openldap-technical March 2014

openldap-technical@openldap.org

89 participants
101 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

DIT for an academic institution
by Shali 9846303531 20 May '14

20 May '14

Dear All, I am new to these LDAP concepts , i have prepared a DIT for our organization with two academic institutions with each institution having different branches of study and also there is staff and students . i have attached the DIT , if am going through a wrong way kindly guide me. -- Thanks & Regards Shali.K.R Server Administrator

4 3

Weird DNS round-robin issue
by Dennis Leeuw 18 May '14

18 May '14

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi all, I hope I am on the right list for the problem I am experiencing. We have two subnets 192.168.196. 192.168.222. Our main LDAP servers run in 192.168.196. and are load-balanced by round-robin DNS. The 192.168.196. network is exhausted, so we added a new LDAP slave to 192.168.222. and added the IP address to the round-robin pool. But it seems that it is only used by other servers in the 192.168.222 network and not by servers in the 192.168.196. network This setup has now been running for 6 days, with nscd.conf: enable-cache hosts yes positive-time-to-live hosts 3600 negative-time-to-live hosts 20 suggested-size hosts 211 check-files hosts yes persistent hosts yes shared hosts yes max-db-size hosts 33554432 and nslcd.conf: uid nslcd gid ldap uri ldap://ldap.div.ourdomain.nl/ base dc=div,dc=ourdomain,dc=nl ssl no tls_cacertdir /etc/openldap/cacerts The LDAP server in the 192.168.222 range serves only 33 connections all from the 192.168.222 range, and the 2 hosts in the 192.168.196 range serve 599 and 706 connections. The last 2 servers do serve the 143.121.222. network also. So might there be some caching issue? $ getent ahost ldap.div.ourdomain.nl 192.168.196.190 STREAM ldap.div.ourdomain.nl 192.168.196.190 DGRAM 192.168.196.190 RAW 192.168.196.151 STREAM 192.168.196.151 DGRAM 192.168.196.151 RAW 192.168.222.179 STREAM 192.168.222.179 DGRAM 192.168.222.179 RAW Is this the right list for this question? And if so can someone help me understand what is going on? With kind regards, Dennis Leeuw - -- ICT Medewerker Divisie Biomedische Genetica UMC Utrecht Heidelberglaan 100 STR2.126 3584 CX Utrecht The Netherlands 06 27744048 intern: 64048 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQEcBAEBAgAGBQJTAyjwAAoJEMVYYpdbQscouGsH/3yXjh6zmLMDRaks18qe+yH7 oUrdatkENF7+WyxLz7ZzNL69gXyEwTANGGf9y7CYuqNu47PDs3SvNOM1/kgjy7pr CSN1t9acVb9i67JgOV2ed5fMHlOzOR+sevNKjsdEdKVXrYvcXnevLOD0KHhGlXeq Ips0Uqk8cusDXQZSUPab0aQNhWawyT1Tf4SQVAJbJ3OYEiFpHyPJXos2F4DIpYPJ 9FLn/dqV8sUNc9kaOHRjwcVYYAVyey9vX33xbYKr4pXKLd/ujaArBtwE1tyKvR2G JPz6Gw5sYK5JLjkmr1uzPAze46heiVFY6U1Vv7aMJ4ujuabBiU11Us2k4XuotPI= =UxBr -----END PGP SIGNATURE----- ------------------------------------------------------------------------------ De informatie opgenomen in dit bericht kan vertrouwelijk zijn en is uitsluitend bestemd voor de geadresseerde. Indien u dit bericht onterecht ontvangt, wordt u verzocht de inhoud niet te gebruiken en de afzender direct te informeren door het bericht te retourneren. Het Universitair Medisch Centrum Utrecht is een publiekrechtelijke rechtspersoon in de zin van de W.H.W. (Wet Hoger Onderwijs en Wetenschappelijk Onderzoek) en staat geregistreerd bij de Kamer van Koophandel voor Midden-Nederland onder nr. 30244197. Denk s.v.p aan het milieu voor u deze e-mail afdrukt. ------------------------------------------------------------------------------ This message may contain confidential information and is intended exclusively for the addressee. If you receive this message unintentionally, please do not use the contents but notify the sender immediately by return e-mail. University Medical Center Utrecht is a legal person by public law and is registered at the Chamber of Commerce for Midden-Nederland under no. 30244197. Please consider the environment before printing this e-mail.

