Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50,
This is my example. I changed the font style of line 50
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called for every message of the search; prints the entry it carries
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process (e.g. the final result message)
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # drop the entry so the message does not keep all of them
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = ( base     => "dc=example,dc=co,dc=in",
             scope    => "subtree",
             filter   => "(objectClass=inetOrgPerson)",
             callback => \&procentry,        # Call this sub for each entry
             control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control -- this is line 50 of vlv.pl, where the script
# dies: the search result came back without a VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );
--
Venish Khant
www.deeproot.co.in
7 years, 4 months
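The bare "or die" in the script above fires whenever the search result carries no VLV response control, which is exactly what happens when the server does not implement the control: a request control that is not marked critical is simply ignored, and the search succeeds without it. The following script is an added example (not the poster's code and not taken from Net::LDAP's documentation) showing the check a practitioner would want before the first paged search: read the root DSE, refuse to continue unless both the server-side sort and VLV controls are advertised, and report the real cause when the response control is still missing. The host, base DN, bind DN and the LDAP_PASSWORD environment variable are assumptions for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLV LDAP_CONTROL_SORTREQUEST
                            LDAP_CONTROL_VLVRESPONSE LDAP_SUCCESS );

# Hypothetical server, base and bind identity (not from the original post).
my $host   = 'localhost';
my $base   = 'dc=example,dc=com';
my $binddn = 'uid=reader,ou=people,dc=example,dc=com';
my $passwd = $ENV{LDAP_PASSWORD} // die "set LDAP_PASSWORD in the environment\n";

my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@\n";
my $res  = $ldap->bind($binddn, password => $passwd);
die 'bind failed: ' . $res->error . "\n" if $res->code;

# Step 1: the root DSE lists every control the server implements. VLV is
# only meaningful together with server-side sorting, so both must be there
# (on OpenLDAP both come from the sssvlv overlay).
my $dse = $ldap->root_dse(attrs => ['supportedControl'])
    or die "cannot read the root DSE\n";
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLV) {
    die "server does not advertise control $oid; VLV paging is unavailable\n"
        unless $dse->supported_control($oid);
}

# Step 2: one paged search, with every failure mode named instead of a
# bare die. The controls stay non-critical, so a server that dropped them
# would still answer; the missing response control is what tells us.
my $sort = Net::LDAP::Control::Sort->new(order => 'cn');
my $vlv  = Net::LDAP::Control::VLV->new(before => 0, after => 19,
                                        content => 0, offset => 1);
my $mesg = $ldap->search(base    => $base,
                         scope   => 'subtree',
                         filter  => '(objectClass=inetOrgPerson)',
                         attrs   => ['cn'],
                         control => [$sort, $vlv]);
die 'search failed: ' . $mesg->error . "\n" if $mesg->code != LDAP_SUCCESS;

my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE);
die "search succeeded but carried no VLV response control: "
  . "the server ignored the VLV request\n" unless $resp;
$vlv->response($resp);   # updates offset and content count from the server

printf "got %d entries of a list the server reports as %d long\n",
       $mesg->count, $vlv->content;
$ldap->unbind;
```

Run it with the password in the environment rather than on the command line. The sort key matters as much as the control: the server can only sort on an attribute that has an ORDERING matching rule, and when it cannot, the failure surfaces in the sort result control rather than in the search result code.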
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 3 months
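Since the post turns on the difference between S/Key-style OTP and RFC 4226 HOTP, here is an added example (not dynalogin code, and not from the post) of the HOTP computation and of the server-side acceptance rule that any OpenLDAP or SASL integration would need to get right: the counter only moves forward, a code is valid for a bounded window ahead of the last accepted counter, and the comparison is constant-time. It uses only the core Digest::SHA module; the walkthrough values (last counter 2, token at counter 5) are constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha1);   # core module; hmac_sha1($data, $key)

# HOTP(K, C) as specified in RFC 4226: HMAC-SHA-1 over the 8-byte
# big-endian counter, dynamic truncation to 31 bits, then modulo 10^digits.
sub hotp {
    my ($secret, $counter, $digits) = @_;
    $digits //= 6;
    my $msg    = pack('NN', ($counter >> 32) & 0xffffffff, $counter & 0xffffffff);
    my $hmac   = hmac_sha1($msg, $secret);                # 20 raw bytes
    my $offset = ord(substr($hmac, 19, 1)) & 0x0f;        # low nibble of last byte
    my $bin    = unpack('N', substr($hmac, $offset, 4)) & 0x7fffffff;
    return sprintf('%0*d', $digits, $bin % (10 ** $digits));
}

# Compare two codes without leaking, through timing, how many leading
# characters matched.
sub constant_time_eq {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Server-side check with a look-ahead window: a code is accepted only for a
# counter strictly after the last one consumed (so a captured code cannot be
# replayed) and at most $window steps ahead (so a few unused codes on the
# token do not lock the user out). On success the stored counter advances.
sub verify_hotp {
    my ($secret, $last_counter_ref, $candidate, $window) = @_;
    $window //= 10;
    for my $c ($$last_counter_ref + 1 .. $$last_counter_ref + $window) {
        if (constant_time_eq(hotp($secret, $c), $candidate)) {
            $$last_counter_ref = $c;
            return 1;
        }
    }
    return 0;
}

# Self-check against the RFC 4226 Appendix D test vectors, whose shared
# secret is the ASCII string "12345678901234567890".
my $secret  = '12345678901234567890';
my @vectors = qw(755224 287082 359152 969429 338314 254676 287922 162583 399871 520489);
for my $c (0 .. $#vectors) {
    hotp($secret, $c) eq $vectors[$c] or die "RFC 4226 test vector $c failed\n";
}
print "RFC 4226 test vectors: ok\n";

# Constructed walkthrough: the server last accepted counter 2; the token
# now shows the code for counter 5 (two unused codes were skipped).
my $last = 2;
my $code = hotp($secret, 5);
print "counter 5 accepted: ", (verify_hotp($secret, \$last, $code) ? "yes" : "no"), "\n";
print "stored counter now: $last\n";
# Replaying the same code must fail, as must any counter at or below 5.
print "replay accepted: ", (verify_hotp($secret, \$last, $code) ? "yes" : "no"), "\n";
```

The stored counter is the piece that has to live server-side and be updated atomically; if it is kept as an LDAP attribute, the update and the compare need to happen in one place (a bind-time overlay or SASL plugin) rather than in every client, or two racing logins can both succeed with the same code.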
idassert-authzFrom ignored
by Charles Bueche
Hi,
I have an OpenLDAP proxy using back_meta to talk to two back-end
Microsoft AD servers.
My goal is to provide a single view of both AD trees.
Basically, it works, as long as I use a bind account which exists in one
of the back-end AD's.
However, to first search where an AD account is, I would like to use a
local account on the LDAP proxy. To my understanding, I need to use
database meta
suffix dc=proxy,dc=stuff,dc=ch
rootdn "cn=root,dc=proxy,dc=stuff,dc=ch"
rootpw "secret"
subordinate
...
idassert-bind
bindmethod=simple
binddn="CN=srvLDAP,..."
credentials="..."
mode=none
flags=non-prescriptive
idassert-authzFrom "dn.exact:cn=root,dc=proxy,dc=stuff,dc=ch"
The DN "cn=root,dc=proxy,dc=stuff,dc=ch" does exist in the proxy and can
do local searches. However, the account defined in the idassert is never
used, and the connections to the back-end ADs fail. Respectively, I
think they are contacted using anonymous instead of the account I
specify (not sure about the anonymous part, the debug log isn't very
clear about it).
Hints welcome.
Below is a part of the relevant log if it helps.
Charles
..........
tls_read: want=64, got=64
0000: 65 87 ac 08 7e 49 8d 7f 95 3c d0 1f 09 57 b7 ce e...~I...<...W..
0010: d4 13 2e ac 57 c9 27 6b 58 f7 76 70 a1 95 10 3e ....W.'kX.vp...>
0020: e2 96 0d cf a1 d3 13 ff e7 0b b1 2f c0 6f dc 19 .........../.o..
0030: 93 38 07 b9 f7 e4 81 a8 e0 45 0e 97 ec 7f 21 a6 .8.......E....!.
TLS trace: SSL_connect:SSLv3 read finished A
ldap_int_poll: fd: -1 tm: 0
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=4
53679e3b conn=1000 op=1 <<< meta_back_search_start[0]=4
53679e3b conn=1000 op=1 meta_back_search: ncandidates=1 cnd="*"
53679e3b conn=1000 op=1 >>> meta_search_dobind_init[0]
ldap_sasl_bind
ldap_send_initial_request
ldap_int_poll: fd: 12 tm: 0
ldap_is_sock_ready: 12
ldap_ndelay_off: 12
TLS trace: SSL_connect:before/connect initialization
tls_write: want=225, written=225
0000: 16 03 01 00 dc 01 00 00 d8 03 02 53 67 9e 3b 55 ...........Sg.;U
0010: 4b 2f ee 53 01 81 ee ca 6a 3f a0 ea 85 3a c9 7e K/.S....j?...:.~
0020: e3 01 d7 e6 d1 09 65 14 21 05 ef 00 00 66 c0 14 ......e.!....f..
0030: c0 0a c0 22 c0 21 00 39 00 38 00 88 00 87 c0 0f ...".!.9.8......
0040: c0 05 00 35 00 84 c0 12 c0 08 c0 1c c0 1b 00 16 ...5............
0050: 00 13 c0 0d c0 03 00 0a c0 13 c0 09 c0 1f c0 1e ................
0060: 00 33 00 32 00 9a 00 99 00 45 00 44 c0 0e c0 04 .3.2.....E.D....
0070: 00 2f 00 96 00 41 c0 11 c0 07 c0 0c c0 02 00 05 ./...A..........
0080: 00 04 00 15 00 12 00 09 00 14 00 11 00 08 00 06 ................
0090: 00 03 00 ff 01 00 00 49 00 0b 00 04 03 00 01 02 .......I........
00a0: 00 0a 00 34 00 32 00 0e 00 0d 00 19 00 0b 00 0c ...4.2..........
00b0: 00 18 00 09 00 0a 00 16 00 17 00 08 00 06 00 07 ................
00c0: 00 14 00 15 00 04 00 05 00 12 00 13 00 01 00 02 ................
00d0: 00 03 00 0f 00 10 00 11 00 23 00 00 00 0f 00 01 .........#......
00e0: 01 .
TLS trace: SSL_connect:SSLv3 write client hello A
tls_read: want=5 error=Connection reset by peer
TLS trace: SSL_connect:error in SSLv3 read server hello A
TLS: can't connect: .
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 12
0000: 30 05 02 01 03 42 00 0....B.
ldap_write: want=7 error=Broken pipe
ldap_free_connection: actually freed
53679e3b conn=1000 op=1 <<< meta_search_dobind_init[0]=0
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_result: conn=1000 op=1 p=3
53679e3b send_ldap_result: err=0 matched="" text=""
53679e3b send_ldap_response: msgid=2 tag=101 err=0
ber_flush2: 14 bytes to sd 11
0000: 30 0c 02 01 02 65 07 0a 01 00 04 00 04 00 0....e........
tls_write: want=69, written=69
9 years, 1 month
Password Failure for one user
by brown wrap
I am trying to track down why one user all of a sudden can't log into a machine. He can use his LDAP passwd through our network, but gets an immediate login failure on a particular machine. I can 'su' to his account, from my account using his password, but when I try to log into this machine remotely, I get the failure and it terminates the sessions. There have been no changes to the system at all. I am looking for step to troubleshoot this issue. Thanks.
9 years, 2 months
syncrepl_del_nonpresent leading to directory implosion
by Aaron Bennett
Hi,
I've got a two-node MMR setup using syncrepl running 2.4.36 with back-bdb.
Last night, between 1/3 and 1/2 of the entries in our directory disappeared. Fortunately I have olcLogLevel=sync set, so I think I have a line on what happened...
I see this at 4AM long of the morning before the fun started:
Jul 7 04:19:30 zoot slapd[15011]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries
Jul 7 04:19:30 zoot slapd[15011]: => bdb_idl_insert_key: c_get failed: Cannot allocate memory (12)
Then many hours later:
Jul 7 15:04:30 zoot slapd[15011]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries
Jul 7 15:04:30 zoot slapd[15011]: => bdb_idl_delete_key: c_get failed: Cannot allocate memory (12)
Jul 7 15:04:30 zoot slapd[15011]: null_callback : error code 0x50
Jul 7 15:04:30 zoot slapd[15011]: slap_graduate_commit_csn: removing 0x7fa33c248a80 20140707190424.188580Z#000000#001#000000
Jul 7 15:04:30 zoot slapd[15011]: syncrepl_del_nonpresent: rid=001 be_delete cn=parents_ug_students,ou=Other,ou=Groups,dc=clarku,dc=edu (80)
This repeats itself several times:
Jul 7 16:41:09 zoot slapd[15011]: syncprov_matchops: skipping original sid 001
Jul 7 16:41:09 zoot slapd[15011]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries
Jul 7 16:41:09 zoot slapd[15011]: => bdb_idl_delete_key: c_get failed: Cannot allocate memory (12)
Jul 7 16:41:09 zoot slapd[15011]: null_callback : error code 0x50
Jul 7 16:41:09 zoot slapd[15011]: slap_graduate_commit_csn: removing 0x7fa37e4b4260 20140707204059.442906Z#000000#001#000000
Jul 7 16:41:09 zoot slapd[15011]: syncrepl_del_nonpresent: rid=001 be_delete cn=parents_ug_students,ou=Other,ou=Groups,dc=clarku,dc=edu (80)
Jul 7 16:52:44 zoot slapd[2179]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries
Jul 7 16:52:44 zoot slapd[2179]: => bdb_idl_delete_key: c_get failed: Cannot allocate memory (12)
Jul 7 16:52:44 zoot slapd[2179]: null_callback : error code 0x50
Jul 7 16:52:44 zoot slapd[2179]: slap_graduate_commit_csn: removing 0x7f74581dae70 20140707205225.029175Z#000000#001#000000
Jul 7 16:52:44 zoot slapd[2179]: syncrepl_del_nonpresent: rid=001 be_delete cn=parents_ug_students,ou=Other,ou=Groups,dc=clarku,dc=edu (80)
Jul 7 16:52:44 zoot slapd[2179]: slap_queue_csn: queing 0x7f7458be8470 20140707205225.029175Z#000000#001#000000
Jul 7 16:52:44 zoot slapd[2179]: slap_graduate_commit_csn: removing 0x7f74581ad2e0 20140707205225.029175Z#000000#001#000000
Then we get (possibly unrelated) a lengthy list of nonpresent_callbacks (tons more than I list here):
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID 5111f346-871c-1033-8d4b-f5dbd10b8ca0, dn uid=rvenkatachalam,ou=Users,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID 1e3d94e4-8ce8-1033-8d6a-f5dbd10b8ca0, dn cn=BIOL399-09-SU14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID 45843aa6-91b8-1033-81a9-ff6ec337b146, dn cn=MSPC3090-01-F14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID 4dd09f16-921b-1033-8d8e-f5dbd10b8ca0, dn cn=msit3710-01-f14,ou=DL,ou=Groups,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID 0b3e8d76-9607-1033-81cf-ff6ec337b146, dn cn=acct5411-01-f14,ou=DL,ou=Groups,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID a698a278-9677-1033-81ee-ff6ec337b146, dn cn=ESL0051-E1-F14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 17:06:24 zoot slapd[2179]: nonpresent_callback: rid=001 present UUID ccf94c1c-979c-1033-8dc9-f5dbd10b8ca0, dn uid=dgunarajasingam,ou=Users,dc=clarku,dc=edu
Followed by another lock table / del_nonpresent:
Jul 7 17:06:24 zoot slapd[2179]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries
Jul 7 17:06:24 zoot slapd[2179]: => bdb_idl_delete_key: c_del id failed: Cannot allocate memory (12)
Jul 7 17:06:24 zoot slapd[2179]: null_callback : error code 0x50
Jul 7 17:06:24 zoot slapd[2179]: slap_graduate_commit_csn: removing 0x7f73e016cb40 20140707210614.062782Z#000000#001#000000
Jul 7 17:06:24 zoot slapd[2179]: syncrepl_del_nonpresent: rid=001 be_delete cn=parents_ug_students,ou=Other,ou=Groups,dc=clarku,dc=edu (80)
Jul 7 17:06:24 zoot slapd[2179]: slap_queue_csn: queing 0x7f73e0f0eaa0 20140707210614.062782Z#000000#001#000000
Jul 7 17:06:24 zoot slapd[2179]: slap_graduate_commit_csn: removing 0x7f73e0f180c0 20140707210614.062782Z#000000#001#000000
That repeats itself @ 18:07, 18:47, 18:55. Then the train departs for crazy town... notice this is the other node:
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID 0e6fea9e-9279-1033-8d97-f5dbd10b8ca0, dn cn=MSPC3070-01-F14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID f710e364-958c-1033-8da2-f5dbd10b8ca0, dn cn=MKT5900-01-F14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID 815ece60-965e-1033-8dab-f5dbd10b8ca0, dn cn=ESL0067-M1-F14,ou=Courses,ou=Groups,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID f9d8a408-96cf-1033-8db0-f5dbd10b8ca0, dn cn=eng2950-01-su14,ou=DL,ou=Groups,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID 480d8cbc-96d3-1033-8dbf-f5dbd10b8ca0, dn cn=esl0011-e1-f14,ou=DL,ou=Groups,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: nonpresent_callback: rid=002 nonpresent UUID ccf94c1c-979c-1033-8dc9-f5dbd10b8ca0, dn uid=dgunarajasingam,ou=Users,dc=clarku,dc=edu
Jul 7 18:55:59 animal slapd[10389]: slap_graduate_commit_csn: removing 0x7f59c8eddc00 20140707225554.051198Z#000000#002#000000
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=MPA3950-03-SU14,ou=Courses,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=MSIT3950-0R-SU14,ou=Courses,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete uid=zbamberger,ou=Users,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete uid=dgunarajasingam,ou=Users,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete uid=hmunawar,ou=Users,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=scrn2940-01-su14,ou=DL,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=eng2940-02-su14,ou=DL,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=id2940-02-su14,ou=DL,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=msit3950-0p-su14,ou=DL,ou=Groups,dc=clarku,dc=edu (0)
Jul 7 18:55:59 animal slapd[10389]: syncprov_matchops: skipping original sid 002
Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=mspc3060-0p-su14,ou=DL,ou=Groups,dc=clarku,dc=edu (0)
That goes on, deleting things, until my pager exploded when some critical role accounts got nuked and our radius servers died. I pulled an LDIF when I realized what was happening and between 18:55 and 19:35, our LDIF went from 75MB to 45MB - so about 30MB of stuff disappeared.
What happened? Did I get hit by an oddball BDB/Syncrepl behavior? Do I have a bad misconfiguration in my replication setup?
Thanks for your time,
Aaron
----
Manager of Systems Administration
Clark University ITS
9 years, 2 months
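Both this thread and the idassert-authzFrom thread above come down to reading slapd output for a specific sequence: a backend TLS handshake that dies before any bind is sent, and BDB lock-table exhaustion followed by syncrepl_del_nonpresent deletes, first failing with result 80 and then, on the other node, succeeding in bulk. The following is an added example (not from either poster) of a small triage script that pulls those three conditions out of a log; the sample lines are excerpted from the two posts, and the alarm threshold of 2 is only there so the sample trips it.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: lines excerpted from the two logs quoted in the
# threads above (back-meta debug output and syncrepl syslog output).
# A real run would read the slapd log file instead.
my @sample = (
    'tls_read: want=5 error=Connection reset by peer',
    "TLS: can't connect: .",
    'Jul 7 15:04:30 zoot slapd[15011]: bdb(dc=clarku,dc=edu): Lock table is out of available lock entries',
    'Jul 7 15:04:30 zoot slapd[15011]: syncrepl_del_nonpresent: rid=001 be_delete cn=parents_ug_students,ou=Other,ou=Groups,dc=clarku,dc=edu (80)',
    'Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete cn=MPA3950-03-SU14,ou=Courses,ou=Groups,dc=clarku,dc=edu (0)',
    'Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete uid=zbamberger,ou=Users,dc=clarku,dc=edu (0)',
    'Jul 7 18:55:59 animal slapd[10389]: syncrepl_del_nonpresent: rid=002 be_delete uid=dgunarajasingam,ou=Users,dc=clarku,dc=edu (0)',
);

# One pass over the log, collecting the conditions an operator should be
# paged about. $max_deletes is how many non-present deletes a single
# consumer (rid) may apply before it is treated as a runaway purge.
sub triage {
    my ($max_deletes, @lines) = @_;
    my %r = (tls_failures => [], lock_exhaustion => 0,
             failed_deletes => [], deletes_per_rid => {}, alarms => []);
    for my $line (@lines) {
        if ($line =~ /^tls_read: .*error=(.+)$/) {
            # The session to the backend died during the TLS handshake,
            # before any bind (idassert or otherwise) was ever sent.
            push @{ $r{tls_failures} }, $1;
        }
        elsif ($line =~ /^TLS: can't connect/) {
            push @{ $r{tls_failures} }, 'handshake failed';
        }
        elsif ($line =~ /Lock table is out of available lock entries/) {
            # BDB ran out of lock slots; writes that follow may fail.
            $r{lock_exhaustion}++;
        }
        elsif ($line =~ /syncrepl_del_nonpresent: rid=(\d+) be_delete (.+) \((\d+)\)$/) {
            my ($rid, $dn, $rc) = ($1, $2, $3);
            if ($rc != 0) {
                # Result 80 (LDAP "other") means the consumer could not apply
                # the delete, so this replica now disagrees with its peer.
                push @{ $r{failed_deletes} }, { rid => $rid, dn => $dn, rc => $rc };
            } else {
                $r{deletes_per_rid}{$rid}++;
            }
        }
    }
    for my $rid (sort keys %{ $r{deletes_per_rid} }) {
        my $n = $r{deletes_per_rid}{$rid};
        push @{ $r{alarms} }, "rid=$rid deleted $n entries as non-present"
            if $n > $max_deletes;
    }
    return \%r;
}

my $report = triage(2, @sample);
printf "backend TLS failures: %d\n", scalar @{ $report->{tls_failures} };
printf "BDB lock-table exhaustion events: %d\n", $report->{lock_exhaustion};
printf "failed delete on rid=%s rc=%s: %s\n", @{$_}{qw(rid rc dn)}
    for @{ $report->{failed_deletes} };
print "ALARM: $_\n" for @{ $report->{alarms} };
```

Two readings follow from the counters. A TLS failure count above zero on a back-meta proxy means the idassert identity was never even offered, so the bind configuration is not what is being tested. And any failed non-present delete on one node is a sign the two replicas have already diverged; the sustained burst of successful ones on the peer is the point at which replication should be stopped and the provider's state checked, because the consumer is faithfully deleting whatever the provider no longer lists as present. The lock-table message itself is a BDB resource limit, tuned through the lock settings in the database's DB_CONFIG file.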
Outlook LDAP Addressbook Browsing - Add ORDERING caseIgnoreOrderingMatch on CN or NAME core attributes without source code modification and re-compilation
by Richard LEGER
Hi,
We currently used openldap as provided out of the box (binary) by Ubuntu
12.04 LTS.
We need to enable Outlook LDAP Addressbook browsing when used with our
current OpenLDAP setup.
According to past posts on the OpenLDAP technical mailing list, there seems
to be two requirements:
- Add ORDERING caseIgnoreOrderingMatch in the definition of core schema
attribute CN (or Name)
- Enable LDAP Virtual List View (VLV - OID: 2.16.840.1.113730.3.4.9)
control and Server Side Control (SSS - OID: 1.2.840.113556.1.4.473) control
on the OpenLDAP server
### Modify (or extend, or replace) definition of core schema attribute
As per the posts below, it is possible to modify core schema attribute(s)
by updating source code and recompiling openldap.
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/201001/m...
http://www.openldap.org/cgi-bin/wilma_hiliter/openldap-technical/201212/m...
Unfortunately this is not an option for us.
Is there another way, via a local schema or otherwise, to modify/extend the
definition of OpenLDAP core attributes without modifying source code and
recompiling?
Via ldapmodify, or via the creation of a module/overlay maybe, that could be
loaded via the openldap configuration file slapd.conf at startup?
The slapd.conf method would be our preference at the moment.
As last resort, if not technically possible via slapd.conf, would using the
OpenLDAP On-Line Configuration (OLC - cn=config - slapd.config) method
instead allow such extend/modification of core schema attributes?
If yes how?
We are aware that may render our ldapserver no longer fully RFC compliant,
but we need to be pragmatic here to provide an effective solution to
end-users.
We already use our own local LDAP schema definition anyway :-)
Thanks in advance for any help/enlightenment you could provide.
### VLV and SSS Control(s) have been enabled as follow
# Added the following in /etc/ldap/slapd.conf
(...)
moduleload sssvlv
overlay sssvlv
sssvlv-max 8
sssvlv-maxkeys 5
#sssvlv-maxperconn 5 <-- this option is not currently available in the current
database backend version
(...)
# Restart ldap server
/etc/init.d/slapd restart
# Check
ldapsearch -x -b '' -s base '(ObjectClass=*)' + -D
"uid=richard,ou=people,dc=example,dc=com" -W
(...)
supportedControl: 2.16.840.1.113730.3.4.9 <-- LDAP Virtual List View (VLV)
supportedControl: 1.2.840.113556.1.4.473 <-- Server Side Control (SSS)
(...)
Regards,
Richard Leger
9 years, 2 months
Adding and attribute and editing a matchingRuleUse in the subschema
by espeake@oreillyauto.com
On our current server running 2.4.31 we have an operational attribute in
the schema labeled pwdFailureTime. I have done:
slapcat -n 0 -l /tmp/<my_config>.ldif on our production server. I have
also used an LDAP browser to export the schema.
When I do a slapadd -F /etc/your/config/goes/here/ -n 0
-l /tmp/<my_config>.ldif I do get the config loaded. I have confirmed
that I am loading all of the same modules on both servers and that the
config files match. What I don't have is the pwdFailureTime attribute
which I need since it is in the data file as well, making it so I cannot
import my data either. This is what the attribute looks like in the
subschema:
attributeTypes: ( 1.3.6.1.4.1.42.2.27.8.1.19 NAME 'pwdFailureTime'
 DESC 'The timestamps of the last consecutive authentication failures'
 EQUALITY generalizedTimeMatch ORDERING generalizedTimeOrderingMatch
 SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 NO-USER-MODIFICATION
 USAGE directoryOperation )
Here is the matchingRuleUse:
matchingRuleUse: ( 2.5.13.27 NAME 'generalizedTimeMatch' APPLIES
 ( createTimestamp $ modifyTimestamp $ pwdChangedTime $ pwdAccountLockedTime $
 pwdFailureTime $ pwdGraceUseTime $ birthDate $ hireDate $ statusDate $ openDate ) )
From other posts that I have read I cannot edit the subschema directly and
that makes sense since that would be the fastest way to kill a server. I
have tried doing an ldap modify to dn: cn={4}ppolicy,cn=schema,cn=config
and I get a syntax error in trying to number the attribute.
The new version is 2.4.39 running on ubuntu 12.04 with 3.13 kernel.
Thanks
Eric Speake
Web Systems Administrator
O'Reilly Auto Parts
(417) 862-2674 Ext. 1975
9 years, 2 months
SASL not honoring slapo-ppolicy
by Achilleas Mantzios
Hello list,
I have managed successfully to setup a fully functional openldap server on FreeBSD.
So far, I had success with: ppolicy, ACLs, legacy SQL exposed as LDAP, SASL authentication.
My only problem thus far is combining SASL with ppolicy. When binding with classic simple
authentication using -D dn, the ppolicy overlay has the expected effect.
However when using SASL (SASL/SCRAM-SHA-1) with -U, while it works correctly converting uid to DN
with authz-regexp, it does not seem to look for ppolicy (default or derived from pwdPolicySubentry).
Moreover, enforced violations of ppolicy (e.g. failed attempted authentications >= pwdMaxFailure)
when done via SASL seem to have no effect on ppolicy attributes, e.g. pwdAccountLockedTime,
while they work fine when binding with simple authentication.
Is there any way to overcome this? Or is ppolicy honored only via simple DN binds?
--
Achilleas Mantzios
Head of IT DEV
IT DEPT
Dynacom Tankers Mgmt
9 years, 2 months
Re: creating a cn=config modules
by Greg Treantos
I have read the documentation and cannot figure out how to create a new DIT
so I can add the module I need. If you can be more specific on what I
should be looking for, that would be great. But nowhere have I found anything that
points to how to create the cn=module{0} DIT so it can be populated. I don't
know, maybe I'm asking the wrong questions.
from the docs
5.2.2. cn=module
If support for dynamically loaded modules was enabled when configuring
slapd, cn=module entries may be used to specify sets of modules to load.
Module entries must have the olcModuleList objectClass.
I don't have a cn=module dit, how do I create it?
On Wed, Jul 9, 2014 at 6:26 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Wednesday, July 09, 2014 6:59 PM -0400 Greg Treantos <
> gtreanto(a)gmail.com> wrote:
>
>
>> From the man pages ldapadd is just a hardlink to ldapmodify, but I tried
>> and got the same error
>>
>>
>>
>> ldapadd -Y EXTERNAL -H ldapi:/// -v -f ldapMdynalist.ldif
>> ldap_initialize( ldapi:///??base )
>> SASL/EXTERNAL authentication started
>> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
>> SASL SSF: 0
>> add olcModuleLoad:
>> {0}/usr/lib64/openldap/memberof.la
>>
>
> The above is invalid. I strongly advise you to read the documentation.
>
> Also, you should not be touching or creating any files inside the
> cn=config database.
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Greg
http://www.linkedin.com/in/gregtreantos
9 years, 2 months
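The admin guide section quoted in the message above says what the entry must look like but not how to bring it into existence, and the error output lower in this thread shows an attempt to modify cn=module{0},cn=config before it exists. As an added example (not Quanah's or Greg's text), this is the LDIF that creates the module list entry with the same ldapadd invocation Greg used; the module path is the one from his output, and the entry name is given without an index because slapd assigns the {0} itself.

```ldif
# Added example: create the module list entry itself with
#   ldapadd -Y EXTERNAL -H ldapi:/// -f module.ldif
# This is an add of a new entry, not a modify of cn=module{0}, which does
# not exist yet. Nothing under the cn=config directory is created by hand.
dn: cn=module,cn=config
objectClass: olcModuleList
cn: module
olcModulePath: /usr/lib64/openldap
olcModuleLoad: memberof.la
```

Once the entry exists, further modules go in with ldapmodify against cn=module{0},cn=config using a changetype: modify / add: olcModuleLoad record, which is the operation the failed attempt was trying to perform one step too early.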
Re: creating a cn=config modules
by Greg Treantos
From the man pages ldapadd is just a hardlink to ldapmodify, but I tried
and got the same error
ldapadd -Y EXTERNAL -H ldapi:/// -v -f ldapMdynalist.ldif
ldap_initialize( ldapi:///??base )
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
add olcModuleLoad:
{0}/usr/lib64/openldap/memberof.la
modifying entry "cn=module{0},cn=config"
ldap_modify: No such object (32)
matched DN: cn=config
I also tried this before and after touching cn=module{0} with ldap:ldap as
the owner/group
On Wed, Jul 9, 2014 at 5:50 PM, Quanah Gibson-Mount <quanah(a)zimbra.com>
wrote:
> --On Wednesday, July 09, 2014 6:23 PM -0400 Greg Treantos <
> gtreanto(a)gmail.com> wrote:
>
>
>>
>> Here is what the cn=config directory looks like. As you can see there is
>> no olcDatabase={x}module.ldif file so my question is how do you create
>> one.
>>
>
> Modify is for objects that exist. Try using ldapadd.
>
>
> --Quanah
>
> --
>
> Quanah Gibson-Mount
> Server Architect
> Zimbra, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
--
Greg
http://www.linkedin.com/in/gregtreantos
9 years, 2 months