openldap-technical April 2012

openldap-technical@openldap.org

76 participants
80 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

SASL passthrough - multiple domains
by Liam Gretton 05 Jul '12

05 Jul '12

I have a working configuration with pass-through auth to an AD domain using saslauthd. However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file. Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf. My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at). But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find. -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

8 10

autogenerated/virtual attributes
by btb＠bitrate.net 19 Jun '12

19 Jun '12

given an entry such as: dn=cn=abuse,ou=example.net,ou=mail,ou=groups,dc=example,dc=com objectclass=mailgroup cn=abuse member=uid=jdoe,ou=people,ou=accounts,dc=example,dc=com i'd like the entry to also include an attribute, generated automatically, based on the rdn of the entry and the superior's rdn. for example: dn=cn=abuse,ou=example.net,ou=mail,ou=groups,dc=example,dc=com objectclass=mailgroup cn=abuse member=uid=jdoe,ou=people,ou=accounts,dc=example,dc=com maillocaladdress=abuse(a)example.com where maillocaladdress is the automatically generated attribute. is this possible? it seems like something an overlay might accommodate, so i thought i might try experimenting with slapo-rwm, but wanted to also ask here in the meantime. thanks -ben

3 4

Pass-though Authentication with Saslauthd and Kerberos
by Jeff B 06 Jun '12

06 Jun '12

I'm attempting to get pass-though auth to work against saslauthd and kerberos and while the problem seems to be in sasl I think it's most likely to be seen in this type of configuration with opendap which I why I chose this mailing list. When I run testsaslauthd it works but when I run ldapsearch it fails. But the curious thing is where it is failing. in doing straces of saslauthd and packet traces I've found that when ldapsearch calls salsauthd, and not when I run saslauthd kerberos does not deliver the AS-REP packets till just after saslauthd times out. I can't find any difference in how I'm invoking saslauthd with testdaslauthd and how ldapsearch is invoking saslauthd. However the packet traces are quite different as you will see below. I've seen these kind of errors here and there on google but no resolutions that I can find. (http://www.openldap.org/lists/openldap-software/200602/msg00278.html) Centos 6 openldap-2.4.23-15.el6_1.3.x86_64 openldap-clients-2.4.23-15.el6_1.3.x86_64 openldap-servers-2.4.23-15.el6_1.3.x86_64 openldap-devel-2.4.23-15.el6_1.3.x86_64 krb5-server-1.9-9.el6_1.2.x86_64 krb5-server-ldap-1.9-9.el6_1.2.x86_64 krb5-workstation-1.9-9.el6_1.2.x86_64 krb5-libs-1.9-9.el6_1.2.x86_64 cyrus-sasl-2.1.23-8.el6.x86_64 cyrus-sasl-lib-2.1.23-8.el6.x86_64 cyrus-sasl-gssapi-2.1.23-8.el6.x86_64 cyrus-sasl-plain-2.1.23-8.el6.x86_64 cyrus-sasl-devel-2.1.23-8.el6.x86_64 My slapd.conf contains nothing regarding kerberos / sasl / pass-through authentication. I'm using a slapd.conf file for the time being till i get it all worked out and plan on converting it to a cn=config configuration. In my DIT the userPassword field contains: {SASL}myuser@MYREALM where myuser and my realm are replaced with the proper values. /etc/sasl2/slapd.conf: mech_list: plain pwcheck_method: saslauthd saslauthd_path: /var/run/saslauthd/mux /etc/sysconfig/saslauthd KRB5_KTNAME=/etc/krb5.keytab SOCKETDIR=/var/run/saslauthd MECH=kerberos5 Which builds a daemon command line of: /usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5 My system keytab is: /etc/krb5.keytab (root.ldap 0640) host/my.hostname@realm ldap/my.hostname@realm My socket parent dir is: /var/run/saslauthd (root.ldap 0770) When I run testsaslauthd I get a packet trace between saslauthd and kerberos is all UDP and works: > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ < AS-REP > TGS-REQ < TGS-REP When I run ldapsearch the packet trace between saslauthd and kerberos is UDP and TCP communication. None of the kerberos replies come back for 18 seconds, the time it takes saslauthd to time out. > AS-REQ < KRB5KDC_ERR_PREAUTH_REQUIRED (25) > AS-REQ > TCP SYN < TCP SYN, ACK > TCP ACK > TCP AS-REQ < TCP ACK > AS-REQ > AS-REQ > TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once. < AS-REP < AS-REP < AS-REP < TCP AS-REP > TCP RST an strace of saslauthd supports this timeout theory as it shows the the timeouts and backoffs. I can't find any info regarding saslauthd and TCP or UDP or timeouts like this. Any ideas?