4 9

Re: Have you seen this FUD - IT pros suffer OpenLDAP configuration headaches ?
by Turbo Fredriksson 16 May '14

16 May '14

[Sorry Howard for sending it to you personally. It was meant for the list. I sent a copy to the list as well. I hope you don't mind if I send this reply to the list. I've included every word, so not to take something out of context.] On Jan 30, 2014, at 6:17 PM, Howard Chu wrote: >> Personally, I think it's spot on. It IS hard to configure an LDAP server, and >> even harder to understand how it works (the object based part). Took me three >> months first time, and I'm not an idiot. > > The object based part is *LDAP*, so that complaint is not specific to OpenLDAP. Indeed. But setting up something like Active Directory is something my aunt can/could do. It probably won't scale to thousands (or maybe not even hundreds :) of users, but it can be done with reasonable ease. > The part about RedHat seems fairly accurate to me, it *is* true that they have their own commercial LDAP server to sell, and they have no great interest in OpenLDAP working well on their platforms. > >> Even today, I need to consult either my own book or the howto (or seriously >> skim through the man pages) to setup a new server. > > And I still need to read the docs when configuring an Apache HTTP server. That's why we have manpages, there's nothing wrong about that. Same here. Not my point (see the part at the bottom)... >> And even worse if when you want to optimize the backend... There's a lot of >> magic there.... > > The LMDB backend has no tuning/optimization. That's one of the reasons it exists today. Yeah, but isn't it quite slow with lmdb? I haven't tested that in years, so I don't know. One wouldn't run it in production though? >> And with the new config backend!? I haven't even had the time or energy to go >> that far yet! >> > I think you (and everyone else) are blowing this way out of proportion. Compare the example from here I know how it works and I don't really have that much problem with it, it's just so much more difficult to setup (initially) and then maintain than a simple text file. It's way better, but it IS also more complicated (than just fire up an editor, modify the part you want and then issue a service restart - can't be much simpler than that)... > http://www.openldap.org/doc/admin24/slapdconf2.html#Configuration%20Example > > to the slapd.conf example > > http://www.openldap.org/doc/admin24/slapdconfig.html#Configuration%20File%2… > > They aren't that different, and anyone familiar with slapd.conf and LDIF files should have no trouble mapping concepts from one to the other. > > And if you aren't familiar with slapd.conf *and* LDIF then you don't know enough to be an LDAP administrator in the first place, you need to do more homework. That's just life. I couldn't agree more! I've taken over more than my fair share of badly setup and maintained OpenLDAP servers to get really pissed at all the ones not having a clue what they're doing. It's not just making a config file/backend to allow the server to start, it's more planning on how the database should look like (where to put what and what object classes to use and allow), setting up access control etc, etc. The actually planing of the database (the content) is the most important part, and it require quite a lot of reading and testing before it's understood properly to be able to be used to any extent. But then there's the integration to the rest of the system (pam login and what not), Kerberos, SASL, etc, etc... My point wasn't to argue about the validity of how the OpenLDAP server and it's config file/backend work etc. I fully agree and have no problems with it. My point was that the website isn't WRONG - it IS hard! Maybe it SHOULD be hard? The whole concept of an LDAP server is a difficult subject, and shouldn't be taken lightly. Unfortunately, it seems that way to many beginners that have been installing a distribution at home is starting to work as a Linux tech/admin thinking that just because the've run it at their workstation at home for a couple of months makes them good enough to work in a professional environment. I see that in a lot of OpenSource project I'm part of. Complete noobs want to use something complicated that require quite a lot of homework. And then comes complaining when things go south! Or even worse, they bad mouth the project or the technology! (Open)LDAP is one of those many things that require a lot more from the admin than say ... installing a mail server locally... On Debian GNU/Linux that's practically automatic. Just answer a couple of questions, and it works... It's sad that the website in question (and from what one could take from this - that people 'out there') actually thinks that this should be easy. But it's not (technically) wrong... -- There are no dumb questions, unless a customer is asking them. - Unknown

17 92

LDAP_OPT_X_TLS_CACERTDIR not working.
by Seshadri, Anitha 13 May '14

13 May '14

Hi, I would like to open a discussion with OpenLDAP team. I hope this is the right email address. If not please let me know the correct to which this mail should be directed to. Issue: We are currently using OpenLdap 2.4.16 version on Win 64 .We are using RSA and MES Shareadapter internally to build the openldap libs. I am getting the below error when I use Sha-256 (2048 key length) certificates: ldap_sasl_bind_s: Can't contact LDAP server (-1) error:14090086:SSL routines: SSL3_GET_SERVER_CERTIFICATE:certificate verify failed I am using the option LDAP_OPT_X_TLS_CACERTDIR and pass the cert directory which has the certificates. This fails. But the same passes when I use LDAP_OPT_X_TLS_CACERTFILE and point to the certicate which is of .pem format. Can you please let me know I am missing something here or is this a bug? Any help on this is appreciated. Thanks Anitha

