Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a
search, I want some limited number of entries from the search result,
and for this (searching) process I am using the Net::LDAP::Control::VLV
module. But I get an error on the VLV response control. Does anyone
have an idea about this error?
Error: Died at vlv.pl line 50,
This is my example. I have marked line 50 (with a comment, below).
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    if ( !defined($entry) ) {
        return;
    }
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        #printf("\t%s: %s\n", $attr, $entry->get_value($attr));
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        #print $attr.":". $entry->get_value($attr)."\n";
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" );
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,    # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # line 50: this is the statement that dies
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
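A first thing to check for the error above, as an added example that is not part of the original post: OpenLDAP only advertises the VLV request control (2.16.840.1.113730.3.4.9) and the server-side sort control (1.2.840.113556.1.4.473) when the sssvlv overlay is loaded. Net::LDAP sends controls as non-critical unless told otherwise, so a server without that overlay silently ignores the VLV control and returns no VLV response control; `$mesg->control( LDAP_CONTROL_VLVRESPONSE )` then yields an empty list and the bare `or die` fires with exactly the message shown. The script below reads the rootDSE with ldapsearch and reports whether both controls are advertised. The two rootDSE samples inside it are constructed, and the server URI is an assumption.

```shell
#!/bin/sh
# Added example (not from the original post): check whether a server
# advertises the controls that Net::LDAP::Control::VLV depends on.
# A non-critical control the server does not know is ignored, which leaves
# the search result without a VLV response control.

VLV_REQUEST_OID='2.16.840.1.113730.3.4.9'   # VLV request control
SSS_REQUEST_OID='1.2.840.113556.1.4.473'    # RFC 2891 server-side sort request

# has_control LDIF OID -> exit 0 if the rootDSE LDIF lists OID as supportedControl
has_control() {
    printf '%s\n' "$1" | grep -q "^supportedControl: $2\$"
}

# fetch_rootdse URI -> the rootDSE's supportedControl values as LDIF
fetch_rootdse() {
    ldapsearch -LLL -x -H "$1" -s base -b '' supportedControl
}

# check_vlv_support LDIF -> exit 0 if both controls are present, 1 otherwise
check_vlv_support() {
    rc=0
    for oid in "$VLV_REQUEST_OID" "$SSS_REQUEST_OID"; do
        if has_control "$1" "$oid"; then
            echo "supported: $oid"
        else
            echo "MISSING:   $oid (load slapo-sssvlv on the server)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a slapd without slapo-sssvlv (sync, proxyauthz and
# paged results controls only)
SAMPLE_WITHOUT_SSSVLV='dn:
supportedControl: 1.3.6.1.4.1.4203.1.9.1.1
supportedControl: 2.16.840.1.113730.3.4.18
supportedControl: 1.2.840.113556.1.4.319'

# Constructed sample: the same server with the overlay loaded
SAMPLE_WITH_SSSVLV="$SAMPLE_WITHOUT_SSSVLV
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9"

if [ "$1" = "--live" ]; then
    # e.g. ./vlvcheck.sh --live ldap://localhost/
    check_vlv_support "$(fetch_rootdse "${2:-ldap://localhost/}")"
else
    check_vlv_support "$SAMPLE_WITHOUT_SSSVLV" \
        || echo "a VLV search against this server would return no response control"
fi
```

Run it with `--live ldap://host/` to query a real server. The same request can also be reproduced without Perl, since ldapsearch can send both controls itself (`-E sss=cn -E 'vlv=0/19/1/0'`); prefixing either with `!` makes it critical, so an unsupporting server answers with "critical extension is unavailable" instead of quietly dropping it.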
7 years, 6 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
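The RFC 4226 algorithm the post refers to, as an added example that is not part of the original post and is not dynalogin's code: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^d, written in POSIX sh on top of the openssl command-line tool, together with the look-ahead verification the RFC describes for the server side (the window size is an assumption). The key and the expected values are the RFC's own Appendix D test vectors.

```shell
#!/bin/sh
# Added example (not from the original post or from dynalogin):
# HOTP per RFC 4226, using openssl for HMAC-SHA-1.
# hotp HEXKEY COUNTER [DIGITS] -> prints the zero-padded HOTP value

hotp() {
    key_hex=$1
    counter=$2
    digits=${3:-6}

    # Step 1: the moving factor C is the 8-byte big-endian counter.
    # Build it as octal escapes so a plain POSIX printf can emit the bytes.
    bytes=''
    c=$counter
    i=0
    while [ "$i" -lt 8 ]; do
        bytes=$(printf '\\%03o' $((c & 255)))$bytes
        c=$((c >> 8))
        i=$((i + 1))
    done

    # Step 2: HS = HMAC-SHA-1(K, C), 20 bytes, as 40 hex digits.
    hs=$(printf "$bytes" | openssl dgst -sha1 -mac HMAC -macopt "hexkey:$key_hex" | sed 's/.*= //')

    # Step 3: dynamic truncation. offset = low 4 bits of the last byte;
    # take the 4 bytes starting there and clear the top bit.
    last=$(printf '%s' "$hs" | cut -c40)
    offset=$((0x$last & 15))
    start=$((2 * offset + 1))
    word=$(printf '%s' "$hs" | cut -c"$start"-"$((start + 7))")
    snum=$((0x$word & 0x7fffffff))

    # Step 4: reduce modulo 10^digits and zero-pad.
    mod=1
    i=0
    while [ "$i" -lt "$digits" ]; do
        mod=$((mod * 10))
        i=$((i + 1))
    done
    printf "%0${digits}d\n" $((snum % mod))
}

# RFC 4226 Appendix D test secret: the ASCII string "12345678901234567890".
RFC4226_KEY_HEX='3132333435363738393031323334353637383930'

# Server-side check: accept CODE if it matches the stored counter or one of
# the next WINDOW counters (the token may have produced codes that never
# reached the server), and print the counter to store afterwards, which is
# one past the matched one so the same code cannot be replayed.
# hotp_verify HEXKEY STORED_COUNTER CODE [WINDOW] -> exit 0 and print the new counter, or exit 1
hotp_verify() {
    k=$1; ctr=$2; code=$3; window=${4:-5}   # window of 5 is an assumption
    n=0
    while [ "$n" -le "$window" ]; do
        if [ "$(hotp "$k" $((ctr + n)))" = "$code" ]; then
            echo $((ctr + n + 1))
            return 0
        fi
        n=$((n + 1))
    done
    return 1
}

hotp "$RFC4226_KEY_HEX" 0    # RFC 4226 test vector for counter 0: 755224
```

The verifier must persist the returned counter before it answers the client: if it does not, the same code is accepted again until the window moves, which is the replay the counter exists to prevent.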
8 years, 5 months
trouble with slapo-pcache
by btb@bitrate.net
hi-
i'm having a few different issues with slapo-pcache. i did a bit of searching in the ITS and did not find any items which seemed to match my symptoms. i'm using 2.4.31, on ubuntu 12.10.
the first is that i seem to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to the config entry. i was able to add the first one using ldapadd, but subsequent modify operations to add another complain "no equality matching rule":
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(uid=)" 0 3600
>cat template.ldif
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
changetype: modify
add: olcPcacheTemplate
olcPcacheTemplate: "(cn=)" 0 3600
>ldapadd -ZZxWH 'ldap://localhost/' -D 'cn=config' -f template.ldif
Enter LDAP Password:
modifying entry "olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 STARTTLS
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:32916 (IP=0.0.0.0:389)
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 TLS established tls_ssf=128 ssf=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" method=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" mech=SIMPLE ssf=0
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 29 20:01:32 dsa1 slapd[8250]: connection_input: conn=1003 deferring operation: binding
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD dn="olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD attr=olcPcacheTemplate
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 RESULT tag=103 err=18 text=modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=3 UNBIND
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 fd=12 closed
adding the attribute "manually" [e.g. slapcat, modify ldif, slapadd] seems to be fine:
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectclass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
my second problem is with caching when slapo-nssov is involved. it appears to not cache [QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE] when a query occurs via nss:
>getent passwd flash
flash:x:2013:2013:flash gordon:/home/flash:/bin/bash
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: 11r
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: daemon: read active on 11
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11)
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11): got connid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov: connection from uid=0 gid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov_passwd_byname(flash)
Oct 31 08:42:15 deepfield slapd[12862]: str2filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: AND
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT ANSWERABLE
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT CACHEABLE
Oct 31 08:42:15 deepfield slapd[12862]: =>ldap_back_getconn: conn 0xb51f8ee8 fetched refcnt=1.
Oct 31 08:42:15 deepfield slapd[12862]: => ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: <= ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" (0)
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: conn=-1 op=0 p=0
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
although i believe i have a matching query template defined in the config:
dn: olcDatabase={2}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=net
olcLastMod: TRUE
olcReadOnly: TRUE
olcRootDN: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net
olcMonitoring: TRUE
olcDbURI: ldap://dsa1.example.net/
olcDbStartTLS: start tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbACLBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" starttls="critical" tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbIDAssertBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx"
structuralObjectClass: olcLDAPConfig
entryUUID: f24e435a-b35a-1031-8f37-336141b7bc90
creatorsName: cn=config
createTimestamp: 20121026014812Z
entryCSN: 20121031023501.089672Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031023501Z
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectClass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 3600
olcPcacheBind: "(uid=)" 0 60 "sub" "dc=example,dc=net"
structuralObjectClass: olcPcacheConfig
entryUUID: ddb05d7e-b4fa-1031-811e-353e11fff366
creatorsName: cn=config
createTimestamp: 20121028032528Z
entryCSN: 20121030002115.179177Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121030002115Z
dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheDatabase
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/ldap/example.net/
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcDbNoSync: FALSE
olcDbIndex: certfingerprint eq
olcDbIndex: cn eq
olcDbIndex: default eq
olcDbIndex: description eq
olcDbIndex: entrycsn eq
olcDbIndex: entryuuid eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: host eq
olcDbIndex: iphostnumber eq
olcDbIndex: ipserviceport eq
olcDbIndex: ipserviceprotocol eq
olcDbIndex: mail eq
olcDbIndex: maillocaladdress eq
olcDbIndex: member eq
olcDbIndex: memberof eq
olcDbIndex: memberuid eq
olcDbIndex: objectclass eq
olcDbIndex: rfc822mailmember eq
olcDbIndex: sudoUser eq
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidnumber pres,eq
olcDbMode: 0600
olcDbSearchStack: 16
structuralObjectClass: olcMdbConfig
entryUUID: 88b37716-b590-1031-8c75-439de7087923
creatorsName: cn=config
createTimestamp: 20121028211650Z
entryCSN: 20121029021315.039143Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121029021315Z
dn: olcOverlay={1}nssov,olcDatabase={2}ldap,cn=config
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: {1}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: sshd
olcNssPamSession: login
structuralObjectClass: olcNssOvConfig
entryUUID: 47ecaef0-b73e-1031-8761-9f0bff5d3212
creatorsName: cn=config
createTimestamp: 20121031003305Z
entryCSN: 20121031003305.637051Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031003305Z
and if i perform the same query using ldapsearch:
>ldapsearch -LLLZZxH 'ldap://localhost/' -D 'uid=flash,ou=people,ou=accounts,dc=example,dc=net' -w 'test' '(&(objectClass=posixAccount)(uid=flash))'
dn: uid=flash,ou=people,ou=accounts,dc=example,dc=net
initials: fg
givenName: flash
loginShell: /bin/bash
uidNumber: 2013
gidNumber: 2013
uid: flash
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: extensibleObject
c: us
homeDirectory: /home/flash
sn: gordon
cn: flash gordon
displayName: flash_gordon
mail: user@example.com
it does seem to cache it:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: slap_listener_activate(8):
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 busy
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: >>> slap_listener(ldap:///)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: listen=8, new connection on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: added 18r (active) listener=(nil)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 ACCEPT from IP=127.0.0.1:37220 (IP=0.0.0.0:389)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x77, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 do_extended
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: do_extended: oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 STARTTLS
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_extended: err=0 oid= len=0
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=1 tag=120 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): unable to get TLS client DN, error=49 id=1003
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 TLS established tls_ssf=128 ssf=128
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x60, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 do_bind
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: version=3 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: ndn: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: oc: "(null)", at: "(null)"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: found entry: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_entry_get: rc=0
Oct 31 08:55:37 deepfield slapd[12862]: str2filter "(uid=flash)"
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e250
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 5 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "entry" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" (0x00000004)
Oct 31 08:55:37 deepfield slapd[12862]: => test_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "uid" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: <= test_filter 6
Oct 31 08:55:37 deepfield slapd[12862]: pc_bind_search: cache is stale, reftime: 1351688135, current time: 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: =>ldap_back_getconn: conn=1003 op=1: lc=0xb38f9788 inserted refcnt=1 rc=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: v3 bind: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" to "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: pc_setpw: CACHING BIND for uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: 0x00000004: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= acl_access_allowed: granted to database root
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: replace userPassword
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: updated id=00000004 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=2 tag=97 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x63, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 do_search
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <dc=example,dc=net>, <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: SRCH "dc=example,dc=net" 2 0
Oct 31 08:55:37 deepfield slapd[12862]: 0 60 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: AND
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: filter: (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: attrs:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:55:37 deepfield slapd[12862]: ==> limits_get: conn=1003 op=2 self="uid=flash,ou=people,ou=accounts,dc=example,dc=net" this="dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:55:37 deepfield slapd[12862]: Entering QC, querystr = (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e350
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 1 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x1
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
what am i doing wrong?
-ben
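The first problem has a definite cause, and a form of the change that slapd accepts, as an added example that is not part of the original post: slapd refuses a modify/add of a further value to an attribute whose type has no EQUALITY matching rule once that attribute already has values, because it cannot test the new value against the existing ones for duplicates. That is the err=18 "no equality matching rule" in the log, and why the first ldapadd (attribute absent, nothing to compare) worked while the second did not; slapcat/slapadd never go through that check. A modify/replace carrying the complete value set needs no comparison and is accepted over the wire. The script below generates that LDIF; the template values are the ones from the post, and the ldapsearch/ldapmodify invocations assume the same URI and bind DN the post uses.

```shell
#!/bin/sh
# Added example (not from the original post): replace the whole
# olcPcacheTemplate value set instead of adding one value, which is the
# modify form slapd accepts for attribute types without an EQUALITY rule.

PCACHE_DN='olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config'
URI='ldap://localhost/'

# current_templates -> the olcPcacheTemplate values now in cn=config, one per line
# (always fetch these first: a replace drops every value it does not list)
current_templates() {
    ldapsearch -LLL -ZZ -x -W -H "$URI" -D cn=config -b "$PCACHE_DN" -s base olcPcacheTemplate \
        | sed -n 's/^olcPcacheTemplate: //p'
}

# replace_templates_ldif DN TEMPLATE... -> LDIF replacing the full value set
replace_templates_ldif() {
    dn=$1; shift
    printf 'dn: %s\nchangetype: modify\nreplace: olcPcacheTemplate\n' "$dn"
    for t in "$@"; do
        printf 'olcPcacheTemplate: %s\n' "$t"
    done
    printf '\n'
}

# The values from the post: the two templates already present and the one
# that "add:" was refused for.
EXISTING_1='"(objectclass=)" 0 3600'
EXISTING_2='"(uid=)" 0 3600'
NEW_TEMPLATE='"(cn=)" 0 3600'

# For comparison, this is the form slapd rejects with err=18 once the
# attribute already has a value:
#   dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
#   changetype: modify
#   add: olcPcacheTemplate
#   olcPcacheTemplate: "(cn=)" 0 3600

replace_templates_ldif "$PCACHE_DN" "$EXISTING_1" "$EXISTING_2" "$NEW_TEMPLATE"

# Live run (not executed here):
#   replace_templates_ldif "$PCACHE_DN" $(current_templates) "$NEW_TEMPLATE" \
#       | ldapmodify -ZZ -x -W -H "$URI" -D cn=config
# Note that the template values contain spaces, so in a real run collect
# current_templates into "$@" with set -- and quote each one rather than
# relying on word splitting as the one-liner above does.
```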
10 years, 8 months
OpenLDAP as an address book for MS Outlook
by Victor Sudakov
Dear Colleagues,
I have been trying to investigate what is needed in OpenLDAP to have
Microsoft Outlook 2007 display a list of names in the addressbook when
first accessed in the same way that it does with ActiveDirectory/Exchange.
From what I have found out from Web searching, MS Outlook requires a
certain set of overlays, supportedCapabilities and supportedControls
from the LDAP server to show the addressbook this way. The
CommunigatePro LDAP server can emulate those.
Are there any success stories, recommendations or howtos on how to
set up OpenLDAP to provide such a service?
I am running openldap-server-2.4.33 on FreeBSD. I have tried various
combinations of sssvlv and valsort overlays to no avail.
Outlook does show contacts from the OpenLDAP addressbook when I
specifically search for them, so my general setup (schema etc) seems
to be correct.
Thank you very much in advance for any input.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
10 years, 12 months
Openldap schema for services like Skype, Jabber, AIM, ….
by Bas van der Vlies
Hello,
I needed to store information how to reach people, e.g.:
* Skype
* Jabber
* AIM
* Facetime
* …
I wanted to know if there is a schema for it or whether people write their own schema?
I have read that there is a URI scheme for this kind of service:
* http://en.wikipedia.org/wiki/URI_scheme
regards
--
Bas van der Vlies
mail: basv@sara.nl
SARA - Academic Computing Services , Amsterdam, The Netherlands
10 years, 12 months
Re: Password policy
by Mauricio Tavares
On Mon, Nov 19, 2012 at 10:46 AM, jeevan kc <jeev_biz@hotmail.com> wrote:
> Thanks . But we have like more than 25k users on the server. Doing that individually would be tedious. Is there any other way ?
>
How about a script of some sorts? Something on the lines of:
    ask ldap for the userlist (using ldapsearch)
    for each user
        Add objectClass: pwdPolicy (using ldapmodify)
    done
> Sent from my iPhone
>
> On Nov 19, 2012, at 10:42 AM, "Mauricio Tavares" <raubvogel@gmail.com> wrote:
>
>> On Mon, Nov 19, 2012 at 10:14 AM, jeevan kc <jeev_biz@hotmail.com> wrote:
>>> Hello
>>>
>>> I want to enable password policy on Openldap 2.4.30(to all users. I see that
>>> the ppolicy.ldif and ppolicy.schema are listed under
>>> /usr/local/etc/openldap/schema but are not present on
>>> /usr/local/etc/openldap/slapd.d/cn=config folder. So do I need to add the
>>> policy.ldif to the cn=config folder ? Is there like specific procedure to do
>>> that or can I add manually with ldapadd ? Also how do I enable that schema
>>> to all users ? Please help.
>>>
>>>
>>> Jeevan
>>
>> If you have the policy as a diff, you could add it by saying
>>
>> ldapadd -Y EXTERNAL -H ldapi:/// -f /path/to/ppolicy.ldif
>>
>> Then you need to ldapmodify each user, adding something like
>>
>> objectClass: pwdPolicy
>>
>> to each of them.
>>
>> This is off the top of my head, so do verify before doing exciting
>> thingies to your server. ;)
Difference between 2.4.30 and 2.3.43 in certificateMatch.
by Mike Hulsman
Hi,
I stumbled upon a difference between openldap 2.4.30 and 2.3.43.
This is my configuration.
X509 certificates are stored in the directory and a search is done with:
(&(mail=aaa@a.b)(userCertificate:certificateMatch:=<binary
certificate)) if that is a match the uid must be returned.
That is working on 2.3.43 but when I try that on 2.4.30 it does not
work and I start debugging I see
filter="(&(mail=aaa(a)a.b)(?=undefined))" in the logfiles.
The request is the same on both openldap servers, I copied the
schemas and the ACLs are the same.
A slapcat on 2.3.43 is done and imported on 2.4.30
An ldapsearch on both servers for that user is returning the same data.
Do I need some more configuration for the 2.4.30 version or am I doing
something wrong?
The 2.3.43 version is working properly, but I want to update to 2.4.xx
for better replication.
Kind regards.
Mike Hulsman
----------------------------------------------------------------
This message was sent using IMP, the Internet Messaging Program.
last login time
by Jignesh Patel
How to capture last login time in openLDAP?
-Jignesh
Re: Index Add Failures
by Kyle Smith
Ok, I have been running 2.4.32 for some time with no issues. Yesterday, 2
different servers (both part of a 4-way MMR) produced an "index add
failure" and an "index delete failure". I went back over the bdb DB_CONFIG
settings (listed below) and everything looks nominal to me. Would it just
make more sense to switch from bdb to mdb instead of troubleshooting these
"random" errors too much? I also noticed that the number of "deadlocks"
corresponds to the number of errors that were produced. Is there
correlation there?
Thanks!
578 Last allocated locker ID
0x7fffffff Current maximum unused locker ID
9 Number of lock modes
3000 Maximum number of locks possible
1500 Maximum number of lockers possible
1500 Maximum number of lock objects possible
1 Number of lock object partitions
15 Number of current locks
1029 Maximum number of locks at any one time
17 Maximum number of locks in any one bucket
0 Maximum number of locks stolen by for an empty partition
0 Maximum number of locks stolen for any one partition
123 Number of current lockers
224 Maximum number of lockers at any one time
15 Number of current lock objects
526 Maximum number of lock objects at any one time
5 Maximum number of lock objects in any one bucket
0 Maximum number of objects stolen by for an empty partition
0 Maximum number of objects stolen for any one partition
3581M Total number of locks requested (3581768929)
3581M Total number of locks released (3581768869)
0 Total number of locks upgraded
77 Total number of locks downgraded
7041 Lock requests not available due to conflicts, for which we waited
43 Lock requests not available due to conflicts, for which we did not
wait
2 Number of deadlocks
0 Lock timeout value
0 Number of locks that have timed out
0 Transaction timeout value
0 Number of transactions that have timed out
1MB 392KB The size of the lock region
0 The number of partition locks that required waiting (0%)
0 The maximum number of times any partition lock was waited for (0%)
0 The number of object queue operations that required waiting (0%)
577 The number of locker allocations that required waiting (0%)
32148 The number of region locks that required waiting (0%)
5 Maximum hash bucket length
On Wed, Aug 29, 2012 at 12:04 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Wednesday, August 29, 2012 11:32 AM -0400 Kyle Smith <
> alacer.cogitatus(a)gmail.com> wrote:
>
> Quanah, Thanks for the info, I have confirmed I'm hitting the lock maxes
>> of 1000. And I will be upgrading to 2.4.32. I was wondering, what steps
>> should be done to have the changes in DB_CONFIG take effect?
>>
>>
>> stop slapd
>> make changes to DB_CONFIG
>> db_recover
>> start slapd
>>
>>
>> Will this also auto remove the log.* files? ( I plan on setting this:
>> "set_flags DB_LOG_AUTOREMOVE" in DB_CONFIG)
>>
>
> If you have checkpointing set in slapd.conf/cn=config, it should, yes.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
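The lock-region dump pasted above is the thing to watch after "hitting the lock maxes of 1000": the three "Maximum ... possible" lines are the set_lk_max_locks / set_lk_max_lockers / set_lk_max_objects limits from DB_CONFIG, and the "at any one time" lines are the peaks actually reached. As an added example (not code from this thread), the script below reads `db_stat -c` output and reports the headroom per resource, exiting non-zero when a peak is at or above a threshold so it can sit in a cron job or a pre-upgrade check. The embedded sample is the relevant lines of the dump above; the threshold and the report format are my own choices.

```shell
#!/bin/sh
# Added example (not from the thread): check how close Berkeley DB lock usage
# came to the set_lk_max_* limits, from the output of `db_stat -c -h <dbdir>`.
# Exit status 1 when any peak is at or above the warning threshold (percent,
# default 80). Changing a limit only takes effect after slapd is stopped,
# DB_CONFIG edited, db_recover run and slapd started again.

check_db_locks() {
    awk -v warn="${1:-80}" '
        /Maximum number of locks possible/                { max["locks"]    = $1 }
        /Maximum number of locks at any one time/         { peak["locks"]   = $1 }
        /Maximum number of lockers possible/              { max["lockers"]  = $1 }
        /Maximum number of lockers at any one time/       { peak["lockers"] = $1 }
        /Maximum number of lock objects possible/         { max["objects"]  = $1 }
        /Maximum number of lock objects at any one time/  { peak["objects"] = $1 }
        /Number of deadlocks/                             { deadlocks = $1 }
        END {
            rc = 0
            n = split("locks lockers objects", kind, " ")
            for (i = 1; i <= n; i++) {
                k = kind[i]
                # integer percent of the configured maximum that the peak reached
                pct = (max[k] > 0) ? int(100 * peak[k] / max[k]) : 0
                flag = (pct >= warn) ? " RAISE set_lk_max_" k : ""
                printf "%s peak %d of %d (%d%%)%s\n", k, peak[k], max[k], pct, flag
                if (pct >= warn) rc = 1
            }
            printf "deadlocks %d\n", deadlocks + 0
            exit rc
        }'
}

# Constructed sample: the lock lines from the db_stat dump quoted in the thread.
DB_STAT_SAMPLE='3000 Maximum number of locks possible
1500 Maximum number of lockers possible
1500 Maximum number of lock objects possible
15 Number of current locks
1029 Maximum number of locks at any one time
17 Maximum number of locks in any one bucket
123 Number of current lockers
224 Maximum number of lockers at any one time
15 Number of current lock objects
526 Maximum number of lock objects at any one time
5 Maximum number of lock objects in any one bucket
2 Number of deadlocks'

# Real use: db_stat -c -h /var/lib/ldap | check_db_locks 80
printf '%s\n' "$DB_STAT_SAMPLE" | check_db_locks 80 || echo "WARNING: lock headroom low, raise the limit and restart slapd"
```

On the numbers above the peaks sit at roughly a third of the limits, so lock exhaustion is not what produced the index failures; the two deadlocks are reported separately because they are a retry condition for slapd, not a capacity limit.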
Optimization help
by Pawan Kamboj
Hi,
What can I do to maximize the performance of my OpenLDAP setup, which is
running in master-slave mode using syncrepl?
The system has 8 GB RAM and 4 GB swap space.
OpenLDAP 2.3.32 and DB 4.5
----------------------------------
Total dn count is 2450000.
LDIF size is 670MB using ldapsearch
bdb size is:
du -c -h *.bdb
69M authenticationId.bdb
227M cn.bdb
602M dn2id.bdb
27M entryCSN.bdb
24M entryUUID.bdb
2.5G id2entry.bdb
6.4M mail.bdb
4.6M objectClass.bdb
16M ou.bdb
263M sn.bdb
740M uid.bdb
4.4G total
-----------------------
Portion of slapd.conf:
cachesize 50000
checkpoint 4096 10
sizelimit 2500000
-------------------------
DB_CONFIG
# Set the database in memory cache size.
set_cachesize 2 0 1
# Set database flags.
set_flags DB_TXN_NOSYNC
set_lk_max_locks 2000
set_lk_max_objects 1000
set_lk_max_lockers 1000
set_txn_timeout 3000000
set_lock_timeout 3000000
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097152
set_lg_dir /usr/local/var/master/logs
db_stat -h /usr/local/master/db -m | head -n 2
2GB Total cache size
1 Number of caches
Thanks
Pawan Kumar