openldap-technical June 2012

openldap-technical@openldap.org

66 participants
61 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

memberOf data in new replica servers 2.4.31
by Todd Stein 02 Nov '12

02 Nov '12

Hi, I have a provider server and five consumer servers, all of which have the memberOf overlay configured: overlay memberof memberof-group-oc groupOfUniqueNames memberof-member-ad uniqueMember memberof-refint true memberof-dangling ignore syncrepl rid=005 provider=ldap://<server>:389 type=refreshAndPersist interval=00:00:05:00 retry="60 10 600 +" searchbase="dc=<removed>,dc=<removed>" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off starttls=no bindmethod=simple binddn="cn=replica,dc=<removed>,dc=<removed>" credentials=<removed> When I bring a new replica online, it appears that entries are replicated in the order that they were created on the provider server which produces many "memberof_value_modify failed err=32" messages in the log, and incomplete memberOf data. To get around this, I wrote a script which empties all groups prior to replication, and then recreates the memberships after the initial replication. This seems to work, but is hardly ideal. Is there a "more correct" way of replicating memberOf values without manipulating my provider each time I bring up a new consumer? Thank you very much, Todd

2 1

replicating accesslog
by Marvin Mundry 18 Jul '12

18 Jul '12

Hello everybody, I am trying to replicate an accesslog database (cn=accesslog) from a provider to 2 consumers. The replication works fine except that old accesslog entries that get removed via "logpurge 07+00:00 01+00:00" on the provider do not get removed from the replicas. over time the accesslog databases on the consumers get rather huge. a workaround seems to be running a script from time to time that identifies and removes old accesslog entries via ldap. deletions in cn=accesslog made via ldap get replicated correctly. is there a way to have the deletions by logpurge replicated as well? bests, Marvin

2 1

Filter character encoding independent
by Philip Brusten 09 Jul '12

09 Jul '12

Hi, Our OpenLDAP information is stored in UTF-8 character encoding, like any other default installation I guess. Some of the records have special characters in their name, like ë, é, è, ç, etc. We want to make a webapplication that can do lookups on these names, without forcing the user to enter the correct characters. E.g. if they search for "Francois", it should match all givenNames "François" in LDAP. However if people do search for "François" if should also match all givenNames "François". I've looked for certain matching rules that could do this, but I haven't found what I'm looking for so far. Can anybody help me out? Kr, Philip

3 4

Uniqueness constraint over multiple attributes
by Jan Beerden 06 Jul '12

06 Jul '12

Hello, Is there a way to have a unique constraint over multiple attributes? We have different attributes for the primary email address of a person, and for additional aliases, and we'd like to enforce global uniqueness in such a way that the primary email address for one person can not be used as an email alias for another person. The slapo-unique manpage doesn't make this very clear. Regards -- Jan Beerden jan.beerden(a)fks.be fks bvba - Formal and Knowledge Systems http://www.fks.be/ Schampbergstraat 32 Tel: ++32-(0)11-21 49 11 B-3511 Kuringen Fax: ++32-(0)11-22 04 19

4 10

SASL passthrough - multiple domains
by Liam Gretton 05 Jul '12

05 Jul '12

I have a working configuration with pass-through auth to an AD domain using saslauthd. However now there is a requirement to be able to handle another domain too, and I cannot work out how to do this. It seems that saslauthd cannot deal with multiple Kerberos realms, no matter what hoops one jumps through it eventually boils down to only using whatever 'default_realm' is set to in the krb5.conf file. Using multiple saslauthd daemons isn't possible either as there's no way (that I can work out) of getting OpenLDAP to use anything other than the single socket specified in /etc/sasl2/slapd.conf. My final idea was to run an LDAP instance per realm, each talking to the separate saslauthd daemons, and have another outward facing LDAP service with these as the backends but that's a non starter too because there's no way of specifying the sasl slapd.conf file, it seems sasl always looks in /etc/sasl2 for a file derived from the process name (a chroot environment for each LDAP server is therefore the next thing to look at). But this seems like a lot of work just to be able to authenticate users against multiple domains. I appreciate this is a SASL issue rather than a problem with OpenLDAP, but I'm hoping that someone here has cracked this already. Googling hasn't thrown up an solution that I can find. -- Liam Gretton liam.gretton(a)le.ac.uk HPC Architect http://www.le.ac.uk/its IT Services Tel: +44 (0)116 2522254 University of Leicester, University Road Leicestershire LE1 7RH, United Kingdom

8 10

New release of LinID OpenLDAP Manager
by Clément OUDOT 29 Jun '12

29 Jun '12

Hi all, I wanted to inform you that we just released a new version (0.7) of our OpenLDAP configuration web console. You can know more about this version here: https://redmine.linid.org/news/16 LinID OpenLDAP Manager is free software (AGPLv3), I hope it might be useful for some of you. Regards, Clément OUDOT.

2 2

chaining and returning errors
by Frank Van Damme 29 Jun '12

29 Jun '12

List, I'm setting up chaining. And I want to get errors, no referrals :) my olcDatabase looks like this: olcDatabase={0}ldap,olcOverlay={1}chain,olcDatabase={1}hdb,cn=config objectClass: olcChainDatabase (auxiliary) objectClass: olcConfig (abstract) objectClass: olcDatabaseConfig (structural) objectClass: olcLDAPConfig (structural) objectClass: top (abstract) olcDatabase: {0}ldap olcDbIDAssertBind: bindmethod="simple" binddn="uid=lalalala" credentials="foo" mode="self" olcDbURI: ldap://example.com here is this object's parent: olcOverlay={1}chain,olcDatabase={1}hdb,cn=config objectClass: olcConfig (abstract) objectClass: olcOverlayConfig (structural) objectClass: top (abstract) olcOverlay: {1}chain The problem is that I can't insert an olcChainReturnError attribute into it. The schema doesn't allow it. I tried to add the olcChainConfig objectClass to the olcDatabase={1} object, which requires me to fill in an extra attribute "olcOverlay" - I tried {1}chain and "chain" and "{0}ldap" but either give me an error 65 "invalid structural object class chain". -- Frank Van Damme No part of this copyright message may be reproduced, read or seen, dead or alive or by any means, including but not limited to telepathy without the benevolence of the author.

2 2

Re: Memberof overlay with posixGroup
by Marcio Merlone 29 Jun '12

29 Jun '12

Em 28-06-2012 12:39, Julien Soula escreveu: > On Thu, Jun 28, 2012 at 10:34:48AM -0300, Marcio Merlone wrote: >> I am trying to implement memberof overlay on Ubuntu 10.04.4 LTS and >> OpenLDAP 2.4.21-0ubuntu5.7 over posixGroup, not groupOfNames. I >> created the following ldif: >> >> .../... >> >> adding new entry "olcOverlay={2}memberof,olcDatabase={1}hdb,cn=config" >> ldap_add: Other (e.g., implementation specific) error (80) >> additional info: member attribute="memberUid" must either >> have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID >> (1.3.6.1.4.1.1466.115.121.1.34) syntax > overlay memberof only supports DN as membership attribute (as DN and > nameUID type). I don't know any workaround for your case. Sorry for the noise, I SWEAR, I was so sure posixGroup use DN as membership, overlooked that. Thanks and best regards. -- *Marcio Merlone*

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2012