openldap-technical June 2011

openldap-technical@openldap.org

80 participants
92 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Loading LDAP schema files into cn=config
by Mark Cave-Ayland 19 Oct '11

19 Oct '11

Hi all, Having started to look at the changes required to migrate from a slapd.conf setup to a cn=config setup, one of things I'm struggling with is how to load new LDAP schemas into cn=config. I've seen the guides similar to this one here: http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html which suggest hacking together a temporary slapd.conf file containing just the include directives, run slaptest, and then hack the output so that it can be loaded into cn=config using ldapadd. Given that this is a quite a common task, is there no way of generating the LDIF directly to be loaded into the directory, e.g. slaptest -s /etc/ldap/schema/myschema.schema [ -n <schemanum> ] -l myschema.ldif Or then again, is this functionality already there but I just haven't managed to find it yet? I'd be grateful if someone could point me in the right direction and/or give me some hints as to the best way to manage schemas in the new regime. Many thanks, Mark. -- Mark Cave-Ayland - Senior Technical Architect PostgreSQL - PostGIS Sirius Corporation plc - control through freedom http://www.siriusit.co.uk t: +44 870 608 0063 Sirius Labs: http://www.siriusit.co.uk/labs

13 49

Authenticate Mac OS X users against OpenLDAP on Debian
by Mi 07 Sep '11

07 Sep '11

We added a Mac to our network, and I would like the network users to be able to login with their existing credentials on our Debian openLDAP server. I configured the LDAP access on the Mac, and it can indeed see the users and groups from the openldap server. But when I try to login after clicking "Other...", the login window shakes around, and nothing happens. The server logs show the connection from the Mac and it's searches ( http://pastebin.com/MB2JswAa). (Logging is configured with Parse, Stats, Stats2, Sync. Is there something else I should add to logging that may be useful?) On the Mac, I didn't find anything looking helpful in the logs (http://pastebin.com/yRreFQrJ), but maybe I don't know what to look for. I found many instructions on the Internet which concentrate on mounting user homes from the server over NFS. This is NOT what we want. Users would be authenticated with openldap, but have their homes locally on the Mac, like normal users. I also saw many mentions of adding the apple schema, and I have done that. But maybe I now need to actually use parts of that schema in the user records? Thanks for any help...

3 3

Re: access
by Friedrich Locke 06 Jul '11

06 Jul '11

How may i know i setted SASL/GSSAPI correctly ? Here is how i executed saslauthd: saslauthd -a kerberos5 -cd -t 60 -n 2 -s 128 Here is a test: sioux@gustav$ testsaslauthd -u sioux -p XYZ 0: OK "Success." sioux@gustav$ Is there something more i need to do ? Thanks. On Tue, Jun 28, 2011 at 3:04 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, June 28, 2011 3:02 PM -0300 Friedrich Locke > <friedrich.locke(a)gmail.com> wrote: > >> Sorry folks, >> >> please forgive me, i forgot to let you know i am using kerberos >> (SASL); so i bind via sasl mechanism not as the dn owned by me. >> >> Thanks once more for your help. > > If you have correctly set up SASL/GSSAPI, then when someone binds, they are > mapped to their DN in the database, and the access rules I reported would > work correclty. > > --Quanah > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

4 5

RE: allow or deny certain user access to certain hosts
by ldap＠mm.st 06 Jul '11

06 Jul '11

On Sat, 18 Jun 2011 22:13 -0700, "Hai Tao" <taoh666(a)hotmail.com> wrote: > > Yes, I tried to add a host attribute, but I got object class violation > error. Any idea? > > > Thanks. > > Hai Tao > > > Did you ever resolve this? You don't mention which OS you are using, but in standard RH5 you can do try this. 1. Install nss_ldap 2. copy /usr/share/doc/nss_ldap-253/ldapns.schema /etc/openldap/schema/ldapns.schema This will provide the hostObject objectClass 3. In slapd.conf include /etc/openldap/schema/ldapns.schema 4. In a users ldap record add objectClass: hostObject 5. In the users ldap record add host: hostname 6. Modify the hosts ldap.conf file: pam_check_host_attr yes Doing this from memory, but I think that should be enough to get what you want to work on a RH5 system. RH6 uses some different files on the host. BTW, you can also use the account objectClass to provide the host attribute, but my guess is that it will most likely conflict with another structural object class.

