Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
*
Error:* Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;
sub procentry {
my ( $mesg, $entry) = @_;
# Return if there is no entry to process
if ( !defined($entry) ) {
return;
}
print "dn: " . $entry->dn() . "\n";
@attrs = $entry->attributes();
foreach $attr (@attrs) {
#printf("\t%s: %s\n", $attr, $entry->get_value($attr));
$attrvalue = $entry->get_value($attr,asref=>1);
#print $attr.":". $entry->get_value($attr)."\n";
foreach $value(@$attrvalue) {
print "$attr: $value\n";
}
}
$mesg->pop_entry;
print "\n";
}
$ldap = Net::LDAP->new( "localhost" );
# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
before => 0, # No entries from before target entry
after => 19, # 19 entries after target entry
content => 0, # List size unknown
offset => 1, # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
@args = ( base => "dc=example,dc=co,dc=in",
scope => "subtree",
filter => "(objectClass=inetOrgPerson)",
callback => \&procentry, # Call this sub for each entry
control => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control
*($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;*
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mes
# Now page with first entry starting with "B" in the middle
$vlv->before(9); # Change page to show 9 before
$vlv->after(10); # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or
die;
$vlv->response( $resp );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
DIT for an academic institution
by Shali 9846303531
Dear All,
I am new to these LDAP concepts , i have prepared a DIT for our
organization with two academic institutions with each institution having
different branches of study and also there is staff and students . i have
attached the DIT , if am going through a wrong way kindly guide me.
--
Thanks & Regards
Shali.K.R
Server Administrator
9 years, 6 months
Re: MDB_PAGE_FULL
by Pieter Martin
Hi,
I am using lmdb to implement a graph db via java JNI.
Initial results are amazing.
Anyhow I am having trouble with deletions.
I am getting MDB_PAGE_FULL when trying to delete.
A simplified version of the code is as follows.
//set the key
...
while ((rc = mdb_cursor_get(vertexCursor, &key, &data,
MDB_SET_RANGE)) == 0) {
rc = mdb_cursor_del(vertexCursor, 0);
if (rc != 0) {
printf("removeVertex 4 %i\n", rc);
goto fail;
}
//set the key
...
}
The mdb_cursor_del returns a error code -30786 (MDB_PAGE_FULL) on about
the 38th loop.
if there are very few entries then the exception does not happen.
Is there something obvious that I am doing wrong to cause a
MDB_PAGE_FULL exception?
Thanks
Pieter
9 years, 10 months
slapd "olcreadonly" and syncrepl
by Olivier
Hi everyone,
I just configured a directory tuning readonly in the backend database :
olcDatabase={1}bdb,cn=config
...
olcreadonly: TRUE
Good : now if I try to change anything I get an "Server is unwilling to
perform (53)"
from the server, for axample :
# ldappasswd -h localhost -D "uid=olivier,ou=people" -W -S
"uid=guillard,ou=people"
New password:
Re-enter new password:
Enter LDAP Password:
Result: Server is unwilling to perform (53)
Additional info: operation restricted
On the other hand, I also have configured this directory to get
synchronized on another ldap server through a syncrepl directive, and I see
that the ldap synchronization works properly: if I change my password an
the master ldap, it's propagated on my "readonly" slave one.
This is good since this is exactly what I want.
However I have not found the confirmation of this behaviour in the
documentation (may be I missed something), that's why I ask here :
Is it correct to configure a olcreadonly directory to be slave through
syncrepl to another one ?
Thanks,
---
Olivier
9 years, 11 months
acl problem
by Mundry, Marvin
I have encountered an effect that I believe is a bug, but I might be wrong.
It would be nice if someone could confirm that my acls should be working, or in case they should not, give me a hint what I am doing
wrong.
