openldap-technical May 2011

openldap-technical@openldap.org

91 participants
81 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Authenticate Mac OS X users against OpenLDAP on Debian
by Mi 07 Sep '11

07 Sep '11

We added a Mac to our network, and I would like the network users to be able to login with their existing credentials on our Debian openLDAP server. I configured the LDAP access on the Mac, and it can indeed see the users and groups from the openldap server. But when I try to login after clicking "Other...", the login window shakes around, and nothing happens. The server logs show the connection from the Mac and it's searches ( http://pastebin.com/MB2JswAa). (Logging is configured with Parse, Stats, Stats2, Sync. Is there something else I should add to logging that may be useful?) On the Mac, I didn't find anything looking helpful in the logs (http://pastebin.com/yRreFQrJ), but maybe I don't know what to look for. I found many instructions on the Internet which concentrate on mounting user homes from the server over NFS. This is NOT what we want. Users would be authenticated with openldap, but have their homes locally on the Mac, like normal users. I also saw many mentions of adding the apple schema, and I have done that. But maybe I now need to actually use parts of that schema in the user records? Thanks for any help...

3 3

autofs wild cards
by Collins, Cris 30 Jun '11

30 Jun '11

My auto.home has "* host:/export/&" for user directories. When I use the automount migration tool the * is changed to / and I get the error: adding new entry "cn=/,ou=auto.home,dc=domain,dc=com" ldapadd: Naming violation (64) additional info: value of naming attribute 'cn' is not present in entry Is there a way to get the wild card to work or do I need to enter each user instead of using a wild card? Thank you for your time.

2 1

Slapd 2.4 upgrade woes.
by ray klassen 06 Jun '11

06 Jun '11

I recently upgraded to debian squeeze and found that the slapd configuration had been completely revamped. It's now using the cn=config setup. I was authenticating against a locally replicated copy of my directory behind a firewall. I was using anonymous binding for my own purposes and I want to continue using it that way. I don't really want to enter into a prolonged discussion of why I shouldn't. I just want to know if there is a simple way of reconfiguring under the new regime so that it will work the same way it did before. Any Takers?

2 1

when use overlay translucent error
by daydayeat 03 Jun '11

03 Jun '11

openldap-2.4.23 man slapo-translucent says: If neither translucent_local nor translucent_remote are specified, the default behavior is to search the remote database with the complete search filter. If only translucent_local is specified, searches will only be run on the local database. Likewise, if only translu- cent_remote is specified, searches will only be run on the remote database. In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client. but when i test： local proxy conf: ####################################################### # Primary database definitions ####################################################### ###################################################### #databse bdb ##################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=test,dc=com" rootpw "123456" directory /usr/local/ldap/var/openldap-data index objectClass eq ###################################################### #overlays ###################################################### overlay translucent #translucent_remote street #translucent_local street uri ldap://remote:388 lastmod off idassert-bind bindmethod=simple binddn="cn=Manager,dc=test,dc=com" ###################################################### remote conf: ####################################################### # Primary database definitions ####################################################### database bdb suffix "dc=test,dc=com" rootdn "cn=Manager,dc=ec,dc=com" rootpw "123456" directory "/usr/local/ldap1/var/openldap-data" index objectClass eq ####################################################### remote database have a entry: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: remote and in the local database change the street value: # 111, GF3, ec.com dn: o=111,o=GF3,dc=test,dc=com objectClass: organization o: 111 street: local then change the value "translucent_remote and translucent_local" in the local proxy conf。Do search in local: 1 set "translucent_local street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" the result is: # extended LDIF # # LDAPv3 # base <dc=test,dc=com> with scope subtree # filter: street=local # requesting: ALL # # 111, GF3, ec.com dn: o=111,o=GF3,dc=ec,dc=com objectClass: organization o: 111 street: local It is right. 2 set "translucent_remote street" "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why? 3 do not set any "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=local" have no result. "ldapsearch -D "cn=Manager,dc=test,dc=com" -x -w 123456 -b "dc=test,dc=com" street=remote" have no result why?

