

99 participants
93 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Re: (ITS#6666) Feature Request: Triggers implementation
by Buchan Milne 24 May '11

24 May '11

On Thursday, 7 October 2010 20:32:49 Nick Milas wrote: > It all started for me when I wanted to watch a serial number value from > an ldap-stored SOArecord (using powerdns with openldap backend) and when > it changes to fire a bash script. I reached the conclusion it was not > easy to be done with higher-level means within openldap and I created a > bash script which scans (using ldapsearch and other linux tools) the > SOArecords regularly (using cron) to find out if any change has happend > and do whatever is required. It would be much more elegant if I could > get a trigger from openldap when the SOArecord changes. Maybe you need this: http://memberwebs.com/stef/software/slapi-dnsnotify/ A more generic solution would be nice, but as far as I can tell, this software satisfies your current need. Regards, Buchan

7 18

Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra 27 Dec '10

27 Dec '10

Hi, We have some problems with certificate authentication when the master server is behind a back-ldap proxy. We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and these are the details of our scenario: The master server: server1.example.com has the following slapd.conf file: access to dn.base="" by * read access to dn.base="cn=Subschema" by * read access to attrs=userPassword,userPKCS12 by self write by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read by * auth access to attrs=shadowLastChange by self write by * read access to * by * read # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCertificateFile /etc/ssl/certs/server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key TLSCACertificatePath /etc/ssl/cacerts/ TLSVerifyClient demand # #Log level # loglevel 256 # Require authentication require authc ####################################################################### # HDB database definitions ####################################################################### database hdb suffix "dc=example,dc=com" checkpoint 1024 5 cachesize 10000 rootdn "cn=Manager,dc=example,dc=com" rootpw secret # Indices to maintain index objectClass eq # Overlay ppolicy overlay ppolicy ---------------------- Authentication is required, and we give access to the user passwords for the dn of a certificate. When we search for passwords using the certificate we get the following: root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= ----------------------- The root user (ldap client) has a ~/.ldaprc file with: TLS_CACERTDIR /etc/ssl/cacerts/ TLS_CERT /etc/ssl/certs/admin_w_cert.pem TLS_KEY /etc/ssl/private/admin_w_cert.key TLS_REQCERT demand SASL_MECH EXTERNAL In /var/log/messages we get: ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636) ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256 ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163 ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text= ldap-master[22358]: conn=1000 op=2 UNBIND ldap-master[22358]: conn=1000 fd=11 closed This is the correct behavior for us. The problem appears when we introduce a back-ldap proxy between the client and the master. The proxy server (proxy-server1.example.com) is listening in port 1636 and its slapd.conf file is: # # Security SSL # TLSCipherSuite HIGH:MEDIUM:+SSLv3 TLSCACertificatePath /etc/ssl/cacerts/ TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key TLSVerifyClient demand # Log level loglevel 256 ####################################################################### # Database definitions ####################################################################### database ldap rebind-as-user true suffix "dc=example,dc=com" uri "ldaps://server1.example.com" tls ldaps tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/ ---------------------- If we search for passwords through the proxy we get: root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword SASL/EXTERNAL authentication started SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU SASL SSF: 0 Server is unwilling to perform (53) Additional information: authentication required In the /var/log/messages the following messages appear: ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636) ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256 ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163 ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text= ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required ldap-proxy[22802]: conn=1001 op=2 UNBIND ldap-proxy[22802]: conn=1001 fd=8 closed The /root/.ldaprc file is the same than the previous one. When we increase the logging level we discover this: .... ldap-proxy[23008]: conn=1000 op=0 do_bind ldap-proxy[23008]: >>> dnPrettyNormal: <> ldap-proxy[23008]: <<< dnPrettyNormal: <>, <> ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163 ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0 ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61] ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing> ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN="" ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1 ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256 ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0 ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0 ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-proxy[23008]: <== slap_sasl_bind: rc=0 .... ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)" ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com" ldap-master[22983]: daemon: activity on 1 descriptor ldap-master[22983]: daemon: activity on: ldap-master[22983]: ldap-master[22983]: slap_listener_activate(7): ldap-master[22983]: daemon: epoll: listen=7 busy ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com) ..... ldap-master[22983]: conn=1000 op=0 do_bind ldap-master[22983]: >>> dnPrettyNormal: <> ldap-master[22983]: <<< dnPrettyNormal: <>, <> ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128 ldap-master[22983]: do_bind: version=3 dn="" method=128 ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3 ldap-master[22983]: send_ldap_result: err=0 matched="" text="" ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0 ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text= ldap-master[22983]: do_bind: v3 anonymous bind ---------------- Therefore the proxy is binding anonymously in the master, instead of using the dn of the certificate. Is there any problem with the SASL EXTERNAL method? If we use SIMPLE authentication through the proxy, there is no problem: root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword Enter LDAP Password: dn: uid=user_w_pass,ou=people,dc=example,dc=com userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0= Thanks in advance. --------------------------------------------------------------------------------------------- ADVERTENCIA: Sobre la privacidad y cumplimiento de la Ley de Protección de Datos, acceda a http://www.iac.es/disclaimer.php WARNING: For more information on privacy and fulfilment of the Law concerning the Protection of Data, consult http://www.iac.es/disclaimer.php?lang=en

