openldap-technical June 2014

openldap-technical@openldap.org

38 participants
30 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

idassert-authzFrom ignored
by Charles Bueche 22 Aug '14

22 Aug '14

Hi, I have an OpenLDAP proxy using back_meta to talk to two back-ends Microsoft AD servers. My goal is to provide a single view of both AD trees. Basically, it works, as long as I use a bind account which exists in one of the back-end AD's. However, to first search where an AD account is, I would like to use a local account on the LDAP proxy. To my understanding, I need to use database meta suffix dc=proxy,dc=stuff,dc=ch rootdn "cn=root,dc=proxy,dc=stuff,dc=ch" rootpw "secret" subordinate ... idassert-bind bindmethod=simple binddn="CN=srvLDAP,..." credentials="..." mode=none flags=non-prescriptive idassert-authzFrom "dn.exact:cn=root,dc=proxy,dc=stuff,dc=ch" The DN "cn=root,dc=proxy,dc=stuff,dc=ch" does exist in the proxy and can do local searches. However, the account defined in the idassert is never used, and the connections to the back-ends AD's fail. Respectively, I think they are contacted using anonymous instead of the account I specify (not sure about the anonymous part, the debug log isn't very clear about it). Hints welcome. Below is a part of the relevant log if it helps. Charles .......... tls_read: want=64, got=64 0000: 65 87 ac 08 7e 49 8d 7f 95 3c d0 1f 09 57 b7 ce e...~I...<...W.. 0010: d4 13 2e ac 57 c9 27 6b 58 f7 76 70 a1 95 10 3e ....W.'kX.vp...> 0020: e2 96 0d cf a1 d3 13 ff e7 0b b1 2f c0 6f dc 19 .........../.o.. 0030: 93 38 07 b9 f7 e4 81 a8 e0 45 0e 97 ec 7f 21 a6 .8.......E....!. TLS trace: SSL_connect:SSLv3 read finished A ldap_int_poll: fd: -1 tm: 0 53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=4 53679e3b conn=1000 op=1 <<< meta_back_search_start[0]=4 53679e3b conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*" 53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0] ldap_sasl_bind ldap_send_initial_request ldap_int_poll: fd: 12 tm: 0 ldap_is_sock_ready: 12 ldap_ndelay_off: 12 TLS trace: SSL_connect:before/connect initialization tls_write: want=225, written=225 0000: 16 03 01 00 dc 01 00 00 d8 03 02 53 67 9e 3b 55 ...........Sg.;U 0010: 4b 2f ee 53 01 81 ee ca 6a 3f a0 ea 85 3a c9 7e K/.S....j?...:.~ 0020: e3 01 d7 e6 d1 09 65 14 21 05 ef 00 00 66 c0 14 ......e.!....f.. 0030: c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f ...".!.9.8...... 0040: c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 ...5............ 0050: 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e ................ 0060: 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 .3.2.....E.D.... 0070: 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 ./...A.......... 0080: 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 ................ 0090: 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 .......I........ 00a0: 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c ...4.2.......... 00b0: 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 ................ 00c0: 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 ................ 00d0: 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 .........#...... 00e0: 01 . TLS trace: SSL_connect:SSLv3 write client hello A tls_read: want=5 error=Connection reset by peer TLS trace: SSL_connect:error in SSLv3 read server hello A TLS: can't connect: . ldap_free_connection 1 1 ldap_send_unbind ber_flush2: 7 bytes to sd 12 0000: 30 05 02 01 03 42 00 0....B. ldap_write: want=7 error=Broken pipe ldap_free_connection: actually freed 53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0 53679e3b send_ldap_result: conn=1000 op=1 p=3 53679e3b send_ldap_result: err=0 matched="" text="" 53679e3b send_ldap_result: conn=1000 op=1 p=3 53679e3b send_ldap_result: err=0 matched="" text="" 53679e3b send_ldap_response: msgid=2 tag=101 err=0 ber_flush2: 14 bytes to sd 11 0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........ tls_write: want=69, written=69

1 1

Promoting slave to master LDAP server
by Bruno Furtado 03 Jul '14

03 Jul '14

Hi all, can I promote a LDAP slave server to master? Best regards, -- Bruno Furtado

2 1

how to use ppolicy schema
by Udai Singh Mehra (Vizury) 30 Jun '14

30 Jun '14

Hi, I want to set password policies for my users in LDAP. Therefore i used the ppolicy.schema and added it to cn=config. I also used the ppolicy to be used as a olcOverLay Module. But I am unable to see a way to use it. I fail to create a default password policy for all the users. Can anyone send me some guidling steps as to how can I use the ppolicy.schema and set password policies for my users. i am using openldap in Ubuntu 14.04 which has everything set in slapd database. thanks, -- Udai Singh Mehra Infrastructure Engineering and Operations

