Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is marked with a comment in the code below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Search callback: print each entry as it arrives, then drop it from $mesg
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "connect: $@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,   # No entries from before target entry
    after   => 19,  # 19 entries after target entry
    content => 0,   # List size unknown
    offset  => 1,   # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,      # Call this sub for each entry
             control  => [ $sort, $vlv ],
           );
my $mesg = $ldap->search( @args );
# Get VLV response control -- this is line 50 of vlv.pl, where it dies
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
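The die fires because $mesg->control(LDAP_CONTROL_VLVRESPONSE) returns nothing: the server sent no VLV response control. On OpenLDAP (assumed here, since the post only names "localhost") the Server Side Sort and VLV controls are only offered once the sssvlv overlay is loaded and attached to the database. The cn=config LDIF below is an added example, not part of the original post; the module entry cn=module{0}, the database olcDatabase={1}hdb and the two limits are assumptions to adapt to the server in question.

```ldif
# Load the overlay module. The entry name cn=module{0} is an assumption;
# check with a search of cn=config for olcModuleLoad.
dn: cn=module{0},cn=config
changetype: modify
add: olcModuleLoad
olcModuleLoad: sssvlv

# Attach the overlay to the database holding dc=example,dc=co,dc=in.
# olcSssVlvMax bounds concurrent sorted searches, olcSssVlvMaxKeys the
# number of sort keys per request; both values are assumptions.
dn: olcOverlay=sssvlv,olcDatabase={1}hdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcSssVlvConfig
olcOverlay: sssvlv
olcSssVlvMax: 10
olcSssVlvMaxKeys: 5
```

Apply it with ldapmodify -Y EXTERNAL -H ldapi:/// (or with the config rootdn), then read the root DSE (ldapsearch -x -H ldap://localhost -b "" -s base supportedControl): the Sort control 1.2.840.113556.1.4.473 and the VLV control 2.16.840.1.113730.3.4.9 must both be listed before the script can get a VLV response. Independently of the server side, check $mesg->code and $mesg->error before reaching for the control: a search that failed carries no response control, and the error text says why.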
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE
Hello,
I'm trying to enable the unique overlay to enforce uniqueness of the uid and mail attributes,
with no luck. My server is Debian 7 based with packaged slapd (2.4.31). Here's the config
for the unique overlay:
DN: cn=module{1},cn=config
objectClass: olcModuleList
objectClass: olcConfig
objectClass: top
cn: module{1}
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}unique
olcModulePath: /usr/lib/ldap
DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}unique
olcUniqueURI: ldap:///?mail?sub
olcUniqueURI: ldap:///?uid?sub
assuming the configuration is good, I've tried to create 2 entries :
uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the
same mail : test(a)mydomain.com => created without error.
change mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works
going back to test(a)mydomain.com => no error
The first time, I've used the main administrative account. So I created a sub
administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two
entries with the same mail without error.
I've tried to put slapd in debug mode; the only thing I've noticed is:
51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>,
<uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e *unique_modify: administrative bypass, skipping*
51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com")
51f7df1e bdb_entry_get: rc=0
If someone has a clue...
Rgds
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
10 years
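The line "unique_modify: administrative bypass, skipping" is what slapo-unique logs when it skips its check because the bound identity has manage privileges on the entry; the rootdn always has them, and an olcAccess rule that grants manage gives them to a sub-administrator as well. The LDIF below is an added example, not from the original post: an ACL that gives the sub-administrator write, not manage, on ou=people, followed by the two test entries with the same mail. The sub-administrator DN cn=subadmin,dc=mydomain,dc=com and the {0} position of the rule are assumptions.

```ldif
# --- file 1, applied as the config rootdn: write, not manage, so the
#     overlay is consulted for this identity. Inserted at position {0};
#     "by * break" lets the existing rules still apply to everyone else.
#     Continuation lines carry two spaces: LDIF strips one of them.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {0}to dn.subtree="ou=people,dc=mydomain,dc=com"
  by dn.exact="cn=subadmin,dc=mydomain,dc=com" write
  by * break

# --- file 2, applied while bound as cn=subadmin (not as the rootdn).
#     The second add must now be refused with constraintViolation (19).
dn: uid=test,ou=people,dc=mydomain,dc=com
changetype: add
objectClass: inetOrgPerson
uid: test
cn: Test One
sn: One
mail: test@mydomain.com

dn: uid=test2,ou=people,dc=mydomain,dc=com
changetype: add
objectClass: inetOrgPerson
uid: test2
cn: Test Two
sn: Two
mail: test@mydomain.com
```

Two caveats for the test: entries loaded with slapadd never pass through the overlay, so uniqueness of data already in the database is not retroactively checked, and the olcUniqueURI values without a base part (ldap:///?mail?sub) cover the whole database the overlay is attached to, which is what you want here.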
olcAccess best practices
by Jancewicz, Russell
Hello,
I was wondering if there exists a best practices guide to crafting olcAccess rules?
For example:
Should I create a single entry per account I want to give access, granting all attributes they would need read/write access to with a particular filter?
Or would I be better off grouping access granting to members of the groups and adding individual rules for special edge cases?
Or are both these ideas off base and something else would be preferred?
Currently I am granting access by groups with access to collections of attributes, however as I am discovering that some accounts need access to those attributes with different filters my rules are continually shifting and growing.
Thank You,
-Russell Janceiwcz
University of Connecticut
10 years, 3 months
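One way to keep group-based rules from sprawling is to keep the general group rule in one place and put each edge case ahead of it as a narrow rule that falls through with "by * break" for everyone it does not cover, instead of a second copy of the general rule with a different filter. The LDIF below is an added example, not from the original post; the suffix dc=example,dc=com, the group DNs and the attribute sets are assumptions.

```ldif
# Replaces the whole olcAccess list, so include every rule you want to keep.
# Continuation lines carry two spaces: LDIF strips one of them.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcAccess
# {0} credentials: one narrow rule, nobody reads hashes
olcAccess: {0}to attrs=userPassword
  by self write
  by anonymous auth
  by group.exact="cn=helpdesk,ou=groups,dc=example,dc=com" write
  by * none
# {1} edge case first: contractor records are maintained by their own group;
#     everyone else falls through ("break") to the general rule below
olcAccess: {1}to dn.subtree="ou=people,dc=example,dc=com"
  filter=(employeeType=contractor) attrs=mail,telephoneNumber
  by group.exact="cn=contractor-admins,ou=groups,dc=example,dc=com" write
  by * break
# {2} general rule for the same attributes
olcAccess: {2}to dn.subtree="ou=people,dc=example,dc=com"
  attrs=mail,telephoneNumber
  by group.exact="cn=hr,ou=groups,dc=example,dc=com" write
  by users read
  by * none
# {3} everything else: authenticated read only (implicit default is none)
olcAccess: {3}to *
  by users read
  by * none
```

Evaluation is first match: the first "to" clause matching the target entry and attribute is chosen, then the first matching "by" clause decides, except that "break" moves on to the next "to" clause. Because order decides, test each change offline with slapacl, e.g. slapacl -F /etc/ldap/slapd.d -D "uid=bob,ou=people,dc=example,dc=com" -b "uid=alice,ou=people,dc=example,dc=com" mail/write, before restarting or reloading anything.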
mdb fixes for 2.4.35?
by Patrick Lists
Hi,
Quanah mentioned in another posting to the list that there are some mdb
fixes for 2.4.35. Is there a patch available somewhere or a location
where I can download the source containing those fixes?
Regards,
Patrick
10 years, 3 months
N-Way Master replication no contextcsn
by espeake@oreillyauto.com
Trying a different method of replication to suit our need, I set up two
test servers as N-way master mirroring servers. Both servers have the
same configuration being fed to them through puppet. In the logs I can see
them bind and check cookies, but I get "CSN too old, ignoring
20110608165005.984980Z#000000#000#000000 (olcOverlay=
{4}syncprov,olcDatabase={1}hdb,cn=config)". Then the last slapd entry in the
log is rid=002
cookie=rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000 and
then nothing else happens. If I make a change to a user it never syncs to
the other server.
At this point I don't know what to look at or what you might want to look
at to help diagnose the problem. I followed the documentation in the admin
guide to set this up.
Any and all help is appreciated.
Thank you,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
10 years, 3 months
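In the log the ignored entry CSN carries sid 000 while the cookie carries sid 002, and in N-way (mirror) mode each provider needs its own serverID for its CSNs and contextCSN values to be tracked separately. When one identical configuration is pushed to both hosts by puppet, olcServerID with a URL per host lets the same file resolve to a different serverID on each server. The LDIF below is an added example, not from the original post; the hostnames and the database index are assumptions.

```ldif
# One serverID per provider. The URL form is chosen by slapd only when that
# URL is among its listener URLs (-h), so each host picks its own line and
# the configuration can stay identical on both.
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://ldap1.example.com
olcServerID: 2 ldap://ldap2.example.com

# The replicated database must be flagged as a mirror on both providers.
dn: olcDatabase={1}hdb,cn=config
changetype: modify
replace: olcMirrorMode
olcMirrorMode: TRUE
```

After a restart, ldapsearch -x -H ldap://ldap1.example.com -b dc=example,dc=com -s base contextCSN on each host should show a contextCSN per serverID (the #sid field in the third position) once each side has written something; a CSN with sid 000 means the write was made by a slapd that had no serverID at the time.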
DR scenerio
by espeake@oreillyauto.com
Okay, here is what we are wanting to do and I need to know if it is possible
with OpenLDAP. We have a main production LDAP server v. 2.4.28 running on
Ubuntu 10.04. We are adding two servers that will handle authentication and
refer writes to the main provider server. What I would like to do is set up
another provider in our DR site and have it pull replication from the main
LDAP server once a day, maybe twice. Then in turn that server would be the
provider for two consumers at the DR site that would handle auth requests
and refer writes to the provider at the DR site. But no changes at the
DR site would be written back to the main production provider. I don't
want someone testing something in the DR to be written back to production.
In a nutshell, I want to have two systems that look the same, where the
information for the second system would come from a sync with the first
system, but the second system would not be able to write back to the main
system.
Thanks,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
10 years, 3 months
how to configure subsuffix?
by Zeus Panchenko
hi all,
I'm absolutely new to LDAP and need advice, please.
What is the better/correct way to configure the database to implement the
"corporate users tree" covered below?
What I mean is a structure for the head office (ho), branch 1 of the head office
(bo1), ... branch N of the head office (boN):
- ho -+- bo1 -+- People
| +- Groups
| +- Hosts
...
|
+- boN -+- People
+- Groups
+- Hosts
I see it as a core LDAP server which replicates the DB partially to the
respective branches.
While trying to google a solution I found this (just what I described,
as I believe):
http://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Databa...
but it turned out not to be enough for me :(
So, may somebody advise how to implement the structure in .ldif?
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
10 years, 3 months
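One way to lay this out in OpenLDAP is one database per branch, declared as a subordinate of the head-office database: slapd glues them into one tree for searches and binds, while each branch database keeps its own files and its own syncprov, so a branch server replicates exactly its own subtree and nothing else. The LDIF below is an added example, not from the original post; the suffix dc=example,dc=com, the directory paths, the rootdn and the replicator DN are assumptions.

```ldif
# --- Core server, cn=config (load with slapadd -n 0 into a fresh config,
#     or ldapadd as the config rootdn). The subordinate must sort before
#     its superior, hence {1} for the branch and {2} for the head office.
dn: olcDatabase={1}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {1}hdb
olcSuffix: ou=bo1,dc=example,dc=com
olcSubordinate: TRUE
olcDbDirectory: /var/lib/ldap/bo1
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: objectClass eq
olcDbIndex: entryCSN,entryUUID eq

# syncprov on the branch database only: a branch server gets just this subtree
dn: olcOverlay=syncprov,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcSyncProvConfig
olcOverlay: syncprov

# Head office: the superior database that owns dc=example,dc=com itself.
# Set its olcRootPW from slappasswd output; the same rootdn then governs
# the subordinate as well.
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=example,dc=com
olcDbDirectory: /var/lib/ldap/ho
olcRootDN: cn=admin,dc=example,dc=com
olcDbIndex: objectClass eq

# --- Core server, the tree itself (ldapadd as cn=admin; ou=bo1 and
#     everything below it is routed into the bo1 database by DN)
dn: dc=example,dc=com
objectClass: dcObject
objectClass: organization
dc: example
o: Head office

dn: ou=bo1,dc=example,dc=com
objectClass: organizationalUnit
ou: bo1

dn: ou=People,ou=bo1,dc=example,dc=com
objectClass: organizationalUnit
ou: People

dn: ou=Groups,ou=bo1,dc=example,dc=com
objectClass: organizationalUnit
ou: Groups

dn: ou=Hosts,ou=bo1,dc=example,dc=com
objectClass: organizationalUnit
ou: Hosts

# --- Branch bo1 server (its database has olcSuffix ou=bo1,dc=example,dc=com):
#     consume only its own subtree from the core
dn: olcDatabase={1}hdb,cn=config
changetype: modify
add: olcSyncrepl
olcSyncrepl: rid=001
  provider=ldap://ldap.example.com
  type=refreshAndPersist
  searchbase="ou=bo1,dc=example,dc=com"
  bindmethod=simple
  binddn="cn=replicator,dc=example,dc=com"
  credentials=CHANGEME
  retry="60 +"
```

Repeat the {1} database, its syncprov overlay and the ou=boN entries for each further branch, keeping every subordinate ahead of the head-office database in the ordering, and create each olcDbDirectory (owned by the slapd user) before starting slapd. The replicator DN needs read access to the branch subtree on the core and an olcLimits entry lifting the size limit for its DN.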
Removing Overlays Using cn=config
by Tim Gustafson
Hi,
I would like to remove the "auditlog" overlay from one of my databases
on my OpenLDAP server that is running 2.4.35 and is configured via
cn=config.
But, when I try to remove the overlay object, I get:
0x35 (LDAP_UNWILLING_TO_PERFORM)
I Googled around about this, and found some older list messages about
not being able to delete overlays, but most of those messages are
years old and I was wondering if this has changed at all?
If not, what is the "proper" way to remove an overlay?
--
Tim Gustafson
tjg(a)ucsc.edu
831-459-5354
Baskin Engineering, Room 313A
10 years, 3 months