Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
*
Error:* Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;
sub procentry {
my ( $mesg, $entry) = @_;
# Return if there is no entry to process
if ( !defined($entry) ) {
return;
}
print "dn: " . $entry->dn() . "\n";
@attrs = $entry->attributes();
foreach $attr (@attrs) {
#printf("\t%s: %s\n", $attr, $entry->get_value($attr));
$attrvalue = $entry->get_value($attr,asref=>1);
#print $attr.":". $entry->get_value($attr)."\n";
foreach $value(@$attrvalue) {
print "$attr: $value\n";
}
}
$mesg->pop_entry;
print "\n";
}
$ldap = Net::LDAP->new( "localhost" );
# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
before => 0, # No entries from before target entry
after => 19, # 19 entries after target entry
content => 0, # List size unknown
offset => 1, # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
@args = ( base => "dc=example,dc=co,dc=in",
scope => "subtree",
filter => "(objectClass=inetOrgPerson)",
callback => \&procentry, # Call this sub for each entry
control => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control
*($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;*
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mes
# Now page with first entry starting with "B" in the middle
$vlv->before(9); # Change page to show 9 before
$vlv->after(10); # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or
die;
$vlv->response( $resp );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
SASL passthrough - multiple domains
by Liam Gretton
I have a working configuration with pass-through auth to an AD domain
using saslauthd.
However now there is a requirement to be able to handle another domain
too, and I cannot work out how to do this. It seems that saslauthd
cannot deal with multiple Kerberos realms, no matter what hoops one
jumps through it eventually boils down to only using whatever
'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way
(that I can work out) of getting OpenLDAP to use anything other than the
single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to the
separate saslauthd daemons, and have another outward facing LDAP service
with these as the backends but that's a non starter too because there's
no way of specifying the sasl slapd.conf file, it seems sasl always
looks in /etc/sasl2 for a file derived from the process name (a chroot
environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users
against multiple domains. I appreciate this is a SASL issue rather than
a problem with OpenLDAP, but I'm hoping that someone here has cracked
this already. Googling hasn't thrown up an solution that I can find.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
11 years, 4 months
Changing schema OID values in cn=config
by Nick Milas
Hello,
In my config there is:
DN: cn={5}postfix,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}postfix
olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME
'mailacceptinggeneralid' DESC 'Defines an address that we accept mail
for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX
1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC
'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser'
DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR
caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive'
DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount'
DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $
mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $
aliasInactive ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC
'Virtual account for holding mailing list info' STRUCTURAL MUST (
mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $
aliasInactive ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC
'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $
cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC
'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY
description )
When I try to change attribute OID value, for example:
1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP
client) then the server hangs and will not restart. (I had to restore
from backup and restart.)
What is the recommended way to do this change?
Thanks,
Nick
11 years, 9 months
Using NSS
by Braden McDaniel
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In
cn=config.ldif I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: endoframe
I have used certutil to create a self-signed certificate:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
endoframe Cu,Cu,Cu
But this doesn't appear to be working:
$ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
slapd is running:
# systemctl status slapd.service
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago
Main PID: 1429 (slapd)
CGroup: name=systemd:/system/slapd.service
└ 1429 /usr/sbin/slapd -h ldap:/// -u ldap
Any ideas of what I might be doing wrong, or where I should be looking
to debug this?
--
Braden McDaniel <braden(a)endoframe.com>
11 years, 9 months
Ldap+Nfsv4+kerberos *nix / *bsd puzzle.
by Harry Coin
Hello group!
Looking for guidance on an ldap+NFS4+Kerberos puzzle in a mixed OS local
environment.
Simple demo case, four computers on a little net.
box 1: Running openlap server, kerberos KDC, kadmin, lets say it's
running freebsd, doesn't matter. nfs server & client.
box 2: Linux box. nfs server & client.
box 3: *bsd/Solaris box. nfs server & client.
box 4: misc user box, could be *bsd or *nix.
Networking: Nfs4 secured with kerberos. That means No uid/gid numbers
on the wire, only user@box. NSS is active on all boxes, reaching out
to the ldap server on box 1 for info for what is not in the local passwd
file searched first.
Popular package X gets installed on box 2 and box 3. Package X is a
drop-root privilege package, has its own uid/gid!=0. It is active on
the net, might write log files or get data files via nfs on either of
the other two computers in the setup. The maintainers for package X in
the *bsd world have chosen a different number for the uid / gid for the
package X daemon than the maintainers for package X have chosen in the
*nix world. Those get written in the local passwd file on each system
at package X install / download time.
