openldap-technical November 2011

openldap-technical@openldap.org

80 participants
91 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

SASL passthrough - multiple domains
by Liam Gretton 05 Jul '12

05 Jul '12

I have a working configuration with pass-through auth to an AD domain using saslauthd. However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file. Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf. My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at). But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find. -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

8 10

Changing schema OID values in cn=config
by Nick Milas 17 Feb '12

17 Feb '12

Hello, In my config there is: DN: cn={5}postfix,cn=schema,cn=config objectClass: olcSchemaConfig cn: {5}postfix olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' DESC 'Defines an address that we accept mail for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC 'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive' DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $ mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $ aliasInactive ) ) olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC 'Virtual account for holding mailing list info' STRUCTURAL MUST ( mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $ aliasInactive ) ) olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC 'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $ cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) ) olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC 'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY description ) When I try to change attribute OID value, for example: 1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP client) then the server hangs and will not restart. (I had to restore from backup and restart.) What is the recommended way to do this change? Thanks, Nick

4 14

Using NSS
by Braden McDaniel 05 Feb '12

05 Feb '12

I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In cn=config.ldif I have: olcTLSCACertificatePath: /etc/pki/nssdb olcTLSCertificateFile: endoframe I have used certutil to create a self-signed certificate: # certutil -d /etc/pki/nssdb -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI endoframe Cu,Cu,Cu But this doesn't appear to be working: $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1 ldap_url_parse_ext(ldaps://rail) ldap_create ldap_url_parse_ext(ldaps://rail:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP rail:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) slapd is running: # systemctl status slapd.service slapd.service - LSB: starts and stopd OpenLDAP server daemon Loaded: loaded (/etc/rc.d/init.d/slapd) Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago Main PID: 1429 (slapd) CGroup: name=systemd:/system/slapd.service └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap Any ideas of what I might be doing wrong, or where I should be looking to debug this? -- Braden McDaniel <braden(a)endoframe.com>

8 19

Ldap+Nfsv4+kerberos *nix / *bsd puzzle.
by Harry Coin 16 Dec '11

16 Dec '11

Hello group! Looking for guidance on an ldap+NFS4+Kerberos puzzle in a mixed OS local environment. Simple demo case, four computers on a little net. box 1: Running openlap server, kerberos KDC, kadmin, lets say it's running freebsd, doesn't matter. nfs server & client. box 2: Linux box. nfs server & client. box 3: *bsd/Solaris box. nfs server & client. box 4: misc user box, could be *bsd or *nix. Networking: Nfs4 secured with kerberos. That means No uid/gid numbers on the wire, only user@box. NSS is active on all boxes, reaching out to the ldap server on box 1 for info for what is not in the local passwd file searched first. Popular package X gets installed on box 2 and box 3. Package X is a drop-root privilege package, has its own uid/gid!=0. It is active on the net, might write log files or get data files via nfs on either of the other two computers in the setup. The maintainers for package X in the *bsd world have chosen a different number for the uid / gid for the package X daemon than the maintainers for package X have chosen in the *nix world. Those get written in the local passwd file on each system at package X install / download time. Note: Package X does _not_ get installed on the ldap server box #1, or box #4. There is no entry in the #1 or #4 system's passwd file for nss to find for the daemon associated with package X. nfsuserd via nss must find the package X user in ldap or the files will be unreadable or seem 'owned' by nobody:nogroup on 1 or 4 if say config or log files edited/accessed from there. Puzzle: What should the posixAccount uidNumber and gidNumber value be in ldap for uid=packageXdaemon? Alternatives: 1: Choose no entry, leave it out of the ldap db: PackageXDaemon's files will be owned by nobody:nogroup on box 1. Security Fail. 2: Choose *nix for the uid/gid in the ldap database on box 1. Fail: The files will be stored with a uid/gid that might collide with another account in the passwd database on the *bsd server. 3: Choose *bsd for the uid/gid in the ldap database on box 1: Fail: The *nix user on box 4's nfsuserid will get the bsd uid/gid from ldap which could create files not actually owned by something colliding in the *nix passwd database on box 4. 4: Instead storing all the users once under an ou=Account... create ou=AccountBSD and ou=AccountNix, duplicate the whole account tree but vary the apropos uid/gid pair under each tree with all the other remaining equal, manage collisions when amending the database. Not so pretty. 5: Edit the schema to replace uidNumber and gidNumber with uidNixNumber / uidBsdNumber & etc. for gid. Breaks code expecting standard uidNumber gidNumber in the default ldap schemas. There are so many packages that could be X, you can imagine not wanting to have to qualify and patch all of them to use a common uid/gid number. (And it gets even worse in a mixed nfs3 / nfs4 environment where uid/gid numbers actually go over the wire in some cases, and user@box in others, let's leave that to the side for now). I'm leaning toward #5 to avoid storing all the other account information under two different trees. But I'd prefer a scheme were there is a not-edited standard schema tree stored once under 'ou=Account' but with a different overlay for the uid/gid elements if looked up as AccountNix or AccountBsd. I'm sure someone has done battle with this already, what's the right answer? Thanks Harry Coin

