May 2013 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

6 years, 10 months

4
11
0 / 0

OpenLDAP and dynalogin (two-factor auth with HOTP)

by Daniel Pocock

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

7 years, 9 months

5
6
0 / 0

(no subject)

by Ben Johnson

I posted this to openldap-bugs but I didn't see it actually posted to the archive so I'll try in openldap-technical. I have LMDB integrated and it's working smoothly except for this issue. ---- Original Message ---- I'm an author of an open source database called Sky (http://skydb.io/) and I'm interested in porting the backend off LevelDB and move it over to LMDB. I pulled down the LMDB code using the instructions on Ferenc Szalai's gomdb (https://github.com/szferi/gomdb) README: git clone -b mdb.master --single-branch git://git.openldap.org/openldap.git When I ran "make test" against the code it seems to run through most of the tests but I get a "Resource Busy" error at one point. Here's the full output: https://gist.github.com/benbjohnson/5628725 I'm running Mac OS X 10.8.3 and here's the output of my gcc -v: $ gcc -v Using built-in specs. Target: i686-apple-darwin11 Configured with: /private/var/tmp/llvmgcc42/llvmgcc42-2336.11~182/src/configure --disable-checking --enable-werror --prefix=/Applications/Xcode.app/Contents/Developer/usr/llvm-gcc-4.2 --mandir=/share/man --enable-languages=c,objc,c++,obj-c++ --program-prefix=llvm- --program-transform-name=/^[cg][^.-]*$/s/$/-4.2/ --with-slibdir=/usr/lib --build=i686-apple-darwin11 --enable-llvm=/private/var/tmp/llvmgcc42/llvmgcc42-2336.11~182/dst-llvmCore/Developer/usr/local --program-prefix=i686-apple-darwin11- --host=x86_64-apple-darwin11 --target=i686-apple-darwin11 --with-gxx-include-dir=/usr/include/c++/4.2.1 Thread model: posix gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00) Let me know if you need any other info from me. Ben Johnson ben(a)skylandlabs.com Ben Johnson ben(a)skylandlabs.com

9 years, 9 months

5
11
0 / 0

Re: extend groupOfURLs

by Michael Ströder

Carlos. please always follow-up on the mailing list so others can learn and answer as well. Carlos Santos wrote: > ################################################################################ > - # > - objectClass ( 1.3.6.1.4.1.5923.1.1.101 > - NAME 'dygroup' > - DESC 'dynamic group' > - SUP groupOfURLs > - STRUCTURAL > - MUST ( visibility $ groupname $ owner ) ) > - > - > - > ################################################################################ When using this and starting slapd with -d config,stats then it outputs: 51a8b922 line 53 (objectClass ( 1.3.6.1.4.1.5923.1.1.101 NAME 'dygroup' DESC 'dynamic group' SUP groupOfURLs STRUCTURAL MUST ( visibility $ groupname $ owner ) )) 51a8b922 /home/michael/ftp/Linux/Networking/LDAP/OpenLDAP/schema/experimental.schema: line 53 objectClass: AttributeType not found: "visibility" So where's the attribute type description for 'visibility'? => always use debug options when starting slapd after working on custom schema definitions. Ciao, Michael.

9 years, 9 months

2
5
0 / 0

Substring Indexes on userPassword Attribute

by Tim Gustafson

Hi, I have a need to find out how many of my users are using different password hashing methods, so I went and tried to do this search: ldapsearch -D uid=tjg,ou=People,dc=com -W -b ou=People,dc=com 'userPassword={SHA}*' But that didn't return anything. So I figured maybe I needed to create a substr index on that attribute. When I did that, slapindex returned: slapd.conf: line 82: substr index of attribute "userPassword" disallowed Why is that? How can I do a search that would tell me which of my users is using an SHA-hashed password? -- Tim Gustafson tjg(a)ucsc.edu 831-459-5354 Baskin Engineering, Room 313A

9 years, 9 months

4
8
0 / 0

Usage of the LDAP_OPT_X_SASL_GSS_CREDS

by Bernardo Pastorelli

Not sure if this is the right mailing list. I'm developing an LDAP client that uses GSSAPI as the transport mechanism. I would like to set the credentials to use for binding my user, and it seems that it is possible to set them using the LDAP_OPT_X_SASL_GSS_CREDS option. So I create the ldap context using ldap_initialize and then try to set the credentials using the option above, before calling the ldap_sasl_interactive_bind_s function for binding my user. But the options setting operation fails. Looking at the code, I see that, to set the option, it is necessary that the pointers in the chain below are not null: ld->ld_defconn->lconn_sasl_authctx But they are null after initializing the ldap context. So, which function calls do I have to execute for being able to set credentials before calling the bind function? Any alternative way? Regards, Bernardo Pastorelli

