openldap-technical December 2013

openldap-technical@openldap.org

61 participants
73 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

DIT for an academic institution
by Shali 9846303531 20 May '14

20 May '14

Dear All, I am new to these LDAP concepts , i have prepared a DIT for our organization with two academic institutions with each institution having different branches of study and also there is staff and students . i have attached the DIT , if am going through a wrong way kindly guide me. -- Thanks & Regards Shali.K.R Server Administrator

4 3

Re: MDB_PAGE_FULL
by Pieter Martin 19 Jan '14

19 Jan '14

Hi, I am using lmdb to implement a graph db via java JNI. Initial results are amazing. Anyhow I am having trouble with deletions. I am getting MDB_PAGE_FULL when trying to delete. A simplified version of the code is as follows. //set the key ... while ((rc = mdb_cursor_get(vertexCursor, &key, &data, MDB_SET_RANGE)) == 0) { rc = mdb_cursor_del(vertexCursor, 0); if (rc != 0) { printf("removeVertex 4 %i\n", rc); goto fail; } //set the key ... } The mdb_cursor_del returns a error code -30786 (MDB_PAGE_FULL) on about the 38th loop. if there are very few entries then the exception does not happen. Is there something obvious that I am doing wrong to cause a MDB_PAGE_FULL exception? Thanks Pieter

3 3

slapd "olcreadonly" and syncrepl
by Olivier 31 Dec '13

31 Dec '13

Hi everyone, I just configured a directory tuning readonly in the backend database : olcDatabase={1}bdb,cn=config ... olcreadonly: TRUE Good : now if I try to change anything I get an "Server is unwilling to perform (53)" from the server, for axample : # ldappasswd -h localhost -D "uid=olivier,ou=people" -W -S "uid=guillard,ou=people" New password: Re-enter new password: Enter LDAP Password: Result: Server is unwilling to perform (53) Additional info: operation restricted On the other hand, I also have configured this directory to get synchronized on another ldap server through a syncrepl directive, and I see that the ldap synchronization works properly: if I change my password an the master ldap, it's propagated on my "readonly" slave one. This is good since this is exactly what I want. However I have not found the confirmation of this behaviour in the documentation (may be I missed something), that's why I ask here : Is it correct to configure a olcreadonly directory to be slave through syncrepl to another one ? Thanks, --- Olivier

1 0

acl problem
by Mundry, Marvin 30 Dec '13

30 Dec '13

I have encountered an effect that I believe is a bug, but I might be wrong. It would be nice if someone could confirm that my acls should be working, or in case they should not, give me a hint what I am doing wrong. Here is what I am trying to archive: * there is one ldap provider (master) server that contains all attributes that are relevant for my organisation * on the master there is a user allowing a highly secured consumer(slave) ldap server the replication of all attributes from the master * on the master there is a user allowing a low-security consumer(slave) ldap server the replication of all attributes from the master except some critical ones * on the master there is a user (cn=provisioninguser) that can read the accesslog. it is used by scripts to e.g. notify non-ldap systems of password changes. I would like to put the acls for the replication users (high and low security ldap slaves) on the databases and not the frontend to avoid accidental modifications. All other acls should be on the frontend. If I configure all my acls on the frontend only everything works as I think it should. If some acls are on the database the results are rather weird ( the cn=provisioninguser can see only one value of the multi-valued reqMod attribte) The following acl snippet only deals with accesslog access which is where I encounter the problem: dn: olcDatabase={2}hdb,cn=config olcAccess: {0}to dn.subtree="cn=accesslog" attrs=reqMod val.regex="^topSecretAttribute:.*" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" none by * break dn: olcDatabase={2}hdb,cn=config olcAccess: {1}to dn.subtree="cn=accesslog" by dn.base="cn=replicationuser,dc=organisation,dc=com" read by dn.base="cn=replication_low_security,dc=organisation,dc=com" read by * break dn: olcDatabase={-1}frontend,cn=config olcAccess: {0}to dn.subtree="cn=accesslog" by dn.base="cn=provisioninguser,dc=organisation,dc=com" read by * none *if the acls 1,2 and 3 are on "olcDatabase={-1}frontend,cn=config" (which they are not in the example above) cn=provisioninguser,dc=organisation,dc=com can read all values from the multi-valued attribute reqMod (which is what I want). >ldapsearch -D cn=provisioninguser,dc=organisation,dc=com -w 123 -b cn=accesslog reqDN=cn=user1,dc=organisation,dc=com reqMod dn: reqStart=20131227145130.000001Z,cn=accesslog reqMod: userPassword:= {SSHA}bmyaw8Xy1UftlTorPDQE9yLzruoxDnGq reqMod: topSecretAttribute:= topsecret reqMod: pwdChangedTime:= 20131227145130Z reqMod: entryCSN:= 20131227145130.917649Z#000000#000#000000 reqMod: modifiersName:= cn=admin reqMod: modifyTimestamp:= 20131227145130Z *if the acls 1 and 2 are on "olcDatabase={2}hdb,cn=config" and the 3rd one is on "olcDatabase={-1}frontend,cn=config" cn=provisioninguser,dc=organisation,dc=com can read only one value from the multi-valued attribute reqMod (why?). >ldapsearch -D cn=provisioninguser,dc=organisation,dc=com -w 123 -b cn=accesslog reqDN=cn=user1,dc=organisation,dc=com reqMod dn: reqStart=20131227145130.000001Z,cn=accesslog reqMod: userPassword:= {SSHA}bmyaw8Xy1UftlTorPDQE9yLzruoxDnGq Best regards, Marvin Mundry University of Hamburg Regional Computer Center (RRZ) Division Zentrale Dienste Schlueterstrasse 70 20146 Hamburg +49 (0)40 42838-9109

