- openldap-bugs - openldap.org

(ITS#4869) config creates base64 encoded rootdn
by dieter＠dkluenter.de 12 Mar '07

12 Mar '07

Full_Name: Dieter Kluenter Version: 2.4.4alpha OS: linux URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (84.142.235.193) When running slapd with -F -f to create a new config database, olcRootDN value is created base64 encoded => ldap_bv2dn(p,0) ldap_err2string <= ldap_bv2dn(p)=-4 Decoding error ldap_err2string olcRootDN: value #0: <olcRootDN> invalid DN 21 (Invalid syntax) config error processing olcDatabase={1}hdb,cn=config: <olcRootDN> invalid DN 21 (Invalid syntax) send_ldap_result: conn=-1 op=0 p=0 send_ldap_result: err=19 matched="" text="" slapd destroy: freeing system resources. slapd stopped. -Dieter

1 0

Re: example: OpenLDAP with SASL/DIGEST-MD5 authentication (ITS#4867)
by ando＠sys-net.it 12 Mar '07

12 Mar '07

Piotr.Golonka(a)cern.ch wrote: > Indeed, 2.2.13 may be historical, It is. It's not an opinion, but a fact. Even 2.2.30, the latest 2.2 release, is historical. > yet this is the version used in large > production systems (e.g. RedHat Enterprise Linux). I believe the problem is not ours. I think we did our best by pushing out 2.2 up to 2.2.30, then 2.3 up to 2.3.34, and now 2.4. If distributions don't catch up I don't think anyone can blame OpenLDAP (and I don't think you are; I'm just trying to make the point). > I'll try to have a look at what's in 2.4. I hope I get my point: every contribution is welcome, but not every contribution may be useful. Writing howtos for code that was released ages ago, and is not maintained may be considered little useful. This is an opinion, of course. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: example: OpenLDAP with SASL/DIGEST-MD5 authentication (ITS#4867)
by Piotr.Golonka＠cern.ch 12 Mar '07

12 Mar '07

On Monday 12 March 2007 18:04, you wrote: > 2.2.13 is historical. ldap_sasl_bind(3) eventually got documented (only > the prototype in 2.3, more docs in 2.4). Please check current 2.4 > documentation and, in case, adapt your contribution to it. In fact, that > man page does not contain any coding example, as we usually refer to client > tools implementations. Please feel free to submit your contribution, lined > up to active code, as a FAQ entry <http://www.openldap.org/faq/>. The FAQ > is interactive. Hi, thanx for reply. Indeed, 2.2.13 may be historical, yet this is the version used in large production systems (e.g. RedHat Enterprise Linux). I'll try to have a look at what's in 2.4. best regards: Piotr

1 0

(ITS#4868) Binary Attribute Patch(es)
by vargok＠yahoo.com 12 Mar '07

12 Mar '07

Full_Name: Kevin Vargo Version: 2.3.32 OS: Linux (RH-EL4) URL: ftp://ftp.openldap.org/incoming/openldap-2.3.32-kv1-patch_support-binary-at… Submission from: (NULL) (128.237.242.55) These address the use of Binary-valued attributes (#3113, #3386): For example, inetOrgPerson.userCertificate is usually transferred with the ";binary" directive. ";binary" is not handled by OpenLDAP/Back-SQL. As well, the data itself, when stored in the database is not properly read out -- all data is read as SQL_C_CHAR data. This supports SQL_C_BINARY-based data. There remains an issue with selecting attributes using, e.g., "userCertificate;binary" -- nothing is returned. Someone with a better understanding of the attribute-processing method would be much more effective in terms of finding the correct place to remove the ";binary" from the "attribute-name." (i.e. "userCertificate;binary" is NOT the attribute-name; "userCertificate" is the attribute-name, ";binary" is a transport directive (see #3113). Additionally, I included to the patch to remove the "assert(0)" in Back-SQL's verification that a search filter and ldap-data don't mis-match on suffix. Tags: OpenLDAP, Back-SQL, MySQL, userCertificate, Binary Attributes, Client Certificates (1) ./servers/slapd/back-sql/search.c.patch Addressed ITS#4856 -- I think you already fixed this (2) ./servers/slapd/back-sql/back-sql.h.patch ./servers/slapd/back-sql/entry-id.c.patch ./servers/slapd/back-sql/sql-wrap.c.patch Address ITS#3113, ITS#3386 Support for binary attribute values (3) ./servers/slapd/back-sql/schema-map.c.patch Addresses issue with accessing attributes that have been provided with ";binary" directive note that I have no doubts whatso ever that there are many better ways to do (3).