3 4

AIX as openldap client
by Stef Coene 15 Nov '10

15 Nov '10

Hi, Some time ago, I configured an ubuntu intrepid as openldap server and I was able to use it as authentication server for AIX 6.1. I tried the same with an ubuntu maverick server, but I can not get it working anymore. I can see all the user information on the AIX server. I can do 'su - <user>' to become the user. But I can not login so I think there is a problem with the password. When I change the password of a user on the AIX server, I get these errors in the logfile on the openldap server: Oct 26 20:44:12 ldap1 slapd[28664]: Entry (uid=xxx,ou=people,dc=xxx,dc=xxx), attribute 'shadowLastChange' not allowed Oct 26 20:44:12 ldap1 slapd[28664]: entry failed schema check: attribute 'shadowLastChange' not allowed Is this important? The intrepid has version 2.4.11-0ubuntu6.2, the maverick has version 2.4.21-0ubuntu5.3. I didn't noted down what I did on the intrepid server, but I can remember that it asked a bunch of questions when I installed slapd. These initial steps are removed from the maverick version. I also remember using the ldapinit command. How can I debug the difference between these 2 versions? Using slapcat, I can see some differeces, but nothing that is important in my opinion. How can I debug the openldap server to see what's going on? I can use the openldap server on a linux ldap client without problems. Stef PS I also tried to post this message to openldap-software(a)openldap.org, but I got a 'Delivery status notification' saying that the user does not exist.

6 17

Asynchronicity
by William Ahern 11 Nov '10

11 Nov '10

Excepting DNS, is the latest release of OpenLDAP fully asynchronous-capable, even with TLS? Perusing the source code I can't find any obvious places other than DNS where things might block, but it's harder to prove the negative. I remember many years ago this wasn't the case, and I had to thread the connect phase, but the ChangeLog suggests that things have changed considerably.

3 5

uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed
by Arvo Jari-Pekka 09 Nov '10

09 Nov '10

Hi. My configuration is like this: --------- database meta suffix "ou=a,dc=c,dc=b" uri "ldap://host:port/ou=a,dc=c,dc=b" suffixmassage "ou=a,dc=c,dc=b" "dc=a,dc=b" ... --------- This works fine in everything else but the uniqueMembers of groupOfUniqueNames gets not rewritten (they are still in dc=a,dc=b domain). If I however add a mapping --------- map objectClass groupOfNames groupOfUniqueNames map attribute member uniqueMember --------- then the "member" attributes are correctly rewritten. The problem of course is that I do not want to change the objectclass. Mapping the attribute to itself does not help either. So --------- map objectClass groupOfUniqueNames * map attribute uniqueMember * --------- does not have any effect. I must have missed something crucial on the documentation. Can someone please tell me what it is and how can I get uniqueMembers rewritten without changing the objectclass. OpenLDAP version is 2.4.11 for both the real and the meta server. BR, Jari-Pekka Arvo

