openldap-technical March 2015

openldap-technical@openldap.org

51 participants
70 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

Fwd: 2.4.40 memory leak?
by Sergey Esin 17 Apr '15

17 Apr '15

Hi all, We're running OpenLDAP 2.4.40 (the latest available release) with just one replica server (connected via TLS) and have the following picture - http://i.imgur.com/om0lMiy.png On the graph you can see memory consumption of the slapd process on the host: in the beginngin it started without replica, then replica server was connected (memory consumption became around 4 Gigs) and then OOM (out-of-memory) killer on linux machine just killed the process. There are ~400 000 users in our ldap database. OpenLDAP was compiled from sources using "./configure --prefix=/ldap2440 --with-tls --enable-slapd". Are there any ways to understand what's is going wrong and how to fix it? This server is really important for us, please share any ideas how to make it stable! My DB_CONFIG is like below: set_flags DB_LOG_AUTOREMOVE set_cachesize 0 524288000 5 set_lg_regionmax 1048576 set_lg_max 10485760 set_lg_bsize 2097512 set_lk_max_locks 23000 set_lk_max_lockers 2300 set_lk_max_objects 2300 -- Regards, Sergey

2 4

can't chang ldap user passwd by self
by rockwang 13 Apr '15

13 Apr '15

hi,guys I just setup a openldap server via compile command as following. ./configure --prefix=/opt/openldap --enable-overlays=mod --enalbe-dynamic=yes --enable-modules=yes --enable-ppolicy=yes slapd.conf as below include /opt/openldap/etc/openldap/schema/core.schema include /opt/openldap/etc/openldap/schema/cosine.schema include /opt/openldap/etc/openldap/schema/inetorgperson.schema include /opt/openldap/etc/openldap/schema/nis.schema include /opt/openldap/etc/openldap/schema/openldap.schema include /opt/openldap/etc/openldap/schema/ppolicy.schema pidfile /opt/openldap/var/run/slapd.pid argsfile /opt/openldap/var/run/slapd.args access to attrs=userPassword by self write by anonymous auth by dn.base="cn=Manager,dc=abc,dc=com" by * none access to * by self write by dn.base="cn=Manager,dc=abc,dc=com" by * read by * none database bdb suffix "dc=abc,dc=com" rootdn "cn=Manager,dc=abc,dc=com" rootpw 12345678 directory /opt/openldap/var/openldap-data index cn,sn,uid pres,eq,approx,sub index objectClass eq loglevel -1 my question is user can't change his own password. I use following command so I have different result. when not add -x is there error in my config file about acl. I have set pwdRest is true. I need help. thks

4 6

LMDB and HP-UX Itanium
by Kristian Amlie 08 Apr '15

08 Apr '15

I'm wondering if the LMDB database has been tested on HP-UX with the Itanium processor? We are trying to use the database there and are seeing strange errors that don't occur on other platforms. Examples are assertions when trying to do cross process access and values not making it into the database correctly. I can provide more details, but I thought I would ask about the current status first. -- Kristian

3 11

[lmdb] MDB_BAD_DBI error upon mdb_txn_commit (newbie question)
by HLaw 08 Apr '15

08 Apr '15

Dear list, I am new to lmdb and my apologies if this is on something obvious. I encountered the MDB_BAD_DBI error in a simple single process, multi-threaded program using lmdb. The scenario is : * One thread doing a relatively long write transaction mdb_txn_begin -> mdb_dbi_open on several database -> (write) -> mdb_txn_commit * Another thread (or other threads) of the same process doing short read-only transactions mdb_txn_begin -> mdb_dbi_open on some of the database above -> (read) -> mdb_txn_commit As per the advice in the document I do not close the database directly. Also the environment created / opened is shared by all threads, being in the same process. All is fine when these threads execute separately, but if the read transaction thread(s) open the database and commit within the time span of the write transaction in another thread, the above error occurs upon attempt to commit the write transaction. I have done a search on the MDB_BAD_DBI error and noticed the commit below. https://gitorious.org/mdb/mdb/commit/0401f2deed75a83d2de790b8a1313e1792e5a0… Upon a brief look into this and the source of lmdb, my understanding is that the error is due to the increment of lmdb's internal sequence numbers of the database kept by the environment (by the read thread when the read transaction commits). When the write thread subsequently tries to commit, the database sequence number kept privately by the write transaction (copied from the environment when the transaction began) does not match that of the environment, causing the error. To avoid this in a single process multi-threaded environment, it seems that no read transactions could commit on databases while they are involved in a write transaction, i.e. I need to complete all read transactions before a write transaction on the same database could begin. Alternatively, to have concurrent read transactions with a write transaction, the read transactions have to take place in a separate process (such that they would not share the same environment and caught by the above error). Grateful if anyone could kindly enlighten me on whether the understanding is correct, or if I am doing something contrary to the how lmdb should be used. Thank you very much. - H Law