1 0

(ITS#4867) example: OpenLDAP with SASL/DIGEST-MD5 authentication
by Piotr.Golonka＠CERN.CH 12 Mar '07

12 Mar '07

Full_Name: Piotr.Golonka(a)CERN.CH Version: 2.2.13 OS: Linux URL: ftp://ftp.openldap.org/incoming/golonka-pkg-070312.tgz Submission from: (NULL) (137.138.170.170) Hi, the documentation of the ldap_sasl_bind* family of functions is missing, and getting the actual DIGEST-MD5 authentication in your C code working seems to be completely undocumented. I went through the complete code of ldapsearch.c and extracted the minimal code that succesfully demonstrates DIGEST-MD5 authentication. In my case, I authenticated against ActiveDirectory server. I uploaded the example into your FTP server as golonka-pkg-070312.tgz I hope it may be useful to publish it as a short "Howto" material... regards Piotr Golonka CERN

1 0

(ITS#4866) Can we list Null Value Attributes
by maruthigsr＠gmail.com 12 Mar '07

12 Mar '07

Full_Name: Maruthi Gullapudi Version: OS: AIX URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (194.221.133.211) Hi, I wanted to list all the users based on the value of one attribute using the LDAPSEARCH Command. The value of that attribute is NULL. I dont know whether LDAPSEARCH will capture null values. Can anyone tell me how to list users from an LDAP directory based on a NUll valued attribute. Thanks in Advance Maruthi

1 0

Re: (ITS#4864) -r option "redirects" to logfile, breaks replication
by ando＠sys-net.it 11 Mar '07

11 Mar '07

[please keep the ITS in CC] Eubank, Chris LCS:EX wrote: > Am running Solaris 10, and the version I stuck in the log. > > When I created an "openldaprc" and used the variable for the > replication log, What is the "variable for the replication log"? All one usually needs to do is define a replogfile in slapd.conf(5) > (which ends up obviously running the slurpd daemon > with the -r switch), Again: there's no need to use -r if replogfile is in slapd.conf(5); if there is no replogfile in slapd.conf(5), slapd(8) will not generate any log, so slurpd(8) will have nothing to do > it sent the replication data to the logfile and > not to the replication hosts being specified. Who sent the replication data to the logfile? slapd(8) is supposed to write replication data to the file specified in replogfile (sladp.conf(5)); slurpd(8) is supposed to read that file (whose existence and location is known by parsing slapd.conf(5)), copy the content it is able to process to its own replication log, which resides in slurpd's working directory (default or passed with -t) and is called slurpd.replog, send that content to the slaves, and remove the data that has been handled from slapd's replication log. This is how things are expected to work. As you may see, -r never comes into play; it's intended to be used to force slurpd processing of a different file, which may be required for special purposes. Do you have any special needs, or are you simply trying to set up usual replication? > Does that make more sense? See comments above. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4860) Sets' enhancement
by ando＠sys-net.it 11 Mar '07

11 Mar '07

raphael.ouazana(a)linagora.com wrote: > Fixing these issues, I saw that set_parent will be very similar to > set_chase. Do you think I should create a new gatherer instead of ? I don't see so much similarity: set_chase() is intended to use the gatherer to fetch objects and extract a value from them, including "closure" (recursion). Sublevel does not require fetching, and takes a negative digit as extra argument, rather than an attribute type, so you'd need to add an outer test before calling set_chase() anyway, extend the interface of set_chase() to allow an AttributeDescription and an integer, and so on, while you don't need any callback capability to fetch an object or expand values or so. I'd keep it simple as it is now. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

Re: (ITS#4864) -r option "redirects" to logfile, breaks replication
by ando＠sys-net.it 10 Mar '07

10 Mar '07

chris.eubank(a)gov.bc.ca wrote: > Full_Name: Chris Eubank > Version: 2.3.31 (Jan 7 2007 08:51:37) > OS: Solaris 10 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (142.32.230.251) > > > If the -r option is used with the 'slurpd' daemon it breaks the replication > function and sends the replication data to the specified logfile instead. What does this mean? According to the documentation, -r must point to slapd's replog file, namely the file where replications are logged by the producer. Of course, if you point it to a file that is not a valid replication log, the behavior will be unexpected. > This behaviour is not documented in the manpage for slurpd. Please describe what behavior you obtain and how it differs from documented. Note that regular users are not supposed to use the -r switch, since slurpd typically knows where to get the replog file. Also, note that slurpd is deprecated; syncrepl should be used instead. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4865) double declaration of variable in slapd/main.c
by bret.lambert＠gmail.com 09 Mar '07

