openldap-technical March 2010

openldap-technical@openldap.org

73 participants
87 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Overlay Chain Extended Passmod Problem
by Ralf Zimmermann 13 Apr '10

13 Apr '10

Hi all, last week I wrote to the list because I have a problem with overlay chain. Today I traced the problem. The configuration and the host are the same. OpenLDAP syncrepl runs fine over the weekend. But if I want to change a password nothing happens. I can't see any packet with tcpdump from the slave to the master. I traced slapd with loglevel=65535. The slave is openldap 2.4.21. # Here the trace with no successfull passmod operation: ----------------------------------------------------- conn=1126 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128 do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128 => bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de") => bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de" bdb_entry_get: rc=0 => bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de") bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de" bdb_entry_get: rc=0 ==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de") ) # Here the trace after I restart slapd with exactly the same config # and working passmod oepration: ------------------------------------------------------------------ conn=1000 op=1 BIND dn="cn=ldapadmin,dc=camelot,dc=de" method=128 do_bind: version=3 dn="cn=ldapadmin,dc=camelot,dc=de" method=128 => bdb_entry_get: ndn: "cn=ldapadmin,dc=camelot,dc=de" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de") => hdb_dn2id("cn=ldapadmin,dc=camelot,dc=de") <= hdb_dn2id: got id=0x5 entry_decode: "" <= entry_decode() => bdb_entry_get: found entry: "cn=ldapadmin,dc=camelot,dc=de" bdb_entry_get: rc=0 => bdb_entry_get: ndn: "cn=default,ou=policies,dc=camelot,dc=de" => bdb_entry_get: oc: "(null)", at: "(null)" bdb_dn2entry("cn=default,ou=policies,dc=camelot,dc=de") => hdb_dn2id("ou=policies,dc=camelot,dc=de") <= hdb_dn2id: got id=0x9 => hdb_dn2id("cn=default,ou=policies,dc=camelot,dc=de") <= hdb_dn2id: got id=0xa entry_decode: "" <= entry_decode() => bdb_entry_get: found entry: "cn=default,ou=policies,dc=camelot,dc=de" bdb_entry_get: rc=0 ==> hdb_bind: dn: cn=ldapadmin,dc=camelot,dc=de bdb_dn2entry("cn=ldapadmin,dc=camelot,dc=de") When the passmod operation is successfull there are hdb_dn2id entries in the trace. When the passmod operation ist not successfull the entries doesn't exist. What happens, that I must restart the slapd? The configuration is the same and all other things works fine. Only the write operations to the master hangs. If I make a passmod without TLS everything works fine and I can change the password after I restarted the slapd on the slave. Then I can change the passwords the wholy day. Tomorrow I'll must restart slapd on the slave because the passmod operation is not successfull. Any ideas? regards Ralf Zimmermann -- .''`. Ralf Zimmermann : :' : SIEGNETZ.IT GmbH `. `' Schneppenkauten 1a `- 57076 Siegen Tel.: +49 271 68193 13 Fax.: +49 271 68193 29 Amtsgericht Siegen HRB4838 Geschaeftsfuehrer: Oliver Seitz Sitz der Gesellschaft ist Siegen

2 2

Partial replication
by Joe Friedeggs 07 Apr '10

07 Apr '10

Is it possible to replicate, on a slave, two branches of the DIT (only)? I have several instances of LDAP running on servers throughout the world. Connection to some of these from our support location is not dependable. I want to do something similar to this: Main LDAP (here, master): dc=example,dc=com | +--o=support | +--o=location_A | +--o=location_B | +--o=location_C In Location A (remote slave): dc=example,dc=com | +--o=support | +--o=location_A In Location B (remote slave): dc=example,dc=com | +--o=support | +--o=location_B Location A & B are two different customers, therefore it would not be prudent to replicate Location B's users in Locations A. But I need the Support group to exist in all locations. Can this be done using syncrepl? Another thought is to have LDAP Masters existing in each location, and somehow replicate the Support branch to each (mirrormode?). Should this be the approach? Thanks, Joe _________________________________________________________________ Hotmail has tools for the New Busy. Search, chat and e-mail from your inbox. http://www.windowslive.com/campaign/thenewbusy?ocid=PID27925::T:WLMTAGL:ON:…

4 10

ldap_sasl_interactive_bind_s failed (-2) using openldap v2.3.43 when trying to replicate via syncrepl.
by Kristian Kostecky 31 Mar '10