3 2

Re: Error 18: Solaris 10 Native LDAP-Client
by Benjamin Griese 04 Nov '10

04 Nov '10

Correction: -w <passwd> or -w - instead of -W On Thu, Oct 28, 2010 at 15:02, Benjamin Griese <der.darude(a)gmail.com> wrote: > Hello Günther, > > sorry for my late reply, I hate sun cluster panics after patching > those beasts. :( > > Here is the content of solaris_profile: > > dn: cn=solaris_profile,ou=profile,dc=example,dc=de > objectClass: DUAConfigProfile > objectClass: top > cn: solaris_profile > authenticationMethod: simple > bindTimeLimit: 10 > credentialLevel: proxy > defaultSearchBase: dc=example,dc=de > defaultSearchScope: sub > defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured > to mirrormode) > followReferrals: FALSE > profileTTL: 3600 > searchTimeLimit: 30 > serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub > serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub > serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub > > > Regarding to the sorting I found this in man ldapsearch: > > "-F sep > > Use sep as the field separator between attribute names > and values. If this option has been specified, the -L > option is ignored. > > > -S [-]attribute > > Specify an attribute for sorting the entries returned by > the search. The sort criteria is alphabetical on the > attribute's value or reverse alphabetical with the form > -attribute. You can give multiple -S options to refine > the sorting, For example: > > -S sn -S givenname > > By default, the entries are not sorted. Use the -x > option to perform server-side sorting." > > If I use -x for server side sorting, I get the complete list of > uid-Objects, but not sorted in any obvious way: > # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D > cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)' > > ldapsearch: started Thu Oct 28 12:16:49 2010 > ldap_init( exampleldap01, 389 ) > filter pattern: (uid=*) > returning: ALL > filter is: (uid=*) > version: 1 > > If I use this string I get the complete list of uid-objects sorted by uidNumber > # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D > cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)' > > ldapsearch: started Thu Oct 28 12:37:11 2010 > ldap_init( exampleldap01, 389 ) > filter pattern: (uid=*) > returning: ALL > filter is: (uid=*) > version: 1 > > If I try to search with -x and -S uidnumber I get the same message > that appears in the OpenLDAP logfile: > # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01 > -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)' > > ldapsearch: started Thu Oct 28 12:25:50 2010 > ldap_init( exampleldap01, 389 ) > filter pattern: (uid=*) > returning: ALL > filter is: (uid=*) > ldap_search: Inappropriate matching > ldap_search: additional info: serverSort control: No ordering rule > ldap_parse_sort_control: Requested LDAP control not found > > Finally I still have no clue how to prevent the client from doing > these kinds of searches. > And I couldn't find any templates regarding the ldapclient on my test machine. > > Any other clues or ideas? > > Bye, Benjamin. > > On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter <dieter(a)dkluenter.de> wrote: >> Benjamin Griese <der.darude(a)gmail.com> writes: >> >>> Hey thanks for quick reply, >>> >>> I put the config of the ldapclient on the ML some days ago, >>> but I can't figure out how I may have set such a rule on client side. >>> Probably it is something hardcoded. >>> >>> ldapclient config: >>> NS_LDAP_FILE_VERSION= 2.0 >>> NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de >>> NS_LDAP_BINDPASSWD= secret >>> NS_LDAP_SERVERS= ldap01 >>> NS_LDAP_SEARCH_BASEDN= dc=example,dc=de >>> NS_LDAP_AUTH= simple >>> NS_LDAP_SEARCH_REF= FALSE >>> NS_LDAP_SEARCH_SCOPE= sub >>> NS_LDAP_SEARCH_TIME= 30 >>> NS_LDAP_CACHETTL= 60 >>> NS_LDAP_PROFILE= solaris_profile >>> NS_LDAP_CREDENTIAL_LEVEL= proxy >>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub >>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub >>> NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub >>> >>> That's all I setup, its like defaultest of the defaultest I guess :) >>> >>> And thanks for describing EQUALITY. >> >> I must admit I am not that familiar with old netscape tools, but the >> openldap log ist quite clear, there is a request for a Server Side >> Sorting extended operation, which in fact is quite unusual. You really >> should check Solaris 10 setup for appropriate templates, i.e. what is >> the content of solaris_profile? By the way, AFAIR the flag for sss is >> -F so you may check any templates, Redhat provides these in >> /usr/share/dirsrv, Solaris might be different. >> >> -Dieter >> >> -- >> Dieter Klünter | Systemberatung >> sip: 7770535(a)sipgate.de >> http://www.dpunkt.de/buecher/2104.html >> GPG Key ID:8EF7B6C6 >> > > > > -- > To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To > be is to do -- Sartre | Do be do be do -- Sinatra > -- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra

4 11

LDAP filter question
by Antonio Batovanja 01 Nov '10

01 Nov '10

Hi, I'm having problems finding documentation for range filters. Can someone explain to me how to use a range filter on shadowExpire? From nis.schema: attributetype ( 1.3.6.1.1.1.1.10 NAME 'shadowExpire' EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE ) so it's an integer value. from my slapd.conf (openldap 2.3.38): index shadowExpire pres,eq I'd like to find entries where either shadowExpire is not present, or shadowExpire is present and greater than or equal to X. # ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire=*))' dn returns 978 entries. # ldapsearch -x '(&(objectclass=shadowaccount)(!(shadowexpire=*)))' dn returns 311 entries. But: # ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>1000))' dn gives me ldap_search_ext: Bad search filter (-7) and # ldapsearch -x '(&(objectclass=shadowaccount)(shadowexpire>=1000))' dn returns no results. At least one entry has shadowExpire > 1000: # ldapsearch -x -LLL uid=toni objectclass shadowexpire dn: cn=Batovanja Antonio,ou=People,ou=EDV Zentrale,dc=humanomed,dc=at objectClass: person objectClass: posixAccount objectClass: shadowAccount objectClass: hmUserExtention objectClass: organizationalPerson shadowExpire: 20000 My final filter should be (|(shadowExpire=0)(shadowExpire>=14910)(!(shadowExpire=*))) but that's not working What am I doing wrong? Cheers, Toni