5 7

Concerns with OLC (cn=config) for editing schema, ACLs, and deleting entries
by Chris Hiestand 20 May '12

20 May '12

Part 1: Readability I know you veterans are probably sick to death of us late-comers asking questions about cn=config. I understand but please hear me out because I feel I have done due diligence; but I still have some concerns with the transition. Workflow has been discussed before, but I suspect it hasn't been fleshed out because the switch from editing schema and ACLs in flat files to LDAP entries reduces readability. I have no problem using cn=config for most configuration attributes, but it gets a lot less user friendly when the value is, what used to be in slapd.conf, a multi-line string. But I could just be missing something. Your help is appreciated. Attached are some screenshots of editing ACLs and a custom schema via 3 methods: 1. cn=config via ldap client (ie apache directory studio) 2. cn=config via ldif 3. old style slapd.conf Look at the pictures and pick which method you'd like to use to edit ACLs or a schema: http://snl.salk.edu/~chiestand/openldap/ACLs-via-ldap.png http://snl.salk.edu/~chiestand/openldap/ACLs-via-ldif.png http://snl.salk.edu/~chiestand/openldap/ACLs-via-slapd.conf.png http://snl.salk.edu/~chiestand/openldap/schema-via-ldap.png http://snl.salk.edu/~chiestand/openldap/schema-via-ldif.png http://snl.salk.edu/~chiestand/openldap/schema-via-slapd.conf.png I think the choice is clearly old style slapd.conf. Otherwise you miss comments and ordering (until Howard Chu's X-ORDERED ldap extension is implemented), and unlimited whitespace to substantially improve readability. The LDIF files are a mess because of the way words are split unpredictably by new lines. You can't use a simple search and replace with any hope of it working. Readability would be vastly improved with new lines before keywords (eg to, filter, attrs …) but I don't think it's possible to have ldapsearch output this way. Editing via an ldap client is easy if you're just editing an attribute here and there, but because of the interacting nature of ACLs and schema elements, poor readability (no newlines) makes editing via an ldap client more difficult (a gui with smart sorting and syntax highlighting could make it better). Am I just missing workflow techniques or key concepts that improves readability? Or is your advice to just suck it up and get used to it? Part 2: Deleting entries in cn=config Quanah Gibson-Mount has said entry deletes are coming in 2.5, is that still the plan? The Roadmap page isn't specific. What about whole schema deletes? From a sysadmin perspective, I should be able to add, modify, or delete anything from the configuration. For QA reasons, you want to be have the exact configuration you want; not the configuration you want plus legacy boogers. I understand if this isn't trivial to achieve from the developer perspective. Granted I don't have the whole picture here, but I'd argue that it's worth it. Lastly, I thank everyone who contributes to OpenLDAP.

16 47

ACL syntax with wildcards
by Nick Milas 18 May '12

18 May '12

Hi, We would like to use ACL statements of the form (used for illustration purposes): access to dn.subtree="ou=people,dc=example,dc=com" filter="(ou=xxxxx)" attrs="someAttrs" by group.exact="cn=xxxxxAdmins,ou=Groups,dc=example,dc=com" write by group.exact="cn=allAdmins,ou=Groups,dc=example,dc=com" read by self read where xxxxx is some string. In essence, we assign people entries to various administrative groups, depending on the value of the ou attribute of the entry. Of course we can write many statements, one per ou value / admin group, but it would be much more concise to use just one statement using wildcards. Could someone please suggest if and how the above can be written correctly, using e.g. regex? I appreciate any suggestions. Thanks, Nick

7 15

translucent overlay and local objects?
by Eugene Vilensky 16 May '12

16 May '12

Greetings, Pardon if this is an RTFM (I'd love a link), but is it possible to store entities locally using the translucent overlay? The overlay works for what we are trying to do when it comes to search and modifying attributes on an entry, but I would like to create an entire local groupofnames, consisting of remote UIDs. For example, this LDIF imports OK: #!RESULT OK #!CONNECTION ldap://xxxxx #!DATE 2012-04-09T16:01:33.961 dn: cn=instructors,ou=Groups,dc=xxxx,dc=zzz changetype: add objectClass: groupofnames member: uid=nate member: uid=penelope member: uid=rhonda cn: instructors But searching for it does not bring back a result. However, it must have gone somewhere since if I try to import the same LDIF again: #!RESULT ERROR #!CONNECTION ldap://xxxxx #!DATE 2012-04-09T16:21:28.221 #!ERROR [LDAP: error code 68 - Entry Already Exists] Kind regards, Eugene