3 3

Ldap is up, trying to get tls working.
by John Tobin 13 Dec '11

13 Dec '11

Folks, I have openldap up, it supports vsftpd, sshd, and 5 client linux machines for remote login. I would like to get tls working. I would support either ldaps [port 636], or the tls available on port 389, I am aware of the differences in implementation, and the fact that an administrator effectively has to make a decision to support one or the other in most cases. Currently: I have slapd running configured for tls under ldap [std port 389]. I am testing it on the slapd machine, with a client on the same machine. I am pointing to the same cacertificate in slapd.d [cn=config.ldif] and ldap.conf. With that in place, and the ldap.conf below: nightmare:/etc # cat ldap.conf base dc=dark,dc=net uri ldap://nightmare.dark.net # scope sub # binddn "cn=admin,dc=dark,dc=net" # bindpw jackie bind_policy soft # The user ID attribute (defaults to uid) pam_login_attribute uid pam_lookup_policy yes pam_password exop nss_schema rfc2307bis tls_reqcert never pam_filter objectClass=posixAccount ldap_version 3 nss_map_attribute uniqueMember uniqueMember ssl start_tls tls_cacert /var/lib/ldap/cacert.pem tls_cert /var/lib/server.crt tls_key /var/lib/ldap/server.key I have run ldapsearch: nightmare:/media # ldapsearch -v -x -H ldap://nightmare.dark.net:389/ -b "dc=dark,dc=net" -Z ldap_initialize( ldap://nightmare.dark.net:389/??base ) filter: (objectclass=*) requesting: All userApplication attributes # extended LDIF # # LDAPv3 # base <dc=dark,dc=net> with scope subtree # filter: (objectclass=*) # requesting: ALL # # dark.net dn: dc=dark,dc=net dc: dark o: dark objectClass: organization objectClass: dcObject # admin, dark.net dn: cn=admin,dc=dark,dc=net objectClass: organizationalRole cn: admin # Default Policy, dark.net dn: cn=Default Policy,dc=dark,dc=net objectClass: namedObject objectClass: pwdPolicy cn: Default Policy # People, dark.net dn: ou=People,dc=dark,dc=net objectClass: organizationalUnit ou: People description: People is used in mapping the /etc/passwd entries # jtobin, People, dark.net dn: uid=jtobin,ou=People,dc=dark,dc=net uid: jtobin cn: John C. Tobin objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount loginShell: /bin/ksh uidNumber: 5000 gidNumber: 100 homeDirectory: /home/jtobin gecos: John C. Tobin # defaultDNS, dark.net dn: cn=defaultDNS,dc=dark,dc=net cn: defaultDNS objectClass: top objectClass: suseDnsConfiguration suseDefaultBase: ou=DNS,dc=dark,dc=net # DNS, dark.net dn: ou=DNS,dc=dark,dc=net objectClass: top objectClass: organizationalUnit ou: DNS # search result search: 3 result: 0 Success # numResponses: 8 # numEntries: 7 nightmare:~ # ##### So I am assuming the ldapserver on ldap://nightmare.dark.net:389/ with tls works. [I looked through the message output in /var/log/message and see the ³STARTTLS² and ³TLS established tls_ssf=256²] I have done a number of similar ldapsearches. This appears to work correctly. On the client machine I now do : nightmare:/media # su - jtobin su: user jtobin does not exist nightmare:/media # /var/log/message - output...... nightmare:/var/log # tail f |grep I tls Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1 Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept failure error=-1 id=1217, closing Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS negotiation failure) Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls failed:stat=-1 Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept failure error=-1 id=1218, closing Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 fd=14 closed (TLS negotiation failure) [if you want more of the log, I can obviously get it, but these appear to be the important parts.] This is probably a configuration error, or a logical / architecture misunderstanding, ok, I m a newbie. Do I have certificates incorrectly generated? [certificates were generated via http://www.openldap.org/faq/data/cache/185.html]. What did I do wrong? This is running openldap 2.4.26 off of Suse 12.1 milestone 5. Thanks in advance. tob