1 1

server side sorting
by Chris Card 05 Jul '11

05 Jul '11

Hi, this FAQ http://www.openldap.org/faq/data/cache/649.html says that openldap 2.3 doesn't support Server Side Sorting (RFC 2891). Looking at openldap 2.4.23, it seems that Server Side Sorting is now supported - is this documented somewhere? Chris

7 21

slapd "vs." db_archive
by Peter Palmreuther 04 Jul '11

04 Jul '11

Hello, I tried to use 'db_archive' to figure, which of those many log.* files already accumulated I can safely remove. Unluckily it didn't print any name, albeit there're 170 file and according to 'fuser log.*' only the last one is held open by a process (the slapd one). After restarting slapd db_archive prints 169 file names, to be precise all but the last. So it seems slapd keeps used BDB in a state it does not release the logs for archival and removal. I assume it's me that has to configure slapd or BDB environment appropriately, but unluckily I don't know which setting would have the desired effect. Any help on this? I tried to find something in Admin Guide and man pages, but I must have missed it. I only saw auto remove settings, which is not what I was out for ... I want to remove by myself, after keeping a backup for recovery. I'm using OpenLDAP 2.4.20 compiled against Berkeley 4.7. Thank for any help, and regards, Peter

2 3

cn=config completely replacing slapd.conf
by David N. Blank-Edelman 01 Jul '11

01 Jul '11

(taking this to a new thread) Sorry for such a vague question, but my (perhaps failing) memory is once upon a time there were still certain backends or overlays that couldn't yet be configured via cn=config and had to be specified in slapd.conf. Has 2.4 has already cleared up all of those legacy configuration requirements or is that a 2.5 goal? Thanks! -- dNb

5 5

How to configure OpenLdap Client to work with Windows Active Directory
by yen nguyen 30 Jun '11

30 Jun '11

Hi, Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/software I need to do on the client side? On my Client system, I have Windows openldap client tools (ldapsearch ....etc). My Server system has Windows AD running. I was able to use Simple Authentication and it worked. ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com" -x I know Windows 2008 AD support GSSAPI. ldapsearch -H ldap://MPSD-EB01T3/ -xLLL -s base -b "" supportedSASLMechanisms dn: supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: GSS-SPNEGO supportedSASLMechanisms: EXTERNAL supportedSASLMechanisms: DIGEST-MD5 Now I tried to use GSSAPI and it failed. Is there anything special setting I need to do on the client side to make it work? ldapsearch -H ldap://MPSD-EB01T3/ -b "cn=user1,dc=test,dc=com" -W -U user1 -Y GSSAPI -d 3 ldap_url_parse_ext(ldap://MPSD-EB01T3/) ldap_create ldap_url_parse_ext(ldap://MPSD-EB01T3:389/??base) ldap_sasl_interactive_bind_s: user selected: GSSAPI ldap_int_sasl_bind: GSSAPI ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP MPSD-EB01T3:389 ldap_new_socket: 392 ldap_prepare_socket: 392 ldap_connect_to_host: Trying 192.168.1.30:389 ldap_pvt_connect: fd: 392 tm: -1 async: 0 ldap_int_sasl_open: host=MPSD-EB01T3 ldap_err2string ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: Unable to find a calback: 2

3 3

simple binds
by Friedrich Locke 30 Jun '11

30 Jun '11

Is it possible to perform simple binds but looking up the entry's password in a kerberos server? Thanks in advance.

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2011