openldap-technical February 2015

openldap-technical@openldap.org

66 participants
63 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

LMDB and HP-UX Itanium
by Kristian Amlie 08 Apr '15

08 Apr '15

I'm wondering if the LMDB database has been tested on HP-UX with the Itanium processor? We are trying to use the database there and are seeing strange errors that don't occur on other platforms. Examples are assertions when trying to do cross process access and values not making it into the database correctly. I can provide more details, but I thought I would ask about the current status first. -- Kristian

3 11

Multiple programs not able to read LMDB concurrently
by Sravan Kumar Reddy Javaji 02 Apr '15

02 Apr '15

Hello Everyone, I am trying to access same LMDB source using multiple programs at the same time. I set max_readers to 2 at the time of creating environment by the first program, but still second program is not able to read the LMDB. Could some one please let me know how could I implement this feature? - Thanks and Regards, Sravan

2 2

nssov not working after upgrading nss-pam-ldapd
by btb＠bitrate.net 17 Mar '15

17 Mar '15

i use the nss and pam stub libraries from nss-pam-ldapd [no nslcd] with nssov. i've just upgraded nss-pam-ldapd from 0.8.13 to 0.9.4. at the moment, i'm using openldap version 2.4.31. after upgrading nss-pam-ldapd, nss and pam stopped working with ldap, and i see this in slapd's debug log: 54acaf72 daemon: activity on 1 descriptor 54acaf72 daemon: activity on:54acaf72 13r54acaf72 54acaf72 daemon: read active on 13 54acaf72 daemon: epoll: listen=7 active_threads=0 tvp=NULL 54acaf72 daemon: epoll: listen=8 active_threads=0 tvp=NULL 54acaf72 connection_get(13) 54acaf72 connection_get(13): got connid=0 54acaf72 daemon: activity on 1 descriptor 54acaf72 daemon: activity on:54acaf72 54acaf72 daemon: epoll: listen=7 active_threads=0 tvp=NULL 54acaf72 daemon: epoll: listen=8 active_threads=0 tvp=NULL 54acaf72 nssov: connection from uid=0 gid=0 54acaf72 nssov: wrong nslcd version id (33554432) how can i find out what nslcd version id is required, and what version is present in each of the components? thanks -ben

3 5

RE24 testing call (2.4.41)
by Quanah Gibson-Mount 02 Mar '15

02 Mar '15

If you know how to build OpenLDAP manually, and would like to participate in testing the next set of code for the 2.4.41 release, please do so. Generally, get the code for RE24: <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> Configure & build. Execute the test suite (via make test) after it is built. Thanks! --Quanah -- Quanah Gibson-Mount Platform Architect Zimbra, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

Case Sensitive Binds
by Bram Cymet 27 Feb '15

27 Feb '15

Hi, I am using openldap 2.4.26. My system ignores case when doing binds: Feb 27 16:08:08 devauth slapd[2437]: conn=2723 op=1 BIND dn="uid=Bcymet(a)cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" method=128 Feb 27 16:08:08 devauth slapd[2437]: => bdb_entry_get: found entry: "uid=bcymet(a)cbnco.com,ou=test_websales_users,dc=ls,dc=cbn" So this happily binds with bcymet(a)cbnco.com or Bcymet(a)cbnco.com and returns the same entry. Is this a configuration error on my part? Is it possible to have case sensitive binds and if so what do I have to change? Thanks, -- Bram Cymet Software Developer Canadian Bank Note Co. Ltd. 613-608-9752

3 2

main: TLS init def ctx failed: -1
by jeevan kc 27 Feb '15

27 Feb '15

Hi all,I followed the TLS directives and was able to generate cacert, servercert and server key and also sign it. I also did the configuration o to /usr/local/etc/openldap/slapd.d/cn=config.ldif: § olcTLSCACertificateFile: /usr/local/etc/openldap/cacert.pem § olcTLSCertificateFile: /usr/local/etc/openldap/servercrt.pem § olcTLSCertificateKeyFile: /usr/local/etc/openldap/serverkey.pem Everything was working fine but when I shut down slapd, it doesn't start and gives me this error daemon: IPv6 socket() failed errno=97 (Address family not supported by protocol)Feb 26 15:28:56 lap00551 slapd[14775]: main: TLS init def ctx failed: -1 Can Someone please tell me what the error is and how I fix the issue? Thanks Jeevan

3 4

openldap 2.4.23 password reset sync issue
by Rakesh Rajasekharan 27 Feb '15

27 Feb '15

Hi There, I am using openldap 2.4.23 and trying to set up mirror mode replciation with 2 masters I have been able to set this up and the sync initially appeared to work fine . However, i noticed that the password resets are not getting synced . I am able to login to one of the master server on which I did the change but not on the other and any of the clients. Heres my slapd.conf serverID 1 database bdb suffix "dc=ldap,dc=qa,dc=test,dc=com" checkpoint 1024 15 rootdn "cn=ldapadmin,dc=ldap,dc=qa,dc=test,dc=com" loglevel 256 sizelimit 500 rootpw secret overlay ppolicy ppolicy_default "cn=default,ou=policies,dc=ldap,dc=qa,dc=test,dc=com" ppolicy_use_lockout ppolicy_hash_cleartext directory /mnt1/ldapdata index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN,entryUUID eq syncrepl rid=001 provider="ldaps://ldap1-test" binddn="uid=syncrepl,ou=People,dc=ldap,dc=qa,dc=test,dc=com" bindmethod=simple credentials="secret" searchbase="dc=ldap,dc=qa,dc=test,dc=com" type=refreshAndPersist interval=00:00:00:10 retry="5 10 60 +" timeout=1 schemachecking=off scope=sub tls_cacert=/etc/openldap/sslcerts/Standby.pem mirrormode true overlay syncprov syncprov-checkpoint 50 10 syncprov-sessionlog 100 any inputs on how can i get through this issue. Thanks, Rakesh

3 3

ldapsearch gives partial results
by Emmanuel Dreyfus 26 Feb '15

26 Feb '15

Hello I have a problem with ldapsearch sometimes returning partial results. The result code is still 0 (success), but the list of object is limited to 63 or 127 (it seems there is a 2^n-1 pattern) items instead of expected 136. It will happen after 10 to 15 requests that return the complete result. The filter is below. It can happen even if only DN are requested (no attributes): (&(|(ou=example1)(ou=example2))(objectClass=netExamplePerson) (!(netExampleHidden=TRUE))(netExempleActive=TRUE)) This is OpenLDAP 2.4.40, BDB 4.8.30. All attributes in the filter are indexed, and it happens after the openldap-data directory has been cleared and everything has been reconstructed from scratch. -- Emmanuel Dreyfus manu(a)netbsd.org

4 8

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical February 2015