Here is what I am trying to archive:
* there is one ldap provider (master) server that contains all attributes that are relevant for my organisation
* on the master there is a user allowing a highly secured consumer(slave) ldap server the replication of all attributes from the
master
* on the master there is a user allowing a low-security consumer(slave) ldap server the replication of all attributes from the
master except some critical ones
* on the master there is a user (cn=provisioninguser) that can read the accesslog. it is used by scripts to e.g. notify non-ldap
systems of password changes.
I would like to put the acls for the replication users (high and low security ldap slaves) on the databases and not the frontend to
avoid accidental modifications. All other acls should be on the frontend.
If I configure all my acls on the frontend only everything works as I think it should. If some acls are on the database the results
are rather weird (
the cn=provisioninguser can see only one value of the multi-valued reqMod attribte)
The following acl snippet only deals with accesslog access which is where I encounter the problem:
dn: olcDatabase={2}hdb,cn=config
olcAccess: {0}to dn.subtree="cn=accesslog"
attrs=reqMod val.regex="^topSecretAttribute:.*"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" none
by * break
dn: olcDatabase={2}hdb,cn=config
olcAccess: {1}to dn.subtree="cn=accesslog"
by dn.base="cn=replicationuser,dc=organisation,dc=com" read
by dn.base="cn=replication_low_security,dc=organisation,dc=com" read
by * break
dn: olcDatabase={-1}frontend,cn=config
olcAccess: {0}to dn.subtree="cn=accesslog"
by dn.base="cn=provisioninguser,dc=organisation,dc=com" read
by * none
*if the acls 1,2 and 3 are on "olcDatabase={-1}frontend,cn=config" (which they are not in the example above)
cn=provisioninguser,dc=organisation,dc=com can read all values from the multi-valued attribute reqMod (which is what I want).
>ldapsearch -D cn=provisioninguser,dc=organisation,dc=com -w 123 -b cn=accesslog reqDN=cn=user1,dc=organisation,dc=com reqMod
dn: reqStart=20131227145130.000001Z,cn=accesslog
reqMod: userPassword:= {SSHA}bmyaw8Xy1UftlTorPDQE9yLzruoxDnGq
reqMod: topSecretAttribute:= topsecret
reqMod: pwdChangedTime:= 20131227145130Z
reqMod: entryCSN:= 20131227145130.917649Z#000000#000#000000
reqMod: modifiersName:= cn=admin
reqMod: modifyTimestamp:= 20131227145130Z
*if the acls 1 and 2 are on "olcDatabase={2}hdb,cn=config" and the 3rd one is on "olcDatabase={-1}frontend,cn=config"
cn=provisioninguser,dc=organisation,dc=com can read only one value from the multi-valued attribute reqMod (why?).
>ldapsearch -D cn=provisioninguser,dc=organisation,dc=com -w 123 -b cn=accesslog reqDN=cn=user1,dc=organisation,dc=com reqMod
dn: reqStart=20131227145130.000001Z,cn=accesslog
reqMod: userPassword:= {SSHA}bmyaw8Xy1UftlTorPDQE9yLzruoxDnGq
Best regards,
Marvin Mundry
University of Hamburg
Regional Computer Center (RRZ)
Division Zentrale Dienste
Schlueterstrasse 70
20146 Hamburg
+49 (0)40 42838-9109
9 years, 11 months
"LDAP Injection" attacks
by Howard Chu
A paper and presentation making the rounds, claiming to show how webapps using
LDAP are vulnerable to search filter spoofing attacks.
http://www.youtube.com/watch?v=wtahzm_R8e4
http://www.blackhat.com/presentations/bh-europe-08/Alonso-Parada/Whitepap...
Can't imagine that work like this gets peer-reviewed, because it's mostly
garbage. They concoct a scenario in section 4.1.1 of their paper, supposedly
showing how filter manipulation can allow a webapp user to bypass LDAP-based
authentication. It's ridiculous drivel though, since LDAP-based authentication
uses Bind requests and not search filters. Most LDAP deployments don't even
give search/compare access to userPassword attributes in the first place.