3 3

"LDAP Injection" attacks
by Howard Chu 29 Dec '13

29 Dec '13

A paper and presentation making the rounds, claiming to show how webapps using LDAP are vulnerable to search filter spoofing attacks. http://www.youtube.com/watch?v=wtahzm_R8e4 http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepaper… Can't imagine that work like this gets peer-reviewed, because it's mostly garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly showing how filter manipulation can allow a webapp user to bypass LDAP-based authentication. It's ridiculous drivel though, since LDAP-based authentication uses Bind requests and not search filters. Most LDAP deployments don't even give search/compare access to userPassword attributes in the first place. Just in case anybody out there might be bitten by this info - client-enforced security is no security at all. This is why slapd has such an extensive ACL engine - you enforce access controls on the server, and then it doesn't matter what kind of garbage requests your clients send to you, they can only ever access information that they were allowed to access. This is also why the old pam_ldap authorization scheme was such a bad idea, it relied on the LDAP client (pam_ldap) to correctly implement authorization, instead of the server. (Multiply that by hundreds or thousands of clients and you have an unmanageable, insecurable mess.) This is why we have nssov today. Of course, this is no excuse to be sloppy when writing your web apps. But if you've configured ACLs to adequately protect your data, then it doesn't matter how sloppy your clients are. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

4 9

write access issue
by Umar Draz 28 Dec '13

28 Dec '13

Hi I am trying to rename the (dn) entry through a normal user which is first authenticate it self, but I there is an error while renaming the dn entry text=no write access to old parent's children here is my slapd.conf access settings. # Sample access control policy: access to attrs=userPassword,shadowLastChange by self write by dn="cn=admin,dc=mydomain,dc=com" write by * auth access to * by self write by dn="cn=admin,dc=mydom,dc=com" write by * read Would you please help, what I need to set? Br. Umar

