openldap-bugs April 2010

openldap-bugs@openldap.org

45 participants
233 discussions

Re: (ITS#6531) Modify updateref to generate referrals on the backend
by rein＠basefarm.no 26 Apr '10

26 Apr '10

On 04/25/2010 12:49 AM, hyc(a)symas.com wrote: > Also in terms of logical abstraction the current behavior is wrong; the > frontend should of course generate the default_referral responses but > updateref is a per-backend item and should be generated at the backend layer. > Ideally this would all have been fixed to behave correctly by moving all > replication support into an overlay, where it properly belongs. As an interim > step it would be trivial to write an updateref overlay that supersedes the > current updateref behavior. Updateref processing should imo be kept out of any replication modules, it is needed in databases where syncrepl isn't configured too. I'm using it on my subordinate databases (with an artificial updatedn so that slapd accepts it..) when syncrepl is configured on the superior glue database without managing all of the subordinate databases. I.e, the infamous test058... I was having the same "chain only on some of the databases" requirement and is using a patch that allows it. I consider this patch more of a hack than a correct solution, which is why I haven't contributed it. A separate updateref overlay apear to me as the best solution. But for what it's worth, my patch is now in: ftp://ftp.openldap.org/incoming/rein-ITS6531.patch An advantage with this patch over a new overlay is that it should be usable without any configuration changes (provided the chain overlay have already been configured in the databases and found to not work as expected there that is ... ;-). Rein

1 0

Re: (ITS#6531) Modify updateref to generate referrals on the backend
by masarati＠aero.polimi.it 25 Apr '10

25 Apr '10

[snip] >> Although redesigning referral generation in slapd could streamline >> things, >> I don't quite see what issues can't be addressed using a global instance >> of slapo-chain. You can configure referral chasing differently for >> different domains using the chain-uri directive. I favor fixing only >> what's actually broken. > > The request revolves around having different behavior for different > databases. > With a global slapo-chain you cannot turn off referral chasing; URIs that > are > not explicitly configured will still be chased. > > Also in terms of logical abstraction the current behavior is wrong; the > frontend should of course generate the default_referral responses but > updateref is a per-backend item and should be generated at the backend > layer. > Ideally this would all have been fixed to behave correctly by moving all > replication support into an overlay, where it properly belongs. As an > interim > step it would be trivial to write an updateref overlay that supersedes the > current updateref behavior. As I said, I recognize the usefulness of such a change: I first moved replication into an overlay (ITS#4261). I'm questioning its need for the case at hand. Perhaps allowing slapo-chain to ignore some URIs would be easier to implement, and generally useful in other applications. In any case, I might spare some time to revitalize (ITS#4261), now that slurpd is no longer around and thus things simplify significantly. p.

1 0

Re: (ITS#6533) add rid to syncrepl config logs
by masarati＠aero.polimi.it 25 Apr '10

25 Apr '10

Patched in HEAD. Thanks, p.

1 0

(ITS#6533) add rid to syncrepl config logs
by jonathan＠phillipoux.net 25 Apr '10

25 Apr '10

Full_Name: Jonathan Clarke Version: RE24 OS: URL: ftp://ftp.openldap.org/incoming/jonathan-clarke-syncrepl-log-20100425.patch Submission from: (NULL) (88.164.187.72) Hi, Currently, when a syncrepl statement is added, the following is output on log level config: Config: ** successfully added syncrepl "ldap://localhost:9011/" In the case of setups replicating several databases from the same server (multimaster with cn=config and a database for example), this leads to confusing identical messages. I attach a patch to add the RID to this line, like this: Config: ** successfully added syncrepl "ldap://localhost:9011/" (rid=001) Please consider this for inclusion. Thanks, Jonathan

1 0

(ITS#6532) Support for common orderingMatching rules in extensible match filters
by daniel＠pluta.biz 25 Apr '10

