Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
Error: Died at vlv.pl line 50
This is my example. I changed the font style of line 50:
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Control::Sort;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );

# Callback: print every entry of the current page, then drop it from
# the message object so memory does not grow with the result set
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV requires a server-side sort control in the same request
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,       # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search(@args);

# Get VLV response control  <-- line 50 of vlv.pl, where the script dies
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);       # Change page to show 9 before
$vlv->after(10);       # Change page to show 10 after
$vlv->assert("B");     # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
6 years, 12 months
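A bare "or die" hides why the VLV response control is absent. The following is an added diagnostic script, not part of Venish's post or of Net::LDAP: it first reads the root DSE to confirm the server advertises the server-side sort and VLV request controls (on OpenLDAP these are provided by the sssvlv overlay), then issues one VLV page and prints the operation result plus any sort/VLV result codes before giving up. The host "localhost" and the base DN are assumed values.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
    LDAP_CONTROL_VLVREQUEST  LDAP_CONTROL_VLVRESPONSE
);

# Assumed host and search base; replace with your own
my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';
my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";

# 1. Ask the root DSE which controls the server advertises. A VLV request
#    only works when both the VLV and the server-side sort OIDs are listed;
#    a server that lacks them ignores the controls and sends no response control.
my $dse = $ldap->search( base   => '', scope => 'base',
                         filter => '(objectClass=*)',
                         attrs  => ['supportedControl'] );
$dse->code and die "root DSE search failed: " . $dse->error;
my %supported = map { $_ => 1 } $dse->entry(0)->get_value('supportedControl');
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST ) {
    die "server does not advertise control $oid (sssvlv overlay loaded?)\n"
        unless $supported{$oid};
}

# 2. Request the first 20 entries sorted by cn; VLV requires the sort control.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my $vlv  = Net::LDAP::Control::VLV->new( before  => 0, after  => 19,
                                         content => 0, offset => 1 );
my $mesg = $ldap->search( base    => $base, scope => 'subtree',
                          filter  => '(objectClass=inetOrgPerson)',
                          control => [ $sort, $vlv ] );

# 3. Report the operation result and any sort/VLV result codes, so a failed
#    or unsupported request is visible instead of an unexplained die.
my ($sres) = $mesg->control(LDAP_CONTROL_SORTRESULT);
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
printf "search result: %d (%s)\n", $mesg->code, $mesg->error;
printf "sort result:   %s\n", $sres ? $sres->result : 'no control returned';
die "no VLV response control returned\n" unless $resp;
$vlv->response($resp);
printf "vlv result: %d, target offset %d of %d entries\n",
       $resp->result, $resp->targetOffset, $resp->contentCount;
```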
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
7 years, 11 months
memberOf data in new replica servers 2.4.31
by Todd Stein
Hi,
I have a provider server and five consumer servers, all of which have the
memberOf overlay configured:
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
memberof-dangling ignore
syncrepl rid=005
provider=ldap://<server>:389
type=refreshAndPersist
interval=00:00:05:00
retry="60 10 600 +"
searchbase="dc=<removed>,dc=<removed>"
filter="(objectClass=*)"
scope=sub
attrs="*"
schemachecking=off
starttls=no
bindmethod=simple
binddn="cn=replica,dc=<removed>,dc=<removed>"
credentials=<removed>
When I bring a new replica online, it appears that entries are replicated
in the order that they were created on the provider server which produces
many "memberof_value_modify failed err=32" messages in the log, and
incomplete memberOf data. To get around this, I wrote a script which
empties all groups prior to replication, and then recreates the memberships
after the initial replication. This seems to work, but is hardly ideal. Is
there a "more correct" way of replicating memberOf values without
manipulating my provider each time I bring up a new consumer?
Thank you very much,
Todd
10 years, 6 months
replicating accesslog
by Marvin Mundry
Hello everybody,
I am trying to replicate an accesslog database (cn=accesslog) from a
provider to 2 consumers.
The replication works fine except that old accesslog entries that get
removed via "logpurge 07+00:00 01+00:00" on the provider
do not get removed from the replicas.
Over time the accesslog databases on the consumers get rather huge.
A workaround seems to be running a script from time to time that
identifies and removes old accesslog entries via LDAP.
Deletions in cn=accesslog made via LDAP get replicated correctly.
Is there a way to have the deletions by logpurge replicated as well?
Bests,
Marvin
10 years, 10 months
Filter character encoding independent
by Philip Brusten
Hi,
Our OpenLDAP information is stored in UTF-8 character encoding, like any
other default installation I guess.
Some of the records have special characters in their name, like ë, é, è,
ç, etc.
We want to make a web application that can do lookups on these names,
without forcing the user to enter the correct characters.
E.g. if they search for "Francois", it should match all givenNames
"François" in LDAP.
However, if people do search for "François", it should also match all
givenNames "François".
I've looked for certain matching rules that could do this, but I haven't
found what I'm looking for so far.
Can anybody help me out?
Kr,
Philip
10 years, 10 months
Uniqueness constraint over multiple attributes
by Jan Beerden
Hello,
Is there a way to have a unique constraint over multiple attributes? We
have different attributes for the primary email address of a person, and
for additional aliases, and we'd like to enforce global uniqueness in
such a way that the primary email address for one person cannot be used
as an email alias for another person.
The slapo-unique manpage doesn't make this very clear.
Regards
--
Jan Beerden jan.beerden(a)fks.be
fks bvba - Formal and Knowledge Systems http://www.fks.be/
Schampbergstraat 32 Tel: ++32-(0)11-21 49 11
B-3511 Kuringen Fax: ++32-(0)11-22 04 19
10 years, 10 months
SASL passthrough - multiple domains
by Liam Gretton
I have a working configuration with pass-through auth to an AD domain
using saslauthd.
However, now there is a requirement to be able to handle another domain
too, and I cannot work out how to do this. It seems that saslauthd
cannot deal with multiple Kerberos realms; no matter what hoops one
jumps through, it eventually boils down to only using whatever
'default_realm' is set to in the krb5.conf file.
Using multiple saslauthd daemons isn't possible either as there's no way
(that I can work out) of getting OpenLDAP to use anything other than the
single socket specified in /etc/sasl2/slapd.conf.
My final idea was to run an LDAP instance per realm, each talking to the
separate saslauthd daemons, and have another outward-facing LDAP service
with these as the backends, but that's a non-starter too because there's
no way of specifying the SASL slapd.conf file; it seems SASL always
looks in /etc/sasl2 for a file derived from the process name (a chroot
environment for each LDAP server is therefore the next thing to look at).
But this seems like a lot of work just to be able to authenticate users
against multiple domains. I appreciate this is a SASL issue rather than
a problem with OpenLDAP, but I'm hoping that someone here has cracked
this already. Googling hasn't thrown up a solution that I can find.
--
Liam Gretton liam.gretton(a)le.ac.uk
HPC Architect http://www.le.ac.uk/its
IT Services Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
10 years, 10 months
New release of LinID OpenLDAP Manager
by Clément OUDOT
Hi all,
I wanted to inform you that we just released a new version (0.7) of
our OpenLDAP configuration web console. You can learn more about this
version here: https://redmine.linid.org/news/16
LinID OpenLDAP Manager is free software (AGPLv3), I hope it might be
useful for some of you.
Regards,
Clément OUDOT.
10 years, 11 months
chaining and returning errors
by Frank Van Damme
List,
I'm setting up chaining. And I want to get errors, no referrals :)
my olcDatabase looks like this:
olcDatabase={0}ldap,olcOverlay={1}chain,olcDatabase={1}hdb,cn=config
objectClass: olcChainDatabase (auxiliary)
objectClass: olcConfig (abstract)
objectClass: olcDatabaseConfig (structural)
objectClass: olcLDAPConfig (structural)
objectClass: top (abstract)
olcDatabase: {0}ldap
olcDbIDAssertBind: bindmethod="simple"
binddn="uid=lalalala"
credentials="foo"
mode="self"
olcDbURI: ldap://example.com
here is this object's parent:
olcOverlay={1}chain,olcDatabase={1}hdb,cn=config
objectClass: olcConfig (abstract)
objectClass: olcOverlayConfig (structural)
objectClass: top (abstract)
olcOverlay: {1}chain
The problem is that I can't insert an olcChainReturnError attribute
into it. The schema doesn't allow it. I tried to add the
olcChainConfig objectClass to the olcDatabase={1} object, which
requires me to fill in an extra attribute "olcOverlay". I tried
"{1}chain", "chain" and "{0}ldap", but each gives me error 65
"invalid structural object class chain".
--
Frank Van Damme
No part of this copyright message may be reproduced, read or seen,
dead or alive or by any means, including but not limited to telepathy
without the benevolence of the author.
10 years, 11 months
Re: Memberof overlay with posixGroup
by Marcio Merlone
On 28-06-2012 12:39, Julien Soula wrote:
> On Thu, Jun 28, 2012 at 10:34:48AM -0300, Marcio Merlone wrote:
>> I am trying to implement memberof overlay on Ubuntu 10.04.4 LTS and
>> OpenLDAP 2.4.21-0ubuntu5.7 over posixGroup, not groupOfNames. I
>> created the following ldif:
>>
>> .../...
>>
>> adding new entry "olcOverlay={2}memberof,olcDatabase={1}hdb,cn=config"
>> ldap_add: Other (e.g., implementation specific) error (80)
>> additional info: member attribute="memberUid" must either
>> have DN (1.3.6.1.4.1.1466.115.121.1.12) or nameUID
>> (1.3.6.1.4.1.1466.115.121.1.34) syntax
> overlay memberof only supports DN as membership attribute (as DN and
> nameUID type). I don't know any workaround for your case.
Sorry for the noise. I SWEAR, I was so sure posixGroup uses DN as
membership; I overlooked that.
Thanks and best regards.
--
Marcio Merlone
10 years, 11 months