Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example (line 50 is marked with a comment below):
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once for each entry as the search results arrive
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry so the whole result set is not kept in memory
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV is only valid together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,       # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search(@args);

# Get VLV response control
# (line 50 of vlv.pl: control() returns an empty list when the server sent no
#  VLV response control, and the bare die then produces "Died at vlv.pl line 50")
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
6 years, 12 months
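The script above dies because `$mesg->control(LDAP_CONTROL_VLVRESPONSE)` returned nothing, and a bare `die` gives no hint why. What `$vlv->response($resp)` consumes, when a server does answer, is a BER-encoded VirtualListViewResponse (targetPosition, contentCount, a result code, optional contextID). The following is an added example, not code from the post or from Net::LDAP, written in Python so it runs offline against constructed control values: it decodes that structure, names the result code (including the "sortControlMissing" and "offsetRangeError" cases a client must not ignore) and derives the offset for the next page. The sample byte strings are constructed for the example.

```python
"""Decode a VLV response control value and decide the next page (offline)."""
from typing import Optional, Tuple

# virtualListViewResult values from the VLV Internet-Draft; only the codes a
# client normally needs to distinguish are listed.
VLV_RESULT = {
    0: "success",
    1: "operationsError",
    11: "adminLimitExceeded",
    18: "inappropriateMatching",
    50: "insufficientAccessRights",
    53: "unwillingToPerform",
    60: "sortControlMissing",   # VLV sent without an accompanying sort control
    61: "offsetRangeError",     # offset/contentCount outside the list
    80: "other",
}


def _tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one BER TLV at buf[pos]; return (tag, contents, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER length runs past end of value")
    return tag, buf[pos:pos + length], pos + length


def decode_vlv_response(value: bytes) -> dict:
    """Parse VirtualListViewResponse ::= SEQUENCE { targetPosition INTEGER,
    contentCount INTEGER, virtualListViewResult ENUMERATED,
    contextID OCTET STRING OPTIONAL }."""
    tag, body, end = _tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("control value is not a single SEQUENCE")
    fields, pos = [], 0
    while pos < len(body):
        t, contents, pos = _tlv(body, pos)
        fields.append((t, contents))
    if len(fields) < 3 or [f[0] for f in fields[:3]] != [0x02, 0x02, 0x0A]:
        raise ValueError("unexpected field layout in VLV response")
    code = int.from_bytes(fields[2][1], "big", signed=True)
    return {
        "target_position": int.from_bytes(fields[0][1], "big", signed=True),
        "content_count": int.from_bytes(fields[1][1], "big", signed=True),
        "result_code": code,
        "result": VLV_RESULT.get(code, f"unknown({code})"),
        # echo contextID back in the next request when the server supplies one
        "context_id": fields[3][1] if len(fields) > 3 and fields[3][0] == 0x04 else None,
    }


def next_offset(resp: dict, after: int) -> Optional[int]:
    """1-based offset of the following page, or None when the list is exhausted
    or the server reported a VLV error. A client that ignores result_code can
    loop forever or silently accept a truncated listing."""
    if resp["result_code"] != 0:
        return None
    nxt = resp["target_position"] + after + 1
    return nxt if nxt <= resp["content_count"] else None


# Constructed sample control values (hex of the BER encoding):
SAMPLE_OK = bytes.fromhex("300d0201010201390a010004026162")   # pos 1 of 57, success, contextID "ab"
SAMPLE_LAST = bytes.fromhex("30090201290201390a0100")         # pos 41 of 57, success
SAMPLE_NO_SORT = bytes.fromhex("30090201000201000a013c")      # result 60: sortControlMissing

if __name__ == "__main__":
    for name, raw in (("ok", SAMPLE_OK), ("last", SAMPLE_LAST), ("no_sort", SAMPLE_NO_SORT)):
        r = decode_vlv_response(raw)
        print(name, r["result"], "next offset:", next_offset(r, after=19))
```

In the Perl script the equivalent checks are `$mesg->code`/`$mesg->error` after each search and, when the control is present, the result reported by the response object before trusting the page; a server that does not implement VLV (in OpenLDAP it is provided by the sssvlv overlay) simply omits the control, which is exactly the empty list the script dies on.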
Re: (ITS#6666) Feature Request: Triggers implementation
by Buchan Milne
On Thursday, 7 October 2010 20:32:49 Nick Milas wrote:
> It all started for me when I wanted to watch a serial number value from
> an ldap-stored SOArecord (using powerdns with openldap backend) and when
> it changes to fire a bash script. I reached the conclusion it was not
> easy to be done with higher-level means within openldap and I created a
> bash script which scans (using ldapsearch and other linux tools) the
> SOArecords regularly (using cron) to find out if any change has happened
> and do whatever is required. It would be much more elegant if I could
> get a trigger from openldap when the SOArecord changes.
Maybe you need this:
http://memberwebs.com/stef/software/slapi-dnsnotify/
A more generic solution would be nice, but as far as I can tell, this software
satisfies your current need.
Regards,
Buchan
12 years
Replication monitoring
by Andreas Andersson
Hi!
I posted an announcement here about a year ago about my little LDAP monitoring project CN=Monitor.
Asked for feedback and received a lot. Thank you! Some feedback was related to adding replication verification for OpenLDAP so of course I gave it a try.
Unfortunately I don’t have a large scale OpenLDAP environment to verify this functionality on so I need your help :)
Is it working and can it be improved?
This is how it works:
The contextCSN is verified on all servers within the same environment. See attached image.
As always… I appreciate all feedback I can get and let me know if you have any suggestions on new features or something else that can improve this monitoring application.
Project page:
http://cnmonitor.sourceforge.net
Freshmeat:
http://freshmeat.net/projects/cnmonitor
Best Regards - Andreas
12 years, 2 months
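The contextCSN check described above works because every provider stamps its writes with a CSN of the form `YYYYmmddHHMMSS.ffffffZ#count#sid#mod`, and a consumer's contextCSN carries one value per serverID it has received changes from; replicas agree when, for every sid, they hold the same newest value. The following is an added example, not CN=Monitor's own code, showing that comparison over constructed contextCSN values from three hypothetical servers; it reports which sid each server lags on and by how many seconds, and treats a sid a server has never heard of as a lag as well.

```python
"""Check contextCSN agreement across replicas (constructed values, offline)."""
import re
from datetime import datetime

# OpenLDAP CSN: YYYYmmddHHMMSS.ffffffZ#count#sid#mod (count/sid/mod in hex)
CSN_RE = re.compile(r"^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$")


def parse_csn(csn: str):
    """Return (sid, sortable_key) for one contextCSN value."""
    m = CSN_RE.match(csn)
    if not m:
        raise ValueError(f"not a CSN: {csn!r}")
    ts, count, sid, mod = m.groups()
    # all fields are fixed width, so tuple comparison orders CSNs correctly
    return sid, (ts, count, mod)


def csn_age_seconds(newer_key, older_key) -> float:
    fmt = "%Y%m%d%H%M%S.%fZ"
    return (datetime.strptime(newer_key[0], fmt) - datetime.strptime(older_key[0], fmt)).total_seconds()


def replication_status(servers: dict) -> dict:
    """servers maps server name -> contextCSN values read from its suffix entry.
    Returns name -> list of (sid, have, newest, lag_seconds); [] means in sync."""
    per_server = {}
    for name, values in servers.items():
        table = {}
        for v in values:
            sid, key = parse_csn(v)
            table[sid] = key
        per_server[name] = table
    newest = {}                      # per sid, the newest CSN seen anywhere
    for table in per_server.values():
        for sid, key in table.items():
            if sid not in newest or key > newest[sid]:
                newest[sid] = key
    report = {}
    for name, table in per_server.items():
        lagging = []
        for sid, best in sorted(newest.items()):
            have = table.get(sid)
            if have != best:
                lag = csn_age_seconds(best, have) if have else None
                lagging.append((sid, have, best, lag))
        report[name] = lagging
    return report


# Constructed sample: three providers (sid 001..003); ldap3 has not yet seen
# sid 001's latest write and ldap2 has never received anything from sid 003.
SAMPLE = {
    "ldap1": ["20101208140517.123456Z#000000#001#000000",
              "20101208140402.000000Z#000000#002#000000",
              "20101208135900.000000Z#000000#003#000000"],
    "ldap2": ["20101208140517.123456Z#000000#001#000000",
              "20101208140402.000000Z#000000#002#000000"],
    "ldap3": ["20101208140210.999999Z#000000#001#000000",
              "20101208140402.000000Z#000000#002#000000",
              "20101208135900.000000Z#000000#003#000000"],
}

if __name__ == "__main__":
    for name, lagging in replication_status(SAMPLE).items():
        print(name, "in sync" if not lagging else lagging)
```

Reading contextCSN requires a bind that has read access to the suffix entry's operational attributes on every server, so the monitoring identity should be a dedicated read-only DN rather than the replication or root DN.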
Handling slapd.d in OpenLDAP and Kerberos
by sarathkrishna89@gmail.com
Hi,
We are currently trying to use OpenLDAP as the database for Kerberos in our
lab.
We installed OpenLDAP on Ubuntu 10.04 and it is working without any problem
(i.e. queries are showing the correct results),
but we are not able to get Kerberos to authenticate via OpenLDAP.
For authenticating via OpenLDAP, the principals need to be rewritten (using
authz-policy and authz-regexp). We know how to do
that in the older version of OpenLDAP which had slapd.conf, but don't know how
to do the same in the new OpenLDAP which has a slapd.d directory instead.
The manuals also don't say anything on this issue.
We did the following for testing authentication via Kerberos:
kinit username; ldapsearch -H ldaps://server.example.com
And we got this result:
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
additional info: SASL(-13): user not found: no secret in database
We just want to perform this:
authz-policy from
authz-regexp
uid=(.*),cn=example.com,cn=GSSAPI,cn=auth
uid=$1,ou=people,dc=example,dc=com
We think adding this in slapd.conf should serve the purpose. Any
suggestions/help is highly appreciated.
--
Sarath
12 years, 3 months
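In cn=config the two directives from the post become the `olcAuthzPolicy` and `olcAuthzRegexp` attributes of the `cn=config` entry itself (slapd-config(5)); olcAuthzPolicy governs proxy authorization, and the identity mapping is done by olcAuthzRegexp alone. What the rule maps is the name slapd builds from the SASL bind, `uid=<authcid>,cn=<realm>,cn=<mechanism>,cn=auth`, and the rule in the post only matches names whose mechanism component is `cn=GSSAPI`; the ldapsearch output in the post shows a DIGEST-MD5 bind being negotiated, which `ldapsearch -Y GSSAPI` would avoid. The following is an added example, not from the post or from OpenLDAP: a small simulator that loads the rule from a constructed cn=config LDIF and applies it to both names, so a rule can be checked before it is loaded into slapd. The whole-name match is an assumption of the simulator.

```python
"""Simulate slapd authz-regexp mapping of SASL identities (constructed example)."""
import re
from typing import Optional

# cn=config equivalent of the slapd.conf lines in the post (constructed LDIF;
# both attributes live on the cn=config entry).
CONFIG_LDIF = """\
dn: cn=config
changetype: modify
replace: olcAuthzPolicy
olcAuthzPolicy: from
-
replace: olcAuthzRegexp
olcAuthzRegexp: uid=(.*),cn=example.com,cn=GSSAPI,cn=auth uid=$1,ou=people,dc=example,dc=com
"""


def load_authz_regexps(ldif: str):
    """Collect olcAuthzRegexp values in order as (compiled pattern, replacement)."""
    rules = []
    for line in ldif.splitlines():
        if line.lower().startswith("olcauthzregexp:"):
            pattern, replacement = line.split(":", 1)[1].split()
            # slapd compiles authz-regexp patterns case-insensitively (REG_ICASE)
            rules.append((re.compile(pattern, re.IGNORECASE), replacement))
    return rules


def sasl_authc_dn(authcid: str, mech: str, realm: Optional[str] = None) -> str:
    """Name slapd derives from a SASL bind: uid=<authcid>,cn=<realm>,cn=<mech>,cn=auth."""
    parts = [f"uid={authcid}"]
    if realm:
        parts.append(f"cn={realm}")
    parts += [f"cn={mech}", "cn=auth"]
    return ",".join(parts)


def map_authc_dn(authc_dn: str, rules) -> Optional[str]:
    """First matching rule wins; $N in the replacement is the Nth capture group.
    Returns None when no rule matches (the identity stays the cn=auth name,
    which no entry in the DIT has, hence 'user not found')."""
    for pattern, replacement in rules:
        m = pattern.fullmatch(authc_dn)   # whole-name match: assumption of this simulator
        if m:
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), replacement)
    return None


if __name__ == "__main__":
    rules = load_authz_regexps(CONFIG_LDIF)
    for dn in (sasl_authc_dn("sarath", "GSSAPI", "EXAMPLE.COM"),
               sasl_authc_dn("sarath", "DIGEST-MD5")):
        print(dn, "->", map_authc_dn(dn, rules))
```

The `(.*)` capture in the post's rule also matches commas; the OpenLDAP Administrator's Guide writes the same rule as `uid=([^,]*),cn=example.com,cn=gssapi,cn=auth`, which keeps the captured identifier to a single RDN value.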
Re: Transparent proxy, (objectClass=user) not being relayed. Schema issue?
by masarati@aero.polimi.it
>> 2.3.43 included with CentOS. I'll try the latest package. Thanks!
>
> Ah. Actually, I only tried an undefined objectClass, which works. In
> fact, in the case you're considering, (objectClass=user) contains an
> invalid value of a valid attribute, while (sAMAccountName=user01) contains
> an invalid attribute, so the two cases are different. Right now, with
> HEAD's back-meta for "(&(objectClass=user)(sAMAccountName=user01))" I get
> "(&(?objectClass=user)(!(objectClass=*)))". Let me check a bit more.
I have provided another round of fixes. One of them affects back-meta
(map.c, ITS#6818); another affects filter handling (ava.c); finally,
another affects slapo-rwm when used in conjunction with back-ldap
(rwmmap.c). Now the issue should be definitely fixed. Please test.
p.
12 years, 3 months
same objects in multiple ou?
by Joe Comeaux
I'm trying to design an environment that does not allow anonymous
binds, and the users that require authentication reside across
multiple OU's. It seems common practice among authentication modules
to take a cn, bind anonymously to scan for the full dn, and then check
password with full dn to authenticate.
What I'd like to avoid is the anonymous bind, or storing a name and
password with read access to bind, to increase security.
I think what would be ideal is to somehow map all objects across
multiple ou's to a single ou. Something along the lines of : all
objects in ou=Department1,dc=example,dc=com +
ou=Department2,dc=example,dc=com + ou=Department3,dc=example,dc=com to
be linked to ou=Everyone,dc=example,dc=com. If something like that
were in place, new users created in Department3 could be authenticated
with cn=username,ou=Everyone,dc=example,dc=com. All modules designed
to check authentication would not need to bind first to search the
directory for the full dn.
I've seen references to aliasing, but that applies only to a single
object, and also mentions of mapping, but I can't tell if that would
do what I expect it to do.
Has anyone else built something similar? Can what I explain even be
done with OpenLDAP? What should I be looking in to for direction on
setting this up?
Thanks in advance
-Joe Comeaux
12 years, 3 months
User managed groups - ACLs
by Christian Manal
Hi list,
I am currently trying to make it possible for ordinary users to manage
their own groups in the following way:
1 Any user can create new groups ("groupOfNames").
1.1 On creation, the creator is set to be the first member and
manager of the group (the latter is defined as a single-value
attribute (UDBgrpAdmin) for a self defined auxiliary objectClass
"UDBgrp").
1.2 Some names should be prohibited from being used for new groups.
2 Group managers can invite any user to the group by adding their DN
to the invited list of the group (UDBgrpInvited) and revoke
invitations by removing DNs from said list.
2.1 Group managers can kick members from the group.
2.2 Group managers can delete the group.
2.3 Group managers can assign a new manager who has to be a member of
the group.
2.4 Group managers can (re)set a description for the group.
3 Invited users can accept or decline the invitation, i.e. remove
themselves from the invite list and add themselves to the member
list.
4 Group members can leave the group permanently or temporarily. The
latter is achieved by moving themselves from the member list to a
suspended list (UDBgrpSuspended) which allows them to rejoin the
group later (i.e. move themselves back to the member list) without
a new invitation.
I have most of the above covered, but I'm struggling with the points
1.1, 2.3 and to some extent 1.2.
1.1 and 2.3: I have no idea if this is even possible, let alone how to
achieve it.
1.2: By extending the 'filter' rule that limits the objectClasses for
new entries in "ou=Group" I can make a blacklist for 'cn' values, but
I'd rather have something in the DIT itself, so I can modify the list
without meddling with the server config. This is optional, though, since
I don't expect the list to change very often.
This is what I've got so far:
<http://openldap.pastebin.com/n8P4eKvU>
Any help would be appreciated.
Regards,
Christian Manal
12 years, 3 months
meta directory backend and rewriting option '|'
by Lehnert, Hartmut
Hello!
I have a question concerning the pipe option '|' when using the meta
directory backend and rewriting. In the manual pages the '|' option is
marked as "not implemented". Does this reflect the actual state of the
software or has somebody just forgotten to update the man page?
Regards,
Hartmut
12 years, 3 months
Access control
by Thomas Schweikle
Hi!
I am trying to set up access control for an OpenLDAP server. I'd
like to use a Group to set up users allowed to access and write to
entries inside my tree:
I've created the group:
dn: cn=administrators,dc=example,dc=com
cn: administrators
objectclass: groupOfNames (important for the group acl feature)
member: cn=user1,ou=Users,dc=example,dc=com
member: cn=user2,ou=Users,dc=example,dc=com
in
dn: olcDatabase=hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: hdb
olcDbDirectory: /var/lib/ldap
olcSuffix: dc=example,dc=com
olcRootDN: cn=adm,dc=example,dc=com
olcRootPW: ${admpw}
olcAccess: to attrs=userPassword,shadowLastChange,krbPrincipalKey
by group.exact="cn=administrators,dc=example,dc=com" write
by dn="cn=adm,dc=example,dc=com" write
by anonymous auth
by self write
by * none
olcAccess: to dn.base=""
by * read
olcAccess: to *
by group.exact="cn=administrators,dc=example,dc=com" write
by dn="cn=adm,dc=example,dc=com" write
by * read
Now trying to access "userPassword" from any user inside the tree
"ou=Users,dc=example,dc=com".
1. The password field is empty -- it should hold a value
2. Entering a value, then pressing apply: "Error modifying
'cn=user3,ou=Users,dc=xompu,dc=de': Insufficient access
I'd expected to have access to "userPassword" and I am allowed to
write this value. Why does it not work if I log in with user1?
--
Thomas
12 years, 3 months
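slapd evaluates olcAccess values in order ({0}, {1}, {2} in cn=config): the first `to` clause whose target matches is the only one consulted, within it the first matching `by` clause decides, a matching `to` with no matching `by` denies, and the rootdn bypasses access control altogether (so the `by dn="cn=adm,..."` clauses above are redundant). The following is an added example, not slapd code, that models those rules for the three ACLs in the post over a constructed group and three constructed user entries, so one can see which identity gets which level on user3's userPassword. The DN normalisation is a simplifying assumption.

```python
"""Model of slapd access evaluation for the three olcAccess values in the post."""
from typing import Optional

# access levels in increasing order, as slapd ranks them
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

ROOTDN = "cn=adm,dc=example,dc=com"
ADMINS = "cn=administrators,dc=example,dc=com"
USER1 = "cn=user1,ou=Users,dc=example,dc=com"
USER2 = "cn=user2,ou=Users,dc=example,dc=com"
USER3 = "cn=user3,ou=Users,dc=example,dc=com"

# Constructed directory content: the group from the post plus one more user
GROUPS = {ADMINS: {USER1, USER2}}

# The olcAccess values from the post, in evaluation order
ACLS = [
    ({"attrs": {"userpassword", "shadowlastchange", "krbprincipalkey"}},
     [(f"group.exact={ADMINS}", "write"), (f"dn={ROOTDN}", "write"),
      ("anonymous", "auth"), ("self", "write"), ("*", "none")]),
    ({"dn.base": ""}, [("*", "read")]),
    ({"*": True},
     [(f"group.exact={ADMINS}", "write"), (f"dn={ROOTDN}", "write"), ("*", "read")]),
]


def norm(dn: str) -> str:
    """Minimal DN normalisation (case folding only; assumption of this model)."""
    return dn.lower()


def what_matches(what: dict, target_dn: str, attr: Optional[str]) -> bool:
    if "*" in what:
        return True
    if "dn.base" in what:
        return norm(target_dn) == norm(what["dn.base"])
    return attr is not None and attr.lower() in what["attrs"]


def who_matches(who: str, bind_dn: Optional[str], target_dn: str) -> bool:
    if who == "*":
        return True
    if who == "anonymous":
        return bind_dn is None
    if who == "users":
        return bind_dn is not None
    if who == "self":
        return bind_dn is not None and norm(bind_dn) == norm(target_dn)
    kind, _, value = who.partition("=")
    if kind == "dn":
        return bind_dn is not None and norm(bind_dn) == norm(value)
    if kind == "group.exact":
        members = {norm(m) for m in GROUPS.get(value, ())}
        return bind_dn is not None and norm(bind_dn) in members
    raise ValueError(f"unsupported <who>: {who}")


def access(bind_dn: Optional[str], target_dn: str, attr: Optional[str] = None) -> str:
    """Level bind_dn gets on attr of target_dn (attr=None: the entry itself)."""
    if bind_dn is not None and norm(bind_dn) == norm(ROOTDN):
        return "manage"                      # rootdn is never subject to olcAccess
    for what, by in ACLS:
        if not what_matches(what, target_dn, attr):
            continue
        for who, level in by:
            if who_matches(who, bind_dn, target_dn):
                return level
        return "none"                        # matching <what>, no matching <by>: denied
    return "none"


def allows(bind_dn: Optional[str], target_dn: str, attr: Optional[str], needed: str) -> bool:
    return LEVELS.index(access(bind_dn, target_dn, attr)) >= LEVELS.index(needed)


if __name__ == "__main__":
    for who, label in ((USER1, "user1 (admin group)"), (USER3, "user3 (self)"), (None, "anonymous")):
        print(f"{label}: userPassword of user3 -> {access(who, USER3, 'userPassword')}")
```

Under this model user1 does get write on user3's userPassword, and the only identities that see the attribute as empty are anonymous ("auth" only) and an unrelated user ("none"); so when slapd answers Insufficient access, the things to verify are that the client really binds as user1 rather than anonymously or as a configured service DN, and that the olcAccess values carry the intended `{n}` ordering. slapd ships `slapacl` for exactly this check, run offline against the config directory, e.g. `slapacl -F /etc/ldap/slapd.d -D "cn=user1,ou=Users,dc=example,dc=com" -b "cn=user3,ou=Users,dc=example,dc=com" userPassword/write`.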
cn=config how to grant read rights
by John Espiro
I am new to the whole cn=config thing... Having just started with it, I
have a question.
I have an existing user for which I need to give read rights to the
tree: "This user must have the Read right to the LDAP service.".
How do I go about modifying the ACL so that he has this?
John
12 years, 3 months