4 11

slapadd hanging initializing mdb backend
by Mark 02 May '12

02 May '12

When I try to slapadd initial data into an empty mdb backend, the slapadd hangs: $ /tmp/openldap-2.4.31/sbin/slapadd -w -S 1 -c -F /tmp/openldap-2.4.31/etc/slapd.d -b dc=example,dc=com -l /tmp/openldap-2.4.31/etc/initdb.ldif _#################### 100.00% eta none elapsed none fast! (does not return to a shell prompt. I have to INT it.) I add '-d -1' to get some debugging output and I get this after removing the data.mdb and lock.mdb created above: $ /tmp/openldap-2.4.31/sbin/slapadd -d -1 -w -S 1 -c -F /tmp/openldap-2.4.31/etc/slapd.d -b dc=example,dc=com -l /tmp/openldap-2.4.31/etc/initdb.ldif (lines removed for brevity but can be submitted if need be) 4f9ea9c0 => str2entry: "dn: ou=Users,dc=example,dc=com objectClass: organizationalUnit ou: Users " 4f9ea9c0 >>> dnPrettyNormal: <ou=Users,dc=example,dc=com> 4f9ea9c0 <<< dnPrettyNormal: <ou=Users,dc=example,dc=com>, <ou=users,dc=example,dc=com> 4f9ea9c0 <= str2entry(ou=Users,dc=example,dc=com) -> 0x6afeba8 4f9ea9c0 oc_check_required entry (ou=Users,dc=example,dc=com), objectClass "organizationalUnit" 4f9ea9c0 oc_check_allowed type "objectClass" 4f9ea9c0 oc_check_allowed type "ou" 4f9ea9c0 oc_check_allowed type "structuralObjectClass" 4f9ea9c0 => mdb_tool_entry_put( -1, "ou=Users,dc=example,dc=com" ) 4f9ea9c0 => mdb_dn2id("ou=users,dc=example,dc=com") 4f9ea9c0 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798) 4f9ea9c0 => mdb_dn2id_add 0x6: "ou=users,dc=example,dc=com" 4f9ea9c0 <= mdb_dn2id_add 0x6: 0 4f9ea9c0 => index_entry_add( 6, "ou=Users,dc=example,dc=com" ) 4f9ea9c0 mdb_idl_insert_keys: 6 [9bee355f] 4f9ea9c0 mdb_idl_insert_keys: 6 [ef1184ca] 4f9ea9c0 mdb_idl_insert_keys: 6 4f9ea9c0 <= index_entry_add( 6, "ou=Users,dc=example,dc=com" ) success 4f9ea9c0 => mdb_entry_encode(0x00000006): ou=Users,dc=example,dc=com 4f9ea9c0 <= mdb_entry_encode(0x00000006): ou=Users,dc=example,dc=com 4f9ea9c0 => mdb_dn2id("dc=example,dc=com") 4f9ea9c0 <= mdb_dn2id: got id=0x1 4f9ea9c0 => mdb_entry_decode: 4f9ea9c0 <= mdb_entry_decode 4f9ea9c0 => mdb_tool_entry_modify( 1, "(null)" ) (it's hung) Here is the /tmp/openldap-2.4.31/etc/initdb.ldif: ### BEGIN INITDB.LDIF dn: dc=example,dc=com objectClass: organization objectClass: dcObject dc: example o: example.com dn: cn=manager,dc=example,dc=com objectClass: organizationalRole objectClass: simpleSecurityObject cn: manager userPassword: {SSHA}asif dn: cn=replicator,dc=example,dc=com objectClass: organizationalRole objectClass: simpleSecurityObject cn: replicator userPassword: {SSHA}asif dn: ou=Groups,dc=example,dc=com objectClass: organizationalUnit ou: Groups dn: cn=LDAP Admins,ou=Groups,dc=example,dc=com objectClass: top objectClass: groupOfUniqueNames cn: LDAP Admins uniqueMember: cn=manager,dc=example,dc=com dn: ou=Users,dc=example,dc=com objectClass: organizationalUnit ou: Users ### END INITDB.LDIF I used the following slaptest commands to create the initial slapd.d/ directory from a slapd.conf file: $ /tmp/openldap-2.4.31/sbin/slaptest -u -f /tmp/openldap-2.4.31/etc/slapd.conf -F /tmp/openldap-2.4.31/etc/slapd.d config file testing succeeded $ /tmp/openldap-2.4.31/sbin/slaptest -f /tmp/openldap-2.4.31/etc/slapd.conf -F /tmp/openldap-2.4.31/etc/slapd.d 4f9eab15 mdb_db_open: database "dc=example,dc=com" cannot be opened, err 2. Restore from backup! 