Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I search, I
want only a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an
idea about this error?
Error: Died at vlv.pl line 50
This is my example; the original line 50 is marked with a comment.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by Net::LDAP for every entry the search returns
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry so it is not kept in memory
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],    # VLV requires a server-side sort control
);
my $mesg = $ldap->search(@args);
# Get VLV response control (this is line 50 of the original script, where it dies)
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
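A bare `or die` after `$mesg->control(...)` fires whenever the search returned no VLV response control, which happens both when the server does not implement VLV and when the search itself failed; the result code and the root DSE tell which. The script below is an added example, not the poster's code; the host and base DN are placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_VLVREQUEST LDAP_CONTROL_VLVRESPONSE
    LDAP_SUCCESS
);

# Placeholders (assumed values): replace with your own server and base.
my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

# 1. Ask the root DSE whether the server advertises both controls.
#    VLV is only defined on top of server-side sorting, so both are needed.
my $dse = $ldap->root_dse( attrs => ['supportedControl'] )
    or die "could not read root DSE: " . $ldap->error . "\n";
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST ) {
    die "server does not list control $oid in supportedControl; "
      . "on OpenLDAP the sssvlv overlay provides it\n"
      unless $dse->supported_control($oid);
}

# 2. Send the page request. Marking both controls critical makes a server
#    that cannot honour them return an error instead of a silently unpaged
#    result set.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn', critical => 1 );
my $vlv  = Net::LDAP::Control::VLV->new(
    before  => 0,
    after   => 19,
    content => 0,
    offset  => 1,
    critical => 1,
);
my $mesg = $ldap->search(
    base    => $base,
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn'],
    control => [ $sort, $vlv ],
);

# 3. Check the result code before touching any response control; a failed
#    search carries no VLV response, which is exactly what makes a bare
#    "or die" fire.
die sprintf( "search failed: %s (%d): %s\n",
    $mesg->error_name, $mesg->code, $mesg->error )
    if $mesg->code != LDAP_SUCCESS;

my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "search succeeded but no VLV response control was returned\n";
$vlv->response($resp);    # updates the control's offset and content size

printf "page holds %d entries; server reports %d entries in total, target at offset %d\n",
    $mesg->count, $vlv->content, $vlv->offset;
```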
7 years
Certificate authentication and back-ldap proxy
by Ubay Dorta Guerra
Hi,
We have some problems with certificate authentication when the master
server is behind a back-ldap proxy.
We have openldap 2.4.21 on Suse Linux Enterprise Server 10 SP3 and
these are the details of our scenario:
The master server: server1.example.com has the following slapd.conf file:
access to dn.base=""
    by * read
access to dn.base="cn=Subschema"
    by * read
access to attrs=userPassword,userPKCS12
    by self write
    by dn.exact="CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU" read
    by * auth
access to attrs=shadowLastChange
    by self write
    by * read
access to *
    by * read
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /etc/ssl/certs/server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/server1.example.com.key
TLSCACertificatePath /etc/ssl/cacerts/
TLSVerifyClient demand
#
# Log level
#
loglevel 256
# Require authentication
require authc
#######################################################################
# HDB database definitions
#######################################################################
database hdb
suffix "dc=example,dc=com"
checkpoint 1024 5
cachesize 10000
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
# Indices to maintain
index objectClass eq
# Overlay ppolicy
overlay ppolicy
----------------------
Authentication is required, and we give access to the user passwords
for the dn of a certificate.
When we search for passwords using the certificate we get the following:
root# ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://server1.example.com userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
-----------------------
The root user (ldap client) has a ~/.ldaprc file with:
TLS_CACERTDIR /etc/ssl/cacerts/
TLS_CERT /etc/ssl/certs/admin_w_cert.pem
TLS_KEY /etc/ssl/private/admin_w_cert.key
TLS_REQCERT demand
SASL_MECH EXTERNAL
In /var/log/messages we get:
ldap-master[22358]: conn=1000 fd=11 ACCEPT from
IP=server1.example.com:40899 (IP=server1.example.com:636)
ldap-master[22358]: conn=1000 fd=11 TLS established tls_ssf=256 ssf=256
ldap-master[22358]: conn=1000 op=0 BIND dn="" method=163
ldap-master[22358]: conn=1000 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-master[22358]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-master[22358]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22358]: conn=1000 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-master[22358]: conn=1000 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1000 op=1 SEARCH RESULT tag=101 err=0
nentries=1 text=
ldap-master[22358]: conn=1000 op=2 UNBIND
ldap-master[22358]: conn=1000 fd=11 closed
This is the correct behavior for us. The problem appears when we
introduce a back-ldap proxy between the client and the master.
The proxy server (proxy-server1.example.com) is listening on port
1636 and its slapd.conf file is:
#
# Security SSL
#
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCACertificatePath /etc/ssl/cacerts/
TLSCertificateFile /etc/ssl/certs/proxy-server1.example.com.pem
TLSCertificateKeyFile /etc/ssl/private/proxy-server1.example.com.key
TLSVerifyClient demand
# Log level
loglevel 256
#######################################################################
# Database definitions
#######################################################################
database ldap
rebind-as-user true
suffix "dc=example,dc=com"
uri "ldaps://server1.example.com"
tls ldaps
    tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
    tls_key=/etc/ssl/private/proxy-server1.example.com.key
    tls_cacertdir=/etc/ssl/cacerts/
----------------------
If we search for passwords through the proxy we get:
root # ldapsearch -LLL -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 userPassword
SASL/EXTERNAL authentication started
SASL username: CN=admin_w_cert,O=Internet Widgits Pty Ltd,ST=Some-State,C=AU
SASL SSF: 0
Server is unwilling to perform (53)
Additional information: authentication required
In the /var/log/messages the following messages appear:
ldap-proxy[22802]: conn=1001 fd=8 ACCEPT from
IP=proxy-server1.example.com:60712 (IP=proxy-server1.example.com:1636)
ldap-proxy[22802]: conn=1001 fd=8 TLS established tls_ssf=256 ssf=256
ldap-proxy[22802]: conn=1001 op=0 BIND dn="" method=163
ldap-proxy[22802]: conn=1001 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[22802]: conn=1001 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[22802]: conn=1001 op=0 RESULT tag=97 err=0 text=
ldap-proxy[22802]: conn=1001 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-proxy[22802]: conn=1001 op=1 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-master[22358]: conn=1008 op=2 SRCH attr=userPassword
ldap-master[22358]: conn=1008 op=2 SEARCH RESULT tag=101 err=53
nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=1 SEARCH RESULT tag=101 err=53
nentries=0 text=authentication required
ldap-proxy[22802]: conn=1001 op=2 UNBIND
ldap-proxy[22802]: conn=1001 fd=8 closed
The /root/.ldaprc file is the same as the previous one.
When we increase the logging level we discover this:
....
ldap-proxy[23008]: conn=1000 op=0 do_bind
ldap-proxy[23008]: >>> dnPrettyNormal: <>
ldap-proxy[23008]: <<< dnPrettyNormal: <>, <>
ldap-proxy[23008]: conn=1000 op=0 BIND dn="" method=163
ldap-proxy[23008]: do_bind: dn () SASL mech EXTERNAL
ldap-proxy[23008]: ==> sasl_bind: dn="" mech=EXTERNAL datalen=0
ldap-proxy[23008]: SASL Canonicalize [conn=1000]:
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: slap_sasl_getdn: conn 1000
id=cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au [len=61]
ldap-proxy[23008]: ==>slap_sasl2dn: converting SASL name
cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au to a DN
ldap-proxy[23008]: <==slap_sasl2dn: Converted SASL name to <nothing>
ldap-proxy[23008]: SASL Canonicalize [conn=1000]:
slapAuthcDN="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL proxy authorize [conn=1000]:
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: conn=1000 op=0 BIND
authcid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
authzid="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
ldap-proxy[23008]: SASL Authorize [conn=1000]: proxy authorization
allowed authzDN=""
ldap-proxy[23008]: send_ldap_sasl: err=0 len=-1
ldap-proxy[23008]: conn=1000 op=0 BIND dn="cn=admin_w_cert,o=internet
widgits pty ltd,st=some-state,c=au" mech=EXTERNAL sasl_ssf=0 ssf=256
ldap-proxy[23008]: do_bind: SASL/EXTERNAL bind:
dn="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
sasl_ssf=0
ldap-proxy[23008]: send_ldap_response: msgid=1 tag=97 err=0
ldap-proxy[23008]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-proxy[23008]: <== slap_sasl_bind: rc=0
....
ldap-proxy[23008]: conn=1000 op=1 SRCH
base="uid=user_w_pass,ou=people,dc=example,dc=com" scope=2 deref=0
filter="(objectClass=*)"
ldap-proxy[23008]: conn=1000 op=1 SRCH attr=userPassword
ldap-proxy[23008]: ==> limits_get: conn=1000 op=1
self="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au"
this="uid=user_w_pass,ou=people,dc=example,dc=com"
ldap-master[22983]: daemon: activity on 1 descriptor
ldap-master[22983]: daemon: activity on:
ldap-master[22983]:
ldap-master[22983]: slap_listener_activate(7):
ldap-master[22983]: daemon: epoll: listen=7 busy
ldap-master[22983]: >>> slap_listener(ldaps://server1.example.com)
.....
ldap-master[22983]: conn=1000 op=0 do_bind
ldap-master[22983]: >>> dnPrettyNormal: <>
ldap-master[22983]: <<< dnPrettyNormal: <>, <>
ldap-master[22983]: conn=1000 op=0 BIND dn="" method=128
ldap-master[22983]: do_bind: version=3 dn="" method=128
ldap-master[22983]: send_ldap_result: conn=1000 op=0 p=3
ldap-master[22983]: send_ldap_result: err=0 matched="" text=""
ldap-master[22983]: send_ldap_response: msgid=1 tag=97 err=0
ldap-master[22983]: conn=1000 op=0 RESULT tag=97 err=0 text=
ldap-master[22983]: do_bind: v3 anonymous bind
----------------
Therefore the proxy is binding anonymously in the master, instead of
using the dn of the certificate.
Is there any problem with the SASL EXTERNAL method?
If we use SIMPLE authentication through the proxy, there is no problem:
root # ldapsearch -LLL -x -b 'uid=user_w_pass,ou=people,dc=example,dc=com' -H ldaps://proxy-server1.example.com:1636 -D 'uid=user_w_pass,ou=people,dc=example,dc=com' -W userPassword
Enter LDAP Password:
dn: uid=user_w_pass,ou=people,dc=example,dc=com
userPassword:: e2NyeXB0fTcyMXpQbU4waWdKaU0=
Thanks in advance.
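The master never sees the client's certificate: the TLS session with the client ends at the proxy, so the only identity the master can verify is the proxy's own, and rebind-as-user has no credentials to replay for a SASL/EXTERNAL bind. The usual remedy is identity assertion, where the proxy binds as itself and asserts the client's DN on each operation, the same mechanism the back-ldap/nssov post further down this page uses. The fragments below are an added example, not the poster's configuration; the proxy account DN, its password placeholder and the authzTo regex are assumptions to adapt.

```conf
# --- proxy-server1.example.com: back-ldap database (added example) ---
database ldap
suffix   "dc=example,dc=com"
uri      "ldaps://server1.example.com"
tls ldaps
    tls_cert=/etc/ssl/certs/proxy-server1.example.com.pem
    tls_key=/etc/ssl/private/proxy-server1.example.com.key
    tls_cacertdir=/etc/ssl/cacerts/
# The proxy authenticates to the master with a dedicated account (assumed
# to exist on the master) and asserts the client's DN per operation via
# the proxyAuthz control; rebind-as-user is not needed for this.
idassert-bind
    bindmethod=simple
    binddn="cn=proxy-server1,ou=proxies,dc=example,dc=com"
    credentials="PROXY-PASSWORD-PLACEHOLDER"
    mode=self
# Only identities derived from client certificates under this subject
# naming may be asserted; other clients reach the master anonymously.
idassert-authzFrom "dn.regex:^cn=[^,]+,o=internet widgits pty ltd,st=some-state,c=au$"

# --- server1.example.com: let the proxy account assert those identities ---
# The master now trusts the proxy for every DN this regex admits, so keep
# it as narrow as the certificate naming allows.
authz-policy to
# authzTo is stored on the proxy account's entry (LDIF, assumed):
#   dn: cn=proxy-server1,ou=proxies,dc=example,dc=com
#   authzTo: dn.regex:^cn=[^,]+,o=internet widgits pty ltd,st=some-state,c=au$
```

With this in place the master log shows the proxy account's BIND followed by the asserted DN on each operation, and the existing ACL on userPassword applies to that asserted DN exactly as it does for the direct connection.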
12 years, 5 months
cn=config and ACL formatting
by Victor Mataré
Hi everyone,
I just switched our servers from slapd.conf to cn=config in slapd.d, and I'm a bit annoyed with my ACLs now. The problem is that olcAccess attributes tend to be somewhat lengthy and I'd really appreciate some newlines in them, but slapd seems to eat those. Is there any way to tell the server to preserve the newlines in attribute values, or maybe use some other character that causes a line break?
Of course I might edit the files in /etc/slapd.d, but then the whole cn=config thingy becomes pointless, doesn't it?
greetings,
Victor
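slapd parses an ACL into tokens and writes the olcAccess value back as a single line, so no character survives as a line break inside the stored value; what you can control is the LDIF you hand to ldapmodify, where RFC 2849 folding (a continuation line starting with one space) lets you keep one `by` clause per line. The script below is an added example, not from the thread; the sample ACL and the `olcDatabase={1}hdb` DN are constructed.

```perl
#!/usr/bin/perl
# Fold a long olcAccess value into LDIF continuation lines so the file fed
# to ldapmodify reads one "by" clause per line. slapd still stores the value
# as one line; the folding only helps whoever edits the LDIF.
use strict;
use warnings;

# Break an attribute value into LDIF lines of at most $width characters.
# Lines are split preferably before " by " clauses; every continuation
# line starts with a single space, which ldapmodify strips when unfolding.
sub fold_ldif_attr {
    my ( $attr, $value, $width ) = @_;
    $width //= 76;    # line length RFC 2849 recommends

    # Split before every " by " so each clause can start its own line; the
    # clause keeps its leading space so unfolding restores the original.
    my @chunks = split /(?= by )/, $value;

    my @lines = ( "$attr: " . shift @chunks );
    push @lines, " $_" for @chunks;    # fold marker + clause

    # Hard-wrap anything still too long; each new piece is a continuation.
    my @out;
    for my $line (@lines) {
        while ( length $line > $width ) {
            push @out, substr( $line, 0, $width );
            $line = ' ' . substr( $line, $width );
        }
        push @out, $line;
    }
    return join( "\n", @out ) . "\n";
}

# Inverse: unfold an LDIF attribute record back to (attribute, value).
# A continuation line loses exactly its first character. Base64 ("::")
# values are not handled; values needing base64 would be folded the same way.
sub unfold_ldif_attr {
    my ($text) = @_;
    my @lines = split /\n/, $text;
    my $joined = shift @lines;
    $joined .= substr( $_, 1 ) for @lines;
    my ( $attr, $value ) = $joined =~ /^([^:]+): (.*)$/s;
    return ( $attr, $value );
}

# Constructed sample: one ACL as it would sit in olcDatabase={1}hdb,cn=config.
my $acl = '{0}to attrs=userPassword,userPKCS12 by self write '
        . 'by dn.exact="cn=admin_w_cert,o=internet widgits pty ltd,st=some-state,c=au" read '
        . 'by * auth';

my $folded = fold_ldif_attr( 'olcAccess', $acl );
print "dn: olcDatabase={1}hdb,cn=config\nchangetype: modify\nreplace: olcAccess\n",
      $folded, "-\n";

# Round trip: what ldapmodify actually sends is the original one-line value.
my ( undef, $back ) = unfold_ldif_attr($folded);
die "fold/unfold round trip changed the value\n" unless $back eq $acl;
```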
12 years, 8 months
Back-ldap configuration and id-assertion.
by Mustafa A. Hashmi
Hi all,
I am wondering if I am going about my setup the right way and am
hoping someone can give me a bit of input.
Using openldap-2.4.23 on Debian Linux, I have nssov configured to
retrieve host, user and group information on my primary server, with
back-ldap and nssov configured on a secondary machine doing the same.
The back-ldap configuration is as follows:
database ldap
suffix dc=zivios,dc=net
uri "ldap://dev03.zivios.net"
acl-bind bindmethod=simple binddn="" credentials=""
idassert-bind
    bindmethod=simple
    mode=self
    binddn="uid=zproxyauth,ou=zusers,ou=core control,ou=zivios,dc=zivios,dc=net"
    credentials="foo"
idassert-authzFrom "dn.regex:.*"
overlay nssov
nssov-map group uniqueMember member
nssov-ssd passwd ldap:///dc=zivios,dc=net??sub
nssov-ssd group ldap:///dc=zivios,dc=net??sub
nssov-ssd hosts ldap:///dc=zivios,dc=net??sub
nssov-pam hostservice
nssov-pam-session sshd
nssov-pam-session login
On the primary server, I have the authz policy set to "to", with an
authzto rule as follows for the zproxyauth user:
{0}ldap:///dc=zivios,dc=net??sub?(objectClass=posixAccount)
I have setup appropriate ACLs that allow access to the
authorizedService attribute for certain groups and, testing ssh &
logins is working as required (on the primary server). However, when
connections come in from the back-ldap server, the proxy auth works
initially, with every "other" request failing. The back-ldap server
log reports:
send_ldap_result: err=123 matched="" text="anonymous proxied
authorization not allowed"
This is quite easily reproducible via simple getent passwd/group
calls. Every second request fails with the aforementioned error. SSH
access to the secondary server (with a successful regex, id-assertion
and compare operation) works if I restart the back-ldap server,
however, all subsequent requests fail.
Below is the complete log of a failed request from the back-ldap
server on a getent passwd command:
dev02:/opt/zivios/openldap/etc/openldap# getent passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
sshd:x:101:65534::/var/run/sshd:/usr/sbin/nologin
zopenldap:x:945:945::/home/zopenldap:/bin/false
daemon: activity on 1 descriptor
daemon: activity on: 10r
daemon: read active on 10
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
connection_get(10)
connection_get(10): got connid=0
nssov: connection from uid=0 gid=0
daemon: activity on 1 descriptor
daemon: activity on:
daemon: epoll: listen=7 active_threads=0 tvp=NULL
daemon: epoll: listen=8 active_threads=0 tvp=NULL
daemon: epoll: listen=9 active_threads=0 tvp=NULL
nssov_passwd_all()
str2filter "(objectClass=posixAccount)"
put_filter: "(objectClass=posixAccount)"
put_filter: simple
put_simple_filter: "objectClass=posixAccount"
begin get_filter
EQUALITY
ber_scanf fmt ({mm}) ber:
ber_dump: buf=0xf6e8f010 ptr=0xf6e8f010 end=0xf6e8f02d len=29
0000: a3 1b 04 0b 6f 62 6a 65 63 74 43 6c 61 73 73 04 ....objectClass.
0010: 0c 70 6f 73 69 78 41 63 63 6f 75 6e 74 .posixAccount
end get_filter 0
=>ldap_back_getconn: conn 0x9398940 fetched refcnt=1.
ldap_search_ext
put_filter: "(objectClass=posixAccount)"
put_filter: simple
put_simple_filter: "objectClass=posixAccount"
ldap_build_search_req ATTRS: uid userPassword uidNumber gidNumber
gecos cn homeDirectory loginShell objectClass
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x9397070 ptr=0x9397070 end=0x939716f len=255
0000: 30 81 fc 02 01 13 63 81 9c 04 10 64 63 3d 7a 69 0.....c....dc=zi
0010: 76 69 6f 73 2c 64 63 3d 6e 65 74 0a 01 02 0a 01 vios,dc=net.....
0020: 00 02 01 00 02 01 00 01 01 00 a3 1b 04 0b 6f 62 ..............ob
0030: 6a 65 63 74 43 6c 61 73 73 04 0c 70 6f 73 69 78 jectClass..posix
0040: 41 63 63 6f 75 6e 74 30 5c 04 03 75 69 64 04 0c Account0\..uid..
0050: 75 73 65 72 50 61 73 73 77 6f 72 64 04 09 75 69 userPassword..ui
0060: 64 4e 75 6d 62 65 72 04 09 67 69 64 4e 75 6d 62 dNumber..gidNumb
0070: 65 72 04 05 67 65 63 6f 73 04 02 63 6e 04 0d 68 er..gecos..cn..h
0080: 6f 6d 65 44 69 72 65 63 74 6f 72 79 04 0a 6c 6f omeDirectory..lo
0090: 67 69 6e 53 68 65 6c 6c 04 0b 6f 62 6a 65 63 74 ginShell..object
00a0: 43 6c 61 73 73 a0 58 30 56 04 18 32 2e 31 36 2e Class.X0V..2.16.
00b0: 38 34 30 2e 31 2e 31 31 33 37 33 30 2e 33 2e 34 840.1.113730.3.4
00c0: 2e 31 38 04 3a 64 6e 3a 67 69 64 4e 75 6d 62 65 .18.:dn:gidNumbe
00d0: 72 3d 30 2b 75 69 64 4e 75 6d 62 65 72 3d 30 2c r=0+uidNumber=0,
00e0: 63 6e 3d 70 65 65 72 63 72 65 64 2c 63 6e 3d 65 cn=peercred,cn=e
00f0: 78 74 65 72 6e 61 6c 2c 63 6e 3d 61 75 74 68 xternal,cn=auth
ber_scanf fmt ({) ber:
ber_flush2: 255 bytes to sd 13
ldap_write: want=255, written=255
ldap_result ld 0x9398980 msgid 19
wait4msg ld 0x9398980 msgid 19 (timeout 100000 usec)
wait4msg continue ld 0x9398980 msgid 19 all 0
** ld 0x9398980 Connections:
* host: dev03.zivios.net port: 389 (default)
refcnt: 2 status: Connected
last used: Tue Aug 31 20:07:02 2010
** ld 0x9398980 Outstanding Requests:
* msgid 19, origid 19, status InProgress
outstanding referrals 0, parent count 0
ld 0x9398980 request count 1 (abandoned 0)
** ld 0x9398980 Response Queue:
Empty
ld 0x9398980 response count 0
ldap_chkResponseList ld 0x9398980 msgid 19 all 0
ldap_chkResponseList returns ld 0x9398980 NULL
ldap_int_select
read1msg: ld 0x9398980 msgid 19 all 0
ber_get_next
ldap_read: want=8, got=8
0000: 30 37 02 01 13 65 32 0a 07...e2.
ldap_read: want=49, got=49
0000: 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f 75 73 20 .{...+anonymous
0010: 70 72 6f 78 69 65 64 20 61 75 74 68 6f 72 69 7a proxied authoriz
0020: 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c 6f 77 65 ation not allowe
0030: 64 d
ber_get_next: tag 0x30 len 55 contents:
ber_dump: buf=0x93988f0 ptr=0x93988f0 end=0x9398927 len=55
0000: 02 01 13 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e ...e2..{...+anon
0010: 79 6d 6f 75 73 20 70 72 6f 78 69 65 64 20 61 75 ymous proxied au
0020: 74 68 6f 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 thorization not
0030: 61 6c 6c 6f 77 65 64 allowed
read1msg: ld 0x9398980 msgid 19 message type search-result
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52
0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo
0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho
0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all
0030: 6f 77 65 64 owed
ldap_chase_referrals
read1msg: V2 referral chased, mark request completed, id = 19
read1msg: ld 0x9398980 0 new referrals
read1msg: mark request completed, ld 0x9398980 msgid 19
request done: ld 0x9398980 msgid 19
res_errno: 123, res_error: <anonymous proxied authorization not
allowed>, res_matched: <>
ldap_free_request (origid 19, msgid 19)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x93988f0 ptr=0x93988f3 end=0x9398927 len=52
0000: 65 32 0a 01 7b 04 00 04 2b 61 6e 6f 6e 79 6d 6f e2..{...+anonymo
0010: 75 73 20 70 72 6f 78 69 65 64 20 61 75 74 68 6f us proxied autho
0020: 72 69 7a 61 74 69 6f 6e 20 6e 6f 74 20 61 6c 6c rization not all
0030: 6f 77 65 64 owed
ber_scanf fmt (}) ber:
ber_dump: buf=0x93988f0 ptr=0x9398927 end=0x9398927 len=0
ldap_msgfree
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=123 matched="" text="anonymous proxied
authorization not allowed"
----
The primary server log shows only one line:
Aug 31 20:13:53 dev03 slapd[32705]: conn=1604 op=19 do_search: get_ctrls failed
----
I am not sure why an anonymous request is made by back-ldap --
probably my lack of understanding on how it should be configured. If
anyone can point out where I am going wrong, it would be greatly
appreciated.
Mustafa.
12 years, 9 months
TLS fails
by Frederik Bosch
After getting my ACL right (thanks Dieter!), I have problems installing
an official certificate. I bought a certificate at RapidSSL. Starting
slapd gives me the following error.
TLS init def ctx failed: -69
This error is thrown in openldap 2.4.17. Since I am on debian, slapd is
compiled against GnuTLS. When I was using 2.4.11 I had another error:
TLS init def ctx failed: -207
When I had a self-signed certificate I had no trouble. What could be wrong?
12 years, 9 months
RE: Getting Solaris to use Openldap
by Stuart Cherrington
> Date: Fri, 27 Aug 2010 21:33:42 +1200
> From: ian(a)ianshome.com
> To: stuart_cherrington(a)hotmail.co.uk
> Subject: Re: Getting Solaris to use Openldap
>
> On 08/27/10 08:48 PM, Stuart Cherrington wrote:
> > Hi,
> >
> > I Have an OpenLDAP 2.4.18 server on RHEL 5.3. I can get Linux clients
> > to use the master by use of the /etc/ldap.conf file. I'm now trying to
> > get a SOlaris 10 client to use the master by initialising with the
> > default profileName. If I run:
> >
> > ldapclient -v init -a proxypassword=xxxxx -a
> > proxydn=cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -a
> > domainname=ldn.sw.com 10.2.250.15
> >
> I also add a -a profileName=default
Shouldn't need to add this, as ldapclient takes 'default' as the default profileName if none is specified. I did try it with this anyway but got the same error.
>
> > So the 2 errors are the NOTFOUND nisDomainObject which is there when
> > I check on the master:
> >
> > [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D
> > cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxx -b
> > dc=ldn,dc=sw,dc=com -s base
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <dc=ldn,dc=sw,dc=com> with scope baseObject
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
> >
> > # ldn.sw.com
> > dn: dc=ldn,dc=sw,dc=com
> > dc: ldn
> > o: ldn
> > associatedDomain: ldn.sw.com
> > nisDomain: ldn.sw.com
> > objectClass: dcObject
> > objectClass: organization
> > objectClass: domainRelatedObject
> > objectClass: nisDomainObject
> > objectClass: top
> >
> That looks OK.
> >
> > The other error is 'Failed to find defaultSearchBase for domain
> > ldn.sw.com'
> >
> > [root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D
> > cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w 5wap5proxy -b
> > cn=default,ou=profile,dc=ldn,dc=sw,dc=com -s base
> > # extended LDIF
> > #
> > # LDAPv3
> > # base <cn=default,ou=profile,dc=ldn,dc=sw,dc=com> with scope baseObject
> > # filter: (objectclass=*)
> > # requesting: ALL
> > #
>
> Do you have a cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com entry?
Yeh
[root@msldap01 openldap2.4]# ldapsearch2.4 -h 10.2.250.15 -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxx -b cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -s base
# extended LDIF
#
# LDAPv3
# base <cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com> with scope baseObject
# filter: (objectclass=*)
# requesting: ALL
#
# proxyagent, profile, ldn.sw.com
dn: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
cn: proxyagent
sn: proxyagent
objectClass: top
objectClass: person
userPassword:: e0NSWVBUfXYuTWpqUDJEb3lpMXc=
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
>
> > # default, profile, ldn.sw.com
> > dn: cn=default,ou=profile,dc=ldn,dc=sw,dc=com
> > defaultSearchBase: dc=ldn,dc=sw,dc=com
> > authenticationMethod: simple
> > followReferrals: TRUE
> > profileTTL: 43200
> > searchTimeLimit: 30
> > objectClass: DUAConfigProfile
> > defaultServerList: 10.2.250.15
> > credentialLevel: proxy
> > cn: default
> > defaultSearchScope: one
>
> You should add
>
> serviceSearchDescriptor: passwd:<people base>
> serviceSearchDescriptor: group:<group base>
I initially had these (and one for shadow) but they didn't make any difference to the error; I expect I'll need them when it's in operation, though.
>
> --
> Ian.
>
12 years, 9 months
Re: OpenLDAP to replace Oracle Internet Directory
by Matheus Morais
Hi Gavin,
Sorry for the late reply; I need to organize my mailbox, I just had not
seen this email!
On Mon, Jul 26, 2010 at 2:24 PM, Gavin Henry <ghenry(a)openldap.org> wrote:
> > I want thank every one responsible to keep OpenLDAP project with that
> high
> > level of quality and I am really proud about that kind of quality has
> been
> > produced by a free software project (free as in freedom).
>
> Excellent news! How is it going now? Did you use our docs to help you?
>
We're doing really well at this time. Right now we're waiting for the dev
team to correct one of our LDAP APIs, which was using substring search on
distinguishedName attributes. That works on Oracle Internet Directory, but
as RFC 2256 says (section 5.50, more precisely), the 'client must not assume
that LDAP servers are capable of performing attribute subtyping'. They are
testing it, and after putting it into production we will be ready to change
the last systems which are still using Oracle Internet Directory.
I mostly used the Administrator's Guide for version 2.4 and all the manuals
available. I think the documentation is very complete in general but could
be improved in some points, like the section on the Monitor backend for example.
I would also be happy if we had a Portuguese version of the Admin's Guide.
Since I'm not a developer, I could help with the documentation in my spare time.
I would be glad if I could help in some aspect.
> Do you have any suggestions for improvements to the docs?
>
> Thanks.
>
> --
> Kind Regards,
>
> Gavin Henry.
> OpenLDAP Engineering Team.
>
> E ghenry(a)OpenLDAP.org
>
> Community developed LDAP software.
>
> http://www.openldap.org/project/
>
Thanks,
Matheus Morais!
12 years, 9 months
I can't see my /etc/ldap/slapd.conf file after reinstall
by Eric KOM
Hi Dear Team!
Please, I have a problem with my OpenLDAP server on Debian Testing.
I tried to purge the slapd package with aptitude purge slapd and removed all
files and directories under /etc/ldap/ with rm.
After reinstalling slapd, I can't see the main configuration file
/etc/ldap/slapd.conf,
but the server is running.
Thank you in advance.
--
Yours truly,
Eric KOM
110 LAWN STREET ROSETTENVILLE
2190
JOHANNESBURG
SOUTH AFRICA
Phone: +27 (0) 788 791 334
Fax: +27 (0) 865 563 009
E-mail: erickom(a)namekom.co.za
Websites: www.erickom.co.za | www.namekom.co.za/erickom | www.namekom.co.za
12 years, 9 months
Too many archive logs
by isso2@gmx.de
Hello team,
Our openldap server (OS: Redhat 5) was successfully installed and it works.
But sometimes it gets out of control, that is: every 3 minutes it generates an archive log. Shutdown and start are not successful. We have to do a db_recover. Any idea?
Thanks a lot.
--
12 years, 9 months
syncrepl help
by Adam Cassar
Hi All,
I would appreciate some insight with a syncrepl issue that I have. The
scenario is as follows:
(1) LDAP master running debian slapd v2.3.30
replicating using syncrepl to
(2) LDAP master running debian slapd v2.4.11
The initial data for this node was seeded using slapcat/slapadd due to
the db size.
This is replicating via syncrepl to
(3) LDAP slave running debian slapd v2.4.11
On (3) the slave I am receiving the error:
do_syncrep2: cookie=rid=001,csn=20100825064231Z#000000#00#000000
do_syncrep2: rid=001 CSN too old, ignoring 20100825064231Z#000000#00#000000
for all replication events that are being received.
What I am trying to achieve is to deprecate server (1) with as little
downtime as possible, server (2) becomes the new master and (3) the new
slave
Replication between 1 & 2 works correctly but not between 2 & 3. The
time is correct on the servers. Server (3) database is seeded using
syncrepl. Configurations for 1, 2 & 3 are attached.
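The consumer's "CSN too old" message means the CSN carried by the incoming change is not newer than the contextCSN the consumer already holds for that server ID, so comparing the contextCSN values on (2) and (3) per server ID is the first check. The script below is an added example, not from the thread; the two URIs and the suffix are placeholders to replace.

```perl
#!/usr/bin/perl
# Compare the contextCSN held by a syncrepl provider and consumer, per
# server ID, to see which side is ahead.
use strict;
use warnings;
use Net::LDAP;

# Parse a CSN in either the 2.3 form 20100825064231Z#000000#00#000000 or
# the 2.4 form 20100825064231.123456Z#000000#000#000000 into fields.
sub parse_csn {
    my ($csn) = @_;
    my ( $time, $frac, $count, $sid, $mod ) = $csn =~
        /^(\d{14})(?:\.(\d{1,6}))?Z#([0-9a-fA-F]+)#([0-9a-fA-F]+)#([0-9a-fA-F]+)$/
        or die "unparseable CSN: $csn\n";
    # 2.3 CSNs carry no fraction; pad to microseconds as slapd 2.4 does.
    $frac = substr( ( $frac // '' ) . '000000', 0, 6 );
    return { time => $time, frac => $frac, count => hex $count,
             sid => hex $sid, mod => hex $mod };
}

# Returns -1, 0 or 1 like <=>, comparing timestamp, fraction, change count
# and modifier number, which is the order the normalized string form sorts in.
sub cmp_csn {
    my ( $x, $y ) = map { parse_csn($_) } @_;
    return ( $x->{time} cmp $y->{time} )
        || ( $x->{frac} cmp $y->{frac} )
        || ( $x->{count} <=> $y->{count} )
        || ( $x->{mod} <=> $y->{mod} );
}

# Fetch every contextCSN value of a suffix from one server, keyed by server ID.
sub fetch_context_csn {
    my ( $uri, $suffix ) = @_;
    my $ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@\n";
    my $mesg = $ldap->search(
        base => $suffix, scope => 'base',
        filter => '(objectClass=*)', attrs => ['contextCSN'],
    );
    die "$uri: " . $mesg->error . "\n" if $mesg->code;
    my %by_sid;
    for my $csn ( $mesg->count ? $mesg->entry(0)->get_value('contextCSN') : () ) {
        $by_sid{ parse_csn($csn)->{sid} } = $csn;
    }
    $ldap->unbind;
    return \%by_sid;
}

# Placeholders: in the thread's scenario, provider is (2) and consumer is (3).
my ( $provider, $consumer, $suffix ) =
    ( 'ldap://provider.example.com', 'ldap://consumer.example.com', 'dc=example,dc=com' );
my $p = fetch_context_csn( $provider, $suffix );
my $c = fetch_context_csn( $consumer, $suffix );

my %all = ( %$p, %$c );
for my $sid ( sort { $a <=> $b } keys %all ) {
    my ( $pc, $cc ) = ( $p->{$sid}, $c->{$sid} );
    if ( !defined $pc ) {
        print "sid $sid: only the consumer holds a CSN ($cc)\n";
    }
    elsif ( !defined $cc ) {
        print "sid $sid: consumer holds no CSN yet (provider: $pc)\n";
    }
    else {
        my $rel = cmp_csn( $pc, $cc );
        print "sid $sid: provider $pc  consumer $cc  ",
            ( $rel > 0 ? "consumer is behind, newer changes will be accepted"
            : $rel < 0 ? "consumer is AHEAD: changes with older CSNs will be ignored as too old"
            :            "in sync" ), "\n";
    }
}
```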
12 years, 9 months