Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want only a limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        # Fetch all values of the attribute as an array reference
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "cannot connect: $@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,  # No entries from before target entry
    after   => 19, # 19 entries after target entry
    content => 0,  # List size unknown
    offset  => 1,  # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,  # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control (this is line 50 of vlv.pl, where the script dies)
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control returned: " . $mesg->error;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control returned: " . $mesg->error;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control returned: " . $mesg->error;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);   # Change page to show 9 before
$vlv->after(10);   # Change page to show 10 after
$vlv->assert("B"); # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
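As an added example (not the poster's code), the pre-flight checks a practitioner would run before chasing a bare "Died": ask the root DSE whether the server advertises the Sort and VLV request controls, check the search result code, and inspect the VLV response's own result code before handing it back to the control. It assumes a server on localhost and the same search base and filter as the post; on OpenLDAP a VLV response is only returned when the sssvlv overlay is configured on the database.

```perl
#!/usr/bin/perl
# Added example (not from the original post): verify VLV support and
# diagnose a missing VLV response control instead of dying silently.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_VLVREQUEST
                            LDAP_CONTROL_VLVRESPONSE LDAP_SUCCESS );

my $host = 'localhost';   # assumption: same server as in the question
my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@\n";

# 1. Does the server advertise the controls at all?  A server without
#    VLV support (OpenLDAP without slapo-sssvlv) never returns a response.
my $dse = $ldap->root_dse( attrs => ['supportedControl'] )
    or die "cannot read root DSE\n";
for my $oid ( LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST ) {
    die "server does not advertise control $oid\n"
        unless $dse->supported_control($oid);
}

# 2. Issue the first page and check the search result before looking
#    for any response control; a failed search carries none.
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my $vlv  = Net::LDAP::Control::VLV->new(
    before => 0, after => 19, content => 0, offset => 1 );
my $mesg = $ldap->search(
    base    => 'dc=example,dc=co,dc=in',   # from the question
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn'],
    control => [ $sort, $vlv ],
);
die sprintf( "search failed: %s (code %d)\n", $mesg->error, $mesg->code )
    if $mesg->code != LDAP_SUCCESS;

# 3. Say explicitly which control is missing rather than a bare 'or die'.
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
die "search succeeded but no VLV response control was returned\n" unless $resp;
# The response carries its own result code, e.g. sortControlMissing (60)
# or offsetRangeError (61), distinct from the search result code.
die "VLV response reported error code " . $resp->result . "\n" if $resp->result;

printf "page ok: %d entries, list size %d, target offset %d\n",
    $mesg->count, $resp->content, $resp->target;
$vlv->response($resp);   # feed context back into the control for the next page
```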
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 2 months
idassert-authzFrom ignored
by Charles Bueche
Hi,
I have an OpenLDAP proxy using back_meta to talk to two back-end
Microsoft AD servers.
My goal is to provide a single view of both AD trees.
Basically, it works, as long as I use a bind account which exists in one
of the back-end ADs.
However, to first search where an AD account is, I would like to use a
local account on the LDAP proxy. To my understanding, I need to use
database meta
suffix dc=proxy,dc=stuff,dc=ch
rootdn "cn=root,dc=proxy,dc=stuff,dc=ch"
rootpw "secret"
subordinate
...
idassert-bind
bindmethod=simple
binddn="CN=srvLDAP,..."
credentials="..."
mode=none
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=proxy,dc=stuff,dc=ch"
The DN "cn=root,dc=proxy,dc=stuff,dc=ch" does exist in the proxy and can
do local searches. However, the account defined in the idassert is never
used, and the connections to the back-end ADs fail. Or rather, I
think they are contacted anonymously instead of with the account I
specify (not sure about the anonymous part, the debug log isn't very
clear about it).
Hints welcome.
Below is part of the relevant log, if it helps.
Charles
..........
tls_read: want=64, got=64
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_poll: fd: -1 tm: 0
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=4
53679e3b conn=1000 op=1 <<< meta_back_search_start[0]=4
53679e3b conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0]
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 12 tm: 0
ldap_is_sock_ready: 12
ldap_ndelay_off: 12
TLS trace: SSL_connect:before/connect initialization
tls_write: want=225, written=225
TLS trace: SSL_connect:SSLv3 write client hello A
tls_read: want=5 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv3 read server hello A
TLS: can't connect: .
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 12
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 11
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
tls_write: want=69, written=69
9 years, 1 month
[LMDB] Single writer question
by Alain
If my memory serves me well, at some point Howard mentioned that LMDB was
looking at moving from a single environment writer to a single writer per
database. Am I just dreaming or did I see that? And if I'm not dreaming,
then what is the status of this, as my experiments seem to show that there
is no performance gain to be had by splitting your data into more than one
db.
Thanks
Alain
9 years, 3 months
ITS #7161, ppolicy pwdFailureTime resolution should be better than 1 second
by Paul B. Henson
I realize that development discussion is supposed to go to
openldap-devel, but despite having subscribed to that a month ago, none
of my postings have gone through. I hear they are having some technical
difficulties with that list, so for the sake of this submission not
being indefinitely delayed, here it is.
Attached is a proposed patch to fix ITS #7161. It uses the same method
as the accesslog module to generate a subsecond generalized time,
appending the o_tincr value from the operation structure as fractional
seconds. The only other code that looks at the value of that attribute
calls parse_time to pull seconds out of it (ignoring the fractional
second part), so other than modifying the format the attribute is stored
in I don't believe there are any other changes required with this.
9 years, 3 months
Getting the list of members in an AD group
by Sankar P
Hi,
I have the SID of an AD group. I want to get the list of members who
belong to that group. All the documentation pages that I search for
point me to the reverse only (i.e., getting all the group membership
information of a user).
Can someone show me the relevant way to get the users who belong to
a group whose SID I have?
Thanks.
--
Sankar P
http://psankar.blogspot.com
9 years, 3 months
ldapsearch utf-8 results
by Nicolas Cauchie
Hello there,
I use a Debian 7.4 server with ldapsearch to search data about users on
an Active Directory database.
When a result of a search contains special characters (such as é, è,
à), no result is given, but if I delete the special characters from the user
profile, it works.
How could I make it work with special characters (I guess it's a UTF-8
problem?)?
Thanks in advance
Nicolas
9 years, 3 months
Incremental ACLs somehow do not work
by Dominik George
Hi,
I have these ACLs in place:
olcAccess: {0}to dn.base="dc=teckids,dc=org"
  by group.exact="cn=ldapadmin,ou=Groups,dc=teckids,dc=org" manage
  by dn="cn=admin,dc=teckids,dc=org" manage
  by self read continue
  by * auth break
olcAccess: {1}to dn.base="ou=Mailinglists,dc=teckids,dc=org"
  by dn.exact="gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth" read continue
  by * break
olcAccess: {2}to attrs=userPassword,shadowLastChange,loginShell
  by self write continue
  by anonymous auth continue
  by * break
olcAccess: {3}to dn.subtree="ou=People,dc=teckids,dc=org"
  attrs=cn,uid,loginShell,homeDirectory,uidNumber,gidNumber,gecos
  by dn="cn=nslcd,dc=teckids,dc=org" read continue
  by * break
olcAccess: {4}to dn.subtree="ou=People,dc=teckids,dc=org"
  attrs=uid,mailLocalAddress,mailRoutingAddress
  by dn="cn=postfix,dc=teckids,dc=org" read continue
  by * break
olcAccess: {5}to dn.subtree="ou=Members,ou=People,dc=teckids,dc=org"
  attrs=employeeNumber
  by dn.subtree="ou=Board,ou=Members,ou=People,dc=teckids,dc=org" read continue
  by * none stop
olcAccess: {6}to dn.subtree="ou=Members,ou=People,dc=teckids,dc=org"
  by dn.subtree="ou=Members,ou=People,dc=teckids,dc=org" read continue
  by * break
olcAccess: {7}to dn.subtree="ou=Groups,dc=teckids,dc=org"
  by dn="cn=nslcd,dc=teckids,dc=org" read continue
  by * break
olcAccess: {8}to dn.subtree="ou=Domains,dc=teckids,dc=org"
  by dn="cn=postfix,dc=teckids,dc=org" read continue
  by * break
olcAccess: {9}to attrs=cn,uid,userPassword
  by * auth break
But still, even a simple bind fails because it somehow does not get the auth
privileges defined in the first stanza.
The ACL log says: http://paste.ubuntu.com/7544324/
What did I miss?
Cheers,
Nik
9 years, 3 months
Req for How to configure LMDB Database as backend
by Varadharajan S
I'm attempting to set up OpenLDAP 2.4.39 on Ubuntu 14.04 LTS and am getting
lost on how to switch from the default hdb/bdb backend to mdb.
On http://www.openldap.org/doc/admin24/backends.html#Overview in the 11.4.
LMDB section it states:
11.4.2. back-mdb Configuration
Unlike the HDB/BDB backends, the mdb backend can be instantiated with very
few configuration lines:
include ./schema/core.schema
database mdb
directory ./mdb
suffix "dc=example,dc=com"
rootdn "cn=mdb,dc=example,dc=com"
rootpw mdb
maxsize 1073741824
However, it doesn't state where to make these entries.
After installing OpenLDAP through dpkg or apt-get, I have an
/etc/ldap/slapd.d/cn=config directory, which contains a file named
olcDatabase={1}hdb.ldif. A grep of the directory returns other files
containing various entries referencing hdb.
Can anyone advise or provide a link on how to remove the hdb/bdb database
configurations and how to use mdb?
I've been googling the better part of this morning and while I have found a
few howtos and guides, they all just have bits of "do this" with no
specification of where to do it or in what file. Or am I just missing
something in general?
Also, even if I try to reconfigure through dpkg-reconfigure slapd, it doesn't
ask about mdb in the database selection; it only has the option to select bdb or
hdb. In our organization we are using 389 DS already, and once we saw
this LMDB feature in OpenLDAP, we planned to migrate to slapd. But we are
stuck right at the start. Please help us with this. If possible,
include the clear configuration steps in the official doc.
Regards,
Varad
9 years, 3 months
Quick question re: memberOf and refInt overlays
by Mark Cairney
Hi,
I suspect the answer is going to turn out to be blindingly obvious but I
noticed this when reviewing my config of the 2 overlays mentioned and I
thought this looked a little bit odd:
dn: olcOverlay={1}memberof,olcDatabase={1}hdb,cn=config
objectClass: olcMemberOf
objectClass: olcOverlayConfig
olcOverlay: {1}memberof
olcMemberOfDangling: ignore
olcMemberOfGroupOC: groupOfNames
olcMemberOfMemberAD: member
olcMemberOfMemberOfAD: memberOf
olcMemberOfRefInt: TRUE
dn: olcOverlay={3}refint,olcDatabase={1}hdb,cn=config
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRefintConfig
objectClass: top
olcOverlay: {3}refint
olcRefintAttribute: member
olcRefintAttribute: memberOf
So I have olcMemberOfRefInt set to TRUE in the memberOf overlay and
olcRefintAttribute: memberOf set in the refint overlay.
Is this correct, or should it only be defined in one of these overlays?
If it is defined in both overlays, as it currently is, can this cause
issues such as contention/deadlocking, as there are 2 overlays
essentially trying to do the same thing? Or does it not actually matter?
I'm using an HDB backend just in case that makes any difference.
Kind regards,
Mark
--
/****************************
Mark Cairney
ITI UNIX Section
Information Services
University of Edinburgh
Tel: 0131 650 6565
Email: Mark.Cairney(a)ed.ac.uk
*******************************/
9 years, 3 months