4f9eab15 backend_startup_one (type=mdb, suffix="dc=example,dc=com"): bi_db_open failed! (2) slap_startup failed (test would succeed using the -u switch) Here is the /tmp/openldap-2.4.31/etc/slapd.conf: ### BEGIN SLAPD.CONF include /tmp/openldap-2.4.31/etc/schema/core.schema include /tmp/openldap-2.4.31/etc/schema/cosine.schema include /tmp/openldap-2.4.31/etc/schema/nis.schema include /tmp/openldap-2.4.31/etc/schema/inetorgperson.schema argsfile /tmp/openldap-2.4.31/var/run/slapd.args pidfile /tmp/openldap-2.4.31/var/run/slapd.pid threads 8 tool-threads 2 idletimeout 0 writetimeout 0 reverse-lookup off loglevel stats serverid 1 ldap://boardwalk:2389 modulepath /tmp/openldap-2.4.31/libexec moduleload back_monitor.la moduleload back_mdb.la moduleload syncprov.la password-hash {SSHA} sizelimit unlimited database config rootdn "cn=manager,dc=example,dc=com" access to * by group="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write by users read by * none database monitor rootdn "cn=manager,dc=example,dc=com" access to * by users read by * none database mdb suffix "dc=example,dc=com" rootdn "cn=manager,dc=example,dc=com" directory /tmp/openldap-2.4.31/var/data index objectClass eq index entryCSN eq index entryUUID eq syncrepl rid=001 provider=ldap://boardwalk:2389 type=refreshAndPersist retry="15 +" bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials="asif" searchbase="dc=example,dc=com" starttls=no schemachecking=off syncrepl rid=002 provider=ldap://chance:2389 type=refreshAndPersist retry="15 +" bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials="asif" searchbase="dc=example,dc=com" starttls=no schemachecking=off syncrepl rid=003 provider=ldap://freeparking:2389 type=refreshAndPersist retry="15 +" bindmethod=simple binddn="cn=replicator,dc=example,dc=com" credentials="asif" searchbase="dc=example,dc=com" starttls=no schemachecking=off mirrormode TRUE overlay syncprov syncprov-checkpoint 50 10 syncprov-sessionlog 100 access to attrs=userPassword by anonymous auth by self write by dn.exact="cn=replicator,dc=example,dc=com" read by * none access to * by group="cn=LDAP Admins,ou=Groups,dc=example,dc=com" write by dn.exact="cn=replicator,dc=example,dc=com" read by users read by * none limits dn.exact="cn=replicator,dc=example,dc=com" time.soft=unlimited time.hard=unlimited size.soft=unlimited size.hard=unlimited ### END SLAPD.CONF I compiled from the following source: OpenLDAP 2.4.31 OpenSSL 1.0.1b Cyrus-SASL 2.1.25 I am running in the following environment: Dell Poweredge 2950; dual-core Intel(R) Xeon(R) CPU 5110 @ 1.60GHz; 8GB RAM Scientific Linux 5.7 Am I doing something wrong (besides the ACLs for cn=LDAP Admins,ou=Groups,dc=example,dc=com. I'm still struggling there) ? Thank you, Mark

2 1

DEL don't get synced
by Marc Patermann 02 May '12

02 May '12

Hi, under some circumstances DEL don't get replicated to the consumers (SyncRepl). I think this has to do with other changes at the some moment. I attached two logs excepts in sync.log. In the first except there is only a DEL Jan 31 09:16:01 ldapserver slapd[10641]: conn=79138 op=2 DEL dn="employeeNumber=19676,ou=humans,ou=foo" For this there is a Jan 31 09:16:01 ldapserver slapd[10641]: syncprov_sendresp: cookie=rid=401,csn=20120131081601.377028Z#000000#000#000000 line for every connected consumer. In the second step there is a MOD and a DEL Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=2 MOD dn="ou=FA-WF,ou=gruppen,ou=humans,ou=foo" Jan 31 10:31:01 ldapserver slapd[10641]: conn=79938 op=3 DEL dn="employeeNumber=24387,ou=humans,ou=foo" As far as I can see, there is only sync activity for the MOD action, and not for the DEL action. The DEL is not synced. Marc

11 44

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2012