Virtual list view problem
by Venish Khant
Hi all
I am using the CPAN Net::LDAP module to access LDAP entries. I want to
search LDAP entries using the Net::LDAP search method. When I search, I
want a limited number of entries from the search result, and for
this (searching) process I am using the Net::LDAP::Control::VLV module. But
I get an error on the VLV response control. Please, does anyone have an idea about
this error?
Error: Died at vlv.pl line 50
This is my example; line 50 is the one marked below.
#!/usr/bin/perl -w
use strict;
use Net::LDAP;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw( LDAP_CONTROL_VLVRESPONSE );
use Net::LDAP::Control::Sort;

# Callback invoked by Net::LDAP once per entry in the search result
sub procentry {
    my ( $mesg, $entry ) = @_;
    # Return if there is no entry to process (called once more at the end)
    return if !defined($entry);
    print "dn: " . $entry->dn() . "\n";
    foreach my $attr ( $entry->attributes() ) {
        # asref => 1 returns all values of a multi-valued attribute
        my $attrvalue = $entry->get_value( $attr, asref => 1 );
        foreach my $value ( @$attrvalue ) {
            print "$attr: $value\n";
        }
    }
    $mesg->pop_entry;   # discard the entry so the result does not keep it in memory
    print "\n";
}

my $ldap = Net::LDAP->new( "localhost" ) or die "cannot connect: $@";

# Get the first 20 entries
my $vlv = Net::LDAP::Control::VLV->new(
    before  => 0,    # No entries from before target entry
    after   => 19,   # 19 entries after target entry
    content => 0,    # List size unknown
    offset  => 1,    # Target entry is the first
);
# VLV is only valid together with a server-side sort control
my $sort = Net::LDAP::Control::Sort->new( order => 'cn' );
my @args = (
    base     => "dc=example,dc=co,dc=in",
    scope    => "subtree",
    filter   => "(objectClass=inetOrgPerson)",
    callback => \&procentry,          # Call this sub for each entry
    control  => [ $sort, $vlv ],
);
my $mesg = $ldap->search( @args );
# Get VLV response control -- this is line 50 of vlv.pl, where the script dies
my ($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control (search result: " . $mesg->error . ")";
$vlv->response( $resp );

# Set the control to get the last 20 entries
$vlv->end;
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control (search result: " . $mesg->error . ")";
$vlv->response( $resp );

# Now get the previous page
$vlv->scroll_page( -1 );
$mesg = $ldap->search( @args );
# Get VLV response control
($resp) = $mesg->control( LDAP_CONTROL_VLVRESPONSE )
    or die "no VLV response control (search result: " . $mesg->error . ")";
$vlv->response( $resp );

# Now page with first entry starting with "B" in the middle
$vlv->before(9);    # Change page to show 9 before
$vlv->after(10);    # Change page to show 10 after
$vlv->assert("B");  # assert "B"
$mesg = $ldap->search( @args );
--
Venish Khant
www.deeproot.co.in
7 years
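The script above dies at that line because $mesg->control() returned no VLV response control, and a bare "or die" hides why. The following is an added example, not code from the original post: it first asks the root DSE whether the server advertises the server-side sort and VLV controls (on OpenLDAP both are provided by the sssvlv overlay), sends the two controls as critical so an unsupported control fails the search with a result code instead of being silently ignored, and inspects the sort result control before the VLV response. Host, bind DN, password and base DN are assumed placeholder values.

```perl
#!/usr/bin/perl
# Added example (not from the original post): diagnose why a VLV search
# comes back without a VLV response control.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Control::Sort;
use Net::LDAP::Control::VLV;
use Net::LDAP::Constant qw(
    LDAP_CONTROL_SORTREQUEST LDAP_CONTROL_SORTRESULT
    LDAP_CONTROL_VLVREQUEST  LDAP_CONTROL_VLVRESPONSE
    LDAP_SUCCESS
);

# Assumed values: adjust host, bind DN, password and base to your directory.
my $host   = 'localhost';
my $binddn = 'cn=reader,dc=example,dc=co,dc=in';   # assumption
my $passwd = 'secret';                              # assumption
my $base   = 'dc=example,dc=co,dc=in';

my $ldap = Net::LDAP->new($host) or die "cannot connect to $host: $@";
my $mesg = $ldap->bind($binddn, password => $passwd);
$mesg->code and die "bind failed: " . $mesg->error;

# 1. Does the server advertise both controls in its root DSE?
#    VLV is only valid together with server-side sort (RFC 2891);
#    on OpenLDAP both are supplied by the sssvlv overlay.
my $dse = $ldap->root_dse or die "cannot read root DSE";
for my $oid (LDAP_CONTROL_SORTREQUEST, LDAP_CONTROL_VLVREQUEST) {
    printf "%-28s %s\n", $oid,
        $dse->supported_control($oid) ? "supported" : "NOT advertised";
}

# 2. Send the controls as critical: an unsupported critical control makes
#    the search fail with unavailableCriticalExtension instead of being
#    dropped, which is what leaves a non-critical VLV request unanswered.
my $sort = Net::LDAP::Control::Sort->new(order => 'cn', critical => 1);
my $vlv  = Net::LDAP::Control::VLV->new(
    before => 0, after => 19, content => 0, offset => 1, critical => 1,
);

$mesg = $ldap->search(
    base    => $base,
    scope   => 'subtree',
    filter  => '(objectClass=inetOrgPerson)',
    attrs   => ['cn'],
    control => [ $sort, $vlv ],
);
$mesg->code == LDAP_SUCCESS
    or die sprintf "search failed: %s (%d)\n", $mesg->error, $mesg->code;

# 3. Look at the sort result first: if sorting failed there is no VLV
#    response to read, and the sort result code says why.
my ($sortres) = $mesg->control(LDAP_CONTROL_SORTRESULT);
printf "sort result code: %s\n",
    $sortres ? $sortres->result : "no sort result control returned";

my ($resp) = $mesg->control(LDAP_CONTROL_VLVRESPONSE)
    or die "server returned no VLV response control\n";
$vlv->response($resp);
printf "VLV result=%d targetOffset=%d contentCount=%d\n",
    $resp->result, $resp->targetOffset, $resp->contentCount;
print "dn: ", $_->dn, "\n" for $mesg->entries;
```

If step 1 reports the controls as not advertised, the server simply does not implement them for this database and no client-side change will make the response control appear; with the critical flag set, step 2 then fails loudly instead of returning an unsorted, unpaged result.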
ACL to allow all but one OU
by Olaf Hopp
Hi listers,
I have ~40 departments in several ou's and I need an ACL to allow
access for one user to all but one OU.
I do not want to forbid that ou in question and thus implicitly allow all the others.
I want to formulate this explicitly, so I can directly see what is allowed.
Moreover, the names of the ou's are very similar to each other, something like:
ou=aaaa,dc=...
ou=abaa,dc=...
ou=bbaa,dc=...
ou=bbbb,dc=...
and suppose I want to disallow access to the ou=abaa.
I ended up with two ACLs:
the first one to forbid ou=abaa:
access to dn.sub=ou=abaa,dc=.... \
attrs=entry
by dn=uid=foo,dc=.... none
by * break
and then allowing access to all ou's with
access to dn.regex=ou=[^,]+,dc=... \
attrs=....
by dn=uid=foo,dc=...
by * break
Is it possible to formulate this with just one ACL?
I tried something like "ou=!abaa" with just the second ACL but failed.
Then I tried ou=[^a][^b][^a][^a]
but this also matches ou=bbbb, to which uid=foo should have access.
Thanks, Olaf
--
Karlsruher Institut für Technologie (KIT)
ATIS - Technical Infrastructure Department, Faculty of Informatics
Dipl.-Geophys. Olaf Hopp
- Head of IT Services -
Am Fasanengarten 5, Building 50.34, Room 009
76131 Karlsruhe
Phone: +49 721 608-43973
Fax: +49 721 608-46699
E-Mail: Olaf.Hopp(a)kit.edu
atis.informatik.kit.edu
www.kit.edu
KIT - University of the State of Baden-Württemberg and National Research Center of the Helmholtz Association
KIT has been certified as a family-friendly university since 2010.
7 years, 9 months
Replication speed and data sizing (mdb)
by Brian Wright
We are using 2.4.39. I realize there are newer versions available, but
at the time when we started our LDAP project, this was the version
available.
We are testing n-way master replication along with a large number of
records using lmdb. Here's the config:
* 8 way replication with 8 nodes (each node having 7 other connections)
* 50k records
* Inserting the records into one cluster node to replicate to all the rest
The problems observed:
* Some nodes are faster at replication than others. In general, the
time to complete replication is slower than expected. In my test
environment I found that 50k records can take up to 2 hours for some
nodes to complete. The fastest nodes complete in 1.5 hours. Because
these records are brand new insertions, delta based replication
wouldn't help here.
* When the replication is completed, some of the data.mdb files are
larger than others (sometimes by an order of magnitude).
We would like to understand the reason behind these two problems above.
First, the replication system seems unusually slow. Second, we need to
understand why the data.mdb file grows sometimes far larger on one node
than the rest of the nodes. For example, in our production environment,
while most nodes were around 1GB in data size, one node stored in excess
of 40GB in data.mdb. In my testing lab, the 50k record insertion left
most nodes with a data.mdb size of 150MB. On one of the nodes, the data
size was 262MB.
Note that I've also tried alternative replication connectivity
approaches to attempt to reduce the number of connections per server,
but that did not improve replication performance or the varying data
sizes in the end.
If updating to a newer version helps resolve the above observed
problems, please let me know.
Any tuning or debugging advice here would be appreciated.
Thanks.
--
Brian Wright
Sr. UNIX Systems Engineer
901 Mariners Island Blvd Suite 200
San Mateo, CA 94404 USA
Email brianw(a)marketo.com
Phone +1.650.539.3530
www.marketo.com
7 years, 9 months
search with a wildcard works, with exactly matching string it doesn't
by Gregory House
Hi
If I run a query against my directory with this filter:
"(myDeviceId=ZZZ-07430.08.12345678*)"
it returns a match showing precisely that myDeviceId =
"ZZZ-07430.08.12345678"
If I use this filter, without the wildcard and just the actual value
"(myDeviceId=ZZZ-07430.08.12345678)"
it returns no match.
Even if I change the attribute value to something very simple like "x" I
still need to include a wildcard in my filter to get any match.
This works however:
"(myDeviceId:caseExactMatch:=ZZZ-07430.08.12345678)"
What gives here?
The specific attribute is defined in the schema file as follows:
attributetype ( 1.3.6.1.4.1.36200.255.0.17
NAME 'myDeviceId'
DESC 'Identifies a device'
SUP uid
EQUALITY caseExactMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
SINGLE-VALUE
)
I am no expert, but this makes no sense to me. I feel I am missing
something, but what?
I am using openldap on CentOS 6 and working via command-line tools (e.g.
ldapsearch). The backend is mdb if that matters.
# rpm -qa | grep openldap
openldap-clients-2.4.39-8.el6.x86_64
openldap-2.4.39-8.el6.x86_64
openldap-servers-2.4.39-8.el6.x86_64
Thanks for any ideas/suggestions.
Best,
GH
7 years, 10 months
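The three filters in the post are not three spellings of the same question: a client encodes them as three different filter choices, and the server evaluates each with a different matching rule. The following is an added example, not code from the original post. Its first part runs offline and shows which choice each filter string becomes; the second part asks the server's subschema which EQUALITY and SUBSTR rules actually apply to myDeviceId, following the SUP uid inheritance (the host is an assumed placeholder). One common cause of "equality fails, substring and :rule:= work" worth checking alongside this is an equality index on the attribute that was built before the EQUALITY rule was changed; that is a hypothesis about this setup, not a diagnosis, and is resolved by rebuilding the index with slapindex.

```perl
#!/usr/bin/perl
# Added example (not from the original post): show which filter choice and
# which matching rule each filter form selects for myDeviceId.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Filter;

my $value = 'ZZZ-07430.08.12345678';

# 1. Offline: parse each filter the way a client encodes it on the wire.
#    A Net::LDAP::Filter object is a hash with a single key naming the
#    ASN.1 Filter choice (equalityMatch, substrings, extensibleMatch, ...).
my %expect_rule = (
    equalityMatch   => 'the attribute\'s EQUALITY rule (caseExactMatch here)',
    substrings      => 'the attribute\'s SUBSTR rule (inherited from uid)',
    extensibleMatch => 'the rule named in the filter, caseExactMatch',
);
for my $f ("(myDeviceId=$value)",
           "(myDeviceId=$value*)",
           "(myDeviceId:caseExactMatch:=$value)") {
    my $filter = Net::LDAP::Filter->new($f) or die "cannot parse filter $f";
    my ($choice) = keys %$filter;
    printf "%-45s -> %-15s evaluated with %s\n",
        $f, $choice, $expect_rule{$choice} // 'an unexpected rule';
}

# 2. Online (assumed host): read the subschema and report the rules the
#    server really uses. matchingrule_for_attribute() walks the SUP chain,
#    so a rule missing on myDeviceId but present on uid is reported too.
my $host   = 'localhost';                                  # assumption
my $ldap   = Net::LDAP->new($host) or die "cannot connect to $host: $@";
my $schema = $ldap->schema or die "cannot fetch subschema subentry";
my $at     = $schema->attribute('myDeviceId')
    or die "myDeviceId is not in the server's published schema";

my $sup = $at->{sup};
printf "SUP      %s\n", !defined $sup ? '(none)'
                      : ref $sup      ? join(',', @$sup) : $sup;
for my $kind (qw(equality substr ordering)) {
    my $rule = $schema->matchingrule_for_attribute('myDeviceId', $kind);
    printf "%-8s %s\n", uc $kind, defined $rule ? $rule : '(none, not even inherited)';
}
```

Seeing EQUALITY reported as caseExactMatch and SUBSTR as caseIgnoreSubstringsMatch confirms that the equality and wildcard searches take different code paths on the server; if an equality index exists for the attribute (olcDbIndex in cn=config, or "index" in slapd.conf) it is used only by the first of them.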
I want to use memberof overlay but I do not have a clue on how to even look at it.
by Eliezer Croitoru
I want to use memberof overlay but I do not have a clue on how to even
look at it.
I have tried to use this:
http://www.schenkels.nl/2013/03/how-to-setup-openldap-with-memberof-overl...
which kind of worked and it has added something to my database.
Now I have tried to run some search but either I am doing something
wrong or the memberof is not loaded.
So first, how do I check that it is loaded?
I was thinking about :
ldapsearch -x -H ldap:/// -b cn=module
but again I am unsure since it won't give results.
I am trying to use memberof for squid to match a group membership.
Any hints or directions to understand it?
I understand the basics of LDAP but this is something above basic LDAP.
Thanks,
Eliezer
7 years, 10 months
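Searching "cn=module" as a base does not work because the module entries live under cn=config, which on most distributions is only readable by root over the ldapi socket. The following is an added example, not code from the original post: it binds with SASL EXTERNAL over ldapi, checks olcModuleLoad for the memberof module, looks for an olcMemberOf overlay entry attached to a database, and finally requests memberOf for one user. The socket path, base DN and uid are assumed placeholders. Two points the example is built around: memberOf is an operational attribute, so it is returned only when asked for by name, and the overlay only maintains it for group changes made after it was enabled, so groups that existed earlier show nothing until they are re-added.

```perl
#!/usr/bin/perl
# Added example (not from the original post): verify that the memberof
# overlay is loaded and that memberOf is actually populated.
use strict;
use warnings;
use Net::LDAP;
use Net::LDAP::Util qw(escape_filter_value);
use Authen::SASL;

# Assumptions: slapd listens on a local ldapi socket and root may read
# cn=config via SASL EXTERNAL (the Debian/Ubuntu default); adjust to taste.
my $ldapi = 'ldapi://%2fvar%2frun%2fslapd%2fldapi';   # assumption
my $base  = 'dc=example,dc=com';                      # assumption
my $uid   = 'alice';                                  # assumption

my $ldap = Net::LDAP->new($ldapi) or die "cannot open $ldapi: $@";
my $mesg = $ldap->bind(sasl => Authen::SASL->new(mechanism => 'EXTERNAL'));
$mesg->code and die "SASL EXTERNAL bind failed: " . $mesg->error;

# 1. Is the module loaded? olcModuleLoad lists every dynamic module.
$mesg = $ldap->search(
    base   => 'cn=config',
    filter => '(objectClass=olcModuleList)',
    attrs  => ['olcModuleLoad'],
);
$mesg->code and die "cn=config search failed: " . $mesg->error;
my @modules = map { $_->get_value('olcModuleLoad') } $mesg->entries;
print "loaded modules: @modules\n";
print "memberof module: ", (grep { /memberof/ } @modules) ? "yes" : "NO", "\n";

# 2. Is the overlay attached to a database? Its config entry carries the
#    objectClass olcMemberOf (under olcOverlay=memberof,olcDatabase=...).
$mesg = $ldap->search(
    base   => 'cn=config',
    filter => '(objectClass=olcMemberOf)',
    attrs  => [qw(olcMemberOfGroupOC olcMemberOfMemberAD olcMemberOfMemberOfAD)],
);
$mesg->code and die "overlay search failed: " . $mesg->error;
if ($mesg->count) {
    for my $e ($mesg->entries) {
        print "overlay entry: ", $e->dn, "\n";
        print "  $_: ", join(',', $e->get_value($_)), "\n" for $e->attributes;
    }
} else {
    print "memberof overlay is NOT configured on any database\n";
}

# 3. Does a user entry carry memberOf? It is operational, so request it
#    explicitly. The uid is escaped so the filter cannot be altered by
#    special characters in an attacker-controlled username.
$mesg = $ldap->search(
    base   => $base,
    filter => '(uid=' . escape_filter_value($uid) . ')',
    attrs  => ['memberOf'],
);
$mesg->code and die "user search failed: " . $mesg->error;
for my $e ($mesg->entries) {
    my @groups = $e->get_value('memberOf');
    print $e->dn, ": ", (@groups ? join("\n  ", '', @groups) : "no memberOf values"), "\n";
}
```

For the squid use case the third search is the one that matters: if it prints "no memberOf values" while steps 1 and 2 succeed, the groups were populated before the overlay was enabled and need to be re-added (or the members re-added) so the overlay can back-fill the attribute.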
Increasing memory usage on successive LMDB reads
by Rohit Girdhar
Hi
I'm using LMDB (original C interface) to store and read some data. However,
I notice that my resident memory usage (RES in `htop`) keeps rising with
each call to mdb_get with unique keys. It does not change if I do a
repeated call to mdb_get with a key I've used before.
It looks like mdb_get is caching the reads, but I want to make sure what
effect it is really having on my system. Is there some way to limit the
amount of memory lmdb can use for this? Or is it something strange that
should not be happening?
Thanks
Rohit
7 years, 10 months
Slapd-meta and multiple uri
by Nicolas RENAULT
Hello,
I have a problem with meta and multiple URIs:
Two AD servers
opensuse 13.1
openldap 2.4.39 (installed from repo)
I made a meta backend that works, but when I configure it I use this
directive, trying to make a failover configuration:
uri ldap://172.17.150.47:3268/ou=AD,ou=TOUT,dc=example,dc=fr
ldap://172.17.150.48:3268/
It works like a charm until 172.17.150.47 goes down --> slapd never tries to
contact 172.17.150.48 ...
slapd.conf ( relevant part )
----------------------------------------------------------
network-timeout 1
timeout 3
idletimeout 10
writetimeout 10
database meta
suffix "ou=AD,ou=TOUT,dc=example,dc=fr"
uri ldap://172.17.150.47:3268/ou=AD,ou=TOUT,dc=example,dc=fr
ldap://172.17.150.48:3268/
suffixmassage "ou=AD,ou=TOUT,dc=example,dc=fr" "dc=example,dc=fr"
idassert-bind bindmethod=simple
binddn="cn=xxxxxx,cn=Users,dc=example,dc=fr" credentials=<secret> mode=none
idassert-authzFrom "dn.regex:.*"
--------------------------------------------------------------
I searched on the list and found this:
http://www.openldap.org/lists/openldap-technical/201208/msg00231.html
(one post on the thread, I read all of them)
The problem is exactly the same: if I start slapd and 172.17.150.47 is not
present (iptables OUTPUT drop or reject), it never asks 172.17.150.48 (tcpdump
on the interface of the slapd server)
in http://www.openldap.org/lists/openldap-technical/201208/msg00247.html
(same thread)
Howard Chu :
Sounds like you should file an ITS.
Pierangelo: looking at libldap/request.c and libldap/.open.c, it appears that
request.c:ldap_new_connection() expects open.c:ldap_int_open_connection() to
return -2 on an asynch open, but ldap_int_open_connection() unconditionally
returns 0. This is probably interfering with back-meta's urllist_proc.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
So I looked at ITS 7372
http://www.openldap.org/its/index.cgi/Incoming?id=7372;selectid=7372
But there are no answers, and no trace in the changelog.
Is something wrong in my conf (if so, tell me what), and if not, can one
of the devs take a look at the problem?
Thanks and have a good day.
Nicolas
7 years, 10 months
Re: Integrate LDAP in Hadoop
by Dieter Klünter
On Fri, 31 Jul 2015 14:23:27 +0500,
Aneela Saleem <aneela(a)platalytics.com> wrote:
> But my directory is already running.
>
> What do you mean by object class=person is not part of published LDAP?
That's been a mental error, I was thinking of objectclass=user.
If your directory is running, what is your problem?
I have integrated Hadoop and Jenkins into my directory without any
problems.
You should probably run slapd in debugging mode while trying to connect
hadoop to the directory.
-Dieter
>
> Regards,
> Aneela Saleem
> On Jul 31, 2015 11:48 AM, "Dieter Klünter" <dieter(a)dkluenter.de>
> wrote:
>
> > On Thu, 30 Jul 2015 20:06:44 +0500,
> > Aneela Saleem <aneela(a)platalytics.com> wrote:
> >
> > > Hi all,
> > >
> > > I want to integrate LDAP in my HDFS, i have changed core-site.xml
> > > Attached is my core-site.xml file.
> > >
> > > Can anyone please send me complete steps, how to integrate LDAP
> > > with HDFS ?
> > >
> > > i have followed this link:
> > >
> > > http://hortonworks.com/blog/hadoop-groupmapping-ldap-integration/
> > >
> > > but the *services.ldif *file is missing in the link.
> >
> > Get your directory running first, and then you may attach hadoop
> > to this directory.
> > Please note that objectclass=person is not part of a published LDAP
> > schema.
> >
> > -Dieter
> >
> > --
> > Dieter Klünter | Systems Consulting
> > http://sys4.de
> > GPG Key ID: E9ED159B
> > 53°37'09,95"N
> > 10°08'02,42"E
> >
> >
--
Dieter Klünter | Systems Consulting
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
7 years, 10 months
ldap proxy to AD - UnicodePwd: attribute type undefined
by Meike Stone
Hello
I've installed an openldap as a proxy in a DMZ for authentication
forwarding to an Active Directory.
The proxy is used by a VPN gateway.
That all works very well, but password change from the client fails with
the following error:
slapd[30661]: conn=1001 op=5 do_modify
slapd[30661]: conn=1001 op=5 do_modify: dn (cn=XPTEST5,ou=Users,dc=myorg,dc=net)
slapd[30661]: >>> dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>
slapd[30661]: <<< dnPrettyNormal: <cn=TEST5,ou=Users,dc=myorg,dc=net>,
<cn=xptest5,ou=users,dc=myorg,dc=net>
slapd[30661]: conn=1001 op=5 modifications:
slapd[30661]: delete: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: add: UnicodePwd
slapd[30661]: one value, length 26
slapd[30661]: conn=1001 op=5 MOD dn="cn=TEST5,ou=Users,dc=myorg,dc=net"
slapd[30661]: conn=1001 op=5 MOD attr=UnicodePwd UnicodePwd
slapd[30661]: send_ldap_result: conn=1001 op=5 p=3
slapd[30661]: send_ldap_result: err=17 matched="" text="UnicodePwd:
attribute type undefined"
slapd[30661]: send_ldap_response: msgid=6 tag=103 err=17
slapd[30661]: conn=1001 op=5 RESULT tag=103 err=17 text=UnicodePwd:
attribute type undefined
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
slapd[30661]:
slapd[30661]: daemon: epoll: listen=7 active_threads=0 tvp=zero
slapd[30661]: daemon: activity on 1 descriptor
slapd[30661]: daemon: activity on:
As I understand it, UnicodePwd is a proprietary "standard" MS attribute
in AD to store the password, but the RFC attribute is userPassword.
Is it possible to get the proxy to process this MOD request, maybe by
having the openldap proxy pass the MOD operation with the attribute
UnicodePwd from the VPN gateway straight through?
I use openldap 2.4.40, here is my configuration:
==============================================================
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/rfc2307bis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
modulepath /usr/lib/openldap/modules
moduleload back_ldap
disallow bind_anon
require authc
TLSCACertificateFile /etc/openldap/certs/myorg.net.root.pem
TLSCertificateFile /etc/openldap/certs/proxy1.myorg.net.pem
TLSCertificateKeyFile /etc/openldap/certs/proxy1.myorg.net.pem.key
TLSVerifyClient never
TLSCipherSuite ALL:!DH:!EDH
database ldap
security tls=256
rebind-as-user yes
suffix "dc=myorg,dc=net"
uri "ldap://dc1.myorg.net ldap://dc2.myorg.net"
tls start
tls_cacert=/etc/openldap/certs/adroot.pem
chase-referrals no
protocol-version 3
loglevel -1
==============================================================
Thanks for help!!
Meike
7 years, 10 months