openldap-technical August 2012

openldap-technical@openldap.org

75 participants
91 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

memberOf data in new replica servers 2.4.31
by Todd Stein 02 Nov '12

02 Nov '12

Hi, I have a provider server and five consumer servers, all of which have the memberOf overlay configured: overlay memberof memberof-group-oc groupOfUniqueNames memberof-member-ad uniqueMember memberof-refint true memberof-dangling ignore syncrepl rid=005 provider=ldap://<server>:389 type=refreshAndPersist interval=00:00:05:00 retry="60 10 600 +" searchbase="dc=<removed>,dc=<removed>" filter="(objectClass=*)" scope=sub attrs="*" schemachecking=off starttls=no bindmethod=simple binddn="cn=replica,dc=<removed>,dc=<removed>" credentials=<removed> When I bring a new replica online, it appears that entries are replicated in the order that they were created on the provider server which produces many "memberof_value_modify failed err=32" messages in the log, and incomplete memberOf data. To get around this, I wrote a script which empties all groups prior to replication, and then recreates the memberships after the initial replication. This seems to work, but is hardly ideal. Is there a "more correct" way of replicating memberOf values without manipulating my provider each time I bring up a new consumer? Thank you very much, Todd

2 1

ldapsearch SASL/GSSAPI bind really slow
by Matthew B. Brookover 05 Sep '12

05 Sep '12

I am upgrading the openldap servers and ran into a bit of a problem. SASL/GSSAPI binds to the new server are too slow. An ldapsearch to the old server using GSSAPI to bind is much faster on the old server then the same search on the new server. I am not even sure where to start to debug this and am hoping that some one will have some ideas. First off, here are a few details: The old LDAP server is running Openldap 2.3.43 on CentOS 5.2 with the CentOS built MIT Kerberos(1.6.1) and saslauthd (2.1.22). This server is configured with the slapd.conf file. The host name is infinite.mines.edu in the example runs below. The new LDAP server is running Openldap 2.4.31 on CentOS 6.3 with the CentOS built MIT Kerberos (1.9) and saslauthd (2.1.23). This server is configured with slapd-config (new dynamic configuration is very cool!) The host name is infinte-temp.mines.edu in the example runs below. Both the old and new servers are configured to use SASL for GSSAPI and for simple binds. First test, simple bind to new server and then the old server: [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.324s user 0m0.017s sys 0m0.004s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.163s user 0m0.016s sys 0m0.004s [testua@merlin ~]$ As you can see, the new server takes nearly twice as long to perform the search as the old server. Both servers are using saslauthd to send the password to Kerberos for authentication. Next test, GSSAPI bind to the new server and then the old server: [testua@merlin ~]$ kinit Password for testua(a)MINES.EDU: [testua@merlin ~]$ klist Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC Default principal: testua(a)MINES.EDU Valid starting Expires Service principal 07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU renew until 07/26/12 13:32:07 Kerberos 4 ticket cache: /tmp/tkt11192 klist: You have no tickets cached [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua SASL/GSSAPI authentication started SASL username: testua(a)MINES.EDU SASL SSF: 56 SASL data security layer installed. dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m1.145s user 0m0.021s sys 0m0.004s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua SASL/GSSAPI authentication started SASL username: testua(a)MINES.EDU SASL SSF: 56 SASL data security layer installed. dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.123s user 0m0.021s sys 0m0.003s [testua@merlin ~]$ klist Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC Default principal: testua(a)MINES.EDU Valid starting Expires Service principal 07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU renew until 07/26/12 13:32:07 07/25/12 13:32:33 07/26/12 04:32:11 ldap/infinite-temp.mines.edu(a)MINES.EDU renew until 07/26/12 13:32:07 07/25/12 13:32:41 07/26/12 04:32:11 ldap/infinite.mines.edu(a)MINES.EDU renew until 07/26/12 13:32:07 Kerberos 4 ticket cache: /tmp/tkt11192 klist: You have no tickets cached [testua@merlin ~]$ The old server is 9 times faster then the new server. This last test is to show that an anonymous bind is very fast and indicates to me that the network, BDB, caching, etc are not the issue. This test is to both servers, using a simple bind, first the old server and then the new server: [testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.049s user 0m0.017s sys 0m0.005s [testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua dn: uid=testua,ou=People,dc=mines,dc=edu uid: testua cn: estua, t objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount shadowLastChange: 12780 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash gidNumber: 11192 host: imagine.mines.edu gecos: estua, t homeDirectory: /u/ca/fl/testua userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ== uidNumber: 11192 real 0m0.029s user 0m0.014s sys 0m0.006s [testua@merlin ~]$ When using an anonymous bind, the old server takes longer then the new server -- which is what I would expect given that the new server has twice the number of faster processors and double the memory of the old server. Any ideas? Thanks! Matt mbrookov(a)mines.edu

2 2

In MirrorMode - proxy or external frontend needed?
by Pieter Baele 03 Sep '12

03 Sep '12

I've 2 servers in MirrorMode, a part of the tree wil also be partially replicated to 3 slaves. Do I really need an LDAP proxy or Load balancer(s) so writes are only directed to one server? In our LDAP, the number of writes will be very very low, most of them will be reads (authentication, ssh keys, puppet nodes...) Any benefit in using 'normal' n multimaster instead of MirrorMode?