Just in case anybody out there might be bitten by this info - client-enforced
security is no security at all. This is why slapd has such an extensive ACL
engine - you enforce access controls on the server, and then it doesn't matter
what kind of garbage requests your clients send to you, they can only ever
access information that they were allowed to access. This is also why the old
pam_ldap authorization scheme was such a bad idea, it relied on the LDAP
client (pam_ldap) to correctly implement authorization, instead of the server.
(Multiply that by hundreds or thousands of clients and you have an
unmanageable, insecurable mess.) This is why we have nssov today.
Of course, this is no excuse to be sloppy when writing your web apps. But if
you've configured ACLs to adequately protect your data, then it doesn't matter
how sloppy your clients are.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
9 years, 11 months
write access issue
by Umar Draz
Hi
I am trying to rename the (dn) entry through a normal user which is first
authenticate it self, but I there is an error while renaming the dn entry
text=no write access to old parent's children
here is my slapd.conf access settings.
# Sample access control policy:
access to attrs=userPassword,shadowLastChange
by self write
by dn="cn=admin,dc=mydomain,dc=com" write
by * auth
access to *
by self write
by dn="cn=admin,dc=mydom,dc=com" write
by * read
Would you please help, what I need to set?
Br.
Umar
9 years, 11 months
Oracle OpenLDAP PPolicy ppolicy and the hierarchy
by David Barr
In Use: Oracle OpenLDAP 2.4.30, I cannot change to the OpenLDAP version that one can compile.
Problem: I have the module and overlay in the conf files and slaptest says it's fine. Both files are from Openldap.org version 2.4.37But how do I test it?
I have created unix shell scripts to do actions like add, delete, modify, view, etc. I can share these if requested.
But I am unsure on the lock, unlock, policy stuff.
Also, How should the OpenLDAP hierarchy look?
Here's mine:
dn: dc=bozo_company,dc=com
ou: com
objectClass: dcObject
objectClass: organizationalUnit
objectClass: top
dc: bozo_company
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dn: cn=Directory Administrators,dc=bozo_company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Directory Administrators
uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com
dn: ou=Groups,dc=bozo_company,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Groups
dn: ou=People,dc=bozo_company,dc=com
objectClass: top
objectClass: organizationalUnit
ou: People
dn: ou=Special Users,dc=bozo_company,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Special Users
description: Special Administrative Accounts
dn: cn=Accounting Managers,ou=groups,dc=bozo_company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: Accounting Managers
ou: groups
description: People who can manage accounting entries
uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
uniqueMember: uid=Replica,ou=People,dc=bozo_company,dc=com
uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com
dn: cn=HR Managers,ou=groups,dc=bozo_company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: HR Managers
ou: groups
description: People who can manage HR entries
uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com
dn: cn=QA Managers,ou=groups,dc=bozo_company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: QA Managers
ou: groups
description: People who can manage QA entries
uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com
dn: cn=PD Managers,ou=groups,dc=bozo_company,dc=com
objectClass: top
objectClass: groupOfUniqueNames
cn: PD Managers
ou: groups
description: People who can manage engineer entries
uniqueMember: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
uniqueMember: cn=david.barr,ou=People,dc=bozo_company,dc=com
dn: ou=Services,dc=bozo_company,dc=com
ou: Services
objectClass: top
objectClass: organizationalUnit
dn: ou=DML,ou=Services,dc=bozo_company,dc=com
ou: DML
objectClass: top
