openldap-technical June 2013

openldap-technical@openldap.org

58 participants
71 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

High load times with mdb
by Bill MacAllister 11 Jul '13

11 Jul '13

With the release of Debian 7 (wheezy) I was rebuilding a couple test systems and was surprised to find that the load times I am seeing for populating the mdb database with slapd have gone up dramatically. The load for a master server that was taking about 10 minutes just took 35 minutes. The slave is worse. A normal load time is 20 minutes and it is at 31 minutes now with an eta of about 2.5 hours. These systems are using OpenLDAP 2.4.35. Here are some relevent bits from the configuration. dn: cn=config olcToolThreads: 2 dn: olcDatabase={2}mdb,cn=config olcDbCheckpoint: 1024 5 olcDbEnvFlags: writemap olcDbEnvFlags: nometasync olcDbNoSync: FALSE olcDbMaxSize: 85899345920 The systems are Dell r610s with 16 gbyte of memory. Our database is currently 3.2G on the master server. I have been loading wheezy/2.4.35 databases for weeks now in preparation upgrading the OS and installing the new version of OpenLDAP on our production servers. This is the first time I have seen this. I fiddled with the hardware enough to the point I don't think it is a hardware problem. There is not really much tuning to do with mdb and I would appreciate some suggestions for what to look at next. Bill -- Bill MacAllister Infrastructure Delivery Group, Stanford University

3 5

Re: High load times with mdb
by Bill MacAllister 08 Jul '13

08 Jul '13

--On Tuesday, June 25, 2013 12:58:54 PM -0700 Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Tuesday, June 25, 2013 12:38 PM -0700 Bill MacAllister <whm(a)stanford.edu> wrote: > >> The load starts out at a rate of about 2 M/s. In the past I remember >> that dropping to something like 900 k/s and staying there. Now the >> load starts in the same place, but after 30 seconds it alternates >> between stalling out right, and a rate under 100 k/s. Dips as low as >> under 10 k/s and sometimes as high at 700 k/s. (My undergraduate >> degree was in watching water boil.) > > What is the partition type? ext4? > > What options are set for the partition in fstab? This is what I am currently using. The UUID are obviously shortened for readability. UUID=blah1 / ext4 defaults,acl,noatime,errors=remount-ro 0 1 UUID=blah2 /var/cache/openafs ext4 defaults,noatime 0 2 UUID=blah3 /var/lib/ldap ext4 defaults,noatime 0 2 UUID=blah4 none swap sw 0 0 I also tried ext3 with the same results. This is on a raid-1. I have also tried splitting the two disks and putting the OS on one and the LDAP database on the other. None of this moved the problem. It really has the feel of a resource exhaustion. The load is now stalled in that the progress display is not updating. top does not show slapd as doing anything. Bill -- Bill MacAllister Infrastructure Delivery Group, Stanford University

2 6

OpenLDAP Proxy using PKCS#11/SmartCard client authentication
by Stefan Scheidewig 01 Jul '13

01 Jul '13

Hello, we have two LDAP instances. LDAP A acts as proxy for LDAP B using the ldap-backend. Now we configured LDAP B to use client authentication. We successfully established a connection to LDAP B using OpenSSL s_client and the PKCS#11 engine (OpenSSL engine library). Now we want the LDAP proxy to establish the connection using this pkcs11 engine (we compiled the ldap proxy to use OpenSSL as TLS implementation). Is there a posibility to tell the LDAP proxy to use the certificate and key from the smartcard (e.g. something like pkcs11:slot_1-id_42) ? Thank you in advance, Stefan Scheidewig -- Mit freundlichen Grüßen, Stefan Scheidewig T-Systems Multimedia Solutions GmbH BU Content & Collaboration Solution PF 54 Integrated Content Portals Dipl.-Inf. Stefan Scheidewig Softwareentwickler Hausanschrift: Riesaer Str. 5, 01129 Dresden, Germany Postanschrift: Postfach 10 02 24, 01072 Dresden, Germany +49 351 2820 2924 (Tel) +49 351 2820 5118 (Fax) Stefan.Scheidewig(a)t-systems.com (E-Mail) Internet: http://www.t-systems-mms.com T-Systems Multimedia Solutions GmbH Aufsichtsrat: Klaus Werner (Vorsitzender) Geschäftsführung: Peter Klingenburg, Susanne Heger Handelsregister: Amtsgericht Dresden HRB 11433 Sitz der Gesellschaft Dresden Ust-IdNr.: DE 811 807 949

