October 2014 - openldap-technical

by Venish Khant

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

6 years, 12 months

4
11
0 / 0

OpenLDAP and dynalogin (two-factor auth with HOTP)

by Daniel Pocock

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

7 years, 11 months

5
6
0 / 0

Non OpenLDAP use of LMDB

by Harry B

Hello, I am planning to use LMDB to create a resonably large database, few TBs, > 500mil keys, on a Fusion IO flash storage. Memory to storage ratio of the available hardware is about 1:10 Assuming the caching of "5 to 10%" of most-frequently-accessed data is good enough for my use-case, is this a valid/legitimate use of LMDB ? Or am I using the wrong tool for the job? My other choices are RocksDB (haven't looked at it) or Postgres (using a limited subset of features), the latter mainly because we already use it across the company. Any advice is appreciated. Thanks -- Harry

8 years, 4 months

2
2
0 / 0

allow to pass on "undefined" filters in meta

by Markus.Storm＠t-systems.com

Hi I've run into a problem trying to deploy back-meta in front of an Active Directory target. I believe that to resolve it, I need to get a new option implemented. I need to issue a request through a back-meta proxy . That query happens to contain a matching rule which is not implemented in OpenLDAP so slapd does not know to evaluate the query. The target that the query will ultimately be passed on to (an Active Directory) does know to process the query, though. OpenLDAP, however, considers the filter to be "undefined" and thus on relaying the request to the AD target, back-meta replaces a portion of the original query with a "(?=undefined)" filter as documented in e.g. slapd-meta manpage "noundeffilter" option. But I need the original query to be passed on. It's in fact a _valid_ LDAP request, just OpenLDAP happens to be unable to parse it. But at least in my setup, slapd does not have to do _anything_ about the query other than to pass it on, so I find it inacceptable that it replaces the query just because it doesn't understand it. Please, can you add an option switch to the code to allow for passing on original queries *without* replacing undefined portions ? I have not found any other solution to my problem. I tried to make OpenLDAP aware of the undefined portion by adding the matching rule to the schema but I failed. Seems that would need to be planted into the code, and not being a programmer, that's not as easy as it is with expanding the schema by some new attributes. Also, while of course any parser/feature enhancement will always be appreciated, I would think that to implement the matching rule is not the best way of fixing things: I believe there will always be situations where OpenLDAP cannot parse the input while another LDAP server can. For a proof of concept, I hacked servers/slapd/back-meta/map.c (around line 581 as of 2.4.39) and but - again, I'm not a programmer - I feel incapable of turning this into a full-blown patch free of side effects, also I want the modification to become available to anyone. So I'm hoping for you to implement the switch mentioned above, maybe as a third possible setting for the "noundeffilter" option. Thanks a lot in advance, best regards Markus Storm