objectClass: organizationalUnit
dn: ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
ou: 1.0
objectClass: top
objectClass: organizationalUnit
dn: ou=UserForm,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
ou: UserForm
objectClass: top
objectClass: organizationalUnit
dn: ou=Configuration,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
ou: Configuration
objectClass: top
objectClass: organizationalUnit
dn: cn=Configuration:#ID#Configuration:SystemConfiguration,ou=Configuration,ou=1
.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:SystemConfiguration
dn: cn=Configuration:#ID#Configuration:CustomRoles,ou=Configuration,ou=1.0,ou=DM
L,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:CustomRoles
dn: cn=Configuration:#ID#Configuration:DmlManagedDirectory,ou=Configuration,ou=1
.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DmlManagedDirectory
dn: cn=UserForm:#ID#UserForm:DefaultUserForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic
es,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultUserForm
dn: cn=UserForm:#ID#UserForm:DefaultNtUserForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultNtUserForm
dn: cn=UserForm:#ID#UserForm:DefaultHomeForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic
es,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultHomeForm
dn: cn=UserForm:#ID#UserForm:DefaultDMLObjectForm,ou=UserForm,ou=1.0,ou=DML,ou=S
ervices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDMLObjectForm
dn: cn=UserForm:#ID#UserForm:DefaultCreateForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultCreateForm
dn: cn=UserForm:#ID#UserForm:DefaultObjectClassSelectionForm,ou=UserForm,ou=1.0,
ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultObjectClassSelectionForm
dn: cn=UserForm:#ID#UserForm:DefaultDisplayComponentFields,ou=UserForm,ou=1.0,ou
=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDisplayComponentFields
dn: cn=UserForm:#ID#UserForm:DefaultEditFieldForm,ou=UserForm,ou=1.0,ou=DML,ou=S
ervices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultEditFieldForm
dn: cn=UserForm:#ID#UserForm:DefaultListFormsForm,ou=UserForm,ou=1.0,ou=DML,ou=S
ervices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultListFormsForm
dn: cn=UserForm:#ID#UserForm:DefaultEditFormForm,ou=UserForm,ou=1.0,ou=DML,ou=Se
rvices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultEditFormForm
dn: cn=UserForm:#ID#UserForm:DefaultGroupForm,ou=UserForm,ou=1.0,ou=DML,ou=Servi
ces,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultGroupForm
dn: cn=UserForm:#ID#UserForm:DefaultFindLibrary,ou=UserForm,ou=1.0,ou=DML,ou=Ser
vices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultFindLibrary
dn: cn=UserForm:#ID#UserForm:DefaultGroupFilterForm,ou=UserForm,ou=1.0,ou=DML,ou
=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultGroupFilterForm
dn: cn=UserForm:#ID#UserForm:DefaultOuForm,ou=UserForm,ou=1.0,ou=DML,ou=Services
,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultOuForm
dn: cn=UserForm:#ID#UserForm:DefaultDomainForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDomainForm
dn: cn=UserForm:#ID#UserForm:DefaultLocalityForm,ou=UserForm,ou=1.0,ou=DML,ou=Se
rvices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultLocalityForm
dn: cn=UserForm:#ID#UserForm:DefaultFindForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic
es,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultFindForm
dn: cn=UserForm:#ID#UserForm:DefaultSearchConfigForm,ou=UserForm,ou=1.0,ou=DML,o
u=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultSearchConfigForm
dn: cn=Configuration:#ID#Configuration:DefaultSearchOptions,ou=Configuration,ou=
1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DefaultSearchOptions
dn: cn=UserForm:#ID#UserForm:DefaultCOSTemplateForm,ou=UserForm,ou=1.0,ou=DML,ou
=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultCOSTemplateForm
dn: cn=UserForm:#ID#UserForm:DefaultExtensionsEditForm,ou=UserForm,ou=1.0,ou=DML
,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultExtensionsEditForm
dn: cn=UserForm:#ID#UserForm:DefaultManagedDirectoryForm,ou=UserForm,ou=1.0,ou=D
ML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultManagedDirectoryForm
dn: cn=UserForm:#ID#UserForm:DefaultOrganizationPickerForm,ou=UserForm,ou=1.0,ou
=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultOrganizationPickerForm
dn: cn=UserForm:#ID#UserForm:DefaultListNamingAttributesForm,ou=UserForm,ou=1.0,
ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultListNamingAttributesForm
dn: cn=UserForm:#ID#UserForm:DefaultNamingAttributeForm,ou=UserForm,ou=1.0,ou=DM
L,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultNamingAttributeForm
dn: cn=UserForm:#ID#UserForm:DefaultRolesForm,ou=UserForm,ou=1.0,ou=DML,ou=Servi
ces,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultRolesForm
dn: cn=UserForm:#ID#UserForm:DefaultRoleForm,ou=UserForm,ou=1.0,ou=DML,ou=Servic
es,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultRoleForm
dn: cn=UserForm:#ID#UserForm:DefaultDeleteForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDeleteForm
dn: cn=UserForm:#ID#UserForm:DefaultDeleteGeneralPurposeForm,ou=UserForm,ou=1.0,
ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDeleteGeneralPurposeForm
dn: cn=UserForm:#ID#UserForm:DefaultEnableForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultEnableForm
dn: cn=UserForm:#ID#UserForm:DefaultDisableForm,ou=UserForm,ou=1.0,ou=DML,ou=Ser
vices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultDisableForm
dn: cn=UserForm:#ID#UserForm:DefaultRenameForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultRenameForm
dn: cn=UserForm:#ID#UserForm:DefaultConfigBackupRestoreForm,ou=UserForm,ou=1.0,o
u=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultConfigBackupRestoreForm
dn: cn=UserForm:#ID#UserForm:DefaultBrowseForm,ou=UserForm,ou=1.0,ou=DML,ou=Serv
ices,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultBrowseForm
dn: cn=Configuration:#ID#Configuration:ComponentProperties,ou=Configuration,ou=1
.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:ComponentProperties
dn: cn=Configuration:#ID#Configuration:DefaultFormConfiguration,ou=Configuration
,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DefaultFormConfiguration
dn: cn=Configuration:#ID#Configuration:DefaultRoles,ou=Configuration,ou=1.0,ou=D
ML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DefaultRoles
dn: cn=Configuration:#ID#Configuration:DefaultCapabilities,ou=Configuration,ou=1
.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DefaultCapabilities
dn: cn=Configuration:#ID#Configuration:DefaultNamingAttributesConfiguration,ou=C
onfiguration,ou=1.0,ou=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:DefaultNamingAttributesConfiguration
dn: cn=UserForm:#ID#UserForm:DefaultEditPasswordForm,ou=UserForm,ou=1.0,ou=DML,o
u=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:DefaultEditPasswordForm
dn: cn=Configuration:#ID#Configuration:WPSearchOptions,ou=Configuration,ou=1.0,o
u=DML,ou=Services,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: Configuration:#ID#Configuration:WPSearchOptions
dn: cn=UserForm:#ID#UserForm:WPSearchLibrary,ou=UserForm,ou=1.0,ou=DML,ou=Servic
es,dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:WPSearchLibrary
dn: cn=UserForm:#ID#UserForm:WPSearchForm,ou=UserForm,ou=1.0,ou=DML,ou=Services,
dc=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:WPSearchForm
dn: cn=UserForm:#ID#UserForm:WPViewForm,ou=UserForm,ou=1.0,ou=DML,ou=Services,dc
=bozo_company,dc=com
objectClass: top
objectClass: applicationProcess
description::
cn: UserForm:#ID#UserForm:WPViewForm
dn: cn=clownadmin,ou=Special Users,dc=bozo_company,dc=com
sn: clownadmin
ou: People
ou: Special Users
cn: clownadmin
objectClass: top
objectClass: person
objectClass: organizationalPerson
userPassword: {SHA}ZC/bQou6tU8wl3TJ6dCoSasxgVA=
dn: uid=Replica,ou=People,dc=bozo_company,dc=com
uid: Replica
cn: Replica
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
userPassword: {SSHA}xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
