Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Callback invoked by search() for every entry (and once more with no entry at the end)
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # asref => 1 returns every value of a multi-valued attribute as an array ref
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # drop the processed entry so the message does not keep growing
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,  # No entries from before target entry
    after   => 19, # 19 entries after target entry
    content => 0,  # List size unknown
    offset  => 1,  # Target entry is the first
);
# VLV needs a server-side sort control in the same request
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,     # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control (this is line 50 of vlv.pl, the line that dies)
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);   # Change page to show 9 before
$vlv->after(10);   # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
SASL passthrough - multiple domains
by Liam Gretton
I have a working configuration with pass-through auth to an AD domain
using saslauthd.
However, now there is a requirement to be able to handle another domain
too, and I cannot work out how to do this. It seems that saslauthd
cannot deal with multiple Kerberos realms; no matter what hoops one
jumps through, it eventually boils down to only using whatever
'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way
(that I can work out) of getting OpenLDAP to use anything other than the
single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to a
separate saslauthd daemon, and have another outward-facing LDAP service
with these as the backends, but that's a non-starter too because there's
no way of specifying the SASL slapd.conf file; it seems SASL always
looks in /etc/sasl2 for a file derived from the process name (a chroot
environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users
against multiple domains. I appreciate this is a SASL issue rather than
a problem with OpenLDAP, but I'm hoping that someone here has cracked
this already. Googling hasn't thrown up a solution that I can find.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
11 years, 4 months
Pass-through Authentication with Saslauthd and Kerberos
by Jeff B
I'm attempting to get pass-through auth to work against saslauthd and
Kerberos, and while the problem seems to be in SASL I think it's most
likely to be seen in this type of configuration with OpenLDAP, which is
why I chose this mailing list.
When I run testsaslauthd it works, but when I run ldapsearch it fails.
But the curious thing is where it is failing. In doing straces of
saslauthd and packet traces I've found that when ldapsearch calls
saslauthd, and not when I run saslauthd, Kerberos does not deliver the
AS-REP packets till just after saslauthd times out.
I can't find any difference in how I'm invoking saslauthd with
testsaslauthd and how ldapsearch is invoking saslauthd. However, the
packet traces are quite different, as you will see below.
I've seen these kinds of errors here and there on Google but no
resolutions that I can find.
(http://www.openldap.org/lists/openldap-software/200602/msg00278.html)
Centos 6
openldap-2.4.23-15.el6_1.3.x86_64
openldap-clients-2.4.23-15.el6_1.3.x86_64
openldap-servers-2.4.23-15.el6_1.3.x86_64
openldap-devel-2.4.23-15.el6_1.3.x86_64
krb5-server-1.9-9.el6_1.2.x86_64
krb5-server-ldap-1.9-9.el6_1.2.x86_64
krb5-workstation-1.9-9.el6_1.2.x86_64
krb5-libs-1.9-9.el6_1.2.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-gssapi-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64
cyrus-sasl-devel-2.1.23-8.el6.x86_64
My slapd.conf contains nothing regarding Kerberos / SASL /
pass-through authentication. I'm using a slapd.conf file for the time
being till I get it all worked out, and plan on converting it to a
cn=config configuration.
In my DIT the userPassword field contains: {SASL}myuser@MYREALM where
myuser and my realm are replaced with the proper values.
/etc/sasl2/slapd.conf:
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
/etc/sysconfig/saslauthd
KRB5_KTNAME=/etc/krb5.keytab
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
Which builds a daemon command line of:
/usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5
My system keytab is:
/etc/krb5.keytab (root.ldap 0640)
host/my.hostname@realm
ldap/my.hostname@realm
My socket parent dir is:
/var/run/saslauthd (root.ldap 0770)
When I run testsaslauthd, the packet trace between saslauthd and
Kerberos is all UDP and works:
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
< AS-REP
> TGS-REQ
< TGS-REP
When I run ldapsearch, the packet trace between saslauthd and Kerberos
is UDP and TCP communication. None of the Kerberos replies come back
for 18 seconds, the time it takes saslauthd to time out.
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
> TCP SYN
< TCP SYN, ACK
> TCP ACK
> TCP AS-REQ
< TCP ACK
> AS-REQ
> AS-REQ
> TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once.
< AS-REP
< AS-REP
< AS-REP
< TCP AS-REP
> TCP RST
An strace of saslauthd supports this timeout theory, as it shows the
timeouts and backoffs.
I can't find any info regarding saslauthd and TCP or UDP or timeouts
like this. Any ideas?
11 years, 5 months
ACL in dynamic configuration
by Nick Milas
Hello,
I have converted from static (slapd.conf) to dynamic (cn=config)
configuration using the automatic file conversion.
I would like to ask a couple of questions regarding ACL conversion. Here
follows one of the rules we have, in its initial form (a) and after
conversion (b):
(a)
access to
dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"
attrs="children,entry"
by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write
by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read
by group.exact="cn=Dept2Admins,ou=Groups,dc=example,dc=gr" write
by group.exact="cn=Dept3Admins,ou=Groups,dc=example,dc=gr" read
by group.exact="cn=Dept4Admins,ou=Groups,dc=example,dc=gr" read
by group.exact="cn=Dept5Admins,ou=Groups,dc=example,dc=gr" read
by group.exact="cn=GuestAdmins,ou=Groups,dc=example,dc=gr" read
by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read
by * break
(b) as an olcAccess attribute value:
{10}to
dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr"
attrs=children,entry by
group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr"
write by
group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr"
read by
group/groupOfNames/member.exact="cn=Dept2Admins,ou=groups,dc=example,dc=gr"
write by
group/groupOfNames/member.exact="cn=Dept3Admins,ou=groups,dc=example,dc=gr"
read by
group/groupOfNames/member.exact="cn=Dept4Admins,ou=groups,dc=example,dc=gr"
read by
group/groupOfNames/member.exact="cn=Dept5Admins,ou=groups,dc=example,dc=gr"
read by
group/groupOfNames/member.exact="cn=guestadmins,ou=groups,dc=example,dc=gr"
read by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read by *
+0 break
Question 1.
Why was "group.exact" changed to "group/groupOfNames/member.exact"?
Yes, groups are defined as entries of the groupOfNames objectClass, with
members defined as values of the attribute "member". But should it be like
that? Should we change (manually) "group/groupOfNames/member.exact" back
to "group.exact" again or not (and why)?
Question 2.
Is there a way we can add (manually, since the conversion removed the ones
which existed in the initial configuration files) line breaks in the olcAccess
attribute value so it can be more legible (for administrative purposes)?
Question 3.
What is the "+0" added before "break" and why is it needed?
Thanks in advance,
Nick
11 years, 8 months
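Added example, not from the post or from OpenLDAP itself: a small checker that renders an access rule one `by` clause per line (for reading; the stored olcAccess value stays a single line) and confirms that a converted olcAccess value still grants the same access as the slapd.conf rule it came from, treating the spellings the converter emits as equivalent (group.exact is the short form of group/groupOfNames/member.exact, dn.exact is a synonym of dn.base, "+0" adds no privileges). The two rules are constructed, shortened versions of the ones quoted above.

```python
import re
import shlex

# Constructed input, shortened from the rule in the post: the slapd.conf form
# and the olcAccess form produced by the conversion.
STATIC_RULE = (
    'access to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" '
    'attrs="children,entry" '
    'by group.exact="cn=TechAdmins,ou=Groups,dc=example,dc=gr" write '
    'by group.exact="cn=Dept1Admins,ou=Groups,dc=example,dc=gr" read '
    'by dn.exact="uid=dnsauthusr,ou=System,dc=example,dc=gr" read '
    'by * break'
)
DYNAMIC_RULE = (
    '{10}to dn.subtree="dc=xxx.xxx.xxx.in-addr.arpa,ou=dns1,dc=example,dc=gr" '
    'attrs=children,entry '
    'by group/groupOfNames/member.exact="cn=techadmins,ou=groups,dc=example,dc=gr" write '
    'by group/groupOfNames/member.exact="cn=Dept1Admins,ou=groups,dc=example,dc=gr" read '
    'by dn.base="uid=dnsauthusr,ou=system,dc=example,dc=gr" read '
    'by * +0 break'
)


def parse_rule(rule):
    """Split a rule into its <what> part and a list of '<who> <access> [<control>]'
    clauses. Accepts both the 'access to ...' and the '{n}to ...' spellings."""
    body = re.sub(r'^\s*(?:access\s+to|\{\d+\}to)\s+', '', rule.strip())
    what, *clauses = re.split(r'\s+by\s+', body)
    return what, clauses


def pretty(rule):
    """Legible rendering: one 'by' clause per line (for reading, not for storing)."""
    what, clauses = parse_rule(rule)
    return 'to ' + what + '\n' + '\n'.join('    by ' + c for c in clauses)


def normalize_clause(clause):
    """Canonical form of one clause so that the converter's spelling variants
    compare equal: group.exact == group/groupOfNames/member.exact, dn.exact ==
    dn.base, '+0' adds no privileges, and DN values are case-insensitive."""
    who, *rest = shlex.split(clause)          # also strips the quotes around values
    who = who.replace('group.exact=', 'group/groupOfNames/member.exact=')
    who = who.replace('dn.exact=', 'dn.base=')
    key, sep, value = who.partition('=')
    rest = [t for t in rest if t != '+0']
    return ' '.join([key + sep + value.lower()] + rest)


def equivalent(rule_a, rule_b):
    """True if both rules grant the same access, clause by clause, in the same order."""
    what_a, by_a = parse_rule(rule_a)
    what_b, by_b = parse_rule(rule_b)
    same_what = ' '.join(shlex.split(what_a)).lower() == ' '.join(shlex.split(what_b)).lower()
    return same_what and [normalize_clause(c) for c in by_a] == [normalize_clause(c) for c in by_b]
```

Clause order matters to slapd (the first matching `by` wins), which is why the comparison is positional rather than set-based.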
OpenLDAP 2.4 : replication doesn't work when customer is stopped
by PROST Frédéric
Hello,
I configured MirrorMode replication between 2 OpenLDAP 2.4 nodes installed on Debian (from apt).
Everything is working fine when the two nodes are online, but if I stop the second node, add new data to the first node, then restart the second node, the new data is not synced.
However, if I then add new data on node 1, it is replicated to node 2 without problem.
Here is a scenario of this problem:
1/ node1 and node2 are online: I add user1 to node1 => user1 appears on node2 => ok
2/ node1 is online and node2 is off: I add user2 on node1 => nothing happens on node2 as it is off => ok
3/ I restart node2 => user2 is not replicated to node2 => not ok
4/ node1 and node2 are online: I add user3 to node1 => user3 appears on node2 => ok
At the end of this scenario, node1 contains user1, user2 and user3 and node2 contains only user1 and user3 (but not user2).
How can I solve this problem?
Thank you for your help,
Best regards,
Fred
Here is my config:
version: 1
dn: cn=config
objectClass: olcGlobal
cn: config
olcAllows: bind_v2
olcArgsFile: /var/run/slapd/slapd.args
olcLogLevel: any
olcPidFile: /var/run/slapd/slapd.pid
olcServerID: 1 ldap://192.168.1.103
olcServerID: 2 ldap://192.168.1.104
olcSizeLimit: 1000000
olcToolThreads: 1
dn: cn=module{0},cn=config
objectClass: olcModuleList
cn: module{0}
olcModuleLoad: {0}back_hdb
olcModuleLoad: {1}syncprov
olcModulePath: /usr/lib/ldap
dn: olcBackend={0}hdb,cn=config
objectClass: olcBackendConfig
olcBackend: {0}hdb
dn: olcDatabase={-1}frontend,cn=config
objectClass: olcDatabaseConfig
objectClass: olcFrontendConfig
olcDatabase: {-1}frontend
olcAccess: {0}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcAccess: {1}to dn.exact="" by * read
olcAccess: {2}to dn.base="cn=Subschema" by * read
olcSizeLimit: 500
dn: olcDatabase={0}config,cn=config
objectClass: olcDatabaseConfig
olcDatabase: {0}config
olcAccess: {0}to * by dn.exact="uid=syncrepl,dc=tracteur91,dc=local" read by * break
olcAccess: {1}to * by dn.exact=gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth manage by * break
olcLimits: {0}dn.exact="uid=syncrepl,dc=tracteur91,dc=local" size=unlimited
olcMirrorMode: TRUE
olcRootDN: cn=admin,cn=config
olcRootPW: {MD5}BkY718PMIcgBNjpfXmGpOA==
olcSyncrepl: {0}rid=001 provider="ldap://192.168.1.103" searchbase="cn=config" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeout=30
olcSyncrepl: {1}rid=002 provider="ldap://192.168.1.104" searchbase="cn=config" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeout=30
dn: olcOverlay={0}syncprov,olcDatabase={0}config,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 5
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcDbDirectory: /var/lib/ldap
olcAccess: {0}to * by dn.exact="uid=syncrepl,dc=tracteur91,dc=local" read by * break
olcAccess: {1}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=tracteur91,dc=local" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=tracteur91,dc=local" write by * read
olcDbCheckpoint: 512 30
olcDbConfig: {0}set_cachesize 0 2097152 0
olcDbConfig: {1}set_lk_max_objects 1500
olcDbConfig: {2}set_lk_max_locks 1500
olcDbConfig: {3}set_lk_max_lockers 1500
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: cn eq
olcDbIndex: ou eq
olcDbIndex: dc eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcLastMod: TRUE
olcLimits: {0}dn.exact="uid=syncrepl,dc=tracteur91,dc=local" size=unlimited
olcMirrorMode: TRUE
olcRootDN: cn=admin,dc=tracteur91,dc=local
olcRootPW: {SSHA}ZtvvlHUQYloI17cv2/cjPFmx51+Ut/+5
olcSuffix: dc=tracteur91,dc=local
olcSyncrepl: {0}rid=003 provider="ldap://192.168.1.103" searchbase="dc=tracteur91,dc=local" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeout=30
olcSyncrepl: {1}rid=004 provider="ldap://192.168.1.104" searchbase="dc=tracteur91,dc=local" type=refreshAndPersist bindmethod=simple binddn="uid=syncrepl,dc=tracteur91,dc=local" credentials="Tr@cteur91" retry="30 +" network-timeout=5 timeout=30
dn: olcOverlay={0}syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: {0}syncprov
olcSpCheckpoint: 100 5
11 years, 8 months
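One way to check whether a restarted node has really caught up, as an added example that is not from the post or from OpenLDAP: each node publishes one contextCSN per serverID on the suffix entry (readable with `ldapsearch -s base -b dc=tracteur91,dc=local contextCSN` against each node), and a node that missed a change will still carry the older CSN for the originating serverID. The LDIF below is constructed to mirror the scenario above, with node2 lagging behind serverID 1.

```python
import re

# Constructed sample: what the contextCSN query might return on each node.
# serverID 1 made a change while node2 was down, so node2's contextCSN for
# SID 001 is still the older one, while SID 002 is identical on both.
NODE1_LDIF = """\
dn: dc=tracteur91,dc=local
contextCSN: 20120110093000.000000Z#000000#001#000000
contextCSN: 20120109170000.000000Z#000000#002#000000
"""
NODE2_LDIF = """\
dn: dc=tracteur91,dc=local
contextCSN: 20120109120000.000000Z#000000#001#000000
contextCSN: 20120109170000.000000Z#000000#002#000000
"""

# CSN layout: <UTC timestamp>#<change count>#<serverID>#<modifier number>
CSN_RE = re.compile(r'^\d{14}\.\d{6}Z#[0-9a-f]{6}#([0-9a-f]{3})#[0-9a-f]{6}$')


def parse_context_csns(ldif):
    """Map serverID (int) -> contextCSN string for an LDIF fragment of the suffix entry."""
    csns = {}
    for line in ldif.splitlines():
        if not line.lower().startswith('contextcsn:'):
            continue
        value = line.split(':', 1)[1].strip()
        match = CSN_RE.match(value)
        if not match:
            raise ValueError('malformed contextCSN: ' + value)
        csns[int(match.group(1), 16)] = value
    return csns


def compare_nodes(ldif_a, ldif_b):
    """Per serverID: 'in sync', 'a ahead', 'b ahead', or which node lacks it.
    CSNs sharing a SID are fixed-width and zero-padded, so string order is time order."""
    a, b = parse_context_csns(ldif_a), parse_context_csns(ldif_b)
    report = {}
    for sid in sorted(set(a) | set(b)):
        if sid not in a:
            report[sid] = 'missing on a'
        elif sid not in b:
            report[sid] = 'missing on b'
        elif a[sid] == b[sid]:
            report[sid] = 'in sync'
        else:
            report[sid] = 'a ahead' if a[sid] > b[sid] else 'b ahead'
    return report


def lagging_sids(ldif_a, ldif_b):
    """serverIDs whose changes node b has not yet received from node a."""
    return [sid for sid, state in compare_nodes(ldif_a, ldif_b).items()
            if state in ('a ahead', 'missing on b')]


if __name__ == '__main__':
    print(compare_nodes(NODE1_LDIF, NODE2_LDIF))   # {1: 'a ahead', 2: 'in sync'}
```

A SID that stays "ahead" on one node after a refresh completes is the symptom to investigate, since in a healthy MirrorMode pair every SID converges to the same CSN on both nodes.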
Changing schema OID values in cn=config
by Nick Milas
Hello,
In my config there is:
DN: cn={5}postfix,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: {5}postfix
olcAttributeTypes: {0}( 1.3.6.1.4.1.25260.1.000 NAME 'mailacceptinggeneralid' DESC 'Defines an address that we accept mail for' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {1}( 1.3.6.1.4.1.25260.1.001 NAME 'maildrop' DESC 'Defines the address mail goes to' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {2}( 1.3.6.1.4.1.25260.1.002 NAME 'mailacceptinguser' DESC 'Defines if this user accepts mail' EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
olcAttributeTypes: {3}( 1.3.6.1.4.1.25260.1.003 NAME 'aliasInactive' DESC 'A flag, for marking the alias as not in use' EQUALITY booleanMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 SINGLE-VALUE )
olcObjectClasses: {0}( 1.3.6.1.4.1.25260.1.1.100 NAME 'virtualaccount' DESC 'Holds mail info for a virtual account' STRUCTURAL MUST ( owner $ mailacceptinggeneralid $ maildrop $ cn ) MAY ( description $ aliasInactive ) )
olcObjectClasses: {1}( 1.3.6.1.4.1.25260.1.1.101 NAME 'maillist' DESC 'Virtual account for holding mailing list info' STRUCTURAL MUST ( mailacceptinggeneralid $ maildrop $ cn ) MAY ( owner $ description $ aliasInactive ) )
olcObjectClasses: {2}( 1.3.6.1.4.1.25260.1.1.102 NAME 'mailAccount' DESC 'Email account details' AUXILIARY MUST ( mailacceptinguser $ maildrop $ cn ) MAY ( mailacceptinggeneralid $ aliasInactive ) )
olcObjectClasses: {3}( 1.3.6.1.4.1.25260.1.1.105 NAME 'virtualbox' DESC 'Mailbox for system use' STRUCTURAL MUST ( owner $ mail $ uid $ cn ) MAY description )
When I try to change an attribute OID value, for example
1.3.6.1.4.1.25260.1.000 to 1.3.6.1.4.1.25260.1.0 (using a visual LDAP
client), then the server hangs and will not restart. (I had to restore
from backup and restart.)
What is the recommended way to do this change?
Thanks,
Nick
11 years, 9 months
Using NSS
by Braden McDaniel
I am trying to get OpenLDAP (2.4.24) working with NSS on Fedora 15. In
cn=config.ldif I have:
olcTLSCACertificatePath: /etc/pki/nssdb
olcTLSCertificateFile: endoframe
I have used certutil to create a self-signed certificate:
# certutil -d /etc/pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
endoframe Cu,Cu,Cu
But this doesn't appear to be working:
$ ldapsearch -H ldaps://rail -b dc=endoframe,dc=net -x -d1
ldap_url_parse_ext(ldaps://rail)
ldap_create
ldap_url_parse_ext(ldaps://rail:636/??base)
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP rail:636
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying ::1 636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 127.0.0.1:636
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_close_socket: 3
ldap_err2string
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
slapd is running:
# systemctl status slapd.service
slapd.service - LSB: starts and stopd OpenLDAP server daemon
Loaded: loaded (/etc/rc.d/init.d/slapd)
Active: active (running) since Wed, 05 Oct 2011 02:24:11 -0400; 3 weeks and 0 days ago
Main PID: 1429 (slapd)
CGroup: name=systemd:/system/slapd.service
└ 1429 /usr/sbin/slapd -h ldap:/// -u ldap
Any ideas of what I might be doing wrong, or where I should be looking
to debug this?
--
Braden McDaniel <braden(a)endoframe.com>
11 years, 9 months
Re: slapd-ldap as proxy to active directory
by Juan Miscaro
On 14 December 2011 17:44, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, December 14, 2011 3:40 PM -0500 Juan Miscaro
> <jmiscaro(a)gmail.com> wrote:
>> I would like to use the slapd-ldap backend as a proxy to Active
>> Directory (Windows Server 2008 R2).
>>
>> Firstly, AD can be queried directly:
> Does your local OpenLDAP have a schema file that defines the AD attributes
> you are using?
No. I read that since OpenLDAP 2.3 this was not necessary (I'm
running 2.4.25 on Ubuntu 11.10). I got my project from a tutorial [1]
where this all worked.
[1]: http://is.gd/dqM1Ts (see section "Using OpenLDAP 2.3 to Pass
Unknown Schema" on page 2)
--
/jm
11 years, 10 months
Issue with index in OpenLDAP?
by External Mathieu DEDECKER (CAMPUS)
Hi @All,
We have a performance problem with our OpenLDAP.
We think that we face a problem with the index of the database, and we
think that the problem can be resolved by tuning the config (but we are not sure).
We would like to be sure that our configuration is correct, in order to
confirm whether we are on the wrong track or not.
[Description]
We have an attribute (cardNumber) which is indexed.
When we request the indexed attribute (cardNumber) with an LDAP Client
(Ldapbrowser), we have either fast or very long response time.
For the long response time, the CPU of the server hits 100%.
For example:
Request1: cardnumber=2098001010034 (less than 1sec)
Request2: cardnumber=2090389917486 (nearly 20 sec).
By checking the hit ratio of the attribute, we can see that the cache is
correctly used (97%).
[Details]
- We are running on a VM with RedHat with 4 processors and 24 GB of RAM.
- The version of OpenLDAP is 2.4.16.
- We have 2,500,000 accounts.
[Attachment]
- 201111223_os.txt -> information about OS and hardware.
- openldap_version.txt -> information about the version of
OpenLDAP.
- 20111220_stats.txt -> information about index and performance.
- olcDatabase={1}hdb.ldif.txt -> information about hdb config.
Do not hesitate if you need some more information.
Thank you for your help (:
Mathieu
11 years, 11 months
Syncrepl problem
by Bram Cymet
Hi,
I have a syncrepl setup that I thought was working fine because whenever
I would change an attribute in an entry the changes would be reflected
in the slave.
Recently I noticed that if I remove an entry or add a new entry, that
will not get synced.
Any idea what would be going on?
Thanks,
--
Bram Cymet
Software Developer
Canadian Bank Note Co. Ltd.
613-608-9752
11 years, 11 months