09 Mar '07

Full_Name: Bret Lambert Version: -HEAD OS: OpenBSD URL: ftp://ftp.openldap.org/incoming/bret-lambert-070309.patch Submission from: (NULL) (70.179.123.124) There are two declarations of "int i;" in main.c main(). The patch listed removes the second (spurious) declaration of the variable. Found via lint(1) on OpenBSD

1 0

(ITS#4864) -r option "redirects" to logfile, breaks replication
by chris.eubank＠gov.bc.ca 09 Mar '07

09 Mar '07

Full_Name: Chris Eubank Version: 2.3.31 (Jan 7 2007 08:51:37) OS: Solaris 10 URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (142.32.230.251) If the -r option is used with the 'slurpd' daemon it breaks the replication function and sends the replication data to the specified logfile instead. This behaviour is not documented in the manpage for slurpd.

1 0

(ITS#4863) 2.3 Administrator's Guide uses deprecated "attr=" statement (typo)
by meburr＠gmail.com 09 Mar '07

09 Mar '07

Full_Name: Michael Burr Version: 2.3.30 OS: Debian 4.0 (sid) URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (70.145.225.250) Referring to the Administrator's Guide hosted at openldap.org, in the "Access Control" section (http://www.openldap.org/doc/admin23/slapdconf2.html#Access%20Control), if I copy this statement: olcAccess: to attr=member,entry by dnattr=member selfwrite directly into my configuration (replacing "olcAccess: " with "access to"), slaptest complains: slapd.conf: line 40: "attr" is deprecated (and undocumented); use "attrs" instead. config file testing succeeded As is suggested by the output, slaptest returns with success (0).