4 5

Very slow ldapserach
by Saša-Stjepan Bakša 07 Apr '15

07 Apr '15

Hi, Year ago we have tested openldap with back_mdb and it was fantastic. Search worked as a charm. Database was filled with 20 mil. users and serach returned some 20 k results per sec (my colegue did the test). Now we need that setup for some tests and we encountered very slow response - 1 search for user data with some aliased data need 8 to 20 seconds to be retrieved. ldapsearch -h 10.14.252.104 -p 389 -D cn=admin,dc=spr -w test -s sub -a always -b num=1234563123,dc=num,dc=SPR ObjectClass=* num=1234563123,dc=num,dc=SPR is alias to uid aliasedObjectName: uid=1234563123,ds=USERS,o=STANDARD,dc=spr We build our openldap from git source. We have tried new as older versions as well and no change is seen. Hardware: SuperMicro, 2xQuad core, 32 GB RAM, RAID 10 storage. HP blade 2xQuad core, 64 GB RAM sorage 2 disks in mirror. Results are the same and not depending on hardware. Openldap ver: root@centdevel openldap# git log commit 68d9aa207f51b4d1ef29bb9876e7da8c7eaf0eee Author: Quanah Gibson-Mount <quanah(a)openldap.org> Date: Tue Apr 8 21:16:52 2014 -0500 ITS#7430, ITS#6359 OS is Centos 6.4 (also tryed on Centos 6.6)numx mdb config part is: [root@spr2 cn=config]# cat olcDatabase\=\{1\}mdb.ldif # AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify. # CRC32 2c245069 dn: olcDatabase={1}mdb objectClass: olcDatabaseConfig objectClass: olcMdbConfig olcDatabase: {1}mdb olcDbDirectory: /opt/openldap/var/openldap-data olcSuffix: dc=spr olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymou s auth by dn="cn=admin,dc=spr" write by * none olcAccess: {1}to attrs=shadowLastChange by self write by * read olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * by self write by dn="cn=admin,dc=spr" write by * read olcLastMod: TRUE olcRootDN: cn=admin,dc=spr olcRootPW:: xyzdgsdsadeew olcDbCheckpoint: 4096 10 olcDbNoSync: TRUE olcDbIndex: objectClass eq olcDbIndex: uid eq olcDbIndex: num eq olcDbIndex: numx eq olcDbIndex: Username eq olcDbIndex: entryCSN eq olcDbIndex: entryUUID eq olcDbIndex: contextCSN eq olcDbMaxSize: 16106127360 structuralObjectClass: olcMdbConfig entryUUID: 21ac150c-6b30-1034-9009-81396a683c5e creatorsName: cn=admin,cn=config createTimestamp: 20150330135513Z entryCSN: 20150330135513.544218Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20150330135513Z MDB database stat: [root@spr2 openldap]# /opt/openldap/sbin/mdb_stat /opt/openldap/var/openldap-data/ -e -rr -a Environment Info Map address: (nil) Map size: 16106127360 Page size: 4096 Max pages: 3932160 Number of pages used: 1523336 Last transaction ID: 16058165 Max readers: 126 Number of readers used: 0 Reader Table Status (no active readers) 0 stale readers cleared. (no active readers) Status of Main DB Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 11 Status of ad2i Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 38 Status of contextCSN Tree depth: 0 Branch pages: 0 Leaf pages: 0 Overflow pages: 0 Entries: 0 Status of dn2i Tree depth: 4 Branch pages: 2937 Leaf pages: 333338 Overflow pages: 0 Entries: 16000069 Status of entryCSN Tree depth: 3 Branch pages: 3 Leaf pages: 307 Overflow pages: 0 Entries: 8000034 Status of entryUUID Tree depth: 3 Branch pages: 259 Leaf pages: 62932 Overflow pages: 0 Entries: 8000034 Status of id2e Tree depth: 4 Branch pages: 4446 Leaf pages: 1000005 Overflow pages: 0 Entries: 8000034 Status of numx Tree depth: 3 Branch pages: 128 Leaf pages: 22295 Overflow pages: 0 Entries: 2000004 Status of num Tree depth: 3 Branch pages: 129 Leaf pages: 22325 Overflow pages: 0 Entries: 2000004 Status of objectClass Tree depth: 1 Branch pages: 0 Leaf pages: 1 Overflow pages: 0 Entries: 29 Status of Username Tree depth: 0 Branch pages: 0 Leaf pages: 0 Overflow pages: 0 Entries: 0 Status of uid Tree depth: 3 Branch pages: 34 Leaf pages: 7883 Overflow pages: 0 Entries: 1000004 Build config: make clean ./configure --enable-hdb=no \ --enable-bdb=no \ --enable-monitor=yes \ --prefix=/opt/openldap \ --enable-local=yes \ --enable-accesslog=yes \ --enable-syncprov=yes \ --enable-debug=yes make depend make #STRIP='' rm -r /opt/openldap/etc/openldap/schema make install #STRIP='' removing debug has no efect Do you have any hint for us? Br Sasa

