openldap-technical September 2013

openldap-technical@openldap.org

72 participants
78 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

DIT for an academic institution
by Shali 9846303531 20 May '14

20 May '14

Dear All, I am new to these LDAP concepts , i have prepared a DIT for our organization with two academic institutions with each institution having different branches of study and also there is staff and students . i have attached the DIT , if am going through a wrong way kindly guide me. -- Thanks & Regards Shali.K.R Server Administrator

4 3

Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE 05 Nov '13

05 Nov '13

Hello, I'm trying to enable unique overlay to enforce uniqueness of uid and mail attributes with no luck. My server is debian 7 based with packaged slapd (2.4.31]. Here's the config for the unique overlay : DN: cn=module{1},cn=config objectClass: olcModuleList objectClass: olcConfig objectClass: top cn: module{1} olcModuleLoad: {0}memberof olcModuleLoad: {1}refint olcModuleLoad: {2}unique olcModulePath: /usr/lib/ldap DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config objectClass: olcUniqueConfig objectClass: olcOverlayConfig objectClass: olcConfig objectClass: top olcOverlay: {4}unique olcUniqueURI: ldap:///?mail?sub olcUniqueURI: ldap:///?uid?sub assuming the configuration is good, I've tried to create 2 entries : uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the same mail : test(a)mydomain.com => created without error. change mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works going back to test(a)mydomain.com => no error The first time, I've used the main administrative account. So I created a sub administrator account, changed the ACLs, fine. Deleted the two entries, recreated the two entries with the same mail without error. I've tried to put slapd in debug mode, the only ting I've noticed is : 51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com> 51f7df1e *unique_modify: administrative bypass, skipping* 51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com") 51f7df1e bdb_entry_get: rc=0 If someone has a clue... Rgds -- Philippe MARASSE Service Informatique - Centre Hospitalier Henri Laborit CS 10587 - 370 avenue Jacques Coeur 86021 Poitiers Cedex Tel : 05.49.44.57.19

4 13

another CSN too old N-WAY master
by Lanfeust troy 10 Oct '13

10 Oct '13

hi all, sometimes my server a not in sync. because server ignoring entry: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.266239Z#000000#002#000000 @(#) $OpenLDAP: slapd 2.4.33 (....) 4 server host1 and host 2: only one database c=fr ( contain an ou=apps-ext ) host3 and host 4: tow database: first ou=apps-ext (glued with c=fr ). writable by host1,2,3,4 second c=fr writable only by host1,2 ldap-int1 and ldap-int2 cn=config also into syncrepl mirrorMode ldap-ext1 and ldap-ext2 cn=config also into syncrepl mirrorMode Configuration: grep serverID /etc/openldap/slapd.d/* /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 1 ldaps://ldap-int1.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 2 ldaps://ldap-int2.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 3 ldaps:// ldap-ext1.vlandata.dom.fr /etc/openldap/slapd.d/cn=config.ldif:olcServerID: 4 ldaps:// ldap-ext2.vlandata.dom.fr syncrepl: ldap-int1 and ldap-int2 cn=config also into syncrepl olcSyncrepl: {0}rid=101 provider=ldaps://ldap-int1.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 olcSyncrepl: {1}rid=102 provider=ldaps://ldap-int2.cdoms.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1 olcSyncrepl: {2}rid=103 provider=ldaps://ldap-ext2.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XX XXXX tls_reqcert=never searchbase="o=apps-ext,c=fr" type=refreshAndPersist r etry="5 5 300 +" timeout=1 olcSyncrepl: {3}rid=104 provider=ldaps://ldap-ext1.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 syncrepl host3 and host4: database apps-ext: olcSyncrepl: {0}rid=303 provider=ldaps://ldap-ext1.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 olcSyncrepl: {1}rid=304 provider=ldaps://ldap-ext2.vlandata.dom.frbinddn="uid =syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXX XXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist r etry="5 5 300 +" timeout=1 database c=fr: olcSyncrepl: {0}rid=201 provider=ldaps://ldap-int1.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX sea rchbase="c=fr" tls_reqcert=never type=refreshOnly interval=00:00:00:10 retry= "5 5 300 +" timeout=1 olcSyncrepl: {1}rid=202 provider=ldaps://ldap-int2.dom.frbinddn="uid=syncrepl ,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXX tls _reqcert=never searchbase="c=fr" type=refreshOnly interval=00:00:00:10 retry= "5 5 300 +" timeout=1 log message into ldap-int1: ep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923081114.470856Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923090023.733719Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_queue_csn: queing 0x7f3787471a90 20130923090023.733719Z#000000#002#000000 Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37873baa10 20130923090023.733719Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: syncprov_matchops: skipping original sid 002 Sep 23 09:00:27 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37803e9320 20130923090023.225026Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: syncrepl_entry: rid=102 be_add cn=502257-dt-global-gridded-adt-ref,ou=affectations,ou=console,o=apps,c=fr (0) Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.266239Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.266239Z#000000#002#000000 (cn=502257-dt-med-gridded-sla-ref,ou=affectations,ou=console,o=apps,c=fr) Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.278474Z#000000#002#000000 Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.278474Z#000000#002#000000 (cn=502257-dt-blacksea-alongtrack-sla-ref,ou=affectations,ou=console,o=apps,c=fr) time sync host1 ntpq> lpeers remote refid st t when poll reach delay offset jitter ============================================================================== *date.dom.fr 145.238.203.10 3 u 676 1024 377 1.592 0.284 0.018 +date2.dom.fr 145.238.203.10 3 u 295 1024 377 2.681 -0.410 0.326 host2 ntpq> lpeers remote refid st t when poll reach delay offset jitter ============================================================================== *date.dom.fr 145.238.203.10 3 u 954 1024 377 1.028 1.012 0.343 +date2.dom.fr 145.238.203.10 3 u 413 1024 377 2.171 0.098 0.606 does somebody see what is wrong . thanks