1 0

Re: (ITS#4857) Subtree accesslog support
by Frank.Swasey＠uvm.edu 09 Mar '07

09 Mar '07

This is a cryptographically signed message in MIME format. --------------ms080906050304010303040408 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit On 3/7/07 5:29 PM, hyc(a)symas.com wrote: > ---- <quanah(a)stanford.edu> wrote: >> What I want to do, is put subtree based accesslog's on my replica servers. >> We have multiple downstream systems that pull data from the directory. >> This would allow them to "sit and listen" to the changes made in their >> subtrees of interest, using the syncrepl protocol. > > Uh huh. That's what search filters are for. If that's the only motivation for this ITS, then we can close it right now. If that's the only original motivation... then I'd like to hijack this to get the ability to expire different subtree's out of the log at different rates... can I do that? -- Frank Swasey | http://www.uvm.edu/~fcs Sr Systems Administrator | Always remember: You are UNIQUE, University of Vermont | just like everyone else. "I am not young enough to know everything." - Oscar Wilde (1854-1900) --------------ms080906050304010303040408 Content-Type: application/x-pkcs7-signature; name="smime.p7s" Content-Transfer-Encoding: base64 Content-Disposition: attachment; filename="smime.p7s" Content-Description: S/MIME Cryptographic Signature MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJDzCC AuIwggJLoAMCAQICEAq9rKiduK3HCbKzsBiBodUwDQYJKoZIhvcNAQEEBQAwYjELMAkGA1UE BhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMT I1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENBMB4XDTA2MDcxNzE2NTcyNloX DTA3MDcxNzE2NTcyNlowRjEfMB0GA1UEAxMWVGhhd3RlIEZyZWVtYWlsIE1lbWJlcjEjMCEG CSqGSIb3DQEJARYURnJhbmsuU3dhc2V5QHV2bS5lZHUwggEiMA0GCSqGSIb3DQEBAQUAA4IB DwAwggEKAoIBAQCzhSmesaR8qf2y5cNt0qa27m42Kq3Bwubs28CzSxR1uRUaRZUfL/C2FEFV kKSat6da5b19UEWxM1giaWvLeDtQE5Tok8GhN8LNgScTiSEM6gFWnL0o7A9W7oAj42dfFvBV md7/u7nSJoAP3Wt9cU3TBJBh99U89EzIYLNik8iVhzbwfNmisxmuR5870AHURoR1sN/X4jWx q5114Rv8r60+bVitlXL7P20Z2S9+va9+a7+C1P/yJLPq1GK8+X9uaoUaGHlapBeBYNu3QWQG Q+mF+QuidS01jbaburvJxUm7dVO3QRt1PovVhlidv89eqcH8n4h7xSG1IG3teNJkschdAgMB AAGjMTAvMB8GA1UdEQQYMBaBFEZyYW5rLlN3YXNleUB1dm0uZWR1MAwGA1UdEwEB/wQCMAAw DQYJKoZIhvcNAQEEBQADgYEAblV8ye5ZLs/y3DX0W3NU67N2T6tOSZ1609L+BRWB/Md7RDFd Cm8AXFIldDLzkyPFqs9WpgAQLvZ0gRXQ8aqwYEBB3WlZzkpUS+YTuY6X9wjcroMjHCyWNpq0 /joDumCNSEWiZJ6AZMRom9Z/P6foBxXmgCBKVq/O0mGqgArlxdkwggLiMIICS6ADAgECAhAK vayonbitxwmys7AYgaHVMA0GCSqGSIb3DQEBBAUAMGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQK ExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29u YWwgRnJlZW1haWwgSXNzdWluZyBDQTAeFw0wNjA3MTcxNjU3MjZaFw0wNzA3MTcxNjU3MjZa MEYxHzAdBgNVBAMTFlRoYXd0ZSBGcmVlbWFpbCBNZW1iZXIxIzAhBgkqhkiG9w0BCQEWFEZy YW5rLlN3YXNleUB1dm0uZWR1MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs4Up nrGkfKn9suXDbdKmtu5uNiqtwcLm7NvAs0sUdbkVGkWVHy/wthRBVZCkmrenWuW9fVBFsTNY Imlry3g7UBOU6JPBoTfCzYEnE4khDOoBVpy9KOwPVu6AI+NnXxbwVZne/7u50iaAD91rfXFN 