3 3

tag=97 error in openLDAP
by Tim Dunphy 01 Nov '10

01 Nov '10

Hello, I recently had a "knowledgeable" friend work on my openldap server. he made some changes to the cofigs without backing them up and now users are unable to authenticate against this openldap 2.4 server where previously they could. I am running on FreeBSD 8.1. I am a student trying to learn and be comfortable with openLDAP. when a user ssh's to any machine on the network that is configured to listen to this ldap server now gets an error in the LDAP logs: Oct 29 22:49:41 LBSD2 slapd[1085]: <= bdb_equality_candidates: (uid) not indexed Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1001 op=7 SEARCH RESULT tag=101 err=0 nentries=1 text= Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 BIND dn="uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" method=128 Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=4 RESULT tag=97 err=49 text= Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 BIND dn="" method=128 Oct 29 22:49:41 LBSD2 slapd[1085]: conn=1002 op=5 RESULT tag=97 err=0 text= it looks like it's failing to bind: conn=1003 op=3 BIND dn="" method=128 and I think this error may be key but I am unsure of it's meaning: tag=97 my ldap.conf reads as so: host ldap.summitnjhome.com base dc=summitnjhome,dc=com scope sub pam_password exop nss_base_passwd ou=staff,dc=summitnjhome,dc=com nss_base_shadow ou=staff,dc=summitnjhome,dc=com sudoers_base ou=sudoers,ou=Services,dc=summitnjhome,dc=com And why would the uid not be indexed? and this is the user id in LDAP: [root@LBSD2:/home/bluethundr/txt/ldif]#cat bluethundr.ldif dn: uid=bluethundr,ou=summitnjops,ou=staff,dc=summitnjhome,dc=com uid: bluethundr cn: Timothy P. givenName: Timothy P. sn: mail: bluethundr(a)blah.com mailRoutingAddress: bluethundr(a)mail.blah.com mailHost: mail.blah.com objectClass: inetLocalMailRecipient objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson objectClass: posixAccount objectClass: top userPassword: {CRYPT}secret loginShell: /usr/local/bin/bash uidNumber: 1001 gidNumber: 1002 homeDirectory: /home/bluethundr gecos: Timothy P. and these are my ACL's in slapd.conf: access to * by read access to attrs=userPassword by self write by anonymous auth access to * by self write by dn.children="ou=summitnjops,ou=staff,dc=summitnjhome,dc=com" write by users read by anonymous auth access to * by self write I would certainly appreciate any help to get this working again! thank you -- Here's my RSA Public key: gpg --keyserver pgp.mit.edu --recv-keys 5A4873A9 Share and enjoy!!

2 1

Push-based syncrepl + slapo-rwm
by Raphael Ordinas 29 Oct '10

29 Oct '10

Hi, I'd like to replicate with syncrepl a master directory and change the naming context on the consumer. I try setup a syncrepl push-based synchronization, with a proxy and slapo-rwm overlay. Here's what my config looks like : MASTER LDAP (suffix : dc=suffix1,dc=com) | | | PROXY push-based syncrepl and slapo-rwm (rewrite "dc=suffix1,dc=com" to "dc=suffix2,dc=com") | | | SLAVE (suffix : dc=suffix2,dc=com) I can't get rewriting working on the proxy, data are pushed to my slave directory with the suffix "dc=suffix1,dc=com". So replication don't work because of different naming context. PROXY's slapd.conf looks like this : ############################## database ldap hidden on suffix "dc=suffix2,dc=com" rootdn "cn=admin,dc=suffix2,dc=com" uri ldap://slave/ lastmod on restrict all acl-bind bindmethod=simple binddn="cn=admin,dc=suffix2,dc=com" credentials=secret overlay rwm rwm-rewriteEngine on rwm-suffixmassage "dc=suffix2,dc=com" "dc=suffix1,dc=com" overlay syncprov syncrepl rid=001 provider=ldap://master/ binddn="cn=admin,dc=suffix2,dc=com" bindmethod=simple credentials=secret searchbase="dc=suffix2,dc=com" type=refreshAndPersist retry="5 5 300 5" ############################## What's wrong ? Thank you for your help. Regards Raphael

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2010