25 Apr '10

Full_Name: Daniel Pluta Version: HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/servers-slapd-schema_init.patch Submission from: (NULL) (2001:470:9feb:ff02:f435:4e97:f213:bc9e) In regard to http://www.openldap.org/lists/openldap-technical/201004/msg00228.html I've uploaded a patch which enables support for octetStringOrderingMatch to be used in combination with extensible match filters. According RFC4517 section 4.1 the following ordering matching rules currently available in slapd are affected by this patch: caseIgnoreOrderingMatch caseExactOrderingMatch In addition I've added this kind of support to generalizedTimeOrderingMatch, too. The patch can be downloaded here: ftp://ftp.openldap.org/incoming/servers-slapd-schema_init.patch Note: RFC4517 section 4.1 also lists some substring matching rules which also SHOULD be supported in extensible match filters. slapd as well as my patch currently do not offer support for them.

1 0

Re: (ITS#6531) Modify updateref to generate referrals on the backend
by hyc＠symas.com 24 Apr '10

24 Apr '10

masarati(a)aero.polimi.it wrote: >> Full_Name: Ryan Steele >> Version: 2.4.18 >> OS: Ubuntu Server >> URL: ftp://ftp.openldap.org/incoming/ >> Submission from: (NULL) (207.106.239.81) >> >> >> Per conversation on the #openldap IRC channel on Freenode with Howard Chu, >> it >> has been deemed appropriate to modify the behavior of updateref to answer >> referrals on the backend. This would allow one to use updateref to >> automatically chase referrals for individual backends, instead of it being >> all >> or nothing. Here is the tail end of the channel conversation: >> >> >> <hyc> when you configure an updateref on a backend, that referral is only >> generated in the frontend so putting the overlay on the database, misses >> it... >> >> <rgsteele> Well, I am intending to set an updateref on that backend >> >> <hyc> then you have a problem >> >> <rgsteele> Hm, so you can't do automatic referrals on individual backends >> then? >> >> <rgsteele> That was my original question, or at least the intent of it. >> >> <hyc> not using updateref, no >> >> <rgsteele> Does your response imply there's another way? >> >> <hyc> probably we should fix updateref to be generated at the backend >> level >> >> <rgsteele> That would be good - I'd be happy to write tests or something >> to help >> with that. >> >> <hyc> the "other way" is the normal referral mechanism - using referral >> entries >> inside a database >> >> <hyc> but like I said, updateref is a relic, we've carried it forward >> without >> really adapting it >> >> <hyc> probably should file an ITS about this >> >> <rgsteele> Interesting, I wasn't aware of that method. I'll have to do >> some >> research on that - thanks! Also, is there anything I can do to help get >> the >> process of fixing updateref to generate referrals on the backend? >> >> <rgsteele> I can file the ITS if you like? >> >> <hyc> go ahead > > It is correct that referrals are generated by the frontend, but the > frontend uses information contained in the updateref of each database. > The slapo-chain needs to be global, in order to intercept those referrals. > > Although redesigning referral generation in slapd could streamline things, > I don't quite see what issues can't be addressed using a global instance > of slapo-chain. You can configure referral chasing differently for > different domains using the chain-uri directive. I favor fixing only > what's actually broken. The request revolves around having different behavior for different databases. With a global slapo-chain you cannot turn off referral chasing; URIs that are not explicitly configured will still be chased. Also in terms of logical abstraction the current behavior is wrong; the frontend should of course generate the default_referral responses but updateref is a per-backend item and should be generated at the backend layer. Ideally this would all have been fixed to behave correctly by moving all replication support into an overlay, where it properly belongs. As an interim step it would be trivial to write an updateref overlay that supersedes the current updateref behavior. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#6531) Modify updateref to generate referrals on the backend
by masarati＠aero.polimi.it 24 Apr '10

