Virtual list view problem
by Venish Khant
Hi all,
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I do a search, I
want a limited number of entries from the search result; for this
(searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example. Line 50 is marked with a comment below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Search callback: print every attribute of each entry as it arrives
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    my @attrs = $entry->attributes();
    foreach my $attr (@attrs) {
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value (@$attrvalue) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;    # drop the entry from the result; it has been printed
    print "\n";
}

my $ldap = Net::LDAP->new("localhost") or die "$@";
# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,     # No entries from before target entry
    after   => 19,    # 19 entries after target entry
    content => 0,     # List size unknown
    offset  => 1,     # Target entry is the first
);
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,        # Call this sub for each entry
    control  => [ $sort, $vlv ],    # VLV must be sent together with a sort control
);
my $mesg = $ldap->search(@args);
# Get VLV response control
my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;    # <-- line 50, where the script dies
$vlv->response($resp);
# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now get the previous page
$vlv->scroll_page(-1);
$mesg = $ldap->search(@args);
# Get VLV response control
($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE) or die;
$vlv->response($resp);
# Now page with first entry starting with "B" in the middle
$vlv->before(9);      # Change page to show 9 before
$vlv->after(10);      # Change page to show 10 after
$vlv->assert("B");    # assert "B"
$mesg = $ldap->search(@args);
--
Venish Khant
www.deeproot.co.in
7 years, 4 months
OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock
Some time ago I created the dynalogin ( http://www.dynalogin.org )
solution for two-factor authentication.
I'm just contemplating how to make it easier to integrate, and making it
convenient to use with OpenLDAP seems like a good strategy: can anyone
comment on that?
The initial thoughts that I have about the subject:
- SASL based solution (dynalogin has digest capability already, so it
could be adapted for SASL PLAIN or DIGEST-MD5)
- should not prevent password logins (user should be able to use either
password or HOTP code)
- should enable people to use it indirectly (e.g. if someone already has
pam_ldap working, they should be able to add dynalogin to their OpenLDAP
server and get immediate benefit)
- use cases: UNIX login, high-security webmail login, VPN and OpenID
provider backed by OpenLDAP
I know that SASL already supports OTP, but that is not HOTP, it is OPIE
(or S/Key) RFC 2289:
http://tools.ietf.org/html/rfc2289
whereas HOTP is RFC 4226:
http://www.ietf.org/rfc/rfc4226.txt
HOTP is considered more secure and more widely implemented.
8 years, 3 months
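Since the post contrasts SASL's RFC 2289 OTP with HOTP (RFC 4226), here is what an HOTP validator on the directory side actually has to compute. This is an added Python example, not code from dynalogin or from the poster; the secret is the RFC 4226 Appendix D test secret, and the look-ahead window size is an assumption chosen for the demo.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter, dynamic
    truncation on the low nibble of the last byte, then the low `digits`
    decimal digits, zero padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24      # clear the sign bit
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % 10 ** digits).zfill(digits)


def verify_hotp(secret: bytes, candidate: str, counter: int, window: int = 5):
    """Validator-side check. `counter` is the next value the server expects for
    this token. The code is accepted if it matches any counter in
    [counter, counter + window), which resynchronises a token whose button was
    pressed a few times without a login (window=5 is an assumed policy value).
    Returns the new counter the server must persist (one past the match) or
    None. Because the stored counter only moves forward, a captured code can
    not be replayed, and the comparison is constant time."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(hotp(secret, c).encode(), candidate.encode()):
            return c + 1
    return None


# Constructed demo state using the RFC 4226 Appendix D test secret.
RFC4226_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    state = 0
    state = verify_hotp(RFC4226_SECRET, "287082", state)   # counter 1, inside window
    print("next counter:", state)
    print("replay of the same code:", verify_hotp(RFC4226_SECRET, "287082", state))
```

The value returned by verify_hotp is the only thing the server needs to store per user besides the shared secret; storing it in the directory entry and updating it atomically on every successful login is what makes the scheme resistant to replay.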
Fwd: 2.4.40 memory leak?
by Sergey Esin
Hi all,
We're running OpenLDAP 2.4.40 (the latest available release) with just one
replica server (connected via TLS) and have the following picture -
http://i.imgur.com/om0lMiy.png
On the graph you can see the memory consumption of the slapd process on the
host: in the beginning it started without a replica, then the replica server was
connected (memory consumption rose to around 4 GB) and then the OOM
(out-of-memory) killer on the Linux machine killed the process.
There are ~400 000 users in our LDAP database.
OpenLDAP was compiled from sources using "./configure --prefix=/ldap2440
--with-tls --enable-slapd".
Are there any ways to understand what is going wrong and how to fix it?
This server is really important for us, please share any ideas how to make
it stable!
My DB_CONFIG is like below:
set_flags DB_LOG_AUTOREMOVE
set_cachesize 0 524288000 5
set_lg_regionmax 1048576
set_lg_max 10485760
set_lg_bsize 2097512
set_lk_max_locks 23000
set_lk_max_lockers 2300
set_lk_max_objects 2300
--
Regards,
Sergey
8 years, 5 months
can't change ldap user passwd by self
by rockwang
Hi guys,
I just set up an OpenLDAP server, compiled with the following command.
./configure --prefix=/opt/openldap
--enable-overlays=mod
--enable-dynamic=yes
--enable-modules=yes
--enable-ppolicy=yes
slapd.conf is as below:
include /opt/openldap/etc/openldap/schema/core.schema
include /opt/openldap/etc/openldap/schema/cosine.schema
include /opt/openldap/etc/openldap/schema/inetorgperson.schema
include /opt/openldap/etc/openldap/schema/nis.schema
include /opt/openldap/etc/openldap/schema/openldap.schema
include /opt/openldap/etc/openldap/schema/ppolicy.schema
pidfile /opt/openldap/var/run/slapd.pid
argsfile /opt/openldap/var/run/slapd.args
access to attrs=userPassword
by self write
by anonymous auth
by dn.base="cn=Manager,dc=abc,dc=com"
by * none
access to *
by self write
by dn.base="cn=Manager,dc=abc,dc=com"
by * read
by * none
database bdb
suffix "dc=abc,dc=com"
rootdn "cn=Manager,dc=abc,dc=com"
rootpw 12345678
directory /opt/openldap/var/openldap-data
index cn,sn,uid pres,eq,approx,sub
index objectClass eq
loglevel -1
My question is that the user can't change his own password. I use the following command
and get a different result.
When not adding -x:
Is there an error in my config file about the ACL? I have set pwdReset to true.
I need help. Thanks.
8 years, 5 months
LMDB and HP-UX Itanium
by Kristian Amlie
I'm wondering if the LMDB database has been tested on HP-UX with the
Itanium processor? We are trying to use the database there and are
seeing strange errors that don't occur on other platforms. Examples are
assertions when trying to do cross process access and values not making
it into the database correctly.
I can provide more details, but I thought I would ask about the current
status first.
--
Kristian
8 years, 5 months
[lmdb] MDB_BAD_DBI error upon mdb_txn_commit (newbie question)
by HLaw
Dear list,
I am new to lmdb and my apologies if this is on something obvious.
I encountered the MDB_BAD_DBI error in a simple single process,
multi-threaded program using lmdb. The scenario is :
* One thread doing a relatively long write transaction
mdb_txn_begin -> mdb_dbi_open on several databases -> (write) ->
mdb_txn_commit
* Another thread (or other threads) of the same process doing short
read-only transactions
mdb_txn_begin -> mdb_dbi_open on some of the databases above ->
(read) -> mdb_txn_commit
As per the advice in the document I do not close the database directly.
Also the environment created / opened is shared by all threads, being in
the same process.
All is fine when these threads execute separately, but if the read
transaction thread(s) open the database and commit within the time span
of the write transaction in another thread, the above error occurs upon
attempt to commit the write transaction.
I have done a search on the MDB_BAD_DBI error and noticed the commit below.
https://gitorious.org/mdb/mdb/commit/0401f2deed75a83d2de790b8a1313e1792e5...
Upon a brief look into this and the source of lmdb, my understanding is
that the error is due to the increment of lmdb's internal sequence
numbers of the database kept by the environment (by the read thread when
the read transaction commits). When the write thread subsequently tries
to commit, the database sequence number kept privately by the write
transaction (copied from the environment when the transaction began)
does not match that of the environment, causing the error.
To avoid this in a single process multi-threaded environment, it seems
that no read transactions could commit on databases while they are
involved in a write transaction, i.e. I need to complete all read
transactions before a write transaction on the same database could
begin. Alternatively, to have concurrent read transactions with a
write transaction, the read transactions have to take place in a
separate process (such that they would not share the same environment
and be caught by the above error).
I would be grateful if anyone could kindly enlighten me on whether this
understanding is correct, or if I am doing something contrary to how
lmdb should be used.
Thank you very much.
- H Law
8 years, 5 months
Very slow ldapsearch
by Saša-Stjepan Bakša
Hi,
A year ago we tested OpenLDAP with back_mdb and it was fantastic. Search
worked like a charm. The database was filled with 20 million users and search
returned some 20 k results per second (my colleague did the test).
Now we need that setup for some tests and we encountered a very slow response:
one search for user data with some aliased data needs 8 to 20 seconds to be
retrieved.
ldapsearch -h 10.14.252.104 -p 389 -D cn=admin,dc=spr -w test -s sub -a
always -b num=1234563123,dc=num,dc=SPR ObjectClass=*
num=1234563123,dc=num,dc=SPR is alias to uid
aliasedObjectName: uid=1234563123,ds=USERS,o=STANDARD,dc=spr
We build our OpenLDAP from git source. We have tried newer as well as older
versions and see no change.
Hardware: SuperMicro, 2x quad core, 32 GB RAM, RAID 10 storage.
HP blade, 2x quad core, 64 GB RAM, storage 2 disks in mirror.
Results are the same and do not depend on hardware.
Openldap ver:
root@centdevel openldap# git log
commit 68d9aa207f51b4d1ef29bb9876e7da8c7eaf0eee
Author: Quanah Gibson-Mount <quanah(a)openldap.org>
Date: Tue Apr 8 21:16:52 2014 -0500
ITS#7430, ITS#6359
OS is CentOS 6.4 (also tried on CentOS 6.6).
mdb config part is:
[root@spr2 cn=config]# cat olcDatabase\=\{1\}mdb.ldif
# AUTO-GENERATED FILE - DO NOT EDIT!! Use ldapmodify.
# CRC32 2c245069
dn: olcDatabase={1}mdb
objectClass: olcDatabaseConfig
objectClass: olcMdbConfig
olcDatabase: {1}mdb
olcDbDirectory: /opt/openldap/var/openldap-data
olcSuffix: dc=spr
olcAccess: {0}to attrs=userPassword,shadowLastChange by self write by anonymous auth by dn="cn=admin,dc=spr" write by * none
olcAccess: {1}to attrs=shadowLastChange by self write by * read
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to * by self write by dn="cn=admin,dc=spr" write by * read
olcLastMod: TRUE
olcRootDN: cn=admin,dc=spr
olcRootPW:: xyzdgsdsadeew
olcDbCheckpoint: 4096 10
olcDbNoSync: TRUE
olcDbIndex: objectClass eq
olcDbIndex: uid eq
olcDbIndex: num eq
olcDbIndex: numx eq
olcDbIndex: Username eq
olcDbIndex: entryCSN eq
olcDbIndex: entryUUID eq
olcDbIndex: contextCSN eq
olcDbMaxSize: 16106127360
structuralObjectClass: olcMdbConfig
entryUUID: 21ac150c-6b30-1034-9009-81396a683c5e
creatorsName: cn=admin,cn=config
createTimestamp: 20150330135513Z
entryCSN: 20150330135513.544218Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20150330135513Z
MDB database stat:
[root@spr2 openldap]# /opt/openldap/sbin/mdb_stat
/opt/openldap/var/openldap-data/ -e -rr -a
Environment Info
Map address: (nil)
Map size: 16106127360
Page size: 4096
Max pages: 3932160
Number of pages used: 1523336
Last transaction ID: 16058165
Max readers: 126
Number of readers used: 0
Reader Table Status
(no active readers)
0 stale readers cleared.
(no active readers)
Status of Main DB
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 11
Status of ad2i
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 38
Status of contextCSN
Tree depth: 0
Branch pages: 0
Leaf pages: 0
Overflow pages: 0
Entries: 0
Status of dn2i
Tree depth: 4
Branch pages: 2937
Leaf pages: 333338
Overflow pages: 0
Entries: 16000069
Status of entryCSN
Tree depth: 3
Branch pages: 3
Leaf pages: 307
Overflow pages: 0
Entries: 8000034
Status of entryUUID
Tree depth: 3
Branch pages: 259
Leaf pages: 62932
Overflow pages: 0
Entries: 8000034
Status of id2e
Tree depth: 4
Branch pages: 4446
Leaf pages: 1000005
Overflow pages: 0
Entries: 8000034
Status of numx
Tree depth: 3
Branch pages: 128
Leaf pages: 22295
Overflow pages: 0
Entries: 2000004
Status of num
Tree depth: 3
Branch pages: 129
Leaf pages: 22325
Overflow pages: 0
Entries: 2000004
Status of objectClass
Tree depth: 1
Branch pages: 0
Leaf pages: 1
Overflow pages: 0
Entries: 29
Status of Username
Tree depth: 0
Branch pages: 0
Leaf pages: 0
Overflow pages: 0
Entries: 0
Status of uid
Tree depth: 3
Branch pages: 34
Leaf pages: 7883
Overflow pages: 0
Entries: 1000004
Build config:
make clean
./configure --enable-hdb=no \
--enable-bdb=no \
--enable-monitor=yes \
--prefix=/opt/openldap \
--enable-local=yes \
--enable-accesslog=yes \
--enable-syncprov=yes \
--enable-debug=yes
make depend
make #STRIP=''
rm -r /opt/openldap/etc/openldap/schema
make install #STRIP=''
Removing debug has no effect.
Do you have any hint for us?
Br
Sasa
8 years, 5 months
Multiple programs not able to read LMDB concurrently
by Sravan Kumar Reddy Javaji
Hello Everyone,
I am trying to access the same LMDB source using multiple programs at the same
time. I set max_readers to 2 at the time the environment was created by the
first program, but still the second program is not able to read the LMDB. Could
someone please let me know how I could implement this feature?
-
Thanks and Regards,
Sravan
8 years, 6 months
disable logins with ACLs
by Igor Shmukler
Hello,
I am trying to disable user logins for expired trial users.
After searching online, finally found a useful thread from this very
list archived http://www.openldap.org/lists/openldap-technical/201111/msg00165.html
I accidentally tried to mess with the userPassword hash, but it did not work for me.
Since in that thread Michael showed/shared a better way to achieve the
same goal of disabling users with ACLs, I am trying to copy his
method.
I attempted to follow Michael's example. It has not worked yet. Below
is my script:
dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write by * none
olcAccess: {1}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write by anonymous auth
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write by * none
olcAccess: {2}to dn.base="" by * read
olcAccess: {3}to *
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write
  by * none
olcAccess: {4}to *
  filter=(&(objectClass=inetOrgPerson)(!(serviceLevel=suspended)))
  by self write
  by dn="cn=admin,dc=directory,dc=apple,dc=com" write
  by dn="cn=config" write
  by * read
Currently, ldapmodify(1) is failing with an implementation specific
error, likely due to messed-up syntax or something. The additional
info: <olcAccess> handler exited with 1
Michael's example is not written for OLC, so I managed to do something
wrong. Any ideas?
Thank you,
Igor Shmukler
8 years, 6 months
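Two of the threads above come down to checking what the server and the LDIF actually say before blaming the ACL or the client: the VLV thread (a missing VLV response control usually means the server never advertised the server-side sort and VLV request controls in its root DSE; in OpenLDAP they come from the slapo-sssvlv overlay), and this olcAccess thread (a multi-line olcAccess value is only one value if every continuation line starts with a space, otherwise ldapmodify sees stray lines and the handler fails). This is an added Python example, not code from either poster or from OpenLDAP; the root DSE and the two modify snippets are constructed samples, and the OIDs are the registered ones for the server-side sort (1.2.840.113556.1.4.473) and VLV request (2.16.840.1.113730.3.4.9) controls. It implements one small RFC 2849 reader and applies it to both checks.

```python
import base64
import re

# Registered OIDs of the two request controls a VLV search needs
SERVER_SIDE_SORT_OID = "1.2.840.113556.1.4.473"
VLV_REQUEST_OID = "2.16.840.1.113730.3.4.9"

# RFC 2849 "attr: value" or "attr:: base64value" (the "attr:< url" form is not handled)
ATTR_LINE = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?) ?(.*)$")


def unfold_ldif(text: str):
    """Join RFC 2849 continuation lines (one leading space) onto the preceding
    line; drop comments, blank lines and the '-' separator of change records."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif not raw.strip() or raw.startswith("#") or raw == "-":
            continue
        else:
            lines.append(raw)
    return lines


def parse_record(text: str):
    """Return (attrs, suspicious). attrs maps the lower-cased attribute name to
    its values (base64 values decoded). suspicious collects unfolded lines that
    are not 'attr: value'; that is exactly what an ACL continuation line looks
    like once its leading space has been lost."""
    attrs, suspicious = {}, []
    for line in unfold_ldif(text):
        m = ATTR_LINE.match(line)
        if not m:
            suspicious.append(line)
            continue
        name, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        attrs.setdefault(name.lower(), []).append(value)
    return attrs, suspicious


def vlv_support(root_dse_ldif: str):
    """Report which of the two controls a VLV search needs the server advertises."""
    attrs, _ = parse_record(root_dse_ldif)
    ctrls = set(attrs.get("supportedcontrol", []))
    return {"sort": SERVER_SIDE_SORT_OID in ctrls, "vlv": VLV_REQUEST_OID in ctrls}


# Constructed sample of what `ldapsearch -x -s base -b '' supportedControl` prints
ROOT_DSE = """dn:
supportedControl: 1.2.840.113556.1.4.319
supportedControl: 1.2.840.113556.1.4.473
supportedControl: 2.16.840.1.113730.3.4.9
"""

# Constructed modify: continuation lines WITHOUT the leading space ...
BROKEN_MODIFY = """dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
by dn="cn=config" write by * none
"""

# ... and the same value folded correctly. Two spaces: the first is the fold
# marker and is removed, the second survives as the separator inside the ACL.
FOLDED_MODIFY = """dn: olcDatabase={3}hdb,cn=config
changetype: modify
replace: olcAccess
olcAccess: {0}to attrs=userPassword,shadowLastChange
  filter=(&(objectClass=inetOrgPerson)(serviceLevel=suspended))
  by dn="cn=config" write by * none
"""

if __name__ == "__main__":
    print("server controls:", vlv_support(ROOT_DSE))
    for label, ldif in (("broken", BROKEN_MODIFY), ("folded", FOLDED_MODIFY)):
        attrs, bad = parse_record(ldif)
        print(label, "olcAccess values:", attrs.get("olcaccess"))
        for line in bad:
            print(label, "line is not 'attr: value':", line)
```

Run against real data, feed vlv_support the output of a base-scope search of the empty DN, and feed parse_record the LDIF you are about to pass to ldapmodify; an empty suspicious list and a single olcAccess value per {n} index is what a correctly folded file produces.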
sane ppolicy choices
by Igor Shmukler
Hello,
I am trying to implement a trial [period] for new customers, using the
OpenLDAP password policy overlay.
I was thinking about setting a combination of pwdMaxAge, pwdMustChange
and pwdAllowUserChange.
Basically, the best idea I have had is to set MaxAge to the length of the
trial [in seconds]; then if a user changes the password while in trial
mode, calculate MaxAge as (trial_length - time_passed), and at the
end set MustChange to true and AllowUserChange to false [until the
trial has been converted].
Is that a sane policy? Should I be doing something totally different?
Please advise.
Sincerely,
Igor Shmukler
8 years, 6 months