openldap-technical May 2015

openldap-technical@openldap.org

47 participants
42 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

nss_ldap: failed to bind to LDAP ser
by Gokan Atmaca 01 Jun '15

01 Jun '15

I installed OpenLDAP. "ldapsearch -x" comes with everything. However, I get an error when I try to connect to the client as follows: Ldapcliet: (/var/log/auth.log) 02:49:58 debian8 nscd: nss_ldap: reconnecting to LDAP server (sleeping 1 seconds)... May 31 02:49:59 debian8 nscd: nss_ldap: could not connect to any LDAP server as (null) - Can't contact LDAP server May 31 02:49:59 debian8 nscd: nss_ldap: failed to bind to LDAP server ldapi://ldap01.gokan.local: Can't contact LDAP server May 31 02:49:59 debian8 nscd: nss_ldap: could not search LDAP server - Server is unavailable ====================== Ldapserver; # ldapsearch -x # extended LDIF # # LDAPv3 # base <dc=gokan,dc=local> (default) with scope subtree # filter: (objectclass=*) # requesting: ALL # # gokan.local dn: dc=gokan,dc=local objectClass: top objectClass: dcObject objectClass: organization o: gokan dc: gokan # admin, gokan.local dn: cn=admin,dc=gokan,dc=local objectClass: simpleSecurityObject objectClass: organizationalRole cn: admin description: LDAP administrator # IT, gokan.local dn: ou=IT,dc=gokan,dc=local objectClass: organizationalUnit objectClass: top ou: IT # Genel, IT, gokan.local dn: cn=Genel,ou=IT,dc=gokan,dc=local gidNumber: 500 cn: Genel objectClass: posixGroup objectClass: top # Gokhan Atmaca, Genel, IT, gokan.local dn: cn=Gokhan Atmaca,cn=Genel,ou=IT,dc=gokan,dc=local cn: Gokhan Atmaca givenName: Gokhan gidNumber: 500 homeDirectory: /home/users/gokhana sn: Atmaca loginShell: /bin/sh objectClass: inetOrgPerson objectClass: posixAccount objectClass: top uidNumber: 1000 uid: gokhana # search result search: 2 result: 0 Success # numResponses: 7 # numEntries: 6 ====================== Listening to the socket. tcp 0 0 0.0.0.0:389 0.0.0.0:* LISTEN 4409/slapd tcp6 0 0 :::389 :::* LISTEN 4409/slapd What could be the problem?

2 1

filling up, flushing and inserting again sometimes fails
by Dominik Taborsky 29 May '15

29 May '15

Hello, I'm playing around with LMDB and I'd like to know more about how it deletes items and reclaims space. I've been having some problems with this lately. For simplicity I'm testing smaller 20MiB DBs with data values of sizes from 40B to 4000B. The test checks all kinds of stuff, but mainly tries to do a few fillups and flushes in short sequence. The first cycle slowly increases the size of the data until the DB is full, then it flushes. Then 10 cycles of fillup-flush of static-sized data follow. For flushing I've been doing both mdb_drop and removing batches of stored data. I've tried batches of sizes between 2 and 100 items. The results differ very much, depending on all these parameters: (only the 10 equal cycles counted): batch:2, data size: 40B first three runs pass, 7 fail batch:50, data size: 40B first three runs pass, 7 fail batch:100, data size: 40B first three runs pass, 7 fail mdb_drop, data size: 40B first run only passes, all other 9 fail batch:20, data size: 400B all runs pass batch:100, data size: 400B all runs pass mdb_drop, data size: 400B all runs pass batch:2, data size: 4000B all runs pass batch:50, data size: 4000B first run only passes, all other 9 fail batch:100, data size: 4000B first run only passes, all other 9 fail mdb_drop, data size: 4000B all odd runs pass, all even runs fail Note: I've implemented a simple protection from hitting MDB_MAP_FULL by some arithmetic over fields in MDB_stat and MDB_envinfo structures. The protection reserves at least 32 pages - every insert checks whether it would violate this reservation and if so returns with an error. I've read through a previous thread[1] which was similar in its nature. From that I gathered I need 3 cleanup commits to reclaim all that space. This would explain why the 4000-byte runs succeeded only when flushing using batches of 2 (about 40 4KB-sized items fit into the DB). But it doesn't explain the 40-byte runs which should all succeed apart from the mdb_drop version. And I have no idea why mdb_drop works well in the 400-byte-sized case. Can anybody shed some light into this for me, please? What can I do about it? I need to provide some guarantee the DB will stay functional after fillup. Thanks, Dominik [1] http://www.openldap.org/lists/openldap-technical/201306/msg00116.html

