Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example. I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once for every entry the search returns
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # asref => 1 returns every value of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
# VLV only works together with a server-side sort control on the same search
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,    # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control. This is line 50 of vlv.pl, where the script dies:
# control() returned nothing, i.e. the search result carried no VLV response control.
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 4 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 3 months
Modern Password Hashes in Openldap?
by Chris Hiestand
Since SSHA-1 is weak these days I'd like to switch to PBKDF2, bcrypt or the like with key stretching. Since OpenLDAP does not support relatively strong hashes, do you guys use SASL to store stronger hashes? If so, what kind of backend are you using to store hashes?
Background:
OclHashcat can generate tens of billions of SHA-1 hashes per second with off-the-shelf hardware. But it can only generate thousands of bcrypt hashes per second on similar hardware: https://hashcat.net/forum/thread-1541.html .
10 years, 5 months
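Added example, not from the original post: what an OpenLDAP {SSHA} userPassword value is (a single salted SHA-1 invocation, which is why a GPU cracker gets through them so quickly) next to a PBKDF2 value that stores its own work factor, in Python. The {PBKDF2-SHA256} string layout here is a constructed illustration for this example, not the encoding used by any OpenLDAP password module.

```python
import base64
import hashlib
import hmac
import os

# All values follow the RFC 2307 "{SCHEME}payload" shape that ends up in userPassword.


def ssha_hash(password: bytes, salt: bytes) -> str:
    """Legacy OpenLDAP {SSHA}: base64( SHA-1(password || salt) || salt ).
    One hash call per guess and no work-factor field to raise later."""
    digest = hashlib.sha1(password + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password: bytes, stored: str) -> bool:
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]           # SHA-1 digest is 20 bytes, rest is salt
    return hmac.compare_digest(hashlib.sha1(password + salt).digest(), digest)


def pbkdf2_hash(password: bytes, salt: bytes = None, rounds: int = 100_000) -> str:
    """Constructed {PBKDF2-SHA256} form (illustrative): rounds, salt and key are
    all stored, so the iteration count can be raised for new passwords without
    breaking verification of existing ones."""
    salt = salt if salt is not None else os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password, salt, rounds)
    return "{PBKDF2-SHA256}%d$%s$%s" % (
        rounds,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(key).decode("ascii"),
    )


def pbkdf2_verify(password: bytes, stored: str) -> bool:
    rounds, salt_b64, key_b64 = stored[len("{PBKDF2-SHA256}"):].split("$")
    key = hashlib.pbkdf2_hmac("sha256", password, base64.b64decode(salt_b64), int(rounds))
    return hmac.compare_digest(key, base64.b64decode(key_b64))


def verify(password: bytes, stored: str) -> bool:
    """Dispatch on the scheme prefix, as a password checker does; a directory can
    hold both schemes while accounts are migrated on next successful login."""
    if stored.startswith("{SSHA}"):
        return ssha_verify(password, stored)
    if stored.startswith("{PBKDF2-SHA256}"):
        return pbkdf2_verify(password, stored)
    raise ValueError("unsupported scheme: " + stored.split("}")[0] + "}")
```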
RE: Chaining stops working after slapd restart
by Quanah Gibson-Mount
--On Monday, April 29, 2013 6:56 PM +0000 jeevan kc <jeev_biz(a)hotmail.com>
wrote:
>
> No, I'm fully using cn=config on OpenLDAP 2.4.30. I'm working on the
> chain overlay for the past couple of weeks, and now that I finally was
> able to get it working, I found I could modify the slaves until I restart
> the server. After I restart the server the chaining doesn't work; it says
> "strong authentication required". So the chaining basically worked only
> just before I restarted the server.
> Thanks
Please do not top post.
Please keep replies to the list.
Please verify whether or not you can reproduce this with OpenLDAP 2.4.35.
Thanks,
Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
10 years, 5 months
Debian Squeeze: Slapd subtree disappears, but ldapsearch finds it | unable to allocate memory for mutex; resize mutex region
by Denny Schierz
hi,
in the last hour I had a very strange problem:
I have a Debian Squeeze with slapd installed and it was working for a long time, but today one subtree disappeared completely from the LDAP browser (Apache Directory Studio). It wasn't accessible anymore, but with ldapsearch I was able to see the tree. I also tried to add the LDIF again to the LDAP, but slapd says: "... exists ...."
The only way to get it working again was to restore the plain BDB files from yesterday's backup job.
I absolutely don't know what happened. The only thing I changed: I reinstalled the second LDAP (n-way master) on a new host, with a config only, and let the second LDAP synchronize with the main LDAP. After ~20-40 minutes the job was done and the second was up to date. That was yesterday.
The subtree was also missing on the second LDAP ... so the synchronizing did the same ...
So I deleted all *dbd* *log* on ldap2 (after the restore from the main LDAP) and wanted to synchronize the full tree again ... but I get many warnings:
dc=...... unable to allocate memory for mutex; resize mutex region
any suggestions?
cu denny
10 years, 5 months
slapd 2.4.33 changes 'dc' to 'ou' after cn=schema,cn=config modification
by Igor Zinovik
Hello.
I'm running OpenLDAP 2.4.33 with on-line configuration (slapd-config). Before
running slapd with on-line configuration I developed my own schema, and after
that I converted the old-fashioned slapd.conf to slapd.d. Today I modified one
attribute in my schema from this:
olcAttributeTypes: {9}( 2.16.840.1.113730.3.1.217 NAME 'spamassassin' DESC 'Sp
amAssassin user preferences settings' EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
to this:
olcAttributeTypes: {9}( 2.16.840.1.113730.3.1.217 NAME 'spamassassin' DESC 'Sp
amAssassin user preferences settings' SUP name )
I was bound to cn=config with a DN that is not part of that tree; my DN was
uid=zinovik,ou=people,dc=...,dc=ru
After that change I noticed that I see the following messages while running
slaptest:
ldap1:~ $ sudo slaptest -vF /etc/openldap/slapd.d
51800ba4 PROXIED attributeDescription "OU" inserted.
51800ba4 PROXIED attributeDescription "DC" inserted.
config file testing succeeded
I pointed out that this happened because I modified entries in cn=config with
modifierName not being part of the cn=config namespace.
But that is not a problem. The problem happens when I do the following:
ldap1:~ $ cat example.com.ldif
dn: dc=example.com,ou=Mail,dc=...,dc=ru
objectClass: top
objectClass: domain
objectClass: amavisAccount
dc: example.com
amavisLocal: TRUE
ldap1:~ $ ldapadd -v -ZZxWD uid=zinovik,ou=people,dc=...,dc=ru -f example.com.ldif
add objectClass:
top
domain
amavisAccount
add dc:
example.com
add amavisLocal:
TRUE
adding new entry "dc=example.com,ou=Mail,dc=...,dc=ru"
modify complete
ldap1:~ $ ldapsearch -LLLZZxWD uid=zinovik,ou=people,dc=...,dc=ru -b ou=Mail,dc=...,dc=ru -s one '(&)'
Enter LDAP Password:
dn: dc=example.com,ou=Mail,dc=...,dc=ru
objectClass: top
objectClass: domain
objectClass: amavisAccount
ou: example.com
amavisLocal: TRUE
Why do I not see the 'dc' attribute in this entry, and why did 'ou' appear?
Trace of this operation:
51800cc6 >>> dnPrettyNormal: <dc=example.com,ou=Mail,dc=...,dc=ru>
51800cc6 <<< dnPrettyNormal: <dc=example.com,ou=Mail,dc=...,dc=ru>, <dc=example.com,ou=mail,dc=...,dc=ru>
51800cc6 ==> unique_add <dc=example.com,ou=Mail,dc=...,dc=ru>
51800cc6 oc_check_required entry (dc=example.com,ou=Mail,dc=...,dc=ru), objectClass "domain"
51800cc6 oc_check_required entry (dc=example.com,ou=Mail,dc=...,dc=ru), objectClass "amavisAccount"
51800cc6 oc_check_allowed type "objectClass"
51800cc6 oc_check_allowed type "dc"
51800cc6 oc_check_allowed type "amavisLocal"
51800cc6 oc_check_allowed type "structuralObjectClass"
51800cc6 mdb_dn2entry("dc=example.com,ou=mail,dc=...,dc=ru")
51800cc6 => mdb_dn2id("dc=example.com,ou=mail,dc=...,dc=ru")
51800cc6 <= mdb_dn2id: get failed: MDB_NOTFOUND: No matching key/data pair found (-30798)
51800cc6 => mdb_entry_decode:
51800cc6 <= mdb_entry_decode
51800cc6 mdb_dn2entry("cn=ldap admins,ou=groups,dc=...,dc=ru")
51800cc6 => mdb_dn2id("cn=ldap admins,ou=groups,dc=...,dc=ru")
51800cc6 <= mdb_dn2id: got id=0xfab
51800cc6 => mdb_entry_decode:
51800cc6 <= mdb_entry_decode
51800cc6 mdb_entry_get: rc=0
51800cc6 => mdb_dn2id_add 0x1f19: "dc=example.com,ou=mail,dc=...,dc=ru"
51800cc6 <= mdb_dn2id_add 0x1f19: 0
51800cc6 => index_entry_add( 7961, "dc=example.com,ou=Mail,dc=...,dc=ru" )
51800cc6 <= index_entry_add( 7961, "dc=example.com,ou=Mail,dc=...,dc=ru" ) success
51800cc6 => mdb_entry_encode(0x00001f19): dc=example.com,ou=Mail,dc=...,dc=ru
51800cc6 <= mdb_entry_encode(0x00001f19): dc=example.com,ou=Mail,dc=...,dc=ru
51800cc6 mdb_add: added id=00001f19 dn="dc=example.com,ou=Mail,dc=...,dc=ru"
51800cc6 send_ldap_result: conn=1000 op=2 p=3
When I try to modify the attribute:
dn: dc=example.com,ou=Mail,dc=...,dc=ru
changetype: modify
add: dc
dc: example.com
I get:
modifying entry "dc=example.com,ou=Mail,dc=...,dc=ru"
ldap_modify: Object class violation (65)
additional info: attribute 'ou' not allowed
Even my root object lost its 'dc' attribute somehow:
ldap1: ~$ ldapsearch -LLLZZxWD uid=zinovik,ou=people,dc=...,dc=ru -b dc=...,dc=ru -s base '(&)'
dn: dc=...,dc=ru
ou: ...
objectClass: organization
objectClass: dcObject
o: my organization
If it matters, I use slapd-mdb as the storage backend. I did not change 'dc' and 'ou':
ldap1:~ $ ldapsearch -LLLZZxWD uid=zinovik,ou=people,dc=...,dc=ru -b 'cn={0}core,cn=schema,cn=config' '(&)' olcAttributeTypes|egrep -e "'(ou|dc)'"
Enter LDAP Password:
olcAttributeTypes: {8}( 2.5.4.11 NAME ( 'ou' 'organizationalUnitName' ) DESC '
olcAttributeTypes: {49}( 0.9.2342.19200300.100.1.25 NAME ( 'dc' 'domainCompone
I do not use slapo-rwm. Here are my overlays for dc=...,dc=ru:
dn: olcOverlay={0}memberof,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcMemberOf
olcOverlay: {0}memberof
olcMemberOfDangling: ignore
olcMemberOfRefInt: TRUE
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
dn: olcOverlay={1}refint,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
olcOverlay: {1}refint
olcRefintAttribute: seeAlso
olcRefintAttribute: uniqueMember
olcRefintAttribute: member
olcRefintNothing: cn=EMPTY
dn: olcOverlay={2}unique,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcUniqueConfig
olcOverlay: {2}unique
olcUniqueURI: ldap:///ou=Hosts,dc=...,dc=ru?ipHostNumber?sub
olcUniqueURI: ldap:///ou=People,dc=...,dc=ru?uid,uidNumber?sub
olcUniqueURI: ldap:///ou=Groups,dc=...,dc=ru?cn,gidNumber?sub
olcUniqueURI: ldap:///ou=Mail,dc=...,dc=ru?mail,mailLocalAddress?sub
dn: olcOverlay={3}syncprov,olcDatabase={1}mdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {3}syncprov
olcSpCheckpoint: 200 20
olcSpSessionlog: 100
10 years, 5 months
slapschema and slapd-mdb
by Igor Zinovik
Hello.
Is it safe to run slapschema with slapd-mdb(5) (while slapd is running in
r/w mode)?
10 years, 5 months
replicating a special objectclass with a separate syncrepl statement
by Al
Hi,
I am wondering if it is possible to have two syncrepl statements on a
consumer that pull from the same source, but do so with a different
set of parameters and filters that ensure there is no overlap. Below
is an example of what I am interested in trying:
olcSyncRepl: rid=001 provider=ldap://server1.example.com
binddn="MANAGERDN" bindmethod=simple
credentials=$PASSWD searchbase="$BASEDN" type=refreshAndPersist
retry="5 5 300 5" timeout=1 filter="(!(objectclass=mygroup))"
olcSyncRepl: rid=002 provider=ldap://server1.example.com
binddn="MANAGERDN" bindmethod=simple
credentials=$PASSWD searchbase="$BASEDN" type=refreshOnly
interval=00:00:10:00 retry="5 5 300 5" timeout=1
filter="(objectclass=mygroup)"
Basically, I am interested in syncing certain groups occasionally
(they have a custom objectclass), but everything else as quickly as
possible.
Thanks!
Al
10 years, 5 months
Chaining stops working after slapd restart
by jeevan kc
Hi, I am trying to setup a chain overlay to allow writes to a read-only slave to be chained up to the master.
dn: olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcChainConfig
olcOverlay: {0}chain
dn: olcDatabase=ldap,olcOverlay={0}chain,olcDatabase={-1}frontend,cn=config
changetype: add
objectClass: olcLDAPConfig
objectClass: olcChainDatabase
olcDBURI: ldap://10.1.0.3/
olcDbIDAssertBind: bindmethod=simple
 binddn="cn=admin,dc=example,dc=com"
 credentials=**********
 mode=self
This works until I have to restart the slave ldap server. Can anyone help me fix this problem?
10 years, 5 months
slow replication
by Meike Stone
Hello,
I've a problem with the speed of replication.
I've set up OpenLDAP 2.4.33 with a master and one consumer. At the
moment the full replication takes about 32 hours.
No LDAP operations are made on master or consumer during this time.
(I know it depends on hardware too, but the two servers are fast.)
How long should it take to replicate a DB of about 6 GByte
(id2entry.bdb + dn2id.bdb) with 1.6M DNs and about 66M attributes?
Replication is configured with RefreshAndPersist, no DeltaSync. Both
servers are on the same IP segment, connected via a gigabit ethernet
switch.
I played in a test environment with different parameters:
- shm_key
- dbnosync
- switched off all indexes on the consumer except entryUUID and entryCSN
- different bdb cachesize
- noatime, relatime
- ext3/xfs
I looked at disk via iostat (nothing seen), no IO waits with top,
looked at the network, but max 5 Mbit/s is used.
I listened with strace on slapd and I see that slapd is reading from
the network and writing it to id2entry.bdb.
Before each test, I deleted the complete LDAP DB (except DB_CONFIG) and
the shared memory (ipcrm -m).
Are there similar limitations that will trigger slow replication, like
BDB_IDL_LOGN?
How can I accelerate this replication?
I'm of the opinion that it was significantly faster with a smaller database.
Thanks and kind regards, Meike
Configuration:
--------------------
The configuration is only a test configuration; some values differ,
some are commented out because of playing with them.
# Master (Provider)
==========================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
sizelimit -1
timelimit 300
tool-threads 8
threads 8
serverID 001
########################################
database bdb
suffix "ou=root"
rootdn "cn=admin,ou=root"
#loglevel stats sync
loglevel 0
rootpw <password>
directory /DATA/ldap
#cachesize 500000
#dncachesize 500000
#idlcachesize 150000
cachefree 500
dirtyread
dbnosync
shm_key 7
checkpoint 4096 15
index objectClass,entryUUID,entryCSN eq
index cn eq,sub
index ownattributes ....
overlay syncprov
syncprov-checkpoint 100 5
# Consumer
==========================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/yast.schema
include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/ldap
moduleload back_bdb
moduleload syncprov
sizelimit -1
timelimit 300
serverID 002
#loglevel stats sync
loglevel 0
########################################
database bdb
suffix "ou=root"
rootdn "cn=admin,ou=root"
checkpoint 4096 15
rootpw <password>
directory /DATA/ldap
dbnosync
shm_key 7
checkpoint 4096 15
#cachesize 100000
#dncachesize 100000
#idlcachesize 150000
#cachefree 500
#dirtyread
syncrepl rid=020
provider=ldap://192.168.1.10
type=refreshAndPersist
retry="5 5 300 +"
searchbase="ou=root"
attrs="*,+"
bindmethod=simple
binddn="cn=admin,ou=root"
credentials=<password>
index entryUUID,entryCSN eq
#index cn eq,sub
mirrormode FALSE
10 years, 5 months