Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50
This is my example; the line that dies (line 50) is marked with a comment.
#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process (the last callback carries
    # the search result rather than an entry)
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # release the entry so the result set stays small
    print "\n";
}

# Fetch the VLV response control from a search result. A bare "die" only
# prints "Died at vlv.pl line N", so report what the server actually said.
sub vlv_response {
    my ( $mesg ) = @_;
    die "search failed: " . $mesg->error . "\n" if $mesg->code;
    my ( $resp ) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
        or die "server returned no VLV response control\n";
    return $resp;
}

my $ldap = Net::LDAP->new( "localhost" ) or die "connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,  # No entries from before target entry
    after   => 19, # 19 entries after target entry
    content => 0,  # List size unknown
    offset  => 1,  # Target entry is the first
);
# VLV is only defined together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,   # Call this sub for each entry
             control  => [ $sort, $vlv ],
);

$mesg = $ldap->search( @args );
# Get VLV response control -- this is the line reported as "vlv.pl line 50"
my $resp = vlv_response( $mesg );
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
$vlv->response( vlv_response( $mesg ) );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
$vlv->response( vlv_response( $mesg ) );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search( @args );
$vlv->response( vlv_response( $mesg ) );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
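A worked RFC 4226 HOTP generator and validator, as an added example in Python (not code from dynalogin or the poster). It uses the RFC's published test secret so the codes can be checked against Appendix D, and the validator shows the server-side part the post is concerned with: a look-ahead window for counter resynchronisation, a counter that only moves forward so a code cannot be replayed, and a constant-time comparison.

```python
import hashlib
import hmac
import struct

# RFC 4226 Appendix D test secret (ASCII "12345678901234567890"), used here only
# because the RFC publishes the expected codes for it. A real token shares a
# random key of at least 128 bits (RFC 4226 recommends 160).
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low `digits` decimal digits."""
    hs = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[19] & 0x0F                       # low nibble of the last byte
    code = ((hs[offset] & 0x7F) << 24
            | hs[offset + 1] << 16
            | hs[offset + 2] << 8
            | hs[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                window: int = 10, digits: int = 6):
    """Validator side. The token's counter may run ahead of the server's (codes
    generated but never submitted), so RFC 4226 allows a look-ahead window.
    Returns the counter value to store next on success, or None on failure.
    Because the stored counter only ever advances, an accepted code can't be
    replayed; compare_digest keeps the comparison constant-time."""
    for c in range(stored_counter, stored_counter + window):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    print(verify_hotp(RFC4226_SECRET, 0, hotp(RFC4226_SECRET, 4)))   # 5
    print(verify_hotp(RFC4226_SECRET, 5, hotp(RFC4226_SECRET, 4)))   # None: replay
```

The window is a trade-off: a wide one tolerates more unused codes on the token but gives an online guesser more accepted values per attempt, which is why RFC 4226 pairs it with a failed-attempt throttle; an integration that sits in front of OpenLDAP would need that throttle as much as the code check itself.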
memberOf data in new replica servers 2.4.31
by Todd Stein
Hi,
I have a provider server and five consumer servers, all of which have the
memberOf overlay configured:
overlay memberof
memberof-group-oc groupOfUniqueNames
memberof-member-ad uniqueMember
memberof-refint true
memberof-dangling ignore
syncrepl rid=005
    provider=ldap://<server>:389
    type=refreshAndPersist
    interval=00:00:05:00
    retry="60 10 600 +"
    searchbase="dc=<removed>,dc=<removed>"
    filter="(objectClass=*)"
    scope=sub
    attrs="*"
    schemachecking=off
    starttls=no
    bindmethod=simple
    binddn="cn=replica,dc=<removed>,dc=<removed>"
    credentials=<removed>
When I bring a new replica online, it appears that entries are replicated
in the order that they were created on the provider server, which produces
many "memberof_value_modify failed err=32" messages in the log and
incomplete memberOf data. To get around this, I wrote a script which
empties all groups prior to replication and then recreates the memberships
after the initial replication. This seems to work, but is hardly ideal. Is
there a "more correct" way of replicating memberOf values without
manipulating my provider each time I bring up a new consumer?
Thank you very much,
Todd
11 years, 1 month
ldapsearch SASL/GSSAPI bind really slow
by Matthew B. Brookover
I am upgrading the OpenLDAP servers and ran into a bit of a problem.
SASL/GSSAPI binds to the new server are too slow. An ldapsearch to the
old server using GSSAPI to bind is much faster on the old server than
the same search on the new server.
I am not even sure where to start to debug this and am hoping that
someone will have some ideas.
First off, here are a few details:
The old LDAP server is running OpenLDAP 2.3.43 on CentOS 5.2 with the
CentOS-built MIT Kerberos (1.6.1) and saslauthd (2.1.22). This server is
configured with the slapd.conf file. The host name is
infinite.mines.edu in the example runs below.
The new LDAP server is running OpenLDAP 2.4.31 on CentOS 6.3 with the
CentOS-built MIT Kerberos (1.9) and saslauthd (2.1.23). This server is
configured with slapd-config (the new dynamic configuration is very cool!).
The host name is infinite-temp.mines.edu in the example runs below.
Both the old and new servers are configured to use SASL for GSSAPI and
for simple binds.
First test, simple bind to new server and then the old server:
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.324s
user 0m0.017s
sys 0m0.004s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Duid=testua,ou=People,dc=mines,dc=edu -y passwd -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.163s
user 0m0.016s
sys 0m0.004s
[testua@merlin ~]$
As you can see, the new server takes nearly twice as long to perform the
search as the old server. Both servers are using saslauthd to send the
password to Kerberos for authentication.
Next test, GSSAPI bind to the new server and then the old server:
[testua@merlin ~]$ kinit
Password for testua(a)MINES.EDU:
[testua@merlin ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC
Default principal: testua(a)MINES.EDU
Valid starting Expires Service principal
07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU
renew until 07/26/12 13:32:07
Kerberos 4 ticket cache: /tmp/tkt11192
klist: You have no tickets cached
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
SASL/GSSAPI authentication started
SASL username: testua(a)MINES.EDU
SASL SSF: 56
SASL data security layer installed.
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m1.145s
user 0m0.021s
sys 0m0.004s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
SASL/GSSAPI authentication started
SASL username: testua(a)MINES.EDU
SASL SSF: 56
SASL data security layer installed.
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.123s
user 0m0.021s
sys 0m0.003s
[testua@merlin ~]$ klist
Ticket cache: FILE:/tmp/krb5cc_11192_d1yOuC
Default principal: testua(a)MINES.EDU
Valid starting Expires Service principal
07/25/12 13:32:11 07/26/12 04:32:11 krbtgt/MINES.EDU(a)MINES.EDU
renew until 07/26/12 13:32:07
07/25/12 13:32:33 07/26/12 04:32:11 ldap/infinite-temp.mines.edu(a)MINES.EDU
renew until 07/26/12 13:32:07
07/25/12 13:32:41 07/26/12 04:32:11 ldap/infinite.mines.edu(a)MINES.EDU
renew until 07/26/12 13:32:07
Kerberos 4 ticket cache: /tmp/tkt11192
klist: You have no tickets cached
[testua@merlin ~]$
The old server is 9 times faster than the new server.
This last test is to show that an anonymous bind is very fast and
indicates to me that the network, BDB, caching, etc. are not the issue.
This test is to both servers, using a simple bind, first the old server
and then the new server:
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.049s
user 0m0.017s
sys 0m0.005s
[testua@merlin ~]$ time ldapsearch -LLL -ZZ -x -Hldap://infinite-temp.mines.edu/ -bou=People,dc=mines,dc=edu uid=testua
dn: uid=testua,ou=People,dc=mines,dc=edu
uid: testua
cn: estua, t
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
shadowLastChange: 12780
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
gidNumber: 11192
host: imagine.mines.edu
gecos: estua, t
homeDirectory: /u/ca/fl/testua
userPassword:: e1NBU0x9dGVzdHVhQE1JTkVTLkVEVQ==
uidNumber: 11192
real 0m0.029s
user 0m0.014s
sys 0m0.006s
[testua@merlin ~]$
When using an anonymous bind, the old server takes longer than the new
server -- which is what I would expect given that the new server has
twice the number of faster processors and double the memory of the old
server.
Any ideas?
Thanks!
Matt
mbrookov(a)mines.edu
11 years, 3 months
In MirrorMode - proxy or external frontend needed?
by Pieter Baele
I've 2 servers in MirrorMode; a part of the tree will also be partially
replicated to 3 slaves.
Do I really need an LDAP proxy or load balancer(s) so writes are only
directed to one server?
In our LDAP, the number of writes will be very, very low; most of them will
be reads (authentication, ssh keys, puppet nodes...)
Any benefit in using 'normal' N-way multimaster instead of MirrorMode?
11 years, 3 months
Configuring ppolicy problem
by cbulist
Hi,
I'm trying to configure ppolicy but it's not working when I set
pwdMaxAge and pwdWarning (I am able to log in when my password is supposed
to be expired).
I tried with shadowAccount instead of pwdPolicy and it is working well.
This is my relevant setting in slapd.conf
include /etc/openldap/schema/ppolicy.schema
moduleload ppolicy.la
overlay ppolicy
ppolicy_default "cn=default,ou=policies,dc=sample,dc=com"
ppolicy_use_lockout
My ldif file is:
dn: ou=policies,dc=sample,dc=com
objectClass: organizationalUnit
objectClass: top
ou: policies

dn: cn=default,ou=policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
cn: default
pwdAttribute: userPassword
sn: dummy
pwdAllowUserChange: TRUE
pwdCheckQuality: 2
pwdExpireWarning: 50
pwdFailureCountInternal: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: FALSE
pwdLockDuration: 0
pwdMaxAge: 60
pwdMaxAge: 0
pwdMaxFailure: 5
pwdMinAge: 0
pwdMinLenght: 5
pwdMustChange: FALSE
pwdSafeModify: FALSE

dn: cn=user1,ou=policies,dc=sample,dc=com
objectClass: pwdPolicy
objectClass: person
objectClass: top
objectClass: posixAccount
objectClass: pwdPolicy
objectClass: shadowAccount
cn: user1
pwdAttribute: userPassword
gidNumber: 501
homeDirectory: /home/user1
sn: test
uid: user1
uidNumber: 501
pwdAllowUserChange: TRUE
pwdAge: 20
pwdExpireWarning: 15
userPassword: XXXXX
Thanks in advance!
11 years, 3 months
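Two checks a practitioner would run before trusting either of the configurations on this page: whether the directory advertises the VLV and server-side sort controls at all (a common reason a Net::LDAP search comes back without a VLV response control, as in the "Virtual list view problem" post at the top), and whether a hand-written ppolicy LDIF uses attribute names that exist in ppolicy.schema and gives single-valued ones only once (slapd rejects the entry otherwise, and a policy that never loaded enforces nothing). This is an added example in Python, not code from either poster; the rootDSE dumps and the policy entry are constructed, and the OIDs and attribute names are the ones from RFC 2891, the VLV control draft and OpenLDAP 2.4's ppolicy.schema.

```python
import base64

# Control OIDs: server-side sort request (RFC 2891) and the VLV request control
# that Net::LDAP::Control::VLV sends; VLV is only defined together with sorting.
SSS_REQUEST_OID = "1.2.840.113556.1.4.473"
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"

# Policy attributes from OpenLDAP 2.4's ppolicy.schema, all SINGLE-VALUE
# (extend the set for attributes added in later releases)
PPOLICY_CONFIG_ATTRS = {
    "pwdattribute", "pwdminage", "pwdmaxage", "pwdinhistory", "pwdcheckquality",
    "pwdminlength", "pwdexpirewarning", "pwdgraceauthnlimit", "pwdlockout",
    "pwdlockoutduration", "pwdmaxfailure", "pwdfailurecountinterval",
    "pwdmustchange", "pwdallowuserchange", "pwdsafemodify", "pwdcheckmodule"}
# Per-user state the overlay maintains; some are multi-valued, so no duplicate check
PPOLICY_STATE_ATTRS = {"pwdpolicysubentry", "pwdchangedtime", "pwdaccountlockedtime",
                       "pwdfailuretime", "pwdhistory", "pwdgraceusetime", "pwdreset"}

def parse_ldif(text):
    """Minimal LDIF reader: [(dn, [(attr, value), ...]), ...]. Unfolds continuation
    lines, skips '#' comments, decodes '::' base64 values, and starts a record at
    every 'dn:' line, so a missing blank separator is tolerated."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # continuation of the previous line
        else:
            lines.append(raw)
    records, current = [], None
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        attr, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF line: {line!r}")
        value = (base64.b64decode(value[1:]).decode("utf-8") if value.startswith(":")
                 else value.strip())
        if attr.lower() == "dn":
            current = (value, [])
            records.append(current)
        elif current is None:
            raise ValueError(f"attribute before any dn: {line!r}")
        else:
            current[1].append((attr, value))
    return records

def supported_controls(rootdse_ldif):
    """OIDs from a rootDSE dump (ldapsearch -x -LLL -s base -b '' supportedControl)."""
    return {v for _, attrs in parse_ldif(rootdse_ldif)
            for a, v in attrs if a.lower() == "supportedcontrol"}

def vlv_usable(rootdse_ldif):
    """True only if VLV and server-side sort are both advertised; otherwise a
    non-critical VLV request is ignored and no response control comes back."""
    oids = supported_controls(rootdse_ldif)
    return SSS_REQUEST_OID in oids and VLV_REQUEST_OID in oids

def check_ppolicy_ldif(text):
    """pwd* names not in the schema, and single-valued attributes given twice."""
    problems = []
    for dn, attrs in parse_ldif(text):
        counts = {}
        for attr, _ in attrs:
            name = attr.lower()
            if not name.startswith("pwd"):
                continue
            if name not in PPOLICY_CONFIG_ATTRS | PPOLICY_STATE_ATTRS:
                problems.append(f"{dn}: unknown attribute '{attr}'")
            counts[name] = counts.get(name, 0) + 1
        for name, n in counts.items():
            if name in PPOLICY_CONFIG_ATTRS and n > 1:
                problems.append(f"{dn}: single-valued '{name}' given {n} times")
    return problems

# Constructed rootDSE dumps in the shape ldapsearch prints: a stock OpenLDAP
# (paged results and manageDSAit only) and one with the sssvlv overlay loaded.
ROOTDSE_PLAIN = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 2.16.840.1.113730.3.4.2
"""
ROOTDSE_SSSVLV = ROOTDSE_PLAIN + """supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
"""
# Constructed policy entry with the mistakes a hand-written LDIF tends to pick up
POLICY_LDIF = """dn: cn=default,ou=policies,dc=example,dc=com
cn: default
pwdAttribute: userPassword
pwdFailureCountInternal: 30
pwdLockDuration: 0
pwdMaxAge: 60
pwdMaxAge: 0
pwdMinLenght: 5
"""

if __name__ == "__main__":
    print("VLV usable:", vlv_usable(ROOTDSE_PLAIN), vlv_usable(ROOTDSE_SSSVLV))
    print("\n".join(check_ppolicy_ldif(POLICY_LDIF)))
```

Feed `supported_controls` the real rootDSE of the server before adding VLV paging to a client, and run `check_ppolicy_ldif` over a policy file before `ldapadd`: a rejected policy entry is silent from the user's point of view, because `ppolicy_default` then points at nothing and every bind succeeds as if no policy existed.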
Re: Performance of MDB and BDB Please suggest?
by Yajuvendra Singh
Hi Quanah,
Thanks for replying. I have a few more observations regarding my load runs:
the real time of the load run with MDB is 98% even at 10 TPS.
What version of OpenLDAP are you using?
---2.4.32
What type of disk?
--root@tspatca2103> fdisk -l /dev/mapper/vg00-root
Disk /dev/mapper/vg00-root: 10.7 GB, 10737418240 bytes
255 heads, 63 sectors/track, 1305 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Sector size (logical/physical): 512 bytes / 512 bytes
I/O size (minimum/optimal): 512 bytes / 512 bytes
Disk identifier: 0x00000000
Disk /dev/mapper/vg00-root doesn't contain a valid partition table
root@tspatca2103>
What type of file system?
--ext4 (/dev/mapper/vg00-root on / type ext4 (rw,nouser_xattr))
What is your *exact* slapadd command?
--/opt/openldap/yaju/sbin/slapadd -q -w -f
/opt/openldap/yaju/etc/openldap/slapd.conf -l /root/yaju/db.ldif
I am using jmeter to simulate the load.
--
Thanks and Regards
Yajuvendra
On Tue, Aug 28, 2012 at 8:19 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, August 28, 2012 5:29 PM +0530 Yajuvendra Singh <
> yajuvendra.singh(a)gmail.com> wrote:
>
> Dear Experts,
>>
>>
>> Today we tried to run the load with the below schema. We added about
>> .6M entries in the DB.
>> Still our performance is severely poor. (10 TPS)
>>
>>
>> Can anybody review our slapd.conf file and point us where we are wrong,
>> is there any other config we have missed out.
>>
>
> You don't provide any useful or relevant information, so it is impossible
> to help you.
>
> What version of OpenLDAP are you using?
> What type of disk?
> What type of file system?
> What is your *exact* slapadd command?
> etc.
>
> There is virtually no tuning involved with MDB, although I strongly
> recommend you read Howard's notes about the writeback bits for EXT4 etc he
> made in a recent post to -technical about MDB.
>
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 3 months
help with setting up replication
by Jeff Dickens
I've been following this page from the Ubuntu Server Guide with generally
good results:
https://help.ubuntu.com/12.04/serverguide/openldap-server.html
Now I'm down to the replication section, at
https://help.ubuntu.com/12.04/serverguide/openldap-server.html#openldap-s...
.
So far it isn't working. First things first:
I create the following ldif file to configure the sync provider:
# Add indexes to the frontend db.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcDbIndex
olcDbIndex: entryCSN eq
-
add: olcDbIndex
olcDbIndex: entryUUID eq

# Load the syncprov and accesslog modules.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: syncprov
-
add: olcModuleLoad
olcModuleLoad: accesslog

# Accesslog database definitions
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcDbDirectory: /var/lib/ldap/accesslog
olcSuffix: cn=accesslog
olcRootDN: cn=admin,dc=intranet,dc=seamanpaper,dc=com
olcDbIndex: default eq
olcDbIndex: entryCSN,objectClass,reqEnd,reqResult,reqStart

# Accesslog db syncprov.
dn: olcOverlay=syncprov,olcDatabase={2}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE
olcSpReloadHint: TRUE

# syncrepl Provider for primary db
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov
olcSpNoPresent: TRUE

# accesslog overlay definitions for primary db
dn: olcOverlay=accesslog,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcAccessLogConfig
olcOverlay: accesslog
olcAccessLogDB: cn=accesslog
olcAccessLogOps: writes
olcAccessLogSuccess: TRUE
# scan the accesslog DB every day, and purge entries older than 7 days
olcAccessLogPurge: 07+00:00 01+00:00
The guide says you can test the provider with this command:
root@grackle:~# ldapsearch -z1 -LLLQY EXTERNAL -H ldapi:/// -s base
contextCSN
dn:
root@grackle:~#
but as you see that doesn't return anything. However, this command does
find it:
root@grackle:~# slapcat | grep -C 10 contextCSN
objectClass: organization
o: intranet.seamanpaper.com
dc: intranet
structuralObjectClass: organization
entryUUID: 99e43416-73a1-1031-9d82-4f560555aca0
creatorsName: cn=admin,dc=intranet,dc=seamanpaper,dc=com
createTimestamp: 20120805233244Z
entryCSN: 20120805233244.262007Z#000000#000#000000
modifiersName: cn=admin,dc=intranet,dc=seamanpaper,dc=com
modifyTimestamp: 20120805233244Z
contextCSN: 20120829024252.920832Z#000000#000#000000
dn: cn=admin,dc=intranet,dc=seamanpaper,dc=com
objectClass: simpleSecurityObject
objectClass: organizationalRole
cn: admin
description: LDAP administrator
userPassword:: e1NTSEF9Nm9zUVlmUStzd1RCOVJCQXUyL3NhQURpYTZ1R0NuRC8=
structuralObjectClass: organizationalRole
entryUUID: 99e4f9fa-73a1-1031-9d83-4f560555aca0
creatorsName: cn=admin,dc=intranet,dc=seamanpaper,dc=com
root@grackle:~#
Before I go on to figure out why the sync isn't working, why isn't the
ldapsearch command above returning anything?
Thanks in advance for your help.
--
Jeff Dickens
IT Manager 978-632-1513
11 years, 3 months
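Once the provider does report a contextCSN on the suffix entry (the slapcat output in the post above shows one), the value worth watching is how far each consumer's contextCSN trails it. As an added example (Python, not from the Ubuntu guide or the poster): a parser for OpenLDAP's CSN format and a per-server-id lag check over ldapsearch or slapcat output. The two dumps are constructed; the provider value is the contextCSN from the slapcat output above, and the consumer value is made to sit almost three minutes behind it.

```python
import re
from datetime import datetime, timezone

# OpenLDAP 2.4 CSN layout: <UTC time>.<microseconds>Z#<change count>#<server id>#<modifier>
CSN_RE = re.compile(r"^(\d{14})\.(\d{6})Z#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$", re.I)


def parse_csn(csn):
    """Split a CSN into its fields; 'time' is a timezone-aware UTC datetime."""
    m = CSN_RE.match(csn.strip())
    if not m:
        raise ValueError(f"malformed CSN: {csn!r}")
    when = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(
        microsecond=int(m.group(2)), tzinfo=timezone.utc)
    return {"time": when, "count": int(m.group(3), 16),
            "sid": int(m.group(4), 16), "mod": int(m.group(5), 16)}


def context_csns(dump):
    """contextCSN values from ldapsearch/slapcat output, keyed by server id;
    with several providers there is one value per sid."""
    found = {}
    for line in dump.splitlines():
        if line.lower().startswith("contextcsn:"):
            csn = parse_csn(line.split(":", 1)[1])
            found[csn["sid"]] = csn
    return found


def replication_lag(provider_dump, consumer_dump):
    """Seconds the consumer trails the provider, per server id. 0.0 means the
    consumer's CSN is at or past the provider's; None means the consumer has no
    contextCSN for that sid at all, i.e. the initial refresh never completed."""
    prov, cons = context_csns(provider_dump), context_csns(consumer_dump)
    lag = {}
    for sid, p in prov.items():
        c = cons.get(sid)
        if c is None:
            lag[sid] = None
        elif (c["time"], c["count"]) >= (p["time"], p["count"]):
            lag[sid] = 0.0
        else:
            lag[sid] = (p["time"] - c["time"]).total_seconds()
    return lag


# Constructed dumps: the provider value is the contextCSN from the slapcat
# output in the post; the consumer is made to sit almost three minutes behind.
PROVIDER_DUMP = """dn: dc=intranet,dc=example,dc=com
contextCSN: 20120829024252.920832Z#000000#000#000000
"""
CONSUMER_DUMP = """dn: dc=intranet,dc=example,dc=com
contextCSN: 20120829024000.000000Z#000000#000#000000
"""

if __name__ == "__main__":
    for sid, secs in replication_lag(PROVIDER_DUMP, CONSUMER_DUMP).items():
        print(f"sid {sid}: {'no contextCSN' if secs is None else f'{secs:.3f}s behind'}")
```

Both dumps have to be taken with `-b` set to the suffix (`-s base`), not the rootDSE: contextCSN lives on the suffix entry, which is also why an `ldapsearch -s base` without `-b` returns only an empty `dn:`.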
How to config LDAP client to get data from multiple sub domains in LDAP server?
by Qian Zhang
Hi All,
I encountered an issue when configuring the LDAP client. My question
is how to configure the LDAP client so that it gets the user and
group information from two sub domains. The base domain of the LDAP
server is "dc=main,dc=com", and under the base domain there is more
than one sub domain, such as sub domain 1
("dc=sub1,dc=main,dc=com"), sub domain 2 ("dc=sub2,dc=main,dc=com"),
sub domain 3 ("dc=sub3,dc=main,dc=com"), ....
Now I just want to list the user and group information from sub domain
sub1 and sub domain sub2 (with the command "getent passwd"). The information
from sub domain sub3 must be excluded.
My test env is: RHEL 6.2 x86_64, openldap-2.4.23
I have tried the following way:
Step 1: configure the LDAP server. I used the access control item
"olcAccess" in the file
/etc/openldap/slapd.d/cn\=config/olcDatabase\=\{2\}bdb.ldif
olcAccess: to dn.subtree="dc=sub1,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read
olcAccess: to dn.subtree="dc=sub2,dc=main,dc=com" by
dn="uid=user1,dc=sub1,dc=main,dc=com" read
See above: I added the access controls; they mean that only the user
"uid=user1,dc=sub1,dc=main,dc=com" can access the information of the
two sub domains (sub1 and sub2). After adding the configuration, I
restarted the slapd service on the server side.
Step 2: configure the LDAP client. In /etc/nslcd and
/etc/pam_ldap.conf, I modified the items below:
base dc=main,dc=com
binddn uid=user1,dc=sub1,dc=main,dc=com
bindpw ***
Then I restarted the nslcd service, but I can't get any user information
with the command "getent passwd" on the LDAP client side. (I confirmed my
other configuration is correct: if I change the base to "base
dc=sub1,dc=main,dc=com", I can get all the information from sub1.) I
think the problem is on the LDAP server side: the user
"uid=user1,dc=sub1,dc=main,dc=com" in sub domain "sub1" is only
allowed to access the sub domains (sub1 and sub2) by access control.
But I can't change the "base" from "dc=main,dc=com" to
"dc=sub1,dc=main,dc=com" or "dc=sub2,dc=main,dc=com", because
only one sub domain can be the "base", so I could only get the
information from one of the sub domains, which is not my purpose.
Then I tried to set the search scope to "scope sub", but it still doesn't
work.
Any comments? I would really appreciate your feedback.
11 years, 3 months