Virtual list view problem
by Venish Khant
Hi all
I am using cpan Net::LDAP module to access LDAP entries. I want to
search LDAP entries using Net::LDAP search method. When I do search, I
want some limited number of entries from search result, for
this(searching) process I am using Net::LDAP::Control::VLV module. But
I get error on VLV response control. Please, any one have idea about
this error.
Error: Died at vlv.pl line 50.
This is my example. Line 50 is marked with a comment.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Callback invoked for every entry the search returns
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    if ( !defined($entry) ) {
        return;
    }
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        #printf("\t%s: %s\n", $attr, $entry->get_value($attr));
        # asref => 1 returns every value of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        #print $attr.":". $entry->get_value($attr)."\n";
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,      # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50 of vlv.pl, where the script dies
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
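Added example (mine, not from the thread or the Net::LDAP documentation): the bare `or die` on line 50 fires whenever the search result carries no VLV response control, but it does not say why. A server silently ignores a non-critical control it does not implement, and VLV also depends on the server-side sort control (OpenLDAP, for instance, advertises both only when the sssvlv overlay is loaded). The script below assumes the same host and base as the post, checks the root DSE for both request controls before searching, and then reports the LDAP result code and both response controls instead of dying without a message.

```perl
#!/usr/bin/perl
# Added example: diagnose a VLV search with Net::LDAP instead of a bare "or die".
# Assumed values: host "localhost" and base "dc=example,dc=co,dc=in" (from the post).
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_VLV LDAP_CONTROL_VLVRESPONSE
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
    LDAP_SUCCESS
);

my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";
my $mesg = $ldap->bind;    # anonymous bind; use a DN and password in practice
die 'bind failed: ' . $mesg->error if $mesg->code;

# 1. Does the server advertise the two controls a VLV search needs?
#    VLV is defined on top of server-side sorting, so both must be present.
my $dse = $ldap->root_dse( attrs => ['supportedControl'] )
    or die "could not read the root DSE\n";
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLV ) {
    die "server does not advertise control $oid; a VLV search cannot work here\n"
        unless $dse->supported_control($oid);
}

# 2. Same first page as the post, but look at the result code afterwards.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my $vlv  = Net::LDAP::Control::VLV->new(
    before => 0, after => 19, content => 0, offset => 1,
);

$mesg = $ldap->search(
    base    => $base,
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    control => [ $sort, $vlv ],
);
if ( $mesg->code != LDAP_SUCCESS ) {
    die sprintf "search failed: %s (%d)\n", $mesg->error, $mesg->code;
}

# 3. A non-critical control may be ignored without an error, so check that
#    both response controls actually came back before trusting the page.
my ($sort_res) = $mesg->control(LDAP_CONTROL_SORTRESULT);
my ($vlv_res)  = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
die "no sort-result control in the reply: the server ignored the sort request\n"
    unless $sort_res;
die "no VLV response control in the reply: the server ignored the VLV request\n"
    unless $vlv_res;
printf "sort result code %d, VLV result code %d, list size %d\n",
    $sort_res->result, $vlv_res->result, $vlv_res->content;

$vlv->response($vlv_res);    # carries the context cookie into the next page
printf "dn: %s\n", $_->dn for $mesg->entries;
$ldap->unbind;
```

Run it against the same server as vlv.pl: if it stops at step 1, the directory does not offer VLV at all and no client-side change will help; if it stops at step 3, the controls were accepted but not honoured, which is what the bare `die` in the original was hiding.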
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 3 months
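Since the post contrasts HOTP (RFC 4226) with the OPIE/S/Key style OTP that SASL already offers, here is the HOTP computation written out in Perl, with the server-side verification loop a directory or SASL backend would run. This is an added example, not dynalogin's code; it uses only the core Digest::SHA module, and the secret and expected values come from the test vectors in RFC 4226 appendix D.

```perl
#!/usr/bin/perl
# Added example: HOTP (RFC 4226) and its server-side check, not dynalogin's code.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

# HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits  (RFC 4226, section 5.3)
sub hotp {
    my ( $secret, $counter, $digits ) = @_;
    $digits //= 6;
    # C is an 8-byte big-endian counter
    my $c   = pack( 'N2', int( $counter / 2**32 ), $counter % 2**32 );
    my $hs  = hmac_sha1( $c, $secret );               # 20-byte HMAC-SHA-1
    my $off = ord( substr( $hs, 19, 1 ) ) & 0x0f;     # dynamic offset: low nibble of last byte
    my $bin = unpack( 'N', substr( $hs, $off, 4 ) ) & 0x7fffffff;
    return sprintf( '%0*d', $digits, $bin % 10**$digits );
}

# Constant-time comparison so the verifier does not leak how many leading
# digits of a guess were right.
sub same_code {
    my ( $x, $y ) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord( substr( $x, $_, 1 ) ) ^ ord( substr( $y, $_, 1 ) )
        for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server-side validation with a look-ahead window (RFC 4226, section 7.2).
# Returns the counter value to store on success, undef on failure. The stored
# counter always moves past an accepted code, so a code cannot be replayed.
sub verify_hotp {
    my ( $secret, $stored_counter, $candidate, $window ) = @_;
    $window //= 5;
    for my $i ( 0 .. $window - 1 ) {
        my $c = $stored_counter + $i;
        return $c + 1 if same_code( hotp( $secret, $c ), $candidate );
    }
    return undef;
}

# RFC 4226 appendix D test vector: 20-byte ASCII secret, counters 0..9
my $secret = '12345678901234567890';
printf "counter %d -> %s\n", $_, hotp( $secret, $_ ) for 0 .. 9;
# counter 0 -> 755224, 1 -> 287082, 2 -> 359152, 3 -> 969429, ...

my $counter = 0;
my $next = verify_hotp( $secret, $counter, '287082' );   # counter 1, inside the window
print defined $next ? "accepted, store counter $next\n" : "rejected\n";
# The same code presented again must fail, because the counter has advanced.
print defined verify_hotp( $secret, $next, '287082' ) ? "replay accepted?!\n"
                                                       : "replay rejected\n";
```

The look-ahead window is what makes the "user may use either password or HOTP code" requirement safe in practice: a code that is skipped on the device is still accepted within the window, while a code that was already used is never accepted twice.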
trouble with slapo-pcache
by btb@bitrate.net
hi-
i'm having a few different issues with slapo-pcache. i did a bit of searching in the ITS and did not find any items which seemed to match my symptoms. i'm using 2.4.31, on ubuntu 12.10.
the first is that i seem to not be able to add, via ldapadd, additional olcPcacheTemplate attributes to the config entry. i was able to add the first one using ldapadd, but subsequent modify operations to add another complain "no equality matching rule":
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(uid=)" 0 3600
>cat template.ldif
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
changetype: modify
add: olcPcacheTemplate
olcPcacheTemplate: "(cn=)" 0 3600
>ldapadd -ZZxWH 'ldap://localhost/' -D 'cn=config' -f template.ldif
Enter LDAP Password:
modifying entry "olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
ldap_modify: Inappropriate matching (18)
additional info: modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 STARTTLS
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 ACCEPT from IP=127.0.0.1:32916 (IP=0.0.0.0:389)
Oct 29 20:01:30 dsa1 slapd[8250]: conn=1003 fd=12 TLS established tls_ssf=128 ssf=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" method=128
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 BIND dn="cn=config" mech=SIMPLE ssf=0
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 29 20:01:32 dsa1 slapd[8250]: connection_input: conn=1003 deferring operation: binding
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD dn="olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config"
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 MOD attr=olcPcacheTemplate
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=2 RESULT tag=103 err=18 text=modify/add: olcPcacheTemplate: no equality matching rule
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 op=3 UNBIND
Oct 29 20:01:32 dsa1 slapd[8250]: conn=1003 fd=12 closed
adding the attribute "manually" [e.g. slapcat, modify ldif, slapadd] seems to be fine:
>ldapsearch -LLLZZxWH 'ldap://localhost/' -D 'cn=config' -b 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config' -s base
Enter LDAP Password:
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectclass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
my second problem is with caching when slapo-nssov is involved. it appears to not cache [QUERY NOT ANSWERABLE/QUERY NOT CACHEABLE] when a query occurs via nss:
>getent passwd flash
flash:x:2013:2013:flash gordon:/home/flash:/bin/bash
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: 11r
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: daemon: read active on 11
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11)
Oct 31 08:42:15 deepfield slapd[12862]: connection_get(11): got connid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov: connection from uid=0 gid=0
Oct 31 08:42:15 deepfield slapd[12862]: nssov_passwd_byname(flash)
Oct 31 08:42:15 deepfield slapd[12862]: str2filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: AND
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: begin get_filter
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:42:15 deepfield slapd[12862]: EQUALITY
Oct 31 08:42:15 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]:
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter_list
Oct 31 08:42:15 deepfield slapd[12862]: end get_filter 0
Oct 31 08:42:15 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT ANSWERABLE
Oct 31 08:42:15 deepfield slapd[12862]: QUERY NOT CACHEABLE
Oct 31 08:42:15 deepfield slapd[12862]: =>ldap_back_getconn: conn 0xb51f8ee8 fetched refcnt=1.
Oct 31 08:42:15 deepfield slapd[12862]: => ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:42:15 deepfield slapd[12862]: <= ldap_back_munge_filter "(&(objectClass=posixAccount)(uid=flash))" (0)
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:42:15 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: conn=-1 op=0 p=0
Oct 31 08:42:15 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
although i believe i have a matching query template defined in the config:
dn: olcDatabase={2}ldap,cn=config
objectClass: olcLDAPConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {2}ldap
olcSuffix: dc=example,dc=net
olcLastMod: TRUE
olcReadOnly: TRUE
olcRootDN: uid=dit_admin,ou=role_accounts,ou=accounts,dc=example,dc=net
olcMonitoring: TRUE
olcDbURI: ldap://dsa1.example.net/
olcDbStartTLS: start tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbACLBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx" starttls="critical" tls_cacert="/etc/pki/trusted_roots/example_networks_root_ca-cert.pem" tls_reqcert="demand"
olcDbIDAssertBind: bindmethod=simple binddn="cn=slapd,ou=deepfield,ou=services,ou=accounts,dc=example,dc=net" credentials="xxxxxxxxxxxxxxx"
structuralObjectClass: olcLDAPConfig
entryUUID: f24e435a-b35a-1031-8f37-336141b7bc90
creatorsName: cn=config
createTimestamp: 20121026014812Z
entryCSN: 20121031023501.089672Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031023501Z
dn: olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {0}pcache
olcPcache: mdb 1000 100 1000 60
olcPcacheAttrset: 0 "*" "+"
olcPcacheTemplate: "(objectClass=)" 0 3600
olcPcacheTemplate: "(uid=)" 0 3600
olcPcacheTemplate: "(&(objectClass=)(uid=))" 0 3600
olcPcacheBind: "(uid=)" 0 60 "sub" "dc=example,dc=net"
structuralObjectClass: olcPcacheConfig
entryUUID: ddb05d7e-b4fa-1031-811e-353e11fff366
creatorsName: cn=config
createTimestamp: 20121028032528Z
entryCSN: 20121030002115.179177Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121030002115Z
dn: olcDatabase={0}mdb,olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config
objectClass: olcPcacheDatabase
objectClass: olcMdbConfig
objectClass: olcDatabaseConfig
objectClass: olcConfig
objectClass: top
olcDatabase: {0}mdb
olcDbDirectory: /var/lib/ldap/example.net/
olcLastMod: TRUE
olcMaxDerefDepth: 15
olcDbNoSync: FALSE
olcDbIndex: certfingerprint eq
olcDbIndex: cn eq
olcDbIndex: default eq
olcDbIndex: description eq
olcDbIndex: entrycsn eq
olcDbIndex: entryuuid eq
olcDbIndex: gidnumber pres,eq
olcDbIndex: host eq
olcDbIndex: iphostnumber eq
olcDbIndex: ipserviceport eq
olcDbIndex: ipserviceprotocol eq
olcDbIndex: mail eq
olcDbIndex: maillocaladdress eq
olcDbIndex: member eq
olcDbIndex: memberof eq
olcDbIndex: memberuid eq
olcDbIndex: objectclass eq
olcDbIndex: rfc822mailmember eq
olcDbIndex: sudoUser eq
olcDbIndex: uid pres,eq,sub
olcDbIndex: uidnumber pres,eq
olcDbMode: 0600
olcDbSearchStack: 16
structuralObjectClass: olcMdbConfig
entryUUID: 88b37716-b590-1031-8c75-439de7087923
creatorsName: cn=config
createTimestamp: 20121028211650Z
entryCSN: 20121029021315.039143Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121029021315Z
dn: olcOverlay={1}nssov,olcDatabase={2}ldap,cn=config
objectClass: olcNssOvConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
olcOverlay: {1}nssov
olcNssMap: group uniquemember member
olcNssPam: authz2dn hostservice
olcNssPamSession: sshd
olcNssPamSession: login
structuralObjectClass: olcNssOvConfig
entryUUID: 47ecaef0-b73e-1031-8761-9f0bff5d3212
creatorsName: cn=config
createTimestamp: 20121031003305Z
entryCSN: 20121031003305.637051Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20121031003305Z
and if i perform the same query using ldapsearch:
>ldapsearch -LLLZZxH 'ldap://localhost/' -D 'uid=flash,ou=people,ou=accounts,dc=example,dc=net' -w 'test' '(&(objectClass=posixAccount)(uid=flash))'
dn: uid=flash,ou=people,ou=accounts,dc=example,dc=net
initials: fg
givenName: flash
loginShell: /bin/bash
uidNumber: 2013
gidNumber: 2013
uid: flash
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: inetOrgPerson
objectClass: organizationalPerson
objectClass: person
objectClass: extensibleObject
c: us
homeDirectory: /home/flash
sn: gordon
cn: flash gordon
displayName: flash_gordon
mail: user(a)example.com
it does seem to cache it:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: slap_listener_activate(8):
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 busy
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: >>> slap_listener(ldap:///)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: listen=8, new connection on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: added 18r (active) listener=(nil)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 ACCEPT from IP=127.0.0.1:37220 (IP=0.0.0.0:389)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x77, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 do_extended
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 EXT oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: do_extended: oid=1.3.6.1.4.1.1466.20037
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 STARTTLS
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_extended: err=0 oid= len=0
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=1 tag=120 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=0 RESULT oid= err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): unable to get TLS client DN, error=49 id=1003
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 fd=18 TLS established tls_ssf=128 ssf=128
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x60, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 do_bind
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <uid=flash,ou=people,ou=accounts,dc=example,dc=net>, <uid=flash,ou=people,ou=accounts,dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: version=3 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" method=128
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: ndn: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: oc: "(null)", at: "(null)"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_get: found entry: "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: mdb_entry_get: rc=0
Oct 31 08:55:37 deepfield slapd[12862]: str2filter "(uid=flash)"
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e250
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 5 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "entry" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: base_candidates: base: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" (0x00000004)
Oct 31 08:55:37 deepfield slapd[12862]: => test_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access to "uid=flash,ou=people,ou=accounts,dc=example,dc=net" "uid" requested
Oct 31 08:55:37 deepfield slapd[12862]: <= root access granted
Oct 31 08:55:37 deepfield slapd[12862]: => access_allowed: search access granted by manage(=mwrscxd)
Oct 31 08:55:37 deepfield slapd[12862]: <= test_filter 6
Oct 31 08:55:37 deepfield slapd[12862]: pc_bind_search: cache is stale, reftime: 1351688135, current time: 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: =>ldap_back_getconn: conn=1003 op=1: lc=0xb38f9788 inserted refcnt=1 rc=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 BIND dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net" mech=SIMPLE ssf=0
Oct 31 08:55:37 deepfield slapd[12862]: do_bind: v3 bind: "uid=flash,ou=people,ou=accounts,dc=example,dc=net" to "uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: pc_setpw: CACHING BIND for uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("uid=flash,ou=people,ou=accounts,dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x4
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_decode
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: 0x00000004: uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= acl_access_allowed: granted to database root
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify_internal: replace userPassword
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_entry_encode(0x00000004): uid=flash,ou=people,ou=accounts,dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: mdb_modify: updated id=00000004 dn="uid=flash,ou=people,ou=accounts,dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: conn=1003 op=1 p=3
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_result: err=0 matched="" text=""
Oct 31 08:55:37 deepfield slapd[12862]: send_ldap_response: msgid=2 tag=97 err=0
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=1 RESULT tag=97 err=0 text=
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]: 18r
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: read active on 18
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18)
Oct 31 08:55:37 deepfield slapd[12862]: connection_get(18): got connid=1003
Oct 31 08:55:37 deepfield slapd[12862]: connection_read(18): checking for input on id=1003
Oct 31 08:55:37 deepfield slapd[12862]: op tag 0x63, time 1351688137
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 do_search
Oct 31 08:55:37 deepfield slapd[12862]: >>> dnPrettyNormal: <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: <<< dnPrettyNormal: <dc=example,dc=net>, <dc=example,dc=net>
Oct 31 08:55:37 deepfield slapd[12862]: SRCH "dc=example,dc=net" 2 0
Oct 31 08:55:37 deepfield slapd[12862]: 0 60 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: AND
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on 1 descriptor
Oct 31 08:55:37 deepfield slapd[12862]: daemon: activity on:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=8 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: daemon: epoll: listen=9 active_threads=0 tvp=zero
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: begin get_filter
Oct 31 08:55:37 deepfield slapd[12862]: EQUALITY
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter_list
Oct 31 08:55:37 deepfield slapd[12862]: end get_filter 0
Oct 31 08:55:37 deepfield slapd[12862]: filter: (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: attrs:
Oct 31 08:55:37 deepfield slapd[12862]:
Oct 31 08:55:37 deepfield slapd[12862]: conn=1003 op=2 SRCH base="dc=example,dc=net" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=flash))"
Oct 31 08:55:37 deepfield slapd[12862]: ==> limits_get: conn=1003 op=2 self="uid=flash,ou=people,ou=accounts,dc=example,dc=net" this="dc=example,dc=net"
Oct 31 08:55:37 deepfield slapd[12862]: query template of incoming query = (&(objectClass=)(uid=))
Oct 31 08:55:37 deepfield slapd[12862]: Entering QC, querystr = (&(objectClass=posixAccount)(uid=flash))
Oct 31 08:55:37 deepfield slapd[12862]: Lock QC index = 0xb867e350
Oct 31 08:55:37 deepfield slapd[12862]: Base of added query = dc=example,dc=net
Oct 31 08:55:37 deepfield slapd[12862]: QUERY ANSWERABLE (answered 1 times)
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_search
Oct 31 08:55:37 deepfield slapd[12862]: mdb_dn2entry("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_dn2id("dc=example,dc=net")
Oct 31 08:55:37 deepfield slapd[12862]: <= mdb_dn2id: got id=0x1
Oct 31 08:55:37 deepfield slapd[12862]: => mdb_entry_decode:
what am i doing wrong?
-ben
10 years, 6 months
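One thing to try for the first problem, as an added example that is my suggestion and not an answer from the thread: write the template list back with a replace modification instead of an add. My assumption here, from reading slapd's generic modify code (verify on your version), is that the "no equality matching rule" refusal is raised only when slapd has to compare new values against values already stored on the attribute, which an add must do to reject duplicates; a replace drops the attribute first and then stores the complete value set, so no comparison is needed. The script reads the current olcPcacheTemplate values from the entry named in the post, appends the new one, and replaces the whole list; the StartTLS CA path and the LDAP_CONFIG_PW environment variable are assumed names.

```perl
#!/usr/bin/perl
# Added example: append a pcache query template via "replace" with Net::LDAP.
# Assumed: URI, DN and template value from the post; CA path and the
# LDAP_CONFIG_PW environment variable are my placeholders.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Constant qw(LDAP_SUCCESS);

my $uri      = 'ldap://localhost/';
my $dn       = 'olcOverlay={0}pcache,olcDatabase={2}ldap,cn=config';
my $attr     = 'olcPcacheTemplate';
my $template = '"(cn=)" 0 3600';                 # the value template.ldif tried to add
my $password = $ENV{LDAP_CONFIG_PW} // die "set LDAP_CONFIG_PW to the cn=config password\n";

# Build the new value list. Kept as a pure function so the merge logic can be
# checked without a server: an already-present template is not duplicated.
sub merged_templates {
    my ( $current, $new ) = @_;
    return @$current if grep { $_ eq $new } @$current;
    return ( @$current, $new );
}

my $ldap = Net::LDAP->new($uri) or die "connect to $uri failed: $@";

# Same transport as the post's ldapadd -ZZ: StartTLS, and refuse to go on without it.
my $mesg = $ldap->start_tls( verify => 'require', capath => '/etc/ssl/certs' );
die 'StartTLS failed: ' . $mesg->error if $mesg->code;
$mesg = $ldap->bind( 'cn=config', password => $password );
die 'bind failed: ' . $mesg->error if $mesg->code;

# Read the values that are configured now.
$mesg = $ldap->search(
    base   => $dn,
    scope  => 'base',
    filter => '(objectClass=*)',
    attrs  => [$attr],
);
die 'search failed: ' . $mesg->error if $mesg->code;
my $entry   = $mesg->entry(0) or die "$dn not found\n";
my @current = $entry->get_value($attr);
my @wanted  = merged_templates( \@current, $template );

if ( @wanted == @current ) {
    print "$template is already configured; nothing to do\n";
}
else {
    # Replace, not add: slapd removes the attribute and stores @wanted as a whole.
    $mesg = $ldap->modify( $dn, replace => { $attr => \@wanted } );
    if ( $mesg->code != LDAP_SUCCESS ) {
        die sprintf "modify failed: %s (%d)\n", $mesg->error, $mesg->code;
    }
    print "$attr now has:\n";
    print "  $_\n" for @wanted;
}
$ldap->unbind;
```

If the replace is refused with the same "no equality matching rule" text, the assumption above does not hold for that release and the slapcat/edit/slapadd route the post already uses remains the way to change the attribute.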
Is there any way to change structuralObjectClass of an LDAP entry?
by Marco Pizzoli
Hi all,
yes, I already know this is not possible. But I have a particular scenario
and maybe someone could give advice.
In an LDAP tree I inherited some time ago, I have entries created many
years ago using a schema definition that made an entry acquire a custom
objectClass as its structuralObjectClass.
This custom objectClass (let's say it's called custObjectClass) inherits
from inetOrgPerson and mandates some specific attributes.
Now, all entries are created explicitly listing the following objectClasses:
- top
- person
- organizationalPerson
- inetOrgPerson
- custObjectClass
The outcome is these entries have custObjectClass as structuralObjectClass.
Now, I would like to do some cleanup on this tree, and I would like to
change some schema definitions on objects.
First of all, I would like to NOT have custObjectClass as
structuralObjectClass.
Obviously I could slapcat my slapd engine, change the ldif and then
re-import as new. But I would prefer to not switch off my slapd engine in
the meantime. I can't afford that, to be honest...
One idea I had was to create a replica consumer, change on it the schema
definition (custObjectClass inheriting from TOP and being auxiliary instead
of structural), and let the replication create the entries with the correct
"structurality".
I discovered on my own that this approach is not viable, since OL refuses to insert
an entry whose structuralObjectClass is not defined as structural on
the slave as well.
Now I'm asking the community for help. Any hint is welcome. How would you
do it?
Thanks in advance
Marco
10 years, 7 months
additional info: objectClasses: value #0 invalid per syntax
by Jimmy Royer
Hello,
I am starting out with openldap and I don't know it that much. I got
the error mentioned in the title when trying to add an object class,
which is apparently a very common one per my google searches. I've
read that common causes are:
* extraneous white space (especially trailing white space)
* improperly encoded characters (LDAPv3 uses UTF-8 encoded Unicode)
* empty values (few syntaxes allow empty values)
This is the object class file I am trying to add, I picked it as an
example on some website, to have something minimal and make it easier
to test:
# cat exObjectClasses.ldif
dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2.9
NAME 'blogger'
DESC 'Someone who has a blog'
SUP inetOrgPerson STRUCTURAL
MAY blog )
I've checked if there was any trailing spaces at the end with the following:
# cat -vte exObjectClasses.ldif
dn: cn=schema$
changetype: modify$
add: objectClasses$
objectClasses: ( 2.16.840.1.113730.3.2.2.9$
  NAME 'blogger'$
  DESC 'Someone who has a blog'$
  SUP inetOrgPerson STRUCTURAL$
  MAY blog )$
I've made sure the file is UTF-8:
# iconv -f ASCII -t UTF-8 exObjectClasses.ldif > exObjectClasses.ldif.utf8
And I don't think there are any empty values defined in the LDIF file.
So when I type this command, I still have the "invalid per syntax" error:
# ldapmodify -x -W -H "ldaps://127.0.0.1" -D cn=Manager,dc=modelsolv,dc=com -f exObjectClasses.ldif
Enter LDAP Password:
modifying entry "cn=schema"
ldap_modify: Invalid syntax (21)
additional info: objectClasses: value #0 invalid per syntax
This is the content of the /etc/openldap/slapd.conf file:
# cat slapd.conf
#
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
include /etc/openldap/schema/corba.schema
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/java.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
include /etc/openldap/schema/openldap.schema
include /etc/openldap/schema/ppolicy.schema
include /etc/openldap/schema/collective.schema
# Allow LDAPv2 client connections. This is NOT the default.
allow bind_v2
# Do not enable referrals until AFTER you have a working directory
# service AND an understanding of referrals.
#referral ldap://root.openldap.org
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
# Load dynamic backend modules
# - modulepath is architecture dependent value (32/64-bit system)
# - back_sql.la overlay requires openldap-server-sql package
# - dyngroup.la and dynlist.la cannot be used at the same time
# modulepath /usr/lib/openldap
# modulepath /usr/lib64/openldap
# moduleload accesslog.la
# moduleload auditlog.la
# moduleload back_sql.la
# moduleload chain.la
# moduleload collect.la
# moduleload constraint.la
# moduleload dds.la
# moduleload deref.la
# moduleload dyngroup.la
# moduleload dynlist.la
# moduleload memberof.la
# moduleload pbind.la
# moduleload pcache.la
# moduleload ppolicy.la
# moduleload refint.la
# moduleload retcode.la
# moduleload rwm.la
# moduleload seqmod.la
# moduleload smbk5pwd.la
# moduleload sssvlv.la
# moduleload syncprov.la
# moduleload translucent.la
# moduleload unique.la
# moduleload valsort.la
# The next three lines allow use of TLS for encrypting connections using a
# dummy test certificate which you can generate by running
# /usr/libexec/openldap/generate-server-cert.sh. Your client software may balk
# at self-signed certificates, however.
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "\"OpenLDAP Server\""
TLSCertificateKeyFile /etc/openldap/certs/password
# Sample security restrictions
# Require integrity protection (prevent hijacking)
# Require 112-bit (3DES or better) encryption for updates
# Require 63-bit encryption for simple bind
# security ssf=1 update_ssf=112 simple_bind=64
# Sample access control policy:
# Root DSE: allow anyone to read it
# Subschema (sub)entry DSE: allow anyone to read it
# Other DSEs:
# Allow self write access
# Allow authenticated users read access
# Allow anonymous users to authenticate
# Directives needed to implement policy:
# access to dn.base="" by * read
# access to dn.base="cn=Subschema" by * read
# access to *
# by self write
# by users read
# by anonymous auth
#
# if no access controls are present, the default policy
# allows anyone and everyone to read anything but restricts
# updates to rootdn. (e.g., "access to * by * read")
#
# rootdn can always read and write EVERYTHING!
# enable on-the-fly configuration (cn=config)
database config
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" manage
        by * none
# enable server status monitoring (cn=monitor)
database monitor
access to *
        by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read
        by dn.exact="cn=Manager,dc=my-domain,dc=com" read
        by * none
#######################################################################
# database definitions
#######################################################################
database bdb
suffix "dc=modelsolv,dc=com"
checkpoint 1024 15
rootdn "cn=Manager,dc=modelsolv,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw SECRET
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub
index uidNumber,gidNumber,loginShell eq,pres
index uid,memberUid eq,pres,sub
index nisMapName,nisMapEntry eq,pres,sub
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 starttls=critical
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com(a)EXAMPLE.COM
I was able to add a few entries in LDAP so far. So I know I am able to
reach the server, the connection is fine, and LDAP is somewhat
functional. But I can't modify the schema with objectclasses.
Is there anything obvious that I am doing wrong? Do you have any
recommendation for debugging further?
Regards,
Jimmy Royer
10 years, 7 months
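A pre-flight check for the three causes listed in the post, added here as an example; it is not from the post and not an OpenLDAP tool. It unfolds the LDIF the way RFC 2849 prescribes, reports non-UTF-8 bytes, trailing blanks, lines that lost their continuation space and empty values, then parses every objectClasses (or olcObjectClasses) value as an RFC 4512 object class description, a syntax check of the kind that produces the "invalid per syntax" result. The sample LDIF is constructed in the shape of exObjectClasses.ldif; the DN and attribute name are copied from the post, and nothing here talks to a server, so it says nothing about whether the server accepts a write to that DN.

```python
import re

OID_RE = re.compile(r"^\d+(\.\d+)+$")

# Constructed sample in the shape of exObjectClasses.ldif. Folded lines carry
# two leading spaces: the RFC 2849 fold marker (stripped) plus a real space.
GOOD_LDIF = b"""dn: cn=schema
changetype: modify
add: objectClasses
objectClasses: ( 2.16.840.1.113730.3.2.2.9
  NAME 'blogger'
  DESC 'Someone who has a blog'
  SUP inetOrgPerson STRUCTURAL
  MAY blog )
"""
BAD_FOLD_LDIF = GOOD_LDIF.replace(b"\n  ", b"\n ")  # one leading space: OID runs into NAME


def unfold(text):
    """Join RFC 2849 continuation lines (leading space) onto the line before;
    returns [(number of the first physical line, logical line), ...]."""
    logical = []
    for n, line in enumerate(text.split("\n"), 1):
        if line.startswith(" ") and logical:
            logical[-1] = (logical[-1][0], logical[-1][1] + line[1:])
        else:
            logical.append((n, line))
    return logical


def lint_ldif(raw):
    """File-level problems that typically end in 'invalid per syntax'."""
    try:
        text = raw.decode("utf-8")
    except UnicodeDecodeError as e:
        return [f"byte {e.start}: not valid UTF-8"]
    findings = [f"line {n}: trailing whitespace"
                for n, line in enumerate(text.split("\n"), 1) if line != line.rstrip()]
    for n, line in unfold(text):
        attr, sep, value = line.partition(":")
        if not line.strip() or line.strip() == "-" or line.startswith("#"):
            continue
        if not sep:
            findings.append(f"line {n}: no ':' separator, probably a "
                            "continuation line that lost its leading space")
        elif not value.strip():
            findings.append(f"line {n}: empty value for {attr.strip()}")
    return findings


def parse_objectclass(desc):
    """Parse an RFC 4512 ObjectClassDescription; ValueError on shape errors."""
    s = desc.strip()
    if not (s.startswith("(") and s.endswith(")")):
        raise ValueError("description must be wrapped in ( ... )")
    tokens = re.findall(r"'[^']*'|[()$]|[^\s()$']+", s[1:-1])
    if not tokens or not OID_RE.match(tokens[0]):
        raise ValueError(f"expected a numeric OID first, got {tokens[:1]}")
    oc = {"oid": tokens[0], "names": [], "desc": None, "sup": [], "kind": "STRUCTURAL", "must": [], "may": []}
    it = iter(tokens[1:])

    def take_list():  # a single name/OID or a '( a $ b $ c )' group
        tok = next(it)
        if tok != "(":
            return [tok.strip("'")]
        items = []
        for tok in it:
            if tok == ")":
                return items
            if tok != "$":
                items.append(tok.strip("'"))
        raise ValueError("unterminated ( ... ) list")

    try:
        for kw in it:
            kw = kw.upper()
            if kw == "NAME":
                oc["names"] = take_list()
            elif kw == "DESC":
                oc["desc"] = next(it).strip("'")
            elif kw == "SUP":
                oc["sup"] = take_list()
            elif kw in ("ABSTRACT", "STRUCTURAL", "AUXILIARY"):
                oc["kind"] = kw
            elif kw in ("MUST", "MAY"):
                oc[kw.lower()] = take_list()
            elif kw != "OBSOLETE":
                raise ValueError(f"unexpected token {kw!r}")
    except StopIteration:
        raise ValueError("truncated description") from None
    return oc


def check_schema_ldif(raw):
    """Lint, then parse every objectClasses/olcObjectClasses value."""
    findings, classes = lint_ldif(raw), []
    for n, line in unfold(raw.decode("utf-8", errors="replace")):
        attr, sep, value = line.partition(":")
        if sep and attr.strip().lower() in ("objectclasses", "olcobjectclasses"):
            try:
                classes.append(parse_objectclass(value))
            except ValueError as e:
                findings.append(f"line {n}: {attr.strip()}: {e}")
    return findings, classes
```

Run check_schema_ldif(open(path, "rb").read()) on the real file before sending it with ldapmodify. The BAD_FOLD_LDIF variant shows a failure mode that passes every check named in the post: a folded line with a single leading space is valid LDIF, but after unfolding the OID runs straight into NAME and the whole value is rejected as a syntax error.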
Limit on number of attrs in replica conf?
by Marco Pizzoli
Hi all,
Is it possible I discovered a limit on the number of attributes I can
specify on the "attrs" parameter of the replica directive in slapd.conf?
In my config file, for the replica directive, I explicitly listed a long
list of attributes. On the provider side I can see, in the provider slapd
logs, that only 8 of the attrs I specified on the replica directive are
actually asked for, plus objectClass, structuralObjectClass and entryCSN.
Is that the expected behaviour?
I already checked the man page and I don't see this limitation stated there.
Thanks in advance
Marco
10 years, 7 months
internal_modify in overlays
by Tim Watts
Hi,
Does anyone know of a bit of code I can look at that does an *internal*
(completed inline) LDAP_MOD_REPLACE operation on one attribute without
chaining (ie it does a return 0)?
I've found Sun docs for doing this in a slapi plugin but not an openldap
slapd plugin.
Reason:
Basically, I've been hacking on smbkrb5pwd.c and discovered if I do a
"return 0;" at the end, I can prevent chaining (not documented but found
some openldap hacking - denyop.c - that demonstrated this).
At this point, smbkrb5pwd.c has changed our MIT Kerberos principal's
password, and "return 0" prevents slapd from chaining onto the code that
tries to set a local hash into userPassword. And it does it without
causing a nasty client error.
I thought: would it not be nice to set userPassword: to
{SASL}UID(a)KERB.REALM now... Each user's auth method gets switched upon
the first successful password change that propagates to kerberos.
However, all the existing overlays seem to set extra attributes by
setting up a request in ->rs_mods off the original request. I assume
these get actioned after a "return SLAP_CB_CONTINUE".
So - how do I set an attribute if we are halting the chain at our overlay?
Cheers :)
Tim
--
Tim Watts
Personal Blog: http://squiddy.blog.dionic.net/
http://www.sensorly.com/ Crowd mapping of 2G/3G/4G mobile signal coverage
10 years, 7 months
Re: meta backend subtree directive ignored by conversion to cn=config
by francesco.policastro@selex-es.com
I see.
So I need to look at ACL, because my real meta configuration contains two
trees coming from different forests, sharing nothing.
It's the result of a merge of two companies, each with its AD, and I use
OpenLDAP to authenticate users against a single meta domain, after a long
job to rename many users who just shared the only object I did not want,
i.e. the sAMAccountName.
Thanks,
Francesco
10 years, 7 months
Re: meta backend subtree directive ignored by conversion to cn=config
by Pierangelo Masarati
> Sorry!
> I mistyped the uri where the user is found (this happens because I saw
> this behaviour on the real configuration and I had to massage it).
> The search command, issued from the openldap server itself, is:
>
> ldapsearch -xLLL -H ldap:/// -D "cn=LdapBindUser,dc=newco,dc=com" -w secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn
>
> I find two records, one correct and one unexpected:
>
> dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com (matches the line marked with *)
>
> dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com
OK, I got the point. You're probably misusing this feature. If you want
to prevent a portion of the subtree from being returned, you need to use
ACL.
The subtree-{in|ex}clude is only used during candidate selection. This
means that it is used while deciding whether or not an operation must be
propagated to a specific target.
For example, let's say that target #1 is rooted at "ou=Sub 1,dc=org", and
target #2 is rooted at "dc=org", and it is known that target #2 does not
contain a subtree named "ou=Sub 1,dc=org", adding
subtree-exclude "ou=Sub 1,dc=org"
to target #2 prevents searches whose searchBase is (a subordinate of)
"ou=Sub 1,dc=org" from spanning target #2 in addition to target #1.
p.
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
10 years, 7 months
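A worked model of the candidate-selection rule described in the reply, added here as an example; it is neither OpenLDAP code nor the author's. It encodes the two targets summarised later in this thread plus the "ou=Sub 1,dc=org" exclude case, and treats subtree-include and subtree-exclude exactly as the reply says: as a filter on which targets an operation is sent to, not on what a chosen target returns. Entry DNs are constructed, and the DN comparison is a deliberate simplification (split on commas, case-folded, no escaped commas), so it is not a substitute for back-meta's own matching.

```python
"""Model of back-meta candidate selection with subtree-include/exclude.
Added example, not OpenLDAP code: it encodes the rule stated in the reply
(the directives choose which targets an operation is sent to; they never
filter what a chosen target returns). DN handling is simplified: split on
commas, whitespace collapsed, case-folded, no escaped commas."""

BASE, ONELEVEL, SUBTREE = "base", "one", "sub"

def normalize_dn(dn):
    return tuple(" ".join(rdn.split()).lower() for rdn in dn.split(","))

def within(dn, ancestor):
    """True when dn is ancestor itself or lies anywhere beneath it."""
    d, a = normalize_dn(dn), normalize_dn(ancestor)
    return len(d) >= len(a) and d[len(d) - len(a):] == a

def in_scope(dn, base, scope):
    d, b = normalize_dn(dn), normalize_dn(base)
    depth = len(d) - len(b)
    if depth < 0 or d[depth:] != b:
        return False
    return {BASE: depth == 0, ONELEVEL: depth == 1, SUBTREE: True}[scope]

class Target:
    def __init__(self, name, suffix, include=(), exclude=()):
        self.name, self.suffix = name, suffix
        self.include, self.exclude = list(include), list(exclude)

    def is_candidate(self, base, scope):
        # 1. The target's naming context must overlap the operation at all.
        if not (within(base, self.suffix)
                or (scope != BASE and within(self.suffix, base))):
            return False
        # 2. subtree-exclude: a base inside an excluded subtree is never sent
        #    here (the "ou=Sub 1,dc=org" case in the reply).
        if any(within(base, ex) for ex in self.exclude):
            return False
        # 3. subtree-include: the base must sit inside an included subtree, or
        #    a subtree search from above must reach down into one.
        if self.include:
            return any(within(base, inc) or (scope == SUBTREE and within(inc, base))
                       for inc in self.include)
        return True

def select_targets(targets, base, scope=SUBTREE):
    """Names of the targets the operation is propagated to."""
    return [t.name for t in targets if t.is_candidate(base, scope)]

def search(targets, contents, base, scope=SUBTREE):
    """contents: {target name: [entry DN, ...]}. A selected target returns all
    it holds under the base; the include rules are not re-applied to results."""
    return [dn for name in select_targets(targets, base, scope)
            for dn in contents.get(name, []) if in_scope(dn, base, scope)]

def apply_acl(results, denied):
    """What 'access to dn.subtree="<X>" by * none' would leave visible."""
    return [dn for dn in results if not any(within(dn, x) for x in denied)]

# Targets as summarised in the thread (the elided "..." lines are not modelled).
TARGETS = [
    Target("target1", "dc=first,dc=newco,dc=com", include=[
        "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com",
        "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com",
        "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com",  # [*]
        "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com"]),
    Target("target2", "ou=organizationalUnit,dc=second,dc=newco,dc=com", include=[
        "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com",
        "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com",
        "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com"]),
]
# Constructed directory contents; DISABLED is the "unexpected" entry.
ACTIVE = "cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com"
DISABLED = ("cn=Policastro Francesco,ou=UsersDisable,ou=Users,ou=2nd-location,"
            "dc=first,dc=newco,dc=com")
CONTENTS = {
    "target1": [ACTIVE, DISABLED],
    "target2": ["cn=Policastro Francesco,ou=Users,ou=1st-location,"
                "ou=organizationalUnit,dc=second,dc=newco,dc=com"],
}
# The exclude example from the reply: target #2 must not serve "ou=Sub 1".
ORG_TARGETS = [Target("t1", "ou=Sub 1,dc=org"),
               Target("t2", "dc=org", exclude=["ou=Sub 1,dc=org"])]

if __name__ == "__main__":
    base = "dc=newco,dc=com"
    print(base, "->", select_targets(TARGETS, base))
    for dn in search(TARGETS, CONTENTS, base):
        print("  ", dn)
    hidden = ["ou=UsersDisable,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com"]
    print("after ACL:", apply_acl(search(TARGETS, CONTENTS, base), hidden))
```

Run as a script it prints which targets a subtree search from dc=newco,dc=com fans out to (both, because each target has an included subtree below that base), the entries that come back (the UsersDisable entry included, since it sits under an included subtree and includes are never re-applied to results), and what remains after an ACL of the form access to dn.subtree="ou=UsersDisable,..." by * none, which is the hiding mechanism the reply points at. A search based at ou=Contractors,dc=first,dc=newco,dc=com selects no target at all, because that base is neither inside nor above any included subtree.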
Re: meta backend subtree directive ignored by conversion to cn=config
by francesco.policastro@selex-es.com
Sorry!
I mistyped the uri where the user is found (this happens because I saw
this behaviour on the real configuration and I had to massage it).
The search command, issued from the openldap server itself, is:
ldapsearch -xLLL -H ldap:/// -D "cn=LdapBindUser,dc=newco,dc=com" -w secret1 -E pr=647/noprompt -b 'DC=newco,DC=com' 'sn=policastro' dn
I find two records, one correct and one unexpected:
dn: cn=Policastro Francesco,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com (matches the line marked with *)
dn: cn=Policastro Francesco,ou=UsersDisable,dc=second,dc=newco,dc=com
Francesco Policastro
From: Pierangelo Masarati <masarati(a)aero.polimi.it>
To: <openldap-technical(a)openldap.org>
Date: 27/02/2013 10:36
Subject: Re: meta backend subtree directive ignored by conversion to cn=config
Sent by: <openldap-technical-bounces(a)OpenLDAP.org>
On 02/26/2013 02:19 PM, francesco.policastro(a)selex-es.com wrote:
> Even worse: if I start the server using slapd.conf, not cn=config, the
> subtree-include directives seem to be ignored.
> With reference to the previously attached file, if I search users from the
> root ("dc=newco,dc=com") I find them also outside the included subtrees;
> e.g. I find users under
> "ou=UsersDisable,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com".
> Is there anything wrong in my config file? Did I misunderstand the
> directive?
According to your configuration file, whose relevant directives I
summarized below, the entry
"ou=UsersDisable,ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com"
matches the 3rd subtree-include of the 1st target (marked with [*]).
So it seems to behave as intended.
p.
-----
database meta
suffix "dc=newco,dc=com"
...
uri "ldap://server1.it.domain1.com/dc=first,dc=newco,dc=com"
...
subtree-include "ou=Applications,ou=Groups Shared,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=1st-location,dc=first,dc=newco,dc=com"
subtree-include "ou=Users,ou=2nd-location,dc=first,dc=newco,dc=com" [*]
subtree-include "ou=Users,ou=3rd-location,dc=first,dc=newco,dc=com"
...
uri "ldap://server2.domain2.net/ou=organizationalUnit,dc=second,dc=newco,dc=com"
...
subtree-include "ou=Users,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=My-ou,ou=1st-location,ou=organizationalUnit,dc=second,dc=newco,dc=com"
subtree-include "ou=Remote Sites,ou=organizationalUnit,dc=second,dc=newco,dc=com"
--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
10 years, 7 months