3 4

Oracle OpenLDAP PPolicy ppolicy and the hierarchy
by David Barr 28 Dec '13

28 Dec '13

In Use: Oracle OpenLDAP 2.4.30, I cannot change to the OpenLDAP version that one can compile. Problem: I have the module and overlay in the conf files and slaptest says it's fine. Both files are from Openldap.org version 2.4.37But how do I test it? I have created unix shell scripts to do actions like add, delete, modify, view, etc. I can share these if requested. But I am unsure on the lock, unlock, policy stuff. Also, How should the OpenLDAP hierarchy look? Here's mine: dn: dc=bozo_company,dc=com ou: com objectClass: dcObject objectClass: organizationalUnit objectClass: top dc: bozo_company userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX dn: cn=Directory Administrators,dc=bozo_company,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Directory Administrators uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com dn: ou=Groups,dc=bozo_company,dc=com objectClass: top objectClass: organizationalUnit ou: Groups dn: ou=People,dc=bozo_company,dc=com objectClass: top objectClass: organizationalUnit ou: People dn: ou=Special Users,dc=bozo_company,dc=com objectClass: top objectClass: organizationalUnit ou: Special Users description: Special Administrative Accounts dn: cn=Accounting Managers,ou=groups,dc=bozo_company,dc=com objectClass: top objectClass: groupOfUniqueNames cn: Accounting Managers ou: groups description: People who can manage accounting entries uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com uniqueMember: uid=Replica,ou=People,dc=bozo_company,dc=com uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com dn: cn=HR Managers,ou=groups,dc=bozo_company,dc=com objectClass: top objectClass: groupOfUniqueNames cn: HR Managers ou: groups description: People who can manage HR entries uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com dn: cn=QA Managers,ou=groups,dc=bozo_company,dc=com objectClass: top objectClass: groupOfUniqueNames cn: QA Managers ou: groups description: People who can manage QA entries uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com dn: cn=PD Managers,ou=groups,dc=bozo_company,dc=com objectClass: top objectClass: groupOfUniqueNames cn: PD Managers ou: groups description: People who can manage engineer entries uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com dn: ou=Services,dc=bozo_company,dc=com ou: Services objectClass: top objectClass: organizationalUnit dn: ou=DML,ou=Services,dc=bozo_company,dc=com ou: DML objectClass: top objectClass: organizationalUnit dn: ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com ou: 1.0 objectClass: top objectClass: organizationalUnit dn: ou=UserForm,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com ou: UserForm objectClass: top objectClass: organizationalUnit dn: ou=Configuration,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com ou: Configuration objectClass: top objectClass: organizationalUnit dn: cn=Configuration:#ID#Configuration:SystemConfiguration,ou=Configuration,ou=1 .0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:SystemConfiguration dn: cn=Configuration:#ID#Configuration:CustomRoles,ou=Configuration,ou=1.0,ou=DM L,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:CustomRoles dn: cn=Configuration:#ID#Configuration:DmlManagedDirectory,ou=Configuration,ou=1 .0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DmlManagedDirectory dn: cn=UserForm:#ID#UserForm:DefaultUserForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic es,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultUserForm dn: cn=UserForm:#ID#UserForm:DefaultNtUserForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultNtUserForm dn: cn=UserForm:#ID#UserForm:DefaultHomeForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic es,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultHomeForm dn: cn=UserForm:#ID#UserForm:DefaultDMLObjectForm,ou=UserForm,ou=1.0,ou=DML,ou=S ervices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDMLObjectForm dn: cn=UserForm:#ID#UserForm:DefaultCreateForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultCreateForm dn: cn=UserForm:#ID#UserForm:DefaultObjectClassSelectionForm,ou=UserForm,ou=1.0, ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultObjectClassSelectionForm dn: cn=UserForm:#ID#UserForm:DefaultDisplayComponentFields,ou=UserForm,ou=1.0,ou =DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDisplayComponentFields dn: cn=UserForm:#ID#UserForm:DefaultEditFieldForm,ou=UserForm,ou=1.0,ou=DML,ou=S ervices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultEditFieldForm dn: cn=UserForm:#ID#UserForm:DefaultListFormsForm,ou=UserForm,ou=1.0,ou=DML,ou=S ervices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultListFormsForm dn: cn=UserForm:#ID#UserForm:DefaultEditFormForm,ou=UserForm,ou=1.0,ou=DML,ou=Se rvices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultEditFormForm dn: cn=UserForm:#ID#UserForm:DefaultGroupForm,ou=UserForm,ou=1.0,ou=DML,ou=Servi