3 2

Moving From Debian 2.4.31/hdb to LTB 2.4.39/mdb
by Andy Dorman 13 May '14

13 May '14

Hi. We have been using OpenLDAP for about 11 years now and have an MMR set up with 2 masters and 18 delta-syncrepl clients/slaves, all but 3 slaves are currently using back_hdb. Our beta test server and two load balancers are using back_mdb. The db is not too big with about 50,000 entries, 9 indexes (7 eq & 2 sub) and the slapdump ldif is about 41 MB. All our servers are Debian "testing" with a few packages from unstable and even experimental so we have the latest security and feature fixes for the work we do (email security filtering). Unfortunately, even the "bleeding edge" debian releases are waaaay behind in OpenLDAP. Last year we lost our system admin that set all this up, and I have been on a very steep learning curve since then. At this time I believe we need to move to a current version of OpenLDAP via ltb-project and switch to mdb, but I have run into a couple of questions we need to resolve first. FWIW, I would dearly like to help out the Debian community and compile & maintain an up-to-date version of OpenLDAP for them, but I need at least a couple more years of experience before it is even marginally safe to have other companies depending on my expertise with debian packaging. Anyway, after reading the OpenLDAP & ltb-project docs I have a couple of questions for anyone already using the ltb-project debian release, slapd.d & mdb. I hope the answers will help make our and others' transition go more smoothly. So here we go.... Question #1. I see that slapd.conf is deprecated and we should move to a slapd.d config db. However, the slapd.conf file (with git & cfengine) meets 3 key requirements for our service's configuration management: (1) audit trail, (2) peer review & staff notification, (3) automatic, staggered release to all servers so our users experience 0 downtime. I do not yet see an "easy" way to meet the first two requirements using slapd.d. To satisfy #3 I hope we can just update our master server slapd.d and config changes will be replicated to the slaves. Someone please correct me if I am wrong about that. To meet the requirement for an audit trail & staff review & notification, in the absence of someone's experience and/or knowledge from this group, we currently plan to use our ticket-tracking system (Request Tracker). Within an RT queue dedicated to our db systems we will document, review & manage slapd.d changes prior to actually making a change in the master which will then (I hope) propagate through delta-syncrepl. How does anyone else that is using slapd.d with an MMR setup with multiple client/slaves take care of their needs for an audit trail, peer review/staff notification, and release to all those servers? Question #2. This may be a simple one....When reading the latest OpenLDAP docs at http://www.openldap.org/doc/admin24/slapdconf2.html I noticed that there are no references to back_mdb in the configuration documentation...Specifically, "Table 5.2: Database Backends" and "Table 6.2: Database Backends" do not show an "mdb" option. Is this an oversight or is mdb going away already or am I completely confused? I suspect the answer is #3 ;-) Basically I need to know what to use in the "backend" & "database" directives (slapd.conf) or "olcBackend" attribute (slapd.d) if we want the mdb backend? Thank you for your insights and any information you can share. -- Andy Dorman Ironic Design, Inc. AnteSpam.com, ComeHome.net CONFIDENTIALITY NOTICE: This message is for the named person's use only. It may contain confidential, proprietary or legally privileged information. No confidentiality or privilege is waived or lost by any erroneous transmission. If you receive this message in error, please immediately destroy it and notify the sender. You must not, directly or indirectly, use, disclose, distribute, or copy any part of this message if you are not the intended recipient.

2 1

Problem after migration openldap 2.3.43 to 2.4.23 --> 32 No Such Object
by Jonas Kellens 14 Apr '14