31 Mar '10

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi guys, I have a configuration that consists of 3 ldap servers. One is the provider and there are 2 consumers. I am using syncrepl to do the synchronization. simple and anonymous binds are totally disabled and Kerberos must be used via SASL (GSSAPI) and TLS to connect to the LDAP server. distro: centos 5.4 openldap 2.3.43 cyrus-sasl 2.1.22 Other things: - - clocks are all in sync - - hostnames all have forward and reverse mappings and all dns servers in /etc/resolv.conf respond with proper entries on the consumer and both providers. Here's the catch, the two providers are configured the same (except for hostnames/ips) and the first one works perfect. What is really frustrating is the lack of logging that is available to tell me what the problem is. I've tried loglevel -1 and it gave me even less info in regards to the SASL authentication than leaving it off. The affected consumer is giving me: Mar 31 22:41:00 ZZZ slapd[2442]: slapd starting Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrep1: rid 010 ldap_sasl_interactive_bind_s failed (-2) Mar 31 22:41:02 ZZZ slapd[2442]: do_syncrepl: rid 010 quitting On the "Provider": Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 ACCEPT from IP=10.130.1.230:60288 (IP=0.0.0.0:389) Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 STARTTLS Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=0 RESULT oid= err=0 text= Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 TLS established tls_ssf=256 ssf=256 Mar 31 17:49:54 XXX slapd[3494]: conn=212 op=1 UNBIND Mar 31 17:49:54 XXX slapd[3494]: conn=212 fd=21 closed This is what's REALLY weird - from the affected/broken box, ZZZ, after I kinit, I can do an LDAP search or ldapwhoami, no problems! So, kerberos and GSSAPI via SASL is working fine. ie: ldapsearch -H ldaps://XXX/ -Y GSSAPI -> will dump the entries. or ldapwhoami -H ldaps://XXX/ -Y GSSAPI -> shows me that proper creds If I destroy the credentials, it doesn't work as would be expected. ON the working consumer, the behaviour is that I can ldapsearch and ldapwhoami properly after I kinit and when I start ldap it will authenticate properly with the provider via SASL GSSAPI and replicates the DB. If I kdestroy the credentials and start it, I get the same error that I'm struggling with on the box that doesn't work ->ldap_sasl_interactive_bind_s failed (-2) This behaviour leads me to believe that for some reason the ldap server on the box that doesn't work is having problems transmitting the kerberos credentials to the provider, whereas the ldapsearch and ldapwhoami binaries are not having problems. There are some suspicious differences between the consumer that works and the broken one. The provider and consumer that works both have TLDs that match - '.com' and the consumer whose synrepl process won't authenticate is part of the .eu TLD. However, as you can see below in the krb5.conf files, the .com and .eu TLDS are always mapped to the same authentication realm. PLUS, again, ldapsearch and ldapwhoami WORK. It's just the syncrepl process that isn't quite getting the auth right. This is the provider's pertinent configs: slapd.conf: overlay syncprov syncprov-checkpoint 100 10 syncprov-sessionlog 100 This is the consumer's pertinent configs (WORKS ON one, not on the other) slapd.conf: syncrepl rid=10 provider=ldap://xxx.XXX.com starttls=yes type=refreshOnly interval=00:00:01:00 searchbase="dc=XXX,dc=com" schemachecking=off bindmethod=sasl saslmech=GSSAPI krb5.conf [same as provider and kerb server]: [libdefaults] default_realm = BOUNCE.AAA.COM encrypt = true allow_weak_crypto = false clockskew = 600 dns_lookup_realm = false dns_lookup_kdc = false ticket_lifetime = 8h forwardable = no proxiable = no [realms] BOUNCE.AAA.COM = { kdc = XXX.com kdc = YYY.com kdc = ZZZ.eu admin_server = XXX.com } [domain_realm] .com = BOUNCE.AAA.COM .eu = BOUNCE.AAA.COM All help is greatly appreciated! This has been going on for days and I've already yanked out most of my hair. Thank you. Kris. PGP Key: 4CC63A18 PGP Server: pool.sks-keyservers.net -----BEGIN PGP SIGNATURE----- Version: GnuPG/MacGPG2 v2.0.14 (Darwin) iEYEARECAAYFAkuzyroACgkQ2C/J5/UUQWEuUACdH/BhiZgTXFWbNMXS7Q99k8Rg VY8An3YWKcpnkxVYvZMlelkT0TIpYuAP =O9KI -----END PGP SIGNATURE-----