8 years, 6 months

3
4
0 / 0

Re: Replication restores deleted user

by kevin sullivan

Thank you very much for the advice and the example config! I generally convert my slapd.conf to cn=config, I just find it easier to use the slapd.conf when debugging. But this gives me hope that my problem could be an issue with the conversion of slapd.conf to cn=config or something that I can find in your configuration. Thank you again, and I will let you know what I find! On Fri, Oct 31, 2014 at 3:40 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Friday, October 31, 2014 4:13 PM -0400 kevin sullivan < > kevin4sullivan(a)gmail.com> wrote: > > >> >> >> >> >> Quanah, >> >> Thank you for the suggestion to move to delta-syncrepl MMR. >> Unfortunately, I am having problems setting this up properly. After >> reading through some documentation, I thought it would be simple but when >> I bring up slapd on my two servers, they both start using around 100% CPU >> and in the debug output the two servers are constantly looping through >> all of the objects in my DIT and saying that the objects have not changed: >> >> 5453d6b5 @(#) $OpenLDAP: slapd 2.4.39 (Jun 18 2014 05:19:18) $ >> >> mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap >> -2.4.39/openldap-2.4.39/build-servers/servers/slapd >> 5453d6b5 hdb_monitor_db_open: monitoring disabled; configure monitor >> database to enable >> 5453d6b5 slapd starting >> ... >> 5453d6b5 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID: >> 1cfcd560-f564-1033-9f47-b521eabdb6ad >> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) >> 5453d6b5 syncrepl_entry: rid=001 inserted UUID >> 1cfcd560-f564-1033-9f47-b521eabdb6ad >> 5453d6b5 dn_callback : entries have identical CSN dc=example,dc=com >> 20141031161001.910968Z#000000#000#000000 >> 5453d6b5 syncrepl_entry: rid=001 be_search (0) >> 5453d6b5 syncrepl_entry: rid=001 dc=example,dc=com >> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored >> (dc=example,dc=com) >> 5453d6b5 syncrepl_message_to_entry: rid=001 DN: >> ou=users,dc=example,dc=com, UUID: 1cfe8cf2-f564-1033-9f48-b521eabdb6ad >> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) >> 5453d6b5 syncrepl_entry: rid=001 inserted UUID >> 1cfe8cf2-f564-1033-9f48-b521eabdb6ad >> 5453d6b5 dn_callback : entries have identical CSN >> ou=users,dc=example,dc=com 20141031161001.922234Z#000000#000#000000 >> 5453d6b5 syncrepl_entry: rid=001 be_search (0) >> 5453d6b5 syncrepl_entry: rid=001 ou=users,dc=example,dc=com >> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored >> (ou=users,dc=example,dc=com) >> ..... >> 5453d6b5 do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT >> 5453d6b5 do_syncrep2: rid=001 cookie= >> ... Repeated forever ... >> >> Am I configuring something incorrectly? >> >> To refresh your memory, I am running 2.4.39-8. I have two servers >> (server1 and server2) that I want to setup in delta-syncrepl MMR >> MirrorMode. >> > > Hi Kevin, > > I stopped using the deprecated slapd.conf format years ago, as it's prone > to misuse and incorrect setup. Your supplied config is an example of why > it's a bad idea to use slapd.conf (For example, you have serverID under the > database section, when it's a global option, etc). I'd strongly advise you > to switch to using cn=config so that you can have an actual validated > configuration. It also makes troubleshooting a lot easier to do. > > Aside from that, your log simply shows the server comparing each entry > between the two servers... Sounds like they didn't start out believing they > were in sync and are trying to get there. > > Here's an example of my config, using cn=config (slapcat export) minus the > schema: > > <http://pastebin.com/nv1WNX2y> > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

8 years, 6 months

3
10
0 / 0

Kernel segfault slapd

by Scot Hollingsworth

Issue: slapd keeps crashing about twice a day on multiple servers. I updated the kernel and openldap but still see the problem. Anyone point me in the right direction? Log: kernel: slapd[4435]: segfault at 4 ip 00d1984f sp acc3d270 error 4 in slapd[bcc000+215000] System: openldap-2.4.39-8.el6.i686 openldap-clients-2.4.39-8.el6.i686 openldap-servers-2.4.39-8.el6.i686 Kernel: 2.6.32-504.el6.i686 -- Thanks. Scot H -- The mission of the Rankin County School District is to prepare every student with the cognitive and social skills necessary to be productive members of an ever-changing global society. -- This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error.

8 years, 6 months

4
4
0 / 0

journal of changes

by Zeus Panchenko

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 hi, is there way to have something like, I'd call, "journal of changes" where it could be saved all changes (modifications and deletions in particular) for each object what I'm talking about is *whole* history of the actions the object has undergone after creation - -- Zeus V. Panchenko jid:zeus@im.ibs.dn.ua IT Dpt., I.B.S. LLC GMT+2 (EET) -----BEGIN PGP SIGNATURE----- Version: GnuPG v1 iEYEARECAAYFAlRHeGUACgkQr3jpPg/3oyrwuQCgygBCJzX239kZSvAWUj+eDarN adwAni+d1KSGElOeeHBw10zXb400pSzG =QEn7 -----END PGP SIGNATURE-----

8 years, 6 months

2
2
0 / 0

Re: Need information on alock file in data directory of OpenLDAP 2.4.39

by pramod kulkarni

I am runing slapcat command like this, slapcat -f slapd.conf -l backup.ldif is it wrong ? On Thu, Oct 30, 2014 at 10:20 PM, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Thursday, October 30, 2014 11:16 PM +0100 pramod kulkarni < > pammu.kulkarni(a)gmail.com> wrote: > > > 5452a973 The first database does not allow slapcat; using the first >> available on e (2) >> > > You're running slapcat incorrectly if you get this message. > > In any case, as already noted, the correct solution is to move to using > back-mdb, and stop using the deprecated BDB based backend. > > > --Quanah > > > > -- > > Quanah Gibson-Mount > Server Architect > Zimbra, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