4 4

Configuring ppolicy problem
by cbulist 01 Sep '12

01 Sep '12

Hi, I'm trying to configure ppolicy but It's not working when I set pwdMaxAge and pwdWarning (I am able to login when my password is suppose to be expired) I tried with shadowAccount instead of PwdPolicy and It is working well. This is my relevant setting in slapd.conf include /etc/openldap/schema/ppolicy.schema moduleload ppolicy.la overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=sample,dc=com" ppolicy_use_lockout My ldip file is: objectClass: organizationalUnit objectClass: top ou: policies dn: cn=default,ou=policies,dc=sample,dc=com objectClass: pwdPolicy objectClass: person objectClass: top cn: default pwdAttribute: userPassword sn: dummy pwdAllowUserChange: TRUE pwdCheckQuality: 2 pwdExpireWarning: 50 pwdFailureCountInternal: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: FALSE pwdLockDuration:0 pwdMaxAge: 60 pwdMaxAge: 0 pwdMaxFailure: 5 pwdMinAge: 0 pwdMinLenght: 5 pwdMustChange: FALSE pwdSafeModify: FALSE dn: cn=user1,ou=policies,dc=sample,dc=com objectClass: pwdPolicy objectClass: person objectClass: top objectClass: posixAccount objectClass: pwdPolicy objectClass: shadowAccount cn: user1 pwdAttribute: userPassword gidNumber: 501 homeDirectory: /home/user1 sn: test uid: user1 uidNumber: 501 pwdAllowUserChange: TRUE pwdAge: 20 pwdExpireWarning: 15 userPassword: XXXXX Thanks in advance!

5 11

Re: Performance of MDB and BDB Please suggest?
by Yajuvendra Singh 31 Aug '12

31 Aug '12

Hi Quanah, Thanks for replying, I have few more observation regrading my load runs, real time of load run with MDB is 98% even at 10 TPS. What version of OpenLDAP are you using? ---2.4.32 What type of disk? --root@tspatca2103> fdisk -l /dev/mapper/vg00-root Disk /dev/mapper/vg00-root: 10.7 GB, 10737418240 bytes 255 heads, 63 sectors/track, 1305 cylinders Units = cylinders of 16065 * 512 = 8225280 bytes Sector size (logical/physical): 512 bytes / 512 bytes I/O size (minimum/optimal): 512 bytes / 512 bytes Disk identifier: 0x00000000 Disk /dev/mapper/vg00-root doesn't contain a valid partition table root@tspatca2103> What type of file system? --ext4 (/dev/mapper/vg00-root on / type ext4 (rw,nouser_xattr)) What is your *exact* slapadd command? --/opt/openldap/yaju/sbin/slapadd -q -w -f /opt/openldap/yaju/etc/openldap/slapd.conf -l /root/yaju/db.ldif I am using jmeter to simulate the load. -- Thanks and Regards Yajuvendra On Tue, Aug 28, 2012 at 8:19 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>wrote: > --On Tuesday, August 28, 2012 5:29 PM +0530 Yajuvendra Singh < > yajuvendra.singh(a)gmail.com> wrote: > > Dear Experts, >> >> >> Today we tried with to run the load with the below schema. We added about >> .6M entries in the DB. >> Still our performance is severely poor. (10 TPS) >> >> >> Can anybody review our slapd.conf file and point us where we are wrong, >> is there any other config we have missed out. >> > > You don't provide any useful or relevant information, so it is impossible > to help you. > > What version of OpenLDAP are you using? > What type of disk? > What type of file system? > What is your *exact* slapadd command? > etc. > > There is virtually no tuning involved with MDB, although I strongly > recommend you read Howard's notes about the writeback bits for EXT4 etc he > made in a recent post to -technical about MDB. > > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