ces,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultGroupForm dn: cn=UserForm:#ID#UserForm:DefaultFindLibrary,ou=UserForm,ou=1.0,ou=DML,ou=Ser vices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultFindLibrary dn: cn=UserForm:#ID#UserForm:DefaultGroupFilterForm,ou=UserForm,ou=1.0,ou=DML,ou =Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultGroupFilterForm dn: cn=UserForm:#ID#UserForm:DefaultOuForm,ou=UserForm,ou=1.0,ou=DML,ou=Services ,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultOuForm dn: cn=UserForm:#ID#UserForm:DefaultDomainForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDomainForm dn: cn=UserForm:#ID#UserForm:DefaultLocalityForm,ou=UserForm,ou=1.0,ou=DML,ou=Se rvices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultLocalityForm dn: cn=UserForm:#ID#UserForm:DefaultFindForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic es,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultFindForm dn: cn=UserForm:#ID#UserForm:DefaultSearchConfigForm,ou=UserForm,ou=1.0,ou=DML,o u=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultSearchConfigForm dn: cn=Configuration:#ID#Configuration:DefaultSearchOptions,ou=Configuration,ou= 1.0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DefaultSearchOptions dn: cn=UserForm:#ID#UserForm:DefaultCOSTemplateForm,ou=UserForm,ou=1.0,ou=DML,ou =Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultCOSTemplateForm dn: cn=UserForm:#ID#UserForm:DefaultExtensionsEditForm,ou=UserForm,ou=1.0,ou=DML ,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultExtensionsEditForm dn: cn=UserForm:#ID#UserForm:DefaultManagedDirectoryForm,ou=UserForm,ou=1.0,ou=D ML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultManagedDirectoryForm dn: cn=UserForm:#ID#UserForm:DefaultOrganizationPickerForm,ou=UserForm,ou=1.0,ou =DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultOrganizationPickerForm dn: cn=UserForm:#ID#UserForm:DefaultListNamingAttributesForm,ou=UserForm,ou=1.0, ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultListNamingAttributesForm dn: cn=UserForm:#ID#UserForm:DefaultNamingAttributeForm,ou=UserForm,ou=1.0,ou=DM L,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultNamingAttributeForm dn: cn=UserForm:#ID#UserForm:DefaultRolesForm,ou=UserForm,ou=1.0,ou=DML,ou=Servi ces,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultRolesForm dn: cn=UserForm:#ID#UserForm:DefaultRoleForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic es,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultRoleForm dn: cn=UserForm:#ID#UserForm:DefaultDeleteForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDeleteForm dn: cn=UserForm:#ID#UserForm:DefaultDeleteGeneralPurposeForm,ou=UserForm,ou=1.0, ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDeleteGeneralPurposeForm dn: cn=UserForm:#ID#UserForm:DefaultEnableForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultEnableForm dn: cn=UserForm:#ID#UserForm:DefaultDisableForm,ou=UserForm,ou=1.0,ou=DML,ou=Ser vices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultDisableForm dn: cn=UserForm:#ID#UserForm:DefaultRenameForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultRenameForm dn: cn=UserForm:#ID#UserForm:DefaultConfigBackupRestoreForm,ou=UserForm,ou=1.0,o u=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultConfigBackupRestoreForm dn: cn=UserForm:#ID#UserForm:DefaultBrowseForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv ices,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultBrowseForm dn: cn=Configuration:#ID#Configuration:ComponentProperties,ou=Configuration,ou=1 .0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:ComponentProperties dn: cn=Configuration:#ID#Configuration:DefaultFormConfiguration,ou=Configuration ,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DefaultFormConfiguration dn: cn=Configuration:#ID#Configuration:DefaultRoles,ou=Configuration,ou=1.0,ou=D ML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DefaultRoles dn: cn=Configuration:#ID#Configuration:DefaultCapabilities,ou=Configuration,ou=1 .0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DefaultCapabilities dn: cn=Configuration:#ID#Configuration:DefaultNamingAttributesConfiguration,ou=C onfiguration,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:DefaultNamingAttributesConfiguration dn: cn=UserForm:#ID#UserForm:DefaultEditPasswordForm,ou=UserForm,ou=1.0,ou=DML,o u=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:DefaultEditPasswordForm dn: cn=Configuration:#ID#Configuration:WPSearchOptions,ou=Configuration,ou=1.0,o u=DML,ou=Services,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: Configuration:#ID#Configuration:WPSearchOptions dn: cn=UserForm:#ID#UserForm:WPSearchLibrary,ou=UserForm,ou=1.0,ou=DML,ou=Servic es,dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:WPSearchLibrary dn: cn=UserForm:#ID#UserForm:WPSearchForm,ou=UserForm,ou=1.0,ou=DML,ou=Services, dc=bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:WPSearchForm