1 0

LDAP limit of groups per user
by Julien Courtès 30 Jun '14

30 Jun '14

Hi, I am experiencing an issue with posix groups. I have a user which belongs to 28 posix groups but when I use the command "id" on the user, I can't see all the groups whereas as root, I can clearly see that this member belongs to much groups. Is there a limit of posix groups per user? If yes, how to increase it? Thanks Julien Courtès

2 2

zero copy jni lib for lmdb
by Kristoffer Sjögren 29 Jun '14

29 Jun '14

Hi I'm experimenting a bit with developing a JNI library for LMDB that utilize zero copy buffers. As you may know there is a project called lmdbjni [1] already but it does buffer copy only. I must admit that my C and JNI skills is not really that great, so please forgive any stupidity on my part. Anyway, i'm taking the sun.misc.Unsafe (no bounds checking) approach for memory allocation and pass memory addresses through JNI to LMDB for both writes and reads and at the moment I have implemented put, get, begin, commit [2]. I suspect that something is wrong because the performance between the buffer copy and zero copy isn't really that big. lmdbjni is even faster sometimes, write commits specifically is almost twice as fast. The test write 1M entries with a 4 bytes key (1-1M) and 128 bytes value (random) committed in one go. LMDB is configured identically both implementations with 4GB MDB_WRITEMAP. I run Linux 3.2.0 with Intel(R) Core(TM)2 Quad CPU Q6600 @ 2.40GHz. JProfiler show no signs of bottlenecks in Java in my implementation, most time is spent on the native methods put and commit. The opposite is true for lmdbjni where most time is spent creating and writing Java byte buffers, while native put and commit is just a fraction of that time. Not sure exactly the significance of the gcc compiler but here is how I do it. gcc -g -Wall -O2 -Wbad-function-cast -Wno-write-strings -fPIC -shared -I$JAVA_HOME/include -I$JAVA_HOME/include/linux -Isrc/main/native src/main/native/jlmdb.c src/main/native/liblmdb.a -o target/linux64/libjlmdb.so - What could be the reason for "slow(er)" commits? - How much faster can I expect properly implemented zero copying to be? - Maybe lmdbjni have defacto standard optimizations that me as a C noobie might have overlooked? - Are there any performance counters, tracepoints or similar that might be of interest to find where latency is spent? Greatful for any tips or pointers on how to track the problem down. Cheers, -Kristoffer [1] https://github.com/chirino/lmdbjni [2] JNI MDB_env *mdb_env; MDB_dbi dbi; JNIEXPORT jlong JNICALL Java_NativeLmdb_put (JNIEnv * env, jobject obj, jlong tx, jlong keyAddress, jlong keySize, jlong valAddress, jlong valSize) { MDB_val mdb_key, mdb_val; mdb_key.mv_data = (void *)(intptr_t) keyAddress; mdb_key.mv_size = (size_t) keySize; mdb_val.mv_data = (void *)(intptr_t) valAddress; mdb_val.mv_size = (size_t) valSize; int rc = mdb_put((MDB_txn *) (intptr_t) tx, dbi, &mdb_key, &mdb_val, 0); return rc; } JNIEXPORT jlong JNICALL Java_NativeLmdb_get (JNIEnv *env, jobject o, jlong tx, jlong a, jlong s) { MDB_val mdb_key, mdb_val; mdb_key.mv_data = (void *)(intptr_t) a; mdb_key.mv_size = (size_t) s; int rc = mdb_get((MDB_txn *) (intptr_t) tx, dbi, &mdb_key, &mdb_val); if (rc == 0) { return (intptr_t) mdb_val.mv_data; } return -1; } JNIEXPORT void JNICALL Java_org_deephacks_lmdb_NativeLmdb_mdb_1txn_1begin(JNIEnv *env, jobject obj, jlongArray array) { jlong *nArray = (*env)->GetLongArrayElements(env, array, NULL); MDB_txn *txn; mdb_txn_begin(mdb_env, NULL, 0, &txn); nArray[0] = (jlong) txn; (*env)->ReleaseLongArrayElements(env, array, nArray, 0); } JNIEXPORT void JNICALL Java_NativeLmdb_mdb_1txn_1begin(JNIEnv *env, jobject obj, jlongArray tx) { jlong *nArray = (*env)->GetLongArrayElements(env, array, NULL); MDB_txn *txn; mdb_txn_begin(mdb_env, NULL, 0, &txn); tx[0] = (jlong) txn; (*env)->ReleaseLongArrayElements(env, tx, nArray, 0); } JNIEXPORT jint JNICALL Java_NativeLmdb_mdb_1txn_1commit(JNIEnv *env, jobject obj, jlong tx) { return (jint)mdb_txn_commit((MDB_txn *)(intptr_t)tx); } JNIEXPORT void JNICALL Java_NativeLmdb_open (JNIEnv * env, jobject obj) { mdb_env_create(&mdb_env); mdb_env_set_mapsize(mdb_env, 4294967296); mdb_env_open(mdb_env, "/tmp/testdb", MDB_WRITEMAP, 0664); MDB_txn *txn; mdb_txn_begin(mdb_env, NULL, 0, &txn); mdb_open(txn, NULL, 0, &dbi); mdb_txn_commit(txn); }

