Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,       # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search(@args);

# Get VLV response control
# (this is line 50 of vlv.pl: it dies when the server returns no VLV
#  response control, e.g. because the search itself failed; the die
#  message now includes the server's result instead of a bare "Died")
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control: " . $mesg->error;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);

# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control: " . $mesg->error;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);

# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control: " . $mesg->error;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);

# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "no VLV response control: " . $mesg->error;
$vlv->response($resp);
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 2 months
(no subject)
by Ben Johnson
I posted this to openldap-bugs but I didn't see it actually posted to the archive so I'll try in openldap-technical. I have LMDB integrated and it's working smoothly except for this issue.
---- Original Message ----
I'm an author of an open source database called Sky (http://skydb.io/) and I'm interested in porting the backend off LevelDB and move it over to LMDB. I pulled down the LMDB code using the instructions on Ferenc Szalai's gomdb (https://github.com/szferi/gomdb) README:
git clone -b mdb.master --single-branch git://git.openldap.org/openldap.git
When I ran "make test" against the code it seems to run through most of the tests but I get a "Resource Busy" error at one point. Here's the full output:
https://gist.github.com/benbjohnson/5628725
I'm running Mac OS X 10.8.3 and here's the output of my gcc -v:
$ gcc -v
Using built-in specs.
Target: i686-apple-darwin11
Configured with: /private/var/tmp/llvmgcc42/llvmgcc42-2336.11~182/src/configure --disable-checking --enable-werror --prefix=/Applications/Xcode.app/Contents/Developer/usr/llvm-gcc-4.2 --mandir=/share/man --enable-languages=c,objc,c++,obj-c++ --program-prefix=llvm- --program-transform-name=/^[cg][^.-]*$/s/$/-4.2/ --with-slibdir=/usr/lib --build=i686-apple-darwin11 --enable-llvm=/private/var/tmp/llvmgcc42/llvmgcc42-2336.11~182/dst-llvmCore/Developer/usr/local --program-prefix=i686-apple-darwin11- --host=x86_64-apple-darwin11 --target=i686-apple-darwin11 --with-gxx-include-dir=/usr/include/c++/4.2.1
Thread model: posix
gcc version 4.2.1 (Based on Apple Inc. build 5658) (LLVM build 2336.11.00)
Let me know if you need any other info from me.
Ben Johnson
ben(a)skylandlabs.com
10 years, 3 months
Re: extend groupOfURLs
by Michael Ströder
Carlos,
please always follow-up on the mailing list so others can learn and answer as
well.
Carlos Santos wrote:
> ################################################################################
> - #
> - objectClass ( 1.3.6.1.4.1.5923.1.1.101
> - NAME 'dygroup'
> - DESC 'dynamic group'
> - SUP groupOfURLs
> - STRUCTURAL
> - MUST ( visibility $ groupname $ owner ) )
> -
> -
> -
> ################################################################################
When using this and starting slapd with -d config,stats then it outputs:
51a8b922 line 53 (objectClass ( 1.3.6.1.4.1.5923.1.1.101 NAME 'dygroup'
DESC 'dynamic group' SUP groupOfURLs STRUCTURAL
MUST ( visibility $ groupname $ owner ) ))
51a8b922
/home/michael/ftp/Linux/Networking/LDAP/OpenLDAP/schema/experimental.schema:
line 53 objectClass: AttributeType not found: "visibility"
So where's the attribute type description for 'visibility'?
=> always use debug options when starting slapd after working on custom schema
definitions.
Ciao, Michael.
10 years, 3 months
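One way to catch what slapd's debug output reported above before restarting the server, as an added example that is neither Michael's nor OpenLDAP's code: a check over slapd.conf-style schema text that lists every MUST/MAY attribute an objectClass references without a matching attributetype definition. The sample schema, its attribute definitions and the 1.3.6.1.4.1.99999 arc are constructed; only the dygroup class mirrors the post.

```python
import re


def schema_definitions(schema: str):
    """Yield (kind, body) for each attributetype/objectclass definition,
    tracking paren depth so a nested MUST ( a $ b ) list stays in the body."""
    for m in re.finditer(r"(?im)^\s*(attributetype|objectclass)\s*\(", schema):
        depth, i = 1, m.end()
        while depth and i < len(schema):
            depth += {"(": 1, ")": -1}.get(schema[i], 0)
            i += 1
        yield m.group(1).lower(), schema[m.end():i - 1]


def names_in(body: str):
    """NAME 'x' or NAME ( 'x' 'y' ) -> ['x'] / ['x', 'y']."""
    m = re.search(r"\bNAME\s*(?:'[^']*'|\([^)]*\))", body)
    return re.findall(r"'([^']*)'", m.group(0)) if m else []


def attr_refs(body: str, keyword: str):
    """Attribute names listed after MUST or MAY: a bare name or ( a $ b )."""
    m = re.search(r"\b%s\s*(?:\(([^)]*)\)|([\w-]+))" % keyword, body)
    return [a.strip() for a in (m.group(1) or m.group(2)).split("$")] if m else []


def undefined_attributes(schema: str, known=()):
    """(objectClass, attribute) pairs whose attribute has no attributetype in
    `schema` and is not in `known` (names from schema files loaded earlier)."""
    defined, classes = {n.lower() for n in known}, []
    for kind, body in schema_definitions(schema):
        if kind == "attributetype":
            defined.update(n.lower() for n in names_in(body))
        else:
            refs = attr_refs(body, "MUST") + attr_refs(body, "MAY")
            classes.append(((names_in(body) or ["?"])[0], refs))
    return [(oc, a) for oc, refs in classes for a in refs if a.lower() not in defined]


# Constructed sample: the dygroup class from the post with only two of its
# three MUST attributes defined (placeholder OIDs under 1.3.6.1.4.1.99999).
SAMPLE_SCHEMA = """
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'groupname'
    DESC 'constructed example' EQUALITY caseIgnoreMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME ( 'owner' 'groupOwner' )
    DESC 'constructed example' SUP distinguishedName )
objectclass ( 1.3.6.1.4.1.5923.1.1.101 NAME 'dygroup'
    DESC 'dynamic group' SUP groupOfURLs STRUCTURAL
    MUST ( visibility $ groupname $ owner ) )
"""
```

Running undefined_attributes(SAMPLE_SCHEMA) reports ('dygroup', 'visibility'), the same reference slapd rejected; pass the names from core.schema and friends as `known` when checking a real file.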
Substring Indexes on userPassword Attribute
by Tim Gustafson
Hi,
I have a need to find out how many of my users are using different
password hashing methods, so I went and tried to do this search:
ldapsearch -D uid=tjg,ou=People,dc=com -W -b ou=People,dc=com 'userPassword={SHA}*'
But that didn't return anything. So I figured maybe I needed to
create a substr index on that attribute. When I did that, slapindex
returned:
slapd.conf: line 82: substr index of attribute "userPassword" disallowed
Why is that? How can I do a search that would tell me which of my
users is using an SHA-hashed password?
--
Tim Gustafson
tjg(a)ucsc.edu
831-459-5354
Baskin Engineering, Room 313A
10 years, 3 months
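Since a substring index on userPassword is refused, the practical way to count hashing schemes is offline over an export (slapcat, or ldapsearch run as an identity allowed to read userPassword). Added example, not from the post: an LDIF reader that unfolds continuation lines and decodes the base64 '::' form in which userPassword is always emitted, then tallies the {SCHEME} prefix of each value; the sample export and its digests are constructed.

```python
import base64
import re
from collections import Counter

def ldif_records(text: str):
    """Yield each LDIF record as (attribute, value) pairs, unfolding continuation lines and decoding '::' values."""
    for chunk in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for raw in chunk.splitlines():
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]          # folded continuation line
            elif not raw.startswith("#"):
                lines.append(raw)
        record = []
        for line in lines:
            attr, sep, value = re.match(r"([^:]+)(::?) ?(.*)", line).groups()
            if sep == "::":                   # base64, how userPassword is always exported
                value = base64.b64decode(value).decode("utf-8", "replace")
            record.append((attr, value))
        yield record

def userpassword_schemes(ldif_text: str) -> Counter:
    """Tally the {SCHEME} prefix of every userPassword; a value without one is stored in the clear."""
    counts = Counter()
    for record in ldif_records(ldif_text):
        for attr, value in record:
            if attr.lower() == "userpassword":
                m = re.match(r"\{([^}]+)\}", value)
                counts[m.group(1).upper() if m else "cleartext"] += 1
    return counts

def _b64(s: str) -> str: return base64.b64encode(s.encode()).decode()

# Constructed sample export with placeholder digests; bob's value is folded over two lines as ldapsearch wraps it.
_SSHA = _b64("{SSHA}" + "A" * 32)
SAMPLE_LDIF = "\n".join([
    "dn: uid=alice,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{SHA}" + "B" * 28),
    "",
    "dn: uid=bob,ou=People,dc=example,dc=com",
    "userPassword:: " + _SSHA[:24],
    " " + _SSHA[24:],
    "",
    "dn: uid=carol,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("{crypt}$6$placeholder$placeholder"),
    "",
    "dn: uid=dave,ou=People,dc=example,dc=com",
    "userPassword:: " + _b64("cleartext-placeholder"),
])
```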
Usage of the LDAP_OPT_X_SASL_GSS_CREDS
by Bernardo Pastorelli
Not sure if this is the right mailing list.
I'm developing an LDAP client that uses GSSAPI as the transport mechanism. I would like to set the credentials to use for binding my user, and it seems that it is possible to set them using the LDAP_OPT_X_SASL_GSS_CREDS option.
So I create the ldap context using ldap_initialize and then try to set the credentials using the option above, before calling the ldap_sasl_interactive_bind_s function for binding my user.
But the options setting operation fails. Looking at the code, I see that, to set the option, it is necessary that the pointers in the chain below are not null:
ld->ld_defconn->lconn_sasl_authctx
But they are null after initializing the ldap context. So, which function calls do I have to execute for being able to set credentials before calling the bind function?
Any alternative way?
Regards,
Bernardo Pastorelli
10 years, 3 months
How to make OpenLDAP use random (v4) UUIDs in entryUUID attribute
by dorian taylor
Hello,
It is my understanding that OpenLDAP keys its entries on UUIDs under
the hood. I have a system that makes extensive use of UUIDs as
canonical (and sometimes public-facing) identifiers, and would like to
tap into the UUIDs generated for the objects in the LDAP directory for
certain operations over those objects. The problem is I'm using type 4
(random) UUIDs [1] everywhere, and OpenLDAP uses type 1 (time-based).
It is important to the system to some extent that these identifiers be
resistant to sequencing. As such, they really ought to be random.
Since it hasn't been deployed in production yet, the sanest course of
action seems to be to bend OpenLDAP to comply. (The alternative would
be to maintain a dictionary of some kind, which I'm not keen about.)
A survey of the code is as such: OpenLDAP doesn't appear to care which
version of UUID it uses save for the generator function itself. The
util library is hardcoded [2] to use type 1, and the entryUUID
attribute itself is constrained in the schema [3] to not permit
modification (where "modification" ostensibly also extends to adding
new records). I'm not too familiar with the source but at a glance it
appears to accommodate an entryUUID attribute as input [4].
I guess my question is: what's the best strategy?
* Relax NO-USER-MODIFY on the entryUUID schema entry and set it at the
application layer (easiest but most prone to problems)
* Hack uuid.c to use uuid_generate_random instead of uuid_generate
(easy, but introduces a maintenance problem)
* Create an overlay (no idea where to start but can figure it out)
* Figure out some way to make the UUID version configurable and send a
patch upstream (most work and would it even be desirable?)
Links:
1) http://tools.ietf.org/html/rfc4122#section-4.4
2) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=librarie...
3) http://tools.ietf.org/html/rfc4530#section-2.4
4) http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=blob;f=servers/...
--
Dorian Taylor
http://doriantaylor.com/
10 years, 3 months
Re: use ldif backup with operational attributes in conjunction with slapadd?
by Meike Stone
2013/5/30 Quanah Gibson-Mount <quanah(a)zimbra.com>:
> --On Thursday, May 30, 2013 11:39 AM +0200 Meike Stone
> <meike.stone(a)googlemail.com> wrote:
>
>> Hello,
>>
>>
>> is it possible to use a ldif-backup with operation attributes
>> (ldapsearch ... '+' '*') with slapadd, to save the operation
>> attributes, if no slapcat backup is available? Are there any concerns?
>
>
> If you can't get a slapcat backup, how would you get a ldapsearch backup?
>
A second reason why I try to avoid using slapcat on a productive system is:
=======================================================
slapd[4812]: bdb(ou=root): PANIC: Permission denied
slapd[4812]: bdb(ou=root): DB_ENV->log_newfh: 15752: DB_RUNRECOVERY:
Fatal error, run database recovery
slapd[4812]: bdb(ou=root): txn_checkpoint: failed to flush the buffer
cache: DB_RUNRECOVERY: Fatal error, run database recover
slapd[4812]: bdb(ou=root): PANIC: fatal region error detected; run recovery
slapd[4812]: null_callback : error code 0x50
slapd[4812]: syncrepl_updateCookie: rid=001 be_modify failed (80)
slapd[4812]: do_syncrepl: rid=001 rc 80 retrying (4 retries left)
=======================================================
This message I got today on a productive system while getting a ldif
via slapcat for setting up an syncrepl slave.
This shouldn't happen; the slapcat(8) manpage says:
"For some backend types, your slapd(8) should not be running (at
least, not in read-write mode) when you do this to ensure consistency
of the database. It is always safe to run slapcat with the slapd-bdb(5),
slapd-hdb(5), and slapd-null(5) backends."
So using ldapsearch is more reliable for me ...
Kind regards, Meike
10 years, 3 months
Any issue on random OIDs?
by Geo P.C.
For our openldap server we created custom attributes by giving random OIDs
like 2.25.10.1, 2.25.10.100.10 etc . We are able to add custom attributes
and the LDAP server is working fine.
Please let us know whether there is any issue in giving random OIDs for
attributes and object classes. Also, is there any issue in future while using
this? Can anyone please advise us on this.
Also I came to know that we can create OIDs without registering. From this
site http://www.itu.int/ITU-T/asn1/cgi-bin/uuid_generate I can create UUID
but from where I can convert this UUID to OID?
Suppose we convert this UUID to decimal: can we use it
permanently without any issue? Please help us on it.
Thanks
Geo <http://pcgeo.blogspot.in/>
10 years, 3 months
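Added example, not from either post, covering both the entryUUID question above and this one: the convention behind UUID-based OIDs (ITU-T X.667) is the UUID's 128-bit value as a single decimal arc under 2.25, and the version nibble of a UUID distinguishes a time-based v1 (what OpenLDAP generates for entryUUID) from a random v4. Hand-picked arcs like 2.25.10.1 from the post are classified as not derived from a UUID.

```python
import uuid


def uuid_to_oid(u: uuid.UUID) -> str:
    """X.667 convention: the UUID's 128-bit value as one decimal arc under 2.25,
    so the OID needs no registration."""
    return "2.25.%d" % u.int


def oid_to_uuid(oid: str) -> uuid.UUID:
    """Inverse of uuid_to_oid; rejects anything that is not exactly 2.25
    followed by a single arc that fits in 128 bits."""
    root, _, arc = oid.partition("2.25.")
    if root or not arc.isdigit() or int(arc) >= 1 << 128:
        raise ValueError("not a 2.25.<uuid> OID: %r" % oid)
    return uuid.UUID(int=int(arc))


def classify_oid(oid: str) -> str:
    """'v1', 'v4', ... when the arc is an RFC 4122 UUID (the version nibble
    says which generator produced it); 'not-uuid' for short hand-picked arcs
    such as 2.25.10.1, which no UUID generator would ever emit."""
    try:
        u = oid_to_uuid(oid)
    except ValueError:
        return "not-uuid"
    if u.variant != uuid.RFC_4122:
        return "not-uuid"
    return "v%d" % u.version


def uuid_version(entry_uuid: str):
    """Version of an entryUUID string: 1 = time-based (OpenLDAP's default),
    4 = random; None if it is not an RFC 4122 UUID at all."""
    return uuid.UUID(entry_uuid).version


if __name__ == "__main__":
    u = uuid.uuid4()                      # a random v4, as the entryUUID post wants
    print(u, uuid_to_oid(u), classify_oid(uuid_to_oid(u)))
    print("2.25.10.1", classify_oid("2.25.10.1"))
```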
About ldapwhoami
by Jacques Foucry
Hello folks,
I think I misunderstood something, but I can't make ldapwhoami work.
My openldap server works perfectly and all my users can connect using
it. But when I try to use ldapwhoami I get an error:
ldapwhoami -x -D uid=jfoucry,ou=people,dc=example,dc=com -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)
I am sure to use my LDAP password.
I tried with -d1 to get debug output, and I reach the right server.
What's going wrong?
Thanks in advance for your help,
regards,
Jacques
--
Jacques Foucry
NOVΛSPARKS
IT Manager
Tel : +33 (0)1 42 68 12 61
jacques.foucry(a)novasparks.com
10 years, 3 months