0wSQYffVPPRMyGCzYpPIlYc28HzZorMZrkefO9AB1EaEdbDf1+I1sauddeEb/K+tPm1YrZVy +z9tGdkvfr2vfmu/gtT/8iSz6tRivPl/bmqFGhh5WqQXgWDbt0FkBkPphfkLonUtNY22m7q7 ycVJu3VTt0EbdT6L1YZYnb/PXqnB/J+Ie8UhtSBt7XjSZLHIXQIDAQABozEwLzAfBgNVHREE GDAWgRRGcmFuay5Td2FzZXlAdXZtLmVkdTAMBgNVHRMBAf8EAjAAMA0GCSqGSIb3DQEBBAUA A4GBAG5VfMnuWS7P8tw19FtzVOuzdk+rTkmdetPS/gUVgfzHe0QxXQpvAFxSJXQy85MjxarP VqYAEC72dIEV0PGqsGBAQd1pWc5KVEvmE7mOl/cI3K6DIxwsljaatP46A7pgjUhFomSegGTE aJvWfz+n6AcV5oAgSlavztJhqoAK5cXZMIIDPzCCAqigAwIBAgIBDTANBgkqhkiG9w0BAQUF ADCB0TELMAkGA1UEBhMCWkExFTATBgNVBAgTDFdlc3Rlcm4gQ2FwZTESMBAGA1UEBxMJQ2Fw ZSBUb3duMRowGAYDVQQKExFUaGF3dGUgQ29uc3VsdGluZzEoMCYGA1UECxMfQ2VydGlmaWNh dGlvbiBTZXJ2aWNlcyBEaXZpc2lvbjEkMCIGA1UEAxMbVGhhd3RlIFBlcnNvbmFsIEZyZWVt YWlsIENBMSswKQYJKoZIhvcNAQkBFhxwZXJzb25hbC1mcmVlbWFpbEB0aGF3dGUuY29tMB4X DTAzMDcxNzAwMDAwMFoXDTEzMDcxNjIzNTk1OVowYjELMAkGA1UEBhMCWkExJTAjBgNVBAoT HFRoYXd0ZSBDb25zdWx0aW5nIChQdHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25h bCBGcmVlbWFpbCBJc3N1aW5nIENBMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDEpjxV c1X7TrnKmVoeaMB1BHCd3+n/ox7svc31W/Iadr1/DDph8r9RzgHU5VAKMNcCY1osiRVwjt3J 8CuFWqo/cVbLrzwLB+fxH5E2JCoTzyvV84J3PQO+K/67GD4Hv0CAAmTXp6a7n2XRxSpUhQ9I BH+nttE8YQRAHmQZcmC3+wIDAQABo4GUMIGRMBIGA1UdEwEB/wQIMAYBAf8CAQAwQwYDVR0f BDwwOjA4oDagNIYyaHR0cDovL2NybC50aGF3dGUuY29tL1RoYXd0ZVBlcnNvbmFsRnJlZW1h aWxDQS5jcmwwCwYDVR0PBAQDAgEGMCkGA1UdEQQiMCCkHjAcMRowGAYDVQQDExFQcml2YXRl TGFiZWwyLTEzODANBgkqhkiG9w0BAQUFAAOBgQBIjNFQg+oLLswNo2asZw9/r6y+whehQ5aU nX9MIbj4Nh+qLZ82L8D0HFAgk3A8/a3hYWLD2ToZfoSxmRsAxRoLgnSeJVCUYsfbJ3FXJY3d qZw5jowgT2Vfldr394fWxghOrvbqNOUQGls1TXfjViF4gtwhGTXeJLHTHUb/XV9lTzGCA2Qw ggNgAgEBMHYwYjELMAkGA1UEBhMCWkExJTAjBgNVBAoTHFRoYXd0ZSBDb25zdWx0aW5nIChQ dHkpIEx0ZC4xLDAqBgNVBAMTI1RoYXd0ZSBQZXJzb25hbCBGcmVlbWFpbCBJc3N1aW5nIENB AhAKvayonbitxwmys7AYgaHVMAkGBSsOAwIaBQCgggHDMBgGCSqGSIb3DQEJAzELBgkqhkiG 9w0BBwEwHAYJKoZIhvcNAQkFMQ8XDTA3MDMwOTE0MDYxMFowIwYJKoZIhvcNAQkEMRYEFCiK 6zalxLVu83Mrwb6GWBRfSXOYMFIGCSqGSIb3DQEJDzFFMEMwCgYIKoZIhvcNAwcwDgYIKoZI hvcNAwICAgCAMA0GCCqGSIb3DQMCAgFAMAcGBSsOAwIHMA0GCCqGSIb3DQMCAgEoMIGFBgkr BgEEAYI3EAQxeDB2MGIxCzAJBgNVBAYTAlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGlu ZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNUaGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWlu ZyBDQQIQCr2sqJ24rccJsrOwGIGh1TCBhwYLKoZIhvcNAQkQAgsxeKB2MGIxCzAJBgNVBAYT AlpBMSUwIwYDVQQKExxUaGF3dGUgQ29uc3VsdGluZyAoUHR5KSBMdGQuMSwwKgYDVQQDEyNU aGF3dGUgUGVyc29uYWwgRnJlZW1haWwgSXNzdWluZyBDQQIQCr2sqJ24rccJsrOwGIGh1TAN BgkqhkiG9w0BAQEFAASCAQCc8+iSw5QIRwppDoDmleLlwBqS/QpcRbyraKL58bvYQh2GFw+o 9W7fBsV7Kt6Vt4AqaWkn+5RZ4NqlIeOIzck/utkki59zSci3mcOUOZ0DHQsmWGmyiSPPohzN CtupvRWo5viTrBr5fPAWeAiTlNfg4B2G3Ic81e2VPixWUScgLy8TlvFJmopH3yK64lqkAU7E 71L3SXe5n2ZB3O2WLsPtlVHTp9fo+AbU+/WYEMbpgR5vkAxYM6noOyhw3+W632b0hnKICtbP 6HGjZ7EZt1VyowOk95Q5x01EIo6wOBOAkOUQ/Ax+ZatZTosxpuFL87kMv1M+DuyQNzljK29V GQwtAAAAAAAA --------------ms080906050304010303040408--

