Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. Line 50 is marked with a comment.

  #!/usr/bin/perl -w
  use Net::LDAP;
  use Net::LDAP::Control::VLV;
  use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
  use Net::LDAP::Control::Sort;

  sub procentry {
      my ( $mesg, $entry ) = @_;
      # Return if there is no entry to process
      if ( !defined($entry) ) {
          return;
      }
      print "dn: " . $entry->dn() . "\n";
      @attrs = $entry->attributes();
      foreach $attr (@attrs) {
          #printf("\t%s: %s\n", $attr, $entry->get_value($attr));
          $attrvalue = $entry->get_value( $attr, asref => 1 );
          #print $attr.":". $entry->get_value($attr)."\n";
          foreach $value (@$attrvalue) {
              print "$attr: $value\n";
          }
      }
      $mesg->pop_entry;
      print "\n";
  }

  $ldap = Net::LDAP->new( "localhost" );
  # Get the first 20 entries
  $vlv = Net::LDAP::Control::VLV->new(
      before  => 0,    # No entries from before target entry
      after   => 19,   # 19 entries after target entry
      content => 0,    # List size unknown
      offset  => 1,    # Target entry is the first
  );
  my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
  @args = ( base     => "dc=example,dc=co,dc=in",
            scope    => "subtree",
            filter   => "(objectClass=inetOrgPerson)",
            callback => \&procentry,    # Call this sub for each entry
            control  => [ $sort, $vlv ],
          );
  $mesg = $ldap->search( @args );
  # Get VLV response control
  ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50 of vlv.pl, where it dies
  $vlv->response( $resp );
  # Set the control to get the last 20 entries
  $vlv->end;
  $mesg = $ldap->search( @args );
  # Get VLV response control
  ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
  $vlv->response( $resp );
  # Now get the previous page
  $vlv->scroll_page( -1 );
  $mesg = $ldap->search( @args );
  # Get VLV response control
  ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
  $vlv->response( $resp );
  # Now page with first entry starting with "B" in the middle
  $vlv->before(9);     # Change page to show 9 before
  $vlv->after(10);     # Change page to show 10 after
  $vlv->assert("B");   # assert "B"
  $mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years
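An added example, not code from the post above, showing the checks worth making before relying on the VLV response control: ask the root DSE whether the server advertises the VLV and server-side sort controls, send both controls as critical, and inspect the search result code before calling $mesg->control. The host, the anonymous bind and the attrs list are assumptions; the base and filter are the ones from the post.

```perl
# Added example, not code from the original post. Assumes an LDAP server on
# $host that allows anonymous search of the post's base.
use strict; use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVREQUEST LDAP_CONTROL_VLVRESPONSE
                            LDAP_CONTROL_SORTREQUEST );

my $host = shift @ARGV || 'localhost';
my $base = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@";
my $mesg = $ldap->bind;   # anonymous; use a DN and password on a real server
die 'bind failed: ' . $mesg->error if $mesg->code;

# 1. The root DSE lists the controls the server implements. A server without
#    VLV returns no VLV response control at all, which is exactly what makes
#    "$mesg->control(LDAP_CONTROL_VLVRESPONSE) or die" fire.
my $dse = $ldap->root_dse or die "cannot read root DSE\n";
for ( [ VLV => LDAP_CONTROL_VLVREQUEST ], [ Sort => LDAP_CONTROL_SORTREQUEST ] ) {
    my ($name, $oid) = @$_;
    printf "%-4s control %s: %s\n", $name, $oid,
        $dse->supported_control($oid) ? 'supported' : 'NOT supported';
}

# 2. VLV needs a sort control; sending both as critical makes a server that
#    cannot honour them fail the search instead of silently ignoring them.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn', critical => 1 );
my $vlv  = Net::LDAP::Control::VLV->new( before => 0, after => 19, content => 0,
                                          offset => 1, critical => 1 );
$mesg = $ldap->search( base => $base, scope => 'sub',
                       filter => '(objectClass=inetOrgPerson)',
                       attrs => ['cn'], control => [ $sort, $vlv ] );

# 3. Check the result code first; only then look for the response control.
die sprintf( "search failed: %s (%d)\n", $mesg->error, $mesg->code ) if $mesg->code;
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "search succeeded but returned no VLV response control\n";
$vlv->response($resp);    # carry the server's context into the next page
printf "page holds %d entries; server reports %d in the list, target at %d\n",
    $mesg->count, $resp->contentCount, $resp->targetOffset;
$ldap->unbind;
```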
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
7 years, 11 months
Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE
Hello,
I'm trying to enable the unique overlay to enforce uniqueness of the uid and mail attributes,
with no luck. My server is Debian 7 based with packaged slapd (2.4.31). Here's the config
for the unique overlay:
DN: cn=module{1},cn=config
objectClass: olcModuleList
objectClass: olcConfig
objectClass: top
cn: module{1}
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}unique
olcModulePath: /usr/lib/ldap
DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}unique
olcUniqueURI: ldap:///?mail?sub
olcUniqueURI: ldap:///?uid?sub
Assuming the configuration is good, I've tried to create 2 entries:
uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the
same mail, test(a)mydomain.com => created without error.
Changing the mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works;
going back to test(a)mydomain.com => no error.
The first time, I used the main administrative account. So I created a sub
administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two
entries with the same mail without error.
I've tried to put slapd in debug mode; the only thing I've noticed is:
  51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>
  51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com>
  51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com>
  51f7df1e unique_modify: administrative bypass, skipping
  51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com")
  51f7df1e bdb_entry_get: rc=0
If someone has a clue...
Rgds
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
9 years, 6 months
Re: separate login/password for several services?
by Andrew Findlay
On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:
> To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>
Please keep replies on the list so that they become searchable
and everyone can benefit.
> here is the diagram depicting what I am thinking about while talking :)
>
> https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png
> I dedicate these DN-s for services, so each such DN *can and supposed to*
> use any (in theory) uid in the entry, the user can ask for
Do you really want every user account on every service to have a
different username? (i.e. the user cannot request to be known as
'fred' on both the SMTP service and the IMAP service?)
> in particular, I do not see another way to authenticate users of
> different domains(for email)/realms(for xmpp) against the same LDAP DB
That depends on how you provide the services. If the network address
of the services used by domain-A users is different from that used by
domain-B users then the server processes will know which domain they
are serving. If the same network address is used to serve all domains
then you do indeed require the uids to be unique across domains (but
you probably do want to let fred(a)x.y.com use that ID for all
services).
> > It may be enough for you to simply prevent the non-uniqueness. You can
> > do that using the 'unique' overlay:
>
> mmm ... will not it prevent non-uniqueness only for parent DN-s? while
> what I'm trying to ask (I'm sorry for muddled up explanation what I mean)
> about is - uniqueness for the uid *in* the entry ... so, the uniqueness
> of the attribute `uid' among all DN-s containing authorizedService=target-service
You could do that if you are prepared to have one config line for each
service. Something like:
overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
9 years, 8 months
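An added example, not code from the unique-overlay post or from Andrew Findlay's reply above, that audits a directory for the duplicates the overlay is meant to prevent: the debug output in the unique-overlay post shows the overlay skipping its check for an administrative write ("administrative bypass, skipping"), so a tree can already hold duplicates, and each per-service unique_uri line in the reply corresponds to one search that this script runs. The suffixes dc=mydomain,dc=com and dc=org, anonymous search access and the sample entries are assumptions.

```perl
# Added example, not code from either post. Entries are audited the way the
# unique overlay would check them; the suffixes, the sample data and anonymous
# search access are assumptions.
use strict; use warnings;
use Net::LDAP;

# The checks from both threads as (base, attribute, filter), the fields a
# unique_uri / olcUniqueURI carries. An empty base in the URI means the
# database suffix, assumed to be dc=mydomain,dc=com in the first thread.
my @rules = (
    [ 'dc=mydomain,dc=com', 'mail', '(objectClass=*)' ],
    [ 'dc=mydomain,dc=com', 'uid',  '(objectClass=*)' ],
    [ 'ou=People,dc=org',   'uid',  '(authorizedService=SMTP)' ],
);

# Entries are [ dn, { attr => [ values ] } ]. Returns { value => [ dns ] } for
# every value held by more than one entry. uid and mail have case-insensitive
# equality matching, so values are compared lower-cased, as an equality filter does.
sub find_duplicates {
    my ($entries, $attr) = @_;
    my %holders;
    for my $e (@$entries) {
        my ($dn, $attrs) = @$e;
        push @{ $holders{ lc($_) } }, $dn for @{ $attrs->{$attr} || [] };
    }
    return { map { ( $_ => $holders{$_} ) } grep { @{ $holders{$_} } > 1 } keys %holders };
}

sub report {
    my ($label, $dups) = @_;
    print "$label: no duplicates\n" unless %$dups;
    print "$label: '$_' held by ", join( ', ', @{ $dups->{$_} } ), "\n" for sort keys %$dups;
}

if ( my $host = shift @ARGV ) {
    # Live mode: run each rule as the search the overlay performs on a write.
    my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@";
    for my $r (@rules) {
        my ($base, $attr, $filter) = @$r;
        my $m = $ldap->search( base => $base, scope => 'sub',
                               filter => $filter, attrs => [$attr] );
        die "search under $base failed: " . $m->error if $m->code;
        my @entries = map { [ $_->dn, { $attr => [ $_->get_value($attr) ] } ] } $m->entries;
        report( "$attr under $base $filter", find_duplicates( \@entries, $attr ) );
    }
} else {
    # Constructed sample reproducing the first thread: two entries written by
    # the rootdn with the same mail value (here differing only in case).
    my @sample = (
        [ 'uid=test,ou=people,dc=mydomain,dc=com',
          { uid => ['test'],  mail => ['test@mydomain.com'] } ],
        [ 'uid=test2,ou=people,dc=mydomain,dc=com',
          { uid => ['test2'], mail => ['Test@mydomain.com'] } ],
    );
    report( $_, find_duplicates( \@sample, $_ ) ) for qw(uid mail);
}
```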
contextCSN values and MMR
by Michael Ströder
Hi!
Are contextCSN values on all replicas really in sync if changes were correctly
replicated?
I've implemented a monitoring check used with normal MMR setup (OpenLDAP
2.4.35, own build on Debian Squeeze) which also checks the contextCSN values
on all replicas compared by server-id.
Sometimes we observe, even in isolated tests, that contextCSN values for a
certain server-id differ for quite a while (up to hours) even though the
changes coming from that server were definitely replicated to all other
replicas. After a while the contextCSN values get suddenly updated.
Unfortunately this does not always happen.
Any hint is highly appreciated.
Ciao, Michael.
9 years, 8 months
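An added example, not code from the post above, of the comparison such a monitoring check makes: it parses each replica's contextCSN values, groups them by server-id, and reports any replica whose value for a sid is missing or older than the newest one seen on any replica. The replica names and CSN values are a constructed sample; the suffix dc=example,dc=com and anonymous read access are assumptions for the live mode.

```perl
# Added example, not code from the original post. A contextCSN such as
#   20130821160107.813479Z#000000#002#000000
# is timestamp#changecount#sid#modcount; a replica lags for a sid when its
# CSN for that sid sorts below the newest one seen on any replica.
use strict; use warnings;
use Net::LDAP;

my $base = 'dc=example,dc=com';   # assumed suffix, read anonymously (assumption)

# Split a CSN into its sid plus a sortable key; returns undef if malformed.
sub parse_csn {
    my ($csn) = @_;
    my @f = $csn =~ /^(\d{14}\.\d{6}Z)#([0-9a-f]{6})#([0-9a-f]{3})#([0-9a-f]{6})$/i
        or return;
    # Every field is fixed width, so "ts#count#mod" compares correctly as a string.
    return { raw => $csn, sid => lc $f[2], key => lc "$f[0]#$f[1]#$f[3]" };
}

# Input: { replica => [ contextCSN values ] }. Returns one
# [ sid, replica, its CSN or '(missing)', newest CSN for that sid ] per lag.
sub find_lagging {
    my ($replicas) = @_;
    my ( %by_sid, @lag );
    for my $name ( keys %$replicas ) {
        for my $csn ( @{ $replicas->{$name} } ) {
            my $p = parse_csn($csn) or die "malformed CSN '$csn' on $name\n";
            $by_sid{ $p->{sid} }{$name} = $p;
        }
    }
    for my $sid ( sort keys %by_sid ) {
        my ($newest) = sort { $b->{key} cmp $a->{key} } values %{ $by_sid{$sid} };
        for my $name ( sort keys %$replicas ) {
            my $p = $by_sid{$sid}{$name};
            push @lag, [ $sid, $name, $p ? $p->{raw} : '(missing)', $newest->{raw} ]
                if !$p || $p->{key} lt $newest->{key};
        }
    }
    return @lag;
}

# Read contextCSN from every host on the command line with a base-scope search
# of the suffix; with no hosts, use a constructed sample in which ldap3 has not
# yet caught up on the changes that originated at sid 002.
my %replicas;
for my $host (@ARGV) {
    my $ldap = Net::LDAP->new($host) or die "$host: $@";
    my $m = $ldap->search( base => $base, scope => 'base',
                           filter => '(objectClass=*)', attrs => ['contextCSN'] );
    die "$host: " . $m->error if $m->code;
    $replicas{$host} = [ map { $_->get_value('contextCSN') } $m->entries ];
}
%replicas = (
    ldap1 => [ '20130821160107.813479Z#000000#002#000000', '20130821155900.000001Z#000000#001#000000' ],
    ldap2 => [ '20130821160107.813479Z#000000#002#000000', '20130821155900.000001Z#000000#001#000000' ],
    ldap3 => [ '20130821160000.000000Z#000000#002#000000', '20130821155900.000001Z#000000#001#000000' ],
) unless @ARGV;
my @lag = find_lagging( \%replicas );
printf "sid %s: %s has %s, newest is %s\n", @$_ for @lag;
print "all contextCSN values in sync\n" unless @lag;
```

On the constructed sample the script reports only ldap3 for sid 002; a check like this will also flag the situation the post describes, where a replica's contextCSN for a sid is updated late even though the changes themselves have arrived.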
ldap replication getting lost
by val john
Hi guys, I'm running a simple LDAP replication setup.
The LDAP slave node sits behind the firewall and port 389 is open to all,
and my LDAP replication works fine most of the time (the slave node
gets updated in real time).
But sometimes the slave just stops getting updates from the master server.
But when I restart the slave LDAP server, replication starts again, as
follows:
  Aug 21 11:59:24 ldapmirror slapd[18107]: do_syncrep2: rid=004 cookie=rid=004,sid=002,csn=20130821160107.813479Z#000000#002#000000
  Aug 21 11:59:24 ldapmirror slapd[18107]: syncrepl_entry: rid=004 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_MODIFY)
  Aug 21 11:59:24 ldapmirror slapd[18107]: <= bdb_equality_candidates: (entryUUID) not indexed
  Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_search (0)
  Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 uid=user1,ou=staff,dc=example,dc=com
  Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000
  Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0xcc0a40 20130821160107.813479Z#000000#002#000000
  Aug 21 11:59:25 ldapmirror slapd[18107]: syncrepl_entry: rid=004 be_modify uid=user1,ou=staff,dc=example,dc=com (0)
  Aug 21 11:59:25 ldapmirror slapd[18107]: slap_queue_csn: queing 0xcc1060 20130821160107.813479Z#000000#002#000000
  Aug 21 11:59:25 ldapmirror slapd[18107]: slap_graduate_commit_csn: removing 0x1a55a70 20130821160107.813479Z#000000#002#000000
LDAP slave configuration:
  syncrepl rid=004
      provider=ldap://ldap.example.com
      bindmethod=simple
      binddn="cn=admin,ou=staff,dc=example,dc=com"
      credentials="passwd"
      searchbase="dc=example,dc=com"
      schemachecking=off
      type=refreshAndPersist
      retry="60 +"
  mirrormode on
Is there any reason for such behavior? Please advise.
Thank You
John
9 years, 8 months
Slapd High CPU usage on Solaris 9
by Luca Polidoro
Hello,
I am writing to submit a case that has been happening in the last 2 weeks in
our infrastructure. This is structured as follows:
1 provider: Solaris 9 SPARC - Sun Fire V490 - last OS patch level
CPU: 4-1500 Mhz
RAM: 32 GB
OpenLDAP version used: 2.4.23 with Berkeley DB 4.8.30 (with database bdb), all
64-bit
18 consumers: Solaris 9 SPARC - last OS patch level with different types of
features (CPU, RAM)
On the following consumers:
Consumer 1: Solaris 9 SPARC - Sun Fire 480R - last OS patch level
CPU: 4-900 Mhz
RAM: 8 GB
Consumer 2: Solaris 9 SPARC - Sun Fire 480R - last OS patch level
CPU: 4-1050 Mhz
RAM: 8 GB
Consumer 3: Solaris 9 SPARC - Sun Fire 480R - last OS patch level
CPU: 4-1050 Mhz
RAM: 8 GB
Consumer 4: Solaris 9 SPARC - Sun Fire V210 - last OS patch level
CPU: 2-1336 Mhz
RAM: 8 GB
we are noticing an increase in the CPU used by the slapd process. In fact,
the process is constantly between 85% and 95%, and becomes completely unusable,
and then we are forced to restart.
The LDAP has 1.000.000 objects.
This is the consumer's slapd.conf (I have omitted parts of the ACL, includes,
etc..):
# See slapd.conf(5) for details on configuration options.
# This file should NOT be world readable.
#
#
# VERSION v2 - Digital Tru64
#
allow bind_v2
Some include
...
#
# tuning parameters - START
# ------------------------------
#
conn_max_pending 1000
conn_max_pending_auth 1000
idletimeout 500
sizelimit unlimited
threads 8
timelimit 500
disallow bind_anon
#
# tuning parameters - END
# ----------------------------
#
...
#######################################################################
# bdb database definitions
#######################################################################
database bdb
suffix "xxxxxxxxxxxx"
rootdn "cn=root,ou=ldapusers,xxxxx"
directory /var/openldap-2.4.23_64/var/openldap-data
#####disallow limit for syncuser
limits dn.children="ou=syncusers,xxxx" size=unlimited
index objectClass,entryCSN,entryUUID eq
index ou eq,sub,subinitial,subany,subfinal
index uidOwner eq
index uid eq
index memberUid eq
#shm_key 1100
cachesize 1000000
cachefree 10000
dncachesize 1000000
idlcachesize 1000000
searchstack 16
checkpoint 1024 10
overlay ppolicy
ppolicy_default "cn=Standard,ou=Policies,xxxx"
ppolicy_use_lockout
############################SYNCREPL CONF
syncrepl rid=011
provider=ldap://xxxxxx
type=refreshAndPersist
interval=00:00:15:00
retry="15 10 120 +"
searchbase="xxxxx"
filter="(objectClass=*)"
attrs="*,+"
scope=sub
schemachecking=on
bindmethod=simple
binddn="xxxxxx"
credentials=xxxx
############################SYNCREPL CONF
These are the bdb files:
420M dn2id.bdb
30M entryCSN.bdb
32M entryUUID.bdb
1,4G id2entry.bdb
18M memberUid.bdb
4,9M objectClass.bdb
5,3M ou.bdb
17M uid.bdb
17M uidOwner.bdb
this is DB CONFIG:
-----------------------------------------------------------
##########################################
###########################################
#set_cachesize 0 300000000 10
#set_lg_regionmax 262144
#set_lg_bsize 2097152
###########################################
###########################################
# replaces lockdetect directive
#set_lk_detect DB_LOCK_EXPIRE
set_lk_detect DB_LOCK_DEFAULT
# uncomment if dbnosync required
#ADDED EVERYTHING
#set_flags DB_TXN_WRITE_NOSYNC
####ADDED
set_flags DB_LOG_AUTOREMOVE
# multiple set_flags directives allowed
# sets max log size = 5M (BDB default=10M)
set_lg_max 25242880
set_lg_dir /var/openldap-2.4.23_64/logs
set_cachesize 2 274726912 1
# sets a database cache of 5M and
# allows fragmentation
# does NOT replace slapd.conf cachesize
# this is a database parameter
#txn_checkpoint 128 15 0
# replaces checkpoint in slap.conf
# writes checkpoint if 128K written or every 15 mins
# 0 = no writes - no update
set_lk_max_locks 2500
set_lk_max_lockers 2500
set_lk_max_objects 2500
---------------------------------------------------
We have tried to change the number of threads bringing them to 16, we
lowered the parameters idletimeout and timelimit, but without result.
Appreciate your feedback.
Thanks,
Luca
9 years, 8 months
SyncRepl Chaining
by espeake@oreillyauto.com
I believe we are very close to our goal of a master/slave syncrepl
configuration. I have a master that through refreshAndPersist instantly
updates the slave servers. The issue I am having is passing on updates
to the master server for writing the updated information. This is the
error message I get.
ldap_modify: Strong(er) authentication required (8)
I have set up chaining in both the {-1}frontend database and the {1}hdb
database. My understanding of what I read in man slapd.conf is that any
attributes used in the {-1}frontend makes these global and I should not
need that setup anywhere else unless I need to override the settings for an
individual DB. TLS with OpenSSL is set up through the compiling of
OpenLDAP.
I am attaching the slapcat from my master. Any and all help is
appreciated.
(See attached file: config-20130819-master.ldif)
Thank you,
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
This communication and any attachments are confidential, protected by Communications Privacy Act 18 USCS § 2510, solely for the use of the intended recipient, and may contain legally privileged material. If you are not the intended recipient, please return or destroy it immediately. Thank you.
9 years, 8 months
overlay accesslog entrydn conflict problem (err=68)
by gottabogh
Hi all,
I have a problem with overlay accesslog.
Here is my overlay configuration:
overlay accesslog
logdb dc=log,dc=ciccio.it
logops all
logold (objectclass=inetOrgPerson)
logpurge 10+00:00 08:00
logsuccess FALSE
If I try: ldapwhoami -H ldap://myserver -D "uid=myuser,ou=People,dc=ciccio.it" -W
I obtain this in the log:
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1003 op=19 ADD dn="reqStart=20130826100104.000000Z,dc=log,dc=ciccio.it"
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1003 op=19 RESULT tag=105 err=0 text=
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1005 op=12 ADD dn="reqStart=20130826100104.000000Z,dc=log,dc=ciccio.it"
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1005 op=12 RESULT tag=105 err=68 text=
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1003 op=20 ADD dn="reqStart=20130826100104.000004Z,dc=log,dc=ciccio.it"
  Aug 26 12:01:04 myserver slapd-dblog[12708]: conn=1003 op=20 RESULT tag=105 err=0 text=
And those are the entries in the dblog:
# 20130826100104.000000Z, log.ciccio.it
dn: reqStart=20130826100104.000000Z,dc=log,dc=ciccio.it
objectClass: auditSearch
reqStart: 20130826100104.000000Z
reqEnd: 20130826100104.000001Z
reqType: search
reqSession: 1011
reqAuthzID: cn=Manager,dc=ciccio.it
reqDN: uid=myuser,ou=People,dc=ciccio.it
reqResult: 0
reqScope: base
reqDerefAliases: never
reqAttrsOnly: FALSE
reqFilter: (objectClass=groupOfNames)
reqAttr: member
reqEntries: 0
reqTimeLimit: -1
reqSizeLimit: 1
# 20130826100104.000004Z, log.ciccio.it
dn: reqStart=20130826100104.000004Z,dc=log,dc=ciccio.it
objectClass: auditObject
reqStart: 20130826100104.000004Z
reqEnd: 20130826100104.000005Z
reqType: unbind
reqSession: 1011
reqAuthzID: uid=myuser,ou=People,dc=ciccio.it
As you can see, there are a search and an unbind, but not the bind
operation.
I think that err=68 is because ldapwhoami is composed of search, bind,
unbind. Since the first two operations are executed at the same time and the
DN of a new entry is generated using reqStart, the bind operation gets
error 68 (LDAP_ALREADY_EXISTS).
How can I get around this problem? Can I modify the generation of the entry DN in
the dblog? For example, compose it in this way:
"reqStart=xxxx,reqType=yyyy,dc=log,dc=ciccio.it"
Thanks a lot,
Fabio.
9 years, 8 months
Fw: SyncRepl Chaining
by espeake@oreillyauto.com
Bumping.
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
----- Forwarded by Eric Speake/OReilly on 08/20/2013 07:39 AM -----
From: Eric Speake/OReilly
To: openldap-technical(a)openldap.org
Date: 08/19/2013 09:46 AM
Subject: SyncRepl Chaining
9 years, 8 months