4 8

help with setting up replication
by Jeff Dickens 30 Aug '12

30 Aug '12

I've been following this page from the Ubuntu Server Guide with generally good results: https://help.ubuntu.com/12.04/serverguide/openldap-server.html Now I'm down to the replication section, at https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-ser… . So far it isn't working. First things first: I create the following ldif file to configure the sync provider: # Add indexes to the frontend db. dn: olcDatabase={1}hdb,cn=config changetype: modify add: olcDbIndex olcDbIndex: entryCSN eq - add: olcDbIndex olcDbIndex: entryUUID eq #Load the syncprov and accesslog modules. dn: cn=module{0},cn=config changetype: modify add: olcModuleLoad olcModuleLoad: syncprov - add: olcModuleLoad olcModuleLoad: accesslog # Accesslog database definitions dn: olcDatabase={2}hdb,cn=config objectClass: olcDatabaseConfig objectClass: olcHdbConfig olcDatabase: {2}hdb olcDbDirectory: /var/lib/ldap/accesslog olcSuffix: cn=accesslog olcRootDN: cn=admin,dc=intranet,dc=seamanpaper,dc=com olcDbIndex: default eq olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart # Accesslog db syncprov. dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE olcSpReloadHint: TRUE # syncrepl Provider for primary db dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config changetype: add objectClass: olcOverlayConfig objectClass: olcSyncProvConfig olcOverlay: syncprov olcSpNoPresent: TRUE # accesslog overlay definitions for primary db dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config objectClass: olcOverlayConfig objectClass: olcAccessLogConfig olcOverlay: accesslog olcAccessLogDB: cn=accesslog olcAccessLogOps: writes olcAccessLogSuccess: TRUE # scan the accesslog DB every day, and purge entries older than 7 days olcAccessLogPurge: 07+00:00 01+00:00 The guide says you can test the provider with this command: root@grackle:~# ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base contextCSN dn: root@grackle:~# but as you see that doesn't return anything. However, this command does find it: root@grackle:~# slapcat | grep -C 10 contextCSN objectClass: organization o: intranet.seamanpaper.com dc: intranet structuralObjectClass: organization entryUUID: 99e43416-73a1-1031-9d82-4f560555aca0 creatorsName: cn=admin,dc=intranet,dc=seamanpaper,dc=com createTimestamp: 20120805233244Z entryCSN: 20120805233244.262007Z#000000#000#000000 modifiersName: cn=admin,dc=intranet,dc=seamanpaper,dc=com modifyTimestamp: 20120805233244Z contextCSN: 20120829024252.920832Z#000000#000#000000 dn: cn=admin,dc=intranet,dc=seamanpaper,dc=com objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator userPassword:: e1NTSEF9Nm9zUVlmUStzd1RCOVJCQXUyL3NhQURpYTZ1R0NuRC8= structuralObjectClass: organizationalRole entryUUID: 99e4f9fa-73a1-1031-9d83-4f560555aca0 creatorsName: cn=admin,dc=intranet,dc=seamanpaper,dc=com root@grackle:~# Before I go on to figure out why the sync isn't working, why isn't the ldapsearch command above returning anything? Thanks in advance for your help. -- * Jeff Dickens* IT Manager 978-632-1513

3 3

LinuxCon Presentation 2012-08-29
by Howard Chu 30 Aug '12

30 Aug '12

Just FYI, I'll be giving a talk on MDB, OpenLDAP's new memory-mapped database library, at LinuxCon in San Diego next month. http://events.linuxfoundation.org/events/linuxcon/schedule Some of the benchmark data I posted here will be part of that talk: http://highlandsun.com/hyc/mdb/microbench/ If you haven't looked into MDB yet, here's your chance to find out all about it! -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

3 3

How to config LDAP client to get data from multiple sub domains in LDAP server?
by Qian Zhang 29 Aug '12

29 Aug '12

Hi All, I encountered one issue when configuring the LDAP client. My question is how to configure the LDAP client to make it get the users and groups information from two sub domains. The base domain of the LDAP server is "dc=main,dc=com", and under the base domain, there are more than one sub domains. Such as, sub domain 1 ("dc=sub1,dc=main,dc=com"), sub domain 2 ("dc=sub2,dc=main,dc=com"), sub domain 3 ("dc=sub3,dc=main,dc=com"), .... Now I just wanna list the users and groups information from sub domain sub1 and sub domain sub2 (by command "getent passwd"). The information from sub domain sub3 must be excluded. My test env is : Rehl6.2_x86_64, openldap-2.4.23 I have tried the following way: Step1, configure the LDAP server. I used the access control item "olcAccess" in file /etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif olcAccess: to dn.subtree="dc=sub1,dc=main,dc=com" by dn="uid=user1,dc=sub1,dc=main,dc=com" read olcAccess: to dn.subtree="dc=sub2,dc=main,dc=com" by dn="uid=user1,dc=sub1,dc=main,dc=com" read See above, I added the access controls, they mean that only the user "uid=user1,dc=sub1,dc=main,dc=com" can access the information of the two sub domains (sub1 and sub2). After added the configurations, I restarted slapd service in server side. Step2, configure the LDAP client, in /etc/nslcd and /etc/pam_ldap.conf, I modified the items blow: base dc=main,dc=com binddn uid=user1,dc=sub1,dc=main,dc=com bindpw *** Then restart the service nslcd, but I can't get any users information by command "getent passwd" in LDAP client side. ( I confirmed my others configuration are correct, if I change the base to "base dc=sub1,dc=main,dc=com", I can get all the information from sub1). I think the problem is from LDAP server side, the user "uid=user1,dc=sub1,dc=main,dc=com" in sub domain "sub1" is only allowed to access the sub doamins (sub1 and sub2) by access control. But I can't change the "base" from "dc=main,dc=com" to "dc=sub1,dc=main,dc=com" or "dc=sub2,dc=main,dc=com". That's because only one sub domain can be the "base", so I only can get the information from one of the sub domains, but this is not my purpose. Then I try to set the search scope to "scope sub", but still can't work. Any comments? I will be really appreciated for your feedback.

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2012