openldap-technical June 2015

openldap-technical@openldap.org

50 participants
49 discussions

Virtual list view problem
by Venish Khant 31 May '16

31 May '16

Hi all I am using cpan Net::LDAP module to access LDAP entries. I want to search LDAP entries using Net::LDAP search method. When I do search, I want some limited number of entries from search result, for this(searching) process I am using Net::LDAP::Control::VLV module. But I get error on VLV response control. Please, any one have idea about this error. * Error:* Died at vlv.pl line 50, This is my example. I changed the font style of line 50 #!/usr/bin/perl -w use Net::LDAP; use Net::LDAP::Control::VLV; use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE ); use Net::LDAP::Control::Sort; sub procentry { my ( $mesg, $entry) = @_; # Return if there is no entry to process if ( !defined($entry) ) { return; } print "dn: " . $entry->dn() . "\n"; @attrs = $entry->attributes(); foreach $attr (@attrs) { #printf("\t%s: %s\n", $attr, $entry->get_value($attr)); $attrvalue = $entry->get_value($attr,asref=>1); #print $attr.":". $entry->get_value($attr)."\n"; foreach $value(@$attrvalue) { print "$attr: $value\n"; } } $mesg->pop_entry; print "\n"; } $ldap = Net::LDAP->new( "localhost" ); # Get the first 20 entries $vlv = Net::LDAP::Control::VLV->new( before => 0, # No entries from before target entry after => 19, # 19 entries after target entry content => 0, # List size unknown offset => 1, # Target entry is the first ); my $sort = Net::LDAP::Control::Sort->new( order => 'cn' ); @args = ( base => "dc=example,dc=co,dc=in", scope => "subtree", filter => "(objectClass=inetOrgPerson)", callback => \&procentry, # Call this sub for each entry control => [ $sort, $vlv ], ); $mesg = $ldap->search( @args ); # Get VLV response control *($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die;* $vlv->response( $resp ); # Set the control to get the last 20 entries $vlv->end; $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); # Now get the previous page $vlv->scroll_page( -1 ); $mesg = $ldap->search( @args ); # Get VLV response control ($resp) = $mes # Now page with first entry starting with "B" in the middle $vlv->before(9); # Change page to show 9 before $vlv->after(10); # Change page to show 10 after $vlv->assert("B"); # assert "B" $mesg = $ldap->search( @args );g->control( LDAP_CONTROL_VLVRESPONSE ) or die; $vlv->response( $resp ); -- Venish Khant www.deeproot.co.in

4 11

Problems with openLDAP + GSSAPI + JAVA
by Andreas Laesser 02 Jul '15

02 Jul '15

Hi @all I have a (maybe) a problem with my openldap server authenticating over a JAVA tool (Apache Directory Studio LDAP Browser V2.0.0.v20130628, jXplorer) via GSSAPI. When I do a ldapsearch from command line via GSSAPI it works fine... ~ % klist Ticket cache: FILE:/tmp/krb5cc_1086_lR4Nxxxxrs Default principal: admin(a)SPSC.TUGRAZ.AT Valid starting Expires Service principal 30/06/2015 10:54 02/07/2015 10:54 krbtgt/SPSC.TUGRAZ.AT(a)SPSC.TUGRAZ.AT renew until 10/07/2015 10:54 30/06/2015 10:54 02/07/2015 10:54 ldap/ldap1.spsc.tugraz.at(a)SPSC.TUGRAZ.AT renew until 10/07/2015 10:54 ~ % ldapsearch -H ldaps://ldap1.spsc.tugraz.at -b "dc=SPSC,dc=TUGRAZ,dc=AT" This works well.... but if I try the same from one of the two tools mentioned above it simply not bind or connects.... Does anybody had the same problems, or knows a solution? Thanks for help regards Andreas -- ========================================================================= _____________ / ___________/ Andreas Laesser / //_// /____/ Signal Proc.& Speech Communication Lab. __/ /___/ / __ Graz University of Technology /___//____//___/ Inffeldgasse 16c/EG | A-8010 Graz | Austria http://www.spsc.tugraz.at Tel: +43 (0)316 873 -4443 Fax: DW 104439 =========================================================================

4 4

OpenLDAP and dynalogin (two-factor auth with HOTP)
by Daniel Pocock 29 Jun '15

29 Jun '15

Some time ago I created the dynalogin ( http://www.dynalogin.org ) solution for two-factor authentication. I'm just contemplating how to make it easier to integrate, and making it convenient to use with OpenLDAP seems like a good strategy: can anyone comment on that? The initial thoughts that I have about the subject: - SASL based solution (dynalogin has digest capability already, so it could be adapted for SASL PLAIN or DIGEST-MD5) - should not prevent password logins (user should be able to use either password or HOTP code) - should enable people to use it indirectly (e.g. if someone already has pam_ldap working, they should be able to add dynalogin to their OpenLDAP server and get immediate benefit) - use cases: UNIX login, high-security webmail login, VPN and OpenID provider backed by OpenLDAP I know that SASL already supports OTP, but that is not HOTP, it is OPIE (or S/Key) RFC 2289: http://tools.ietf.org/html/rfc2289 whereas HOTP is RFC 4226: http://www.ietf.org/rfc/rfc4226.txt HOTP is considered more secure and more widely implemented.

