Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50.
This is my example. Line 50 of vlv.pl is marked with a comment below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Control::Sort;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );

# Print each entry as it arrives, then drop it from the message so the
# whole result set is not kept in memory.
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "cannot connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,  # No entries from before target entry
    after   => 19, # 19 entries after target entry
    content => 0,  # List size unknown
    offset  => 1,  # Target entry is the first
);
# VLV is only defined together with a server-side sort of the same search
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,       # Call this sub for each entry
             control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search( @args );
# Check the search result first: if the server rejected the search (or does
# not support the sort/VLV controls) no response control is returned, and
# the bare "or die" on the next line gives no explanation at all.
die "search failed: " . $mesg->error if $mesg->code;

# Get VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # line 50 of vlv.pl: this is where the script dies
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
die "search failed: " . $mesg->error if $mesg->code;

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
die "search failed: " . $mesg->error if $mesg->code;

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search( @args );
die "search failed: " . $mesg->error if $mesg->code;
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL-based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (the user should be able to use either
a password or an HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP; it is OPIE
(or S/Key), RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
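HOTP as specified in RFC 4226, together with the server-side verification logic a scheme like the one proposed above needs, as an added example (this is not dynalogin's code and not part of the original post). The key is the RFC 4226 Appendix D test key, so the generated codes can be checked against the RFC's own table; the look-ahead window, the replay rule and the HotpVerifier class are this example's own design choices.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 section 5.3: HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits."""
    msg = struct.pack(">Q", counter)                    # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()  # 20-byte HMAC-SHA-1
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


# Test key from RFC 4226 Appendix D (ASCII "12345678901234567890"); the RFC
# lists 755224, 287082, 359152, ... for counters 0, 1, 2, ...
RFC4226_SECRET = b"12345678901234567890"


class HotpVerifier:
    """Server-side HOTP check with a look-ahead window and replay protection.

    The server keeps the next counter value it expects from the token. A
    submitted code is compared against counters (next .. next+window-1); on
    success the stored counter jumps past the matched value, so the same code
    can never be accepted twice and codes the user generated without logging
    in (pressing the token button) are tolerated up to the window size.
    """

    def __init__(self, secret: bytes, window: int = 5, digits: int = 6):
        self.secret = secret
        self.window = window
        self.digits = digits
        self.counter = 0  # next counter value expected from the token

    def verify(self, code: str) -> bool:
        if not (code.isascii() and code.isdigit() and len(code) == self.digits):
            return False
        # Evaluate every window position even after a hit so timing does not
        # reveal which position matched.
        matched = None
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.secret, c, self.digits), code) \
                    and matched is None:
                matched = c
        if matched is None:
            return False
        self.counter = matched + 1  # consume the matched and any skipped counters
        return True


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    v = HotpVerifier(RFC4226_SECRET)
    print("first use:", v.verify("755224"), "replay:", v.verify("755224"))
```

The verifier deliberately rejects a code whose counter is at or below the last accepted one; that is the property that makes HOTP a one-time password, and it is what an OpenLDAP integration would have to store per user (the counter) alongside the shared secret.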
DIT for an academic institution
by Shali 9846303531
Dear All,
I am new to these LDAP concepts. I have prepared a DIT for our
organization, which has two academic institutions, with each institution having
different branches of study, and also staff and students. I have
attached the DIT; if I am going about it the wrong way, kindly guide me.
--
Thanks & Regards
Shali.K.R
Server Administrator
9 years, 6 months
"LDAP Injection" attacks
by Howard Chu
A paper and presentation making the rounds, claiming to show how webapps using
LDAP are vulnerable to search filter spoofing attacks.
http://www.youtube.com/watch?v=wtahzm_R8e4
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepap...
Can't imagine that work like this gets peer-reviewed, because it's mostly
garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly
showing how filter manipulation can allow a webapp user to bypass LDAP-based
authentication. It's ridiculous drivel though, since LDAP-based authentication
uses Bind requests and not search filters. Most LDAP deployments don't even
give search/compare access to userPassword attributes in the first place.
Just in case anybody out there might be bitten by this info - client-enforced
security is no security at all. This is why slapd has such an extensive ACL
engine - you enforce access controls on the server, and then it doesn't matter
what kind of garbage requests your clients send to you, they can only ever
access information that they were allowed to access. This is also why the old
pam_ldap authorization scheme was such a bad idea, it relied on the LDAP
client (pam_ldap) to correctly implement authorization, instead of the server.
(Multiply that by hundreds or thousands of clients and you have an
unmanageable, insecurable mess.) This is why we have nssov today.
Of course, this is no excuse to be sloppy when writing your web apps. But if
you've configured ACLs to adequately protect your data, then it doesn't matter
how sloppy your clients are.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 11 months
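An added example (not from the post, the paper it discusses, or OpenLDAP) of the client-side hygiene the last paragraph still calls for: RFC 4515 escaping of user input before it is placed in a search filter, beside a small filter parser that makes visible what an unescaped value does to the filter's structure. The attacker string, the attribute names and the function names are constructed for this example. Consistent with the post, the password belongs in a Bind request, so the escaped form here only looks up the user's DN; the unsafe form reproduces the shape of filter the criticised scenario builds.

```python
import re


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an RFC 4515 filter.

    RFC 4515 section 3 requires '*', '(', ')', '\\' and NUL to be written as a
    backslash followed by two hex digits; any other byte may be escaped the
    same way, and non-ASCII bytes are escaped here so the result is pure ASCII.
    """
    out = []
    for byte in value.encode("utf-8"):
        if byte in b"*()\\\x00" or byte >= 0x80:
            out.append("\\%02x" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def unescape_filter_value(value: str) -> str:
    """Inverse of escape_filter_value, i.e. what a server does before comparing.
    Assumes ASCII input as produced by escape_filter_value."""
    raw = re.sub(r"\\([0-9A-Fa-f]{2})",
                 lambda m: chr(int(m.group(1), 16)), value)
    return raw.encode("latin-1").decode("utf-8")


def login_filter_unsafe(uid: str, password: str) -> str:
    # Raw interpolation of user input, password included: the shape of filter
    # the criticised scenario relies on. Shown only to make the effect visible.
    return "(&(uid=%s)(userPassword=%s))" % (uid, password)


def lookup_filter_safe(uid: str) -> str:
    # Escaped lookup of the user's DN; the password then goes in a Bind.
    return "(uid=%s)" % escape_filter_value(uid)


def _expect(s: str, i: int, ch: str) -> int:
    if i >= len(s) or s[i] != ch:
        raise ValueError("expected %r at offset %d" % (ch, i))
    return i + 1


def _parse(s: str, i: int):
    """Parse one filter starting at s[i]; return (ast, offset after it)."""
    i = _expect(s, i, "(")
    if i >= len(s):
        raise ValueError("unterminated filter")
    if s[i] in "&|":
        op, items, i = s[i], [], i + 1
        while i < len(s) and s[i] == "(":
            node, i = _parse(s, i)
            items.append(node)
        return (op, items), _expect(s, i, ")")
    if s[i] == "!":
        node, i = _parse(s, i + 1)
        return ("!", node), _expect(s, i, ")")
    end = s.find(")", i)  # an unescaped ')' can never be part of a value
    if end < 0:
        raise ValueError("unterminated item at offset %d" % i)
    attr, sep, value = s[i:end].partition("=")
    if not sep or not attr:
        raise ValueError("malformed item %r" % s[i:end])
    return ("=", attr, value), end + 1


def parse_filter(s: str):
    """Minimal RFC 4515 parser for the subset used here: &, |, ! and attr=value.

    Returns (ast, rest), rest being any text left after the first complete
    filter. A lenient consumer that silently drops `rest` is exactly what a
    filter-injection payload relies on; a strict one rejects the request.
    """
    ast, i = _parse(s, 0)
    return ast, s[i:]


if __name__ == "__main__":
    payload = "*)(uid=*))(|(uid=*"  # constructed attacker-supplied user name
    for label, f in (("unsafe", login_filter_unsafe(payload, "secret")),
                     ("safe  ", lookup_filter_safe(payload))):
        ast, rest = parse_filter(f)
        print(label, f)
        print("   first filter:", ast)
        print("   trailing text:", repr(rest))
```

With the unescaped value, the first complete filter is `(&(uid=*)(uid=*))`, which matches every entry, and the real conditions are left over as trailing text; with escaping, the whole input becomes one literal assertion value that the server unescapes back to the original string. None of this replaces server-side ACLs, which is the post's point: the escaping only keeps the client from sending garbage, the ACLs decide what any request may see.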
ldapmodify replace olcAccess
by Daniel Jung
Hi all,
Is it possible to use replace instead of delete and then add again
for olcAccess?
dn: olcDatabase={2}hdb,cn=config
changetype: modify
replace: olcDbCacheSize
olcDbCacheSize: 10240
-
replace: olcAccess
olcAccess: {0}to dn.base="" attrs=namingContexts by * none
olcAccess: {1}to * by * read
-
Thanks
10 years
OpenLDAP DB question
by Dheeraj Khanna
Hi
I wanted to find out if I can add host-based authentication; here is my setup.
Regular LDAP DB; I use groups and users and associate permissions to users
based on groups. What I want to achieve is this:
If User A is a member of "Group A" and has access to "hostsA", allow, else
deny. This will allow me to limit access to certain server types based on
user groups. I think we can define this in /etc/ldap.conf but I could not
find the right syntax to add hosts in this config file.
Question: I do not know how to add this OU called "hostaccess". I used a
GUI portal called Apache Directory Studio to add/delete users and groups.
If someone knows how to add hosts in LDAP and be able to map groups and
users to them, that would greatly help me.
Thanks
Dheera
10 years, 1 month
Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE
Hello,
I'm trying to enable the unique overlay to enforce uniqueness of the uid and mail attributes,
with no luck. My server is Debian 7 based with packaged slapd (2.4.31). Here's the config
for the unique overlay:
DN: cn=module{1},cn=config
objectClass: olcModuleList
objectClass: olcConfig
objectClass: top
cn: module{1}
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}unique
olcModulePath: /usr/lib/ldap
DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}unique
olcUniqueURI: ldap:///?mail?sub
olcUniqueURI: ldap:///?uid?sub
Assuming the configuration is good, I've tried to create 2 entries:
uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the
same mail: test(a)mydomain.com => created without error.
Changing the mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works;
going back to test(a)mydomain.com => no error.
The first time, I used the main administrative account. So I created a sub-administrator
account and changed the ACLs, fine. Deleted the two entries, recreated the two
entries with the same mail without error.
I've tried to put slapd in debug mode; the only thing I've noticed is:
51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>,
<uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e unique_modify: administrative bypass, skipping
51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com")
51f7df1e bdb_entry_get: rc=0
If someone has a clue...
Rgds
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
10 years, 1 month
Mixing multi-master and master-slave replication
by Robert Minsk
As a facility we have locations worldwide. Within each facility we
would like to use multi-master replication. We would also like to sync
each facility to a glued set of databases on the global servers with
simple master-slave replication. See the ASCII art diagram below. If every
OpenLDAP server across all our locations has a unique "serverID", will
the global master-slave replication play nice with the facility
multi-master replication?
 --------                      --------      --------                      --------
 | la01 |<-- multi-master -->| la02 |      | ny01 |<-- multi-master -->| ny02 |
 --------                      --------      --------                      --------
              |                                           |
       -- master-slave --                          -- master-slave --
              |                                           |
              v                                           v
                              ------------
                              | global01 |
                              ------------
--
Robert Minsk
Systems and Software Engineer
WWW.METHODSTUDIOS.COM <http://www.methodstudios.com>
730 Arizona Ave, Santa Monica, CA 90401
O: +1 310 434 6500 // F: +1 310 434 6501
Los Angeles
10 years, 1 month
Invalid credentials
by yan@seiner.com
I am setting up a simple LDAP server. I have a few entries that I am
playing with for user authentication. I have phpldapadmin set up and I
can verify that the passwords are correct.
However, when I test authentication using ldapwhoami or ldapsearch
(anonymous) it always fails with invalid credentials or no records found.
Can anyone provide any clues on what might be going on?
yan@NewMoon:/etc$ ldapwhoami -x -W -D uid=yan,ou=People,dc=seiner,dc=lan
-H ldap://eluonhea1.seiner.lan/ -d 255
ldap_url_parse_ext(ldap://eluonhea1.seiner.lan/)
ldap_create
ldap_url_parse_ext(ldap://eluonhea1.seiner.lan:389/??base)
Enter LDAP Password:
ldap_sasl_bind
ldap_send_initial_request
ldap_new_connection 1 1 0
ldap_int_open_connection
ldap_connect_to_host: TCP eluonhea1.seiner.lan:389
ldap_new_socket: 3
ldap_prepare_socket: 3
ldap_connect_to_host: Trying 192.168.128.21:389
ldap_pvt_connect: fd: 3 tm: -1 async: 0
ldap_open_defconn: successful
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_dump: buf=0x7f567246c800 ptr=0x7f567246c800 end=0x7f567246c83c len=60
0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid=
0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc
0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan..
0030: xx (password deleted)
ber_scanf fmt ({i) ber:
ber_dump: buf=0x7f567246c800 ptr=0x7f567246c805 end=0x7f567246c83c len=55
0000: 60 35 02 01 03 04 22 75 69 64 3d 79 61 6e 2c 6f `5...."uid=yan,o
0010: 75 3d 50 65 6f 70 6c 65 2c 64 63 3d 73 65 69 6e u=People,dc=sein
xx (password deleted)
ber_flush2: 60 bytes to sd 3
0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid=
0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc
0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan..
xx (password deleted)
ldap_write: want=60, written=60
0000: 30 3a 02 01 01 60 35 02 01 03 04 22 75 69 64 3d 0:...`5...."uid=
0010: 79 61 6e 2c 6f 75 3d 50 65 6f 70 6c 65 2c 64 63 yan,ou=People,dc
0020: 3d 73 65 69 6e 65 72 2c 64 63 3d 6c 61 6e 80 0c =seiner,dc=lan..
xx (password deleted)
ldap_result ld 0x7f5672464250 msgid 1
wait4msg ld 0x7f5672464250 msgid 1 (infinite timeout)
wait4msg continue ld 0x7f5672464250 msgid 1 all 1
** ld 0x7f5672464250 Connections:
* host: eluonhea1.seiner.lan port: 389 (default)
refcnt: 2 status: Connected
last used: Thu Oct 31 09:42:03 2013
** ld 0x7f5672464250 Outstanding Requests:
* msgid 1, origid 1, status InProgress
outstanding referrals 0, parent count 0
ld 0x7f5672464250 request count 1 (abandoned 0)
** ld 0x7f5672464250 Response Queue:
Empty
ld 0x7f5672464250 response count 0
ldap_chkResponseList ld 0x7f5672464250 msgid 1 all 1
ldap_chkResponseList returns ld 0x7f5672464250 NULL
ldap_int_select
read1msg: ld 0x7f5672464250 msgid 1 all 1
ber_get_next
ldap_read: want=8, got=8
0000: 30 0c 02 01 01 61 07 0a 0....a..
ldap_read: want=6, got=6
0000: 01 31 04 00 04 00 .1....
ber_get_next: tag 0x30 len 12 contents:
ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa0 end=0x7f567246daac len=12
0000: 02 01 01 61 07 0a 01 31 04 00 04 00 ...a...1....
read1msg: ld 0x7f5672464250 msgid 1 message type bind
ber_scanf fmt ({eAA) ber:
ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa3 end=0x7f567246daac len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
read1msg: ld 0x7f5672464250 0 new referrals
read1msg: mark request completed, ld 0x7f5672464250 msgid 1
request done: ld 0x7f5672464250 msgid 1
res_errno: 49, res_error: <>, res_matched: <>
ldap_free_request (origid 1, msgid 1)
ldap_parse_result
ber_scanf fmt ({iAA) ber:
ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daa3 end=0x7f567246daac len=9
0000: 61 07 0a 01 31 04 00 04 00 a...1....
ber_scanf fmt (}) ber:
ber_dump: buf=0x7f567246daa0 ptr=0x7f567246daac end=0x7f567246daac len=0
ldap_msgfree
ldap_err2string
ldap_bind: Invalid credentials (49)
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 3
0000: 30 05 02 01 02 42 00 0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 02 42 00 0....B.
ldap_free_connection: actually freed
=========================
slapd.conf
root@EluOnHea1:/etc/openldap# cat slapd.conf | grep -v ^# | grep -v ^$
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/inetorgperson.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
moduleload back_bdb.la
access to *
by self write
by users read
by anonymous auth
database ldif
suffix "dc=seiner,dc=lan"
rootdn "cn=admin,dc=seiner,dc=lan"
rootpw xxx
directory /usr/lib/openldap-data
10 years, 1 month
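The two LDAP messages in the trace above, decoded, as an added example (not the poster's or OpenLDAP's code): a minimal BER reader for the BindRequest written at ldap_write and the BindResponse read at ldap_read. The request bytes are copied from the ber_dump lines; the 12 password bytes the poster removed are replaced by a constructed placeholder of the same length (the trailing 80 0c on the page says a 12-byte simple [0] credential follows). The result-code table is the RFC 4511 subset a bind is likely to return. Decoding makes two things plain: resultCode 49 is invalidCredentials with an empty matchedDN and diagnosticMessage, so the server says nothing beyond "wrong password for that DN", and a simple Bind carries the password in clear, which is why a -d 255 trace and an unencrypted ldap:// URL deserve the care the poster took in redacting it.

```python
# Result codes from RFC 4511 section 4.1.9 that a Bind commonly returns.
LDAP_RESULT_NAMES = {
    0: "success", 1: "operationsError", 7: "authMethodNotSupported",
    8: "strongerAuthRequired", 13: "confidentialityRequired", 32: "noSuchObject",
    34: "invalidDNSyntax", 48: "inappropriateAuthentication",
    49: "invalidCredentials", 50: "insufficientAccessRights", 53: "unwillingToPerform",
}


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at buf[pos]; return (tag, contents, offset after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header at offset %d" % pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length == 0x80:
        raise ValueError("indefinite length is not allowed in LDAP")
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated TLV (tag 0x%02x)" % tag)
    return tag, buf[pos:end], end


def read_int(contents: bytes) -> int:
    return int.from_bytes(contents, "big", signed=True)


def decode_bind_message(buf: bytes) -> dict:
    """Decode an LDAPMessage carrying a BindRequest or a BindResponse (RFC 4511)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single LDAPMessage SEQUENCE")
    tag, mid, pos = read_tlv(body, 0)
    if tag != 0x02:
        raise ValueError("messageID must be INTEGER")
    msg = {"messageID": read_int(mid)}
    tag, op, _ = read_tlv(body, pos)  # controls, if present, would follow
    if tag == 0x60:                   # [APPLICATION 0] BindRequest
        t_ver, version, p = read_tlv(op, 0)
        t_name, name, p = read_tlv(op, p)
        auth_tag, cred, _ = read_tlv(op, p)
        if t_ver != 0x02 or t_name != 0x04:
            raise ValueError("malformed BindRequest")
        msg.update(op="BindRequest", version=read_int(version),
                   name=name.decode("utf-8"))
        if auth_tag == 0x80:          # simple [0] OCTET STRING: the password, in clear
            msg["simple"] = cred
        elif auth_tag == 0xA3:        # sasl [3] SaslCredentials
            msg["sasl"] = cred
        else:
            raise ValueError("unknown authentication choice 0x%02x" % auth_tag)
    elif tag == 0x61:                 # [APPLICATION 1] BindResponse: an LDAPResult
        t_rc, rc, p = read_tlv(op, 0)
        _, matched, p = read_tlv(op, p)
        _, diag, _ = read_tlv(op, p)
        if t_rc != 0x0A:
            raise ValueError("resultCode must be ENUMERATED")
        code = read_int(rc)
        msg.update(op="BindResponse", resultCode=code,
                   resultName=LDAP_RESULT_NAMES.get(code, "code %d" % code),
                   matchedDN=matched.decode("utf-8"),
                   diagnosticMessage=diag.decode("utf-8"))
    else:
        raise ValueError("not a bind request/response (tag 0x%02x)" % tag)
    return msg


# Bytes from the ldapwhoami trace. The 12 password bytes the poster deleted
# are replaced by a constructed stand-in of the same length.
BIND_REQUEST = (bytes.fromhex("303a 020101 6035 020103 0422")
                + b"uid=yan,ou=People,dc=seiner,dc=lan"
                + bytes.fromhex("800c") + b"hunter2hunt3")
BIND_RESPONSE = bytes.fromhex("300c 020101 6107 0a0131 0400 0400")

if __name__ == "__main__":
    print(decode_bind_message(BIND_REQUEST))
    print(decode_bind_message(BIND_RESPONSE))
```

The reader is strict on purpose: it refuses indefinite lengths, trailing bytes and unexpected tags, which is the behaviour you want in anything that parses protocol data from the network.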