4 6

Syncrepl SSL fail
by Hugo Deprez 10 Dec '11

10 Dec '11

Dear community, I setup a syncrepl between my master openldap server and a consumer. I am trying to use SSL for this syncrepl I got the following error in the log when I start slapd on the consumer : Oct 13 17:04:59 server slapd[16905]: slapd starting Oct 13 17:04:59 server slapd[16905]: slap_client_connect: URI=ldaps://ldap.mydomain.fr:1024/ DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s failed (-1) Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1 retrying (9 retries left) I don't understand why it is failing as a single ldapsearch from the same server with the syncrepl user is working. here is my syncrepl configuration : Syncrepl rid=003 provider=ldaps://ldap.mydomain.fr:1024/ type=refreshOnly retry="60 10 600 +" interval=00:00:00:10 searchbase="dc=mydomain,dc=fr" scope=sub schemachecking=on bindmethod=simple binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr" credentials=my_password Any idea ? Regards, Hugo

8 14

memberof overlay deployment
by Asplund Marko 06 Dec '11

06 Dec '11

Hi, I'm planning on deploying the memberof overlay feature in our OpenLDAP v2.3 directory and I'd like to get some practical advice on this. So far, I've done some testing in my test environment. I've added an overlay directive in slapd.conf: overlay memberof and imported group info to populate data. memberof queries appear to be working fine. Is there something else I should consider in addition? What would be the best way to get the memberof attribute values populated in the production database? Should I reimport all the data? What would be the best way for doing that? Or is it possible to somehow get the attribute values populated without reimporting? marko

5 7

Re: LDAP query to Active Directory backend
by Khaled Blah 05 Dec '11

05 Dec '11

Thanks for your reply, Michael! I should have mentioned that I have tested this code with an OpenLDAP server (2.4.23) and a Lotus Notes server (ver. 8) and both of them return UTF-8 encoded data (like I expected it). The only difference are the parameters which I use to start the query on these backends (bind DN, filter, etc...). Regards, Khaled

1 1

Security between server and client nodes.
by Jayavant Patil 02 Dec '11

02 Dec '11

Hi, I am using openLDAP-2.4.19-4 on fedora 12 machine. I want to make server secure from client nodes so that clients don't hack the server node. Hack in the sense that one client doesn't even read the data of another client, client doesn't tamper the server directory information or try to spoof the server. Does anybody have any suggestions how to avoid these things in openLDAP? Thanks in advance. -- Regards, Jayavant Ningoji Patil Engineer: System Software Computational Research Laboratories Ltd. Pune-411 004. Maharashtra, India. +91 9923536030.

3 14

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2011