4 8

Multiple programs not able to read LMDB concurrently
by Sravan Kumar Reddy Javaji 02 Apr '15

02 Apr '15

Hello Everyone, I am trying to access same LMDB source using multiple programs at the same time. I set max_readers to 2 at the time of creating environment by the first program, but still second program is not able to read the LMDB. Could some one please let me know how could I implement this feature? - Thanks and Regards, Sravan

2 2

disable logins with ACLs
by Igor Shmukler 31 Mar '15

31 Mar '15

Hello, I am trying to disable user logins for expired trial users. After searching online, finally found a useful thread from this very list archived http://www.openldap.org/lists/openldap-technical/201111/msg00165.html I accidentally tried to mess with userPassword hash, but it did not work me. Since in that thread Michael showed/shared a better way to achieve the same goal of disabling users with ACLs, I am trying to copy his method. I attempted to follow Michael's example. It has not worked yet. Below is my script: dn: olcDatabase={3}hdb,cn=config changetype: modify replace: olcAccess olcAccess: {0}to attrs=userPassword,shadowLastChange filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended)) by dn="cn=config" write by * none olcAccess: {1}to attrs=userPassword,shadowLastChange filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended))) by self write by anonymous auth by dn="cn=admin,dc=directory,dc=apple,dc=com" write by dn="cn=config" write by * none olcAccess: {2}to dn.base="" by * read olcAccess: {3}to * filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended)) by dn="cn=config" write by * none olcAccess: {4}to * filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended))) by self write by dn="cn=admin,dc=directory,dc=apple,dc=com" write by dn="cn=config" write by * read Currently, ldapmodify(1) is failing with an implementation specific error, likely due to messed-up syntax or something. The additional info: <olcAccess> handler exited with 1 Michael's example is not written for OLC, so I managed to do something wrong. Any ideas? Thank you, Igor Shmukler

1 0

sane ppolicy choices
by Igor Shmukler 31 Mar '15

31 Mar '15

Hello, I am trying to implement a trial [period] for new customers, using the OpenLDAP password policy overlay. I was thinking about setting a combination of pwdMaxAge, pwdMustChange and pwdAllowUserChange. Basically, the best idea I have had is to set MaxAge to the length of trial [in seconds] then in a user changes the password while in trial mode, calculate MaxAge as (trial_length - time_passed), then at the end setting MustChange to true and AllowUserChange to false [until the trial has been converted]. Is that a sane policy? Should I be doing something totally different? Please advise. Sincerely, Igor Shmukler

3 5

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical March 2015