openldap-technical July 2013

openldap-technical@openldap.org

68 participants
86 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE 05 Nov '13

05 Nov '13

Hello, I'm trying to enable unique overlay to enforce uniqueness of uid and mail attributes with no luck. My server is debian 7 based with packaged slapd (2.4.31]. Here's the config for the unique overlay : DN: cn=module{1},cn=config objectClass: olcModuleList objectClass: olcConfig objectClass: top cn: module{1} olcModuleLoad: {0}memberof olcModuleLoad: {1}refint olcModuleLoad: {2}unique olcModulePath: /usr/lib/ldap DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {4}unique olcUniqueURI: ldap:///?mail?sub olcUniqueURI: ldap:///?uid?sub assuming the configuration is good, I've tried to create 2 entries : uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the same mail : test(a)mydomain.com => created without error. change mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works going back to test(a)mydomain.com => no error The first time, I've used the main administrative account. So I created a sub administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two entries with the same mail without error. I've tried to put slapd in debug mode, the only ting I've noticed is : 51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e *unique_modify: administrative bypass, skipping* 51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com") 51f7df1e bdb_entry_get: rc=0 If someone has a clue... Rgds -- Philippe MARASSE Service Informatique - Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19

4 13

RE24 testing call (OpenLDAP 2.4.36)
by Quanah Gibson-Mount 12 Aug '13

12 Aug '13

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.36 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Lead Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

8 17

olcAccess best practices
by Jancewicz, Russell 02 Aug '13

02 Aug '13

Hello, I was wondering if there exists a best practices guide to crafting olcAccess rules? For example: Should I create a single entry per account I want to give access, granting all attributes they would need read/write access to with a particular filter? Or would I be better off grouping access granting to members of the groups and adding individual rules for special edge cases? Or are both these ideas off base and something else would be preferred? Currently I am granting access by groups with access to collections of attributes, however as I am discovering that some accounts need access to those attributes with different filters my rules are continually shifting and growing. Thank You, -Russell Janceiwcz University of Connecticut

2 1

mdb fixes for 2.4.35?
by Patrick Lists 02 Aug '13

02 Aug '13

Hi, Quanah mentioned in another posting to the list that there are some mdb fixes for 2.4.35. Is there a patch available somewhere or a location where I can download the source containing those fixes? Regards, Patrick

4 9

N-Way Master replication no contextcsn
by espeake＠oreillyauto.com 02 Aug '13

02 Aug '13

Trying a different method of replication to suit or need and I set up two test servers for n-way master mirroring servers. Both servers have the same configuration being fed to them through puppet. In the logs I can see them bind and check cookies but I get CSN too old, ignoring 20110608165005.984980Z#000000#000#000000 (olcOverlay= {4}syncprov,olcDatabase={1}hdb,cn=config) THen the last slapd entry in the log is rid=002 cookie=rid=002,sid=002,csn=20110915141524.047299Z#000000#000#000000 and then nothing else happens. If I make a change to user it never syncs to the other server. At this point I don't know what to look at or what you might want to look at to help diagnose the problem. I followed the documentation in the admin guide to set this up. Any and all help is appreciated. Thank you, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

5 9

DR scenerio
by espeake＠oreillyauto.com 01 Aug '13

01 Aug '13

Okay here is what we are wanting to do and I need to know if it is possible with openLDAP. We have a main production ldap server v. 2.4.28 running on Ubuntu 10.04 We are adding two servers that will handle authenication and refer writes to the main provider server. What I would like to to setup another provider in our DR site and have it pull replication from the main LDAP server once a day, maybe twice. Then in turn that server would be the provider for two consumers at the DR site that would handle auth requests and refer write to the provider at the DR site. But the no changes at the DR site would be written back to the main production provider. I don't want someone testing something in the DR to be written back to production. In a nut shell I want to have two systems that look the same and the information for the second system would come from a sync with the first system, but the second system would not be able to write back to the main system. Thanks, Eric Speake Web Systems Administrator O'Reilly Auto Parts This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS � 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.

2 1

how to configure subsuffix?
by Zeus Panchenko 01 Aug '13

01 Aug '13

hi all, I'm absolutely new to LDAP and need advice, please how is it better/correct to configure database to implement "corporative users tree" covered? what I mean is structure for head office (ho), branch 1 of head office (bo1), ... branch N of head office (boN): - ho -+- bo1 -+- People | +- Groups | +- Hosts ... | +- boN -+- People +- Groups +- Hosts I see it as core LDAP server which replicates db partially, to the consequent branches while trying to google the solution I found this (just what I described as I believe): http://www.centos.org/docs/5/html/CDS/ag/8.0/Configuring_Directory_Database… but it've occured not enough for me :( so, may somebody advice, how to implement the structure in .ldif? -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET)

2 2

Removing Overlays Using cn=config
by Tim Gustafson 01 Aug '13

01 Aug '13

Hi, I would like to remove the "auditlog" overlay from one of my databases on my OpenLDAP server that is running 2.4.35 and is configured via cn=config. But, when I try to remove the overlay object, I get: 0x35 (LDAP_UNWILLING_TO_PERFORM) I Googled around about this, and found some older list messages about not being able to delete overlays, but most of those messages are years old and I was wondering if this has changed at all? If not, what is the "proper" way to remove an overlay? -- Tim Gustafson tjg(a)ucsc.edu 831-459-5354 Baskin Engineering, Room 313A

4 3

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical July 2013