24 Apr '10

> Full_Name: Ryan Steele > Version: 2.4.18 > OS: Ubuntu Server > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (207.106.239.81) > > > Per conversation on the #openldap IRC channel on Freenode with Howard Chu, > it > has been deemed appropriate to modify the behavior of updateref to answer > referrals on the backend. This would allow one to use updateref to > automatically chase referrals for individual backends, instead of it being > all > or nothing. Here is the tail end of the channel conversation: > > > <hyc> when you configure an updateref on a backend, that referral is only > generated in the frontend so putting the overlay on the database, misses > it... > > <rgsteele> Well, I am intending to set an updateref on that backend > > <hyc> then you have a problem > > <rgsteele> Hm, so you can't do automatic referrals on individual backends > then? > > <rgsteele> That was my original question, or at least the intent of it. > > <hyc> not using updateref, no > > <rgsteele> Does your response imply there's another way? > > <hyc> probably we should fix updateref to be generated at the backend > level > > <rgsteele> That would be good - I'd be happy to write tests or something > to help > with that. > > <hyc> the "other way" is the normal referral mechanism - using referral > entries > inside a database > > <hyc> but like I said, updateref is a relic, we've carried it forward > without > really adapting it > > <hyc> probably should file an ITS about this > > <rgsteele> Interesting, I wasn't aware of that method. I'll have to do > some > research on that - thanks! Also, is there anything I can do to help get > the > process of fixing updateref to generate referrals on the backend? > > <rgsteele> I can file the ITS if you like? > > <hyc> go ahead It is correct that referrals are generated by the frontend, but the frontend uses information contained in the updateref of each database. The slapo-chain needs to be global, in order to intercept those referrals. Although redesigning referral generation in slapd could streamline things, I don't quite see what issues can't be addressed using a global instance of slapo-chain. You can configure referral chasing differently for different domains using the chain-uri directive. I favor fixing only what's actually broken. p.

1 0

cn=monitor attributes (monitorOpInitiated for example) missing in cn=Subschema
by Cannady, Mike 24 Apr '10

24 Apr '10

I'm using openldap-stable-20100219.tgz build. When I look at cn=Monitor with browsing tools (like Softerra LDAP browser) I do see entries for monitorOpInitiated and monitorOpCompleted in DN cn=Operations,cn=Monitor. When I look at cn=SubSchema, I do not see any definitions of these two attributes. Using (unfortunately) Microsoft's VBScript, ADODB, and ADsDSOOBJECT to access to access cn=Monitor, I can access everything that is defined in the subschema (entryDN, modifyTimestamp, etc); however, I cannot access MonitorOpInitiated and such. Looking at the logs, It looks like the query never gets to the ldap server because MS checks it against the cn=subschema. I saw ITS#4947 and ITS#5576 which sounds like what my problem is (attributes not published). Is there a fix for this and what would that fix be? My OS for the ldap server is Redhat Enterprise 5.4. At the end of this email is my redacted slapd.conf file. ---Thanks Mike Cannady Information Services Horry Telephone Cooperative (HTC) Phone: (843)369-8212 Email: Mike.Cannady(a)htcinc.net [root@vmLDAPdev2 openldap]# cat slapd.conf # # See slapd.conf(5) for details on configuration options. # This file should NOT be world readable. # include /usr/local/etc/openldap/schema/core.schema include /usr/local/etc/openldap/schema/cosine.schema include /usr/local/etc/openldap/schema/inetorgperson.schema include /usr/local/etc/openldap/schema/nis.schema include /usr/local/etc/openldap/HTC/iaaa-radius.schema include /usr/local/etc/openldap/HTC/radius.schema include /usr/local/etc/openldap/HTC/users.schema # Allow LDAPv2 client connections. This is NOT the default. allow bind_v2 loglevel 0x100 #loglevel any sizelimit unlimited # Do not enable referrals until AFTER you have a working directory # service AND an understanding of referrals. #referral ldap://root.openldap.org ServerID 002 pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args access to * by dn.one="ou=replicants,ou=admin,dc=htc,dc=com" read by * break access to dn.subtree="dc=htc,dc=com" by dn.one="ou=admin,dc=htc,dc=com" manage by self write by anonymous auth access to * by self write by users read by anonymous auth ####################################################################### # database definitions ####################################################################### database bdb suffix "dc=htc,dc=com" rootdn "cn=Manager,dc=htc,dc=com" # Cleartext passwords, especially for the rootdn, should # be avoided. See slappasswd(8) and slapd.conf(5) for details. # Use of strong authentication encouraged. # rootpw secret # rootpw {crypt}ijFYNcSNctBYg rootpw {xxxxxxx}xxxxxxxxxxxxxxxxxxxxxxxxxx # The database directory MUST exist prior to running slapd AND # should only be accessible by the slapd and slap tools. # Mode 700 recommended. directory /usr/local/var/openldap-data cachesize 50000 dncachesize 50000 idlcachesize 150000 checkpoint 1024 5 # Indices to maintain for this database index objectClass eq,pres index ou,cn,mail,surname,givenname eq,pres,sub index uidNumber,gidNumber,loginShell eq,pres index uid,memberUid eq,pres,sub index nisMapName,nisMapEntry eq,pres,sub index entryCSN eq index entryUUID eq # Replicas of this database syncrepl rid=001 provider=ldap://vmldapdev1.htc.external:389 type=refreshAndPersist retry="5 5 300 +" searchbase="dc=htc,dc=com" attrs="*,+" bindmethod=simple binddn="uid=vmldapdev2,ou=replicants,ou=admin,dc=htc,dc=com" credentials=atest2 mirrormode TRUE overlay syncprov syncprov-checkpoint 1000 1 database monitor [root@vmLDAPdev2 openldap] ********************************************************************** HTC Disclaimer: The information contained in this message may be privileged and confidential and protected from disclosure. If the reader of this message is not the intended recipient, or an employee or agent responsible for delivering this message to the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify us immediately by replying to the message and deleting it from your computer. Thank you. **********************************************************************