Note: Package X does _not_ get installed on the ldap server box #1, or
box #4. There is no entry in the #1 or #4 system's passwd file for nss
to find for the daemon associated with package X. nfsuserd via nss must
find the package X user in ldap or the files will be unreadable or seem
'owned' by nobody:nogroup on 1 or 4 if say config or log files
edited/accessed from there.
Puzzle: What should the posixAccount uidNumber and gidNumber value be
in ldap for uid=packageXdaemon?
Alternatives:
1: Choose no entry, leave it out of the ldap db: PackageXDaemon's files
will be owned by nobody:nogroup on box 1. Security Fail.
2: Choose *nix for the uid/gid in the ldap database on box 1. Fail:
The files will be stored with a uid/gid that might collide with another
account in the passwd database on the *bsd server.
3: Choose *bsd for the uid/gid in the ldap database on box 1: Fail:
The *nix user on box 4's nfsuserid will get the bsd uid/gid from ldap
which could create files not actually owned by something colliding in
the *nix passwd database on box 4.
4: Instead storing all the users once under an ou=Account... create
ou=AccountBSD and ou=AccountNix, duplicate the whole account tree but
vary the apropos uid/gid pair under each tree with all the other
remaining equal, manage collisions when amending the database. Not so
pretty.
5: Edit the schema to replace uidNumber and gidNumber with uidNixNumber
/ uidBsdNumber & etc. for gid. Breaks code expecting standard uidNumber
gidNumber in the default ldap schemas.
There are so many packages that could be X, you can imagine not wanting
to have to qualify and patch all of them to use a common uid/gid
number. (And it gets even worse in a mixed nfs3 / nfs4 environment
where uid/gid numbers actually go over the wire in some cases, and
user@box in others, let's leave that to the side for now).
I'm leaning toward #5 to avoid storing all the other account information
under two different trees. But I'd prefer a scheme were there is a
not-edited standard schema tree stored once under 'ou=Account' but with
a different overlay for the uid/gid elements if looked up as AccountNix
or AccountBsd.
I'm sure someone has done battle with this already, what's the right
answer?
Thanks
Harry Coin
11 years, 11 months
Ldap is up, trying to get tls working.
by John Tobin
Folks,
I have openldap up, it supports vsftpd, sshd, and 5 client linux machines
for remote login.
I would like to get tls working. I would support either ldaps [port 636], or
the tls available on port 389, I am aware of the differences in
implementation, and the fact that an administrator effectively has to make a
decision to support one or the other in most cases.
Currently:
I have slapd running configured for tls under ldap [std port 389].
I am testing it on the slapd machine, with a client on the same machine.
I am pointing to the same cacertificate in slapd.d [cn=config.ldif] and
ldap.conf.
With that in place, and the ldap.conf below:
nightmare:/etc # cat ldap.conf
base dc=dark,dc=net
uri ldap://nightmare.dark.net
# scope sub
# binddn "cn=admin,dc=dark,dc=net"
# bindpw jackie
bind_policy soft
# The user ID attribute (defaults to uid)
pam_login_attribute uid
pam_lookup_policy yes
pam_password exop
nss_schema rfc2307bis
tls_reqcert never
pam_filter objectClass=posixAccount
ldap_version 3
nss_map_attribute uniqueMember uniqueMember
ssl start_tls
tls_cacert /var/lib/ldap/cacert.pem
tls_cert /var/lib/server.crt
tls_key /var/lib/ldap/server.key
I have run ldapsearch:
nightmare:/media # ldapsearch -v -x -H ldap://nightmare.dark.net:389/ -b
"dc=dark,dc=net" -Z
ldap_initialize( ldap://nightmare.dark.net:389/??base )
filter: (objectclass=*)
requesting: All userApplication attributes
# extended LDIF
#
# LDAPv3
# base <dc=dark,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#
# dark.net
dn: dc=dark,dc=net
dc: dark
o: dark
objectClass: organization
objectClass: dcObject
# admin, dark.net
dn: cn=admin,dc=dark,dc=net
objectClass: organizationalRole
cn: admin
# Default Policy, dark.net
dn: cn=Default Policy,dc=dark,dc=net
objectClass: namedObject
objectClass: pwdPolicy
cn: Default Policy
# People, dark.net
dn: ou=People,dc=dark,dc=net
objectClass: organizationalUnit
ou: People
description: People is used in mapping the /etc/passwd entries
# jtobin, People, dark.net
dn: uid=jtobin,ou=People,dc=dark,dc=net
uid: jtobin
cn: John C. Tobin
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
loginShell: /bin/ksh
uidNumber: 5000
gidNumber: 100
homeDirectory: /home/jtobin
gecos: John C. Tobin
# defaultDNS, dark.net
dn: cn=defaultDNS,dc=dark,dc=net
cn: defaultDNS
objectClass: top
objectClass: suseDnsConfiguration
suseDefaultBase: ou=DNS,dc=dark,dc=net
# DNS, dark.net
dn: ou=DNS,dc=dark,dc=net
objectClass: top
objectClass: organizationalUnit
ou: DNS
# search result
search: 3
result: 0 Success
# numResponses: 8
# numEntries: 7
nightmare:~ #
#####
So I am assuming the ldapserver on ldap://nightmare.dark.net:389/ with tls
works.