2 3

Syncrepl and problem with ldap_sasl_bind_s failed?
by Eivind Olsen 27 Jun '14

27 Jun '14

Hello. I'm struggling a bit with setting up syncrepl replication between two OpenLDAP servers (using version 2.4.39 compiled by the LTB project, on top of RHEL6, if that matters in this case). Does anyone here have some suggestions on what I should look deeper into here? Is it a known newbie-error I'm making? I can post configuration files, describe how I attempt to set up the replication etc. The two servers have a replicated cn=config, in addition to two suffixes with their own HDB backend. The first of those suffixes are meant for administrative data, replication user account, etc., and the second suffix is for some end-user accounts/settings. I seem to have managed to get the first HDB backend to replicate, but I can't get the 2nd to work for some reason (most likely because I'm doing something wrong). When I start OpenLDAP with some debug logging, I see several log line, but the first ones that catches my interest looks like: 53ac30ff slapd starting 53ac30ff slap_client_connect: URI=ldap://ldap01-testing.aminor.no DN="cn=replicator,ou=admins,ou=internal,o=aminor" ldap_sasl_bind_s failed (49) 53ac30ff do_syncrepl: rid=005 rc 49 retrying (4 retries left) (this was seen on the node ldap02-testing.aminor.no. The hostnames exist in DNS internally, the two nodes can see each other on the IP level etc.) Both the working and non-working suffix are configured to use the same replication user (which lives in the 1st suffix). In my case, I have 2 hdb backends, one seems to replicate just fine, the other doesn't. I can use ldapsearch on the suffix for that non-replicating hdb from both nodes to both nodes, and get replies back (running ldapsearch -x, with -D and -w giving the cn=replicator,ou=admins...etc. and password). I went to the #openldap IRC channel and asked about this issue earlier today, and I saw another person ask about the same "ldap_sasl_bind_s failed (49)" error message as well. He was using a somewhat older OpenLDAP though (2.4.23) on Debian though. Regards Eivind Olsen

3 6

mdb maxsize too big - no specific error message?
by Marc Patermann 25 Jun '14

25 Jun '14

Hi, is there no specific error message if the mdb maxsize is too big (for the containing filesystem)? I used my ansible (great tool!) playbook to create an ldap server in a test VM. This was only 8 GB small. My initial slapadd failed and I did not why. (On my "real hardware" test machine this was all fine.) "mdb_db_open: cannot be opened, err 112, Restore from Backup!" If this is what "err 112" means, it should better say "maxsize too big" or something. It took me some time to figure out, my disk was to small for my config. Marc

2 1

slapd dead. pls advise how I can restart it
by Eileen(=^ω^=) 25 Jun '14

25 Jun '14

Hi team, My LDAP service had an unexpected blackout, it can’t be started. could you pls advise how I can restart it? When I check the slapd status: [root@nplserver1 ~]# service slapd status slapd dead but pid file exists àbut I can’t find any pid file When I start slapd, below will be come. [root@nplserver1 openldap]# slapd start -d 256 @(#) $OpenLDAP: slapd 2.4.23 (Feb 22 2013 01:50:21) $ mockbuild@c6b7.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd bdb(dc=npl,dc=tmsr): unable to join the environment bdb_db_open: database "dc=npl,dc=tmsr" cannot be opened, err 11. Restore from backup! bdb(dc=npl,dc=tmsr): txn_checkpoint interface requires an environment configured for the transaction subsystem bdb_db_close: database "dc=npl,dc=tmsr": txn_checkpoint failed: Invalid argument (22). backend_startup_one (type=bdb, suffix="dc=npl,dc=tmsr"): bi_db_open failed! (11) bdb_db_close: database "dc=npl,dc=tmsr": alock_close failed slapd stopped. And I can’t find any process in 389 port.‍ best wishes Eileen

7 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2014