openldap-technical January 2011

openldap-technical@openldap.org

91 participants
107 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Re: (ITS#6666) Feature Request: Triggers implementation
by Buchan Milne 23 May '11

23 May '11

On Thursday, 7 October 2010 20:32:49 Nick Milas wrote: > It all started for me when I wanted to watch a serial number value from > an ldap-stored SOArecord (using powerdns with openldap backend) and when > it changes to fire a bash script. I reached the conclusion it was not > easy to be done with higher-level means within openldap and I created a > bash script which scans (using ldapsearch and other linux tools) the > SOArecords regularly (using cron) to find out if any change has happend > and do whatever is required. It would be much more elegant if I could > get a trigger from openldap when the SOArecord changes. Maybe you need this: http://memberwebs.com/stef/software/slapi-dnsnotify/ A more generic solution would be nice, but as far as I can tell, this software satisfies your current need. Regards, Buchan

7 18

Replication monitoring
by Andreas Andersson 04 Mar '11

04 Mar '11

Hi! I posted an announcement here about a year ago about my little LDAP monitoring project CN=Monitor. Asked for feedback and received a lot. Thank you! Some feedback was related to adding replication verification for OpenLDAP so of course I gave it a try. Unfortunately I don’t have a large scale OpenLDAP environment to verify this functionality on so I need your help :) Is it working and can it be improved? This is how it works: The contextCSN is verified on all servers within the same environment. See attached image. As always… I appreciate all feedback I can get and let me know if you have any suggestions on new features or something else that can approve this monitoring application. Project page: http://cnmonitor.sourceforge.net Freshmeat: http://freshmeat.net/projects/cnmonitor Best Regards - Andreas

4 11

Handling slapd.d in OpenLDAP and Kerberos
by sarathkrishna89＠gmail.com 08 Feb '11

08 Feb '11

Hi, We are currently trying to use OpenLDAP as the database for Kerberos in our lab. We installed OpenLDAP in Ubuntu 10.04 and is working without any problem (i,e. queries are showing the correct results) But we are not able to get Kerberos authenticate via OpenLDAP. For authenticating via OpenLDAP, the principles needs to be rewritten (using authz-policy and authz-regexp). We know how to do that in older version of OpenLDAP which had (slapd.conf) but don't know how to do the same in new OpenLDAP which has slapd.d directory instead. The manuals also doesn't say anything on this issue. We did the following for testing authentication via Kerberos: kinit username; ldapsearch -H ldaps://server.example.com And we got this result: SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) additional info: SASL(-13): user not found: no secret in database We just want to perform this: authz-policy from authz-regexp uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com We think adding this in slapd.conf should serve the purpose. Any suggestions/help is highly appreciated. -- Sarath

5 5

Re: Transparent proxy, (objectClass=user) not being relayed. Schema issue?
by masarati＠aero.polimi.it 02 Feb '11

02 Feb '11

>> 2.3.43 included with CentOS. I'll try the latest package. Thanks! > > Ah. Actually, I only tried an undefined objectClass, which works. In > fact, in the case you're considering, (objectClass=user) contains an > invalid value of a valid attribute, while (sAMAccountName=user01) contains > an invalid attribute, so the two cases are different. Right now, with > HEAD's back-meta for "(&(objectClass=user)(sAMAccountName=user01))" I get > "(&(?objectClass=user)(!(objectClass=*)))". Let me check a bit more. I have provided another round of fixes. One of them affects back-meta (map.c, ITS#6818); another affects filter handling (ava.c); finally, another affects slapo-rwm when used in conjunction with back-ldap (rwmmap.c). Now the issue should be definitely fixed. Please test. p.