[I looked through the message output in /var/log/message and see the
³STARTTLS² and ³TLS established tls_ssf=256²]
I have done a number of similar ldapsearches. This appears to work
correctly.
On the client machine I now do :
nightmare:/media # su - jtobin
su: user jtobin does not exist
nightmare:/media #
/var/log/message - output......
nightmare:/var/log # tail f |grep I tls
Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 op=0 STARTTLS
Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
failed:stat=-1
Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept
failure error=-1 id=1217, closing
Oct 28 11:29:01 nightmare slapd[11118]: conn=1217 fd=14 closed (TLS
negotiation failure)
Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 op=0 STARTTLS
Oct 28 11:29:01 nightmare worker_nscd: nss-ldap: do_open: do_start_tls
failed:stat=-1
Oct 28 11:29:01 nightmare slapd[11118]: connection_read(14): TLS accept
failure error=-1 id=1218, closing
Oct 28 11:29:01 nightmare slapd[11118]: conn=1218 fd=14 closed (TLS
negotiation failure)
[if you want more of the log, I can obviously get it, but these appear to be
the important parts.]
This is probably a configuration error, or a logical / architecture
misunderstanding, ok, I m a newbie.
Do I have certificates incorrectly generated? [certificates were generated
via http://www.openldap.org/faq/data/cache/185.html].
What did I do wrong?
This is running openldap 2.4.26 off of Suse 12.1 milestone 5.
Thanks in advance.
tob
11 years, 11 months
Syncrepl SSL fail
by Hugo Deprez
Dear community,
I setup a syncrepl between my master openldap server and a consumer.
I am trying to use SSL for this syncrepl
I got the following error in the log when I start slapd on the consumer :
Oct 13 17:04:59 server slapd[16905]: slapd starting
Oct 13 17:04:59 server slapd[16905]: slap_client_connect:
URI=ldaps://ldap.mydomain.fr:1024/
DN="cn=syncrepluser,o=others,dc=mydomain,dc=fr" ldap_sasl_bind_s
failed (-1)
Oct 13 17:04:59 server slapd[16905]: do_syncrepl: rid=003 rc -1
retrying (9 retries left)
I don't understand why it is failing as a single ldapsearch from the
same server with the syncrepl user is working.
here is my syncrepl configuration :
Syncrepl rid=003
provider=ldaps://ldap.mydomain.fr:1024/
type=refreshOnly
retry="60 10 600 +"
interval=00:00:00:10
searchbase="dc=mydomain,dc=fr"
scope=sub
schemachecking=on
bindmethod=simple
binddn="cn=syncrepluser,o=others,dc=mydomain,dc=fr"
credentials=my_password
Any idea ?
Regards,
Hugo
11 years, 11 months
memberof overlay deployment
by Asplund Marko
Hi,
I'm planning on deploying the memberof overlay feature in our OpenLDAP v2.3 directory and I'd like to get some practical advice on this. So far, I've done some testing in my test environment. I've added an overlay directive in slapd.conf:
overlay memberof
and imported group info to populate data.
memberof queries appear to be working fine.
Is there something else I should consider in addition?
What would be the best way to get the memberof attribute values populated in the production database?
Should I reimport all the data? What would be the best way for doing that?
Or is it possible to somehow get the attribute values populated without reimporting?
marko
11 years, 11 months
Re: LDAP query to Active Directory backend
by Khaled Blah
Thanks for your reply, Michael!
I should have mentioned that I have tested this code with an OpenLDAP
server (2.4.23) and a Lotus Notes server (ver. 8) and both of them
return UTF-8 encoded data (like I expected it). The only difference
are the parameters which I use to start the query on these backends
(bind DN, filter, etc...).
Regards,
Khaled
11 years, 12 months
Security between server and client nodes.
by Jayavant Patil
Hi,
I am using openLDAP-2.4.19-4 on fedora 12 machine. I want to make server
secure from client nodes so that clients don't hack the server node. Hack
in the sense that one client doesn't even read the data of another client,
client doesn't tamper the server directory information or try to spoof the
server.
Does anybody have any suggestions how to avoid these things in openLDAP?
Thanks in advance.
--
Regards,
Jayavant Ningoji Patil
Engineer: System Software
Computational Research Laboratories Ltd.
Pune-411 004.
Maharashtra, India.
+91 9923536030.
11 years, 12 months