5 6

slapo-sock
by Lalot Dominique 26 Jun '15

26 Jun '15

Hello, I am trying to understand how the sock overlay works. I'am partly successfull in getting the entries, so the unix socket is working. What I want to do, is acting as a trigger each time an entry is added I receive the data, but I don't know how to say; "that's OK add it" to mdm backend I just answer "RESULT\n"; So the ldapadd is considered successfull, but in fact no entry is added. Is there a way to do that? I have some difficulties to understand the way it works Thanks Dom

3 10

db_stat find high cpu usage
by Fabián M Sales 26 Jun '15

26 Jun '15

Hello list. I have a server not performing well - openldap shows high cpu usage and iowait of server is high db_stat -h /var/lib/ldap -c 555 Last allocated locker ID 0x7fffffff Current maximum unused locker ID 9 Number of lock modes 1000 Maximum number of locks possible 1000 Maximum number of lockers possible 1000 Maximum number of lock objects possible 40 Number of lock object partitions 10 Number of current locks 645 Maximum number of locks at any one time 18 Maximum number of locks in any one bucket 0 Maximum number of locks stolen by for an empty partition 0 Maximum number of locks stolen for any one partition 141 Number of current lockers 152 Maximum number of lockers at any one time 10 Number of current lock objects 623 Maximum number of lock objects at any one time 6 Maximum number of lock objects in any one bucket 0 Maximum number of objects stolen by for an empty partition 0 Maximum number of objects stolen for any one partition 1237M Total number of locks requested (1237918767) 1237M Total number of locks released (1237917421) 0 Total number of locks upgraded 103 Total number of locks downgraded 492M Lock requests not available due to conflicts, for which we waited (492996269) 1336 Lock requests not available due to conflicts, for which we did not wait 0 Number of deadlocks 0 Lock timeout value 0 Number of locks that have timed out 0 Transaction timeout value 0 Number of transactions that have timed out 736KB The size of the lock region 3685M The number of partition locks that required waiting (135%) 3665M The maximum number of times any partition lock was waited for (108%) 19810 The number of object queue operations that required waiting (0%) 2443M The number of locker allocations that required waiting (58%) 0 The number of region locks that required waiting (0%) 6 Maximum hash bucket length Are the lines in red really correct or just side effects ? How do I go about it ? I can have anything else? Increase cache? How? db_stat -h /var/lib/ldap -m 12MB 514KB 24B Total cache size 1 Number of caches 1 Maximum number of caches 12MB 520KB Pool individual cache size 0 Maximum memory-mapped file size 0 Maximum open file descriptors 0 Maximum sequential buffer writes 0 Sleep after writing maximum sequential buffers 0 Requested pages mapped into the process' address space 788M Requested pages found in the cache (21%) 2867M Requested pages not found in the cache (2867396236) 740 Pages created in the cache 2863M Pages read into the cache (2863007508) 228732 Pages written from the cache to the backing file 2865M Clean pages forced from the cache (2865409816) 206860 Dirty pages forced from the cache 0 Dirty pages written by trickle-sync thread 681 Current total page count 681 Current clean page count 0 Current dirty page count 2053 Number of hash buckets used for page location 1567M Total number of times hash chains searched for a page (1567726752) 6 The longest hash chain searched for a page 597M Total number of hash chain entries checked for page (597110368) 2479M The number of hash bucket locks that required waiting (61%) 2211M The maximum number of times any hash bucket lock was waited for (771%) 73M The number of region locks that required waiting (4%) 0 The number of buffers frozen 0 The number of buffers thawed 0 The number of frozen buffers freed 2867M The number of page allocations (2867487657) 2436M The number of hash buckets examined during allocations (2436374360) 4110 The maximum number of hash buckets examined for an allocation 2867M The number of pages examined during allocations (2867478740) 17 The max number of pages examined for an allocation 76217 Threads waited on page I/O Thanks very Much. -- Firma Institucional *Fabián* *M. Sales *Soporte Técnico & I.T.I Linux *DonWeb * La Actitud Es Todo www.DonWeb.com ------------------------------------------------------------------------ Nota de confidencialidad: Este mensaje y archivos adjuntos al mismo son confidenciales, de uso exclusivo para el destinatario del mismo. La divulgación y/o uso del mismo sin autorización por parte de DonWeb.com queda prohibida. DonWeb.com no se hace responsable del mensaje por la falsificación y/o alteración del mismo. De no ser Ud el destinatario del mismo y lo ha recibido por error, por favor, notifique al remitente y elim?elo de su sistema. Confidentiality Note: This message and any attachments (the message) are confidential and intended solely for the addressees. Any unauthorised use or dissemination is prohibited by DonWeb.com. DonWeb.com shall not be liable for the message if altered or falsified. If you are not the intended addressee of this message, please cancel it immediately and inform the sender Nota de Confidencialidade: Esta mensagem e seus eventuais anexos podem conter dados confidenciais ou privilegiados. Se você os recebeu por engano ou não é um dos destinatários aos quais ela foi endereçada, por favor destrua-a e a todos os seus eventuais anexos ou copias realizadas, imediatamente. É proibida a retenção, distribuição, divulgação ou utilização de quaisquer informações aqui contidas. Por favor, informenos sobre o recebimento indevido desta mensagem, retornando-a para o autor.