dn: cn=UserForm:#ID#UserForm:WPViewForm,ou=UserForm,ou=1.0,ou=DML,ou=Services,dc =bozo_company,dc=com objectClass: top objectClass: applicationProcess description:: cn: UserForm:#ID#UserForm:WPViewForm dn: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com sn: clownadmin ou: People ou: Special Users cn: clownadmin objectClass: top objectClass: person objectClass: organizationalPerson userPassword: {SHA}ZC/bQou6tU8wl3TJ6dCoSasxgVA= dn: uid=Replica,ou=People,dc=bozo_company,dc=com uid: Replica cn: Replica objectClass: account objectClass: posixAccount objectClass: top objectClass: shadowAccount userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx shadowLastChange: 13761 shadowMax: 99999 shadowWarning: 7 loginShell: /bin/bash uidNumber: 22222 gidNumber: 100 homeDirectory: /tmp gecos: Replica userid for slave LDAP servers dn: cn=david.m.barr,ou=People,dc=bozo_company,dc=com uid: david.m.barr sn: david.m.barr ou: People cn: david.m.barr objectClass: top objectClass: person objectClass: organizationalPerson objectClass: uidObject objectClass: pwdPolicyChecker objectClass: pwdPolicy pwdCheckModule:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX pwdAttribute: userPassword userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX dn: cn=Test.user02,ou=People,dc=bozo_company,dc=com uid: Test.user02 sn: Test.user02 ou: People cn: Test.user02 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: uidObject objectClass: pwdPolicyChecker objectClass: pwdPolicy pwdCheckModule:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX pwdAttribute: userPassword pwdLockout: TRUE userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX dn: cn=Test.user04,ou=People,dc=bozo_company,dc=com uid: Test.user04 sn: Test.user04 ou: People cn: Test.user04 objectClass: top objectClass: person objectClass: organizationalPerson objectClass: uidObject userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX dn: ou=Policies,dc=bozo_company,dc=com objectClass: top objectClass: organizationalUnit ou: Policies dn: cn=Password Policy,ou=Policies,dc=bozo_company,dc=com objectClass: top objectClass: pwdPolicy objectClass: person description: The default password policy pwdAllowUserChange: TRUE pwdAttribute: userPassword pwdCheckQuality: 2 pwdExpireWarning: 3600 pwdFailureCountInterval: 30 pwdGraceAuthNLimit: 5 pwdInHistory: 5 pwdLockout: TRUE pwdLockoutDuration: 0 pwdMaxAge: 5184000 pwdMaxFailure: 5 pwdMinAge: 3600 pwdMinLength: 5 pwdMustChange: TRUE pwdSafeModify: FALSE sn: Password Policy cn: Password Policy dn: ou=Standard Policy,ou=Policies,dc=bozo_company,dc=com objectClass: top objectClass: organizationalUnit objectClass: pwdPolicy objectClass: pwdPolicyChecker ou: Standard Policy pwdAttribute: userPassword pwdCheckQuality: 2 pwdMaxFailure: 3 pwdMustChange: TRUE pwdSafeModify: TRUE pwdLockoutDuration: 0 pwdCheckModule: ou=Standard Policy,ou=Policies,dc=bozo_company,dc=com pwdAllowUserChange: TRUE description: Standard Password Policy pwdMaxAge: 7776002 pwdExpireWarning: 432000 pwdFailureCountInterval: 120 pwdMinLength: 14 pwdInHistory: 10 pwdGraceAuthNLimit: 0 pwdMinAge: 86400 dn: cn=accesslogname,dc=bozo_company,dc=com objectClass: top objectClass: person objectClass: organizationalPerson ou: accesslogname description: accesslog sn: accesslogname cn: accesslogname dn: cn=john.d.doe,ou=People,dc=bozo_company,dc=com uid: john.d.doe sn: john.d.doe ou: People cn: john.d.doe objectClass: top objectClass: person objectClass: organizationalPerson objectClass: uidObject userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Anyone out there who can help? -David dbc(a)usa.net ________________________________ CONFIDENTIALITY NOTICE: The information contained in this electronic mail (email) transmission (including attachments), is intended by MCLANE ADVANCED TECHNOLOGIES for the use of the named individual or entity to which it is addressed and may contain information that is privileged, confidential and/or protected as a trade secret. It is not intended for transmission to, or receipt by, any individual or entity other than the named addressee(s). If you have received this email in error, please delete it (including attachments) and any copies thereof without printing, copying or forwarding it, and notify the sender of the error by email reply immediately.

8 17

recursion in olcLimits
by Mundry, Marvin 27 Dec '13

27 Dec '13

Hi, is there a way in openldap to define limits (search result size limits) for the members of a group and the members of sub groups of that group recursively (i.e. something like the setspec syntax for acls)? for acls the recursion could be done via: access to dn.subtree="ou=branch1,dc=organization,dc=com" by set="[cn=chiefcommanders,ou=groups,dc=organization,dc=com]/member* & user" manage the "group[/oc[/at]]=<pattern>" form what I understand does not allow to recursively resolve members of sub groups. Thanks, Marvin

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical December 2013