Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50.
This is my example. Line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Callback invoked by search() for every entry received (and once more
# with $entry undefined when the result is complete)
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # asref => 1 returns every value of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # release the entry once it has been printed
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV requires a server-side sort control on the same search
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,          # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control
# >>> line 50 of vlv.pl: the bare "die" here is what prints "Died at vlv.pl line 50"
#     when the server returns no VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
6 years, 12 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
7 years, 11 months
DIT for an academic institution
by Shali 9846303531
Dear All,
I am new to these LDAP concepts. I have prepared a DIT for our
organization, with two academic institutions, each institution having
different branches of study, and there are also staff and students. I have
attached the DIT; if I am going about it the wrong way, kindly guide me.
--
Thanks & Regards
Shali.K.R
Server Administrator
9 years
Unique overlay not working, where is the misconfiguration ? [Debian 7 - 2.4.31]
by Philippe MARASSE
Hello,
I'm trying to enable the unique overlay to enforce uniqueness of the uid and mail attributes,
with no luck. My server is Debian 7 based with packaged slapd (2.4.31). Here's the config
for the unique overlay:
DN: cn=module{1},cn=config
objectClass: olcModuleList
objectClass: olcConfig
objectClass: top
cn: module{1}
olcModuleLoad: {0}memberof
olcModuleLoad: {1}refint
olcModuleLoad: {2}unique
olcModulePath: /usr/lib/ldap
DN: olcOverlay={4}unique,olcDatabase={1}hdb,cn=config
objectClass: olcUniqueConfig
objectClass: olcOverlayConfig
objectClass: olcConfig
objectClass: top
olcOverlay: {4}unique
olcUniqueURI: ldap:///?mail?sub
olcUniqueURI: ldap:///?uid?sub
Assuming the configuration is good, I've tried to create 2 entries:
uid=test,ou=people,dc=mydomain,dc=com and uid=test2,ou=people,dc=mydomain,dc=com with the
same mail: test(a)mydomain.com => created without error.
Changing the mail to test2(a)mydomain.com on entry uid=test2,ou=people,dc=mydomain,dc=com works;
going back to test(a)mydomain.com => no error.
The first time, I used the main administrative account. So I created a sub-administrator
account and changed the ACLs; fine. I deleted the two entries and recreated them with the
same mail, without error.
I've tried to put slapd in debug mode; the only thing I've noticed is:
51f7df1e >>> dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e <<< dnPrettyNormal: <uid=test2,ou=people,dc=mydomain,dc=com>, <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e ==> unique_modify <uid=test2,ou=people,dc=mydomain,dc=com>
51f7df1e unique_modify: administrative bypass, skipping
51f7df1e bdb_dn2entry("uid=test2,ou=people,dc=mydomain,dc=com")
51f7df1e bdb_entry_get: rc=0
If someone has a clue...
Rgds
--
Philippe MARASSE
Service Informatique - Centre Hospitalier Henri Laborit
CS 10587 - 370 avenue Jacques Coeur
86021 Poitiers Cedex
Tel : 05.49.44.57.19
9 years, 6 months
another CSN too old N-WAY master
by Lanfeust troy
hi all,
Sometimes my servers are not in sync, because a server is ignoring entries:
do_syncrep2: rid=102 CSN too old, ignoring
20130923090023.266239Z#000000#002#000000
@(#) $OpenLDAP: slapd 2.4.33 (....)
4 servers
host1 and host2: only one database c=fr (contains an ou=apps-ext)
host3 and host4: two databases:
first ou=apps-ext (glued with c=fr), writable by host1,2,3,4
second c=fr, writable only by host1,2
ldap-int1 and ldap-int2 cn=config also into syncrepl mirrorMode
ldap-ext1 and ldap-ext2 cn=config also into syncrepl mirrorMode
Configuration:
grep serverID /etc/openldap/slapd.d/*
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 1 ldaps://ldap-int1.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 2 ldaps://ldap-int2.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 3 ldaps://ldap-ext1.vlandata.dom.fr
/etc/openldap/slapd.d/cn=config.ldif:olcServerID: 4 ldaps://ldap-ext2.vlandata.dom.fr
syncrepl:
ldap-int1 and ldap-int2 cn=config also into syncrepl
olcSyncrepl: {0}rid=101 provider=ldaps://ldap-int1.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=102 provider=ldaps://ldap-int2.cdoms.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshAndPersist interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {2}rid=103 provider=ldaps://ldap-ext2.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX tls_reqcert=never searchbase="o=apps-ext,c=fr" type=refreshAndPersist retry="5 5 300 +" timeout=1
olcSyncrepl: {3}rid=104 provider=ldaps://ldap-ext1.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
syncrepl host3 and host4:
database apps-ext:
olcSyncrepl: {0}rid=303 provider=ldaps://ldap-ext1.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=304 provider=ldaps://ldap-ext2.vlandata.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="o=apps-ext,c=fr" tls_reqcert=never type=refreshAndPersist retry="5 5 300 +" timeout=1
database c=fr:
olcSyncrepl: {0}rid=201 provider=ldaps://ldap-int1.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXXX searchbase="c=fr" tls_reqcert=never type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
olcSyncrepl: {1}rid=202 provider=ldaps://ldap-int2.dom.fr binddn="uid=syncrepl,ou=system,ou=dom,o=domgroup,c=fr" bindmethod=simple credentials=XXXXX tls_reqcert=never searchbase="c=fr" type=refreshOnly interval=00:00:00:10 retry="5 5 300 +" timeout=1
log message into ldap-int1:
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923081114.470856Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 LDAP_RES_INTERMEDIATE - NEW_COOKIE
Sep 23 09:00:26 ldap-int1 slapd[30481]: do_syncrep2: rid=104 NEW_COOKIE: rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;20130920094938.821063Z#000000#001#000000;20130923090023.733719Z#000000#002#000000;20130920094950.036431Z#000000#003#000000;20130912174047.679980Z#000000#004#000000;20130304131428.455916Z#000000#00b#000000;20130304125618.164164Z#000000#00c#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_queue_csn: queing 0x7f3787471a90 20130923090023.733719Z#000000#002#000000
Sep 23 09:00:26 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37873baa10 20130923090023.733719Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: syncprov_matchops: skipping original sid 002
Sep 23 09:00:27 ldap-int1 slapd[30481]: slap_graduate_commit_csn: removing 0x7f37803e9320 20130923090023.225026Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: syncrepl_entry: rid=102 be_add cn=502257-dt-global-gridded-adt-ref,ou=affectations,ou=console,o=apps,c=fr (0)
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.266239Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.266239Z#000000#002#000000 (cn=502257-dt-med-gridded-sla-ref,ou=affectations,ou=console,o=apps,c=fr)
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 cookie=rid=102,sid=002,csn=20130923090023.278474Z#000000#002#000000
Sep 23 09:00:27 ldap-int1 slapd[30481]: do_syncrep2: rid=102 CSN too old, ignoring 20130923090023.278474Z#000000#002#000000 (cn=502257-dt-blacksea-alongtrack-sla-ref,ou=affectations,ou=console,o=apps,c=fr)
time sync
host1
ntpq> lpeers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*date.dom.fr     145.238.203.10   3 u  676 1024  377    1.592    0.284   0.018
+date2.dom.fr    145.238.203.10   3 u  295 1024  377    2.681   -0.410   0.326
host2
ntpq> lpeers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*date.dom.fr     145.238.203.10   3 u  954 1024  377    1.028    1.012   0.343
+date2.dom.fr    145.238.203.10   3 u  413 1024  377    2.171    0.098   0.606
Does somebody see what is wrong?
thanks
9 years, 7 months
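What the ldap-int1 log above shows is a consumer comparing each incoming entry's CSN with the newest CSN it already holds for that entry's serverID (the sid field of the CSN): ldap-int1 had just taken a NEW_COOKIE via rid=104 (the feed from ldap-ext1, sid 003) whose sid 002 component was already at 20130923090023.733719Z, so the two sid 002 entries that rid=102 then delivered, stamped .266239Z and .278474Z, compared as older and were ignored. The Python below is an added example and not slapd's code: it parses CSNs and syncrepl cookies and replays that comparison on the values quoted from the log, so the same check can be run against any cookie/entry pair pulled from a log.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable

# CSN syntax: YYYYmmddHHMMSS.uuuuuuZ#count#sid#mod, the three counters in hex
CSN_RE = re.compile(
    r"^(?P<time>\d{14}\.\d{6})Z#(?P<count>[0-9a-f]{6})#(?P<sid>[0-9a-f]{3})#(?P<mod>[0-9a-f]{6})$"
)


@dataclass(frozen=True, order=True)
class CSN:
    """Field order matters: the dataclass ordering compares time, then
    count, then sid, then mod, which is the order the CSN string sorts in."""
    time: str    # fixed-width UTC timestamp, so string order is time order
    count: int   # change counter within the same microsecond
    sid: int     # serverID of the server where the change originated
    mod: int     # modifier number

    @classmethod
    def parse(cls, text: str) -> "CSN":
        m = CSN_RE.match(text.strip())
        if not m:
            raise ValueError(f"not a CSN: {text!r}")
        return cls(m["time"], int(m["count"], 16), int(m["sid"], 16), int(m["mod"], 16))


def parse_cookie(cookie: str) -> Dict[int, CSN]:
    """'rid=104,sid=003,csn=a;b;c' -> {sid: CSN} for every CSN in the cookie."""
    fields = dict(part.split("=", 1) for part in cookie.split(",", 2))
    csns = [CSN.parse(c) for c in fields["csn"].split(";") if c]
    return {c.sid: c for c in csns}


def is_too_old(entry_csn: CSN, known: Dict[int, CSN]) -> bool:
    """The consumer drops an entry whose CSN is not newer than the CSN it
    already holds for the same sid: that is the 'CSN too old' case."""
    have = known.get(entry_csn.sid)
    return have is not None and entry_csn <= have


def triage(cookie: str, entry_csns: Iterable[str]) -> Dict[str, str]:
    """Map each incoming entry CSN to 'applied' or 'too old' against a cookie."""
    known = parse_cookie(cookie)
    return {c: ("too old" if is_too_old(CSN.parse(c), known) else "applied")
            for c in entry_csns}


# Values quoted from the ldap-int1 log above: the second NEW_COOKIE that
# arrived via rid=104, then the two sid 002 entries that rid=102 delivered.
NEW_COOKIE = ("rid=104,sid=003,csn=20130304121522.188962Z#000000#000#000000;"
              "20130920094938.821063Z#000000#001#000000;"
              "20130923090023.733719Z#000000#002#000000;"
              "20130920094950.036431Z#000000#003#000000;"
              "20130912174047.679980Z#000000#004#000000;"
              "20130304131428.455916Z#000000#00b#000000;"
              "20130304125618.164164Z#000000#00c#000000")
RID102_ENTRIES = ["20130923090023.266239Z#000000#002#000000",
                  "20130923090023.278474Z#000000#002#000000"]

if __name__ == "__main__":
    for csn, verdict in triage(NEW_COOKIE, RID102_ENTRIES).items():
        print(verdict, csn)
```

The comparison is per sid: an entry from a server whose sid is absent from the cookie is never "too old", and one with the same timestamp but a higher change counter is accepted.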
OpenLDAP duplication
by 25Dollar Tech
Hello Team,
I just want to know the below
According to my understanding, LDAP authenticates (binds) with a DN
(distinguished name) and password, e.g. CN=bob,OU=Users,DC=test,DC=com.
So OpenLDAP allows the same CN in a different OU.
Is there any option to prevent it?
--
Thanks & Regards,
25dollarTech Team
https://sites.google.com/site/25dollartech/
Email: 25dollartechhelp(a)gmail.com
9 years, 8 months
ldapsearch: wildcard search do not list all entries
by Birgit Ohlenbusch
Hello,
I had a curious problem with ldapsearch:
A wildcard search like
ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs*' uid
lists only three entries:
dn: uid=xyzzs146,ou=Accounts,xx
uid: xyzzs146
dn: uid=xyzzs147,ou=Accounts,xx
uid: xyzzs147
dn: uid=xyzzs148,ou=Accounts,xx
uid: xyzzs148
though more exist, which can be displayed with ldapsearch without specifying a filter, or by specifying the object
exactly, like
ldapsearch -LLL -Wx -h myldap -D cn=xx -b dc=xx -b "ou=Accounts,xx" uid='xyzzs020' uid
Reindexing with slapindex solved the problem, ldapsearch with uid='xyzzs*' shows all those entries, not only three.
But I'm afraid that this will happen again. Can you tell me how something like this can happen and how I can prevent such a
situation?
The slapd is running on a RHEL 6.4 server, using an hdb database.
We indexed
olcDbIndex: objectClass pres,eq
olcDbIndex: entryUUID eq
olcDbIndex: entryCSN eq
olcDbIndex: cn pres,eq
olcDbIndex: uidNumber pres,eq
olcDbIndex: gidNumber pres,eq
olcDbIndex: CAUmailHost pres,eq
olcDbIndex: memberUid pres,eq
olcDbIndex: ou eq
olcDbIndex: uniqueMember pres,eq
olcDbIndex: uid pres,eq,sub
Thanks in advance for your help
Birgit
9 years, 8 months
Kudos to all who contributed to MDB
by Brent Bice
I've started testing an LDAP server here using MDB and ran across a
few caveats that might be of use to others looking into using it. But
first off, let me say a hearty THANKS to anyone who's contributed to it.
In this first OpenLDAP server I've converted over to MDB it's
*dramatically* faster and it's definitely nice to not worry about having
to set up scripts to occasionally (carefully) commit/flush DB logs, etc.
One caveat that might be worth mentioning in release notes
somewhere... Not all implementations of memory mapped I/O are created
equal. I ran into this a long time back when I wrote a multi-threaded
quicksort program for a friend who had to sort text files bigger than 10
gigs and didn't want to wait for the unix sort command. :-) The program
I banged together for him used memory mapped I/O and one of the things I
found was that while Solaris would let me memory map a file bigger than
I had physical or virtual memory for, linux wouldn't. It appeared that
some versions of the 2.x kernels wouldn't let me memory-map a file
bigger than the total *virtual* memory size, and I think MDB is running
into the same limitation. On a SLES11 system, for instance with the
2.6.32.12 kernel, I can't specify a maxsize bigger than the total of my
physical memory and swap space. So just something to keep in mind if
you're using MDB on the 2.x kernels - you may need a big swap area even
though the memory mapped I/O routines in the kernel seem to be smart
enough to avoid swapping like mad.
On a newish ubuntu system with a 3.5 kernel this doesn't seem to be
an issue - tell OpenLDAP to use whatever maxsize you want and it just
works. :-)
I'd also only use MDB on a 64 bit linux system. One of the other
headaches I remember running into with memory mapped I/O was adding in
support for 64 bit I/O on 32 bit systems. Best to avoid that whole mess
and just use a 64 bit OS in the first place.
Lastly... At the risk of making Howard and Quanah cringe... :-) The
OpenLDAP DB I've been testing this with is the back-end to an email
tracking tool I set up several years ago. More as an excuse to
edjimicate myself on the java API for LDAP than anything else, I wrote a
quick bit of java that watches postfix and sendmail logs and writes
pertinent bits of info into an LDAP database, and a few PHP scripts to
then query that database for things like to/from addresses, queue IDs,
and message IDs. 'Makes it easy for junior admins to quickly search
through gigabytes of logs to see what path an email took to get from
point A to point B, who all received it (after it went through one or
more list servers and a few aliases got de-ref'd, etc).
Yeah, it's an utter abuse of LDAP which is supposed to be
write-rarely and read-mostly, especially as our postfix relays handle
anywhere from 1 to 10 messages per second on average. :-) But what the
heck, it works fine and was a fun weekend project. It's also served as
a way to stress-test new versions of OpenLDAP before I deploy them
elsewhere. :-)
Anyway, thanks again to everyone who contributed to MDB. It's lots
faster than BerkeleyDB in all of my testing so far. 'Looking forward to
gradually shifting more of my LDAP servers over to it.
Brent
9 years, 8 months
building SLES packages on openSuSE Build Service
by Marc Patermann
Hi,
I used to build newer versions of openldap on openSuSE Build Service
derived from the ones at network:ldap (from Ralf Haferkamp; which is
stuck at .33). I did this for 2.4.33, .34 and .35.
When I tried to build 2.4.36 something changed (at the build service?)
and now my builds - even the older ones, which built fine before - fail
with the following errors:
[ 399s] E: openldap2 64bit-portability-issue dn2id.c:738
[ 399s] E: openldap2 64bit-portability-issue id2entry.c:123
What may have caused this?
Marc
9 years, 8 months
Re: separate login/password for several services?
by Andrew Findlay
On Fri, Aug 09, 2013 at 05:53:57PM +0300, Zeus Panchenko wrote:
> To: Andrew Findlay <andrew.findlay(a)skills-1st.co.uk>
Please keep replies on the list so that they become searchable
and everyone can benefit.
> here is the diagram depicting what I am thinking about while talking :)
>
> https://www.dropbox.com/s/212kdpbiug9obkc/org-ldap-diagram-plane.png
> I dedicate these DN-s for services, so each such DN *can and supposed to*
> use any (in theory) uid in the entry, the user can ask for
Do you really want every user account on every service to have a
different username? (i.e. the user cannot request to be known as
'fred' on both the SMTP service and the IMAP service?)
> in particular, I do not see another way to authenticate users of
> different domains(for email)/realms(for xmpp) against the same LDAP DB
That depends on how you provide the services. If the network address
of the services used by domain-A users is different from that used by
domain-B users then the server processes will know which domain they
are serving. If the same network address is used to serve all domains
then you do indeed require the uids to be unique across domains (but
you probably do want to let fred(a)x.y.com use that ID for all
services).
> > It may be enough for you to simply prevent the non-uniqueness. You can
> > do that using the 'unique' overlay:
>
> mmm ... will not it prevent non-uniqueness only for parent DN-s? while
> what I'm trying to ask (I'm sorry for muddled up explanation what I mean)
> about is - uniqueness for the uid *in* the entry ... so, the uniqueness
> of the attribute `uid' among all DN-s containing authorizedService=target-service
You could do that if you are prepared to have one config line for each
service. Something like:
overlay unique
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=IMAP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=POP3)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=XMPP)
unique_uri ldap:///ou=People,dc=org?uid?sub?(authorizedService=SSH)
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
9 years, 8 months
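Two threads above, the olcUniqueURI configuration that appeared to be ignored and the per-service unique_uri lines in this reply, both turn on how a uniqueness URI is read: base DN, attribute list, scope and an optional filter. The Python below is an added example, not slapo-unique's code. It parses the ldap:///base?attrs?scope?filter form (local database only, equality filters only, as in the URIs quoted on this page) and checks a proposed add or modify against an in-memory directory of constructed entries, applying the filter to the existing entries it searches, which is the reading given in this reply. The `bypass` flag stands in for the identity-based skip reported by the "administrative bypass, skipping" debug line in the earlier thread; the overlay's own rule for when that skip applies is not modelled beyond the flag.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import unquote

Entry = Dict[str, List[str]]   # attribute name -> values


def _norm(dn: str) -> str:
    """Cheap DN normalisation for constructed data: lower-case, no blanks after commas."""
    return ",".join(p.strip() for p in dn.lower().split(",")) if dn else ""


@dataclass
class UniqueURI:
    base: str                              # '' = whole database, as in ldap:///?mail?sub
    attrs: List[str]
    scope: str                             # base | one | sub
    filter: Optional[Tuple[str, str]]      # (attr, value) equality filter, or None


def parse_unique_uri(uri: str) -> UniqueURI:
    """Parse ldap:///[base]?[attrs]?[scope]?[filter] (RFC 4516 subset)."""
    prefix = "ldap:///"
    if not uri.startswith(prefix):
        raise ValueError("only ldap:/// URIs (the local database) are modelled")
    parts = uri[len(prefix):].split("?")
    parts += [""] * (4 - len(parts))
    base, attrs, scope, flt = (unquote(p) for p in parts[:4])
    attr_list = [a.strip().lower() for a in attrs.split(",") if a.strip()]
    if not attr_list:
        raise ValueError("a unique URI must name at least one attribute")
    scope = (scope or "base").lower()                  # RFC 4516 default when omitted
    if scope not in ("base", "one", "sub"):
        raise ValueError(f"unsupported scope {scope!r}")
    filt = None
    if flt:
        name, sep, value = flt.strip().strip("()").partition("=")
        if not sep:
            raise ValueError("only (attr=value) filters are modelled")
        filt = (name.strip().lower(), value.strip())
    return UniqueURI(_norm(base), attr_list, scope, filt)


def in_scope(dn: str, base: str, scope: str) -> bool:
    dn, base = _norm(dn), _norm(base)
    if base == "":                      # empty base: every entry in the database
        return True
    if scope == "base":
        return dn == base
    if not dn.endswith("," + base):
        return False
    rdns_below = dn[: -len(base) - 1]
    return scope == "sub" or "," not in rdns_below    # one: exactly one RDN below base


def find_conflict(directory: Dict[str, Entry], uris: List[UniqueURI],
                  target_dn: str, new_values: Entry, bypass: bool = False):
    """Return (uri, conflicting_dn, attr, value) for the first existing entry
    that would share a value with target_dn under some URI, else None.
    bypass=True models the skip reported as 'administrative bypass': no check at all."""
    if bypass:
        return None
    new_values = {k.lower(): v for k, v in new_values.items()}
    for uri in uris:
        for attr in uri.attrs:
            for value in new_values.get(attr, []):
                for dn, raw in directory.items():
                    entry = {k.lower(): v for k, v in raw.items()}
                    if _norm(dn) == _norm(target_dn):
                        continue                     # an entry never conflicts with itself
                    if not in_scope(dn, uri.base, uri.scope):
                        continue
                    if uri.filter and uri.filter[1] not in entry.get(uri.filter[0], []):
                        continue                     # the filter limits which entries are searched
                    if value in entry.get(attr, []):
                        return uri, dn, attr, value
    return None


# Constructed directory content for the checks below.
DIRECTORY = {
    "uid=test,ou=people,dc=mydomain,dc=com": {"uid": ["test"], "mail": ["test@mydomain.com"]},
    "uid=fred,ou=People,dc=org": {"uid": ["fred"], "authorizedService": ["SMTP"]},
    "uid=fred,ou=Service,dc=org": {"uid": ["fred"], "authorizedService": ["SMTP"]},
}
MAIL_UID_URIS = [parse_unique_uri("ldap:///?mail?sub"), parse_unique_uri("ldap:///?uid?sub")]
SMTP_URI = parse_unique_uri("ldap:///ou=People,dc=org?uid?sub?(authorizedService=SMTP)")

if __name__ == "__main__":
    print(find_conflict(DIRECTORY, MAIL_UID_URIS, "uid=test2,ou=people,dc=mydomain,dc=com",
                        {"uid": ["test2"], "mail": ["test@mydomain.com"]}))
    print(find_conflict(DIRECTORY, [SMTP_URI], "uid=bob,ou=People,dc=org",
                        {"uid": ["fred"], "authorizedService": ["SMTP"]}))
```

Running it shows the two behaviours the threads describe: with the mail/uid URIs the second entry carrying test@mydomain.com is reported as a conflict unless `bypass` is set, and with the per-service URI a second uid of fred under ou=People,dc=org conflicts only with an entry that carries authorizedService=SMTP and sits inside the URI's base.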