2 1

Authenticate with smartcard or other certificate
by Thomas Gäbler 03 Jun '11

03 Jun '11

Hi @ all, is it possible, to authenticate with any kind of certificate (smartcard, softwaretoken, ...)? Now, I have the following solution: I have an additional attribute for the serialNumber of the certificate stored in the ldap-entry. If a user will auth with certificate, i search for all entries, where the serial-attribute match. for the matching entries i read the certificate from ldap and check the public key. but for an other implementation i need a possibility to auth directly with certificate. Any idea? Thanks for help! procilon IT-Solutions GmbH Leipziger Stra�e 110 04425 Taucha bei Leipzig tel: +49 34298 4878-10 fax: +49 34298 4878-11 www.procilon.de Sitz der Gesellschaft: Leipziger Stra�e 110, 04425 Taucha bei Leipzig Amtsgericht Leipzig HRB 18003 , Gesch�ftsf�hrer Steffen Scholz Diese E-Mail kann Betriebs- oder Gesch�ftsgeheimnisse oder sonstige vertrauliche Informationen enthalten. Sollten Sie diese E-Mail irrt�mlich erhalten haben, ist Ihnen eine Kenntnisnahme des Inhalts, eine Vervielf�ltigung oder Weitergabe der E-Mail ausdr�cklich untersagt. Bitte benachrichtigen Sie uns und vernichten Sie die empfangene E-Mail. Vielen Dank. This e-mail may contain trade secrets or privileged, undisclosed, or otherwise confidential information. If you have received this e-mail in error, you are hereby notified that any review, copying, or distribution of it is strictly prohibited. Please inform us immediately and destroy the original transmittal. Thank you for your cooperation.

2 1

OpenLDAP search filters
by Anita Luca 03 Jun '11

03 Jun '11

Hello all, I need to replace the standard AD filters with OpenLDAP filters. Basically, I assume that what changes is the value of the property (e.g. objectType=user might become objectType=person or any other value, not sure what OpenLDAP works with). Below the queries on AD: User search filter: (objectClass=user) User attribute: sAMAccountName User browse filter: (|(objectClass=user)(objectClass=organizationalUnit)) Group search filter: (objectClass=group) Group attribute: member Group browse filter: (|(objectClass=group)(objectClass=organizationalUnit)) User member of attribute: memberOf OU search filter: (objectClass=organizationalUnit) Hope you can help with a suggestion, or at least a list of properties and values for objects, where I could search. Thanks, Anita Luca

3 3

Client expects response to change-password extended operation
by Michael Smith 01 Jun '11

01 Jun '11

I noted some old correspondence about this topic in the mailing-list archives, but now it has bitten me. We have an email server in my shop (from Mirapoint) which offers users an option to change their password. It sends the password-modify extended operation, but the user's session hangs, apparently unless Mirapoint gets a response. I understand that this is non-standard behavior. But unfortunately I'm stuck with this not-very-satisfactory product. Is there any way I can tweak openLDAP to respond to the password-modify ex-op? -- -- Michael J. Smith mjs(a)smithbowen.net http://stopmebeforeivoteagain.org http://www.cars-suck.org http://fakesprogress.blogspot.com

3 2

slapo-rwm to change userPassword attribute into a string
by Lucio Capuani 01 Jun '11

01 Jun '11

That is, in OpenLDAP the userPassword attribute is binary, even when its content is cleartext. I would need to have an extra attribute of "String" type, containing that very password. Is it possible to achieve this by using slapo-rmw (or maybe translucent?), by creating a view that "offers" that "fake" string attribute, rather than being forced to duplicate the real source attribute into a second one, only differently encoded? Thank you so much, -- Lucio

1 1

Should Berkeley DB backends be reloaded occasionally?
by Mark 01 Jun '11

01 Jun '11

Back in the days of OpenLDAP 2.1 with Berkeley DB 4.1.25.3 we used to have to 'reload' out backend database occasionally as non-indexed reads would get slower and slower over time. The 'reload' entailed: - stop slapd - slapcat the contents to an .ldif file - remove the database files - slapadd the .ldif file to create a new, fresh db instance - start slapd Then our performance problems went away. Re-indexing didn't do the trick. Is such occasional re-building of the backend database recommended in OpenLDAP 2.4.25 with Berkeley DB 4.8.30? Thank you, Mark

4 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2011