Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once per entry as the search result arrives
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # free the entry so a large result does not pile up in memory
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "cannot connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV requires a server-side sort order; cn is used here
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );

my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,    # Call this sub for each entry
    control  => [ $sort, $vlv ],
);

my $mesg = $ldap->search(@args);
# Check the search result before looking for the control; a failed search
# (or a server that does not support VLV) returns no VLV response control
$mesg->code and die "search failed: " . $mesg->error;
# Get VLV response control (this is the line that died in the original script)
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
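Added example (mine, not code from the post or from Net::LDAP): a Python model of what the server does with the VLV requests the script above sends. The Sort control on cn gives the list its order; VLV then returns a window of before/after entries around a target chosen either by offset or by an assertion value. The 40-entry directory (cn values A01..D10), the VlvRequest field names and the scroll_page/last_page helpers are constructed for this example; the helpers are assumed to mirror what the module's scroll_page and end methods do and are not its code. The model also covers the case of an assertion value past the end of the list and of a client content count that no longer matches the server's.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed directory: cn values already in server sort order (A01..D10, 40 entries).
SORTED_CN = [f"{letter}{i:02d}" for letter in "ABCD" for i in range(1, 11)]


@dataclass
class VlvRequest:
    before: int                        # beforeCount: entries wanted before the target
    after: int                         # afterCount: entries wanted after the target
    offset: int = 1                    # byOffset.offset, 1-based
    content: int = 0                   # contentCount as the client last saw it (0 = unknown)
    assert_value: Optional[str] = None  # greaterThanOrEqual target; overrides offset


def vlv_page(keys: List[str], req: VlvRequest) -> Tuple[int, int, List[str]]:
    """Return (targetPosition, contentCount, page) the way a VLV server would.

    Simplified model of the VLV draft (draft-ietf-ldapext-ldapv3-vlv):
      * greaterThanOrEqual: target is the first entry whose sort key >= the assertion;
        if nothing matches, the target is contentCount + 1 and only 'before' entries return.
      * byOffset: the offset is used as-is when the client's contentCount is 0 or equals
        the server's count; otherwise it is scaled as offset * serverCount / clientCount.
      * The page is entries [target - before, target + after], clipped to the list.
    """
    n = len(keys)
    if req.assert_value is not None:
        target = next((i + 1 for i, k in enumerate(keys) if k >= req.assert_value), n + 1)
    elif req.content in (0, n):
        target = req.offset
    else:
        target = round(req.offset * n / req.content)
    target = max(1, min(target, n + 1))
    first = max(1, target - req.before)
    last = min(n, target + req.after)
    return target, n, keys[first - 1:last]


def scroll_page(req: VlvRequest, pages: int, content: int) -> VlvRequest:
    """Move the window by whole pages (before + after + 1 entries), clamped to the list.

    Assumed to mirror Net::LDAP::Control::VLV->scroll_page; not the module's code.
    """
    size = req.before + req.after + 1
    offset = min(max(1, req.offset + pages * size), content)
    return VlvRequest(req.before, req.after, offset, content)


def last_page(req: VlvRequest, content: int) -> VlvRequest:
    """Place the target so the window ends on the last entry (cf. the post's $vlv->end).

    Assumed behaviour for this example; not the module's code.
    """
    return VlvRequest(req.before, req.after, max(1, content - req.after), content)


def run_post_sequence(keys: List[str]):
    """Replay the four searches from the post against the in-memory list."""
    req = VlvRequest(before=0, after=19, offset=1, content=0)
    _, count, first = vlv_page(keys, req)        # first 20 entries
    req = last_page(req, count)                    # $vlv->end
    _, _, last = vlv_page(keys, req)
    req = scroll_page(req, -1, count)              # $vlv->scroll_page(-1)
    _, _, prev = vlv_page(keys, req)
    req = VlvRequest(before=9, after=10, assert_value="B")   # $vlv->assert("B")
    _, _, around_b = vlv_page(keys, req)
    return first, last, prev, around_b


if __name__ == "__main__":
    for name, page in zip(("first", "last", "previous", "around B"), run_post_sequence(SORTED_CN)):
        print(f"{name:9s}: {page[0]} .. {page[-1]} ({len(page)} entries)")
```

The target position and content count returned here are what the real response control carries back; the script above feeds them into the next request with $vlv->response, which is why a failed search (no control in the reply) breaks the whole paging sequence.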
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
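Added example (mine, not dynalogin's or OpenLDAP's code): HOTP as defined in RFC 4226, checked against the test vectors in the RFC's appendix, together with the server-side acceptance logic the RFC recommends: a look-ahead window of counter values, and a stored counter that moves past any accepted code so that a code which has been observed once cannot be accepted again. The window size and the HotpVerifier class are choices made for this example.

```python
import hashlib
import hmac
import struct

# The shared secret from RFC 4226 appendix D (ASCII "12345678901234567890").
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226, section 5.3)."""
    moving_factor = struct.pack(">Q", counter)             # 8-byte big-endian counter
    mac = hmac.new(secret, moving_factor, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Per-user server state: the next expected counter plus a look-ahead window.

    A code is accepted only if it equals HOTP for one of the next `window`
    counter values (RFC 4226, section 7.2, resynchronisation). On success the
    stored counter jumps past the matched value, so the same code, or any
    earlier one, is refused afterwards (section 7.4).
    """

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter
        self.window = window

    def verify(self, code: str) -> bool:
        for i in range(self.window):
            candidate = self.counter + i
            # constant-time comparison, same as any password check
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.counter = candidate + 1
                return True
        return False


if __name__ == "__main__":
    for c in range(10):
        print(c, hotp(RFC4226_SECRET, c))
```

For an LDAP-backed deployment the counter is the piece of state that has to be stored and updated atomically per user; a replica that serves the old counter would accept a code the master has already consumed.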
DIT for an academic institution
by Shali 9846303531
Dear All,
I am new to these LDAP concepts. I have prepared a DIT for our
organization with two academic institutions, each institution having
different branches of study, and also staff and students. I have
attached the DIT; if I am going the wrong way, kindly guide me.
--
Thanks & Regards
Shali.K.R
Server Administrator
9 years, 6 months
Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
by Turbo Fredriksson
[Sorry Howard for sending it to you personally. It was meant for the list.
I sent a copy to the list as well. I hope you don't mind if I send this reply
to the list. I've included every word, so not to take something out of
context.]
On Jan 30, 2014, at 6:17 PM, Howard Chu wrote:
>> Personally, I think it's spot on. It IS hard to configure an LDAP server, and
>> even harder to understand how it works (the object based part). Took me three
>> months first time, and I'm not an idiot.
>
> The object based part is *LDAP*, so that complaint is not specific to OpenLDAP.
Indeed.
But setting up something like Active Directory is something my aunt can/could
do. It probably won't scale to thousands (or maybe not even hundreds :) of
users, but it can be done with reasonable ease.
> The part about RedHat seems fairly accurate to me, it *is* true that they have their own commercial LDAP server to sell, and they have no great interest in OpenLDAP working well on their platforms.
>
>> Even today, I need to consult either my own book or the howto (or seriously
>> skim through the man pages) to setup a new server.
>
> And I still need to read the docs when configuring an Apache HTTP server. That's why we have manpages, there's nothing wrong about that.
Same here. Not my point (see the part at the bottom)...
>> And even worse if when you want to optimize the backend... There's a lot of
>> magic there....
>
> The LMDB backend has no tuning/optimization. That's one of the reasons it exists today.
Yeah, but isn't it quite slow with lmdb? I haven't tested that in years, so
I don't know. One wouldn't run it in production though?
>> And with the new config backend!? I haven't even had the time or energy to go
>> that far yet!
>>
> I think you (and everyone else) are blowing this way out of proportion. Compare the example from here
I know how it works and I don't really have that much problem with it, it's just
so much more difficult to set up (initially) and then maintain than a simple
text file.
It's way better, but it IS also more complicated (than just firing up an editor,
modifying the part you want and then issuing a service restart - can't be much
simpler than that)...
> http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example
>
> to the slapd.conf example
>
> http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File...
>
> They aren't that different, and anyone familiar with slapd.conf and LDIF files should have no trouble mapping concepts from one to the other.
>
> And if you aren't familiar with slapd.conf *and* LDIF then you don't know enough to be an LDAP administrator in the first place, you need to do more homework. That's just life.
I couldn't agree more! I've taken over more than my fair share of badly set up
and maintained OpenLDAP servers to get really pissed at all the ones not having
a clue what they're doing.
It's not just making a config file/backend to allow the server to start, it's
more planning how the database should look (where to put what and
what object classes to use and allow), setting up access control etc, etc. The
actual planning of the database (the content) is the most important part, and
it requires quite a lot of reading and testing before it's understood properly
enough to be used to any extent.
But then there's the integration to the rest of the system (pam login and what
not), Kerberos, SASL, etc, etc...
My point wasn't to argue about the validity of how the OpenLDAP server and its
config file/backend work etc. I fully agree and have no problems with it.
My point was that the website isn't WRONG - it IS hard! Maybe it SHOULD be hard?
The whole concept of an LDAP server is a difficult subject, and shouldn't be
taken lightly.
Unfortunately, it seems that way too many beginners who have been installing
a distribution at home are starting to work as Linux techs/admins, thinking that
just because they've run it on their workstation at home for a couple of months
makes them good enough to work in a professional environment.
I see that in a lot of the open-source projects I'm part of. Complete noobs want to
use something complicated that requires quite a lot of homework. And then comes
the complaining when things go south! Or even worse, they bad-mouth the project or
the technology!
(Open)LDAP is one of those many things that requires a lot more from the admin
than, say ... installing a mail server locally...
On Debian GNU/Linux that's practically automatic. Just answer a couple of
questions, and it works...
It's sad that the website in question (and, from what one could take from this,
people 'out there') actually think that this should be easy. But it's not
(technically) wrong...
--
There are no dumb questions,
unless a customer is asking them.
- Unknown
9 years, 6 months
ldap_add: Object class violation (65), additional info: attribute 'host' not allowed
by W Forum W
Hi
I try to add a user but the host attribute is not accepted (everything
else is fine)
ldapadd -x -W -D "cn=admin,dc=example,dc=com" -f user.ldif
Enter LDAP Password:
adding new entry "uid=user,ou=Users,dc=example,dc=comt"
ldap_add: Object class violation (65)
additional info: attribute 'host' not allowed
How can I add a host attribute?
I have the following schemas installed:
core.schema
cosine.schema
nis.schema
inetorgperson.schema
samba.schema
thanks in advance
9 years, 9 months
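Added example (mine, not from the thread): the check slapd performs when it reports "Object class violation". Loading a schema file only defines attribute types and object classes; an attribute is accepted in an entry only if it appears in the MUST or MAY list of one of the entry's objectClass values or their superiors. inetOrgPerson and its superiors do not list host; in cosine.schema it is the account class that allows it. The schema table below is a trimmed, constructed subset of the real definitions, and the entry stands in for the user.ldif that was not shown. The model also applies the second rule that bites here: all STRUCTURAL classes of an entry must lie on one inheritance chain, so adding account next to inetOrgPerson is rejected too, and the class that carries host has to be AUXILIARY (slapd's built-in extensibleObject is one such class, at the price of allowing any attribute in that entry).

```python
from typing import Dict, List, Optional, Set, Tuple

# Constructed subset of the standard OpenLDAP schema, keyed by object class:
# (superior, kind, MUST attributes, MAY attributes). Attribute lists are trimmed
# to what this example needs; the authoritative definitions are in core.schema,
# cosine.schema and inetorgperson.schema.
SCHEMA: Dict[str, Tuple[Optional[str], str, Set[str], Set[str]]] = {
    "top":                  (None, "ABSTRACT", {"objectClass"}, set()),
    "person":               ("top", "STRUCTURAL", {"sn", "cn"},
                             {"userPassword", "telephoneNumber", "seeAlso", "description"}),
    "organizationalPerson": ("person", "STRUCTURAL", set(),
                             {"title", "ou", "l", "postalAddress"}),
    "inetOrgPerson":        ("organizationalPerson", "STRUCTURAL", set(),
                             {"uid", "mail", "givenName", "displayName"}),
    # cosine.schema: 'account' is where the 'host' attribute is allowed (MAY).
    "account":              ("top", "STRUCTURAL", {"uid"},
                             {"description", "seeAlso", "l", "o", "ou", "host"}),
}

# Constructed stand-in for the posted user.ldif (the real file was not shown).
POSTED_ENTRY: Dict[str, List[str]] = {
    "objectClass": ["inetOrgPerson"],
    "uid": ["user"],
    "cn": ["Example User"],
    "sn": ["User"],
    "host": ["workstation.example.com"],
}


def chain(oc: str) -> List[str]:
    """The object class followed by its superiors up to 'top'."""
    out: List[str] = []
    current: Optional[str] = oc
    while current is not None:
        out.append(current)
        current = SCHEMA[current][0]
    return out


def check_entry(entry: Dict[str, List[str]]) -> List[str]:
    """Return the violations slapd would report for this entry (empty list = accepted)."""
    problems: List[str] = []
    classes = entry.get("objectClass", [])
    unknown = [c for c in classes if c not in SCHEMA]
    if unknown:
        return [f"unknown object class '{c}'" for c in unknown]

    # Collect MUST/MAY over every class in the entry and all of their superiors.
    must: Set[str] = set()
    may: Set[str] = set()
    for oc in classes:
        for c in chain(oc):
            must |= SCHEMA[c][2]
            may |= SCHEMA[c][3]
    for attr in entry:
        if attr not in must and attr not in may:
            problems.append(f"attribute '{attr}' not allowed")
    for attr in sorted(must):
        if attr not in entry:
            problems.append(f"required attribute '{attr}' missing")

    # Every STRUCTURAL class must be an ancestor of the most specific one.
    structural = [c for c in classes if SCHEMA[c][1] == "STRUCTURAL"]
    if structural:
        deepest = max(structural, key=lambda c: len(chain(c)))
        off_chain = [c for c in structural if c not in chain(deepest)]
        if off_chain:
            problems.append(f"invalid structural object class chain ({deepest}/{off_chain[0]})")
    return problems


if __name__ == "__main__":
    print("as posted:      ", check_entry(POSTED_ENTRY))
    with_account = dict(POSTED_ENTRY, objectClass=["inetOrgPerson", "account"])
    print("plus account:   ", check_entry(with_account))
```

Running the two variants shows the two messages in sequence: the posted entry fails on host, and the obvious fix of adding account trades that error for a structural chain error, which is why the attribute has to come from an auxiliary class instead.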
OpenLDAP slapd problems - ldap_result: Can't contact LDAP server (-1) --- Low Sensitivity/Aerospace Internal Use Only
by Warron S French
Low Sensitivity/Aerospace Internal Use Only
Working on a CentOS-6.5 server, running LTB Project's slapd-2.4.38.
Someone suggested I implement a cn=admin,cn=config for a cn=config setup.
(I don't know how to technically word that).
Anyway, I need to make TLS-related changes and was told to do the
following command:
ldapmodify -x -D "cn=admin,cn=config" -W -d 256
...then at the blank line type the following, each on a single line:
Dn: cn=config
Changetype: modify
Add: olcTLSCipherSuite
OlcTLSCipherSuite: HIGH:MEDIUM+TLSv1+SSLv3
<CTRL-D>
I have been getting an error response of:
ldap_result: Can't contact LDAP server (-1)
This __ONLY__ occurs after I hit <CTRL-D>, not before. Yes, the daemon,
slapd, is actually running, but after this failure it abruptly stops. I
know this because in a separate terminal on the same system, I am running
a while-loop with a ps -e | grep slapd in it.
Please note the "-x" option according to the man page for ldapmodify is
supposed to Use simple authentication instead of SASL.
Thank you all for your help, hopefully you can:
1) tell me what this error means, and
2) how to fix my problem so that I can complete the olcTLSxxxx changes I
need to implement.
Warron French, MBA, SCSA
The Aerospace Corporation
Sr. UNIX SA & Storage Admin
Mailstop: CH1-230
Desk: 571-307-5311
Cell: 703-967-8936
9 years, 9 months
java API for SAML integration
by Jignesh Patel
We have been using SimpleSAMLphp with openldap 2.4.33.
Is there any Java API available which can provide similar functionality?
Jignesh Patel
Chief Architect
iCare.com LLC
14001 NW 4th Street Sunrise, FL 33325
O: 954-616-5604
F: 954-616-5609
jignesh(a)icare.com
9 years, 9 months
RE: Syncrepl and mmr
by Quanah Gibson-Mount
--On Friday, January 31, 2014 4:34 PM -0500 "Borresen, John - 0442 - MITLL"
<John.Borresen(a)ll.mit.edu> wrote:
> I have turned off TLS for the time being.
>
> Now, I think it is an ACLs issue that I need to figure out...seeing the
> following:
>
> ldap_write: want=531 error=Broken pipe
> 52ec16ae ber_flush2 failed errno=32 reason="Broken pipe"
> 52ec16ae connection_closing: readying conn=1074 sd=22 for close
> 52ec16ae send_search_entry: conn 1074 ber write failed.
> 52ec16ae connection_resched: attempting closing conn=1074 sd=22
> 52ec16ae connection_close: conn=1074 sd=22
> 52ec16ae daemon: removing 22
> 52ec16ae conn=1074 fd=22 closed (connection lost on write)
> 52ec16ae daemon: activity on 1 descriptor
> 52ec16ae daemon: activity on:52ec16ae
> 52ec16ae daemon: epoll: listen=7 active_threads=0 tvp=zero
That would not be an ACL issue. Broken pipes, flushing problems, etc... I
generally see that with firewalls causing problems.
--Quanah
--
Quanah Gibson-Mount
Architect - Server
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9 years, 9 months
problem with accessing secure ldap
by c chupela
I've been tasked with figuring out why a redhat 6.4 server w/openldap v2.4.23 is not accessible.
This server is a test server. I have a production server that is working properly, and I've gone through and compared config files, etc, but haven't found any differences.
I'm a newbie with this, so my understanding is still somewhat limited. Here's what I've done or checked so far:
- iptables is not running
- if I run netstat, I can see port 389/port 636 in listening state:
tcp 0 0 0.0.0.0:636 0.0.0.0:* LISTEN 5603/slapd
tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 5603/slapd
tcp 0 0 :::636 :::* LISTEN 5603/slapd
tcp 0 0 :::389 :::* LISTEN 5603/slapd
I can telnet to port 389 on this server from another server, but not to port 636 - putty will throw back an immediate 'connection closed by remote host' message.
I'm not seeing any slapd related messages in /var/log/messages.
What else can I check on here?
Thanks
Chris
9 years, 9 months