Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result, so for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once per returned entry; prints the DN and every attribute value
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # free the entry once it has been printed
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,       # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );

# Get VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;   # <-- line 50 of vlv.pl, where it dies
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );

# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);       # Change page to show 9 before
$vlv->after(10);       # Change page to show 10 after
$vlv->assert("B");     # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 6 months
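The `or die` in the script carries no message, so all it reports is where the script died, not why. The usual reason for `$mesg->control( LDAP_CONTROL_VLVRESPONSE )` coming back empty is that the server never applied the VLV request at all: a Net::LDAP request control is non-critical by default, and a server that does not implement the control ignores it and returns no response control. On OpenLDAP both server-side sorting and VLV are supplied by the sssvlv overlay and, when available, are advertised under supportedControl in the root DSE. The script below is an added example, not code from the original post or from Net::LDAP; it reuses the host and base DN from the post as assumptions, checks the root DSE before paging, and inspects both the search result code and the VLV response before trusting a page.

```perl
#!/usr/bin/perl
# Added example (not from the original post): verify the server advertises the
# server-side-sort and VLV controls before paging, and check the search result
# and the VLV response control explicitly, so a failure reports its cause.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_SUCCESS LDAP_CONTROL_SORTREQUEST
    LDAP_CONTROL_VLVREQUEST LDAP_CONTROL_VLVRESPONSE
);

# Assumed connection parameters (taken from the post); adjust to your setup.
my $host = 'localhost';
my $base = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "connect to $host failed: $@\n";

# 1. Read supportedControl from the root DSE. VLV is only meaningful together
#    with a sort control, so both OIDs must be advertised.
my $dse = $ldap->search(base   => '', scope => 'base',
                        filter => '(objectClass=*)',
                        attrs  => ['supportedControl']);
die 'root DSE search failed: ' . $dse->error . "\n" if $dse->code != LDAP_SUCCESS;
my %supported = map { $_ => 1 } $dse->entry(0)->get_value('supportedControl');
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST) {
    die "server does not advertise control $oid; VLV paging is unavailable\n"
        unless $supported{$oid};
}

# 2. Page forward through the sorted list, 20 entries at a time. Every round
#    checks the result code and requires a VLV response control to be present.
my $vlv  = Net::LDAP::Control::VLV->new(before => 0, after => 19,
                                        content => 0, offset => 1);
my $sort = Net::LDAP::Control::Sort->new(order => 'cn');
my @args = (base    => $base,
            scope   => 'subtree',
            filter  => '(objectClass=inetOrgPerson)',
            attrs   => ['cn'],
            control => [$sort, $vlv]);

while (1) {
    my $mesg = $ldap->search(@args);
    die 'search failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

    my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
    die "no VLV response control in the result; the server did not apply VLV\n"
        unless defined $resp;
    die 'VLV response reports error code ' . $resp->result . "\n"
        if $resp->result != LDAP_SUCCESS;
    $vlv->response($resp);    # copies targetOffset/contentCount/context into $vlv

    print $_->dn, "\n" for $mesg->entries;

    # Stop once this page reaches the end of the list (offset is 1-based).
    last if $vlv->offset + $vlv->after >= $vlv->content;
    $vlv->scroll_page(1);
}
$ldap->unbind;
```

Against a server that advertises both OIDs this walks the whole sorted result; against one that does not, it stops at the root DSE check and names the missing control instead of dying on the first page.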
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 5 months
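To make the RFC 2289 versus RFC 4226 distinction concrete: HOTP is an HMAC-SHA-1 over an 8-byte counter, truncated to a short decimal code, and a verifier has to cope with the client's counter running ahead of the server's. The script below is an added example written for this page, not code from dynalogin or OpenLDAP; it implements HOTP generation, checks it against the RFC 4226 Appendix D test vectors, and shows the look-ahead verification from section 7.4 resynchronising and then rejecting a replayed code.

```perl
#!/usr/bin/perl
# Added example (not part of dynalogin or the original post): HOTP per
# RFC 4226, plus the server-side look-ahead verification the RFC describes.
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);

# hotp(SECRET, COUNTER [, DIGITS]): HMAC-SHA-1 over the 8-byte big-endian
# counter, dynamic truncation to a 31-bit integer, then modulo 10^DIGITS.
sub hotp {
    my ($secret, $counter, $digits) = @_;
    $digits //= 6;
    my $msg  = pack('N2', int($counter / 2**32), $counter % 2**32);  # 64-bit BE counter
    my $hmac = hmac_sha1($msg, $secret);                              # 20 bytes
    my $off  = ord(substr($hmac, 19, 1)) & 0x0f;                      # low nibble of last byte
    my $code = unpack('N', substr($hmac, $off, 4)) & 0x7fffffff;      # drop the sign bit
    return sprintf("%0${digits}d", $code % 10**$digits);
}

# verify_hotp(SECRET, \$COUNTER, CODE [, WINDOW]): RFC 4226 section 7.4
# look-ahead. Accept CODE if it matches any counter in [c, c + WINDOW) and
# move the stored counter past the match so the same code is never accepted
# twice. Callers must also throttle failures (section 7.3); not shown here.
sub verify_hotp {
    my ($secret, $counter_ref, $code, $window) = @_;
    $window //= 10;
    for my $i (0 .. $window - 1) {
        if (hotp($secret, $$counter_ref + $i) eq $code) {
            $$counter_ref += $i + 1;
            return 1;
        }
    }
    return 0;
}

# RFC 4226 Appendix D test vectors: ASCII secret "12345678901234567890".
my $secret  = '12345678901234567890';
my @vectors = qw(755224 287082 359152 969429 338314 254676 287922 162583 399871 520489);
for my $c (0 .. $#vectors) {
    my $got = hotp($secret, $c);
    printf "counter %d: %s (%s)\n", $c, $got,
        $got eq $vectors[$c] ? 'matches RFC' : 'MISMATCH';
}

# The client has advanced to counter 2 while the server still holds 0: the
# look-ahead window resynchronises, and a replay of the same code is rejected.
my $server_counter = 0;
my $client_code    = hotp($secret, 2);
printf "first use: %s, server counter now %d\n",
    verify_hotp($secret, \$server_counter, $client_code) ? 'accepted' : 'rejected',
    $server_counter;
printf "replay:    %s, server counter now %d\n",
    verify_hotp($secret, \$server_counter, $client_code) ? 'accepted' : 'rejected',
    $server_counter;
```

The `eq` comparison is fine for a demonstration; a production verifier compares codes in constant time, throttles failed attempts as section 7.3 requires, and persists the counter atomically so two concurrent logins cannot both succeed with the same code.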
Non OpenLDAP use of LMDB
by Harry B
Hello,
I am planning to use LMDB to create a reasonably large database, a few TBs,
> 500 million keys, on Fusion IO flash storage. The memory-to-storage ratio of the
available hardware is about 1:10.
Assuming that caching "5 to 10%" of the most-frequently-accessed data is good
enough for my use case, is this a valid/legitimate use of LMDB? Or am I
using the wrong tool for the job?
My other choices are RocksDB (haven't looked at it) or Postgres (using a
limited subset of features), the latter mainly because we already use it
across the company.
Any advice is appreciated.
Thanks
--
Harry
8 years, 10 months
allow to pass on "undefined" filters in meta
by Markus.Storm@t-systems.com
Hi
I've run into a problem trying to deploy back-meta in front of an Active Directory target.
I believe that to resolve it, I need to get a new option implemented.
I need to issue a request through a back-meta proxy. That query happens to contain a matching rule which is not implemented in OpenLDAP, so slapd does not know how to evaluate the query. The target that the query will ultimately be passed on to (an Active Directory) does know how to process the query, though. OpenLDAP, however, considers the filter to be "undefined" and thus, on relaying the request to the AD target, back-meta replaces a portion of the original query with a "(?=undefined)" filter, as documented in e.g. the slapd-meta manpage under the "noundeffilter" option.
But I need the original query to be passed on. It's in fact a _valid_ LDAP request; OpenLDAP just happens to be unable to parse it.
But at least in my setup, slapd does not have to do _anything_ about the query other than pass it on, so I find it unacceptable that it replaces the query just because it doesn't understand it.
Please, can you add an option switch to the code to allow passing on original queries *without* replacing undefined portions?
I have not found any other solution to my problem. I tried to make OpenLDAP aware of the undefined portion by adding the matching rule to the schema, but I failed. It seems that would need to be planted into the code, and, not being a programmer, that's not as easy as it is with expanding the schema by some new attributes.
Also, while of course any parser/feature enhancement will always be appreciated, I would think that implementing the matching rule is not the best way of fixing things: I believe there will always be situations where OpenLDAP cannot parse the input while another LDAP server can.
For a proof of concept, I hacked servers/slapd/back-meta/map.c (around line 581 as of 2.4.39), but - again, I'm not a programmer - I feel incapable of turning this into a full-blown patch free of side effects; also I want the modification to become available to everyone.
So I'm hoping for you to implement the switch mentioned above, maybe as a third possible setting for the "noundeffilter" option.
Thanks a lot in advance,
best regards
Markus Storm
9 years
Re: Replication restores deleted user
by kevin sullivan
Thank you very much for the advice and the example config! I generally
convert my slapd.conf to cn=config, I just find it easier to use the
slapd.conf when debugging. But this gives me hope that my problem could be
an issue with the conversion of slapd.conf to cn=config or something that I
can find in your configuration.
Thank you again, and I will let you know what I find!
On Fri, Oct 31, 2014 at 3:40 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Friday, October 31, 2014 4:13 PM -0400 kevin sullivan <
> kevin4sullivan(a)gmail.com> wrote:
>
>
>>
>>
>>
>>
>> Quanah,
>>
>> Thank you for the suggestion to move to delta-syncrepl MMR.
>> Unfortunately, I am having problems setting this up properly. After
>> reading through some documentation, I thought it would be simple but when
>> I bring up slapd on my two servers, they both start using around 100% CPU
>> and in the debug output the two servers are constantly looping through
>> all of the objects in my DIT and saying that the objects have not changed:
>>
>> 5453d6b5 @(#) $OpenLDAP: slapd 2.4.39 (Jun 18 2014 05:19:18) $
>>
>> mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap
>> -2.4.39/openldap-2.4.39/build-servers/servers/slapd
>> 5453d6b5 hdb_monitor_db_open: monitoring disabled; configure monitor
>> database to enable
>> 5453d6b5 slapd starting
>> ...
>> 5453d6b5 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID:
>> 1cfcd560-f564-1033-9f47-b521eabdb6ad
>> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>> 5453d6b5 syncrepl_entry: rid=001 inserted UUID
>> 1cfcd560-f564-1033-9f47-b521eabdb6ad
>> 5453d6b5 dn_callback : entries have identical CSN dc=example,dc=com
>> 20141031161001.910968Z#000000#000#000000
>> 5453d6b5 syncrepl_entry: rid=001 be_search (0)
>> 5453d6b5 syncrepl_entry: rid=001 dc=example,dc=com
>> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored
>> (dc=example,dc=com)
>> 5453d6b5 syncrepl_message_to_entry: rid=001 DN:
>> ou=users,dc=example,dc=com, UUID: 1cfe8cf2-f564-1033-9f48-b521eabdb6ad
>> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
>> 5453d6b5 syncrepl_entry: rid=001 inserted UUID
>> 1cfe8cf2-f564-1033-9f48-b521eabdb6ad
>> 5453d6b5 dn_callback : entries have identical CSN
>> ou=users,dc=example,dc=com 20141031161001.922234Z#000000#000#000000
>> 5453d6b5 syncrepl_entry: rid=001 be_search (0)
>> 5453d6b5 syncrepl_entry: rid=001 ou=users,dc=example,dc=com
>> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored
>> (ou=users,dc=example,dc=com)
>> .....
>> 5453d6b5 do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT
>> 5453d6b5 do_syncrep2: rid=001 cookie=
>> ... Repeated forever ...
>>
>> Am I configuring something incorrectly?
>>
>> To refresh your memory, I am running 2.4.39-8. I have two servers
>> (server1 and server2) that I want to setup in delta-syncrepl MMR
>> MirrorMode.
>>
>
> Hi Kevin,
>
> I stopped using the deprecated slapd.conf format years ago, as it's prone
> to misuse and incorrect setup. Your supplied config is an example of why
> it's a bad idea to use slapd.conf (For example, you have serverID under the
> database section, when it's a global option, etc). I'd strongly advise you
> to switch to using cn=config so that you can have an actual validated
> configuration. It also makes troubleshooting a lot easier to do.
>
> Aside from that, your log simply shows the server comparing each entry
> between the two servers... Sounds like they didn't start out believing they
> were in sync and are trying to get there.
>
> Here's an example of my config, using cn=config (slapcat export) minus the
> schema:
>
> <http://pastebin.com/nv1WNX2y>
>
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years
Kernel segfault slapd
by Scot Hollingsworth
Issue:
slapd keeps crashing about twice a day on multiple servers. I updated the
kernel and openldap but still see the problem. Can anyone point me in the
right direction?
Log:
kernel: slapd[4435]: segfault at 4 ip 00d1984f sp acc3d270 error 4 in
slapd[bcc000+215000]
System:
openldap-2.4.39-8.el6.i686
openldap-clients-2.4.39-8.el6.i686
openldap-servers-2.4.39-8.el6.i686
Kernel:
2.6.32-504.el6.i686
--
Thanks.
Scot H
9 years
journal of changes
by Zeus Panchenko
hi,
is there a way to have something like what I'd call a "journal of changes",
where all changes (modifications and deletions in particular) to each
object could be saved?
what I'm talking about is the *whole* history of the actions the object has
undergone after creation
--
Zeus V. Panchenko jid:zeus@im.ibs.dn.ua
IT Dpt., I.B.S. LLC GMT+2 (EET)
9 years
Re: Need information on alock file in data directory of OpenLDAP 2.4.39
by pramod kulkarni
I am running the slapcat command like this: slapcat -f slapd.conf -l backup.ldif
Is it wrong?
On Thu, Oct 30, 2014 at 10:20 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Thursday, October 30, 2014 11:16 PM +0100 pramod kulkarni <
> pammu.kulkarni(a)gmail.com> wrote:
>
>
>> 5452a973 The first database does not allow slapcat; using the first
>> available one (2)
>>
>
> You're running slapcat incorrectly if you get this message.
>
> In any case, as already noted, the correct solution is to move to using
> back-mdb, and stop using the deprecated BDB based backend.
>
>
> --Quanah
>
>
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
9 years
Re: Kernel segfault slapd
by Dominik George
Hi Scott,
> Thanks for responding Nik. I have rsyslog 5.8.10-9 running but I do see
> the following....
>
> rsyslogd-2177: imuxsock lost 426 messages from pid 17944 due to
> rate-limiting
>
>
> This is repeated multiple times.
I guess that 17944 is the PID of your running slapd.
In this case, you are having the same issue as I once had - slapd will
segfault sometimes when syslog drops its messages.
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=689025
Updating to Debian wheezy fixes the issue.
-nik
9 years
Re: Replication restores deleted user
by Quanah Gibson-Mount
--On Friday, October 31, 2014 4:13 PM -0400 kevin sullivan
<kevin4sullivan(a)gmail.com> wrote:
>
> Quanah,
>
> Thank you for the suggestion to move to delta-syncrepl MMR.
> Unfortunately, I am having problems setting this up properly. After
> reading through some documentation, I thought it would be simple but when
> I bring up slapd on my two servers, they both start using around 100% CPU
> and in the debug output the two servers are constantly looping through
> all of the objects in my DIT and saying that the objects have not changed:
>
> 5453d6b5 @(#) $OpenLDAP: slapd 2.4.39 (Jun 18 2014 05:19:18) $
>
> mockbuild@x86-028.build.eng.bos.redhat.com:/builddir/build/BUILD/openldap
> -2.4.39/openldap-2.4.39/build-servers/servers/slapd
> 5453d6b5 hdb_monitor_db_open: monitoring disabled; configure monitor
> database to enable
> 5453d6b5 slapd starting
> ...
> 5453d6b5 syncrepl_message_to_entry: rid=001 DN: dc=example,dc=com, UUID:
> 1cfcd560-f564-1033-9f47-b521eabdb6ad
> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
> 5453d6b5 syncrepl_entry: rid=001 inserted UUID
> 1cfcd560-f564-1033-9f47-b521eabdb6ad
> 5453d6b5 dn_callback : entries have identical CSN dc=example,dc=com
> 20141031161001.910968Z#000000#000#000000
> 5453d6b5 syncrepl_entry: rid=001 be_search (0)
> 5453d6b5 syncrepl_entry: rid=001 dc=example,dc=com
> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored
> (dc=example,dc=com)
> 5453d6b5 syncrepl_message_to_entry: rid=001 DN:
> ou=users,dc=example,dc=com, UUID: 1cfe8cf2-f564-1033-9f48-b521eabdb6ad
> 5453d6b5 syncrepl_entry: rid=001 LDAP_RES_SEARCH_ENTRY(LDAP_SYNC_ADD)
> 5453d6b5 syncrepl_entry: rid=001 inserted UUID
> 1cfe8cf2-f564-1033-9f48-b521eabdb6ad
> 5453d6b5 dn_callback : entries have identical CSN
> ou=users,dc=example,dc=com 20141031161001.922234Z#000000#000#000000
> 5453d6b5 syncrepl_entry: rid=001 be_search (0)
> 5453d6b5 syncrepl_entry: rid=001 ou=users,dc=example,dc=com
> 5453d6b5 syncrepl_entry: rid=001 entry unchanged, ignored
> (ou=users,dc=example,dc=com)
> .....
> 5453d6b5 do_syncrep2: rid=001 LDAP_RES_SEARCH_RESULT
> 5453d6b5 do_syncrep2: rid=001 cookie=
> ... Repeated forever ...
>
> Am I configuring something incorrectly?
>
> To refresh your memory, I am running 2.4.39-8. I have two servers
> (server1 and server2) that I want to setup in delta-syncrepl MMR
> MirrorMode.
Hi Kevin,
I stopped using the deprecated slapd.conf format years ago, as it's prone
to misuse and incorrect setup. Your supplied config is an example of why
it's a bad idea to use slapd.conf (For example, you have serverID under the
database section, when it's a global option, etc). I'd strongly advise you
to switch to using cn=config so that you can have an actual validated
configuration. It also makes troubleshooting a lot easier to do.
Aside from that, your log simply shows the server comparing each entry
between the two servers... Sounds like they didn't start out believing they
were in sync and are trying to get there.
Here's an example of my config, using cn=config (slapcat export) minus the
schema:
<http://pastebin.com/nv1WNX2y>
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
9 years