Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by Net::LDAP for every entry as it arrives from the server
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # asref => 1 returns every value of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry so it is not kept in $mesg
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "Cannot connect to localhost: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV is only valid together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,    # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search(@args);
# Get VLV response control. This is line 50 of the original vlv.pl, where the
# bare "or die" gave no detail; report the search result code and text instead.
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "No VLV response control; server result: " . $mesg->code . " " . $mesg->error . "\n";
$vlv->response($resp);
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "No VLV response control; server result: " . $mesg->code . " " . $mesg->error . "\n";
$vlv->response($resp);
# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "No VLV response control; server result: " . $mesg->code . " " . $mesg->error . "\n";
$vlv->response($resp);
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
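An offline model of what a VLV-capable server does with the requests the script above sends, added here as an example (it is not from the post or from Net::LDAP): it also checks the root DSE supportedControl list for the two controls a VLV search needs. The sorted cn list is constructed, and the target scaling used when the client's contentCount is stale is this model's floor-division assumption.

```python
"""Virtual List View paging arithmetic, reproduced offline (added example)."""
from dataclasses import dataclass
from typing import List, Optional

# Control OIDs a VLV search needs the server to advertise in the root DSE
# supportedControl attribute (VLV is only valid together with Server Side Sort).
SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473"
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"


def missing_controls(supported_control: List[str]) -> List[str]:
    """OIDs a VLV search needs that the server did not advertise (empty = OK)."""
    return [oid for oid in (SERVER_SIDE_SORT_OID, VLV_REQUEST_OID)
            if oid not in supported_control]


@dataclass
class VlvResponse:
    target_position: int    # 1-based index of the target entry in the sorted list
    content_count: int      # server's size of the whole sorted list
    entries: List[str]      # the page the server returns


def vlv_page(sorted_keys: List[str], before: int, after: int,
             offset: int = 1, content: int = 0,
             assertion: Optional[str] = None) -> VlvResponse:
    """Return the page a VLV server would send for one request.

    Either an (offset, content) pair or an assertion value selects the target
    entry; the page is the target plus `before` entries above and `after`
    entries below it, clipped to the list.
    """
    n = len(sorted_keys)
    if n == 0:
        return VlvResponse(0, 0, [])
    if assertion is not None:
        # By-value targeting: first entry whose key is >= the assertion value,
        # or the last entry when nothing matches.
        target = next((i + 1 for i, k in enumerate(sorted_keys) if k >= assertion), n)
    elif content in (0, n):
        # Client has no estimate (content=0) or an accurate one: use offset as-is.
        target = offset
    else:
        # Client's estimate is stale: scale its offset to the real list size
        # (floor division is this model's assumption).
        target = (offset * n) // content
    target = max(1, min(target, n))
    start = max(1, target - before)
    end = min(n, target + after)
    return VlvResponse(target, n, sorted_keys[start - 1:end])


# Constructed sample: 45 sorted cn values, A00..A14, B00..B14, C00..C14.
SAMPLE_CNS = sorted(f"{letter}{i:02d}" for letter in "ABC" for i in range(15))


def page_walk(keys: List[str]) -> List[VlvResponse]:
    """Replay the request sequence of the Perl script against the model:
    first 20, last 20, the page before that, then 9 before / 10 after "B"."""
    first = vlv_page(keys, before=0, after=19, offset=1, content=0)
    last = vlv_page(keys, before=19, after=0,
                    offset=first.content_count, content=first.content_count)
    previous = vlv_page(keys, before=19, after=0,
                        offset=last.target_position - 20, content=last.content_count)
    by_value = vlv_page(keys, before=9, after=10, assertion="B")
    return [first, last, previous, by_value]


if __name__ == "__main__":
    for page in page_walk(SAMPLE_CNS):
        print(page.target_position, page.content_count,
              page.entries[0], "..", page.entries[-1])
```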
Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra
Hi,
We have some problems with certificate authentication when the master
server is behind a back-ldap proxy.
We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and
these are the details of our scenario:
The master server: server1.example.com has the following slapd.conf file:
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/certs/server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key
TLSCACertificatePath /etc/ssl/cacerts/
TLSVerifyClient demand
#
#Log level
#
loglevel 256
# Require authentication
require authc
#######################################################################
# HDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
# Indices to maintain
index objectClass eq
# Overlay ppolicy
overlay ppolicy
----------------------
Authentication is required, and we give access to the user passwords
for the dn of a certificate.
When we search for passwords using the certificate we get the following:
root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
-----------------------
The root user (ldap client) has a ~/.ldaprc file with:
TLS_CACERTDIR /etc/ssl/cacerts/
TLS_CERT /etc/ssl/certs/admin_w_cert.pem
TLS_KEY /etc/ssl/private/admin_w_cert.key
TLS_REQCERT demand
SASL_MECH EXTERNAL
In /var/log/messages we get:
ldap-master[22358]: conn=1000 fd=11 ACCEPT from IP=server1.example.com:40899 (IP=server1.example.com:636)
ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163
ldap-master[22358]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22358]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
ldap-master[22358]: conn=1000 op=2 UNBIND
ldap-master[22358]: conn=1000 fd=11 closed
This is the correct behavior for us. The problem appears when we
introduce a back-ldap proxy between the client and the master.
The proxy server (proxy-server1.example.com) is listening on port
1636 and its slapd.conf file is:
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificatePath /etc/ssl/cacerts/
TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key
TLSVerifyClient demand
# Log level
loglevel 256
#######################################################################
# Database definitions
#######################################################################
database ldap
rebind-as-user true
suffix "dc=example,dc=com"
uri "ldaps://server1.example.com"
tls ldaps tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem tls_key=/etc/ssl/private/proxy-server1.example.com.key tls_cacertdir=/etc/ssl/cacerts/
----------------------
If we search for passwords through the proxy we get:
root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
Server is unwilling to perform (53)
Additional information: authentication required
In the /var/log/messages the following messages appear:
ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636)
ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163
ldap-proxy[22802]: conn=1001 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text=
ldap-proxy[22802]: conn=1001 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=2 UNBIND
ldap-proxy[22802]: conn=1001 fd=8 closed
The /root/.ldaprc file is the same as the previous one.
When we increase the logging level we discover this:
....
ldap-proxy[23008]: conn=1000 op=0 do_bind
ldap-proxy[23008]: >>> dnPrettyNormal: <>
ldap-proxy[23008]: <<< dnPrettyNormal: <>, <>
ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163
ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL
ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
ldap-proxy[23008]: SASL Canonicalize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: slap_sasl_getdn: conn 1000 id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61]
ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN
ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[23008]: SASL Canonicalize [conn=1000]: slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL proxy authorize [conn=1000]: authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: conn=1000 op=0 BIND authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization allowed authzDN=""
ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1
ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind: dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" sasl_ssf=0
ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0
ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-proxy[23008]: <== slap_sasl_bind: rc=0
....
ldap-proxy[23008]: conn=1000 op=1 SRCH base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"
ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword
ldap-proxy[23008]: ==> limits_get: conn=1000 op=1 self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" this="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[22983]: daemon: activity on 1 descriptor
ldap-master[22983]: daemon: activity on:
ldap-master[22983]:
ldap-master[22983]: slap_listener_activate(7):
ldap-master[22983]: daemon: epoll: listen=7 busy
ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com)
.....
ldap-master[22983]: conn=1000 op=0 do_bind
ldap-master[22983]: >>> dnPrettyNormal: <>
ldap-master[22983]: <<< dnPrettyNormal: <>, <>
ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128
ldap-master[22983]: do_bind: version=3 dn="" method=128
ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3
ldap-master[22983]: send_ldap_result: err=0 matched="" text=""
ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0
ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22983]: do_bind: v3 anonymous bind
----------------
Therefore the proxy is binding anonymously in the master, instead of
using the dn of the certificate.
Is there any problem with the SASL EXTERNAL method?
If we use SIMPLE authentication through the proxy, there is no problem:
root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword
Enter LDAP Password:
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
Thanks in advance.
12 years, 9 months
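A small analyser for slapd stats-level logs (loglevel 256) like the ones quoted above, added here as an example and not part of the post: it groups lines per daemon and connection, records the identity each daemon ended up bound as (simple bind, or the dn on the mech= line of a completed SASL bind), and reports every search refused with "authentication required" together with that identity. The sample lines are constructed from the post's logs; the anonymous simple bind on the master's conn=1008 is an assumption taken from the debug log.

```python
"""Per-connection bind identity and refused searches from slapd stats logs (added example)."""
import re
from collections import OrderedDict
from typing import Dict, List, Tuple

# Optional "Apr 28 12:14:17 host " syslog prefix, then daemon[pid]: conn=N rest.
LINE_RE = re.compile(
    r"^(?:\w{3}\s+\d+\s+[\d:]+\s+\S+\s+)?"
    r"(?P<daemon>[\w.-]+)\[(?P<pid>\d+)\]:\s+conn=(?P<conn>\d+)\s+(?P<rest>.*)$")
# method=128 is a simple bind; method=163 only starts a SASL bind, whose
# authenticated dn appears on the later line that carries mech=.
BIND_RE = re.compile(
    r'op=\d+ BIND dn="(?P<dn>[^"]*)"(?: mech=(?P<mech>\S+))?(?: method=(?P<method>\d+))?')
SRCH_RE = re.compile(r'op=\d+ SRCH base="(?P<base>[^"]*)"')
SEARCH_RESULT_RE = re.compile(
    r"op=\d+ SEARCH RESULT tag=\d+ err=(?P<err>\d+) nentries=\d+ text=(?P<text>.*)$")

ConnKey = Tuple[str, int]


def summarize(lines: List[str]) -> Dict[ConnKey, dict]:
    """Group lines by (daemon, conn); keep bind identity, search bases, refusals."""
    conns = OrderedDict()
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m:
            continue                      # debug chatter without a conn= field
        key = (m.group("daemon"), int(m.group("conn")))
        c = conns.setdefault(key, {"bind_dn": None, "mech": None, "anonymous": True,
                                   "searches": [], "refused": []})
        rest = m.group("rest")
        b = BIND_RE.search(rest)
        if b:
            if b.group("mech") or b.group("method") == "128":
                c["bind_dn"] = b.group("dn")
                c["mech"] = b.group("mech") or "simple"
                c["anonymous"] = b.group("dn") == ""
            continue
        s = SRCH_RE.search(rest)
        if s:
            c["searches"].append(s.group("base"))
            continue
        r = SEARCH_RESULT_RE.search(rest)
        if r and r.group("err") != "0":
            c["refused"].append((int(r.group("err")), r.group("text").strip()))
    return conns


def identity_findings(conns: Dict[ConnKey, dict]) -> List[str]:
    """One line per refused search, naming the identity that daemon was bound as."""
    findings = []
    for (daemon, conn), c in conns.items():
        who = "anonymous" if c["anonymous"] else f'{c["bind_dn"]} via {c["mech"]}'
        for err, text in c["refused"]:
            findings.append(
                f"{daemon} conn={conn}: search refused err={err} ({text}); bound as {who}")
    return findings


ADMIN_DN = "cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
USER_BASE = 'base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0 filter="(objectClass=*)"'
# Constructed sample, modelled on the post's logs.
SAMPLE_LOG = [
    # client straight to the master: SASL EXTERNAL bind, search succeeds
    'ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163',
    f'ldap-master[22358]: conn=1000 op=0 BIND dn="{ADMIN_DN}" mech=EXTERNAL sasl_ssf=0 ssf=256',
    "ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text=",
    f"ldap-master[22358]: conn=1000 op=1 SRCH {USER_BASE}",
    "ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=",
    # client to the proxy: SASL EXTERNAL bind succeeds on the proxy ...
    'ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163',
    f'ldap-proxy[22802]: conn=1001 op=0 BIND authcid="{ADMIN_DN}" authzid="{ADMIN_DN}"',
    f'ldap-proxy[22802]: conn=1001 op=0 BIND dn="{ADMIN_DN}" mech=EXTERNAL sasl_ssf=0 ssf=256',
    f"ldap-proxy[22802]: conn=1001 op=1 SRCH {USER_BASE}",
    # ... but the proxy reaches the master anonymously (assumed from the debug log)
    'ldap-master[22358]: conn=1008 op=0 BIND dn="" method=128',
    f"ldap-master[22358]: conn=1008 op=2 SRCH {USER_BASE}",
    "ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required",
    "ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53 nentries=0 text=authentication required",
    "ldap-master[22983]: do_bind: v3 anonymous bind",   # no conn= field: skipped
]

if __name__ == "__main__":
    for line in identity_findings(summarize(SAMPLE_LOG)):
        print(line)
```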
Multi master replication
by Aravind Divakaran
Hi All,
I have configured two servers with multi-master replication. Below is my
configuration for syncrepl on both servers.
Server One
------------
serverID 001
overlay syncprov
syncprov-checkpoint 100 10
syncrepl rid=000
    provider=ldap://192.168.10.100
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=example,dc=com"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=password
mirrormode TRUE
Server Two
--------------
serverID 002
overlay syncprov
syncprov-checkpoint 100 10
syncrepl rid=000
    provider=ldap://192.168.10.25
    type=refreshAndPersist
    retry="5 5 300 +"
    searchbase="dc=example,dc=com"
    attrs="*,+"
    bindmethod=simple
    binddn="cn=syncuser,dc=example,dc=com"
    credentials=password
mirrormode TRUE
Today one of the users said that he was not able to log in. So I checked the
servers: on one server I was able to log in, but on the other server I was not
able to log in with the same password. I have checked the contextCSN on
both servers and they are equal. In the log it is showing this:
syncrepl_entry: rid=000 entry unchanged, ignored (uid=user,ou=People,dc=example,dc=com)
Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 uid=user,ou=People,dc=example,dc=com
Apr 28 12:14:17 mails slapd[16595]: syncrepl_entry: rid=000 be_add uid=user,ou=People,dc=example,dc=com (68)
Apr 28 12:14:17 mails slapd[16595]: dn_callback : entries have identical CSN uid=user,ou=People,dc=example,dc=com 20100422132507.789242Z#000000#002#000000
Can anyone help me understand why the above message is showing in the log files and why
the user is not able to log in?
Rgds,
Aravind M D
13 years, 3 months
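The CSN in that log line, 20100422132507.789242Z#000000#002#000000, carries a UTC timestamp and the serverID of the server that wrote the change (002 here). The following is an added example, not part of the post: it parses CSNs and compares the per-serverID contextCSN values of two mirrormode servers to show which side, if any, has not yet received the other's latest change. The contextCSN lists at the bottom are constructed for the demonstration.

```python
"""Parse OpenLDAP CSNs and compare two servers' contextCSN sets (added example)."""
import re
from datetime import datetime, timezone
from typing import Dict, List, NamedTuple


class Csn(NamedTuple):
    time: datetime   # UTC timestamp with microseconds
    count: int       # change counter within the same microsecond
    sid: int         # serverID of the server that made the change
    mod: int         # modification counter


# YYYYmmddHHMMSS.ffffffZ#count#sid#mod, the three trailing fields in hex.
CSN_RE = re.compile(
    r"^(?P<ts>\d{14})\.(?P<us>\d{6})Z#(?P<count>[0-9a-fA-F]{6})"
    r"#(?P<sid>[0-9a-fA-F]{3})#(?P<mod>[0-9a-fA-F]{6})$")


def parse_csn(text: str) -> Csn:
    m = CSN_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CSN: {text!r}")
    when = datetime.strptime(m.group("ts"), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group("us")), tzinfo=timezone.utc)
    return Csn(when, int(m.group("count"), 16), int(m.group("sid"), 16),
               int(m.group("mod"), 16))


def newest_by_sid(context_csns: List[str]) -> Dict[int, Csn]:
    """contextCSN is multi-valued under mirrormode: keep the newest per serverID."""
    out: Dict[int, Csn] = {}
    for raw in context_csns:
        csn = parse_csn(raw)
        if csn.sid not in out or csn > out[csn.sid]:   # tuple order: time first
            out[csn.sid] = csn
    return out


def replication_lag(a: List[str], b: List[str]) -> Dict[int, str]:
    """Per serverID, say which side holds the older contextCSN ('equal' if same).
    The side with the older value has not yet received that server's latest change."""
    na, nb = newest_by_sid(a), newest_by_sid(b)
    report: Dict[int, str] = {}
    for sid in sorted(set(na) | set(nb)):
        ca, cb = na.get(sid), nb.get(sid)
        if ca is None:
            report[sid] = "a lacks this serverID"
        elif cb is None:
            report[sid] = "b lacks this serverID"
        elif ca == cb:
            report[sid] = "equal"
        else:
            report[sid] = "a behind" if ca < cb else "b behind"
    return report


# Constructed contextCSN sets for serverID 001 and 002; server b is missing
# the latest change authored by 001.
SERVER_A = ["20100422132507.789242Z#000000#002#000000",
            "20100428101500.000001Z#000000#001#000000"]
SERVER_B = ["20100422132507.789242Z#000000#002#000000",
            "20100428101000.000000Z#000000#001#000000"]

if __name__ == "__main__":
    print(parse_csn("20100422132507.789242Z#000000#002#000000"))
    print(replication_lag(SERVER_A, SERVER_B))
```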
ppolicy master/slave issue
by Chris Jacobs
Hello again,
I'm having an odd issue with ppolicy and my master/slave config.
First, my goals
General use:
Slave handles all reads locally.
Writes get forwarded to the master by the slave.
Password policy:
When password failures happen on clients using slave ldap servers, the failures, etc, get passed to the master to get replicated to the slaves.
I understand this would be done using the ppolicy option: ppolicy_forward_updates
Authentication:
Actually authenticate (more later).
To the problem:
---------------
When I leave the section in the chain bit of the SLAVE slapd.conf below, marked by lines, intact (which binds as root):
* ppolicy_forward_updates seems to work great - the master shows matching "pwdFailureTime" attributes.
* Regardless of password entered, you get a shell. User/bad password = get a shell! This being a problem should be obvious.
I suspect that's due to the chain overlay section...
If I comment out the lines in the SLAVE slapd.conf:
* authentication actually requires authentication (bad password = no authentication)
* ppolicy_forward_updates doesn't work (no updates to master)
It's possible that from my description some may already know my issue - however, just to be sure, I've pasted below 'bare' versions of the:
* a master slapd.conf (sans schema includes)
* a slave slapd.conf (sans schema includes)
* /etc/ldap.conf (using slave)
* /etc/openldap/ldap.conf (same on all ldap servers) (thanks Howard - they are NOT the same)
* /etc/pam.d/system-auth-ac (CentOS 5.4; ssh refers to system-auth-ac for all types).
Thanks for any help (and, likely, pointing out any 'stupids' below),
- chris
PS: Feel free to critique - you won't hurt my feelings.
MASTER slapd.conf: (one of a pair, mirrored, active/passive fail over)
----------------------------------------------------------------------
serverID 1
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
database bdb
suffix "dc=unix,dc=aptimus,dc=net"
rootdn "uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data/aptimus"
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
overlay syncprov
syncprov-checkpoint 100 10
syncprov-sessionlog 10
syncrepl rid=2
    provider=ldaps://ldapmaster2.corp.aptimus.net
    type=refreshAndPersist
    interval=00:00:10:00
    searchbase="dc=unix,dc=aptimus,dc=net"
    bindmethod=simple
    binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
    credentials="secret"
    retry="15 20 60 +"
mirrormode on
database monitor
SLAVE slapd.conf:
-----------------
serverID 13
loglevel 0
pidfile /usr/local/var/openldap-data/run/slapd.pid
argsfile /usr/local/var/openldap-data/run/slapd.args
TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /etc/openldap/cacerts/cacert.pem
TLSCertificateFile /etc/openldap/cacerts/servercrt.pem
TLSCertificateKeyFile /etc/openldap/cacerts/serverkey.pem
TLSVerifyClient never
password-hash {MD5}
sizelimit size.soft=500 size.hard=unlimited
timelimit time.soft=3600 time.soft=unlimited
overlay chain
chain-uri ldaps://ldap-vip.corp.aptimus.net/
chain-rebind-as-user TRUE
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
chain-idassert-bind bindmethod="simple"
    binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
    credentials="Ten%20two"
    mode="self"
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
chain-tls ldaps
chain-return-error TRUE
database bdb
suffix "dc=unix,dc=aptimus,dc=net"
rootdn "uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
rootpw "secret"
directory "/usr/local/var/openldap-data/aptimus"
include /etc/openldap/slapd.access.conf
index uid,cn,gidNumber,uidNumber,memberUid eq
index objectClass pres,eq
index operatingSystem pres,eq
index host pres,eq
index rack eq
index entryUUID eq
index uniqueMember eq
index entryCSN eq
index site eq
overlay ppolicy
ppolicy_hash_cleartext
ppolicy_use_lockout
ppolicy_forward_updates
syncrepl rid=1
    provider=ldaps://ldap-vip.corp.aptimus.net
    type=refreshAndPersist
    interval=00:00:10:00
    searchbase="dc=unix,dc=aptimus,dc=net"
    bindmethod=simple
    binddn="uid=root,ou=people,dc=unix,dc=aptimus,dc=net"
    credentials="secret"
    retry="15 20 60 +"
updateref "ldaps://ldap-vip.corp.aptimus.net"
database monitor
/etc/openldap/ldap.conf: (same on all LDAP servers)
---------------------------------------------------
uri ldaps://localhost
base dc=unix,dc=aptimus,dc=net
network_timeout 0
sizelimit 0
timelimit 0
tls_cacert /etc/openldap/cacerts/cacert.pem
tls_reqcert demand
/etc/ldap.conf: (on client using slave)
---------------------------------------
uri ldaps://ldap-vip.dc1.aptimus.net
timelimit 10
bind_timelimit 10
bind_policy soft
base dc=unix,dc=aptimus,dc=net
scope sub
ssl on
tls_checkpeer no
tls_cacertfile /etc/openldap/cacert.pem (contents same as /etc/openldap/cacerts/cacert.pem)
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
/etc/pam.d/system-auth-ac:
--------------------------
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_ldap.so use_first_pass
auth required pam_deny.so
account required pam_unix.so broken_shadow
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account [default=bad success=ok user_unknown=ignore] pam_ldap.so
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3
password sufficient pam_unix.so sha256 shadow nullok try_first_pass use_authtok
password sufficient pam_ldap.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session optional pam_mkhomedir.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_ldap.so
13 years, 4 months
RE: RPM spec file
by Joe Friedeggs
> On 15/04/2010 16:38, Joe Friedeggs wrote:
>>
>> I need to build a Red Hat rpm for the latest OpenLDAP release. I am looking for spec file, howto page, or anything else that might speed up this project. Any advice/suggestions would be greatly appreciated.
>
> The folks at LTB-project maintain RPMs for recent OpenLDAP releases. You
> could either use their pre-built RPMs or grab their spec file from the
> repository:
>
> http://ltb-project.org/wiki/documentation/openldap-rpm
>
> Jonathan
I googled the HECK out of that rpm... how did I miss the LTB :-(
Thanks, Jonathan, that is just what I was looking for. And thanks to all others that provided input.
Joe
13 years, 4 months
openldap library and LDAP_OPT_X_KEEPALIVE_IDLE
by Fred MAISON
Hello,
Could someone tell me which openldap library version first included the
keepalive patches giving access to the following options:
LDAP_OPT_X_KEEPALIVE_IDLE
LDAP_OPT_X_KEEPALIVE_PROBES
LDAP_OPT_X_KEEPALIVE_INTERVAL
I have submitted a patch to freeradius for the rlm_ldap module that uses
those options to solve firewall/load-balancer LDAP session timeouts by
generating regular TCP keepalive packets on LDAP sockets, and I see my
current Linux distros do not seem to have a fresh enough openldap
library version to support this.
debian squeeze    libldap2-dev                   2.4.17
CentOS 5.4        openldap-devel-2.3.43-3.el5    2.3.43
Best regards
Fred MAISON
13 years, 4 months
_ldap.so: undefined symbol: gnutls_alert_send
by Jean-Sébastien Mansart
Hi.
I've got this error with a Zope/Plone site :
Traceback (most recent call last):
  File "/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py", line 56, in ?
    run()
  File "/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/run.py", line 21, in run
    starter.prepare()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py", line 102, in prepare
    self.startZope()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/Startup/__init__.py", line 278, in startZope
    Zope2.startup()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/__init__.py", line 47, in startup
    _startup()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/Zope2/App/startup.py", line 45, in startup
    OFS.Application.import_products()
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py", line 686, in import_products
    import_product(product_dir, product_name, raise_exc=debug_mode)
  File "/home/zope/z_sgec/Zope-2.10.11-final-py2.4/lib/python/OFS/Application.py", line 709, in import_product
    product=__import__(pname, global_dict, global_dict, silly)
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/__init__.py", line 22, in ?
    from Products.LDAPMultiPlugins.LDAPMultiPlugin import addLDAPMultiPluginForm
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPMultiPlugins-1.9-py2.4.egg/Products/LDAPMultiPlugins/LDAPMultiPlugin.py", line 29, in ?
    from Products.LDAPUserFolder import manage_addLDAPUserFolder
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/__init__.py", line 20, in ?
    from Products.LDAPUserFolder.LDAPUserFolder import LDAPUserFolder
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPUserFolder.py", line 47, in ?
    from Products.LDAPUserFolder.LDAPDelegate import filter_format
  File "/home/zope/z_sgec/buildout-cache/eggs/Products.LDAPUserFolder-2.16-py2.4.egg/Products/LDAPUserFolder/LDAPDelegate.py", line 19, in ?
    import ldap
  File "/home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/ldap/__init__.py", line 22, in ?
    from _ldap import *
ImportError: /home/zope/z_sgec/buildout-cache/eggs/python_ldap-2.3.11-py2.4-linux-i686.egg/_ldap.so: undefined symbol: gnutls_alert_send
I have installed gnutls 1.3, recompiled openldap, python-ldap, and so on,
but nothing works.
Could anyone help me?
Thanks.
--
Jean-Sébastien Mansart - Web Developer
Email : jean-sebastien.mansart(a)bayard-service.com
Tel : 04 79 26 28 29
Bayard Service Edition
Savoie Technolac - House Boat
BP308 - 73377 Le Bourget du Lac Cedex
www.bayardserviceweb.com
13 years, 4 months
Slow problem after some time
by Marco Pizzoli
Hi list,
I have a problem with my openldap 2.4.22 deployment.
Today I upgraded my architecture from 2-way openldap 2.4.20 to 3-way
openldap 2.4.22, but I continue to have the same problem of slowness some
time after my systems come up.
One of them in particular, but I'm aware that our balancing system heavily
prefers this one.
The symptom is that every search, even the same simple search executed
repeatedly, causes a CPU burst and is served in an enormous time,
sometimes 1m30s, even though after a cold start the same query is served in less
than a second.
My user database is accessed for Linux, AIX, DB2 and Oracle authentication.
I have the same searches fired repeatedly against my openldap instances.
I suspect I have a problem in the way I configured the memory to be
allocated.
My data on the user_db are quite static, but I have an accesslog writing
very much. Retaining 3 days of history, my db dir grows to about 11/12GB.
I'm using 4 different disks (and SCSI controllers) for userdb, logdb,
transaction log and OS.
Following is information about my environment. I can send more if necessary.
My user database is quite small:
1.5MB slapcat ldif
database hdb
suffix "dc=lancse,dc=csebo.it"
rootdn "cn=Manager,dc=lancse,dc=csebo.it"
rootpw {SSHA}mySecret
directory /srv/ldap/db_utenti
index cn eq
index ou eq
index objectClass eq
index uid eq
index gidNumber eq
index uidNumber eq
#index member pres,eq
index memberUid eq
index entryCSN eq
index entryUUID eq
index userPassword pres
index uniqueMember eq
limits dn="cn=Manager,dc=lancse,dc=csebo.it" size=unlimited
# cachesize: number of db entries to keep in cache.
# As of today (2010-04-20) in the user database we have
cachesize 2000000
# dncachesize: number of DNs to keep in memory.
# A value of 0 means no limit
#dncachesize 2000000
dncachesize 0
# idlcachesize: index-data-lookup cache. Number of index slots kept in memory
idlcachesize 2000000
# cachefree: how many entries to free at a time when the cache is saturated
cachefree 10
# checkpoint every 1MB of writes and/or every 30 minutes
checkpoint 1024 30
[root@ldap01 db_utenti]# ls -lhtr *.bdb
-rw------- 1 ldap ldap 44K Apr 26 18:09 uid.bdb
-rw------- 1 ldap ldap 40K Apr 26 18:09 gidNumber.bdb
-rw------- 1 ldap ldap 8.0K Apr 27 09:07 uniqueMember.bdb
-rw------- 1 ldap ldap 28K Apr 27 12:32 uidNumber.bdb
-rw------- 1 ldap ldap 40K Apr 27 12:32 ou.bdb
-rw------- 1 ldap ldap 32K Apr 28 11:04 memberUid.bdb
-rw------- 1 ldap ldap 36K Apr 28 16:14 userPassword.bdb
-rw------- 1 ldap ldap 164K Apr 28 16:14 objectClass.bdb
-rw------- 1 ldap ldap 72K Apr 28 16:14 entryUUID.bdb
-rw------- 1 ldap ldap 260K Apr 28 16:14 dn2id.bdb
-rw------- 1 ldap ldap 32K Apr 28 16:14 cn.bdb
-rw------- 1 ldap ldap 64K Apr 28 17:34 entryCSN.bdb
-rw------- 1 ldap ldap 2.0M Apr 28 17:39 id2entry.bdb
The DB_CONFIG is this:
# Use 256MB of cache split into 2 files
set_cachesize 0 268435456 2
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
# PUT THE TLOG DIR ON A DEDICATED FileSystem
set_lg_dir logs
# LOCK TUNING PARAMETERS
set_lk_max_objects 3000
set_lk_max_locks 3000
set_lk_max_lockers 3000
# ENABLE AUTOMATIC LOG REMOVAL
set_flags DB_LOG_AUTOREMOVE
-------------------------------------------------------------------------------------
This is the accesslog db dir
database hdb
suffix "cn=log01,dc=csebo.it"
rootdn "cn=Manager,cn=log01,dc=csebo.it"
rootpw mySecret
directory /srv/ldap/db_log
index entryUUID eq
index reqStart eq
index reqEnd eq
index objectClass eq
index reqType eq
index reqDN eq
index reqAuthzID eq
index reqEntries eq
index reqAttr eq
index reqResult eq
index reqFilter pres,eq
#index reqEntries eq
#index reqSession eq
#index reqResult eq
#index reqScope eq
#index reqDerefAliases eq
#index reqAttrsOnly eq
#index reqFilter eq,approx
#index reqTimeLimit eq,approx
#index reqSizeLimit eq,approx
limits dn="cn=Manager,cn=log01,dc=csebo.it" size=unlimited
# cachesize: number of db entries to keep in cache.
cachesize 150000
# dncachesize: number of DNs to keep in memory.
# A value of 0 means no limit
dncachesize 300000
# idlcachesize: index-data-lookup cache. Number of index slots kept in memory
# For bdb backends it is suggested to be equal to "cachesize"
# For hdb backends it is suggested to be at least 3 times "cachesize"
idlcachesize 450000
# cachefree: how many entries to free at a time when the cache is saturated
cachefree 10
# checkpoint every 4MB of writes and/or every 30 minutes
checkpoint 4096 30
[root@ldap01 db_log]# ls -lhtr
total 7.8G
drwx------ 2 ldap ldap 16K Feb 26 11:54 lost+found
lrwxrwxrwx 1 ldap ldap 26 Feb 26 12:11 logs -> ../transactionlogs/db_logs
-rw-r--r-- 1 ldap ldap 1.3K Apr 28 17:40 DB_CONFIG
-rw------- 1 ldap ldap 2.3M Apr 28 17:40 __db.004
-rw------- 1 ldap ldap 321M Apr 28 17:40 __db.003
-rw------- 1 ldap ldap 16M Apr 28 17:40 __db.002
-rw------- 1 ldap ldap 24K Apr 28 17:40 __db.001
-rw-r--r-- 1 ldap ldap 2.0K Apr 28 17:40 alock
-rw------- 1 ldap ldap 32K Apr 28 17:40 __db.006
-rw------- 1 ldap ldap 2.5M Apr 28 17:40 __db.005
-rw------- 1 ldap ldap 1.3M Apr 28 18:27 reqEntries.bdb
-rw------- 1 ldap ldap 21M Apr 28 18:27 reqFilter.bdb
-rw------- 1 ldap ldap 12M Apr 28 18:27 reqAttr.bdb
-rw------- 1 ldap ldap 1.7M Apr 28 18:27 reqType.bdb
-rw------- 1 ldap ldap 106M Apr 28 18:27 reqStart.bdb
-rw------- 1 ldap ldap 1.2M Apr 28 18:27 reqResult.bdb
-rw------- 1 ldap ldap 105M Apr 28 18:27 reqEnd.bdb
-rw------- 1 ldap ldap 6.3M Apr 28 18:27 reqDN.bdb
-rw------- 1 ldap ldap 5.7M Apr 28 18:27 reqAuthzID.bdb
-rw------- 1 ldap ldap 4.6M Apr 28 18:27 objectClass.bdb
-rw------- 1 ldap ldap 6.0G Apr 28 18:27 id2entry.bdb
-rw------- 1 ldap ldap 163M Apr 28 18:27 entryUUID.bdb
-rw------- 1 ldap ldap 1.1G Apr 28 18:27 dn2id.bdb
This is the DB_CONFIG file
# one 0.25 GB cache
set_cachesize 0 268435456 1
# Transaction Log settings
set_lg_regionmax 262144
set_lg_bsize 2097152
# PUT THE TLOG DIR ON A DEDICATED FileSystem
set_lg_dir logs
# Log size --> 60MB
set_lg_max 62914560
#set_lg_max 41943040
# LOCK TUNING PARAMETERS
set_lk_max_objects 3000
set_lk_max_locks 3000
set_lk_max_lockers 3000
My system has 15 GB of RAM. This is an example of my RAM situation when the
problem arises:
[root@ldap01 db_log]# free -m
total used free shared buffers cached
Mem: 14799 8009 6790 0 924 3160
-/+ buffers/cache: 3924 10875
Swap: 6143 8 6135
top -H
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ SWAP DATA COMMAND
9008 ldap 25 0 4806m 3.8g 346m S 0.0 26.5 0:10.69 880m 4.0g slapd2.4
9151 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 0:11.23 880m 4.0g slapd2.4
9152 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:37.42 880m 4.0g slapd2.4
9153 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 3:20.29 880m 4.0g slapd2.4
9154 ldap 15 0 4806m 3.8g 346m S 0.3 26.5 3:02.49 880m 4.0g slapd2.4
9155 ldap 16 0 4806m 3.8g 346m S 0.0 26.5 2:23.49 880m 4.0g slapd2.4
9156 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:14.86 880m 4.0g slapd2.4
9157 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:44.86 880m 4.0g slapd2.4
9158 ldap 16 0 4806m 3.8g 346m S 0.0 26.5 2:03.71 880m 4.0g slapd2.4
9163 ldap 16 0 4806m 3.8g 346m S 0.0 26.5 2:06.05 880m 4.0g slapd2.4
9164 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:46.38 880m 4.0g slapd2.4
9165 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:25.31 880m 4.0g slapd2.4
9170 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:12.04 880m 4.0g slapd2.4
9171 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:17.15 880m 4.0g slapd2.4
9172 ldap 18 0 4806m 3.8g 346m R 98.1 26.5 2:06.54 880m 4.0g slapd2.4
9173 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:39.32 880m 4.0g slapd2.4
9174 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:25.64 880m 4.0g slapd2.4
9175 ldap 15 0 4806m 3.8g 346m S 0.0 26.5 2:33.29 880m 4.0g slapd2.4
With dstat I can see that I *don't* have disk reads, only writes due to
the accesslog
---procs--- ------memory-usage----- ---paging-- -dsk/total- ---system-- ----total-cpu-usage---- ------memory-usage-----
run blk new| used buff cach free| in out | read writ| int csw |usr sys idl wai hiq siq| used buff cach free
2 0 2|3932M 926M 3178M 6764M| 0 0 | 0 559k| 246 445 | 24 0 75 0 0 0|3932M 926M 3178M 6764M
1 0 0|3932M 926M 3178M 6764M| 0 0 | 0 464k| 200 333 | 24 0 76 0 0 0|3932M 926M 3178M 6764M
1 0 2|3933M 926M 3178M 6764M| 0 0 | 0 408k| 213 309 | 24 1 75 0 0 0|3933M 926M 3178M 6764M
3 0 0|3932M 926M 3178M 6764M| 0 0 | 0 420k| 205 280 | 23 0 75 1 0 0|3932M 926M 3178M 6764M
3 0 0|3932M 926M 3178M 6764M| 0 0 | 0 376k| 210 349 | 23 0 77 0 0 0|3932M 926M 3178M 6764M
1 0 0|3932M 926M 3178M 6764M| 0 0 | 0 900k| 233 373 | 24 0 75 0 0 0|3932M 926M 3178M 6764M
1 0 0|3932M 926M 3178M 6764M| 0 0 | 0 356k| 208 446 | 22 1 77 0 0 0|3932M 926M 3178M 6764M
1 0 0|3932M 926M 3178M 6764M| 0 0 | 0 440k| 213 389 | 22 0 76 1 0 0|3932M 926M 3178M 6764M
1 0 0|3932M 926M 3178M 6764M| 0 0 | 0 403k| 200 306 | 23 1 75 1 0 0|3932M 926M 3178M 6764M
3 0 4|3932M 926M 3178M 6764M| 0 0 | 0 648k| 196 365 | 24 1 74 1 0 0|3932M 926M 3178M 6764M
2 0 0|3932M 926M 3178M 6764M| 0 0 | 0 572k| 246 287 | 22 2 75 0 0 0|3932M 926M 3178M 6764M
1 0 2|3932M 926M 3179M 6763M| 0 0 | 0 552k| 197 256 | 25 1 73 1 0 0|3932M 926M 3179M 6763M
2 0 0|3932M 926M 3179M 6763M| 0 0 | 0 368k| 210 259 | 23 1 75 0 0 0|3932M 926M 3179M 6763M
2 0 0|3932M 926M 3179M 6763M| 0 0 | 0 4228k| 203 272 | 24 1 73 2 0 0|3932M 926M 3179M 6763M
2 0 0|3932M 926M 3179M 6763M| 0 0 | 0 440k| 218 346 | 23 1 76 0 0 0|3932M 926M 3179M 6763M
4 0 0|3932M 926M 3179M 6763M| 0 0 | 0 499k| 215 359 | 24 0 75 1 0 0|3932M 926M 3179M 6763M
2 0 0|3932M 926M 3179M 6763M| 0 0 | 0 348k| 215 313 | 25 0 74 1 0 0|3932M 926M 3179M 6763M
1 0 0|3932M 926M 3179M 6763M| 0 0 | 0 360k| 166 245 | 24 0 75 1 0 0|3932M 926M 3179M 6763M
2 0 7|3933M 926M 3179M 6762M| 0 0 | 0 432k| 225 393 | 25 3 71 0 0 0|3933M 926M 3179M 6762M
2 0 0|3933M 926M 3179M 6762M| 0 0 | 0 508k| 206 353 | 24 1 75 0 0 0|3933M 926M 3179M 6762M
1 0 2|3933M 926M 3179M 6762M| 0 0 | 0 716k| 254 342 | 25 1 75 0 0 0|3933M 926M 3179M 6762M
2 0 0|3933M 926M 3179M 6762M| 0 0 | 0 436k| 252 361 | 24 0 75 0 0 0|3933M 926M 3179M 6762M
1 0 0|3933M 926M 3179M 6762M| 0 0 | 0 456k| 226 359 | 24 0 75 1 0 0|3933M 926M 3179M 6762M
I also have password_policy with forwarding of operational attributes, and
the auditlog overlay.
Thanks in advance
Marco
--
_________________________________________
Strong is not the one who never falls, but the one who, having fallen, has the strength to get back up.
Jim Morrison
13 years, 5 months
How to correctly escape search filters
by Jeremiah Martell
I've been trying to research how to correctly escape search filters, and I
can't find any single
reliable source that makes sense.
I look at RFC 2253 (http://www.ietf.org/rfc/rfc2253.txt) section 2.4,
and this IBM webpage (
http://publib.boulder.ibm.com/infocenter/iseries/v5r3/index.jsp?topic=/rz...
),
and they both seem to suggest that you need to escape (for example) the '+'
sign.
But when I escape a search filter like this:
(&(objectclass=person)(facsimileTelephoneNumber=+1234))
to this:
(&(objectclass=person)(facsimileTelephoneNumber=\+1234))
it results in a bad filter.
My hunch is that perhaps DNs, attribute names, and attribute values are all
escaped differently.
Is there a simple explanation online on how to escape search filters?
Thanks,
- Jeremiah
13 years, 5 months
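The post touches on two different escaping rules. As an added example (not code from the thread), the following shows the distinction: inside a search filter, RFC 4515 escapes only `\`, `*`, `(`, `)` and NUL, each as a backslash plus two hex digits of its UTF-8 bytes, so `\+` is not a valid filter escape and a literal `+` needs none; inside a DN, RFC 4514 (the successor to RFC 2253) escapes `+`, `,`, `"`, `;`, `<`, `>`, `\`, a leading `#` or space and a trailing space with a single backslash. The filter-escaping function is also what prevents an untrusted value from breaking out of a filter.

```python
"""RFC 4515 filter-value escaping versus RFC 4514 DN-value escaping (added example)."""

# Characters RFC 4515 requires to be escaped inside a filter assertion value.
# Anything else, '+' included, is passed through literally.
FILTER_SPECIALS = {"\\", "*", "(", ")", "\x00"}

# Characters RFC 4514 requires to be escaped anywhere inside a DN attribute value
# (leading '#'/space and trailing space are handled positionally below).
DN_SPECIALS = {'"', "+", ",", ";", "<", ">", "\\"}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter.

    RFC 4515 form: backslash followed by exactly two hex digits per UTF-8 byte,
    e.g. '*' -> '\\2a'. A backslash followed by a non-hex character ('\\+')
    makes the whole filter malformed, which is the "bad filter" error.
    """
    out = []
    for ch in value:
        if ch in FILTER_SPECIALS:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def escape_dn_value(value: str) -> str:
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4).

    Here the escape is a single backslash before the literal character;
    NUL is the one character written as '\\00'.
    """
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in DN_SPECIALS:
            out.append("\\" + ch)
        elif ch == " " and (i == 0 or i == last):
            out.append("\\ ")
        elif ch == "#" and i == 0:
            out.append("\\#")
        else:
            out.append(ch)
    return "".join(out)


def build_person_filter(fax: str) -> str:
    """Build the filter from the post with the (possibly untrusted) value escaped."""
    return f"(&(objectclass=person)(facsimileTelephoneNumber={escape_filter_value(fax)}))"
```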
Re: openldap 2.4.21 - back-ldap + pcache ... backend binding
by repudi8or repu
On Tue, Apr 27, 2010 at 3:43 PM, repudi8or repu <repudi8or(a)gmail.com> wrote:
> Thanks for the response Masarati,
>
> I have setup with mode=self, but still the same error.
>
> Maybe I'm having a conceptual issue here. What I am trying to do is ensure
> the backend functions prior to looking at configuring the frontend
> correctly. I am configuring the Solaris OpenLDAP slapd with back-ldap and
> pcache and am expecting to be able to simulate a frontend authentication
> process using ldapsearch to the Solaris OpenLDAP proxy. The backend LDAP
> service is AD @ backendldap.core.dir.mycompany.com. The proxy box I will
> refer to as openldapproxy (openldapproxy.core.dir.mycompany.com)
>
> My database ldap section now looks like this :-
>
> database ldap
> uri "ldap://backendldap.core.dir.mycompany.com"
> suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
> rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
> idassert-bind
>     bindmethod=simple binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" credentials="password"
>     mode=self
>
> I am testing by running ldapsearch on the openldapproxy host itself in the
> following manner :-
> # /usr/local/bin/ldapsearch -x -h localhost -b
> ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com employeeID=12345678
>
> The proxied bind goes out to the backend AD as I have shown in the
> discussion below. The response returned is :-
> # filter: employeeID=12345678
> # requesting: ALL
> #
> # search result
> search: 2
> result: 48 Inappropriate authentication
> # numResponses: 1
>
> Running slapd in diag mode I see the following in the debug output :-
> do_bind: v3 anonymous bind
> connection_get(11)
> connection_get(11): got connid=1014
> connection_read(11): checking for input on id=1014
> ber_get_next
> ber_get_next: tag 0x30 len 105 contents:
> op tag 0x63, time 1272346583
> ber_get_next
> conn=1014 op=1 do_search
> ber_scanf fmt ({miiiib) ber:
> >>> dnPrettyNormal:
> <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>
> => ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com,0)
> <= ldap_bv2dn(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com)=0
> <<< dnPrettyNormal:
> <ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com>,
> <ou=people,ou=eprofile,dc=core,dc=dir,dc=mycompany,dc=com>
> SRCH "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com" 2 0 0 0
> 0
> ber_scanf fmt ({mm}) ber:
> filter: (?=undefined)
> ber_scanf fmt ({M}}) ber:
> attrs:
> ==> limits_get: conn=1014 op=1 self="[anonymous]"
> this="ou=people,ou=eprofile,dc=core,dc=dir,dc=telstra,dc=com"
> send_ldap_result: conn=1014 op=1 p=3
> send_ldap_result: err=48 matched="" text=""
> send_ldap_response: msgid=2 tag=101 err=48
> Note the anonymous bind, I need this to be a simply authenticated bind
> using the idassert binddn and credentials
> Note the "self="[anonymous]"............... I was expecting that it should
> have been self=[USERID_THAT_RAN_THE_LDAPSEARCH]
>
> Regards Rep
> On Tue, Apr 27, 2010 at 1:55 PM, <masarati(a)aero.polimi.it> wrote:
>
>> > Hi Folks,
>> >
>> > I am having troubles configuring openldap to my requirements.
>> >
>> > I am setting up an openldap server running on solaris 10 x86 to use as
>> > an ldap proxy authentication server.
>> >
>> > My issue is that I can't get it to send authenticated simple binds to the
>> > backend ldap system. I am running wireshark and when I ldapsearch directly
>> > to
>> > the backend ldap I see a bind which looks like this :-
>> > Lightweight-Directory-Access-Protocol
>> > LDAPMessage bindRequest(1)
>> > "cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com" simple
>> > messageID: 1
>> > protocolOp: bindRequest (0)
>> > bindRequest
>> > version: 3
>> > name:
>> > cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com
>> > authentication: simple (0)
>> > simple: 384174656C73747261316732
>> >
>> > However when I initiate an ldapsearch to my local solaris slapd and
>> > capture
>> > the proxied back-ldap bind to the backend ldap system it looks like this
>> :-
>> > Lightweight-Directory-Access-Protocol
>> > LDAPMessage bindRequest(1) "<ROOT>" simple
>> > messageID: 1
>> > protocolOp: bindRequest (0)
>> > bindRequest
>> > version: 3
>> > name:
>> > authentication: simple (0)
>> > simple: <MISSING>
>> >
>> > I am having trouble working out from the documentation if it should be
>> > acl-bind or idassert-bind or some other option which influences the
>> > backend
>> > bind. I have tried both those to no avail.
>> > Here is the "database ldap" section from my slapd.conf
>> >
>> > #######################################################################
>> > # ldap database definitions
>> > #######################################################################
>> > database ldap
>> > uri "ldap://backendldap.core.dir.mycompany.com"
>> > suffix "ou=People,ou=eProfile,dc=core,dc=dir,dc=mycompany,dc=com"
>> > rootdn "dc=core,dc=dir,dc=mycompany,dc=com"
>> > acl-bind bindmethod=simple
>> > binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>> > credentials="password"
>> > idassert-bind bindmethod=simple
>> > binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>> > credentials="password"
>>
>> The relevant directive is "idassert-bind", since you appear to be looking
>> for an identity assertion. I hope what you posted was screwed up by the
>> mailer: continuation lines must start with whitespace. What is missing
>> above is the "mode=self" parameter to "idassert-bind". Try something like
>>
>> idassert-bind bindmethod=simple
>>     binddn="cn=mybindid,cn=users,dc=core,dc=dir,dc=mycompany,dc=com"
>>     credentials="password"
>>     mode=self
>>
>> p.
>>
>> > overlay pcache
>> > proxycache bdb 400 1 50 1200
>> > directory /var/openldap-data
>> > cachesize 10000
>> > index cn,sn,uid pres,eq,sub
>> > index objectclass eq
>> >
>> > proxycachequeries 400
>> > proxyattrset 0 uid mail cn sn givenName
>> > proxytemplate (uid=) 0 600
>> > proxytemplate (mail=) 0 600
>> > proxytemplate (&(uid=)(mail=)) 0 600
>> >
>> > Any help would be greatly appreciated
>> >
>> > Regards Rep
>> >
>>
>>
>>
>
13 years, 5 months