Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by search() for every entry as it arrives
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry from the result so memory does not grow
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],    # VLV must be sent together with a sort control
);
my $mesg = $ldap->search( @args );

# Get VLV response control -- this is line 50 of vlv.pl, where the script dies
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years
Loading LDAP schema files into cn=config
by Mark Cave-Ayland
Hi all,
Having started to look at the changes required to migrate from a
slapd.conf setup to a cn=config setup, one of the things I'm struggling with
is how to load new LDAP schemas into cn=config.
I've seen the guides similar to this one here:
http://blogger.ziesemer.com/2011/01/ldap-authentication-for-samba.html
which suggest hacking together a temporary slapd.conf file containing
just the include directives, run slaptest, and then hack the output so
that it can be loaded into cn=config using ldapadd.
Given that this is quite a common task, is there no way of generating
the LDIF directly to be loaded into the directory, e.g.
slaptest -s /etc/ldap/schema/myschema.schema [ -n <schemanum> ] -l
myschema.ldif
Or then again, is this functionality already there but I just haven't
managed to find it yet? I'd be grateful if someone could point me in the
right direction and/or give me some hints as to the best way to manage
schemas in the new regime.
Many thanks,
Mark.
--
Mark Cave-Ayland - Senior Technical Architect
PostgreSQL - PostGIS
Sirius Corporation plc - control through freedom
http://www.siriusit.co.uk
t: +44 870 608 0063
Sirius Labs: http://www.siriusit.co.uk/labs
11 years, 7 months
Authenticate Mac OS X users against OpenLDAP on Debian
by Mi
We added a Mac to our network, and I would like the network users to be able to log in with their existing credentials on our Debian OpenLDAP server.
I configured the LDAP access on the Mac, and it can indeed see the users and groups from the OpenLDAP server. But when I try to log in after clicking "Other...", the login window shakes around, and nothing happens.
The server logs show the connection from the Mac and its searches (http://pastebin.com/MB2JswAa).
(Logging is configured with Parse, Stats, Stats2, Sync. Is there something else I should add to logging that may be useful?)
On the Mac, I didn't find anything looking helpful in the logs (http://pastebin.com/yRreFQrJ), but maybe I don't know what to look for.
I found many instructions on the Internet which concentrate on mounting user homes from the server over NFS. This is NOT what we want. Users would be authenticated with openldap, but have their homes locally on the Mac, like normal users.
I also saw many mentions of adding the apple schema, and I have done that. But maybe I now need to actually use parts of that schema in the user records?
Thanks for any help...
11 years, 9 months
Re: access
by Friedrich Locke
How may I know I set up SASL/GSSAPI correctly?
Here is how I executed saslauthd:
saslauthd -a kerberos5 -cd -t 60 -n 2 -s 128
Here is a test:
sioux@gustav$ testsaslauthd -u sioux -p XYZ
0: OK "Success."
sioux@gustav$
Is there something more I need to do?
Thanks.
On Tue, Jun 28, 2011 at 3:04 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, June 28, 2011 3:02 PM -0300 Friedrich Locke
> <friedrich.locke(a)gmail.com> wrote:
>
>> Sorry folks,
>>
>> please forgive me, I forgot to let you know I am using Kerberos
>> (SASL); so I bind via the SASL mechanism, not as the DN owned by me.
>>
>> Thanks once more for your help.
>
> If you have correctly set up SASL/GSSAPI, then when someone binds, they are
> mapped to their DN in the database, and the access rules I reported would
> work correctly.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 11 months
RE: allow or deny certain user access to certain hosts
by ldap@mm.st
On Sat, 18 Jun 2011 22:13 -0700, "Hai Tao" <taoh666(a)hotmail.com> wrote:
>
> Yes, I tried to add a host attribute, but I got object class violation
> error. Any idea?
>
>
> Thanks.
>
> Hai Tao
>
>
>
Did you ever resolve this? You don't mention which OS you are using,
but in standard RH5 you can try this.
1. Install nss_ldap
2. Copy /usr/share/doc/nss_ldap-253/ldapns.schema to
   /etc/openldap/schema/ldapns.schema
   This will provide the hostObject objectClass
3. In slapd.conf:
   include /etc/openldap/schema/ldapns.schema
4. In a user's LDAP record add
   objectClass: hostObject
5. In the user's LDAP record add
   host: hostname
6. Modify the host's ldap.conf file:
   pam_check_host_attr yes
Doing this from memory, but I think that should be enough to get what
you want to work on a RH5 system. RH6 uses some different files on the
host. BTW, you can also use the account objectClass to provide the host
attribute, but my guess is that it will most likely conflict with
another structural object class.
11 years, 11 months
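Two of the threads above touch the same ground: Mark's question about generating cn=config LDIF directly from a .schema file, and the reply above, which needs the host attribute to be permitted by an objectClass (hostObject, which is AUXILIARY) and notes that account, being STRUCTURAL, will clash with another structural class. The following Python script is an added example, not code from either poster or from the OpenLDAP project. It converts a slapd.conf-style schema file into an olcSchemaConfig entry that ldapadd can load, and reproduces in simplified form the two checks behind slapd's "object class violation": at most one chain of STRUCTURAL classes per entry, and every attribute allowed by some class in the entry. The schema it parses is constructed for the example, its OIDs are placeholders, and it does not expand objectidentifier macros.

```python
import re

# Constructed sample schema in slapd.conf syntax: 'host', 'hostObject' and 'account' are modelled
# on nss_ldap's ldapns.schema and cosine.schema (placeholder OIDs); person/inetOrgPerson are cut down.
SAMPLE_SCHEMA = """\
# example.schema (constructed)
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'host'
        DESC 'host computer the entry is allowed to log in to'
        EQUALITY caseIgnoreIA5Match
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'top' ABSTRACT )
objectclass ( 1.3.6.1.4.1.99999.2.2 NAME 'person' SUP top STRUCTURAL
        MUST ( sn $ cn ) )
objectclass ( 1.3.6.1.4.1.99999.2.3 NAME 'inetOrgPerson' SUP person STRUCTURAL
        MAY ( uid $ mail ) )
objectclass ( 1.3.6.1.4.1.99999.2.4 NAME 'hostObject'
        SUP top AUXILIARY
        MAY host )
objectclass ( 1.3.6.1.4.1.99999.2.5 NAME 'account' SUP top STRUCTURAL
        MUST uid
        MAY host )
"""

DIRECTIVES = {"attributetype": "olcAttributeTypes", "objectclass": "olcObjectClasses"}
KINDS = ("ABSTRACT", "STRUCTURAL", "AUXILIARY")

def parse_schema(text):
    """[(directive, definition)] with comments dropped and indented continuation lines joined."""
    defs = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and defs:      # an indented line continues the previous definition
            defs[-1][1] += " " + raw.strip()
            continue
        m = re.match(r"(\w+)\s+(.*)", raw.strip())
        if not m or m.group(1).lower() not in DIRECTIVES:   # e.g. objectidentifier macros
            raise ValueError(f"unsupported directive: {raw.strip()}")
        defs.append([m.group(1).lower(), m.group(2).strip()])
    return [(d, re.sub(r"\s+", " ", body)) for d, body in defs]

def fold(line, width=76):
    """LDIF line folding (RFC 2849): continuation lines start with one space."""
    chunks = [line[:width]] + [" " + line[i:i + width - 1] for i in range(width, len(line), width - 1)]
    return "\n".join(chunks)

def to_ldif(text, name):
    """The cn=config entry to feed ldapadd; attribute types precede the classes that use them."""
    lines = [f"dn: cn={name},cn=schema,cn=config", "objectClass: olcSchemaConfig", f"cn: {name}"]
    defs = parse_schema(text)
    for directive in ("attributetype", "objectclass"):
        lines += [fold(f"{DIRECTIVES[d]}: {body}") for d, body in defs if d == directive]
    return "\n".join(lines) + "\n"

def _names(body, keyword):
    """Names after KEYWORD: one token or a '( a $ b )' list, quotes stripped, lower-cased."""
    m = re.search(rf"\b{keyword}\s+(\(([^)]*)\)|(\S+))", body)
    return [n.strip("'").lower() for n in (m.group(2) or m.group(3)).replace("$", " ").split()] if m else []

def object_classes(text):
    """Map lower-cased class name -> kind, SUP, MUST and MAY as parsed from the schema."""
    classes = {}
    for directive, body in parse_schema(text):
        if directive == "objectclass":
            kind = next((k for k in KINDS if re.search(rf"\b{k}\b", body)), "STRUCTURAL")  # RFC 4512 default
            for name in _names(body, "NAME"):
                classes[name] = {"kind": kind, "sup": _names(body, "SUP"),
                                 "must": _names(body, "MUST"), "may": _names(body, "MAY")}
    return classes

def _chain(name, classes):
    """The class plus every superior reachable through SUP (lower-cased, no duplicates)."""
    seen, todo = [], [name.lower()]
    while todo:
        c = todo.pop()
        if c not in seen:
            seen.append(c)
            todo.extend(classes.get(c, {}).get("sup", []))
    return seen

def check_entry(entry_classes, attributes, classes):
    """Simplified form of what slapd checks before answering objectClassViolation."""
    problems, attrs = [], {a.lower() for a in attributes}
    chains = {c: _chain(c, classes) for c in entry_classes}
    structural = [c for c in entry_classes if classes.get(c.lower(), {}).get("kind") == "STRUCTURAL"]
    # Two STRUCTURAL classes may only share an entry when one is a superior of the other.
    for i, a in enumerate(structural):
        for b in structural[i + 1:]:
            if a.lower() not in chains[b] and b.lower() not in chains[a]:
                problems.append(f"structural classes {a} and {b} are not in one chain")
    spec = {anc: classes.get(anc, {"must": [], "may": []}) for c in entry_classes for anc in chains[c]}
    allowed = {n for s in spec.values() for n in s["must"] + s["may"]}
    problems += [f"attribute {a} is not allowed by the entry's object classes"
                 for a in attributes if a.lower() not in allowed]
    problems += [f"attribute {m} required by {anc} is missing"
                 for anc, s in spec.items() for m in s["must"] if m not in attrs]
    return problems
```

Run it with `print(to_ldif(SAMPLE_SCHEMA, "example"))` to see the entry, then `ldapadd -Y EXTERNAL -H ldapi:/// -f example.ldif` is the usual way to load it. `check_entry(["inetOrgPerson"], ["cn", "sn", "host"], object_classes(SAMPLE_SCHEMA))` reports that host is not allowed, which is the violation the earlier poster hit before adding hostObject; adding account instead of hostObject passes the attribute check but fails on the second structural class.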
slapd "vs." db_archive
by Peter Palmreuther
Hello,
I tried to use 'db_archive' to figure out which of the many log.* files that have already accumulated I can safely remove.
Unluckily it didn't print any name, albeit there are 170 files and according to 'fuser log.*' only the last one is
held open by a process (the slapd one).
After restarting slapd, db_archive prints 169 file names, to be precise all but the last.
So it seems slapd keeps the BDB in a state in which it does not release the logs for archival and removal.
I assume it's me that has to configure slapd or the BDB environment appropriately, but unluckily I don't know which
setting would have the desired effect.
Any help on this? I tried to find something in the Admin Guide and man pages, but I must have missed it.
I only saw auto-remove settings, which is not what I was out for ... I want to remove them by myself, after keeping a backup for recovery.
I'm using OpenLDAP 2.4.20 compiled against Berkeley 4.7.
Thanks for any help,
and regards,
Peter
11 years, 11 months
cn=config completely replacing slapd.conf
by David N. Blank-Edelman
(taking this to a new thread)
Sorry for such a vague question, but my (perhaps failing) memory is that once
upon a time there were still certain backends or overlays that couldn't
yet be configured via cn=config and had to be specified in slapd.conf.
Has 2.4 already cleared up all of those legacy configuration
requirements, or is that a 2.5 goal? Thanks!
-- dNb
11 years, 11 months
How to configure OpenLdap Client to work with Windows Active Directory
by yen nguyen
Hi,
Can ldapsearch work with Windows AD via GSSAPI? Is there any special setting/software I need on the client side?
On my client system, I have the Windows OpenLDAP client tools (ldapsearch, etc.). My server system has Windows AD running.
I was able to use simple authentication and it worked.
ldapsearch.exe -H ldap://MPSD-EB01T3/ -b "dc=test,dc=com" -x
I know Windows 2008 AD supports GSSAPI.
ldapsearch -H ldap://MPSD-EB01T3/ -xLLL -s base -b "" supportedSASLMechanisms
dn:
supportedSASLMechanisms: GSSAPI
supportedSASLMechanisms: GSS-SPNEGO
supportedSASLMechanisms: EXTERNAL
supportedSASLMechanisms: DIGEST-MD5
Now I tried to use GSSAPI and it failed. Is there any special setting I need to do on the client side to make it work?
ldapsearch -H ldap://MPSD-EB01T3/ -b "cn=user1,dc=test,dc=com" -W -U user1 -Y GSSAPI -d 3
ldap_url_parse_ext(ldap://MPSD-EB01T3/)
ldap_create
ldap_url_parse_ext(ldap://MPSD-EB01T3:389/??base)
ldap_sasl_interactive_bind_s: user selected: GSSAPI
ldap_int_sasl_bind: GSSAPI
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP MPSD-EB01T3:389
ldap_new_socket: 392
ldap_prepare_socket: 392
ldap_connect_to_host: Trying 192.168.1.30:389
ldap_pvt_connect: fd: 392 tm: -1 async: 0
ldap_int_sasl_open: host=MPSD-EB01T3
ldap_err2string
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available: Unable to find a calback: 2
11 years, 11 months
simple binds
by Friedrich Locke
Is it possible to perform simple binds but looking up the entry's
password in a kerberos server?
Thanks in advance.
11 years, 11 months