6 14

OpenLDAP duplication
by 25Dollar Tech 30 Sep '13

30 Sep '13

Hello Team, I just want to know the below According to my understanding, LDAP authenticates (binds) with DN (distinguish name) and password. E.g. CN=bob, OU=Users,DC=test,DC=com. So OpenLDAP allows the same CN in a different OU. Is there any option to prevent it. ? -- *Thanks & Regards, 25dollarTech Team https://sites.google.com/site/25dollartech/* *Email: 25dollartechhelp(a)gmail.com*

4 3

ldapsearch: wildcard search do not list all entries
by Birgit Ohlenbusch 30 Sep '13

30 Sep '13

Hello, I had a curious problem with ldapsearch: A wildcard search like ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs*' uid lists only three entries: dn: uid=xyzzs146,ou=Accounts,xx uid: xyzzs146 dn: uid=xyzzs147,ou=Accounts,xx uid: xyzzs147 dn: uid=xyzzs148,ou=Accounts,xx uid: xyzzs148 though there exists more, which can be displayed with ldapsearch not specifying a filter or by specifying the object exactly like ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs020' uid Reindexing with slapindex solved the problem, ldapsearch with uid='xyzzs*' shows all those entries, not only three. But I'm afraid that this happens again. Can you tell me how somethink like this can happen and how I can prevent such a situation? The slapd is running on a RHLE 6.4 server, using a hdb database. We indexed olcDbIndex: objectClass pres,eq olcDbIndex: entryUUID eq olcDbIndex: entryCSN eq olcDbIndex: cn pres,eq olcDbIndex: uidNumber pres,eq olcDbIndex: gidNumber pres,eq olcDbIndex: CAUmailHost pres,eq olcDbIndex: memberUid pres,eq olcDbIndex: ou eq olcDbIndex: uniqueMember pres,eq olcDbIndex: uid pres,eq,sub Thanks in advance for your help Birgit