2 1

same objects in multiple ou?
by Joe Comeaux 01 Feb '11

01 Feb '11

I'm trying to design an environment that does not allow anonymous binds, and the users that require authentication reside across multiple OU's. It seems common practice among authentication modules to take a cn, bind anonymously to scan for the full dn, and then check password with full dn to authenticate. What I'd like to avoid is the anonymous bind, or storing a name and password with read access to bind, to increase security. I think what would be ideal is to somehow map all objects across multiple ou's to a single ou. Something along the lines of : all objects in ou=Department1,dc=example,dc=com + ou=Department2,dc=example,dc=com + ou=Department3,dc=example,dc=com to be linked to ou=Everyone,dc=example,dc=com. If something like that were in place, new users created in Department3 could be authenticated with cn=username,ou=Everyone,dc=example,dc=com. All modules designed to check authentication would not need to bind first to search the directory for the full dn. I've seen references to aliasing, but that applies only to a single object, and also mentions of mapping, but I can't tell if that would do what I expect it to do. Has anyone else built something similar? Can what I explain even be done with OpenLDAP? What should I be looking in to for direction on setting this up? Thanks in advance -Joe Comeaux

3 7

User managed groups - ACLs
by Christian Manal 01 Feb '11

01 Feb '11

Hi list, I am currently trying to make it possible for ordinary users to manage their own groups in the following way: 1 Any user can create new groups ("groupOfNames"). 1.1 On creation, the creator is set to be the first member and manager of the group (the latter is defined as a single-value attribute (UDBgrpAdmin) for a self defined auxiliary objectClass "UDBgrp"). 1.2 Some names should be prohibited from being used for new groups. 2 Group managers can invite any user to the group by adding their DN to the invited list of the group (UDBgrpInvited) and revoke invitations by removing DNs from said list. 2.1 Group managers can kick members from the group. 2.2 Group managers can delete the group. 2.3 Group managers can assign a new manager who has to be a member of the group. 2.4 Group managers can (re)set a description for the group. 3 Invited users can accept or decline the invitation, i.e. remove themselves from the invite list and add themselves to the member list. 4 Group members can leave the group permanently or temporarily. The latter is achieved by moving themselves from the member list to a suspended list (UDBgrpSuspended) which allows them to rejoin the group later (i.e. move themselves back to the member list) without a new invitation. I have most of the above covered, but I'm struggling with the points 1.1, 2.3 and to some extend 1.2. 1.1 and 2.3: I have no idea if this is even possible, let alone how to achieve it. 1.2: By extending the 'filter' rule that limits the objectClasses for new entries in "ou=Group" I can make a blacklist for 'cn' values, but I'd rather have something in the DIT itself, so I can modify the list without meddling with the server config. This is optional, though, since I don't except the list to change very often. This is what I've got so far: <http://openldap.pastebin.com/n8P4eKvU> Any help would be appreciated. Regards, Christian Manal

1 1

meta directory backend and rewriting option '|'
by Lehnert, Hartmut 01 Feb '11

01 Feb '11

Hello! I have a question concerning the pipe option '|' when using the meta directory backend and rewriting. In the manual pages the '|' option is marked as "not implemented". Does this reflect the actual state of the software or has somebody just forgotten to update the man page? Regards, Hartmut

2 2

Access control
by Thomas Schweikle 31 Jan '11

31 Jan '11

Hi! I am trying to set up access control for an OpenLDAP server. I'd like to use a Group to set up users allowed to access and write to entries inside my tree: I've created the group: dn: cn=administrators,dc=example,dc=com cn: administrators objectclass: groupOfNames (important for the group acl feature) member: cn=user1,ou=Users,dc=example,dc=com member: cn=user2,ou=Users,dc=example,dc=com in dn: olcDatabase=hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: hdb olcDbDirectory: /var/lib/ldap olcSuffix: dc=example,dc=com olcRootDN: cn=adm,dc=example,dc=com olcRootPW: ${admpw} olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by anonymous auth by self write by * none olcAccess: to dn.base="" by * read olcAccess: to * by group.exact="cn=administrators,dc=example,dc=com" write by dn="cn=adm,dc=example,dc=com" write by * read Now trying to access "userPassword" from any user inside the tree "ou=Users,dc=example,dc=com". 1. The password field is empty -- it should hold a value 2. Entering a value, then pressing apply: "Error modifying 'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access I'd expected to have access to "userPassword" and I am allowed to write this value. Why does it not work if I log in with user1? -- Thomas

3 5

cn=config how to grant read rights
by John Espiro 31 Jan '11

31 Jan '11

I am new to the whole cn=config thing... Having just started with it, I have a question. I have an existing user for which I need to give read rights to the tree: "This user must have the Read right to the LDAP service.". How do I go about modifying the ACL so that he has this? John

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical January 2011