Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a
search, I want a limited number of entries from the search result, and
for this (searching) process I am using the Net::LDAP::Control::VLV
module. But I get an error on the VLV response control. Please, does
anyone have an idea about this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Print one entry with all of its attribute values, then drop it from
# the message so memory does not grow with the size of the result.
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "connect failed: $@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,   # No entries from before target entry
    after   => 19,  # 19 entries after target entry
    content => 0,   # List size unknown
    offset  => 1,   # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,       # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control
# (this is line 50 of vlv.pl, the statement that dies)
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
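An added example (not from the original post) of the same VLV paging written so that a missing response control is diagnosed instead of reported as a bare "Died": it reads the root DSE and refuses to search unless the server advertises both the server-side-sort and VLV request controls (on OpenLDAP both come from the sssvlv overlay), marks the controls critical so an unsupporting server fails the search with a result code, and prints the server's own error text. The host, base DN and filter are placeholders assumed for illustration.

```perl
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_VLVREQUEST
    LDAP_CONTROL_VLVRESPONSE LDAP_SUCCESS
);
# Assumed connection details (placeholders, not from the original post).
my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';
my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@";
# Pre-flight check: read the root DSE and refuse to continue unless the
# server advertises both the server-side-sort and VLV request controls.
my $dse = $ldap->root_dse(attrs => ['supportedControl'])
    or die "cannot read root DSE from $host";
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST) {
    $dse->supported_control($oid)
        or die "server does not advertise control $oid; VLV paging is not possible";
}
# Mark both controls critical: a server that cannot honour them must then
# fail the search with a result code instead of silently ignoring them.
my $sort = Net::LDAP::Control::Sort->new(order => 'cn', critical => 1);
my $vlv  = Net::LDAP::Control::VLV->new(
    before => 0, after => 19, content => 0, offset => 1, critical => 1,
);
# Run one search and return ([entries], vlv-response). Every failure path
# reports the server's own diagnostic rather than a bare "Died".
sub fetch_page {
    my ($ldap, $vlv, $sort) = @_;
    my $mesg = $ldap->search(
        base => $base, scope => 'sub',
        filter => '(objectClass=inetOrgPerson)',
        control => [ $sort, $vlv ],
    );
    die sprintf("search failed: %s (code %d)", $mesg->error, $mesg->code)
        if $mesg->code != LDAP_SUCCESS;
    my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
        or die "search succeeded but no VLV response control was returned";
    $vlv->response($resp);    # carry context and list size into the next page
    return ([ $mesg->entries ], $resp);
}
my ($entries, $resp) = fetch_page($ldap, $vlv, $sort);
printf "list size %d, page starts at %d, %d entries\n",
    $resp->content, $resp->target, scalar @$entries;
print $_->dn, "\n" for @$entries;
$vlv->scroll_page(1);         # advance to the next page of 20
($entries, $resp) = fetch_page($ldap, $vlv, $sort);
print $_->dn, "\n" for @$entries;
$ldap->unbind;
```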
tls private key
by Alex Samad
Hi
I am setting up my syncrepl to use certificates; my problem is I don't
want to leave the private key for the server unencrypted.
Is the file pointed to by TLSCertificateKeyFile just read at slapd
start-up time, i.e. can I decrypt the file, start slapd and then remove
the unencrypted file?
Alex
13 years, 6 months
OpenLdap mirrormode cluster with 2 slaves.
by Jan Hugo Prins
Hello,
I have the following setup that gives me some issues at the moment.
I have 2 servers running Fedora 10 with OpenLDAP 2.4.19 that are running
in Mirrormode.
The sync between those 2 servers works just fine.
Besides that we have 2 frontend servers that rely heavily on ldap for
mail delivery and mail transfers. To make this workable we thought about
creating a readonly replica on these servers and tell the sendmail to
use the local ldap as primary. When we had an old version on these
servers (I think 2.4.12) everything worked fine. We now upgraded all
servers to 2.4.19 and the configuration moved to slapd.d format, and now
it looks like those 2 servers don't see the updates on the mirrormode
backend anymore.
I have the following configs; this was from before the migration to slapd.d:
==================
master 1
==================
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 3
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://server2:389
type=refreshAndPersist
retry="60 10 300 +"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
mirrormode on
==================
master 2
==================
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
serverID 4
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://server1:389
type=refreshAndPersist
retry="60 10 300 +"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
mirrormode on
===================
slaves
===================
overlay syncprov
syncprov-checkpoint 100 10
#
# Configure a replication consumer
#
syncrepl rid=1
provider=ldap://ldap:389
type=refreshOnly
retry="60 1 120 1"
interval=00:00:05:00
searchbase="dc=domain,dc=com"
filter="(objectClass=*)"
attrs="*"
scope=sub
schemachecking=off
bindmethod=simple
binddn="cn=syncrepl,dc=domain,dc=com"
credentials=password
updateref ldap://ldap.svc.be.nl:389
updateref ldap://ldap.lan.domain.com:389
============================================
When I empty the DIT on a slave and start it again it gets the full DIT
just fine and I checked this. But after that it is not updated anymore.
Does anyone see here some obvious things I'm missing in these slave or
master configs?
Thanks a lot,
Jan Hugo Prins
13 years, 6 months
OpenLDAP client configuration with CentOS 5.3
by Cool The Breezer
Hi All,
We have a dedicated LDAP server and I would like to configure the OpenLDAP client on our Linux boxes running CentOS 5.3.
I have installed the openldap client and changed /etc/openldap/ldap.conf with the following info:
BASE dc=my, dc=net
URI ldap://10.122.12.13
But when I try to run ldapsearch, I get following error
SASL/EXTERNAL authentication started
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
The objective is anybody having ldap id can login to linux box. At present, I am manually creating individual ids which we want to integrate with LDAP authentication.
I would appreciate your help
- RB
13 years, 6 months
Nssov Problem Since 2.4.19
by Chris Breneman
Hi,
For the last few days, I've been trying to get nssov to work. I've
mainly been working with OpenLDAP 2.4.21, but this issue is present in
all releases since and including 2.4.19. It works fine in 2.4.18.
Everything compiles fine as expected, and the module loads (it seems),
but when I try to add configuration for the module with ldapadd, I get
this error:
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcOverlay> handler exited with 1
Using the same build instructions, configuration, and everything, 2.4.18
works without this error. Some more details are below.
I'd try to fix it myself, but I don't really know where to start. I'd
appreciate it if someone could point me in the right direction.
Thanks,
Chris Breneman
More details:
Process for building OpenLDAP (done as root):
cd openldap-2.4.21
./configure --enable-modules --enable-overlays
make depend
make -j2
make install
cd contrib/slapd-modules/nssov/nss-ldapd
./configure   # Make complains about missing something unless ./configure is executed in nss-ldapd first
cd ..
make
make install
libtool --finish /usr/local/lib   # As per instructions from the make output
Relevant slapd configuration:
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulePath: /usr/local/libexec/openldap
olcModuleLoad: /usr/local/libexec/openldap/nssov.la
Listing of modules:
$ ls /usr/local/libexec/openldap/
nssov.a nssov.la nssov.so nssov.so.0 nssov.so.0.0.0
Command to add nssov configuration:
ldapadd -H ldap://localhost -x -D 'cn=config' -w <password>
LDIF for nssov configuration:
dn: olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcNssOvConfig
olcOverlay: {0}nssov
olcNssSsd: passwd ldap:///ou=people,dc=cluenet,dc=org??one
ldapadd output:
adding new entry "olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config"
ldap_add: Other (e.g., implementation specific) error (80)
additional info: <olcOverlay> handler exited with 1
Relevant output from running slapd with -d -1 on startup:
loaded module /usr/local/libexec/openldap/nssov.la
module /usr/local/libexec/openldap/nssov.la: null module registered
Relevant output from running slapd with -d -1 on ldapadd command:
>>> dnPrettyNormal: <olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config>
=> ldap_bv2dn(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config,0)
<= ldap_bv2dn(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config)=0
<<< dnPrettyNormal: <olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config>,
<olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config>
conn=1000 op=1 ADD dn="olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config"
=> access_allowed: add access to
"olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config" "entry" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
<= acl_access_allowed: granted to database root
oc_check_required entry
(olcOverlay={0}nssov,olcDatabase={1}bdb,cn=config), objectClass
"olcNssOvConfig"
oc_check_allowed type "objectClass"
oc_check_allowed type "olcOverlay"
oc_check_allowed type "olcNssSsd"
oc_check_allowed type "structuralObjectClass"
slap_queue_csn: queing 0xb5d52ab2
20100228195617.582000Z#000000#000#000000
=> access_allowed: add access to "olcDatabase={1}bdb,cn=config"
"children" requested
<= root access granted
=> access_allowed: add access granted by manage(=mwrscxd)
olcOverlay: value #0: <olcOverlay> handler exited with 1!
send_ldap_result: conn=1000 op=1 p=3
send_ldap_result: err=80 matched="" text="<olcOverlay> handler exited
with 1"
send_ldap_response: msgid=2 tag=105 err=80
13 years, 6 months
RE: Trouble with memberOf Overlay
by masarati@aero.polimi.it
>
> I thank you for your response, but I'm not exactly certain I understand.
> This is a new LDAP install and everything is fresh. I am not working
> with an existing database. Are you saying I should move the
> configuration that is specific to the memberOf overlay to the top of my
> db.ldif config file?
Please reply to the mailing list, not to me directly. No, I'm not saying
anything like that. Since yours is a fresh setup, then your error (or the
bug) must be somewhere else. I have no clue at the moment; replying to
the list might allow someone not as clueless to provide support.
p.
13 years, 6 months
Trouble with memberOf Overlay
by Bill Keirskie
I was looking through the list archives and a few weeks ago someone posted some configurations for the memberOf overlay. I modified the configurations slightly and it looks like everything is installed (with no errors) and working, but when I run an ldapsearch, it does not return the memberOf. Below is the install and configuration method. Any guidance on what to change or error logs to look at?
Thx Bill
##MY RESULTS##
server-1# ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
version: 1
dn: uid=test1,ou=People,dc=example,dc=com
##INSTALL AND CONFIG##
sudo apt-get -y install slapd ldap-utils
cd /etc/ldap
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/cosine.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/inetorgperson.ldif
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f /etc/ldap/schema/nis.ldif
sudo vi db.ldif
# Load dynamic backend modules
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModulepath: /usr/lib/ldap
olcModuleload: {0}back_hdb
olcModuleload: {1}memberof.la

# Create the database
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=admin,dc=example,dc=com
olcRootPW: password
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcLastMod: TRUE
olcDbCheckpoint: 512 30
olcDbIndex: uid pres,eq
olcDbIndex: cn,sn,mail pres,eq,approx,sub
olcDbIndex: objectClass eq

# Attach the memberOf overlay to the database
dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {1}memberof
structuralObjectClass: olcMemberOf
:wq!
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f db.ldif
sudo slappasswd -h {MD5}
##note: 1234 = {MD5}gdyb21LQTcIANtvYMT7QVQ==
sudo vi base.ldif
dn: dc=example,dc=com
objectClass: dcObject
objectclass: organization
o: example.com
dc: example
description: My LDAP Root

dn: cn=admin,dc=example,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
userPassword: {MD5}gdyb21LQTcIANtvYMT7QVQ==
description: LDAP administrator
:wq!
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f base.ldif
sudo vi config.ldif
dn: cn=config
changetype: modify
delete: olcAuthzRegexp

dn: olcDatabase={-1}frontend,cn=config
changetype: modify
delete: olcAccess

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcRootDN

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootDN
olcRootDN: cn=admin,cn=config

dn: olcDatabase={0}config,cn=config
changetype: modify
add: olcRootPW
olcRootPW: {MD5}gdyb21LQTcIANtvYMT7QVQ==

dn: olcDatabase={0}config,cn=config
changetype: modify
delete: olcAccess
:wq!
sudo ldapadd -Y EXTERNAL -H ldapi:/// -f config.ldif
sudo vi acl.ldif
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=example,dc=com" write by anonymous auth by self write by * none
olcAccess: to dn.base="" by * read
olcAccess: to * by dn="cn=admin,dc=example,dc=com" write by * read
:wq!
sudo ldapmodify -x -D cn=admin,cn=config -W -f acl.ldif
#Add one group, add two users, place one user in group
ldapsearch -LL -Y EXTERNAL -H ldapi:/// "(uid=test1)" -b dc=example,dc=com memberOf
13 years, 6 months
Read Waiters growing
by Peter Mogensen
Hi,
I see a strange thing in cn=Monitor. Suggestions needed.
I have a huge database, and performance is great as long as olcReadOnly
is TRUE.
But as soon as I enable writes, the number of Read Waiters is growing,
even though there are no or very few Write Waiters.
# Read, Waiters, Monitor
dn: cn=Read,cn=Waiters,cn=Monitor
monitorCounter: 311
# Write, Waiters, Monitor
dn: cn=Write,cn=Waiters,cn=Monitor
monitorCounter: 0
# Current, Connections, Monitor
dn: cn=Current,cn=Connections,cn=Monitor
monitorCounter: 210
I have idletime=120 and connections do around 30 reads each before they
are retired, but not many writes. Like this:
# Connection 5389, Connections, Monitor
dn: cn=Connection 5389,cn=Connections,cn=Monitor
monitorConnectionNumber: 5389
monitorConnectionOpsReceived: 32
monitorConnectionOpsExecuting: 0
monitorConnectionOpsPending: 0
monitorConnectionOpsCompleted: 32
monitorConnectionGet: 32
monitorConnectionRead: 32
monitorConnectionWrite: 0
It's slapd 2.4.21, BDB 4.8.26 and back_bdb.
Any hint to what could cause that many read-waiters, but only while
writing is enabled and even though there's not that many writes?
/Peter
13 years, 6 months
overlay chain and TLS/SSL
by Ralf Zimmermann
Hi all,
I think I have a problem with the overlay chain and TLS. We have one physical
master and two slaves in VMware vSphere 4. Our configuration normally runs fine,
but sometimes we can't modify entries like passwords on the master. Then we
must restart slapd on the slaves. After restarting slapd all works fine.
Then slapd works fine the whole day. We can change entries or set passwords on
the slaves. Next morning we must restart slapd again, because we can't
modify entries from the slaves. But we can query slapd and syncrepl works
fine. Only things over the overlay chain don't work. I have the problem not
only with version 2.4.20; I tested more versions and currently 2.4.21 on
physical hardware.
If I can't set entries on the slave I don't see any TCP packets from the slave
to the master. DNS, time and so on look fine and everything else is working.
And if we restart slapd everything is working. Does anybody know what is going
wrong and if there exists a workaround? I read some things about /dev/random,
/dev/urandom and kernel 2.6 in VMware. Can this be the problem?
Here is the overlay chain configuration.
<snip slapd.conf>
overlay chain
chain-uri "ldap://eisenherz.camelot.de/"
chain-idassert-bind bindmethod=simple
binddn="cn=ldapadmin,dc=camelot,dc=de"
credentials="xxxxxx"
mode="self"
chain-rebind-as-user TRUE
chain-return-error TRUE
chain-tls start
</snip slapd.conf>
Any help is appreciated.
Regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
13 years, 6 months
posixGroup and groupofNames
by Siddhartha Jain
Hi,
Running CentOS 5.4 with the stock OpenLDAP distro 2.3.43. Both classes, posixGroup and groupOfNames, are structural, causing conflicts if one wants to use both. And while RFC2307bis is deleted by the IETF, RFC2307 doesn't seem to have the same traction (or does it)? So, what's a good option? Simply switch posixGroup to AUXILIARY in /etc/openldap/schema/nis.schema?
Thanks,
Siddhartha
13 years, 6 months