Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want some limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea
about this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is marked with a comment.

#!/usr/bin/perl -w
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Search callback: print one entry, then drop it from the result object
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    if ( !defined($entry) ) {
        return;
    }
    print "dn: " . $entry->dn() . "\n";
    @attrs = $entry->attributes();
    foreach $attr (@attrs) {
        # Ask for an array ref so multi-valued attributes print every value
        $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;
    print "\n";
}

$ldap = Net::LDAP->new( "localhost" ) or die "$@";

# Get the first 20 entries
$vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
# VLV is only valid together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
@args = ( base     => "dc=example,dc=co,dc=in",
          scope    => "subtree",
          filter   => "(objectClass=inetOrgPerson)",
          callback => \&procentry,        # Call this sub for each entry
          control  => [ $sort, $vlv ],
);
$mesg = $ldap->search( @args );
# Get VLV response control. This is line 50 of vlv.pl: control() returns an
# empty list when the server's result carried no VLV response control, so
# the "or die" is what fires.
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years, 3 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 2 months
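The post contrasts HOTP (RFC 4226) with the S/Key-style OTP that SASL already offers. As an added example, not code from the post or from dynalogin, here is HOTP generation and verification in Python, checked against the test vectors in RFC 4226 Appendix D (secret "12345678901234567890"). The look-ahead window and the rule that the server persists the counter one past the matched value are assumptions about how a server would consume codes; RFC 4226 recommends a window but leaves its size to the implementer.

```python
"""HOTP (RFC 4226): code generation plus counter-window verification.

Added example; not from the post or from dynalogin. The secret below is the
RFC 4226 Appendix D test secret, used only so the results can be checked.
"""
import hashlib
import hmac
import struct

RFC4226_SECRET = b"12345678901234567890"   # test secret from RFC 4226 Appendix D


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits (RFC 4226 s.5.3)."""
    msg = struct.pack(">Q", counter)                   # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, stored_counter: int, candidate: str,
                look_ahead: int = 5, digits: int = 6):
    """Validate a submitted code against the server-side counter.

    Tries counters stored_counter .. stored_counter+look_ahead (the token's
    counter may have run ahead if codes were generated but never submitted;
    the window size is an assumption, RFC 4226 s.7.2 leaves it to the
    implementer). On success returns the counter the server must now persist,
    which is one past the matched value, so the same code is never accepted
    twice. Returns None on failure.
    """
    if len(candidate) != digits or not candidate.isdigit():
        return None
    for c in range(stored_counter, stored_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c, digits), candidate):
            return c + 1
    return None


if __name__ == "__main__":
    # Constructed walk-through: the server starts at counter 0, the token at 3.
    server_counter = 0
    for submitted in ("969429", "969429", "338314"):
        new_counter = verify_hotp(RFC4226_SECRET, server_counter, submitted)
        print(f"{submitted}: {'accepted' if new_counter else 'rejected'}")
        if new_counter:
            server_counter = new_counter
```

The replay resistance comes entirely from the counter state: once a code at counter N is accepted, the stored counter moves past N and the same code is rejected. That state must be updated atomically on every successful authentication, which is the part an LDAP-side integration (whether through a SASL mechanism or in front of pam_ldap) has to solve.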
idassert-authzFrom ignored
by Charles Bueche
Hi,
I have an OpenLDAP proxy using back_meta to talk to two back-end
Microsoft AD servers.
My goal is to provide a single view of both AD trees.
Basically, it works, as long as I use a bind account which exists in one
of the back-end ADs.
However, to first search where an AD account is, I would like to use a
local account on the LDAP proxy. To my understanding, I need to use
database meta
suffix dc=proxy,dc=stuff,dc=ch
rootdn "cn=root,dc=proxy,dc=stuff,dc=ch"
rootpw "secret"
subordinate
...
idassert-bind
bindmethod=simple
binddn="CN=srvLDAP,..."
credentials="..."
mode=none
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=proxy,dc=stuff,dc=ch"
The DN "cn=root,dc=proxy,dc=stuff,dc=ch" does exist in the proxy and can
do local searches. However, the account defined in the idassert is never
used, and the connections to the back-end ADs fail. Respectively, I
think they are contacted using anonymous instead of the account I
specify (not sure about the anonymous part; the debug log isn't very
clear about it).
Hints welcome.
Below is a part of the relevant log if it helps.
Charles
..........
tls_read: want=64, got=64
0000: 65 87 ac 08 7e 49 8d 7f 95 3c d0 1f 09 57 b7 ce e...~I...<...W..
0010: d4 13 2e ac 57 c9 27 6b 58 f7 76 70 a1 95 10 3e ....W.'kX.vp...>
0020: e2 96 0d cf a1 d3 13 ff e7 0b b1 2f c0 6f dc 19 .........../.o..
0030: 93 38 07 b9 f7 e4 81 a8 e0 45 0e 97 ec 7f 21 a6 .8.......E....!.
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_poll: fd: -1 tm: 0
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=4
53679e3b conn=1000 op=1 <<< meta_back_search_start[0]=4
53679e3b conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0]
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 12 tm: 0
ldap_is_sock_ready: 12
ldap_ndelay_off: 12
TLS trace: SSL_connect:before/connect initialization
tls_write: want=225, written=225
0000: 16 03 01 00 dc 01 00 00 d8 03 02 53 67 9e 3b 55 ...........Sg.;U
0010: 4b 2f ee 53 01 81 ee ca 6a 3f a0 ea 85 3a c9 7e K/.S....j?...:.~
0020: e3 01 d7 e6 d1 09 65 14 21 05 ef 00 00 66 c0 14 ......e.!....f..
0030: c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f ...".!.9.8......
0040: c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 ...5............
0050: 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e ................
0060: 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 .3.2.....E.D....
0070: 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 ./...A..........
0080: 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 ................
0090: 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 .......I........
00a0: 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c ...4.2..........
00b0: 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 ................
00c0: 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 ................
00d0: 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 .........#......
00e0: 01 .
TLS trace: SSL_connect:SSLv3 write client hello A
tls_read: want=5 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv3 read server hello A
TLS: can't connect: .
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 12
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 11
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
tls_write: want=69, written=69
9 years, 1 month
how to use ppolicy schema
by Udai Singh Mehra (Vizury)
Hi,
I want to set password policies for my users in LDAP. Therefore I used the
ppolicy.schema and added it to cn=config. I also set up ppolicy to be
used as an olcOverlay module. But I am unable to see a way to use it. I fail
to create a default password policy for all the users. Can anyone send me
some guiding steps on how I can use the ppolicy.schema and set password
policies for my users? I am using OpenLDAP on Ubuntu 14.04, which has
everything set in the slapd database.
thanks,
--
Udai Singh Mehra
Infrastructure Engineering and Operations
9 years, 2 months
LDAP limit of groups per user
by Julien Courtès
Hi,
I am experiencing an issue with posix groups.
I have a user which belongs to 28 posix groups, but when I use the
command "id" on the user, I can't see all the groups, whereas as root I
can clearly see that this member belongs to many more groups.
Is there a limit of posix groups per user?
If yes, how to increase it?
Thanks
Julien Courtès
9 years, 2 months
zero copy jni lib for lmdb
by Kristoffer Sjögren
Hi
I'm experimenting a bit with developing a JNI library for LMDB that utilizes
zero-copy buffers. As you may know there is a project called lmdbjni [1]
already, but it does buffer copying only.
I must admit that my C and JNI skills are not really that great, so please
forgive any stupidity on my part.
Anyway, I'm taking the sun.misc.Unsafe (no bounds checking) approach for
memory allocation and pass memory addresses through JNI to LMDB for both
writes and reads, and at the moment I have implemented put, get, begin,
commit [2].
I suspect that something is wrong because the performance difference between
the buffer copy and zero copy isn't really that big. lmdbjni is even faster
sometimes; write commits specifically are almost twice as fast.
The test writes 1M entries with a 4-byte key (1-1M) and a 128-byte value
(random) committed in one go. LMDB is configured identically in both
implementations with a 4GB MDB_WRITEMAP. I run Linux 3.2.0 with an Intel(R)
Core(TM)2 Quad CPU Q6600 @ 2.40GHz.
JProfiler shows no signs of bottlenecks in Java in my implementation; most
time is spent in the native methods put and commit. The opposite is true
for lmdbjni, where most time is spent creating and writing Java byte
buffers, while native put and commit are just a fraction of that time.
Not sure exactly the significance of the gcc compiler flags, but here is how I do
it.
gcc -g -Wall -O2 -Wbad-function-cast -Wno-write-strings -fPIC -shared
-I$JAVA_HOME/include -I$JAVA_HOME/include/linux -Isrc/main/native
src/main/native/jlmdb.c src/main/native/liblmdb.a -o
target/linux64/libjlmdb.so
- What could be the reason for "slow(er)" commits?
- How much faster can I expect properly implemented zero copying to be?
- Maybe lmdbjni has de facto standard optimizations that I, as a C noobie,
might have overlooked?
- Are there any performance counters, tracepoints or similar that might be
of interest to find where latency is spent?
Grateful for any tips or pointers on how to track the problem down.
Cheers,
-Kristoffer
[1] https://github.com/chirino/lmdbjni
[2] JNI
#include <jni.h>
#include <lmdb.h>
#include <stdint.h>

MDB_env *mdb_env;
MDB_dbi dbi;

/* Key and value are raw addresses handed over from Java (sun.misc.Unsafe
 * memory); LMDB reads them in place, no copy. Nothing here checks that the
 * addresses or sizes are valid, so the Java side must guarantee that. */
JNIEXPORT jlong JNICALL Java_NativeLmdb_put(JNIEnv *env, jobject obj,
        jlong tx, jlong keyAddress, jlong keySize, jlong valAddress, jlong valSize)
{
    MDB_val mdb_key, mdb_val;
    mdb_key.mv_data = (void *)(intptr_t) keyAddress;
    mdb_key.mv_size = (size_t) keySize;
    mdb_val.mv_data = (void *)(intptr_t) valAddress;
    mdb_val.mv_size = (size_t) valSize;
    int rc = mdb_put((MDB_txn *)(intptr_t) tx, dbi, &mdb_key, &mdb_val, 0);
    return rc;
}

/* Returns the address of the value inside the LMDB map, or -1 if not found
 * (or on any other error). The address is only valid until the transaction
 * ends, and under MDB_WRITEMAP it points into the writable map, so Java must
 * never write through it. The value length is not returned to the caller. */
JNIEXPORT jlong JNICALL Java_NativeLmdb_get(JNIEnv *env, jobject o, jlong tx,
        jlong a, jlong s)
{
    MDB_val mdb_key, mdb_val;
    mdb_key.mv_data = (void *)(intptr_t) a;
    mdb_key.mv_size = (size_t) s;
    int rc = mdb_get((MDB_txn *)(intptr_t) tx, dbi, &mdb_key, &mdb_val);
    if (rc == 0) {
        return (jlong)(intptr_t) mdb_val.mv_data;
    }
    return -1;
}

/* Starts a write transaction and hands its handle back through tx[0]. */
JNIEXPORT void JNICALL Java_NativeLmdb_mdb_1txn_1begin(JNIEnv *env, jobject obj,
        jlongArray tx)
{
    jlong *nArray = (*env)->GetLongArrayElements(env, tx, NULL);
    MDB_txn *txn;
    mdb_txn_begin(mdb_env, NULL, 0, &txn);
    nArray[0] = (jlong)(intptr_t) txn;
    (*env)->ReleaseLongArrayElements(env, tx, nArray, 0);
}

JNIEXPORT jint JNICALL Java_NativeLmdb_mdb_1txn_1commit(JNIEnv *env,
        jobject obj, jlong tx)
{
    return (jint) mdb_txn_commit((MDB_txn *)(intptr_t) tx);
}

/* Opens the environment with a 4GB map in MDB_WRITEMAP mode and the
 * unnamed database; return codes are not checked. */
JNIEXPORT void JNICALL Java_NativeLmdb_open(JNIEnv *env, jobject obj)
{
    mdb_env_create(&mdb_env);
    mdb_env_set_mapsize(mdb_env, 4294967296UL);
    mdb_env_open(mdb_env, "/tmp/testdb", MDB_WRITEMAP, 0664);
    MDB_txn *txn;
    mdb_txn_begin(mdb_env, NULL, 0, &txn);
    mdb_open(txn, NULL, 0, &dbi);   /* mdb_open is the old name of mdb_dbi_open */
    mdb_txn_commit(txn);
}
9 years, 2 months
Syncrepl and problem with ldap_sasl_bind_s failed?
by Eivind Olsen
Hello.
I'm struggling a bit with setting up syncrepl replication between two
OpenLDAP servers (using version 2.4.39 compiled by the LTB project, on top
of RHEL6, if that matters in this case).
Does anyone here have some suggestions on what I should look deeper into
here? Is it a known newbie-error I'm making? I can post configuration
files, describe how I attempt to set up the replication etc.
The two servers have a replicated cn=config, in addition to two suffixes
with their own HDB backend. The first of those suffixes is meant for
administrative data, replication user account, etc., and the second suffix
is for some end-user accounts/settings.
I seem to have managed to get the first HDB backend to replicate, but I
can't get the 2nd to work for some reason (most likely because I'm doing
something wrong).
When I start OpenLDAP with some debug logging, I see several log lines, but
the first one that catches my interest looks like:
53ac30ff slapd starting
53ac30ff slap_client_connect: URI=ldap://ldap01-testing.aminor.no
DN="cn=replicator,ou=admins,ou=internal,o=aminor" ldap_sasl_bind_s failed
(49)
53ac30ff do_syncrepl: rid=005 rc 49 retrying (4 retries left)
(this was seen on the node ldap02-testing.aminor.no. The hostnames exist
in DNS internally, the two nodes can see each other on the IP level etc.)
Both the working and non-working suffixes are configured to use the same
replication user (which lives in the 1st suffix).
In my case, I have 2 hdb backends, one seems to replicate just fine, the
other doesn't. I can use ldapsearch on the suffix for that non-replicating
hdb from both nodes to both nodes, and get replies back (running
ldapsearch -x, with -D and -w giving the cn=replicator,ou=admins...etc.
and password).
I went to the #openldap IRC channel and asked about this issue earlier
today, and I saw another person ask about the same "ldap_sasl_bind_s
failed (49)" error message as well. He was using a somewhat older OpenLDAP
(2.4.23) on Debian, though.
Regards
Eivind Olsen
9 years, 3 months
mdb maxsize too big - no specific error message?
by Marc Patermann
Hi,
is there no specific error message if the mdb maxsize is too big (for
the containing filesystem)?
I used my ansible (great tool!) playbook to create an ldap server in a
test VM. This was only 8 GB small. My initial slapadd failed and I did
not know why. (On my "real hardware" test machine this was all fine.)
"mdb_db_open: cannot be opened, err 112, Restore from Backup!"
If this is what "err 112" means, it should better say "maxsize too big"
or something.
It took me some time to figure out that my disk was too small for my config.
Marc
9 years, 3 months
slapd dead. pls advise how I can restart it
by Eileen(=^ω^=)
Hi team,
My LDAP service had an unexpected blackout and it can't be started. Could you please advise how I can restart it?
When I check the slapd status:
[root@nplserver1 ~]# service slapd status
slapd dead but pid file exists   -> but I can't find any pid file
When I start slapd, the following comes up.
[root@nplserver1 openldap]# slapd start -d 256
@(#) $OpenLDAP: slapd 2.4.23 (Feb 22 2013 01:50:21) $
mockbuild@c6b7.bsys.dev.centos.org:/builddir/build/BUILD/openldap-2.4.23/openldap-2.4.23/build-servers/servers/slapd
bdb(dc=npl,dc=tmsr): unable to join the environment
bdb_db_open: database "dc=npl,dc=tmsr" cannot be opened, err 11. Restore from backup!
bdb(dc=npl,dc=tmsr): txn_checkpoint interface requires an environment configured for the transaction subsystem
bdb_db_close: database "dc=npl,dc=tmsr": txn_checkpoint failed: Invalid argument (22).
backend_startup_one (type=bdb, suffix="dc=npl,dc=tmsr"): bi_db_open failed! (11)
bdb_db_close: database "dc=npl,dc=tmsr": alock_close failed
slapd stopped.
And I can't find any process on port 389.
best wishes
Eileen
9 years, 3 months