Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I search, I
want a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Search callback: print each entry as it arrives, then drop it from the
# message so the result set does not accumulate in memory.
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process (the final call carries none)
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "cannot connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,   # No entries from before target entry
    after   => 19,  # 19 entries after target entry
    content => 0,   # List size unknown
    offset  => 1,   # Target entry is the first
);
# VLV is only defined together with server-side sorting
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search(@args);
# Get VLV response control   <-- vlv.pl line 50: this is where the script dies
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control (result " . $mesg->code . ": " . $mesg->error . ")\n";
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control (result " . $mesg->code . ": " . $mesg->error . ")\n";
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control (result " . $mesg->code . ": " . $mesg->error . ")\n";
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
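An added example, not code from the post above or from Net::LDAP: the two checks worth running before debugging the Perl script. Net::LDAP sends a control non-critical unless it is created with critical => 1, so a server that does not implement VLV simply ignores both controls and returns a normal result with no VLV response control, which is exactly the condition the "or die" on line 50 tests for. The shell functions below check whether the server advertises the VLV request control (2.16.840.1.113730.3.4.9) and the server-side sort control (1.2.840.113556.1.4.473) in its root DSE, and then issue the same first page the script asks for with both controls marked critical, so an unsupported control produces a clear error instead of a silent omission. The host name is assumed; the LDIF used by callers is constructed.

```shell
#!/bin/sh
# Added example; not code from the post or from Net::LDAP. Before debugging
# the Perl script, confirm the server actually implements the two controls the
# script sends (VLV is only defined on top of server-side sorting), and make
# the request critical so the server must refuse it rather than ignore it.
# The host name is assumed; the LDIF fed in by callers is constructed.

VLV_OID=2.16.840.1.113730.3.4.9     # virtualListViewRequest
SSS_OID=1.2.840.113556.1.4.473      # serverSideSortRequest

# Print the values of one attribute from LDIF on stdin (attribute name is
# matched case-insensitively, folded continuation lines are joined).
ldif_values() {
    want=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v want="$want" '
        function flush(   i, v) {
            if (line == "") return
            i = index(line, ":")
            if (i > 0 && tolower(substr(line, 1, i - 1)) == want) {
                v = substr(line, i + 1); sub(/^ +/, "", v); print v
            }
            line = ""
        }
        /^ / { line = line substr($0, 2); next }   # folded continuation line
        /^#/ { next }                               # comment
        { flush(); line = $0 }
        END { flush() }
    '
}

# Succeed only if every OID given as an argument appears in supportedControl
# of the root-DSE LDIF on stdin; report each missing one on stderr.
controls_supported() {
    have=$(ldif_values supportedControl)
    rc=0
    for oid in "$@"; do
        if ! printf '%s\n' "$have" | grep -qxF "$oid"; then
            echo "missing control: $oid" >&2
            rc=1
        fi
    done
    return $rc
}

# Live use against a server (host assumed). The second search is the same
# first page the script asks for (0 before, 19 after, offset 1, count 0), but
# with "!" marking both controls critical: an unsupported control then yields
# result 12 (unavailableCriticalExtension) instead of a result that silently
# lacks the VLV response control.
check_server() {
    host=${1:-localhost}
    ldapsearch -x -H "ldap://$host" -b '' -s base supportedControl \
        | controls_supported "$VLV_OID" "$SSS_OID" || return 1
    ldapsearch -x -H "ldap://$host" -b 'dc=example,dc=co,dc=in' \
        -E '!sss=cn' -E '!vlv=0/19/1/0' '(objectClass=inetOrgPerson)' 1.1
}
```

On OpenLDAP both OIDs only show up once the sssvlv overlay is loaded on the database; on other servers the root DSE is equally the place to look. From the Perl side, passing critical => 1 to both Net::LDAP::Control::Sort->new and Net::LDAP::Control::VLV->new gives the same fail-loud behaviour as the "!" prefix above, and $mesg->code then carries the reason instead of the script dying on a missing control.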
Overlay Chain Extended Passmod Problem
by Ralf Zimmermann
Hi all,
last week I wrote to the list because I have a problem with overlay chain.
Today I traced the problem. The configuration and the host are the same.
OpenLDAP syncrepl ran fine over the weekend. But if I want to change a
password nothing happens. I can't see any packet with tcpdump from the slave to
the master. I traced slapd with loglevel=65535. The slave is OpenLDAP 2.4.21.
# Here is the trace with no successful passmod operation:
-----------------------------------------------------
conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
)
# Here is the trace after I restarted slapd with exactly the same config
# and a working passmod operation:
------------------------------------------------------------------
conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128
do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128
=> bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
=> hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x5
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de"
bdb_entry_get: rc=0
=> bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de"
=> bdb_entry_get: oc: "(null)", at: "(null)"
bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de")
=> hdb_dn2id("ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0x9
=> hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de")
<= hdb_dn2id: got id=0xa
entry_decode: ""
<= entry_decode()
=> bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de"
bdb_entry_get: rc=0
==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de
bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de")
When the passmod operation is successful there are hdb_dn2id entries in the
trace. When the passmod operation is not successful the entries don't
exist. What is happening that means I must restart slapd? The configuration is the
same and all other things work fine. Only the write operations to the master
hang. If I make a passmod without TLS everything works fine, and I can change
the password after I restart slapd on the slave. Then I can change
passwords the whole day. Tomorrow I must restart slapd on the slave again because
the passmod operation is not successful.
Any ideas?
regards
Ralf Zimmermann
--
.''`. Ralf Zimmermann
: :' : SIEGNETZ.IT GmbH
`. `' Schneppenkauten 1a
`- 57076 Siegen
Tel.: +49 271 68193 13
Fax.: +49 271 68193 29
Amtsgericht Siegen HRB4838
Geschaeftsfuehrer: Oliver Seitz
Sitz der Gesellschaft ist Siegen
13 years, 7 months
Partial replication
by Joe Friedeggs
Is it possible to replicate, on a slave, two branches of the DIT (only)? I have several instances of LDAP running on servers throughout the world. Connection to some of these from our support location is not dependable. I want to do something similar to this:
Main LDAP (here, master):
dc=example,dc=com
|
+--o=support
|
+--o=location_A
|
+--o=location_B
|
+--o=location_C
In Location A (remote slave):
dc=example,dc=com
|
+--o=support
|
+--o=location_A
In Location B (remote slave):
dc=example,dc=com
|
+--o=support
|
+--o=location_B
Location A & B are two different customers, therefore it would not be prudent to replicate Location B's users in Location A. But I need the Support group to exist in all locations.
Can this be done using syncrepl?
Another thought is to have LDAP Masters existing in each location, and somehow replicate the Support branch to each (mirrormode?). Should this be the approach?
Thanks,
Joe
13 years, 8 months
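An added example, not from Joe's post or from the OpenLDAP documentation: syncrepl does partial replication by searchbase, and one consumer database may carry more than one syncrepl stanza, each with its own rid, so Location A's consumer can pull o=support and o=location_A from the single master. The part a security reviewer would insist on is on the provider: the consumer config lives on the remote customer's machine, so the provider's ACLs, not the consumer's searchbase, are what keep Location B's users away from Location A's server. Host names, the replication identities and their passwords are assumed.

```conf
# --- consumer at Location A (assumed names) --------------------------------
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap

# One syncrepl stanza per replicated subtree; rids must be distinct.
syncrepl rid=001
         provider=ldap://master.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="o=support,dc=example,dc=com"
         scope=sub
         bindmethod=simple
         binddn="cn=repl-a,ou=replicators,dc=example,dc=com"
         credentials=secret
         starttls=critical

syncrepl rid=002
         provider=ldap://master.example.com
         type=refreshAndPersist
         retry="60 +"
         searchbase="o=location_A,dc=example,dc=com"
         scope=sub
         bindmethod=simple
         binddn="cn=repl-a,ou=replicators,dc=example,dc=com"
         credentials=secret
         starttls=critical

# --- provider (master) ------------------------------------------------------
database        hdb
suffix          "dc=example,dc=com"
overlay         syncprov

# Each site's replication identity may read only the subtrees it is meant to
# carry. A mis-edited consumer config, or a stolen consumer credential, then
# cannot pull another customer's branch.
access to attrs=userPassword
        by anonymous auth
        by self write
        by * none
access to dn.subtree="o=support,dc=example,dc=com"
        by dn.exact="cn=repl-a,ou=replicators,dc=example,dc=com" read
        by dn.exact="cn=repl-b,ou=replicators,dc=example,dc=com" read
        by * break
access to dn.subtree="o=location_A,dc=example,dc=com"
        by dn.exact="cn=repl-a,ou=replicators,dc=example,dc=com" read
        by * break
access to dn.subtree="o=location_B,dc=example,dc=com"
        by dn.exact="cn=repl-b,ou=replicators,dc=example,dc=com" read
        by * break
access to dn.subtree="dc=example,dc=com"
        by dn.children="ou=replicators,dc=example,dc=com" none
        by * break
# ... the site's existing ACLs for ordinary users follow here
```

The consumer keeps dc=example,dc=com as its suffix; syncrepl creates glue entries for the ancestors of each replicated subtree that are missing on the consumer, though loading the dc=example,dc=com entry locally first gives it real attributes. The mirror-mode alternative mentioned in the post would make each site's server a writable replica of the whole tree, which is the opposite of the per-customer separation wanted here; per-subtree syncrepl with provider-side ACLs keeps one authoritative master and a minimal read grant per site.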
ldap_sasl_interactive_bind_s failed (-2) using openldap v2.3.43 when trying to replicate via syncrepl.
by Kristian Kostecky
Hi guys,
I have a configuration that consists of 3 ldap servers. One is the provider and there are 2 consumers. I am using syncrepl to do the synchronization. simple and anonymous binds are totally disabled and Kerberos must be used via SASL (GSSAPI) and TLS to connect to the LDAP server.
distro: centos 5.4
openldap 2.3.43
cyrus-sasl 2.1.22
Other things:
- clocks are all in sync
- hostnames all have forward and reverse mappings, and all DNS servers in /etc/resolv.conf respond with proper entries on the consumer and both providers.
Here's the catch: the two providers are configured the same (except for hostnames/IPs) and the first one works perfectly. What is really frustrating is the lack of logging available to tell me what the problem is. I've tried loglevel -1 and it gave me even less info regarding the SASL authentication than leaving it off.
The affected consumer is giving me:
Mar 31 22:41:00 ZZZ slapd[2442]: slapd starting
Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrep1: rid 010 ldap_sasl_interactive_bind_s failed (-2)
Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrepl: rid 010 quitting
On the "Provider":
Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 ACCEPT from IP=10.130.1.230:60288 (IP=0.0.0.0:389)
Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 STARTTLS
Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 RESULT oid= err=0 text=
Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 TLS established tls_ssf=256 ssf=256
Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=1 UNBIND
Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 closed
This is what's REALLY weird: from the affected/broken box, ZZZ, after I kinit, I can do an LDAP search or ldapwhoami, no problems! So Kerberos and GSSAPI via SASL are working fine, i.e.:
ldapsearch -H ldaps://XXX/ -Y GSSAPI -> will dump the entries.
or
ldapwhoami -H ldaps://XXX/ -Y GSSAPI -> shows me the proper creds
If I destroy the credentials, it doesn't work, as would be expected.
On the working consumer, the behaviour is that I can ldapsearch and ldapwhoami properly after I kinit, and when I start ldap it will authenticate properly with the provider via SASL GSSAPI and replicate the DB. If I kdestroy the credentials and start it, I get the same error that I'm struggling with on the box that doesn't work -> ldap_sasl_interactive_bind_s failed (-2). This behaviour leads me to believe that for some reason the ldap server on the box that doesn't work is having problems transmitting the Kerberos credentials to the provider, whereas the ldapsearch and ldapwhoami binaries are not having problems.
There are some suspicious differences between the consumer that works and the broken one. The provider and the consumer that works both have TLDs that match, '.com', and the consumer whose syncrepl process won't authenticate is part of the .eu TLD. However, as you can see below in the krb5.conf files, the .com and .eu TLDs are always mapped to the same authentication realm. PLUS, again, ldapsearch and ldapwhoami WORK. It's just the syncrepl process that isn't quite getting the auth right.
This is the provider's pertinent configs:
slapd.conf:
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 100
This is the consumer's pertinent configs (WORKS ON one, not on the other)
slapd.conf:
syncrepl rid=10
provider=ldap://xxx.XXX.com
starttls=yes
type=refreshOnly
interval=00:00:01:00
searchbase="dc=XXX,dc=com"
schemachecking=off
bindmethod=sasl
saslmech=GSSAPI
krb5.conf [same as provider and kerb server]:
[libdefaults]
default_realm = BOUNCE.AAA.COM
encrypt = true
allow_weak_crypto = false
clockskew = 600
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 8h
forwardable = no
proxiable = no
[realms]
BOUNCE.AAA.COM = {
kdc = XXX.com
kdc = YYY.com
kdc = ZZZ.eu
admin_server = XXX.com
}
[domain_realm]
.com = BOUNCE.AAA.COM
.eu = BOUNCE.AAA.COM
All help is greatly appreciated! This has been going on for days and I've already yanked out most of my hair. Thank you.
Kris.
PGP Key: 4CC63A18
PGP Server: pool.sks-keyservers.net
13 years, 8 months
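An added example, not part of Kristian's post: "ldapsearch -Y GSSAPI" after kinit proves that the shell user's ticket cache works, but the syncrepl bind is made by the slapd process, with its own uid and environment, and the post itself notes that kdestroy in the shell breaks the working consumer. What a practitioner wants to see next is which credential cache the running slapd would actually use, whether slapd's uid can read it, and whether it holds a valid TGT. The functions below read that from /proc; assumed are Linux /proc, MIT Kerberos with its /tmp/krb5cc_<uid> default, and slapd started as user ldap. The environ file used by the test is constructed.

```shell
#!/bin/sh
# Added example, not part of the post. Shows which Kerberos credential cache a
# running slapd would use for its syncrepl GSSAPI bind. Assumed: Linux /proc,
# MIT Kerberos with the /tmp/krb5cc_<uid> default, slapd running as "ldap".

# KRB5* variables from a NUL-separated environment file such as
# /proc/<pid>/environ (readable only by root or the process owner).
krb5_env_from_file() {
    tr '\0' '\n' < "$1" | grep '^KRB5' || true
}

# Credential cache path for a process: KRB5CCNAME if set (FILE: prefix
# dropped), otherwise the MIT default for its uid.
# $1 = uid, $2 = environ file
krb5_ccache_from_env() {
    name=$(krb5_env_from_file "$2" | sed -n 's/^KRB5CCNAME=//p' | head -n 1)
    case $name in
        '')      echo "/tmp/krb5cc_$1" ;;
        FILE:*)  echo "${name#FILE:}" ;;
        *)       echo "$name" ;;
    esac
}

# Live check on the consumer: which cache slapd sees, whether its uid can read
# it, and whether it holds an unexpired TGT. Run it on the working and on the
# failing consumer, before and after kdestroy in your own shell, and compare.
check_slapd_creds() {
    pid=$(pidof slapd | awk '{ print $1 }')
    [ -n "$pid" ] || { echo "slapd not running" >&2; return 1; }
    uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    cc=$(krb5_ccache_from_env "$uid" "/proc/$pid/environ")
    echo "slapd pid=$pid uid=$uid ccache=$cc"
    krb5_env_from_file "/proc/$pid/environ"
    ls -l "$cc" 2>&1
    # klist -s prints nothing; its exit status says whether the cache holds
    # a valid TGT.
    if KRB5CCNAME="FILE:$cc" klist -s; then
        echo "valid TGT in $cc"
    else
        echo "no valid TGT for slapd (uid $uid): keep one renewed for that uid, e.g. with k5start or a cron'd kinit -k from a keytab" >&2
        return 1
    fi
}
```

If the working consumer turns out to be reading a cache populated by a root shell's kinit, it is working by accident: the cache will expire with the admin's ticket, and a cache shared between an interactive user and a daemon is a credential the daemon should not have. The durable setup is a keytab for the consumer's own principal, a cache owned by slapd's uid and readable only by it, KRB5CCNAME set in slapd's start-up environment (e.g. /etc/sysconfig/ldap on CentOS), and a renewer such as k5start keeping it fresh.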
Re: Re-engaging the Samba4 LDAP backend
by Endi Sukma Dewata
Hi Andrew,
----- "Andrew Bartlett" <abartlet(a)samba.org> wrote:
> - a replacement for the Samba4 rdn_name module. For OpenLDAP I have
> tried out ITS#6055 but it fails, sadly.
> http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055
> I don't know of any comparable effort in Fedora DS.
We're considering this proposal for FDS:
http://directory.fedoraproject.org/wiki/RDN_Value
At this point it's still being designed, so I can't say yet when this
would become available.
> - Transaction support. While most of the transaction-aware tasks in
> Samba have now been either pushed off as 'too hard on LDAP' or into
> modules that are now in the LDAP backend, we still do need
> transactions
> over LDAP.
Transactions on FDS are deferred until later this year:
http://directory.fedoraproject.org/wiki/LDAP_Transactions
> - A way to easily detect that we have OpenLDAP or Fedora DS
> installed
> on the system, and what it's version is. Once we have that, we could
> start trying to run at least some of Samba4's tests against such a
> backend regularly (and stop breaking it so often).
The buildsamba02 machine is configured to test against FDS:
http://build.samba.org/?function=View+Build;host=buildsamba02;tree=samba_...
I hope there's somebody who could maintain a similar system configured
with OpenLDAP.
> - Some help debugging the existing 'make test' failures!
I've fixed some FDS-specific failures. I'll send you the patches soon.
> To address a broader range of use cases, I'm looking forward to the
> work
> Endi has promised for a 'ldap backend config file' as input to
> provision. Hopefully this will reduce the options we have to present
> to
> users on the provision command line.
Sorry about the delay on this. It's coming but slowly because I have to
handle other issues as well.
Thanks!
--
Endi S. Dewata
13 years, 8 months
Re: "new style" on ubuntu 8.04
by Luis Paulo
Thanks, Adam
I was afraid of that, but see what made me think otherwise.
At http://www.openldap.org/doc/admin24/slapdconf2.html:
"the slapd(8) runtime configuration in 2.3 (and later) is fully LDAP-enabled
and can be managed using the standard LDAP operations with data in LDIF."
- I have slapd 2.4.9
"but must be converted to the new slapd-config(5) format to allow runtime
changes to be saved".
- I did that, but I really don't have the slapd-config man page
In /etc/default/slapd there was already a comment about the cn=config
backend:
# Default location of the slapd.conf file. If empty, use the compiled-in
# default (/etc/ldap/slapd.conf). If using the cn=config backend to store
# configuration in LDIF, set this variable to the directory containing the
# cn=config data.
SLAPD_CONF=
And, after all, I've already deleted slapd.conf and authentication is being
made with slapd.d/
Please forgive me for insisting. Thanks
Are you sure it can't be a matter of ACL, admin authentication, or something
else?
I'll upgrade to lucid, but it may take a couple of months.
13 years, 8 months
ldap.conf
by phiroc@free.fr
Hi,
is there a way to programmatically retrieve the path to the ldap.conf file (in other words, which conf file the program uses by default)?
Many thanks.
p
13 years, 8 months
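An added example, not part of the question above: libldap exposes no option that returns the configuration file it used, because it does not use one file. Per ldap.conf(5) it merges, in order, the compiled-in system-wide ldap.conf, then ldaprc and .ldaprc in the user's home directory, then ldaprc in the working directory, then the file named by LDAPCONF, then the LDAPRC basename looked up in the home and working directories, with later files overriding earlier ones and LDAPNOINIT suppressing all of them. The functions below enumerate those candidates and show which exist; the two system-wide paths are assumptions about the common builds (/etc/openldap for OpenLDAP.org and Red Hat, /etc/ldap for Debian and Ubuntu), and the last function uses strace as the build-independent ground truth.

```shell
#!/bin/sh
# Added example, not part of the question. Lists the configuration files
# libldap consults, in the order ldap.conf(5) describes. The two system-wide
# paths are assumed (SYSCONFDIR is a build-time choice).

# All candidate paths, in the order the library reads them.
# $1 = home directory (default $HOME), $2 = working directory (default $PWD)
ldap_conf_candidates() {
    home=${1:-$HOME}; cwd=${2:-$PWD}
    if [ -n "${LDAPNOINIT:-}" ]; then return 0; fi   # LDAPNOINIT: read nothing
    echo /etc/openldap/ldap.conf      # OpenLDAP.org / Red Hat builds (assumed)
    echo /etc/ldap/ldap.conf          # Debian / Ubuntu builds (assumed)
    echo "$home/ldaprc"
    echo "$home/.ldaprc"
    echo "$cwd/ldaprc"
    if [ -n "${LDAPCONF:-}" ]; then echo "$LDAPCONF"; fi
    if [ -n "${LDAPRC:-}" ]; then    # a basename, looked up like ldaprc
        echo "$home/$LDAPRC"
        echo "$home/.$LDAPRC"
        echo "$cwd/$LDAPRC"
    fi
}

# Only the candidates that exist as regular files; the last one printed wins
# for any directive set in more than one of them.
ldap_conf_present() {
    ldap_conf_candidates "$@" | while IFS= read -r f; do
        if [ -f "$f" ]; then echo "$f"; fi
    done
}

# Ground truth for the build actually installed: watch which of these files a
# client opens. Output is for reading, not parsed here.
ldap_conf_trace() {
    strace -f -e trace=file ldapsearch -x -b '' -s base 1.1 2>&1 \
        | grep -E 'ldap\.conf|ldaprc'
}
```

The ordering matters for security as much as for debugging: a writable ldaprc in the current directory, or an LDAPRC/LDAPCONF variable inherited from the environment, silently overrides the system-wide TLS_CACERT and TLS_REQCERT settings for any program linked against libldap, so a tool that must trust only the system file should be run with LDAPNOINIT set and its options given explicitly.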
question about exclusion control of slapd
by Tsukasa Hamano
Hi,
I'm reading the source code of slapd 2.4.21, and I found a point that makes
me uneasy.
in servers/slapd/bind.c:207
cleanup:
    if ( rs->sr_err == LDAP_SUCCESS ) {
        if ( op->orb_method != LDAP_AUTH_SASL ) {
            ber_dupbv( &op->o_conn->c_authmech, &mech );
        }
        op->o_conn->c_authtype = op->orb_method;
    }
I think that this operation needs a mutex lock, as follows:
ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex );
...
ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex );
Regards,
--
Open Source Solution Technology Corporation
Tsukasa Hamano <hamano(a)osstech.co.jp>
fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55
13 years, 8 months
Configuring OpenLDAP on Ubuntu 9.10.Need help!
by Shamika Joshi
I have followed the following article to install/configure OpenLDAP on Ubuntu
Server 9.10:
https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html
There is no slapd.conf in the picture here; instead, running "dpkg-reconfigure
slapd" should come up with the following wizard (I got this after running through
numerous articles on this):
Wizard steps:
1. omit openldap server configuration? – no
2. dns domain name? vm.example.org
3. organization name? myCompany
4. database backend to use? hdb
5. do you want the database to be removed when slapd is purged? yes
6. may be the question: move old database? yes
7. administrator password? the same one as entered during installation
8. confirm password? see last step
9. allow LDAPv2 protocol? no
However, in my installation the wizard asks:
Omit OpenLDAP server configuration? No
Do you want the database to be removed when slapd is purged? No
Allow LDAPv2 protocol? No
Creating initial slapd configuration... done.
Starting OpenLDAP: slapd.
Has anyone attempted this before? What am I missing here? Could someone
pitch in with some help?
So when I run "ldapsearch -x" it gives me the following output:
admins@x6:/etc/ldap$ ldapsearch -x
# extended LDIF
#
# LDAPv3
# base <> (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# search result
search: 2
result: 32 No such object
# numResponses: 1
whereas it should give output like:
# extended LDIF
#
# LDAPv3
# base (default) with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# vm.example.org
dn: dc=vm,dc=example,dc=org
objectClass: top
objectClass: dcObject
objectClass: organization
o: myCompany
dc: vm
# admin, vm.example.org
dn: cn=admin,dc=vm,dc=example,dc=org
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Thanks
Shamika
13 years, 8 months
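An added example, not part of Shamika's post: the "32 No such object" result is what ldapsearch gets when it is given no search base at all. With no -b option and no BASE line in /etc/ldap/ldap.conf, the client searches base "" with scope subtree (the "# base <> (default)" line in the output shows this), and slapd has no database rooted at "", so it answers noSuchObject. The article's output came from a client whose BASE was set to dc=vm,dc=example,dc=org. Rather than guessing what suffix the package created, ask the server's root DSE for its namingContexts and search under that; the functions below do so. The host name is assumed and the LDIF used by the test is constructed.

```shell
#!/bin/sh
# Added example, not from the post. Find the suffix slapd actually serves and
# repeat the search with an explicit base. Host name is assumed.

# Extract the naming contexts (database suffixes) from root-DSE LDIF on stdin.
# namingContexts values are short, so LDIF line folding is not a concern here.
naming_contexts() {
    sed -n 's/^namingContexts: //p'
}

# Pick the suffix to use: the expected one (case-insensitive, as DNs are
# matched) if the server advertises it, otherwise the first one advertised.
# $1 = expected suffix, stdin = root-DSE LDIF. Prints nothing if there is none.
pick_suffix() {
    want=$1
    ctx=$(naming_contexts)
    if printf '%s\n' "$ctx" | grep -qix "$want"; then
        printf '%s\n' "$want"
    else
        printf '%s\n' "$ctx" | head -n 1
    fi
}

# Live use: query the root DSE, then search under the advertised suffix.
search_with_suffix() {
    host=${1:-localhost}
    suffix=$(ldapsearch -x -H "ldap://$host" -LLL -b '' -s base namingContexts \
        | pick_suffix 'dc=vm,dc=example,dc=org')
    if [ -z "$suffix" ]; then
        echo "server advertises no namingContexts: no database was created" >&2
        return 1
    fi
    echo "using base: $suffix" >&2
    ldapsearch -x -H "ldap://$host" -b "$suffix"
    # Permanent client-side fix: put "BASE $suffix" in /etc/ldap/ldap.conf
}
```

If the advertised suffix is not dc=vm,dc=example,dc=org, the package derived the suffix from a different domain name than the article assumed, which also explains why the reconfigure wizard skipped the domain and organization questions: it saw an existing database and kept it. An empty namingContexts list means no database was created at all, and "dpkg-reconfigure slapd" needs to be run with "Omit OpenLDAP server configuration?" answered No on a host whose domain name is set.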