1 2

Re: Re-engaging the Samba4 LDAP backend
by Endi Sukma Dewata 31 Mar '10

31 Mar '10

Hi Andrew, ----- "Andrew Bartlett" <abartlet(a)samba.org> wrote: > - a replacement for the Samba4 rdn_name module. For OpenLDAP I have > tried out ITS#6055 but it fails, sadly. > http://www.openldap.org/its/index.cgi/Development?id=6055;selectid=6055 > I don't know of any comparable effort in Fedora DS. We're considering this proposal for FDS: http://directory.fedoraproject.org/wiki/RDN_Value At this point it's still being designed, so I can't say yet when this would become available. > - Transaction support. While most of the transaction-aware tasks in > Samba have now been either pushed off as 'too hard on LDAP' or into > modules that are now in the LDAP backend, we still do need > transactions > over LDAP. Transaction on FDS is deferred until later this year: http://directory.fedoraproject.org/wiki/LDAP_Transactions > - A way to easily detect that we have OpenLDAP or Fedora DS > installed > on the system, and what it's version is. Once we have that, we could > start trying to run at least some of Samba4's tests against such a > backend regularly (and stop breaking it so often). The buildsamba02 machine is configured to test against FDS: http://build.samba.org/?function=View+Build;host=buildsamba02;tree=samba_4_… I hope there's somebody who could maintain a similar system configured with OpenLDAP. > - Some help debugging the existing 'make test' failures! I've fixed some FDS-specific failures. I'll send you the patches soon. > To address a broader range of use cases, I'm looking forward to the > work > Endi has promised for a 'ldap backend config file' as input to > provision. Hopefully this will reduce the options we have to present > to > users on the provision command line. Sorry about the delay on this. It's coming but slowly because I have to handle other issues as well. Thanks! -- Endi S. Dewata

2 1

Re: "new style" on ubuntu 8.04
by Luis Paulo 31 Mar '10

31 Mar '10

Thanks, Adam I was afraid of that, but see what made me think otherwise. At http://www.openldap.org/doc/admin24/slapdconf2.html: "the slapd(8) runtime configuration in 2.3 (and later) is fully LDAP-enabled and can be managed using the standard LDAP operations with data in LDIF." - I have slapd 2.4.9 "but must be converted to the new *slapd-config*(5) format to allow runtime changes to be saved". - I did that, but I really don't have the slapd-config man page in */etc/default/slapd* there were already a coment about the the cn=config backend # Default location of the slapd.conf file. If empty, use the compiled-in # default (/etc/ldap/slapd.conf). If using the cn=config backend to store # configuration in LDIF, set this variable to the directory containing the # cn=config data. SLAPD_CONF= And, after all, I've already deleted slapd.conf and authentication is being made with slapd.d/ Please forgive me for insisting. Thanks Are you sure it can't be a matter of ACL, admin authentication, or something else? I'll upgrade to lucid, but it may take a couple of months.

1 0

bdb_reader_get: err Cannot allocate memory(12)
by Кардаш Павел Александро вич 31 Mar '10

31 Mar '10

1 0

ldap.conf
by phiroc＠free.fr 31 Mar '10

31 Mar '10

Hi, is there a way to programmatically retrieve the path to the ldap.conf file (in other words, which conf file the program uses by default)? Many thanks. p

1 0

question about exclusion control of slapd
by Tsukasa Hamano 31 Mar '10

31 Mar '10

Hi, I'm reading the source code of slapd 2.4.21, then I found feel uneasy point. in servers/slapd/bind.c:207 cleanup: if ( rs->sr_err == LDAP_SUCCESS ) { if ( op->orb_method != LDAP_AUTH_SASL ) { ber_dupbv( &op->o_conn->c_authmech, &mech ); } op->o_conn->c_authtype = op->orb_method; } I think that this operation need mutex lock as follows. ldap_pvt_thread_mutex_lock( &op->o_conn->c_mutex ); ... ldap_pvt_thread_mutex_unlock( &op->o_conn->c_mutex ); Regards, -- Open Source Solution Technology Corporation Tsukasa Hamano <hamano(a)osstech.co.jp> fingerprint = 2285 2111 6D34 3816 3C2E A5B9 16BE D101 6069 BE55

1 0

Configuring OpenLDAP on Ubuntu 9.10.Need help!
by Shamika Joshi 31 Mar '10

31 Mar '10

I have followed following article to install/configure OpenLDAP on Ubuntu Server 9.10 https://help.ubuntu.com/9.10/serverguide/C/openldap-server.html There is no slapd.conf in picture here instead running "dpkg-reconfigure slapd" should come up with following Wizard (got this after running through numerous articles on this) *Wizard steps:* 1. *omit openldap server configuration? – no* 2. *dns domain name? vm.example.org* 3. *organization name? myCompany* 4. *database backend to use? hdb* 5. *do you want the database to be removed when slapd is purged? yes* 6. *may be the question: move old database? yes* 7. *administrator password? the same one as entered during installation* 8. *confirm password? see last step* 9. *allow LDAPv2 protocol? no* However in my installation wizards asks * Omit OpenLDAP server configuration? No Do you want the database to be removed when slapd is purged? No Allow LDAPv2 protocol? No Creating initial slapd configuration... done. Starting OpenLDAP: slapd. *Has anyone attempted this before? What I'm missing here? Could someone like to pitch in for some help? So when I run "ldapsearch -x" it gives me following output admins@x6:/etc/ldap$ ldapsearch -x # extended LDIF # # LDAPv3 # base <> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 where is should give the output like # extended LDIF # # LDAPv3 # base (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # vm.example.org dn: dc=vm,dc=example,dc=org objectClass: top objectClass: dcObject objectClass: organization o: myCompany dc: vm # admin, vm.example.org dn: cn=admin,dc=vm,dc=example,dc=org objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 Thanks Shamika

4 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2010