3 5

Kudos to all who contributed to MDB
by Brent Bice 30 Sep '13

30 Sep '13

I've started testing an LDAP server here using MDB and ran across a few caveats that might be of use to others looking into using it. But first off, let me say a hearty THANKS to anyone who's contributed to it. In this first OpenLDAP server I've converted over to MDB it's *dramatically* faster and it's definitely nice to not worry about having to setup script/s to occasionally (carefully) commit/flush DB logs, etc. One caveat that might be worth mentioning in release notes somewhere... Not all implementations of memory mapped I/O are created equal. I ran into this a long time back when I wrote a multi-threaded quicksort program for a friend to had to sort text files bigger than 10 gigs and didn't want to wait for the unix sort command. :-) The program I banged together for him used memory mapped I/O and one of the things I found was that while Solaris would let me memory map a file bigger than I had physical or virtual memory for, linux wouldn't. It appeared that some versions of the 2.x kernels wouldn't let me memory-map a file bigger than the total *virtual* memory size, and I think MDB is running into the same limitation. On a SLES11 system, for instance with the 2.6.32.12 kernel, I can't specify a maxsize bigger than the total of my physical memory and swap space. So just something to keep in mind if you're using MDB on the 2.x kernels - you may need a big swap area even though the memory mapped I/O routines in the kernel seem to be smart enough to avoid swapping like mad. On a newish ubuntu system with a 3.5 kernel this doesn't seem to be an issue - tell OpenLDAP to use whatever maxsize you want and it just works. :-) I'd also only use MDB on a 64 bit linux system. One of the other headaches I remember running into with memory mapped I/O was adding in support for 64 bit I/O on 32 bit systems. Best to avoid that whole mess and just use a 64 bit OS in the first place. Lastly... At the risk of making Howard and Quanah cringe... :-) The OpenLDAP DB I've been testing this with is the back-end to an email tracking tool I setup several years ago. More as an excuse to edjimicate myself on the java API for LDAP than anything else, I wrote a quick bit of java that watches postfix and sendmail logs and writes pertinent bits of info into an LDAP database, and a few PHP scripts to then query that database for things like to/from addresses, queue IDs, and message IDs. 'Makes it easy for junior admins to quickly search through gigabytes of logs to see what path an email took to get from point A to point B, who all received it (after it went through one or more list servers and a few aliases got de-ref'd, etc). Yeah, it's an utter abuse of LDAP which is supposed to be write-rarely and read-mostly, especially as our postfix relays handle anywhere from 1 to 10 messages per second on average. :-) But what the heck, it works fine and was a fun weekend project. It's also served as a way to stress-test new versions of OpenLDAP before I deploy them elsewhere. :-) Anyway, thanks again to everyone who contributed to MDB. It's lots faster than BerkeleyDB in all of my testing so far. 'Looking forward to gradually shifting more of my LDAP servers over to it. Brent

4 6

building SLES packages on openSuSE Build Service
by Marc Patermann 30 Sep '13

30 Sep '13

Hi, I used to build newer versions of openldap on openSuSE Build Service derived from the ones at network:ldap (from Ralf Haferkamp; which is stuck at .33). I did this for 2.4.33, .34 and .35. When I tried to build 2.4.36 something changed (at the build service?) and now my builds - even the older ones, which built fine before - fail with the following errors: [ 399s] E: openldap2 64bit-portability-issue dn2id.c:738 [ 399s] E: openldap2 64bit-portability-issue id2entry.c:123 What may have caused this? Marc

2 1

Re: separate login/password for several services?
by Andrew Findlay 30 Sep '13

30 Sep '13

On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote: > To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk> Please keep replies on the list so that they become searchable and everyone can benefit. > here is the diagram depicting what I am thinking about while talking :) > > https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png > I dedicate these DN-s for services, so each such DN *can and supposed to* > use any (in theory) uid in the entry, the user can ask for Do you reall want every user account on every service to have a different username? (i.e. the user cannot request to be known as 'fred' on both the SMTP service and the IMAP service? > in particular, I do not see another way to authenticate users of > different domains(for email)/realms(for xmpp) against the same LDAP DB That depends on how you provide the services. If the network address of the services used by domain-A users is different from that used by domain-B users then the server processes will know which domain they are serving. If the same network address is used to serve all domains then you do indeed require the uids to be unique across domains (but you probably do want to let fred(a)x.y.com use that ID for all services). > > It may be enough for you to simply prevent the non-uniqueness. You can > > do that using the 'unique' overlay: > > mmm ... will not it prevent non-uniqueness only for parent DN-s? while > what I'm trying to ask (I'm sorry for muddled up explanation what I mean) > about is - uniqueness for the uid *in* the entry ... so, the uniqueness > of the attribute `uid' among all DN-s containing authorizedService=target-service You could do that if you are prepared to have one config line for each service. Something like: overlay unique unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP) unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP) unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3) unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP) unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH) Andrew -- ----------------------------------------------------------------------- | From Andrew Findlay, Skills 1st Ltd | | Consultant in large-scale systems, networks, and directory services | | http://www.skills-1st.co.uk/ +44 1628 782565 | -----------------------------------------------------------------------

3 7

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical September 2013