1 0

Re: (ITS#4862) Doxygen support
by ghenry＠suretecsystems.com 08 Mar '07

08 Mar '07

<quote who="ando(a)sys-net.it"> > Full_Name: Pierangelo Masarati > Version: HEAD (almost irrelevant) > OS: irrelevant > URL: ftp://ftp.openldap.org/incoming/openldap-doxygen.tar.gz > Submission from: (NULL) (81.72.89.40) > Submitted by: ando > > > I've updated a simple doxygen configuration file that allows to create a > (hopefully) complete and useful browsable tree of OpenLDAP software. The > current configuration is quite redundant, since it includes sources in the > tree, > and may take a while to process. It needs "doxygen" and "dot" (the latter > can > be disabled by setting HAVE_DOT to "no", if unavailable, at the expense of > loosing the graphical description of relations between data types and > files). > > To "install": > - cd into the root of the source tree > - untar openldap-doxygen.tar.gz > > this puts a couple .html files in doc/devel, and Doxyfile in the root of > the > source tree. Edit this to customize. > > Finally, run doxygen from the root of the source tree (and be patient). > > Documents will be installed in doc/source_html. Edit Doxyfile to > customize. > Enjoy. > > p. Wow! That rules and looks great. Brilliant work. Thoughts on polishing this up and adding something to the main site with an announcement sometime? "OpenLDAP goes Doxygen" ;-) Gavin. -- Kind Regards, Gavin Henry. Managing Director. T +44 (0) 1224 279484 M +44 (0) 7930 323266 F +44 (0) 1224 824887 E ghenry(a)suretecsystems.com Open Source. Open Solutions(tm). http://www.suretecsystems.com/

1 0

(ITS#4862) Doxygen support
by ando＠sys-net.it 08 Mar '07

08 Mar '07

Full_Name: Pierangelo Masarati Version: HEAD (almost irrelevant) OS: irrelevant URL: ftp://ftp.openldap.org/incoming/openldap-doxygen.tar.gz Submission from: (NULL) (81.72.89.40) Submitted by: ando I've updated a simple doxygen configuration file that allows to create a (hopefully) complete and useful browsable tree of OpenLDAP software. The current configuration is quite redundant, since it includes sources in the tree, and may take a while to process. It needs "doxygen" and "dot" (the latter can be disabled by setting HAVE_DOT to "no", if unavailable, at the expense of loosing the graphical description of relations between data types and files). To "install": - cd into the root of the source tree - untar openldap-doxygen.tar.gz this puts a couple .html files in doc/devel, and Doxyfile in the root of the source tree. Edit this to customize. Finally, run doxygen from the root of the source tree (and be patient). Documents will be installed in doc/source_html. Edit Doxyfile to customize. Enjoy. p.

1 0

(ITS#4861) Issue with referrals in proxy backends
by ando＠sys-net.it 08 Mar '07

08 Mar '07

Full_Name: Pierangelo Masarati Version: re23 + patches from HEAD OS: irrelevant URL: ftp://ftp.openldap.org/incoming/ Submission from: (NULL) (131.175.154.35) Submitted by: ando I've received reports of issues with referrals returned from a third-party DSA to OpenLDAP's proxy backends. Apparently, in some cases the response contained referrals with a return code different from LDAP_REFERRAL. Although I can't prove it (it seems to be non-deterministic), I've strenghtened the proxy backends code so that it rejects those responses instead of sending them thru send_ldap_result(), which triggers an assertion. p.

1 0

Re: (ITS#4860) Sets' enhancement
by raphael.ouazana＠linagora.com 08 Mar '07

08 Mar '07

On Jeu 8 mars 2007 01:00, Pierangelo Masarati wrote: > raphael.ouazana(a)linagora.com wrote: > > I see at least 2 issues in this patch: > > 1) the use of dnParent() in place on malloc'd data would lead to memory > corruption, because at some point the value of the set will be freed, > but the bv_val of that value would no longer point to the beginning of a > malloc()'ed block. You should rather use AC_MEMCPY() to move the > parent's DN at the beginning of the malloc()'ed memory block. > > 2) when trimming a set of DNs to some ancestor, DNs with common > ancestors could result in duplicate set values. I'm not sure this > currently has any adverse effect on set evaluation, but I'd consider it > bad anyway. You should eliminate duplicates, in case any arises. Fixing these issues, I saw that set_parent will be very similar to set_chase. Do you think I should create a new gatherer instead of ? Regards, Raphael Ouazana.