shadowLastChange: 13761
shadowMax: 99999
shadowWarning: 7
loginShell: /bin/bash
uidNumber: 22222
gidNumber: 100
homeDirectory: /tmp
gecos: Replica userid for slave LDAP servers
dn: cn=david.m.barr,ou=People,dc=bozo_company,dc=com
uid: david.m.barr
sn: david.m.barr
ou: People
cn: david.m.barr
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdCheckModule:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdAttribute: userPassword
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dn: cn=Test.user02,ou=People,dc=bozo_company,dc=com
uid: Test.user02
sn: Test.user02
ou: People
cn: Test.user02
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
objectClass: pwdPolicyChecker
objectClass: pwdPolicy
pwdCheckModule:: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
pwdAttribute: userPassword
pwdLockout: TRUE
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dn: cn=Test.user04,ou=People,dc=bozo_company,dc=com
uid: Test.user04
sn: Test.user04
ou: People
cn: Test.user04
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
dn: ou=Policies,dc=bozo_company,dc=com
objectClass: top
objectClass: organizationalUnit
ou: Policies
dn: cn=Password Policy,ou=Policies,dc=bozo_company,dc=com
objectClass: top
objectClass: pwdPolicy
objectClass: person
description: The default password policy
pwdAllowUserChange: TRUE
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdExpireWarning: 3600
pwdFailureCountInterval: 30
pwdGraceAuthNLimit: 5
pwdInHistory: 5
pwdLockout: TRUE
pwdLockoutDuration: 0
pwdMaxAge: 5184000
pwdMaxFailure: 5
pwdMinAge: 3600
pwdMinLength: 5
pwdMustChange: TRUE
pwdSafeModify: FALSE
sn: Password Policy
cn: Password Policy
dn: ou=Standard Policy,ou=Policies,dc=bozo_company,dc=com
objectClass: top
objectClass: organizationalUnit
objectClass: pwdPolicy
objectClass: pwdPolicyChecker
ou: Standard Policy
pwdAttribute: userPassword
pwdCheckQuality: 2
pwdMaxFailure: 3
pwdMustChange: TRUE
pwdSafeModify: TRUE
pwdLockoutDuration: 0
pwdCheckModule: ou=Standard Policy,ou=Policies,dc=bozo_company,dc=com
pwdAllowUserChange: TRUE
description: Standard Password Policy
pwdMaxAge: 7776002
pwdExpireWarning: 432000
pwdFailureCountInterval: 120
pwdMinLength: 14
pwdInHistory: 10
pwdGraceAuthNLimit: 0
pwdMinAge: 86400
dn: cn=accesslogname,dc=bozo_company,dc=com
objectClass: top
objectClass: person
objectClass: organizationalPerson
ou: accesslogname
description: accesslog
sn: accesslogname
cn: accesslogname
dn: cn=john.d.doe,ou=People,dc=bozo_company,dc=com
uid: john.d.doe
sn: john.d.doe
ou: People
cn: john.d.doe
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: uidObject
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Anyone out there who can help?
-David
dbc(a)usa.net
________________________________
CONFIDENTIALITY NOTICE: The information contained in this electronic mail (email) transmission (including attachments), is intended by MCLANE ADVANCED TECHNOLOGIES for the use of the named individual or entity to which it is addressed and may contain information that is privileged, confidential and/or protected as a trade secret. It is not intended for transmission to, or receipt by, any individual or entity other than the named addressee(s). If you have received this email in error, please delete it (including attachments) and any copies thereof without printing, copying or forwarding it, and notify the sender of the error by email reply immediately.
9 years, 11 months
recursion in olcLimits
by Mundry, Marvin
Hi,
is there a way in openldap to define limits (search result size limits) for the members of a group and the members of sub groups of
that group recursively (i.e. something like the setspec syntax for acls)?
for acls the recursion could be done via:
access to
dn.subtree="ou=branch1,dc=organization,dc=com"
by set="[cn=chiefcommanders,ou=groups,dc=organization,dc=com]/member* & user" manage
the "group[/oc[/at]]=<pattern>" form what I understand does not allow to recursively resolve members of sub groups.
Thanks,
Marvin
9 years, 11 months