2 5

authenticate LDAP to email server
by robert k Wild 26 Jun '15

26 Jun '15

sorry im posting again as my first post i wasnt subscribed to this mailing list but now i am hi all, i have installed dovecot+ postfix email server and a LDAP server, if i create users on the LDAP server can dovecot pick up the usernames and create a mailbox for the individual users as atm if i want to create an email address for users i add the user to the email server and make a directory for the users mailbox and have to chmod and chown also just another question, can i set up mail groups on dovecot? cheers rob -- Regards, Robert K Wild.

3 2

Overlay for applying business logic filters to LDAP modifies/deletes
by Bannister, Mark 26 Jun '15

26 Jun '15

Hi, I'm setting up a new OpenLDAP infrastructure on Solaris, where the directory will be critical and we need to keep a tight control on the changes made to it. The changes will come from an external feed, and as an extra safety measure to protect against software bugs that could otherwise cripple our infrastructure, we would like to put an overlay into the directory server that will make sure that the changes being made to the directory do not break some basic business rules we are defining. The rules will be along these lines: - Do not allow more than 10% of entries underneath a given DIT to be modified in less than a 24 hour period - Entries underneath a given DIT must have a specified list of object classes and attributes defined - Do not permit modrdn under a given DIT - Attribute values match a particular defined set of REs (I can do this with the constraint overlay) - Some critical entries cannot be modified or removed (I can do this with access control lists) - Some attributes not used in the DN must be unique (I can do this with the unique overlay) So I'm ok with the last three, but any suggestions for the first three? Has anyone else implemented similar overlays already? Thanks & regards, Mark Bannister. ________________________________ NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

2 1

Waiting for initial replication to complete
by Bannister, Mark 26 Jun '15

26 Jun '15

Hi, When I first set-up a new OpenLDAP consumer (syncrepl) it can take 5-10 minutes to sync the data from the master server. The script I've written that configures the replica needs to know when the initial full replication is complete. At the moment I'm testing to see if all the top-level containers are in place, and then waiting a little longer, but this seems pretty fragile to me. Is there a more accurate way of determining once the initial syncrepl is complete? Thanks, Mark. ________________________________ NOTICE: Morgan Stanley is not acting as a municipal advisor and the opinions or views contained herein are not intended to be, and do not constitute, advice within the meaning of Section 975 of the Dodd-Frank Wall Street Reform and Consumer Protection Act. If you have received this communication in error, please destroy all electronic and paper copies; do not disclose, use or act upon the information; and notify the sender immediately. Mistransmission is not intended to waive confidentiality or privilege. Morgan Stanley reserves the right, to the extent permitted under applicable law, to monitor electronic communications. This message is subject to terms available at the following link: http://www.morganstanley.com/disclaimers If you cannot access these links, please notify us by reply message and we will send the contents to you. By messaging with Morgan Stanley you consent to the foregoing.

2 1

Remove bdb log files automatically
by PRATIK SINGAL 24 Jun '15

24 Jun '15

Hello Can any one suggest me the configuration to remove the old log files automatically . And also if we will need to set a checkpoint variable in slapd.conf

3 3

Replacement for ldap_sort_entries
by Côme BERNIGAUD 24 Jun '15

24 Jun '15

Hello, I’m trying to get rid of the -DLDAP_DEPRECATED=1 option when building the php-ldap module. For other functions it went fine but the php function ldap_sort is using ldap_sort_entries which is deprecated with no replacement. As I can’t remove ldap_sort from PHP API, I need to find a way to replace this function call if I want to get rid of deprecated calls. I tried copy/pasting the function code to see if I could built it myself but then it complains about incomplete type for LDAPMessage, which seems internal to libldap. Any idea about a replacement for this function? Côme

3 4

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical June 2015