Full_Name: Marco Pizzoli
Version: 2.4.x
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (217.133.1.151)
Hi,
this is a feature request.
I would like to extend the "include" directive of slapd.conf by defining a
default path in which to begin searching for the filename specified by the
"include" directive(s).
In short I would like to mimic the behaviour of "modulepath" and "moduleload"
directives.
"includepath" could be a suggestion of the name of this new directive.
Thanks
Marco
Once again an update of this patch:
One more step further dnattr's documented behaviour:
Now the DN in dnattr is additionally allowed to remove the whole entry.
The update can be found here:
ftp://ftp.openldap.org/incoming/Daniel-Pluta-110422.patch
I'm not quite satisfied with my code and its internal processing. It's
more some kind of a prototype. Probably you guys do have the knowledge to
"convert" it into a better and slapd-like design...
Thanks a lot!
I had a refresh on the submit page. This erroneous ITS can be closed, sorry.
On Thu, Apr 21, 2011 at 1:33 PM, <openldap-its(a)openldap.org> wrote:
>
> *** THIS IS AN AUTOMATICALLY GENERATED REPLY ***
>
> Thanks for your report to the OpenLDAP Issue Tracking System. Your
> report has been assigned the tracking number ITS#6913.
>
> One of our support engineers will look at your report in due course.
> Note that this may take some time because our support engineers
> are volunteers. They only work on OpenLDAP when they have spare
> time.
>
> If you need to provide additional information in regards to your
> issue report, you may do so by replying to this message. Note that
> any mail sent to openldap-its(a)openldap.org with (ITS#6913)
> in the subject will automatically be attached to the issue report.
>
>     mailto:openldap-its@openldap.org?subject=(ITS#6913)
>
> You may follow the progress of this report by loading the following
> URL in a web browser:
>     http://www.OpenLDAP.org/its/index.cgi?findid=6913
>
> Please remember to retain your issue tracking number (ITS#6913)
> on any further messages you send to us regarding this report. If
> you don't then you'll just waste our time and yours because we
> won't be able to properly track the report.
>
> Please note that the Issue Tracking System is not intended to
> be used to seek help in the proper use of OpenLDAP Software.
> Such requests will be closed.
>
> OpenLDAP Software is user supported.
>     http://www.OpenLDAP.org/support/
>
> --------------
> Copyright 1998-2007 The OpenLDAP Foundation, All Rights Reserved.
>
>
--
_________________________________________
It is not the one who never falls who is strong, but the one who, falling, has the strength to get back up.
          Jim Morrison
Full_Name: Marco Pizzoli
Version: 2.4.x
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (213.174.164.11)
This is a feature request.
I would like to further extend accesslog filtering capabilities.
It would be useful to me to exclude logging of operations made by a specific user
(DN).
My usage case is a DBMS (DB2) using native LDAP authentication, which does
extensive search operations on my DIT (quite 2 million searches per day per
instance).
I assigned a specific technical user (DN) to these DB2 instances and so I am
able to identify operations made by those users.
This filter would allow me to reduce very much my accesslog db size and augment
my data retention.
Thanks
Marco Pizzoli
Full_Name: authz-regex dnNormalize() filter expression with matching rule assertion
Version: HEAD
OS: Linux
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (2001:4ca0:0:fe00:200:5efe:81bb:f4c)
We tried to support/implement case-sensitive logins using SASL DIGEST-MD5.
Imagine the following partial authz-regexp statement:
ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=$1)
During "dnNormalize" the uid is transformed into lowercase, which causes the
caseExactMatch to fail:
SASL [conn=1010] Debug: DIGEST-MD5 server step 2
slap_sasl_getdn: u:id converted to uid=user1HAHA,cn=DIGEST-MD5,cn=auth
>>> dnNormalize: <uid=user1HAHA,cn=DIGEST-MD5,cn=auth>
<<< dnNormalize: <uid=user1HAHA,cn=digest-md5,cn=auth>
==>slap_sasl2dn: converting SASL name uid=user1HAHA,cn=digest-md5,cn=auth to a DN
==> rewrite_context_apply [depth=1] string='uid=user1HAHA,cn=digest-md5,cn=auth'
==> rewrite_rule_apply rule='uid=([^,]+),cn=(PLAIN|LOGIN|OTP|DIGEST-MD5|CRAM-MD5),cn=auth' string='uid=user1HAHA,cn=digest-md5,cn=auth' [1 pass(es)]
==> rewrite_context_apply [depth=1]
res={0,'ldap:///ou=users,ou=eecbcs.de,dc=foo,dc=bar??one?(uid:caseExactMatch:=user1haha)'}
marco.pizzoli(a)gmail.com wrote:
> Full_Name: Marco Pizzoli
> Version: 2.4.x
> OS: Linux
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (213.174.164.11)
>
>
> This is a feature request.
>
> I would like to further extend accesslog filtering capabilities.
> It would be useful to me to exclude logging of operations made by a specific user
> (DN).
>
> My usage case is a DBMS (DB2) using native LDAP authentication, which does
> extensive search operations on my DIT (quite 2 million searches per day per
> instance).
> I assigned a specific technical user (DN) to these DB2 instances and so I am
> able to identify operations made by those users.
>
> This filter would allow me to reduce very much my accesslog db size and augment
> my data retention.
Patches welcome.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
It works! :-)
In the next 2 days I will test other configurations and I will let you know!
For now, thanks a lot!
Marco
On Wed, Apr 20, 2011 at 9:26 PM, Howard Chu <hyc(a)symas.com> wrote:
> Marco Pizzoli wrote:
>>
>> Trying a more complex configuration I found my first problem.
>> This is my configuration:
>>
>> logbase session dc=mycorp,dc=mydc.it
>> logbase all ou=groups,dc=mycorp,dc=mydc.it
>> logbase all ou=people,dc=mycorp,dc=mydc.it
>>
>> Using my rootdn (cn=manager,dc=mycorp,dc=mydc.it) and submitting an
>> authenticated ldapsearch under base "ou=groups,dc=mycorp,dc=mydc.it",
>> I obtain this accesslog
>>
>>
>> # 20110420141404.000000Z, log03, mydc.it
>> dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
>> objectClass: auditBind
>> reqStart: 20110420141404.000000Z
>> reqEnd: 20110420141404.000001Z
>> reqType: bind
>> reqSession: 1000
>> reqAuthzID:
>> reqDN: cn=manager,dc=mycorp,dc=mydc.it
>> reqResult: 0
>> reqVersion: 3
>> reqMethod: SIMPLE
>>
>> # 20110420141404.000002Z, log03, mydc.it
>> dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
>> objectClass: auditSearch
>> reqStart: 20110420141404.000002Z
>> reqEnd: 20110420141404.000003Z
>> reqType: search
>> reqSession: 1000
>> reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it
>> reqDN: ou=groups,dc=mycorp,dc=mydc.it
>> reqResult: 0
>> reqScope: sub
>> reqDerefAliases: never
>> reqAttrsOnly: FALSE
>> reqFilter: (cn=minnie)
>> reqAttr: dn
>> reqEntries: 0
>> reqTimeLimit: -1
>> reqSizeLimit: -1
>>
>> As you can see, the unbind operation is not logged...
>> Is it an error of mine?
>>
> Looks like Unbind has not been modified to handle logbase yet. Will fix this
> shortly.
>
> --
>   -- Howard Chu
>   CTO, Symas Corp.           http://www.symas.com
>   Director, Highland Sun     http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP  http://www.openldap.org/project/
>
--
_________________________________________
It is not the one who never falls who is strong, but the one who, falling, has the strength to get back up.
          Jim Morrison
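
An added example, not part of the original thread or of OpenLDAP: a small Python check over accesslog LDIF that lists sessions with a logged bind but no logged unbind, the symptom reported in the quoted message above. The sample data is constructed from the quoted entries; session 1001 and the cn=db2 DN are invented for contrast, and values are assumed to be plain text (no base64 "::" values).

```python
from collections import defaultdict

# Constructed sample modelled on the accesslog entries quoted in the thread.
# Session 1000 is the reported case; session 1001 is invented for contrast.
SAMPLE = """\
# 20110420141404.000000Z, log03, mydc.it
dn: reqStart=20110420141404.000000Z,cn=log03,dc=mydc.it
objectClass: auditBind
reqType: bind
reqSession: 1000
reqDN: cn=manager,dc=mycorp,dc=mydc.it

dn: reqStart=20110420141404.000002Z,cn=log03,dc=mydc.it
objectClass: auditSearch
reqType: search
reqSession: 1000
reqAuthzID: cn=manager,dc=mycorp,dc=mydc.it

dn: reqStart=20110420141500.000000Z,cn=log03,dc=mydc.it
reqType: bind
reqSession: 1001
reqDN: cn=db2,dc=mycorp,dc=mydc.it

dn: reqStart=20110420141500.000002Z,cn=log03,dc=mydc.it
reqType: unbind
reqSession: 1001
reqAuthzID: cn=db2,dc=mycorp,dc=mydc.it
"""

def parse_entries(ldif):
    """Split LDIF text into entries; each entry maps attribute -> list of values."""
    ldif = ldif.replace("\n ", "")  # unfold LDIF continuation lines
    entries = []
    for block in ldif.split("\n\n"):
        entry = defaultdict(list)
        for line in block.splitlines():
            if not line or line.startswith("#") or ":" not in line:
                continue  # skip blanks, comments and malformed lines
            attr, _, value = line.partition(":")
            entry[attr.strip()].append(value.strip())
        if entry:
            entries.append(dict(entry))
    return entries

def sessions_missing_unbind(entries):
    """Return sorted reqSession ids that logged a bind but no unbind."""
    ops = defaultdict(set)
    for e in entries:
        for sid in e.get("reqSession", []):
            ops[sid].update(e.get("reqType", []))
    return sorted(s for s, t in ops.items() if "bind" in t and "unbind" not in t)
```

A session without an unbind record can also be a connection that is still open or was dropped without an Unbind request, so treat the result as a prompt to check the logbase configuration, not as proof of a logging gap.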