14 Apr '14

Hello, I have a working openLDAP server version 2.3.43. My configuration there works : the correct users have the correct access. I have set up a new openLDAP-server with newer version 2.3.43. I have no working openLDAP on version 2.3.43. I have tried with the new syntax and with the command /usr/sbin/slaptest -f /etc/openldap/slapd.conf -v to use the build in converion tool, but I always got : ldap_bind: Invalid credentials (49) So I forgot this conversion and continued with the "old" slapd.conf file. But in this configuration (which is just a copy/paste of my openLDAP 2.3.43) no user can query the LDAP entries. So this is the setup : I have a user : cn=U101001,ou=101001,dc=mydomain This user is member of the group : cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain These members can read entries in the tree : ou=tbook1,ou=contacten,ou=101001,dc=mydomain I have in slapd.conf : access to dn.one="ou=tbook1,ou=contacten,ou=101001,dc=mydomain" by group.exact="cn=admins,ou=101001,dc=mydomain" write by group.exact="cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain" read This user cn=U101001,ou=101001,dc=mydomain really exists (if you should doubt) : # extended LDIF # # LDAPv3 # base <cn=U101001,ou=101001,dc=mydomain> with scope subtree # filter: (objectclass=*) # requesting: ALL # # U101001, 101001, mydomain dn: cn=U101001,ou=101001,dc=mydomain cn: U101001 sn: U101001 objectClass: inetOrgPerson objectClass: top userPassword:: e1NTSEF9OVBTNmltR3ZpUEhzK1JRQVpickNVdVR5cS9Iejg5TzY= # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 The group cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain also really exists (if you should doubt) : # tbook1, gebruikers, 101001, mydomain dn: cn=tbook1,ou=gebruikers,ou=101001,dc=mydomain cn: tbook1 member: cn=U101001,ou=101001,dc=mydomain objectClass: groupOfNames objectClass: top # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 When I query the LDAP-tree ou=tbook1,ou=contacten,ou=101001,dc=mydomain with my root-account (cn=Manager,dc=mydomain), the I get results : [root@ldap1 ]# ldapsearch -x -D 'cn=Manager,dc=mydomain' -b "ou=tbook1,ou=contacten,ou=101001,dc=mydomain" -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <ou=tbook1,ou=contacten,ou=101001,dc=mydomain> with scope subtree # filter: (objectclass=*) # requesting: ALL # # tbook1, contacten, 101001, mydomain dn: ou=tbook1,ou=contacten,ou=101001,dc=mydomain ou: tbook1 objectClass: organizationalUnit objectClass: top ...<cut>... # search result search: 2 result: 0 Success # numResponses: 5 # numEntries: 4 But when I query this same LDAP-tree with my user cn=U101001,ou=101001,dc=mydomain, I get : [root@ldap1 openldap]# ldapsearch -x -D 'cn=U101001,ou=101001,dc=mydomain' -b "dc=mydomain" -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <dc=mydomain> with scope subtree # filter: (objectclass=*) # requesting: ALL # # search result search: 2 result: 32 No such object # numResponses: 1 I also have phpLDAPadmin installed and there I see that there are definitely enries in the LDAP-directory ou=tbook1,ou=contacten,ou=101001,dc=mydomain. So why does my user cn=U101001,ou=101001,dc=mydomain fails to get results ?? Kind regards, Jonas.

6 21

回复： mirror mode question
by Eileen(=^ω^=) 09 Apr '14

09 Apr '14

Hi Michael and Dieter, Thanks for your kindly replies. In my case, I didn't use any SASL or TLS but "simple" method with operation mode of user/password authenticated. However, I need the rootpw hashed (not cleartext) and the 2 servers (master & slave) synchronized. Could you pls advise how i should modify the syncrepl part? or could you pls provide a sample of the slapd.conf file configuration? Best regards, Eileen ------------------ 原始邮件 ------------------ 发件人: "Michael Ströder";<michael(a)stroeder.com>; 发送时间: 2014年3月5日(星期三) 下午4:09 收件人: "Dieter Klünter"<dieter(a)dkluenter.de>; "openldap-technical"<openldap-technical(a)openldap.org>; 主题: Re: mirror mode & sasl question Dieter Klünter wrote: > Am Wed, 5 Mar 2014 14:38:04 +0800 > schrieb "Eileen(=^ω^=)" <123784635(a)qq.com>: >> This is Eileen from China SINAP. I am a beginner for openldap soft. I >> encountered a problem in my study on two LDAP services replication. >> I have 2 LDAP services, one name LDPA1, the other is LDAP2 . I want >> to make them synchronously in mirror mode. But when I set LDAP >> services rootpw both in hash, the 2 LDAP serivces can’t be >> synchronous. My question is >> 1. if I set my rootpw in hash, my bindmethod must be SASL? If I >> must use sasl method, can I put the sasl service in the same ldap >> service? If bindmethod=sasl then what is the saslmech should be? >> 2. If I change to sasl method, do I need change my database >> record? > > In order to use sasl, passwords must be cleartext and you should > configure an apropriate authz-regexp, see man slapd.conf(5) > You may use any sasl mechanism that you sasl framework provides. > [...] To be more precise: In order to use password-based SASL mechs the passwords have to be stored in clear-text. Well, if working with SASL and TLS (LDAPS, StartTLS) one should consider using client certs and SASL/EXTERNAL for replication. Ciao, Michael.

4 7

Converting from slapd.d back to slapd.conf
by Sven Jourgensen 03 Apr '14

03 Apr '14

Is there a tool to perform the reverse operation, and convert the newer cn=config configuration back into a slapd.conf? Thanks. s.

9 17

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2014