
Net::LDAP update failure when using Authen::SASL GSSAPI authentication


John Perkins

Nov 5, 2010, 2:57:21 PM
to perl...@perl.org
I've got a script here at our site to sync user data in our OpenLDAP
server with a number of data sources. I've recently run across a
problem when trying to add some UUID data to certain groups on our LDAP
server.

We have 3 groups with >550 members in them (2 of the 3 are over 1000
members). I'm trying to populate that group with memberUid and
apple-group-memberguid data for each member of the group. The smaller
group of the three results in an LDIF file 1198 lines long.

The script is written in Perl and attempts to modify group data using
Net::LDAP connecting via a secure LDAP (ldaps, port 636) connection
using Kerberos GSSAPI authentication.

The bug I've run across: when I try to add the apple-group-memberguid
data (done by generating a Perl array with all the UUID strings, then
trying to replace the apple-group-memberguid field of the group entry
with the generated array via Net::LDAP->replace()), the operation will
hang with no sign of a connection on the LDAP server.

Updates of smaller groups (1-200 members) in this fashion work fine.
Updates done connecting via the rootdn of the LDAP server succeed fine,
even for the larger groups. I can generate an LDIF file and use ldapadd
to add the data via a GSSAPI-authenticated connection with no trouble.
Trying to do this add from within Perl and Net::LDAP will hang, though.

I have attempted to set the sizelimit to "unlimited" on the LDAP server
with no effect.

Has anyone else seen such a problem before? Any suggestions for where
to go from here?

--
=========================================================================
John Perkins | University of Wisconsin-Madison
Researcher | Department of Computer Science
jo...@cs.wisc.edu | 1210 W. Dayton St.
608-262-0438/608-262-6626 FAX | Madison, WI 53706-1685
=========================================================================

John Perkins

Nov 5, 2010, 3:07:02 PM
to perl...@perl.org
On 11/05/2010 01:57 PM, John Perkins wrote:
> I've got a script here at our site to sync user data in our OpenLDAP
> server with a number of data sources. I've recently run across a
> problem when trying to add some UUID data to certain groups on our
> LDAP server.

As a follow-up:

We're using Perl 5.8.8 with Authen::SASL 2.15 and Net::LDAP 0.4001.

John

John

Feb 13, 2012, 1:43:05 PM
to perl...@perl.org
I know this is an old entry, but was this ever resolved?
I'm seeing a similar issue doing an "add". It only occurs over SSL and in
groups/entries larger than ~250 attributes. Add of an LDIF using an ldapmodify
works fine over SSL, as does changing the connection to not use SSL (but not an
option) or truncating the entry.

I had a similar issue many years ago and it ended up being an issue on the Sun
Proxy with the BER size. I'm seeing this hang on both ODSEE 11.x and OpenDJ
2.4x. Also running from both RH4 and RH5 standard Perl and perl-ldap modules.



Quanah Gibson-Mount

Feb 14, 2012, 3:40:37 PM
to John, perl...@perl.org
--On Monday, February 13, 2012 6:43 PM +0000 John <jawag...@yahoo.com>
wrote:

> I know this is an old entry, but was this ever resolved?
> I'm seeing a similar issue doing an "add". It only occurs over SSL and in
> groups/entries larger than ~250 attributes. Add of an LDIF using an
> ldapmodify works fine over SSL, as does changing the connection to not
> use SSL (but not an option) or truncating the entry.

Are you using the latest perl-ldap (0.44)?

--Quanah


--

Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration