openldap-technical December 2011

openldap-technical@openldap.org

88 participants
101 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

SASL passthrough - multiple domains
by Liam Gretton 05 Jul '12

05 Jul '12

I have a working configuration with pass-through auth to an AD domain using saslauthd. However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file. Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf. My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at). But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find. -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

8 10

Pass-though Authentication with Saslauthd and Kerberos
by Jeff B 06 Jun '12

06 Jun '12

I'm attempting to get pass-though auth to work against saslauthd and kerberos and while the problem seems to be in sasl I think it's most likely to be seen in this type of configuration with opendap which I why I chose this mailing list. When I run testsaslauthd it works but when I run ldapsearch it fails. But the curious thing is where it is failing. in doing straces of saslauthd and packet traces I've found that when ldapsearch calls salsauthd, and not when I run saslauthd kerberos does not deliver the AS-REP packets till just after saslauthd times out. I can't find any difference in how I'm invoking saslauthd with testdaslauthd and how ldapsearch is invoking saslauthd. However the packet traces are quite different as you will see below. I've seen these kind of errors here and there on google but no resolutions that I can find. (http://www.openldap.org/lists/openldap-software/200602/msg00278.html) Centos 6 openldap-2.4.23-15.el6_1.3.x86_64 openldap-clients-2.4.23-15.el6_1.3.x86_64 openldap-servers-2.4.23-15.el6_1.3.x86_64 openldap-devel-2.4.23-15.el6_1.3.x86_64 krb5-server-1.9-9.el6_1.2.x86_64 krb5-server-ldap-1.9-9.el6_1.2.x86_64 krb5-workstation-1.9-9.el6_1.2.x86_64 krb5-libs-1.9-9.el6_1.2.x86_64 cyrus-sasl-2.1.23-8.el6.x86_64 cyrus-sasl-lib-2.1.23-8.el6.x86_64 cyrus-sasl-gssapi-2.1.23-8.el6.x86_64 cyrus-sasl-plain-2.1.23-8.el6.x86_64 cyrus-sasl-devel-2.1.23-8.el6.x86_64 My slapd.conf contains nothing regarding kerberos / sasl / pass-through authentication. I'm using a slapd.conf file for the time being till i get it all worked out and plan on converting it to a cn=config configuration. In my DIT the userPassword field contains: {SASL}myuser@MYREALM where myuser and my realm are replaced with the proper values. /etc/sasl2/slapd.conf: mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux /etc/sysconfig/saslauthd KRB5_KTNAME=/etc/krb5.keytab SOCKETDIR=/var/run/saslauthd MECH=kerberos5 Which builds a daemon command line of: /usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5 My system keytab is: /etc/krb5.keytab (root.ldap 0640) host/my.hostname@realm ldap/my.hostname@realm My socket parent dir is: /var/run/saslauthd (root.ldap 0770) When I run testsaslauthd I get a packet trace between saslauthd and kerberos is all UDP and works: > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ < AS-REP > TGS-REQ < TGS-REP When I run ldapsearch the packet trace between saslauthd and kerberos is UDP and TCP communication. None of the kerberos replies come back for 18 seconds, the time it takes saslauthd to time out. > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ > TCP SYN < TCP SYN, ACK > TCP ACK > TCP AS-REQ < TCP ACK > AS-REQ > AS-REQ > TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once. < AS-REP < AS-REP < AS-REP < TCP AS-REP > TCP RST an strace of saslauthd supports this timeout theory as it shows the the timeouts and backoffs. I can't find any info regarding saslauthd and TCP or UDP or timeouts like this. Any ideas?

5 7

ACL in dynamic configuration
by Nick Milas 16 Mar '12

16 Mar '12

Hello, I have converted from static (slapd.conf) to dynamic (cn=config) configuration using auto file conversion. I would like to ask a couple of questions regarding ACL conversion. Here follows one of the rules we have in initial form (a), and after conversion (b): (a) access to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" attrs="children,entry" by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read by * break (b) as an olcAccess attribute value: {10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" attrs=children,entry by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr" write by group/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr" read by group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr" read by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by * +0 break Question 1. Why "group.exact" was changed to "group/groupOfNames/member.exact" ? Yes, groups are defined as entries of groupOfNames objectClass, with members defined as values of attribute "member". But should it be like that? Should we change (manually) "group/groupOfNames/member.exact" back to "group.exact" again or not (and why)? Question 2. Is there a way we can add (manually, since conversion removed the ones which existed in initial configuration files) line breaks in olcAccess attribute value so it can be more legible (for administrative purposes)? Question 3. What is the "+0" added before "break" and why is needed? Thanks in advance, Nick

3 3

OpenLDAP 2.4 : replication doesn't work when customer is stopped
by PROST Frédéric 10 Mar '12

10 Mar '12

Hello, I configured MirrorMode replication between 2 openldap 2.4 node installed on Debian (from apt). Everything is working fine when the two nodes are online but if I stop the second node, and add new datas to the first node, then restart the second node, the new data are not synced. However, if I then add new datas on node 1, they are replicated to node2 without problem. Here is a scenario of this problem : 1/ node1 and node 2 are online : I add user1 to node 1 => user1 appears on node2 => ok 2/ node1 is online and node2 is off : I add user2 on node1 => nothing happens on node2 as it is off => ok 3/ I restart node2 => user2 is not replicated to node2 => not ok 4/ node1 and node 2 are online : I add user3 to node 1 => user3 appears on node2 => ok At the end of this scenario, node1 contains user1, user2 and user3 and node2 contains only user1 and user3 (but not user2). How can I slove this problem ? Thank you for your help, Best regards, Fred Here is my config : version: 1 dn: cn=config objectClass: olcGlobal cn: config olcAllows: bind_v2 olcArgsFile: /var/run/slapd/slapd.args olcLogLevel: any olcPidFile: /var/run/slapd/slapd.pid olcServerID: 1 ldap://192.168.1.103 olcServerID: 2 ldap://192.168.1.104 olcSizeLimit: 1000000 olcToolThreads: 1 dn: cn=module{0},cn=config objectClass: olcModuleList cn: module{0} olcModuleLoad: {0}back_hdb olcModuleLoad: {1}syncprov olcModulePath: /usr/lib/ldap dn: olcBackend={0}hdb,cn=config objectClass: olcBackendConfig olcBackend: {0}hdb dn: olcDatabase={-1}frontend,cn=config objectClass: olcDatabaseConfig objectClass: olcFrontendConfig olcDatabase: {-1}frontend olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcAccess: {1}to dn.exact="" by * read olcAccess: {2}to dn.base="cn=Subschema" by * read olcSizeLimit: 500 dn: olcDatabase={0}config,cn=config objectClass: olcDatabaseConfig olcDatabase: {0}config olcAccess: {0}to * by dn.exact="uid=syncrepl,dc=tracteur91,dc=local" read by * break olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=extern al,cn=auth manage by * break olcLimits: {0}dn.exact="uid=syncrepl,dc=tracteur91,dc=local" size=unlimited olcMirrorMode: TRUE olcRootDN: cn=admin,cn=config olcRootPW: {MD5}BkY718PMIcgBNjpfXmGpOA== olcSyncrepl: {0}rid=001 provider="ldap://192.168.1.103" searchbase="cn=confi g" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteu r91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeo ut=30 olcSyncrepl: {1}rid=002 provider="ldap://192.168.1.104" searchbase="cn=confi g" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteu r91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeo ut=30 dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 5 dn: olcDatabase={1}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {1}hdb olcDbDirectory: /var/lib/ldap olcAccess: {0}to * by dn.exact="uid=syncrepl,dc=tracteur91,dc=local" read by * break olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonym ous auth by dn="cn=admin,dc=tracteur91,dc=local" write by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * by self write by dn="cn=admin,dc=tracteur91,dc=local" wri te by * read olcDbCheckpoint: 512 30 olcDbConfig: {0}set_cachesize 0 2097152 0 olcDbConfig: {1}set_lk_max_objects 1500 olcDbConfig: {2}set_lk_max_locks 1500 olcDbConfig: {3}set_lk_max_lockers 1500 olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: cn eq olcDbIndex: ou eq olcDbIndex: dc eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcLastMod: TRUE olcLimits: {0}dn.exact="uid=syncrepl,dc=tracteur91,dc=local" size=unlimited olcMirrorMode: TRUE olcRootDN: cn=admin,dc=tracteur91,dc=local olcRootPW: {SSHA}ZtvvlHUQYloI17cv2/cjPFmx51+Ut/+5 olcSuffix: dc=tracteur91,dc=local olcSyncrepl: {0}rid=003 provider="ldap://192.168.1.103" searchbase="dc=tract eur91,dc=local" type=refreshAndPersist bindmethod=simple binddn="uid=syncre pl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-ti meout=5 timeout=30 olcSyncrepl: {1}rid=004 provider="ldap://192.168.1.104" searchbase="dc=tract eur91,dc=local" type=refreshAndPersist bindmethod=simple binddn="uid=syncre pl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-ti meout=5 timeout=30 dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: {0}syncprov olcSpCheckpoint: 100 5

