openldap-technical November 2013

openldap-technical@openldap.org

73 participants
72 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

DIT for an academic institution
by Shali 9846303531 20 May '14

20 May '14

Dear All, I am new to these LDAP concepts , i have prepared a DIT for our organization with two academic institutions with each institution having different branches of study and also there is staff and students . i have attached the DIT , if am going through a wrong way kindly guide me. -- Thanks & Regards Shali.K.R Server Administrator

4 3

"LDAP Injection" attacks
by Howard Chu 29 Dec '13

29 Dec '13

A paper and presentation making the rounds, claiming to show how webapps using LDAP are vulnerable to search filter spoofing attacks. http://www.youtube.com/watch?v=wtahzm_R8e4 http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper… Can't imagine that work like this gets peer-reviewed, because it's mostly garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly showing how filter manipulation can allow a webapp user to bypass LDAP-based authentication. It's ridiculous drivel though, since LDAP-based authentication uses Bind requests and not search filters. Most LDAP deployments don't even give search/compare access to userPassword attributes in the first place. Just in case anybody out there might be bitten by this info - client-enforced security is no security at all. This is why slapd has such an extensive ACL engine - you enforce access controls on the server, and then it doesn't matter what kind of garbage requests your clients send to you, they can only ever access information that they were allowed to access. This is also why the old pam_ldap authorization scheme was such a bad idea, it relied on the LDAP client (pam_ldap) to correctly implement authorization, instead of the server. (Multiply that by hundreds or thousands of clients and you have an unmanageable, insecurable mess.) This is why we have nssov today. Of course, this is no excuse to be sloppy when writing your web apps. But if you've configured ACLs to adequately protect your data, then it doesn't matter how sloppy your clients are. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

4 9

Storing graph data structure with MDB_FIXEDMAP
by Aris Setyawan 16 Dec '13

16 Dec '13

Hi, I'm new in this list. I plan to store graph data structure (vertex and edge) in LMDB. The "edge" data value of a record will contain a pointer which is pointing to the address of "vertex" data value. So, I must make it sure that data value address is not changing during operation. According to the doc, I can use MDB_FIXEDMAP. And from the doc: "... the memory map will always reside at the same virtual address and pointers used to reference data items in the database will be constant across multiple invocations. ..." Spesifically: "... pointers used to reference data items in the database will be constant ..." Is this mean that I must allocate memory to write data using mdb_put with MDB_RESERVE flag?

2 3

RE24 testing call (OpenLDAP 2.4.37)
by Quanah Gibson-Mount 15 Dec '13

15 Dec '13

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.37 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Architect - Server Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

12 32

Unable to add umlaut character dn to the openLDAP 2.4.32
by pramod kulkarni 29 Nov '13

29 Nov '13

Hi , I am having trouble in adding user with dn having umlaut characters using ldapmodify tool,It is giving invalid syntax what I need to do ? please help dn:uid=Röichard,ou=newUsers,dc=cricbox,dc=in ldap_add: Invalid DN syntax (34) additional info: invalid DN Regards, pk

3 3

OLC configuration
by Jacques Foucry 28 Nov '13

28 Nov '13

Hello folks, I think I can use and manage a small LDAP. I can configure it but... with the old slapd.conf method. I need to configue a new one and it's time for me to understand the OLC configuration way. Did you have a good tuto (in french?) to help to help me? The official docs are to hard for me. Thanks in advance, Jacques Foucry -- Jacques Foucry *NOVΛSPARKS * IT Manager Tel : +33 (0)1 42 68 12 61 jacques.foucry(a)novasparks.com

2 1

p12 files for user-auth in slapd.conf question
by lux-integ 28 Nov '13

28 Nov '13

Greetings, I am a complete beginner leaning to use openldap. I read through a few of the manuals online. I am finding the access-control manual ( http://www.openldap.org/doc/admin24/access-control.html ) the hardest to understand. I would like to know if it is possible to authenticate users using p12 (pkcs12 certificates/key pair ) and IF SO what would be a) the standard shemas to be included in slapd.conf to make this possible ? , b) the entry for olcAccess ( in slapd.conf) for users to be authenticared via their p12 files ? , b) the location and storage method in the database for these .p12 files ? or IF NOT SO what is the recommended equivalent to p12 files and how would they be deployed.? thanks in advance sincerely luxInteg

2 1

OpenLDAP with ppolicy and SSSD configuration question.
by Viviano, Brad 28 Nov '13

28 Nov '13

Hello, I've searched the archives of this list, the web as best I can, and have this same question asked to the sssd-devel mailing list and can not seem to find an answer this my question. I have a RHEL 6.4 server with OpenLDAP 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system have sssd setup as a client. Everything works fine with password expires, grace periods, etc and sssd, if the user has to enter their password. But, if the user is using an SSH public key, setting the account as locked or the password is expired still allows them to log in. I can't seem to find a good solution that forces the user to change their password before they can login. The specifics are. sshd_config is configured to use PAM. My pam.d auth config is standard for RHEL6 which is: auth required pam_env.so auth sufficient pam_fprintd.so auth sufficient pam_unix.so nullok try_first_pass auth requisite pam_succeed_if.so uid >= 500 quiet auth sufficient pam_sss.so use_first_pass auth required pam_deny.so I've confirmed that when a user logs in from ssh with both password and ssh keys, they are going through the PAM sss.so just fine, by turning up the debugging levels and watching the logs. I've read everything I can find on sssd and it appears that for all cases of LDAP, sssd wants a single true/false value along the lines of nsAccountLocked. I can't find anything in ppolicy that sets true/false for account locked like other LDAP implementations do, all ppolicy seems to provide is pwdAccountLockedTime. While the issue seems more like a limitation on sssd's side, I thought I'd ask on this list to see if anyone has been able to come up with a solution or if there is something in ppolicy I am missing for a true/false on, is DN=X locked or not. Thanks, -Brad Viviano =================================================== Brad Viviano High Performance Computing & Scientific Visualization Lockheed Martin, Supporting the EPA Research Triangle Park, NC 919-541-2696 HSCSS Task Order Lead - Ravi Nair 919-541-5467 - Nair.Ravi(a)epa.gov High Performance Computing Subtask Lead - Durward Jones 919-541-5043 - Jones.Durward(a)epa.gov Environmental Modeling and Visualization Lead - Heidi Paulsen 919-541-1834 - Paulsen.Heidi(a)epa.gov

7 24

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical November 2013