1 0

Re: (ITS#4860) Sets' enhancement
by ando＠sys-net.it 07 Mar '07

07 Mar '07

raphael.ouazana(a)linagora.com wrote: I see at least 2 issues in this patch: 1) the use of dnParent() in place on malloc'd data would lead to memory corruption, because at some point the value of the set will be freed, but the bv_val of that value would no longer point to the beginning of a malloc()'ed block. You should rather use AC_MEMCPY() to move the parent's DN at the beginning of the malloc()'ed memory block. 2) when trimming a set of DNs to some ancestor, DNs with common ancestors could result in duplicate set values. I'm not sure this currently has any adverse effect on set evaluation, but I'd consider it bad anyway. You should eliminate duplicates, in case any arises. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

1 0

(ITS#4860) Sets' enhancement
by raphael.ouazana＠linagora.com 07 Mar '07

07 Mar '07

Full_Name: Raphael Ouazana Version: HEAD OS: Linux URL: ftp://ftp.openldap.org/incoming/raphael-ouazana-070307.patch Submission from: (NULL) (82.225.231.106) Hi, This patch creates a new operator for sets : /- It allows to get the nth parent of all the elements of a set. For example, if user is cn=user,ou=people,dc=example,dc=com : user/-1 : resolves to set {ou=people,dc=example,dc=com} user/-2 : resolves to set {dc=example,dc=com} Of course it works the same for sets of more than 1 element. It is very useful when ACLs depends on hierarchy. Legal notice : This patch file is derived from OpenLDAP Software. All of the modifications to OpenLDAP Software represented in this following patch were developed by Raphael Ouazana raphael.ouazana(a)linagora.com. These modifications are not subject to any license of Linagora. The attached modifications to OpenLDAP Software are subject to the following notice: Copyright 2007 Raphael Ouazana, Linagora Redistribution and use in source and binary forms, with or without modification, are permitted only as authorized by the OpenLDAP Public License.

1 0

Re: (ITS#4857) Subtree accesslog support
by quanah＠stanford.edu 07 Mar '07

07 Mar '07

--On Wednesday, March 07, 2007 2:32 PM -0800 Quanah Gibson-Mount <quanah(a)stanford.edu> wrote: > > > --On Wednesday, March 07, 2007 2:28 PM -0800 Howard Chu <hyc(a)symas.com> > wrote: > >> >> ---- <quanah(a)stanford.edu> wrote: >>> What I want to do, is put subtree based accesslog's on my replica >>> servers. We have multiple downstream systems that pull data from the >>> directory. This would allow them to "sit and listen" to the changes >>> made in their subtrees of interest, using the syncrepl protocol. >> >> Uh huh. That's what search filters are for. If that's the only motivation >> for this ITS, then we can close it right now. >> >> ldapsearch -b cn=log >> (reqDN:dnsubtreematch:=ou=accounts,dc=stanford,dc=edu) > > That doesn't do a never ending search that catches every write as it > occurs. Although I guess a syncrepl search could use the filter ;) --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4857) Subtree accesslog support
by quanah＠stanford.edu 07 Mar '07

07 Mar '07

--On Wednesday, March 07, 2007 2:28 PM -0800 Howard Chu <hyc(a)symas.com> wrote: > > ---- <quanah(a)stanford.edu> wrote: >> What I want to do, is put subtree based accesslog's on my replica >> servers. We have multiple downstream systems that pull data from the >> directory. This would allow them to "sit and listen" to the changes >> made in their subtrees of interest, using the syncrepl protocol. > > Uh huh. That's what search filters are for. If that's the only motivation > for this ITS, then we can close it right now. > > ldapsearch -b cn=log > (reqDN:dnsubtreematch:=ou=accounts,dc=stanford,dc=edu) That doesn't do a never ending search that catches every write as it occurs. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4857) Subtree accesslog support
by hyc＠symas.com 07 Mar '07

07 Mar '07

---- <quanah(a)stanford.edu> wrote: > What I want to do, is put subtree based accesslog's on my replica servers. > We have multiple downstream systems that pull data from the directory. > This would allow them to "sit and listen" to the changes made in their > subtrees of interest, using the syncrepl protocol. Uh huh. That's what search filters are for. If that's the only motivation for this ITS, then we can close it right now. ldapsearch -b cn=log (reqDN:dnsubtreematch:=ou=accounts,dc=stanford,dc=edu) -- Howard Chu Chief Architect, Symas Corp. Director, Highland Sun http://www.symas.com http://highlandsun.com/hyc Symas: Premier OpenSource Development and Support

