Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50.
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry once printed so memory stays flat
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "connect failed: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV is only valid together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $resp;
my $mesg = $ldap->search(@args);
# Report the server's own result code before looking for the control
die "search failed: " . $mesg->error if $mesg->code;
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;    # <-- line 50 of vlv.pl
$vlv->response($resp);

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);

# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
7 years
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
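Added example, not dynalogin's code and not from this post: RFC 4226 HOTP in standard-library Python, with the server-side pieces the proposal above implies. `hotp()` is the RFC algorithm (HMAC-SHA1 over the 8-byte counter, dynamic truncation, six digits) and is checked against the RFC's own Appendix D test vectors. `HotpVerifier` is a constructed stand-in for what a directory entry would hold: a look-ahead window absorbs codes the user generated but never sent, and a match advances the counter past the used value so the same code is rejected on replay. `authenticate()` shows the "either password or HOTP code" rule from the list above; the password store, salt and the name `make_record` are assumptions made for this example.

```python
import hashlib
import hmac
import os
import struct

# RFC 4226 Appendix D test secret, ASCII "12345678901234567890".
# Constructed input for this example only; never reuse a published secret.
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation on the low nibble of the last byte, then the
    low `digits` decimal digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24
            | mac[offset + 1] << 16
            | mac[offset + 2] << 8
            | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Server-side HOTP state for one user (assumed layout, not dynalogin's).
    `counter` is the next value the server expects; `window` is how far
    ahead it will look for a user who pressed the button without logging in.
    A successful match moves the counter past the matched value, so a code
    can be accepted at most once."""

    def __init__(self, secret: bytes, counter: int = 0, window: int = 10):
        self.secret = secret
        self.counter = counter
        self.window = window

    def verify(self, candidate: str) -> bool:
        for ahead in range(self.window):
            c = self.counter + ahead
            if hmac.compare_digest(hotp(self.secret, c), candidate):
                self.counter = c + 1   # consume this and any skipped counters
                return True
        return False


def make_record(password: str, secret: bytes) -> dict:
    """Constructed in-memory stand-in for a user entry holding a salted
    PBKDF2 password hash next to the HOTP state."""
    salt = os.urandom(16)
    return {"salt": salt,
            "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000),
            "hotp": HotpVerifier(secret)}


def authenticate(store: dict, user: str, submitted: str) -> bool:
    """'Either password or HOTP code': try the password first with a
    constant-time compare, then fall back to the HOTP window."""
    rec = store[user]
    digest = hashlib.pbkdf2_hmac("sha256", submitted.encode(), rec["salt"], 100_000)
    if hmac.compare_digest(digest, rec["pw_hash"]):
        return True
    return rec["hotp"].verify(submitted)


if __name__ == "__main__":
    store = {"alice": make_record("correct horse", TEST_SECRET)}
    print("password:", authenticate(store, "alice", "correct horse"))
    print("hotp #0: ", authenticate(store, "alice", hotp(TEST_SECRET, 0)))
    print("replay:  ", authenticate(store, "alice", hotp(TEST_SECRET, 0)))
```

The window is the part worth thinking about when wiring this to a directory: the counter update has to be committed before the bind result is returned, otherwise two concurrent binds with the same code both succeed.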
7 years, 11 months
Non OpenLDAP use of LMDB
by Harry B
Hello,
I am planning to use LMDB to create a reasonably large database, a few TBs, >
500mil keys, on Fusion IO flash storage. The memory to storage ratio of the
available hardware is about 1:10.
Assuming caching of "5 to 10%" of the most-frequently-accessed data is good
enough for my use-case, is this a valid/legitimate use of LMDB? Or am I
using the wrong tool for the job?
My other choices are RocksDB (haven't looked at it) or Postgres (using a
limited subset of features), the latter mainly because we already use it
across the company.
Any advice is appreciated.
Thanks
--
Harry
8 years, 5 months
ldap sync
by Kolijn, P.
List,
I have been trying to configure a producer -> consumer setup with 2.4.39
and an mdb backend.
It seems to work for a while, but the sync stops when data.mdb is
approx 15M, about 1630 entries instead of the 50000 and about 400M...
If I do a slapadd of the data into my consumer it will grow beyond the
15M size...
--snip--
# ldap data
database        mdb
maxsize         1073741824
directory       /var/lib/ldap
suffix          "dc=example,dc=com"
rootdn          "cn=ldap_admin,dc=example,dc=com"
rootpw          "{SSHA}0rvO4rPODnqNPqkbDv/vuKm8hXGS7mtG"
# Sync Consumer
# The indent is necessary
syncrepl rid=002
        provider=ldap://ldapmaster.test.example.com
        type=refreshAndPersist
        retry="5 5 300 5"
        searchbase="dc=example,dc=com"
        filter="(objectclass=*)"
        attrs="*"
        scope=sub
        schemachecking=off
        bindmethod=simple
        binddn="cn=replicator,dc=example,dc=com"
        credentials="secret"
-- end snip --
I have set the global options:
-- snip --
sizelimit unlimited
timelimit unlimited
-- end snip --
...but that didn't help...
I have no clue why or where this is coming from or how to figure out
where it goes bottom up..
any pointers?
thnx!
--
Pascal Kolijn
Vrije Universiteit Amsterdam
8 years, 6 months
Q: LDIF: use replace instead of add/delete?
by Ulrich Windl
Hello!
I have a question:
Is it always OK to use LDIF "replace", even if the attribute doesn't exist yet? If so, is it also OK to use "replace" without specifying an attribute value instead of using "delete"?
I actually managed to do the first one, and the operation is logged as "replace" not as "add" in accesslog. I wrote a program that uses accesslog to create an "undo-LDIF" to undo recent changes on demand. Now with that "replace" having succeeded, the undo operation created for it would be the second case ("replace" with no new value).
Regards,
Ulrich
8 years, 6 months
Re: Antw: Cannot add to mdb
by Da Rock
On 26/11/2014 18:23, Ulrich Windl wrote:
> What you could try is (assuming you have debug symbols in your binary) attaching gdb to the running slapd to see where it is spending CPU time. I can't remember the commands precisely, but "bt (backtrace)" and "info threads" should point you in the right direction.
> Note that slapd will likely stop responding while gdb is attached, so you could also try to force a core dump for offline examination.
I'm not sure I follow here. How would this work? I attach gdb to the
running slapd I get, but if it stops how does that help me? I've only
had a little bit of experience with gdb...
How would I get a core dump, as well? That sounds like it might be more
useful.
>
> Maybe the gurus get a clue what may be wrong then...
>
> Regards,
> Ulrich
>
>>>> Da Rock <openldap-technical(a)herveybayaustralia.com.au> wrote on 26.11.2014 at
> 01:31 in message <54751F73.3080902(a)herveybayaustralia.com.au>:
>> I'm trying to get openldap to play nice with mdb given that it is the
>> "recommended" database backend for it now- although the conf wasn't an
>> issue excepting I'm playing with the new cn=config setup we're expected
>> to use now as well (even though it is mainly broken).
>>
>> My issue is that it seems to not respond like the older bdb/hdb
>> databases. And when I say respond, I mean it hangs the ldapadd and makes
>> slapd go into conniptions. I see slapd go to 100% WCPU and not come down
>> as well as going into a uwait state. I've left it going for 10 minutes
>> or more with no change, and I'm only adding 1 small entry of less than 10
>> lines. Strangely, I can still view other entries in the specific db as
>> well as access the rest of the server, which I won't complain about (aren't
>> threads a wonderful invention? ).
>>
>> So coming to the experts - got a fix at all? Or should I just go back to
>> ye olde db backends? At this point I have a db I can't add anything to.
>>
>> And before anyone asks, there is practically nothing in the logs that I
>> can see; and I set the logging to everything (-1). I see recognition of
>> the user in the acl and then nothing. The only possible curious entry is
>> some blank lines and a number (that changes each time), so nothing
>> informative.
>>
>> I set it up using the cn=config (and I'm still not entirely convinced
>> that I will keep cn=config, but apparently it could be gone next version
>> according to the grapevine, so the consensus is to suck it up and get
>> used to it or your panties will get in a bunch and around your ankles
>> when the upgrade comes along), and I've got only olcDBMaxSize,
>> olcSizeLimit (not sure exactly which of these 2 can go just yet),
>> olcDBMode, olcDBDirectory, and olcDatabase and obviously the root attrs.
>> My max size I've set larger than 50M (so 7 digits) which is larger than
>> what I have in another db so far, and I figure I can add more if needed
>> - currently it is sitting at 64k.
>>
>> I'm using FreeBSD 9.1, ports Openldap version is 2.4.40_1 with bdb/hdb
>> and mdb set in config. But I notice lmdb is not installed as a
>> dependency - is this right?
>>
>> I've been on this for near a week now with no further advancement so any
>> help would be very welcome at this point. No googling seems to find
>> anything remotely similar either.
>>
>> TIA
>
>
>
8 years, 6 months
Have problem searching against ldap server after asyn sasl bind
by Qian Li
Hi All,
Recently, I tried to write an LDAP client to do LDAP search asynchronously,
but failed to perform the search operation after a successful async SASL
(DIGEST-MD5) bind.
I've tried some code, but only succeeded in searching after a synchronous SASL
bind.
I compared the captured sync and async packets:
In the sync bind, the search packets were encrypted.
In the async bind, after SASL (DIGEST-MD5) binding to the LDAP server
asynchronously (by calling ldap_sasl_interactive_bind() twice),
ldap_search_ext() was called. But the search packet was in plain text. Then
the LDAP server reset the connection or just didn't respond (in the case
of MSAD).
Did I use the LDAP API incorrectly? Or does an async SASL bind not support
the search operation?
Any suggestion will be appreciated, and sorry for my poor English.
8 years, 6 months
Re: OpenLDAP incroyable!
by Quanah Gibson-Mount
--On Wednesday, November 26, 2014 12:13 PM +0100 Onno van der Straaten
<onno.van.der.straaten(a)gmail.com> wrote:
>
> And....another one. Amazing. So hard to understand the OpenLDAP
> interface. Might just as well have been in Chinese.
>
>
>
> $ ldapmodify -h zimbra.server.com -p 389 -D "cn=config" -f
> olc_password_hash.ldif -W
> ldap_initialize( ldap://zimbra.onknows.com:389 )
> Enter LDAP Password:
> replace olcPasswordHash:
> {SSHA}
> modifying entry "olcDatabase={-1}frontend,cn=config"
> modify complete
>
>
> So the "modify complete" sort of suggestive of some kind of success
> completion or change applied. One would think. No.
>
>
> The olcPasswordHash was "modified complete" to have exact same value as
> before. Sort of expected OpenLDAP to be "unwilling to perform", which
> often it is. Not now. It just is "willing to ignore". Almost human.
Your list of complaints so far:
a) You told OpenLDAP to load a file that didn't exist
b) You modified a file, by hand, where the first comment in the file is:
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
c) In doing (b), you failed to preserve proper file permissions
d) You failed to use the correct tools for doing what you wanted to do,
after you broke the configuration (slapcat/slapadd)
I'm not really sure what to make of your above complaint. It seems you are
saying you think it is an error for ldap to replace a value with itself?
All LDAP servers will do that with a replace operation.
I.e., there is significant user error present here, and you got yourself
into a bad spot, and made it worse via your own actions. A lack of
understanding how to use a piece of software does not indicate the software
itself is flawed. I will agree that it takes some time to learn how to
work with LDAP in general, regardless of whether it is OpenLDAP, 389, Apache DS,
etc. It may indeed be best in your case to have a graphical UI hiding the
grisly details from you, since those details are apparently causing
significant challenge in your case. However, in the long run, it pays off
significantly to understand the technology you're attempting to use.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
8 years, 6 months
ldap update multiple entry by a single command
by Shashi Ranjan
Hello,
I need to update multiple entries in a single LDAP modify request for a particular object class.
Otherwise I need to first search all the contacts and then update them one by one. In my case I want to update the " l " parameter.
l: mysite --> l: newsite
Is there any way to update it in a single LDAP modify request?
dn: cn=test1,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: mysite

dn: cn=test2,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: mysite

dn: cn=test3,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: mysite
P.S.: I am new to OpenLDAP.
Thanks & Regards,
Shashi Ranjan
"DISCLAIMER: This message is proprietary to Aricent and is intended solely for the use of the individual to whom it is addressed. It may contain privileged or confidential information and should not be circulated or used for any purpose other than for what it is intended. If you have received this message in error, please notify the originator immediately. If you are not the intended recipient, you are notified that you are strictly prohibited from using, copying, altering, or disclosing the contents of this message. Aricent accepts no responsibility for loss or damage arising from the use of the information transmitted by this email including damage from virus."
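Added example, not from any of the posts in this digest: a standard-library Python sketch covering Shashi Ranjan's bulk-update question above and Ulrich Windl's earlier "replace instead of add/delete" question (and, in passing, Quanah's remark that replacing a value with itself succeeds). An LDAP modify operation is addressed to one DN, so a bulk change is search-then-modify: `bulk_replace()` turns a set of matching entries into one LDIF changerecord per entry for ldapmodify. `apply_replace()` implements the replace semantics RFC 4511 section 4.6 defines (replace creates the attribute if absent; replace with no values deletes it if present and is ignored otherwise) and returns the inverse change, which is exactly the "undo-LDIF" case Ulrich describes. The sample entries are constructed after the three in the post, `parse_ldif` is a minimal parser written for this example (no base64 `::` values), and none of the function names are OpenLDAP's.

```python
from typing import Dict, List, Tuple

Entry = Dict[str, List[str]]       # attribute name, lower-cased -> values
Change = Tuple[str, List[str]]     # (attribute, replacement values; [] = none)

# Constructed sample modelled on the entries in the post; not a real directory.
SAMPLE_LDIF = """\
dn: cn=test1,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: mysite

dn: cn=test2,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: mysite

dn: cn=test3,ou=comp,ou=people,dc=example,dc=com
contactCompany: comp
objectClass: cmmContact
l: othersite
"""


def parse_ldif(text: str) -> List[Tuple[str, Entry]]:
    """Minimal LDIF content parser: unfolds continuation lines, skips '#'
    comments, returns (dn, attrs) per blank-line-separated record."""
    records, lines = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and lines:          # folded continuation line
            lines[-1] += raw[1:]
        elif raw == "":
            if lines:
                dn, attrs = None, {}
                for line in lines:
                    if line.startswith("#"):
                        continue
                    name, _, value = line.partition(":")
                    value = value.strip()
                    if name.lower() == "dn":
                        dn = value
                    else:
                        attrs.setdefault(name.lower(), []).append(value)
                records.append((dn, attrs))
                lines = []
        else:
            lines.append(raw)
    return records


def modify_ldif(dn: str, changes: List[Change]) -> str:
    """Render one LDIF changerecord with a 'replace' per change. An empty
    value list renders as 'replace: attr' followed directly by '-', which
    RFC 4511 defines as delete-if-present, ignore-if-absent."""
    out = [f"dn: {dn}", "changetype: modify"]
    for attr, values in changes:
        out.append(f"replace: {attr}")
        out.extend(f"{attr}: {v}" for v in values)
        out.append("-")
    return "\n".join(out) + "\n"


def apply_replace(entry: Entry, changes: List[Change]) -> List[Change]:
    """Apply RFC 4511 replace semantics to an in-memory entry and return the
    inverse changes: the old values, or [] when the attribute was absent."""
    undo = []
    for attr, values in changes:
        undo.append((attr, list(entry.get(attr, []))))
        if values:
            entry[attr] = list(values)    # creates the attribute if needed
        else:
            entry.pop(attr, None)         # absent attribute: no-op, not an error
    return undo


def bulk_replace(records, match: Dict[str, str], attr: str, new_value: str) -> str:
    """Search-then-modify as LDIF text: one modify record for every entry whose
    attributes contain each (name, value) pair in `match` (case-insensitive)."""
    out = []
    for dn, attrs in records:
        if all(v.lower() in (x.lower() for x in attrs.get(a.lower(), []))
               for a, v in match.items()):
            out.append(modify_ldif(dn, [(attr, [new_value])]))
    return "\n".join(out)


if __name__ == "__main__":
    recs = parse_ldif(SAMPLE_LDIF)
    # Feed the output to: ldapmodify -x -D <binddn> -W -f changes.ldif
    print(bulk_replace(recs, {"objectClass": "cmmContact", "l": "mysite"}, "l", "newsite"))
```

The undo side is where replace is nicer than add/delete: the inverse of a replace never depends on what the client sent, only on what the accesslog recorded as the prior values, and an empty prior value set maps to a replace with no values, which the server accepts whether or not the attribute still exists.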
8 years, 6 months
Syncrepl N-Way multimaster replication - Configuration issue on Rhel6
by coma
Hello everybody,
I'm currently trying to configure N-Way multimaster replication, and
I'm facing two issues with olcServerId and slapd -h options.
For information:
I'm running on Rhel6.6 with openldap 2.4.39-8.
I'm running slapd on non-standard ports (11389 for ldap and ldap with
TLS, and 11390 for ldaps).
I've tried on standard ports but got the same issues.
I've configured the replication following these two procedures:
https://access.redhat.com/solutions/273533
http://www.openldap.org/doc/admin24/replication.html#N-Way%20Multi-Master
- First issue details:
When I'm adding olcServerIDs on both servers, using the following ldif:
cat <<EOF | ldapmodify -Y EXTERNAL -H ldapi:///
dn: cn=config
changetype: modify
replace: olcServerID
olcServerID: 1 ldap://server1-test1.test.com
olcServerID: 2 ldap://server2-test1.test.com
EOF
I'm no longer able to restart slapd. The error is: read_config: no
serverID / URL match found. Check slapd -h arguments.
To resolve it, I've tried to add the URL of my servers in the
corresponding /etc/sysconfig/ldap. Example:
SLAPD_LDAP=no
SLAPD_LDAPI=yes
SLAPD_LDAPS=no
SLAPD_URLS="ldap://server1-test1.test.com:11389
ldaps://server1-test1.test.com:11390"
But the error "read_config: no serverID / URL match found." is
still present, even after a server reboot and a full openldap
reinstallation.
- Second issue details (replication disabled, serverIDs removed):
With /etc/sysconfig/ldap configured as:
SLAPD_LDAP=no
SLAPD_LDAPI=yes
SLAPD_LDAPS=no
SLAPD_URLS="ldap://:11389 ldaps://:11390"
I'm able to connect on port 11389/11390 with clear, STARTTLS and SSL
using an LDAP browser or ldapsearch,
But with /etc/sysconfig/ldap configured as:
SLAPD_LDAP=no
SLAPD_LDAPI=yes
SLAPD_LDAPS=no
SLAPD_URLS="ldap://server1-test1.test.com:11389
ldaps://server1-test1.test.com:11390"
I'm not able to connect anymore.
Can you please help me on this?
Thanks in advance,
8 years, 6 months