1 1

H350
by Charles Hindmarsh 27 May '15

27 May '15

Good afternoon I'm new to the Open LDAP software, but I have configured it on a windows server and all looks good. I now need to add a h350 schema to the installation and wondered if anyone had come across or developed a h350 schema file. I did try and follow some instructions found here : http://www.manualslib.com/manual/666642/Tandberg-Vcs.html?page=182 however the process failed under the first instruction : dn: commUniqueld=LeedsMeetingroom1, ou=h350, dc=TTGROUP, dc=com I am able to add other user objects etc, so the LDAP service is working. I am guessing that the dn "commUniqueld" value is misunderstood by openLdap and therefore fails. Any help would be greatly appreciated. Charles Hindmarsh Turner & Townsend Turner & Townsend plc Queen’s Award for Enterprise: International Trade 2014 Construction Consultant of the Year | Building Awards 2014, 2013 Global Consultant of the Year | NCE/ACE Consultants of the Year 2013 Outstanding International Business | British Expertise International Awards 2013 For further information and registration details visit our website http://www.turnerandtownsend.com This email and any attachments (“the email”) is confidential and may also be privileged, is subject to copyright and may be read, copied and used only by the intended recipient. The recipient is responsible for virus checking this email. If you are not the intended recipient please immediately notify us, delete and do not use, disclose, distribute, copy, print or rely on this email or any part of it. Turner & Townsend does not accept any liability for any loss or damage from your receipt or use of this email. Please consider the environment before printing this email.

4 5

hiding a naming context
by Craig White 26 May '15

26 May '15

Back with a further clarification and trying to solve a problem for our programmers. ldapsearch -x -H ldapi:/// -s base -b '' namingContext "*" + -D $ROOTDN -W Enter LDAP Password: # extended LDIF # # LDAPv3 # base <> with scope baseObject # filter: (objectclass=*) # requesting: namingContext * + # # dn: objectClass: top objectClass: OpenLDAProotDSE structuralObjectClass: OpenLDAProotDSE configContext: cn=config namingContexts: cn=accesslog namingContexts: dc=example,dc=com monitorContext: cn=Monitor supportedControl: 1.3.6.1.4.1.4203.1.9.1.1 supportedControl: 2.16.840.1.113730.3.4.18 supportedControl: 2.16.840.1.113730.3.4.2 supportedControl: 1.3.6.1.4.1.4203.1.10.1 supportedControl: 1.2.840.113556.1.4.319 supportedControl: 1.2.826.0.1.3344810.2.3 supportedControl: 1.3.6.1.1.13.2 supportedControl: 1.3.6.1.1.13.1 supportedControl: 1.3.6.1.1.12 supportedExtension: 1.3.6.1.4.1.1466.20037 supportedExtension: 1.3.6.1.4.1.4203.1.11.1 supportedExtension: 1.3.6.1.4.1.4203.1.11.3 supportedExtension: 1.3.6.1.1.8 supportedFeatures: 1.3.6.1.1.14 supportedFeatures: 1.3.6.1.4.1.4203.1.5.1 supportedFeatures: 1.3.6.1.4.1.4203.1.5.2 supportedFeatures: 1.3.6.1.4.1.4203.1.5.3 supportedFeatures: 1.3.6.1.4.1.4203.1.5.4 supportedFeatures: 1.3.6.1.4.1.4203.1.5.5 supportedLDAPVersion: 3 supportedSASLMechanisms: GSSAPI supportedSASLMechanisms: PLAIN supportedSASLMechanisms: LOGIN supportedSASLMechanisms: EXTERNAL entryDN: subschemaSubentry: cn=Subschema # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 So our programmers want me to filter out 'namingContexts: cn=accesslog' for them (please don't ask). # cat naming_context.ldif dn: olcDatabase={-1}frontend,cn=config changetype: modify add: olcAccess olcAccess: {0}to dn.exact="" attrs=namingContext val/distinguishedNameMatch="cn=accesslog transitional" by * none ldapmodify -H ldapi:/// -Y EXTERNAL -f naming_context.ldif SASL/EXTERNAL authentication started SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth SASL SSF: 0 modifying entry "olcDatabase={-1}frontend,cn=config" ldap_modify: Other (e.g., implementation specific) error (80) additional info: <olcAccess> handler exited with 1 Anyone want to hit me with a clue stick so I can hide the 'cn=accesslog' database from my programmers so they don't have to rewrite code?

4 9

How to check the login history of users on openldap
by Peng Yu 25 May '15

25 May '15

Hi, I setup ubuntu servers to use an openldap for login authentication. I want to check who have logged in all the servers. A logic place to check is at the central openldap server. But I am not sure how to do. Could any of you let me know? -- Regards, Peng

3 5

How to add a user with root permission?
by Peng Yu 25 May '15

25 May '15

Hi, I using openldap to manage users of a number of ubnutu servers. But I don't find a way to give users root permission on these servers? Could anybody show me how to do this with openldap? Thanks. -- Regards, Peng

2 2

rfc2252 big integer
by Raffael Sahli 21 May '15

21 May '15

Hi Which syntax should I use if 1.3.6.1.4.1.1466.115.121.1.27 is not big enough? 1.3.6.1.4.1.1466.115.121.1.36? (I don't see a kind of big integer) Thanks -- Raffael Sahli

2 1

openldap: 3+ multi datacentre replication
by hab 19 May '15

19 May '15

Could you share any experience setting-up/expanding (large) ldap server to multi data centres(DC)? What strategy do you use - mesh or ring topology? Looking for examples where 3+ DCs with failover(master/master or master/slave) ldap setup in each DC. Is ring topology better than mesh as ldap has to only deal with less connections? Would be nice if you can mention any scaling issues?

2 1

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical May 2015