1 0

Re: (ITS#4857) Subtree accesslog support
by quanah＠stanford.edu 07 Mar '07

07 Mar '07

--On Wednesday, March 07, 2007 5:09 PM +0000 Frank.Swasey(a)uvm.edu wrote: > This is a cryptographically signed message in MIME format. > > --------------ms050409020803020407000508 > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > Content-Transfer-Encoding: 7bit > > On 3/6/07 6:31 PM, quanah(a)stanford.edu wrote: >> I was looking at adding access log configurations to my main database >> that would log operations based on subtree. For example, I'd like to >> have all operations on "cn=accounts,dc=stanford,dc=edu" go into one >> accesslog, and operations on "cn=people,dc=stanford,dc=edu" go into >> another accesslog. My root is "dc=stanford,dc=edu". There doesn't seem >> to be a way with the way accesslog is currently designed to do this. I >> believe it would be a useful feature. > > I have wished for a similar capability. However, have always been > stopped from proceeding to look at modifying the code because all my > consumers need to replicate the full database. > > However, it would be nice to be able to break things apart and have > them expire out of the accesslog at different times. For instance, our > sendmail spam blocking rules live for a max of several hours and so I > could expire those from the accesslog after 8 hours, but the core > (people, groups, accounts) I'd like to keep for a couple days to make > certain they get to the replica servers. > > Is that the same kind of thing you are thinking of Quanah? Hi Frank, Actually, no, it isn't. ;) What I want to do, is put subtree based accesslog's on my replica servers. We have multiple downstream systems that pull data from the directory. This would allow them to "sit and listen" to the changes made in their subtrees of interest, using the syncrepl protocol. --Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: (ITS#4857) Subtree accesslog support
by hyc＠symas.com 07 Mar '07

07 Mar '07

Frank.Swasey(a)uvm.edu wrote: > This is a cryptographically signed message in MIME format. > > --------------ms050409020803020407000508 > Content-Type: text/plain; charset=ISO-8859-1; format=flowed > Content-Transfer-Encoding: 7bit > > On 3/6/07 6:31 PM, quanah(a)stanford.edu wrote: >> I was looking at adding access log configurations to my main database that would >> log operations based on subtree. For example, I'd like to have all operations >> on "cn=accounts,dc=stanford,dc=edu" go into one accesslog, and operations on >> "cn=people,dc=stanford,dc=edu" go into another accesslog. My root is >> "dc=stanford,dc=edu". There doesn't seem to be a way with the way accesslog is >> currently designed to do this. I believe it would be a useful feature. > > I have wished for a similar capability. However, have always been > stopped from proceeding to look at modifying the code because all my > consumers need to replicate the full database. Usually when you have a logging requirement, you need to see everything... Breaking out options by subtree does seem to be a pretty common need though. It strikes me that we need to solve this once, generically, instead of doing it over and over again in each overlay. That sounds an awful lot like getting full subentry support implemented, or at least a generic subtree search specification handler. > However, it would be nice to be able to break things apart and have > them expire out of the accesslog at different times. For instance, our > sendmail spam blocking rules live for a max of several hours and so I > could expire those from the accesslog after 8 hours, but the core > (people, groups, accounts) I'd like to keep for a couple days to make > certain they get to the replica servers. > > Is that the same kind of thing you are thinking of Quanah? > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: (ITS#4858) sasl_client_init Problem
by hyc＠symas.com 07 Mar '07

07 Mar '07

The OpenLDAP ITS is for tracking issues in OpenLDAP software. Your problem appears to be in a package produced by someone else; you should contact whoever provided that package for support. We have no way of knowing what build or configuration options someone else used to create their package, so we cannot track down problems in their package. Note that OpenLDAP 2.1 was moved to Historic status a number of years ago. You should consider using a more recent version. Symas Corporation provides professional support for OpenLDAP 2.3 packaged for HPUX and many other platforms. m.birkenkamp(a)e-fact-gmbh.de wrote: > Full_Name: Marcel Birkenkamp > Version: 2.1.22 > OS: HP UX 11.11 > URL: ftp://ftp.openldap.org/incoming/ > Submission from: (NULL) (84.63.24.153) > > > Hi, > > i have a Problem, i've implemented a c program using OpenLDAP to connect to an > ActiveDirectory for uservalidation, the Problem is that whenever i use one of > the OpenLDAP functions (i.e. ldap_init, ldap_initialize) i get the following > error: "/usr/lib/dld.sl: Unresolvable symbol: sasl_client_init (code) from > /opt/iexpress/openldap/lib/libldap.sl - IOT trap". I've reinstalled OpenLDAP but > the Problem persists. > Does anyone have an idea what might be causing this or how i can find out where > this Problem originates? > > thanks in advance > > Marcel > > > . > -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-bugs