Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50 (that line is marked below with a comment).
    #!/usr/bin/perl -w
    use strict;
    use warnings;
    use Net::LDAP;
    use Net::LDAP::Control::VLV;
    use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
    use Net::LDAP::Control::Sort;

    # Called by search() for every entry, and once more without an entry
    # when the result arrives
    sub procentry {
        my ( $mesg, $entry ) = @_;
        # Return if there is no entry to process
        return unless defined $entry;

        print "dn: " . $entry->dn() . "\n";
        my @attrs = $entry->attributes();
        foreach my $attr (@attrs) {
            # asref => 1 returns every value of a multi-valued attribute
            my $attrvalue = $entry->get_value( $attr, asref => 1 );
            foreach my $value (@$attrvalue) {
                print "$attr: $value\n";
            }
        }
        $mesg->pop_entry;   # release the entry instead of keeping it in memory
        print "\n";
    }

    my $ldap = Net::LDAP->new( "localhost" ) or die "cannot connect: $@";

    # Get the first 20 entries
    my $vlv = Net::LDAP::Control::VLV->new(
        before  => 0,    # No entries from before target entry
        after   => 19,   # 19 entries after target entry
        content => 0,    # List size unknown
        offset  => 1,    # Target entry is the first
    );
    # VLV is only defined over a sorted result set, hence the Sort control
    my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

    my @args = (
        base     => "dc=example,dc=co,dc=in",
        scope    => "subtree",
        filter   => "(objectClass=inetOrgPerson)",
        callback => \&procentry,        # Call this sub for each entry
        control  => [ $sort, $vlv ],
    );
    my $mesg = $ldap->search( @args );

    # Get VLV response control
    my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50: the script dies here
    $vlv->response( $resp );

    # Set the control to get the last 20 entries
    $vlv->end;
    $mesg = $ldap->search( @args );
    # Get VLV response control
    ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
    $vlv->response( $resp );

    # Now get the previous page
    $vlv->scroll_page( -1 );
    $mesg = $ldap->search( @args );
    # Get VLV response control
    ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
    $vlv->response( $resp );

    # Now page with first entry starting with "B" in the middle
    $vlv->before(9);    # Change page to show 9 before
    $vlv->after(10);    # Change page to show 10 after
    $vlv->assert("B");  # assert "B"
    $mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
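An added example (not the poster's script, and not Net::LDAP code) that models the VLV exchange the script performs, in Python and offline: a server-side function applies a VLV request to a sorted list and returns the page together with the response control (targetPosition and contentCount), and client-side helpers mirror the script's response/end/scroll_page/assert calls. The 30-entry name list, the dataclasses and the helper names are constructed for this example. It shows why the response control is indispensable: `end` and `scroll_page` can only be computed from the contentCount the server returned, so a search that comes back without a VLV response control (which is when the script's `or die` fires, because `$mesg->control` returns an empty list) leaves the client with nothing to page on. On OpenLDAP that is the situation unless the sssvlv overlay is loaded; checking `$mesg->code` before looking for the control is also worthwhile.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, already sorted sample list (a real server sorts the result set with the
# Sort control sent alongside VLV; VLV is only defined over a sorted result set).
NAMES = sorted(["Alice", "Amir", "Anna", "Bea", "Ben", "Bob", "Carl", "Cleo", "Dan", "Dave",
                "Eve", "Fay", "Gus", "Hal", "Ida", "Jo", "Kim", "Lee", "Max", "Ned",
                "Oli", "Pat", "Quin", "Ray", "Sam", "Tom", "Uma", "Vic", "Wes", "Zoe"])

@dataclass
class VlvRequest:                      # the request control's fields
    before: int                        # entries wanted ahead of the target
    after: int                         # entries wanted after the target
    offset: int = 1                    # 1-based target position (byOffset form)
    content: int = 0                   # client's idea of the list size, 0 = unknown
    assertion: Optional[str] = None    # greaterThanOrEqual form, as set by assert("B")

@dataclass
class VlvResponse:                     # the response control's fields the client needs
    target_position: int               # 1-based index of the target in the whole list
    content_count: int                 # server's count of the whole list

def vlv_search(sorted_keys: List[str], req: VlvRequest) -> Tuple[List[str], VlvResponse]:
    """Server side: locate the target entry, return its window and the response control."""
    count = len(sorted_keys)
    if req.assertion is not None:
        # first entry that sorts at or after the assertion value; assumption of this model:
        # when no entry qualifies, the last entry becomes the target
        target = next((i + 1 for i, k in enumerate(sorted_keys) if k >= req.assertion), count)
    elif req.content == 0:
        target = req.offset            # list size unknown to the client: offset taken as is
    else:
        # proportional offset of the VLV draft, Si = Sc * (Oc - 1) / Cc + 1, which reduces
        # to the offset itself once the client echoes the server's contentCount
        target = count * (req.offset - 1) // req.content + 1
    target = max(1, min(target, count)) if count else 0
    page = sorted_keys[max(0, target - 1 - req.before): target + req.after]
    return page, VlvResponse(target_position=target, content_count=count)

def apply_response(req: VlvRequest, resp: Optional[VlvResponse]) -> None:
    """Client side, like $vlv->response($resp): adopt the server's position and list size.
    Without the response control nothing can be paged; this is the state in which the
    script's 'or die' fires."""
    if resp is None:
        raise RuntimeError("no VLV response control in the result: the server did not apply "
                           "the VLV request (OpenLDAP needs the sssvlv overlay for VLV)")
    req.offset, req.content = resp.target_position, resp.content_count

def page_end(req: VlvRequest) -> None:
    """Modelled on $vlv->end: target the last entry, widen 'before' to keep the page size."""
    req.before, req.after = req.before + req.after, 0
    req.offset, req.assertion = req.content, None

def scroll_page(req: VlvRequest, pages: int) -> None:
    """Modelled on $vlv->scroll_page(N): move the target N pages of before+after+1 entries."""
    req.offset = max(1, req.offset + pages * (req.before + req.after + 1))

def walkthrough(sorted_keys: List[str]) -> dict:
    """The four searches of the script, in order, returning the page each one produced."""
    req = VlvRequest(before=0, after=19, offset=1, content=0)   # first 20 entries
    first, resp = vlv_search(sorted_keys, req)
    apply_response(req, resp)
    page_end(req)                                                # last 20 entries
    last, resp = vlv_search(sorted_keys, req)
    apply_response(req, resp)
    scroll_page(req, -1)                                         # one page back
    previous, resp = vlv_search(sorted_keys, req)
    apply_response(req, resp)
    req.before, req.after, req.assertion = 9, 10, "B"            # page centred on "B"
    around_b, resp = vlv_search(sorted_keys, req)
    apply_response(req, resp)
    return {"first": first, "last": last, "previous": previous, "around_B": around_b}

if __name__ == "__main__":
    for label, page in walkthrough(NAMES).items():
        print(f"{label:9s} {len(page):2d} entries: {page[0]} .. {page[-1]}")
```

Note the "previous" page in the walkthrough: scrolling one page back from the last entry of a 30-entry list lands the target on entry 10 with 19 entries requested before it, so the server clips the window to entries 1 to 10. That clipping is normal VLV behaviour, not an error, and the response's targetPosition is how the client knows where it actually is.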
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
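The HOTP algorithm the post prefers, worked through as an added example (not dynalogin's code): RFC 4226's HMAC-SHA-1 over the 8-byte counter, dynamic truncation, and a server-side verifier with a look-ahead window. The secret is the 20-byte ASCII test key from the RFC's appendix, so the values can be checked against the RFC's table; the verifier, its window size and the function names are constructed here.

```python
import hashlib
import hmac
import struct
from typing import Optional

# 20-byte ASCII test secret from RFC 4226 Appendix D; any byte string works as K.
RFC4226_SECRET = b"12345678901234567890"

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) per RFC 4226: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation to 31 bits, reduction modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF   # drop the sign bit
    return str(code % (10 ** digits)).zfill(digits)

def verify_hotp(secret: bytes, stored_counter: int, submitted: str,
                look_ahead: int = 10, digits: int = 6) -> Optional[int]:
    """Server-side check with a look-ahead window, the resynchronisation mechanism RFC 4226
    describes for a token whose counter has run ahead of the server's. Returns the counter
    the server must store next (one past the matched value) or None. The stored counter only
    moves forward, so a code that was already used, or one from an earlier counter, fails:
    this is what makes HOTP codes single-use. The window size is a constructed choice."""
    if len(submitted) != digits or not submitted.isdigit():
        return None
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        # constant-time comparison so the check leaks nothing about the expected code
        if hmac.compare_digest(hotp(secret, c, digits), submitted):
            return c + 1
    return None

if __name__ == "__main__":
    for c in range(10):
        print(c, hotp(RFC4226_SECRET, c))   # matches the table in RFC 4226 Appendix D
```

A server deploying this also needs the throttling RFC 4226 asks for (a failure counter per account with a delay or lockout), since a six-digit code with a window of eleven counters is guessable without it.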
I have a working configuration with pass-through auth to an AD domain
using saslauthd.
However now there is a requirement to be able to handle another domain
too, and I cannot work out how to do this. It seems that saslauthd
cannot deal with multiple Kerberos realms; no matter what hoops one
jumps through, it eventually boils down to only using whatever
'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way
(that I can work out) of getting OpenLDAP to use anything other than the
single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to the
separate saslauthd daemons, and have another outward-facing LDAP service
with these as the backends, but that's a non-starter too because there's
no way of specifying the SASL slapd.conf file; it seems SASL always
looks in /etc/sasl2 for a file derived from the process name (a chroot
environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users
against multiple domains. I appreciate this is a SASL issue rather than
a problem with OpenLDAP, but I'm hoping that someone here has cracked
this already. Googling hasn't thrown up a solution that I can find.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
Hi guys,
I have an LDAP server and it has a group called
cn=internal,ou=group,dc=example,dc=com
The users of this group are:
uid=user1,ou=user,dc=example,dc=com
uid=user2,ou=user,dc=example,dc=com
I need to authenticate only the users under cn=internal.
An LDAP search for the cn=internal group returns the following:
dn: cn=internal,ou=group,dc=example,dc=com
objectClass: groupOfNames
objectClass: top
cn: internal
member: uid=user1,ou=user,dc=example,dc=com
member: uid=user2,ou=user,dc=example,dc=com
member: uid=user3,ou=user,dc=example,dc=com
member: uid=user4,ou=user,dc=example,dc=com
By the way, all the users are stored under the base OU=user,DC=example,DC=com.
This is what we are using:
(&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))
It seems like it's not working.
What LDAP search filter do I need to use to get only the members of the
cn=internal group authenticated?
Thanks
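An added example (not from the poster's setup) in Python, runnable offline: it builds a membership filter with RFC 4515 escaping and evaluates it, through a small equality/presence filter matcher, against entries constructed from the question (the cn=internal group and its users, plus a constructed uid=user5 who is not a member). It shows that the posted filter matches nothing here: a memberOf attribute exists on user entries only when the server maintains it (on OpenLDAP, the memberof overlay), and groupOfNames is the group's objectClass, not the user's, whereas searching the group entry itself for member=<user DN> needs no overlay. The escaping matters as soon as the name or DN comes from the login form: an unescaped `*` turns the check into a presence filter that succeeds for anyone. The function names and the evaluator are constructed for this example.

```python
import re

# Entries constructed from the question: the group with its four members, the four users,
# and a constructed fifth user (user5) who is not a member. Attribute names are lowercased.
GROUP_DN = "cn=internal,ou=group,dc=example,dc=com"
ENTRIES = {
    GROUP_DN: {"objectclass": ["groupOfNames", "top"], "cn": ["internal"],
               "member": [f"uid=user{n},ou=user,dc=example,dc=com" for n in (1, 2, 3, 4)]},
}
for n in (1, 2, 3, 4, 5):
    ENTRIES[f"uid=user{n},ou=user,dc=example,dc=com"] = {"objectclass": ["inetOrgPerson"],
                                                           "uid": [f"user{n}"]}

def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping for a value placed inside a filter: without it a caller-controlled
    name such as '*' or ')(uid=*' changes what the filter means."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\0" else c for c in value)

def membership_filter(group_cn: str, user_dn: str) -> str:
    """Filter that matches the group entry only if user_dn is one of its member values; run it
    with the group container (ou=group,dc=example,dc=com) as the search base. It needs no
    memberOf attribute, so it works on servers that do not maintain one."""
    return "(&(objectClass=groupOfNames)(cn=%s)(member=%s))" % (
        ldap_filter_escape(group_cn), ldap_filter_escape(user_dn))

def _unescape(raw: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), raw)

def _parse(f: str, i: int):
    """Parse one component starting at f[i] == '('; returns (node, index after it).
    Supports &, |, !, equality and presence (attr=*), enough to evaluate the filters above."""
    if f[i] != "(":
        raise ValueError("filter component must start with '('")
    i += 1
    if f[i] in "&|!":
        op, kids, i = f[i], [], i + 1
        while f[i] == "(":
            node, i = _parse(f, i)
            kids.append(node)
        return (op, kids), i + 1
    j = f.index(")", i)
    attr, _, raw = f[i:j].partition("=")
    return ("=", attr.lower(), None if raw == "*" else _unescape(raw)), j + 1

def _matches(node, entry: dict) -> bool:
    op = node[0]
    if op == "&":
        return all(_matches(k, entry) for k in node[1])
    if op == "|":
        return any(_matches(k, entry) for k in node[1])
    if op == "!":
        return not _matches(node[1][0], entry)
    _, attr, value = node
    values = entry.get(attr, [])
    if value is None:                          # presence filter (attr=*)
        return bool(values)
    return any(v.lower() == value.lower() for v in values)   # caseIgnore/DN match, simplified

def search(filt: str, entries: dict = ENTRIES) -> list:
    """DNs of the entries the filter matches, sorted."""
    node, end = _parse(filt, 0)
    if end != len(filt):
        raise ValueError("unexpected text after the filter")
    return sorted(dn for dn, e in entries.items() if _matches(node, e))

if __name__ == "__main__":
    posted = "(&(objectClass=groupOfNames)(memberOf=CN=internal,OU=group,DC=example,DC=com))"
    print("posted filter :", search(posted))
    print("user1 member? :", search(membership_filter("internal", "uid=user1,ou=user,dc=example,dc=com")))
    print("user5 member? :", search(membership_filter("internal", "uid=user5,ou=user,dc=example,dc=com")))
    print("escaped '*'   :", search(membership_filter("internal", "*")))
```

With the memberof overlay in place the equivalent check is a search under ou=user for `(&(uid=<user>)(memberOf=cn=internal,ou=group,dc=example,dc=com))`; the escaping rule is the same either way.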
Hi.
I have a replication setup.
Full replication of o=company, but the user for replication (uid=replica,ou=users,o=company) is limited by ACL.
Master configuration:
access to dn.subtree="ou=users,o=company" attrs=userPassword
    by anonymous auth
access to dn.base="o=company"
    by dn.exact="uid=replica,ou=users,o=company" read
access to dn.subtree="ou=dev,o=company"
    by dn.exact="uid=replica,ou=users,o=company" read
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company
overlay syncprov
Slave configuration:
#######################################################################
# BDB database definitions
#######################################################################
database hdb
suffix "o=company"
rootdn "cn=ldapadm,o=company"
rootpw password
directory /var/db/openldap-data/o=company
syncrepl rid=001
    provider=ldap://ro1.devel.ldap.company.ru:389
    type=refreshAndPersist
    retry="5 10 300 +"
    searchbase="o=company"
    scope=sub
    schemachecking=off
    starttls=critical
    bindmethod=simple
    tls_reqcert=never
    binddn="uid=replica,ou=users,o=company"
    credentials="password"
Replication works.
When I move an object into a subtree that the ACL forbids, no information about this modification goes to the replica server,
e.g. this operation on the master server:
dn: ou=groups2,ou=dev,o=company
changetype: moddn
newrdn: ou=groups2
deleteoldrdn: 1
newsuperior: ou=corp,o=company
This object is not deleted and contextCSN is not updated on the replica.
Is it expected behavior or not?
--
Konstantin Menshikov
given an entry such as:
dn=cn=abuse,ou=example.net,ou=mail,ou=groups,dc=example,dc=com
objectclass=mailgroup
cn=abuse
member=uid=jdoe,ou=people,ou=accounts,dc=example,dc=com
I'd like the entry to also include an attribute, generated automatically, based on the RDN of the entry and the superior's RDN. For example:
dn=cn=abuse,ou=example.net,ou=mail,ou=groups,dc=example,dc=com
objectclass=mailgroup
cn=abuse
member=uid=jdoe,ou=people,ou=accounts,dc=example,dc=com
maillocaladdress=abuse(a)example.com
where maillocaladdress is the automatically generated attribute.
Is this possible? It seems like something an overlay might accommodate, so I thought I might try experimenting with slapo-rwm, but wanted to also ask here in the meantime.
Thanks
-ben
First off: I know it's old, we ARE going to upgrade at the next service interval in a few weeks!
But in the meantime, is there any way to know/figure out if the master and its slave(s) are in sync?
One idea, of using a special object which is written to every x minutes and then checked for consistency, came up... Of course it's not a nice solution, but it is A solution...
The reason for this is that yesterday our secondary LDAP server (the primary read server) stopped returning queries (might be a file lock or open filehandles problem - exact reason unknown for the moment). And for some reason, the primary LDAP server (the one we use for writes, the sync master) had an old version of the database - we THINK it happened at the last power failure in that server room. It brought up an old version (bdb problems possibly).
So the failover to the master worked, but it was too old. And I didn't manage to do a recover on the failed bdb database. Luckily we had a SECOND replica in another city (which was in sync with the changes we did just a few hours earlier), so I did a dump of that database and loaded the primary replica (the one that failed/hung/crashed) with that.
But the fact that the replica master and the slaves were out of sync worries us a little. This will be fixed correctly with an upgrade, but until then we would like to have at least _some_ way of checking the status of the sync...
Any ideas for a quick hack?
--
... but you know as soon as Oracle starts waving its wallet at a
Company it's time to run - fast.
/illumos mailing list
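An added example (not the poster's setup) for the kind of consistency check the post asks for, in Python and offline: it parses two LDIF dumps of the sort slapcat or ldapsearch produce into per-entry attribute sets, digests each entry while ignoring the server-maintained attributes that legitimately differ between servers, and reports DNs missing on the replica, extra on it, or present on both but different. The two dumps, with the carol entry and bob's changed mail, are constructed; on a real system, feed it a dump taken from each server. DN normalisation is simplified to whitespace trimming, and the function names are this example's own.

```python
import base64
import hashlib

# Server-maintained attributes that legitimately differ between master and replica, and so are
# left out of the comparison (extend as needed).
DEFAULT_IGNORE = {"contextcsn", "entrycsn", "entryuuid", "modifytimestamp", "modifiersname",
                  "createtimestamp", "creatorsname"}

def parse_ldif(text: str) -> dict:
    """Parse an LDIF dump into {dn: {attribute (lowercased): [values]}}; handles folded
    lines (leading space), base64 values ('attr:: ...') and comment lines."""
    entries, lines = {}, []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]                  # continuation of the previous line
        elif raw == "":
            if lines:                             # blank line ends an entry
                dn, attrs = _entry(lines)
                entries[dn] = attrs
                lines = []
        elif not raw.startswith("#"):
            lines.append(raw)
    return entries

def _entry(lines):
    dn, attrs = None, {}
    for line in lines:
        name, _, value = line.partition(":")
        if value.startswith(":"):                 # 'attr:: base64'
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = " ".join(value.split())          # whitespace-only DN normalisation (simplified)
        else:
            attrs.setdefault(name.lower(), []).append(value)
    return dn, attrs

def entry_digest(attrs: dict, ignore=DEFAULT_IGNORE) -> str:
    """Order-independent SHA-256 over the entry's non-ignored attributes."""
    h = hashlib.sha256()
    for name in sorted(attrs):
        if name not in ignore:
            for value in sorted(attrs[name]):
                h.update(f"{name}: {value}\n".encode("utf-8"))
    return h.hexdigest()

def compare_dumps(master_ldif: str, replica_ldif: str, ignore=DEFAULT_IGNORE) -> dict:
    """DNs missing on the replica, extra on it, or present on both but different;
    'in_sync' is True only when all three lists are empty."""
    master, replica = parse_ldif(master_ldif), parse_ldif(replica_ldif)
    report = {
        "missing_on_replica": sorted(set(master) - set(replica)),
        "extra_on_replica": sorted(set(replica) - set(master)),
        "different": sorted(dn for dn in set(master) & set(replica)
                            if entry_digest(master[dn], ignore) != entry_digest(replica[dn], ignore)),
    }
    report["in_sync"] = not any(report.values())
    return report

# Constructed dumps standing in for 'slapcat' output from each server: on the replica, carol is
# missing and bob's mail is stale; alice's differing modifyTimestamp is ignored on purpose.
MASTER_LDIF = """\
dn: uid=alice,ou=people,o=example
objectClass: inetOrgPerson
uid: alice
modifyTimestamp: 20120407090000Z
description:: SGVsbG8gd29ybGQ=
description: a long description that is folded across two lin
 es because LDIF wraps long lines

dn: uid=bob,ou=people,o=example
objectClass: inetOrgPerson
uid: bob
mail: bob@example.org

dn: uid=carol,ou=people,o=example
objectClass: inetOrgPerson
uid: carol
"""

REPLICA_LDIF = """\
dn: uid=alice,ou=people,o=example
objectClass: inetOrgPerson
uid: alice
modifyTimestamp: 20120406120000Z
description:: SGVsbG8gd29ybGQ=
description: a long description that is folded across two lin
 es because LDIF wraps long lines

dn: uid=bob,ou=people,o=example
objectClass: inetOrgPerson
uid: bob
mail: bob@old.example.org
"""
```

Run as `compare_dumps(open("master.ldif").read(), open("replica.ldif").read())` after dumping both servers; the "different" list is the one to look at first, since a stale entry on the read replica is exactly the failure the post describes.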
I'm attempting to get pass-through auth to work against saslauthd and
Kerberos, and while the problem seems to be in SASL I think it's most
likely to be seen in this type of configuration with OpenLDAP, which is
why I chose this mailing list.
When I run testsaslauthd it works, but when I run ldapsearch it fails.
But the curious thing is where it is failing. In doing straces of
saslauthd and packet traces I've found that when ldapsearch calls
saslauthd, and not when I run testsaslauthd, Kerberos does not deliver the
AS-REP packets till just after saslauthd times out.
I can't find any difference in how I'm invoking saslauthd with
testsaslauthd and how ldapsearch is invoking saslauthd. However the
packet traces are quite different as you will see below.
I've seen these kinds of errors here and there on Google but no
resolutions that I can find.
(http://www.openldap.org/lists/openldap-software/200602/msg00278.html)
CentOS 6
openldap-2.4.23-15.el6_1.3.x86_64
openldap-clients-2.4.23-15.el6_1.3.x86_64
openldap-servers-2.4.23-15.el6_1.3.x86_64
openldap-devel-2.4.23-15.el6_1.3.x86_64
krb5-server-1.9-9.el6_1.2.x86_64
krb5-server-ldap-1.9-9.el6_1.2.x86_64
krb5-workstation-1.9-9.el6_1.2.x86_64
krb5-libs-1.9-9.el6_1.2.x86_64
cyrus-sasl-2.1.23-8.el6.x86_64
cyrus-sasl-lib-2.1.23-8.el6.x86_64
cyrus-sasl-gssapi-2.1.23-8.el6.x86_64
cyrus-sasl-plain-2.1.23-8.el6.x86_64
cyrus-sasl-devel-2.1.23-8.el6.x86_64
My slapd.conf contains nothing regarding kerberos / sasl /
pass-through authentication. I'm using a slapd.conf file for the time
being till i get it all worked out and plan on converting it to a
cn=config configuration.
In my DIT the userPassword field contains: {SASL}myuser@MYREALM where
myuser and my realm are replaced with the proper values.
/etc/sasl2/slapd.conf:
mech_list: plain
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
/etc/sysconfig/saslauthd
KRB5_KTNAME=/etc/krb5.keytab
SOCKETDIR=/var/run/saslauthd
MECH=kerberos5
Which builds a daemon command line of:
/usr/sbin/saslauthd -m /var/run/saslauthd -a kerberos5
My system keytab is:
/etc/krb5.keytab (root.ldap 0640)
host/my.hostname@realm
ldap/my.hostname@realm
My socket parent dir is:
/var/run/saslauthd (root.ldap 0770)
When I run testsaslauthd, the packet trace between saslauthd and
Kerberos is all UDP and works:
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
< AS-REP
> TGS-REQ
< TGS-REP
When I run ldapsearch, the packet trace between saslauthd and Kerberos
shows UDP and TCP communication. None of the Kerberos replies come back
for 18 seconds, the time it takes saslauthd to time out.
> AS-REQ
< KRB5KDC_ERR_PREAUTH_REQUIRED (25)
> AS-REQ
> TCP SYN
< TCP SYN, ACK
> TCP ACK
> TCP AS-REQ
< TCP ACK
> AS-REQ
> AS-REQ
> TCP FIN, ACK <-- saslauthd times out and the AS-REPS all come back at once.
< AS-REP
< AS-REP
< AS-REP
< TCP AS-REP
> TCP RST
An strace of saslauthd supports this timeout theory, as it shows the
timeouts and backoffs.
I can't find any info regarding saslauthd and TCP or UDP or timeouts
like this. Any ideas?
Hello,
I am trying to do quite the same thing:
trying to send failed authentications made on the consumer to the master.
I am using the ppolicy overlay.
I added the following to the consumer:
# Referral
updateref ldaps://master.domain.fr
ppolicy_forward_updates
When I add this on the consumer, accounts are no longer locked on
failed authentication.
pwdFailureTime is not registered or sent to the master.
Should I use slapo-chain too?
Regards,
Hugo
On 6 April 2012 18:12, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, April 06, 2012 3:57 PM +0200 Jacques Foucry
> <jacques.foucry(a)novasparks.com> wrote:
>
>> On 04/04/2012 05:59 PM, anax wrote:
>>
>> Hello,
>>
>>> updateref ldap://ldapmaster.symas.com
>>>
>>> http://www.openldap.org/doc/admin24/replication.html#Replication%20Technology
>>
>>
>> Well after reading the docs, I made some test on a VM.
>>
>> My goal is to allow users to change there password.
>>
>> I have a working replication VM. On this VM I can login with my LDAP
>> password (PAM on this VM is client of the replica).
>>
>> When I try to change the password, using the passwd cmd this error occurs:
>
>
> I suggest you look at slapo-chain.
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
In slapd.access we read (about the control keywords):
One useful application is to easily grant write privileges to an
updatedn that is different from the rootdn. In this case, since the
updatedn needs write access to (almost) all data, one can use
    access to *
        by dn.exact="cn=The Update DN,dc=example,dc=com" write
        by * break
as the first access rule. As a consequence, unless the operation is
performed with the updatedn identity, control is passed straight to
the subsequent rules.
I have the following question. If below the above ACL we add another ACL
like:
    access to dn.subtree="ou=people,dc=example,dc=com"
        by dn.exact="cn=Some Other DN,dc=example,dc=com"
        by * none
...doesn't this mean that the second ACL will override the first, so
that "The Update DN" will no longer have access to the whole DIT (as was
intended), since, based on the second ACL, "The Update DN" does not have
access to the "ou=people" branch? If this is the case, then the first ACL is
not enough, and care must be taken to avoid any privilege revocation(s)
from "The Update DN" by following ACLs.
Or does the existence of the former rule mean that access has been
*definitively decided* for "The Update DN" (i.e. the "by" clause match(es)
in the first ACL) and any subsequent access statements (later ACLs) can
affect *ONLY* other users (i.e. whatever "by" clause matches, *except*
"The Update DN")? This is what I understand from the statement "As a
consequence, unless the operation is performed with the updatedn
identity, control is passed straight to the subsequent rules."
Can you please clarify which is the case?
Thanks,
Nick
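To make the two readings concrete, an added example (not from the man page or the original mail) that models slapd's first-match evaluation as slapd.access(5) describes it, in Python: directives are tried in order, the first whose <what> matches the entry is selected, within it the first matching <by> clause decides, `stop` (the default) ends evaluation, and `break` hands over to the next directive; a directive in which no <by> clause matches ends in an implicit `by * none`, and the whole list in an implicit `access to * by * none`. The two directives are the ones quoted above; since the second one omits its access level, `read` is assumed for Some Other DN. Only `stop` and `break` are modelled, DN matching is simplified, and the helper names are constructed. With the `access to *` directive first, The Update DN's access is decided there and the ou=people directive never applies to it; the reversed order, included for contrast, is what would revoke it.

```python
# Model of slapd's first-match ACL evaluation (as described in slapd.access(5)), restricted
# to the 'stop' and 'break' controls, which are the ones the quoted directives use.
# An ACL list is a list of (what, by_clauses); each by clause is (who, level, control).

def dn_norm(dn: str) -> str:
    """Crude DN normalisation: lowercase and trim whitespace around RDNs (enough for this model)."""
    return ",".join(part.strip() for part in dn.lower().split(","))

def what_all():                              # access to *
    return lambda dn: True

def what_subtree(base: str):                 # access to dn.subtree="<base>"
    b = dn_norm(base)
    return lambda dn: dn_norm(dn) == b or dn_norm(dn).endswith("," + b)

def who_exact(identity: str):                # by dn.exact="<identity>"
    i = dn_norm(identity)
    return lambda who: dn_norm(who) == i

def who_any():                               # by *
    return lambda who: True

def evaluate(acls, who: str, target_dn: str):
    """Return (level, index): the access level `who` gets on `target_dn` and the index of the
    directive that decided it (None when the implicit trailing 'access to * by * none' did).
    'stop' (the default) ends evaluation at the matched clause; 'break' hands over to the next
    directive, the clause's own level playing no further part."""
    for index, (what, by_clauses) in enumerate(acls):
        if not what(target_dn):
            continue                         # <what> does not cover this entry: next directive
        for who_matches, level, control in by_clauses:
            if not who_matches(who):
                continue                     # next <by> clause
            if control == "break":
                break                        # leave the <by> loop and try the next directive
            return level, index              # 'stop': this clause decides
        else:
            return "none", index             # no <by> matched: the directive's implicit '<by> * none'
    return "none", None                      # no directive matched: the list's implicit tail

UPDATE_DN = "cn=The Update DN,dc=example,dc=com"
OTHER_DN = "cn=Some Other DN,dc=example,dc=com"

# The two directives from the question, in the order the question gives them.
ACLS = [
    # access to *  by dn.exact="cn=The Update DN,..." write  by * break
    (what_all(), [(who_exact(UPDATE_DN), "write", "stop"),
                  (who_any(), None, "break")]),
    # access to dn.subtree="ou=people,..."  by dn.exact="cn=Some Other DN,..." <level>  by * none
    # (the question leaves the level out; "read" is assumed here)
    (what_subtree("ou=people,dc=example,dc=com"), [(who_exact(OTHER_DN), "read", "stop"),
                                                   (who_any(), "none", "stop")]),
]
ACLS_REVERSED = list(reversed(ACLS))         # the order that would revoke The Update DN's access

if __name__ == "__main__":
    person = "uid=jdoe,ou=people,dc=example,dc=com"
    for who in (UPDATE_DN, OTHER_DN, ""):
        print(f"{who or 'anonymous':40s} on {person}: {evaluate(ACLS, who, person)}")
```

The model returns the index of the deciding directive so that a rule set can be audited: any identity for which the first directive decides is, by construction, untouched by everything after it, and only identities that reach `by * break` are subject to the later rules.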