4 9

ACL - grant access to subtree by regex
by Ole 29 Jun '13

29 Jun '13

Hi, I'm really new to OpenLDAP and try to grant domain-admins access to their domain-subtree in our historicaly grown LDAP Structure. The Structure is like this: ou=somedomain.tld,ou=mail,dc=example,dc=tld ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld cn=admin(a)somedomain.tld,ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld The ACL I try to use (according to [1]) is: access to dn.regex=".+,ou=([^,]+),ou=mail,dc=example,dc=tld$" by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write by * break but it doesn't take effect. After hours of thinking about the problem and searching in the internet I still can't get the poit. Thank you for reading, Ole [1] http://www.openldap.org/faq/data/cache/973.html

2 4

Types of Groups, Structural objects and Inheritance
by Brendan Kearney 29 Jun '13

29 Jun '13

list members, As a caveat to my ACLs, most of my groups are the posixGroup class. from what i understand, that means i need to use set ACLs, instead of group ACLs. this does not seem to be a big deal, and is covered in the admin guide. that being said, i am looking to find out what the functional differences between a posixGroup and groupOfNames are? are there significant reasons to use one over the other? in my environment, i have the ability to recreate all the posixGroup objects as groupOfNames objects, if it would help with the creation of ACLs and other work to be done. is that a worthwhile effort? In my searching, i have found an explicit reason to keep using the posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups. the dependency is because of the use of memberUid attributes. would there be any other explicit reasons to use one group type over another? my users have inetOrgPerson as their structural class, and as such i cannot add the NFSv4RemotePerson class to their list of objectClass attributes. the NFSv4RemotePerson class is structural as well. i have heard about the ability to create a hierarchy of objectClass objects so that an object can inherit the properties of all the SUP classes. is there a way i can create this hierarchy to allow multiple structural class attributes to be inherited by user objects? i have not found much info around doing this. are there any pointers? thanks in advance, brendan

3 3

Openldap-2.4.35 TLS/SSl
by Darouichi, Aziz 29 Jun '13

29 Jun '13

Hi, I am trying to configure TLS/SSL and I have a Cert from Geotrust . I configure slapd.conf with the followings: # TLS/SSL information # TLSCipherSuite HIGH:MEDIUM:+SSLv2 TLSCACertificateFile /opt/local/etc/openldap/GeoTrust_Global_CA.cer TLSCertificateFile /opt/local/etc/openldap/rhea.curry.edu.pem.cer TLSCertificateKeyFile /opt/local/etc/openldap/rhea.key.pem But when I check the cert using "openssl s_client -connect 192.168.60.43:636 -CApath /opt/local/etc/openldap/" I get CONNECTED(00000003) 140230373582504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177: --- no peer certificate available --- No client certificate CA names sent --- SSL handshake has read 0 bytes and written 321 bytes --- New, (NONE), Cipher is (NONE) Secure Renegotiation IS NOT supported Compression: NONE Expansion: NONE I checked the log I see TLS connection

3 2

LB health check during syncrepl refresh
by Michael Ströder 28 Jun '13

28 Jun '13

HI! Inspired by ITS#7616 and looking at our monitoring: If I bring up a syncrepl consumer with empty DB it seems contextCSN attribute is missing in DB base entry during refresh phase. This is nice because we could use that in the load-balancer health check to prevent clients to connect to this replica until all data is loaded into the consumer and contextCSN is present. So is it guaranteed that contextCSN is missing during lengthy refresh phase? Ciao, Michael.

2 1

Unable to edit cn=config
by Michael Roth 28 Jun '13

28 Jun '13

Hello openldap masters, I have a big issue and I'm praying someone can help me Am I able to change the ACL so I can edit cn=config to load a module in? If so how do I do that? How I setup my working LDAP with the script here: http://www.ghacks.net/2010/08/31/set-up-your-ldap-server-on-ubuntu-10-04/ I'm now using Ubuntu 12.04 Server x64 Working on this module here: http://raerek.blogspot.com/2012/06/sync-ldap-and-samba-passwords-using.html When I load changes into LDAP I'm denied. $ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif modifying entry "cn=module{0},cn=config" ldap_modify: Insufficient access (50) $ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif ldap_sasl_interactive_bind_s: Unknown authentication method (-6) additional info: SASL(-4): no mechanism available: $ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess Enter LDAP Password: dn: olcDatabase={1}hdb,cn=config olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=domain,dc=net" write by anonymous auth by self write by * none olcAccess: {1}to dn.base="" by * read olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=net" write by * read Regards, ~Mike

2 6

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2013