Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
*
Error:* Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;
sub procentry {
my ( $mesg, $entry) = @_;
# Return if there is no entry to process
if ( !defined($entry) ) {
return;
}
print "dn: " . $entry->dn() . "\n";
@attrs = $entry->attributes();
foreach $attr (@attrs) {
#printf("\t%s: %s\n", $attr, $entry->get_value($attr));
$attrvalue = $entry->get_value($attr,asref=>1);
#print $attr.":". $entry->get_value($attr)."\n";
foreach $value(@$attrvalue) {
print "$attr: $value\n";
}
}
$mesg->pop_entry;
print "\n";
}
$ldap = Net::LDAP->new( "localhost" );
# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
before => 0, # No entries from before target entry
after => 19, # 19 entries after target entry
content => 0, # List size unknown
offset => 1, # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
@args = ( base => "dc=example,dc=co,dc=in",
scope => "subtree",
filter => "(objectClass=inetOrgPerson)",
callback => \&procentry, # Call this sub for each entry
control => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control
*($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;*
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mes
# Now page with first entry starting with "B" in the middle
$vlv->before(9); # Change page to show 9 before
$vlv->after(10); # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or
die;
$vlv->response( $resp );
--
Venish Khant
www.deeproot.co.in
6 years, 9 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
7 years, 8 months
DIT for an academic institution
by Shali 9846303531
Dear All,
I am new to these LDAP concepts , i have prepared a DIT for our
organization with two academic institutions with each institution having
different branches of study and also there is staff and students . i have
attached the DIT , if am going through a wrong way kindly guide me.
--
Thanks & Regards
Shali.K.R
Server Administrator
8 years, 10 months
"LDAP Injection" attacks
by Howard Chu
A paper and presentation making the rounds, claiming to show how webapps using
LDAP are vulnerable to search filter spoofing attacks.
http://www.youtube.com/watch?v=wtahzm_R8e4
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepap...
Can't imagine that work like this gets peer-reviewed, because it's mostly
garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly
showing how filter manipulation can allow a webapp user to bypass LDAP-based
authentication. It's ridiculous drivel though, since LDAP-based authentication
uses Bind requests and not search filters. Most LDAP deployments don't even
give search/compare access to userPassword attributes in the first place.
Just in case anybody out there might be bitten by this info - client-enforced
security is no security at all. This is why slapd has such an extensive ACL
engine - you enforce access controls on the server, and then it doesn't matter
what kind of garbage requests your clients send to you, they can only ever
access information that they were allowed to access. This is also why the old
pam_ldap authorization scheme was such a bad idea, it relied on the LDAP
client (pam_ldap) to correctly implement authorization, instead of the server.
(Multiply that by hundreds or thousands of clients and you have an
unmanageable, insecurable mess.) This is why we have nssov today.
Of course, this is no excuse to be sloppy when writing your web apps. But if
you've configured ACLs to adequately protect your data, then it doesn't matter
how sloppy your clients are.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 2 months
Storing graph data structure with MDB_FIXEDMAP
by Aris Setyawan
Hi,
I'm new in this list.
I plan to store graph data structure (vertex and edge) in LMDB. The
"edge" data value of a record will contain a pointer which is pointing
to the address of "vertex" data value. So, I must make it sure that
data value address is not changing during operation. According to the
doc, I can use MDB_FIXEDMAP.
And from the doc:
"... the memory map will always reside at the same virtual address and
pointers used to reference data items in the database will be constant
across multiple invocations. ..."
Spesifically: "... pointers used to reference data items in the
database will be constant ..."
Is this mean that I must allocate memory to write data using mdb_put
with MDB_RESERVE flag?
9 years, 3 months
Unable to add umlaut character dn to the openLDAP 2.4.32
by pramod kulkarni
Hi ,
I am having trouble in adding user with dn having umlaut characters using
ldapmodify tool,It is giving invalid syntax
what I need to do ?
please help
dn:uid=Röichard,ou=newUsers,dc=cricbox,dc=in
ldap_add: Invalid DN syntax (34)
additional info: invalid DN
Regards,
pk
9 years, 3 months
OLC configuration
by Jacques Foucry
Hello folks,
I think I can use and manage a small LDAP. I can configure it but...
with the old slapd.conf method.
I need to configue a new one and it's time for me to understand the OLC
configuration way.
Did you have a good tuto (in french?) to help to help me? The official
docs are to hard for me.
Thanks in advance,
Jacques Foucry
--
Jacques Foucry
*NOVΛSPARKS *
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
9 years, 3 months
p12 files for user-auth in slapd.conf question
by lux-integ
Greetings,
I am a complete beginner leaning to use openldap.
I read through a few of the manuals online. I am finding the access-control
manual
( http://www.openldap.org/doc/admin24/access-control.html ) the hardest to
understand.
I would like to know if it is possible to authenticate users using p12
(pkcs12 certificates/key pair ) and IF SO what would be
a) the standard shemas to be included in slapd.conf to make this possible ?
,
b) the entry for olcAccess ( in slapd.conf) for users to be authenticared
via their p12 files ? ,
b) the location and storage method in the database for these .p12 files
?
or
IF NOT SO what is the recommended equivalent to p12 files and how would
they be deployed.?
thanks in advance
sincerely
luxInteg
9 years, 3 months
OpenLDAP with ppolicy and SSSD configuration question.
by Viviano, Brad
Hello,
I've searched the archives of this list, the web as best I can, and have this same question asked to the sssd-devel mailing list and can not seem to find an answer this my question. I have a RHEL 6.4 server with OpenLDAP 2.4.23-32.el6_4.1 and sssd 1.9.2-129.el6, both installed as standard RPM's from Redhat. I have ppolicy configured in slapd and on another RHEL6.4 system have sssd setup as a client. Everything works fine with password expires, grace periods, etc and sssd, if the user has to enter their password. But, if the user is using an SSH public key, setting the account as locked or the password is expired still allows them to log in. I can't seem to find a good solution that forces the user to change their password before they can login.
The specifics are. sshd_config is configured to use PAM. My pam.d auth config is standard for RHEL6 which is:
auth required pam_env.so
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth sufficient pam_sss.so use_first_pass
auth required pam_deny.so
I've confirmed that when a user logs in from ssh with both password and ssh keys, they are going through the PAM sss.so just fine, by turning up the debugging levels and watching the logs. I've read everything I can find on sssd and it appears that for all cases of LDAP, sssd wants a single true/false value along the lines of nsAccountLocked. I can't find anything in ppolicy that sets true/false for account locked like other LDAP implementations do, all ppolicy seems to provide is pwdAccountLockedTime.
While the issue seems more like a limitation on sssd's side, I thought I'd ask on this list to see if anyone has been able to come up with a solution or if there is something in ppolicy I am missing for a true/false on, is DN=X locked or not.
Thanks,
-Brad Viviano
===================================================
Brad Viviano
High Performance Computing & Scientific Visualization
Lockheed Martin, Supporting the EPA
Research Triangle Park, NC
919-541-2696
HSCSS Task Order Lead - Ravi Nair
919-541-5467 - Nair.Ravi(a)epa.gov
High Performance Computing Subtask Lead - Durward Jones
919-541-5043 - Jones.Durward(a)epa.gov
Environmental Modeling and Visualization Lead - Heidi Paulsen
919-541-1834 - Paulsen.Heidi(a)epa.gov
9 years, 3 months
