Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I search, I
want a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an
idea about this error?
Error: Died at vlv.pl line 50,
This is my example; line 50 is marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Called once per returned entry, and once more with no entry at the end
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return unless defined $entry;
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        # asref => 1 returns every value of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # drop the entry so the result set does not grow in memory
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
# VLV is only defined on a sorted list, so the sort control must go with it
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# If the search itself failed there can be no response control either
$mesg->code and die "search failed: " . $mesg->error;
# Get VLV response control
# vlv.pl line 50 (the marked line): dies when the server returned no VLV response control
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);     # Change page to show 9 before
$vlv->after(10);     # Change page to show 10 after
$vlv->assert("B");   # assert "B"
$mesg = $ldap->search( @args );

$ldap->unbind;
--
Venish Khant
www.deeproot.co.in
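A server-side check for the post above, added here and not part of the original thread. Net::LDAP sends the sort and VLV controls as non-critical unless you set critical => 1, so a server that does not implement them simply answers the plain search and returns no VLV response control; $mesg->control(LDAP_CONTROL_VLVRESPONSE) then yields nothing and the bare "or die" on line 50 is exactly what you get. Stock OpenLDAP only honours these controls when the slapo-sssvlv overlay is loaded on the database. The fragment below is a slapd.conf example; the module path, the database type and the limits are assumptions for illustration.

```conf
# slapd.conf fragment (added example): enable server-side sorting and VLV
# so that the sort + VLV controls sent by vlv.pl are actually honoured.
modulepath  /usr/lib/ldap          # assumption: wherever your build installs modules
moduleload  sssvlv.la

database    mdb                    # assumption: any backend works, the overlay is generic
suffix      "dc=example,dc=co,dc=in"
# ... directory, rootdn, indexes ...

overlay     sssvlv
# Limits (slapo-sssvlv(5)): how many sorted result sets slapd keeps in memory
# at once, and how many sort keys one request may carry.
sssvlv-max      10
sssvlv-maxkeys  5

# Verify from the client before running vlv.pl: the root DSE must advertise the
# server-side sort request control (1.2.840.113556.1.4.473) and the VLV request
# control (2.16.840.1.113730.3.4.9):
#   ldapsearch -x -H ldap://localhost -s base -b '' supportedControl
```

If both OIDs are listed and the script still dies on line 50, print $mesg->code and $mesg->error right before it: a failed search (wrong base, no read access) also comes back without any response control, and the unlabelled die hides that.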
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
Non OpenLDAP use of LMDB
by Harry B
Hello,
I am planning to use LMDB to create a reasonably large database, a few TBs, >
500 million keys, on Fusion IO flash storage. The memory to storage ratio of the
available hardware is about 1:10.
Assuming the caching of "5 to 10%" of most-frequently-accessed data is good
enough for my use-case, is this a valid/legitimate use of LMDB ? Or am I
using the wrong tool for the job?
My other choices are RocksDB (haven't looked at it) or Postgres (using a
limited subset of features), the latter mainly because we already use it
across the company.
Any advice is appreciated.
Thanks
--
Harry
allow to pass on "undefined" filters in meta
by Markus.Storm@t-systems.com
Hi
I've run into a problem trying to deploy back-meta in front of an Active Directory target.
I believe that to resolve it, I need to get a new option implemented.
I need to issue a request through a back-meta proxy. That query happens to contain a matching rule which is not implemented in OpenLDAP, so slapd does not know how to evaluate the query. The target that the query will ultimately be passed on to (an Active Directory) does know how to process the query, though. OpenLDAP, however, considers the filter to be "undefined" and thus, on relaying the request to the AD target, back-meta replaces a portion of the original query with a "(?=undefined)" filter, as documented in e.g. the slapd-meta manpage under the "noundeffilter" option.
But I need the original query to be passed on. It's in fact a _valid_ LDAP request; OpenLDAP just happens to be unable to parse it.
But at least in my setup, slapd does not have to do _anything_ with the query other than pass it on, so I find it unacceptable that it replaces the query just because it doesn't understand it.
Please, can you add an option switch to the code to allow passing on original queries *without* replacing undefined portions?
I have not found any other solution to my problem. I tried to make OpenLDAP aware of the undefined portion by adding the matching rule to the schema, but I failed. It seems that would need to be planted into the code, and, not being a programmer, that's not as easy as expanding the schema with some new attributes.
Also, while of course any parser/feature enhancement will always be appreciated, I would think that implementing the matching rule is not the best way of fixing things: I believe there will always be situations where OpenLDAP cannot parse the input while another LDAP server can.
For a proof of concept, I hacked servers/slapd/back-meta/map.c (around line 581 as of 2.4.39), but, again, I'm not a programmer, so I feel incapable of turning this into a full-blown patch free of side effects; also, I want the modification to become available to anyone.
So I'm hoping for you to implement the switch mentioned above, maybe as a third possible setting for the "noundeffilter" option.
Thanks a lot in advance,
best regards
Markus Storm
translucent overlay add an attribute to all users in a OU and subtree
by Nicolas RENAULT
Hi,
(sorry for my poor English)
I already asked here about meta and it is working (we only have the date format
conversion problem, but we are about to find an alternative).
So the LDAP proxy can search for a user and provide attributes from an
AD, eDir and OpenLDAP.
But now I want to add attributes to the eDir and OpenLDAP user search
results so they have as much as an AD user
(for example homeDrive).
I plan to use translucent to add these attributes; I found that translucent
cannot be used with meta, so I created a new slapd instance.
I have added the base and OU into this instance.
I read carefully http://www.openldap.org/doc/admin24/overlays.html and
man slapo-translucent.
I understand that they explain how to add attributes to only one group.
Here are my questions:
how can I add attributes in the translucent instance to all users in an
OU (and subtree)?
is there another way to do what I want to do?
thanks all for your responses
--
Nicolas
Map NFShomedirectory to new value
by Frans Lanting - IT Admin
Hi Folks,
We are using an external OpenLDAP to authenticate users on a FreeBSD server
and would like to re-map the NFSHomeDirectory to a different location.
Currently that value looks like:
/afs/home.example.com/users/t/jsmith
We'd like to map it to something along the lines of:
/users/jsmith
If anyone could please point me in the right direction on how to do this,
it would be much appreciated.
Cheers, Dan
Ldap performance : help needed
by Jonas Kellens
Hello list,
I have the following rules in /etc/openldap/slapd.conf for about 250
users (cust1 -> cust250).
This is an extract for user 'cust22' and user 'cust23':
access to dn.regex="ou=tbook[12345],ou=contacten,ou=cust22,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by * none break
access to dn.one="ou=tbook1,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=cust22,dc=mydomain" read
access to dn.one="ou=tbook2,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=cust22,dc=mydomain" read
access to dn.one="ou=tbook3,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=cust22,dc=mydomain" read
access to dn.one="ou=tbook4,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=cust22,dc=mydomain" read
access to dn.one="ou=tbook5,ou=contacten,ou=cust22,dc=mydomain"
        by group.exact="cn=admins,ou=cust22,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=cust22,dc=mydomain" read
access to dn.regex="ou=tbook[12345],ou=contacten,ou=cust23,dc=mydomain" attrs=children
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by * none break
access to dn.one="ou=tbook1,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook1,ou=gebruikers,ou=cust23,dc=mydomain" read
access to dn.one="ou=tbook2,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook2,ou=gebruikers,ou=cust23,dc=mydomain" read
access to dn.one="ou=tbook3,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook3,ou=gebruikers,ou=cust23,dc=mydomain" read
access to dn.one="ou=tbook4,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook4,ou=gebruikers,ou=cust23,dc=mydomain" read
access to dn.one="ou=tbook5,ou=contacten,ou=cust23,dc=mydomain"
        by group.exact="cn=admins,ou=cust23,dc=mydomain" write
        by group.exact="cn=tbook5,ou=gebruikers,ou=cust23,dc=mydomain" read
I notice a huge lack of performance (slow response times) once there
are more than about 100 users. There are quite a lot of access rules in
slapd.conf at that point.
There are about 8 seconds between query and response:
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 fd=13 ACCEPT from IP=xx.xx.xx.xx:1046 (IP=0.0.0.0:389)
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" method=128
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 BIND dn="cn=Ucust23,ou=cust23,dc=mydomain" mech=SIMPLE ssf=0
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 op=0 RESULT tag=97 err=0 text=
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 op=1 SRCH base="dc=mydomain" scope=2 deref=0 filter="(&(telephoneNumber=*)(sn=t*))"
Sep 3 14:57:05 slap01 slapd[12908]: conn=1001 op=1 SRCH attr=cn sn telephoneNumber
Sep 3 14:57:13 slap01 slapd[12908]: conn=1001 op=1 SEARCH RESULT tag=101 err=0 nentries=1 text=
Sep 3 14:57:13 slap01 slapd[12908]: conn=1001 op=2 ABANDON msg=2
Sep 3 14:57:13 slap01 slapd[12908]: conn=1001 op=3 UNBIND
Sep 3 14:57:13 slap01 slapd[12908]: conn=1001 fd=13 closed
Question: how can I get better performance? How can I adapt my
access rules for better performance?
Thanks !
Kind Regards,
Jonas.
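The rule set above grows to six "access to" clauses per customer, so with 250 customers slapd walks up to 1500 clauses for every entry it has to check, and the logged search is a subtree search over the whole suffix. The fragment below is an added example, not from the thread: it collapses the per-customer rules into two regex rules for all customers by capturing the customer name in the <what> DN and substituting it into the group DN with the "expand" style documented in slapd.access(5). It assumes every customer OU is named cust<number> and that the admins and tbookN groups are laid out exactly as in the posted rules; the index lines are an assumption about attributes that are not indexed yet.

```conf
# slapd.conf fragment (added example): two rules instead of six per customer.
# Regex <what> clauses match the normalized DN, so anchor them with ^ and $
# and keep them lowercase like the posted rules. "$1"/"$2" are the
# parenthesized groups of the <what> regex, expanded into the group DN.

# Rule 1: the "children" pseudo-attribute of every tbook OU (adding/deleting
# entries under it). Same "by * none break" as before, so later rules still apply.
access to dn.regex="^ou=tbook[12345],ou=contacten,ou=(cust[0-9]+),dc=mydomain$" attrs=children
        by group.expand="cn=admins,ou=$1,dc=mydomain" write
        by * none break

# Rule 2: the entries one level below each tbook OU (all the dn.one rules).
# "[^,]+" stands in for dn.one: exactly one RDN, assuming no RDN value
# contains an escaped comma.
access to dn.regex="^[^,]+,ou=(tbook[12345]),ou=contacten,ou=(cust[0-9]+),dc=mydomain$"
        by group.expand="cn=admins,ou=$2,dc=mydomain" write
        by group.expand="cn=$1,ou=gebruikers,ou=$2,dc=mydomain" read

# The logged search, base="dc=mydomain" filter="(&(telephoneNumber=*)(sn=t*))",
# is evaluated against every candidate entry unless the filter attributes are
# indexed (assumption: they are not yet). Without these, the ACLs above are
# run for every entry in the suffix, not just the one that matches.
index   sn              eq,sub
index   telephoneNumber pres,eq
```

Regex rules are not free either: slapd still runs the two regexes against each entry it evaluates, so the win comes from replacing a linear scan of hundreds of clauses with two, and from the indexes shrinking the candidate set before any ACL is consulted. Check the result with `slapacl -b <entry dn> -D <group member dn>` for an admin and for a tbookN member before rolling it out, since one mis-anchored regex grants or denies access for every customer at once.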
Re: (ITS#7274) delta-syncrepl MMR infinite loop - like issue?
by Quanah Gibson-Mount
--On Thursday, September 25, 2014 2:46 PM +0200 Francesco Malvezzi
<francesco.malvezzi(a)unimore.it> wrote:
> During the setup of a mirror mode cluster, I enabled the syncprov after
> building the mirror.
>
> So maybe I run into ITS#7274:
> http://www.openldap.org/its/index.cgi/Documentation?id=7274;selectid=7274;statetype=-1
>
> delta-syncrepl fails with:
> 1) ABANDON log messages on provider;
> 2) matching "delta-sync lost" log messages on consumer.
>
> Do I understand correctly: provider needs contextCSN value for SID=0 in
> order to have delta-syncrepl working?
No, that is not correct. ITS#7274 was invalid, and had to do very
specifically with the way in which I wrote a script to promote a
stand-alone master to MMR mode. It does not apply to your situation. More
likely, you would be hitting
<http://www.openldap.org/its/index.cgi/?findid=7849>.
--Quanah
--
Quanah Gibson-Mount
Server Architect
Zimbra, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
undefined reference to gnutls_certificate_get_x509_cas -HELP
by lux-integ
Greetings
I am trying to compile openldap-2.4.39 on machine with linux (amd64 cpu) and
gnutls-3.3.8. I passed
--with-tls=gnutls to the configure options.
The 'make' ends in failure with the errors:
" undefined reference to gnutls_certificate_get_x509_cas"
" undefined reference to gcry_control"
It compiles if I remove the --with-tls=gnutls option
but I want to use gnutls.
I would be grateful for some help.
Yours sincerely
luxInteg
Syncrepl authentication via GSSAPI/SASL/Kerberos
by Steven Presser
Hi,
I'm running a pair of OpenLDAP servers on a network which primarily uses
Kerberos for authentication. The two servers replicate data (via a
simple syncrepl master-slave setup). Right now, they're using simple
authentication. I'd like to move them to using Kerberos authentication.
I've successfully gotten them to the point where the Kerberos
authentication (appears) to succeed. However, replication doesn't
happen, with the mysterious error "findbase failed! 32". I have found no
mention of this error, other than a couple of permissions-related
reports. I double-checked my permissions, so it's not that.
I've copied the relevant portions of my slapd.conf below and would be happy
to provide more if required. I also have a syslog excerpt below.
Does anyone know what I should be looking at next, or have an example of
a functional setup similar to what I've described?
Thanks,
Steve
Functioning syncrepl config:
syncrepl rid=1
        provider=ldap://ldap1.pressers.name/
        type=refreshAndPersist
        retry="60 30 300 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=simple
        binddn="cn=repl,dc=pressers,dc=name"
        credentials="SOMEPASSWORD"
Config which fails mysteriously:
syncrepl rid=1
        provider=ldap://ldap1.pressers.name/
        type=refreshAndPersist
        retry="60 30 300 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=sasl
        saslmech=GSSAPI
Finally, an excerpt for syslog on the master when the client attempts to
connect:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 fd=18 ACCEPT from
IP=10.0.0.3:57149 (IP=0.0.0.0:389)
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=0 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 1
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=0 RESULT tag=97 err=14
text=SASL(0): successful result:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=1 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 2
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=1 RESULT tag=97 err=14
text=SASL(0): successful result:
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND dn="" method=163
Sep 30 13:11:09 hawking slapd[1620]: GSSAPI server step 3
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND
authcid="ldap/mordor.pressers.name" authzid="ldap/mordor.pressers.name"
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 BIND
dn="uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth" mech=GSSAPI
sasl_ssf=56 ssf=56
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=2 RESULT tag=97 err=0
text=
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SRCH
base="dc=pressers,dc=name" scope=2 deref=0 filter="(objectClass=*)"
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SRCH attr=* +
Sep 30 13:11:09 hawking slapd[1620]: findbase failed! 32
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=3 SEARCH RESULT
tag=101 err=32 nentries=0 text=
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 op=4 UNBIND
Sep 30 13:11:09 hawking slapd[1620]: conn=1005 fd=18 closed
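The log above is the key: the GSSAPI bind succeeds, but the identity it produces is "uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth", not the "cn=repl,dc=pressers,dc=name" DN that the working simple-bind configuration uses and that the provider's ACLs presumably trust. slapd answers a search whose base the bound identity may not read with err=32 (noSuchObject) rather than disclosing that the entry exists, and syncprov's base lookup for the consumer logs that as "findbase failed! 32". The fragment below is an added example, not from the thread: it maps the consumer's service principal onto the existing replication DN on the provider and grants that DN the access replication needs. DNs are taken from the post; the ACL and limits lines are assumptions about a provider config we cannot see.

```conf
# --- provider (hawking) slapd.conf fragment (added example) ---
# Map the SASL-derived DN, exactly as it appears in the log (no realm
# component), onto the replication DN the ACLs were written for. The match
# is a regex; the replacement is a literal DN.
authz-regexp
        "^uid=ldap/mordor.pressers.name,cn=gssapi,cn=auth$"
        "cn=repl,dc=pressers,dc=name"

# The replication identity must read everything, including the base entry
# and operational attributes (the consumer asks for attr=* +), with no size
# or time limits. Assumption: the existing ACLs do not already do this.
limits  dn.exact="cn=repl,dc=pressers,dc=name" size=unlimited time=unlimited
access to *
        by dn.exact="cn=repl,dc=pressers,dc=name" read
        by * none break

# --- consumer (mordor) slapd.conf fragment: the failing config, typos fixed ---
syncrepl rid=1
        provider=ldap://ldap1.pressers.name/
        type=refreshAndPersist
        retry="60 30 300 +"
        searchbase="dc=pressers,dc=name"
        bindmethod=sasl
        saslmech=GSSAPI

# Check from the consumer host with the same credentials slapd uses:
#   ldapwhoami  -Y GSSAPI -H ldap://ldap1.pressers.name/
#     -> must print dn:cn=repl,dc=pressers,dc=name once authz-regexp is in place
#   ldapsearch  -Y GSSAPI -H ldap://ldap1.pressers.name/ -s base -b dc=pressers,dc=name 1.1
#     -> must return the base entry, not "No such object (32)"
```

If ldapwhoami still reports the cn=gssapi,cn=auth form, the regex did not match: compare it character by character with the BIND dn="..." line slapd logs, since a realm component ("cn=pressers.name" between the uid and cn=gssapi) appears whenever the principal's realm is not the default. Mapping one exact principal, rather than "uid=ldap/.*", keeps any other host's ldap/ service key from inheriting the replication identity.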