3 8

Changing schema OID values in cn=config
by Nick Milas 17 Feb '12

17 Feb '12

Hello, In my config there is: DN: cn={5}postfix,cn=schema,cn=config objectClass: olcSchemaConfig cn: {5}postfix olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' DESC 'Defines an address that we accept mail for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC 'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 ) olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive' DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE ) olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $ mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $ aliasInactive ) ) olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC 'Virtual account for holding mailing list info' STRUCTURAL MUST ( mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $ aliasInactive ) ) olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC 'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $ cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) ) olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC 'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY description ) When I try to change attribute OID value, for example: 1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP client) then the server hangs and will not restart. (I had to restore from backup and restart.) What is the recommended way to do this change? Thanks, Nick

4 14

Using NSS
by Braden McDaniel 05 Feb '12

05 Feb '12

I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In cn=config.ldif I have: olcTLSCACertificatePath: /etc/pki/nssdb olcTLSCertificateFile: endoframe I have used certutil to create a self-signed certificate: # certutil -d /etc/pki/nssdb -L Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI endoframe Cu,Cu,Cu But this doesn't appear to be working: $ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1 ldap_url_parse_ext(ldaps://rail) ldap_create ldap_url_parse_ext(ldaps://rail:636/??base) ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP rail:636 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying ::1 636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 127.0.0.1:636 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_close_socket: 3 ldap_err2string ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1) slapd is running: # systemctl status slapd.service slapd.service - LSB: starts and stopd OpenLDAP server daemon Loaded: loaded (/etc/rc.d/init.d/slapd) Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago Main PID: 1429 (slapd) CGroup: name=systemd:/system/slapd.service └ 1429 /usr/sbin/slapd -h ldap:/// -u ldap Any ideas of what I might be doing wrong, or where I should be looking to debug this? -- Braden McDaniel <braden(a)endoframe.com>

8 19

Re: slapd-ldap as proxy to active directory
by Juan Miscaro 04 Jan '12

04 Jan '12

On 14 December 2011 17:44, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Wednesday, December 14, 2011 3:40 PM -0500 Juan Miscaro > <jmiscaro(a)gmail.com> wrote: >> I would like to use the slapd-ldap backend as a proxy to Active >> Directory (Windows Server 2008 R2). >> >> Firstly, AD can be queried directly: > Does your local OpenLDAP have a schema file that defines the AD attributes > you are using? No. I read that since OpenLDAP 2.3 this was not necessary (I'm running 2.4.25 on Ubuntu 11.10). I got my project from a tutorial [1] where this all worked. [1]: http://is.gd/dqM1Ts (see section "Using OpenLDAP 2.3 to Pass Unknown Schema" on page 2) -- /jm

5 7

Issue with index in OpenLDAP?
by External Mathieu DEDECKER (CAMPUS) 03 Jan '12

03 Jan '12

Hi @All, We meet a performance problem with our OpenLDAP. We think that we face a problem with the index of the database, and we think that the problem can be resolve by tunning the config (but not sure). We would like to be sure that our configuration is correct, in order to confirm if we are on a wrong track or not. *[Description]* We have an attribute (cardNumber) which is indexed. When we request the indexed attribute (cardNumber) with an LDAP Client (Ldapbrowser), we have either fast or very long response time. For the long response time, the CPU of the server hits 100%. *For example*: Request1: cardnumber=2098001010034 (less than 1sec) Request2: cardnumber=2090389917486 (nearly 20 sec). By checking the hit ratio of the attribute, we can see that cache is correctly used (97%). *[Details]* - We are running on a VM with RedHat with 4 process with 24 Go RAM. - The version of the OpenLDAP is 2.4.16. - We have 2 500 000 accounts. *[Attachment]* - *201111223_os.txt* -> informations about OS and Hardware. - *openldap_version.txt* -> informations about the version of OpenLDAP. - *20111220_stats.txt* -> informations about index and perf. - *olcDatabase={1}hdb.ldif.txt * -> informations about hdb config. Do not hesitate if you need some more informations. Thank you for your help (: Mathieu

2 2

Syncrepl problem
by Bram Cymet 03 Jan '12

03 Jan '12

Hi, I have a syncrepl setup that I thought was working fine because whenever I would change an attribute in an entry the changes would be reflected in slave. Recently I noticed that if I remove and entry or add a new entry that will not get synced. Any idea what would be going on? Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

2 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2011