Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50.
This is my example (line 50 is marked in the code below).
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called by Net::LDAP once for each entry as the search results arrive
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # drop the entry so the result set does not grow
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,       # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control. This is line 50 of vlv.pl, where the script dies:
# control() returns an empty list when the server sent no VLV response control.
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
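As an added check that is not part of the original post: before trusting the VLV response control, confirm that the server advertises server-side sorting and VLV in its root DSE, check the search result code, and report which control is missing instead of a bare die. The host and base are placeholders, and the sssvlv remark assumes an OpenLDAP slapd.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_SUCCESS
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
    LDAP_CONTROL_VLVREQUEST  LDAP_CONTROL_VLVRESPONSE
);

# Placeholders: substitute the real host and base from the script above.
my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

# 1. Read the root DSE: VLV only works together with server-side sorting,
#    so both request-control OIDs must appear in supportedControl.
my $dse = $ldap->root_dse( attrs => ['supportedControl'] )
    or die "could not read the root DSE\n";
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST ) {
    $dse->supported_control($oid)
        or die "server does not advertise control $oid, so VLV paging is unavailable\n";
}

# 2. Request one page and check the search result code before touching controls.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my $vlv  = Net::LDAP::Control::VLV->new( before => 0, after => 19, content => 0, offset => 1 );
my $mesg = $ldap->search(
    base    => $base,
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn'],
    control => [ $sort, $vlv ],
);
$mesg->code == LDAP_SUCCESS
    or die sprintf "search failed: %s (%d)\n", $mesg->error, $mesg->code;

# 3. Even a successful search may carry no response controls (a server that
#    ignores a non-critical control simply omits them), so name what is missing.
my ($sort_res) = $mesg->control(LDAP_CONTROL_SORTRESULT);
my ($vlv_res)  = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
die "no sort result control in the response\n" unless $sort_res;
die "no VLV response control in the response (on slapd: is sssvlv loaded?)\n" unless $vlv_res;
printf "sort result %d, VLV result %d, %d entries on this page, %d total\n",
    $sort_res->result, $vlv_res->result, $mesg->count, $vlv_res->contentCount;
$vlv->response($vlv_res);   # carry the server's context into the next page request
```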
7 years
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
7 years, 11 months
High load times with mdb
by Bill MacAllister
With the release of Debian 7 (wheezy) I was rebuilding a couple of test
systems and was surprised to find that the load times I am seeing for
populating the mdb database with slapd have gone up dramatically. The
load for a master server that was taking about 10 minutes just took
35 minutes. The slave is worse. A normal load time is 20 minutes,
and it is at 31 minutes now with an ETA of about 2.5 hours. These
systems are using OpenLDAP 2.4.35.
Here are some relevant bits from the configuration.
dn: cn=config
olcToolThreads: 2
dn: olcDatabase={2}mdb,cn=config
olcDbCheckpoint: 1024 5
olcDbEnvFlags: writemap
olcDbEnvFlags: nometasync
olcDbNoSync: FALSE
olcDbMaxSize: 85899345920
The systems are Dell R610s with 16 GB of memory. Our database
is currently 3.2G on the master server.
I have been loading wheezy/2.4.35 databases for weeks now in
preparation for upgrading the OS and installing the new version of OpenLDAP
on our production servers. This is the first time I have seen this.
I have fiddled with the hardware enough that I don't think it is
a hardware problem. There is not really much tuning to do with mdb,
and I would appreciate some suggestions for what to look at next.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University
9 years, 10 months
Re: High load times with mdb
by Bill MacAllister
--On Tuesday, June 25, 2013 12:58:54 PM -0700 Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Tuesday, June 25, 2013 12:38 PM -0700 Bill MacAllister <whm(a)stanford.edu> wrote:
>
>> The load starts out at a rate of about 2 M/s. In the past I remember
>> that dropping to something like 900 k/s and staying there. Now the
>> load starts in the same place, but after 30 seconds it alternates
>> between stalling outright and a rate under 100 k/s. It dips as low as
>> under 10 k/s and sometimes as high as 700 k/s. (My undergraduate
>> degree was in watching water boil.)
>
> What is the partition type? ext4?
>
> What options are set for the partition in fstab?
This is what I am currently using. The UUIDs are obviously shortened
for readability.
UUID=blah1 / ext4 defaults,acl,noatime,errors=remount-ro 0 1
UUID=blah2 /var/cache/openafs ext4 defaults,noatime 0 2
UUID=blah3 /var/lib/ldap ext4 defaults,noatime 0 2
UUID=blah4 none swap sw 0 0
I also tried ext3 with the same results. This is on a RAID-1. I have
also tried splitting the two disks and putting the OS on one and the
LDAP database on the other. None of this moved the problem.
It really has the feel of resource exhaustion. The load is now
stalled in that the progress display is not updating. top does not
show slapd as doing anything.
Bill
--
Bill MacAllister
Infrastructure Delivery Group, Stanford University
9 years, 11 months
OpenLDAP Proxy using PKCS#11/SmartCard client authentication
by Stefan Scheidewig
Hello,
We have two LDAP instances. LDAP A acts as a proxy for LDAP B using the
ldap backend. Now we have configured LDAP B to use client authentication. We
successfully established a connection to LDAP B using OpenSSL s_client
and the PKCS#11 engine (OpenSSL engine library). Now we want the LDAP
proxy to establish the connection using this PKCS#11 engine (we compiled
the LDAP proxy to use OpenSSL as its TLS implementation). Is there a
possibility to tell the LDAP proxy to use the certificate and key from
the smartcard (e.g. something like pkcs11:slot_1-id_42)?
Thank you in advance,
Stefan Scheidewig
--
Kind regards,
Stefan Scheidewig
T-Systems Multimedia Solutions GmbH
BU Content & Collaboration Solution
PF 54 Integrated Content Portals
Dipl.-Inf. Stefan Scheidewig
Software developer
Street address: Riesaer Str. 5, 01129 Dresden, Germany
Postal address: Postfach 10 02 24, 01072 Dresden, Germany
+49 351 2820 2924 (Tel)
+49 351 2820 5118 (Fax)
Stefan.Scheidewig(a)t-systems.com (E-Mail)
Internet: http://www.t-systems-mms.com
T-Systems Multimedia Solutions GmbH
Supervisory board: Klaus Werner (Chairman)
Management: Peter Klingenburg, Susanne Heger
Commercial register: Amtsgericht Dresden HRB 11433
Registered office: Dresden
VAT ID: DE 811 807 949
9 years, 11 months
ACL - grant access to subtree by regex
by Ole
Hi,
I'm really new to OpenLDAP and am trying to grant domain admins access to
their domain subtree in our historically grown LDAP structure.
The structure is like this:
ou=somedomain.tld,ou=mail,dc=example,dc=tld
ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld
cn=admin(a)somedomain.tld,ou=admins,ou=somedomain.tld,ou=mail,dc=example,dc=tld
The ACL I try to use (according to [1]) is:
access to dn.regex=".+,ou=([^,]+),ou=mail,dc=example,dc=tld$"
by dn.onelevel,expand="ou=admins,ou=$1,ou=mail,dc=example,dc=tld" write
by * break
but it doesn't take effect. After hours of thinking about the problem
and searching on the internet I still can't get the point.
Thank you for reading,
Ole
[1] http://www.openldap.org/faq/data/cache/973.html
9 years, 11 months
Types of Groups, Structural objects and Inheritance
by Brendan Kearney
list members,
As a caveat to my ACLs, most of my groups are the posixGroup class.
From what I understand, that means I need to use set ACLs instead of
group ACLs. This does not seem to be a big deal, and is covered in the
admin guide. That being said, I am looking to find out what the
functional differences between a posixGroup and a groupOfNames are. Are
there significant reasons to use one over the other? In my environment,
I have the ability to recreate all the posixGroup objects as
groupOfNames objects, if it would help with the creation of ACLs and
other work to be done. Is that a worthwhile effort?
In my searching, I have found an explicit reason to keep using the
posixGroup type, as NFSv4 ACLs can only use posixGroup types of groups.
The dependency is because of the use of memberUid attributes. Would
there be any other explicit reasons to use one group type over another?
My users have inetOrgPerson as their structural class, and as such I
cannot add the NFSv4RemotePerson class to their list of objectClass
attributes. The NFSv4RemotePerson class is structural as well. I have
heard about the ability to create a hierarchy of objectClass objects so
that an object can inherit the properties of all the SUP classes. Is
there a way I can create this hierarchy to allow multiple structural
class attributes to be inherited by user objects? I have not found much
info around doing this. Are there any pointers?
Thanks in advance,
Brendan
9 years, 11 months
OpenLDAP 2.4.35 TLS/SSL
by Darouichi, Aziz
Hi,
I am trying to configure TLS/SSL and I have a cert from GeoTrust. I configured slapd.conf with the following:
# TLS/SSL information
# TLSCipherSuite HIGH:MEDIUM:+SSLv2
TLSCACertificateFile /opt/local/etc/openldap/GeoTrust_Global_CA.cer
TLSCertificateFile /opt/local/etc/openldap/rhea.curry.edu.pem.cer
TLSCertificateKeyFile /opt/local/etc/openldap/rhea.key.pem
But when I check the cert using "openssl s_client -connect 192.168.60.43:636 -CApath /opt/local/etc/openldap/" I get
CONNECTED(00000003)
140230373582504:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake failure:s23_lib.c:177:
---
no peer certificate available
---
No client certificate CA names sent
---
SSL handshake has read 0 bytes and written 321 bytes
---
New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported
Compression: NONE
Expansion: NONE
When I check the log, I see a TLS connection.
9 years, 11 months
LB health check during syncrepl refresh
by Michael Ströder
Hi!
Inspired by ITS#7616 and looking at our monitoring:
If I bring up a syncrepl consumer with an empty DB, it seems the contextCSN attribute
is missing from the DB base entry during the refresh phase.
This is nice because we could use that in the load-balancer health check to
prevent clients from connecting to this replica until all data is loaded into the
consumer and contextCSN is present.
So is it guaranteed that contextCSN is missing during a lengthy refresh phase?
Ciao, Michael.
9 years, 11 months
Unable to edit cn=config
by Michael Roth
Hello OpenLDAP masters,
I have a big issue and I'm praying someone can help me.
Am I able to change the ACL so I can edit cn=config to load a module in? If
so, how do I do that?
I set up my working LDAP with the script here:
http://www.ghacks.net/2010/08/31/set-up-your-ldap-server-on-ubuntu-10-04/
I'm now using Ubuntu 12.04 Server x64.
I am working on this module here:
http://raerek.blogspot.com/2012/06/sync-ldap-and-samba-passwords-using.html
When I load changes into LDAP I'm denied.
$ sudo ldapmodify -Q -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
modifying entry "cn=module{0},cn=config"
ldap_modify: Insufficient access (50)
$ sudo ldapmodify -Y EXTERNAL -H ldapi:/// -f smbkrb5pwd_load.ldif
ldap_sasl_interactive_bind_s: Unknown authentication method (-6)
additional info: SASL(-4): no mechanism available:
$ ldapsearch -xLLL -b cn=config -D cn=admin,cn=config -W olcDatabase=hdb olcAccess
Enter LDAP Password:
dn: olcDatabase={1}hdb,cn=config
olcAccess: {0}to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=domain,dc=net" write by anonymous auth by self write by * none
olcAccess: {1}to dn.base="" by * read
olcAccess: {2}to * by dn="cn=admin,dc=domain,dc=net" write by * read
Regards,
~Mike
9 years, 11 months