2 1

(ITS#6531) Modify updateref to generate referrals on the backend
by ryans＠aweber.com 23 Apr '10

23 Apr '10

Full_Name: Ryan Steele Version: 2.4.18 OS: Ubuntu Server URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (207.106.239.81) Per conversation on the #openldap IRC channel on Freenode with Howard Chu, it has been deemed appropriate to modify the behavior of updateref to answer referrals on the backend. This would allow one to use updateref to automatically chase referrals for individual backends, instead of it being all or nothing. Here is the tail end of the channel conversation: <hyc> when you configure an updateref on a backend, that referral is only generated in the frontend so putting the overlay on the database, misses it... <rgsteele> Well, I am intending to set an updateref on that backend <hyc> then you have a problem <rgsteele> Hm, so you can't do automatic referrals on individual backends then? <rgsteele> That was my original question, or at least the intent of it. <hyc> not using updateref, no <rgsteele> Does your response imply there's another way? <hyc> probably we should fix updateref to be generated at the backend level <rgsteele> That would be good - I'd be happy to write tests or something to help with that. <hyc> the "other way" is the normal referral mechanism - using referral entries inside a database <hyc> but like I said, updateref is a relic, we've carried it forward without really adapting it <hyc> probably should file an ITS about this <rgsteele> Interesting, I wasn't aware of that method. I'll have to do some research on that - thanks! Also, is there anything I can do to help get the process of fixing updateref to generate referrals on the backend? <rgsteele> I can file the ITS if you like? <hyc> go ahead

1 0

Re: (ITS#4685) Updated changelog overlay by Neil Dunbar
by sebastian＠rieger.info 23 Apr '10

23 Apr '10

sorry... the last update was broken. I've uploaded a new version to: <ftp://ftp.openldap.org/incoming/rieger-changelog-2.4.21-pkg-100423.tgz> this version compiles and runs smoothly with 2.4.21. Also I fixed a minor memory leak. Any feedback is welcome ;)

1 0

← Newer
1
2
3
4
5
6
7
...
24
Older →

Jump to page:

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs April 2010