October 2013 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

7 years

4
11
0 / 0

OpenLDAP and dynalogin (two-factor auth with HOTP)

by Daniel Pocock

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

7 years, 11 months

5
6
0 / 0

DIT for an academic institution

by Shali 9846303531

Dear All, I am new to these LDAP concepts , i have prepared a DIT for our organization with two academic institutions with each institution having different branches of study and also there is staff and students . i have attached the DIT , if am going through a wrong way kindly guide me. -- Thanks & Regards Shali.K.R Server Administrator

9 years

4
3
0 / 0

"LDAP Injection" attacks

by Howard Chu

A paper and presentation making the rounds, claiming to show how webapps using LDAP are vulnerable to search filter spoofing attacks. http://www.youtube.com/watch?v=wtahzm_R8e4 http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepap... Can't imagine that work like this gets peer-reviewed, because it's mostly garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly showing how filter manipulation can allow a webapp user to bypass LDAP-based authentication. It's ridiculous drivel though, since LDAP-based authentication uses Bind requests and not search filters. Most LDAP deployments don't even give search/compare access to userPassword attributes in the first place. Just in case anybody out there might be bitten by this info - client-enforced security is no security at all. This is why slapd has such an extensive ACL engine - you enforce access controls on the server, and then it doesn't matter what kind of garbage requests your clients send to you, they can only ever access information that they were allowed to access. This is also why the old pam_ldap authorization scheme was such a bad idea, it relied on the LDAP client (pam_ldap) to correctly implement authorization, instead of the server. (Multiply that by hundreds or thousands of clients and you have an unmanageable, insecurable mess.) This is why we have nssov today. Of course, this is no excuse to be sloppy when writing your web apps. But if you've configured ACLs to adequately protect your data, then it doesn't matter how sloppy your clients are. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

9 years, 5 months

4
9
0 / 0

RE24 testing call (OpenLDAP 2.4.37)

by Quanah Gibson-Mount

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.37 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

9 years, 5 months

12
32
0 / 0

ldapmodify replace olcAccess

by Daniel Jung

Hi all, Is it possible to use the replace the instead of delete then add again for olcAccess? dn: olcDatabase={2}hdb,cn=config changetype: modify replace: olcDbCacheSize olcDbCacheSize: 10240 - replace: olcAccess olcAccess: {0}to dn.base="" attrs=namingContexts by * none olcAccess: {1}to * by * read - Thanks

9 years, 6 months

3
2
0 / 0

OpenLDAP DB question

by Dheeraj Khanna

Hi I wanted to find if I can add a host based authentication, here is my setup. Regular LDAP DB , I use group and users and associate permissions to users based on groups. What I want to achieve is this: *If a User A is a member of "Group A" and has access to "hostsA" allow else deny, this will allow me to limit access to certain server types based on user groups. I think we can define this in /etc/ldap.conf but I could not find find the right syntax to add hosts in this config file.* *Question: *I do not know how to add this ou called "hostaccess", I used a GUI portal called Apache Directory Studio to add/delete users and groups. If some one knows how to add hosts in LDAP and be able t map groups and users to it that would greatly help me. Thanks Dheera

9 years, 6 months

3
3
0 / 0

Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]

by Philippe MARASSE

Hello, I'm trying to enable unique overlay to enforce uniqueness of uid and mail attributes with no luck. My server is debian 7 based with packaged slapd (2.4.31]. Here's the config for the unique overlay : DN: cn=module{1},cn=config objectClass: olcModuleList objectClass: olcConfig objectClass: top cn: module{1} olcModuleLoad: {0}memberof olcModuleLoad: {1}refint olcModuleLoad: {2}unique olcModulePath: /usr/lib/ldap DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {4}unique olcUniqueURI: ldap:///?mail?sub olcUniqueURI: ldap:///?uid?sub assuming the configuration is good, I've tried to create 2 entries : uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the same mail : test(a)mydomain.com => created without error. change mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works going back to test(a)mydomain.com => no error The first time, I've used the main administrative account. So I created a sub administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two entries with the same mail without error. I've tried to put slapd in debug mode, the only ting I've noticed is : 51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e *unique_modify: administrative bypass, skipping* 51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com") 51f7df1e bdb_entry_get: rc=0 If someone has a clue... Rgds -- Philippe MARASSE Service Informatique - Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19

9 years, 7 months

4
13
0 / 0

Mixing multi-master and master-slave replication

by Robert Minsk

As a factility we have locations world wide. Within each facility we would like to use multi-master replication. We would also like to sync each facility to a glued set of databases on the global servers with simple master slave replication. See ASCII art diagram below. If every OpenLDAP server across all our locations has a unique "serverID" will the global master-slave replication play nice with the facility multi-master replication? -------- -------- -------- -------- | la01 |<-- multi-master --> | la02 | | ny01 |<-- multi-master -->| ny02 | -------- -------- -------- -------- | | -- master-slave -- -- master-slave -- | | v v ------------ | global01 | ------------ -- Robert Minsk Systems and Software Engineer WWW.METHODSTUDIOS.COM <http://www.methodstudios.com> 730 Arizona Ave, Santa Monica, CA 90401 O:+1 310 434 6500 <tel:+13104346500> // F:+1 310 434 6501 <tel:+13104346501> Los Angeles <http://www.methodstudios.com/signature/url/los-angeles><http://www.methodstudios.com/signature/url/los-angeles> This e-mail and any attachments are intended only for use by the addressee(s) named herein and may contain confidential information. If you are not the intended recipient of this e-mail, you are hereby notified any dissemination, distribution or copying of this email and any attachments is strictly prohibited. If you receive this email in error, please immediately notify the sender by return email and permanently delete the original, any copy and any printout thereof. The integrity and security of e-mail cannot be guaranteed.

9 years, 7 months

2
2
0 / 0

Invalid credentials

by yan＠seiner.com

I am setting up a simple LDAP server. I have a few entries that I am playing with for user authentication. I have phpldapadmin set up and I can verify that the passwords are correct. However, when I test authentication usign ldapwhoami or ldapsearch (anonymous) it always fails with invalid credentials or no records found. Can anyone provide any clues on what might be going on? yan@NewMoon:/etc$ ldapwhoami -x -W -D uid=yan,ou=People,dc=seiner,dc=lan -H ldap://eluonhea1.seiner.lan/ -d 255 ldap_url_parse_ext(ldap://eluonhea1.seiner.lan/) ldap_create ldap_url_parse_ext(ldap://eluonhea1.seiner.lan:389/??base) Enter LDAP Password: ldap_sasl_bind ldap_send_initial_request ldap_new_connection 1 1 0 ldap_int_open_connection ldap_connect_to_host: TCP eluonhea1.seiner.lan:389 ldap_new_socket: 3 ldap_prepare_socket: 3 ldap_connect_to_host: Trying 192.168.128.21:389 ldap_pvt_connect: fd: 3 tm: -1 async: 0 ldap_open_defconn: successful ldap_send_server_request ber_scanf fmt ({it) ber: ber_dump: buf=0x7f567246c800 ptr=0x7f567246c800 end=0x7f567246c83c len=60 0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid= 0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc 0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan.. 0030: xx (password deleted) ber_scanf fmt ({i) ber: ber_dump: buf=0x7f567246c800 ptr=0x7f567246c805 end=0x7f567246c83c len=55 0000: 60 35 02 01 03 04 22 75 69 64 3d 79 61 6e 2c 6f `5...."uid=yan,o 0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 73 65 69 6e u=People,dc=sein xx (password deleted) ber_flush2: 60 bytes to sd 3 0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid= 0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc 0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan.. xx (password deleted) ldap_write: want=60, written=60 0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid= 0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc 0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan.. xx (password deleted) ldap_result ld 0x7f5672464250 msgid 1 wait4msg ld 0x7f5672464250 msgid 1 (infinite timeout) wait4msg continue ld 0x7f5672464250 msgid 1 all 1 ** ld 0x7f5672464250 Connections: * host: eluonhea1.seiner.lan port: 389 (default) refcnt: 2 status: Connected last used: Thu Oct 31 09:42:03 2013 ** ld 0x7f5672464250 Outstanding Requests: * msgid 1, origid 1, status InProgress outstanding referrals 0, parent count 0 ld 0x7f5672464250 request count 1 (abandoned 0) ** ld 0x7f5672464250 Response Queue: Empty ld 0x7f5672464250 response count 0 ldap_chkResponseList ld 0x7f5672464250 msgid 1 all 1 ldap_chkResponseList returns ld 0x7f5672464250 NULL ldap_int_select read1msg: ld 0x7f5672464250 msgid 1 all 1 ber_get_next ldap_read: want=8, got=8 0000: 30 0c 02 01 01 61 07 0a 0....a.. ldap_read: want=6, got=6 0000: 01 31 04 00 04 00 .1.... ber_get_next: tag 0x30 len 12 contents: ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa0 end=0x7f567246daac len=12 0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1.... read1msg: ld 0x7f5672464250 msgid 1 message type bind ber_scanf fmt ({eAA) ber: ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa3 end=0x7f567246daac len=9 0000: 61 07 0a 01 31 04 00 04 00 a...1.... read1msg: ld 0x7f5672464250 0 new referrals read1msg: mark request completed, ld 0x7f5672464250 msgid 1 request done: ld 0x7f5672464250 msgid 1 res_errno: 49, res_error: <>, res_matched: <> ldap_free_request (origid 1, msgid 1) ldap_parse_result ber_scanf fmt ({iAA) ber: ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa3 end=0x7f567246daac len=9 0000: 61 07 0a 01 31 04 00 04 00 a...1.... ber_scanf fmt (}) ber: ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daac end=0x7f567246daac len=0 ldap_msgfree ldap_err2string ldap_bind: Invalid credentials (49) ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 3 0000: 30 05 02 01 02 42 00 0....B. ldap_write: want=7, written=7 0000: 30 05 02 01 02 42 00 0....B. ldap_free_connection: actually freed ========================= slapd.conf root@EluOnHea1:/etc/openldap# cat slapd.conf | grep -v ^# | grep -v ^$ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/nis.schema include /etc/openldap/schema/inetorgperson.schema pidfile /var/run/slapd.pid argsfile /var/run/slapd.args moduleload back_bdb.la access to * by self write by users read by anonymous auth database ldif suffix "dc=seiner,dc=lan" rootdn "cn=admin,dc=seiner,dc=lan" rootpw xxx directory /usr/lib/openldap-data

9 years, 7 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2013