8 years, 7 months

6
8
0 / 0

Re: Kernel segfault slapd

by Dominik George

Hi Scott, > Thanks for responding Nik. I have rsyslog 5.8.10-9 running but I do see > the following.... > > rsyslogd-2177: imuxsock lost 426 messages from pid 17944 due to > rate-limiting > > > This is repeated multiple times. I guess that 17944 is the PID of your running slapd. In this case, you are having the same issue as I once had - slapd will segfault sometimes when syslog drops its messages. https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689025 Updatign to Debian wheeze fixes the issue. -nik

8 years, 7 months

3
3
0 / 0

Re: Replication restores deleted user

by Quanah Gibson-Mount

--On Friday, October 31, 2014 4:13 PM -0400 kevin sullivan <kevin4sullivan(a)gmail.com> wrote: > > > > > > Quanah, > > Thank you for the suggestion to move to delta-syncrepl MMR. > Unfortunately, I am having problems setting this up properly. After > reading through some documentation, I thought it would be simple but when > I bring up slapd on my two servers, they both start using around 100% CPU > and in the debug output the two servers are constantly looping through > all of the objects in my DIT and saying that the objects have not changed: > > 5453d6b5 @(#) $OpenLDAP: slapd 2.4.39 (Jun 18 2014 05:19:18) $ > > mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap > -2.4.39/openldap-2.4.39/build-servers/servers/slapd > 5453d6b5 hdb_monitor_db_open: monitoring disabled; configure monitor > database to enable > 5453d6b5 slapd starting > ... > 5453d6b5 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID: > 1cfcd560-f564-1033-9f47-b521eabdb6ad > 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) > 5453d6b5 syncrepl_entry: rid=001 inserted UUID > 1cfcd560-f564-1033-9f47-b521eabdb6ad > 5453d6b5 dn_callback : entries have identical CSN dc=example,dc=com > 20141031161001.910968Z#000000#000#000000 > 5453d6b5 syncrepl_entry: rid=001 be_search (0) > 5453d6b5 syncrepl_entry: rid=001 dc=example,dc=com > 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored > (dc=example,dc=com) > 5453d6b5 syncrepl_message_to_entry: rid=001 DN: > ou=users,dc=example,dc=com, UUID: 1cfe8cf2-f564-1033-9f48-b521eabdb6ad > 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD) > 5453d6b5 syncrepl_entry: rid=001 inserted UUID > 1cfe8cf2-f564-1033-9f48-b521eabdb6ad > 5453d6b5 dn_callback : entries have identical CSN > ou=users,dc=example,dc=com 20141031161001.922234Z#000000#000#000000 > 5453d6b5 syncrepl_entry: rid=001 be_search (0) > 5453d6b5 syncrepl_entry: rid=001 ou=users,dc=example,dc=com > 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored > (ou=users,dc=example,dc=com) > ..... > 5453d6b5 do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT > 5453d6b5 do_syncrep2: rid=001 cookie= > ... Repeated forever ... > > Am I configuring something incorrectly? > > To refresh your memory, I am running 2.4.39-8. I have two servers > (server1 and server2) that I want to setup in delta-syncrepl MMR > MirrorMode. Hi Kevin, I stopped using the deprecated slapd.conf format years ago, as it's prone to misuse and incorrect setup. Your supplied config is an example of why it's a bad idea to use slapd.conf (For example, you have serverID under the database section, when it's a global option, etc). I'd strongly advise you to switch to using cn=config so that you can have an actual validated configuration. It also makes troubleshooting a lot easier to do. Aside from that, your log simply shows the server comparing each entry between the two servers... Sounds like they didn't start out believing they were in sync and are trying to get there. Here's an example of my config, using cn=config (slapcat export) minus the schema: <http://pastebin.com/nv1WNX2y> --Quanah -- Quanah Gibson-Mount Server Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

8 years, 7 months

1
0
0 / 0

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical October 2014