9 years, 10 months

1
0
0 / 0

How to make OpenLDAP use random (v4) UUIDs in entryUUID attribute

by dorian taylor

Hello, It is my understanding that OpenLDAP keys its entries on UUIDs under the hood. I have a system that makes extensive use of UUIDs as canonical (and sometimes public-facing) identifiers, and would like to tap into the UUIDs generated for the objects in the LDAP directory for certain operations over those objects. The problem is I'm using type 4 (random) UUIDs [1] everywhere, and OpenLDAP uses type 1 (time-based). It is important to the system to some extent that these identifiers be resistant to sequencing. As such, they really ought to be random. Since it hasn't been deployed in production yet, the sanest course of action seems to be to bend OpenLDAP to comply. (The alternative would be to maintain a dictionary of some kind, which I'm not keen about.) A survey of the code is as such: OpenLDAP doesn't appear to care which version of UUID it uses save for the generator function itself. The util library is hardcoded [2] to use type 1, and the entryUUID attribute itself is constrained in the schema [3] to not permit modification (where "modification" ostensibly also extends to adding new records). I'm not too familiar with the source but at a glance it appears to accommodate an entryUUID attribute as input [4]. I guess my question is: what's the best strategy? * Relax NO-USER-MODIFY on the entryUUID schema entry and set it at the application layer (easiest but most prone to problems) * Hack uuid.c to use uuid_generate_random instead of uuid_generate (easy, but introduces a maintenance problem) * Create an overlay (no idea where to start but can figure it out) * Figure out some way to make the UUID version configurable and send a patch upstream (most work and would it even be desirable?) Links: 1) http://tools.ietf.org/html/rfc4122#section-4.4 2) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librarie... 3) http://tools.ietf.org/html/rfc4530#section-2.4 4) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/... -- Dorian Taylor http://doriantaylor.com/

9 years, 10 months

2
4
0 / 0

Re: use ldif backup with operational attributes in conjunction with slapadd?

by Meike Stone

2013/5/30 Quanah Gibson-Mount <quanah(a)zimbra.com>: > --On Thursday, May 30, 2013 11:39 AM +0200 Meike Stone > <meike.stone(a)googlemail.com> wrote: > >> Hello, >> >> >> is it possible to use a ldif-backup with operation attributes >> (ldapsearch ... '+' '*') with slapadd, to save the operation >> attributes, if no slapcat backup is available? Are there any concerns? > > > If you can't get a slapcat backup, how would you get a ldapsearch backup? > A seconds reason, why I try to prevent using slapcat on a productive system is: ======================================================= slapd[4812]: bdb(ou=root): PANIC: Permission denied slapd[4812]: bdb(ou=root): DB_ENV->log_newfh: 15752: DB_RUNRECOVERY: Fatal error, run database recovery slapd[4812]: bdb(ou=root): txn_checkpoint: failed to flush the buffer cache: DB_RUNRECOVERY: Fatal error, run database recover slapd[4812]: bdb(ou=root): PANIC: fatal region error detected; run recovery slapd[4812]: null_callback : error code 0x50 slapd[4812]: syncrepl_updateCookie: rid=001 be_modify failed (80) slapd[4812]: do_syncrepl: rid=001 rc 80 retrying (4 retries left) ======================================================= This message I got today on a productive system while getting a ldif via slapcat for setting up an syncrepl slave. This shouldn happen, slapcat (8) manpage tells: "For some backend types, your slapd(8) should not be running (at least, not in read-write mode) when you do this to ensure consistency of the database. *It is always safe to run slapcat with the slapd-bdb(5)*, slapd-hdb(5), and slapd-null(5) backends." So using ldapsearch is more reliable for me ... Kindly regards Meike

9 years, 10 months

2
2
0 / 0

Any issue on random OIDs?

by Geo P.C.

For our openldap server we created custom attributes by giving random OIDs like 2.25.10.1, 2.25.10.100.10 etc . We are able to add custom attributes and the LDAP server is working fine. Please let us know is there any issue in giving random OIDs for attributes and object classes. Also is there any issue in future while using this. Can anyone please advise us on this. Also I came to know that we can create OIDs without registering. From this site http://www.itu.int/ITU-T/asn1/cgi-bin/uuid_generate I can create UUID but from where I can convert this UUID to OID? Suppose when we convert this UUID to decimal shall we can use it permanently without any issue? Please help us on it Thanks Geo* <http://pcgeo.blogspot.in/>*

9 years, 10 months

2
4
0 / 0

About ldapwhoami

by Jacques Foucry

Hello folks, I think I misunderstood something, but I can't make ldapwhoami working. Mu openldap server work perfectly I and all my users can connect using it. But whe I try to use ldapwhoami I get an error: ldapwhoami -x -D uid=jfoucry,ou=people,dc=example,dc=com -W Enter LDAP Password: ldap_bind: Invalid credentials (49) I am sure to use my LDAP password. I try with -d1 to have debug, and I reach to right server. What's going wrong? Thanks in advance for your help, regards, Jacques -- Jacques Foucry *NOVΛSPARKS * IT Manager Tel : +33 (0)1 42 68 12 61 jacques.foucry(a)novasparks.com

9 years, 10 months

3
5
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2013