openldap-devel

openldap-devel@openldap.org

1418 discussions

deprecated functions
by Quanah Gibson-Mount 02 Mar '07

02 Mar '07

I'm interested in updating Net::LDAPapi so that it no longer uses the deprecated C API. ldap.h is nicely commented on the replacement functions for just about all of the deprecated functions, except for: ldap_sort_entries ldap_sort_values ldap_sort_strcasecmp of which Net::LDAPapi only uses ldap_sort_entries. Is there a replacement function for this? If not, any thoughts on what the steps are to duplicate that functionality? Thanks, Quanah -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

2 2

Re: [Kerberos] Kerberos + OpenLDAP (fwd)
by Quanah Gibson-Mount 01 Mar '07

01 Mar '07

To keep OpenLDAP in on this loop... --Quanah ------------ Forwarded Message ------------ Date: Thursday, March 01, 2007 5:10 PM -0500 From: Sam Hartman <hartmans(a)mit.edu> To: Quanah Gibson-Mount <quanah(a)stanford.edu> Cc: Apache Directory Developers List <dev(a)directory.apache.org>, g.w(a)hurderos.org, krbdev(a)MIT.EDU Subject: Re: [Kerberos] Kerberos + OpenLDAP 1) I'd really like to see interested individuals work on the LDAP schema in the IETF. The effort has floundered for lack of people driving it. 2) I'd really love to see an ldap plugin that used some schema and called kadm5_* interfaces--I.E. a way to replace kadmind with openldap even in situations where the ldap kdb layer was not used. ---------- End Forwarded Message ---------- -- Quanah Gibson-Mount Principal Software Developer ITS/Shared Application Services Stanford University GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html

1 0

Re: Config file statement ordering (Was: (ITS#4848) Another slapd startup segfault)
by Howard Chu 25 Feb '07

25 Feb '07

Pierangelo Masarati wrote: > For back-meta, I'd like to create children entries for each target; in > this case, an overlay with specific per-target behavior, would need to > either create a similar tree, or to append entries to targets'. This is > really going to mess up back-config. Still, I think having separate > entries makes sense. That's how I made, for example, the monitor > interface to "foobar" overlay... Speaking of which, ITS#4789, were you actually suggesting that back-monitor also use olcDatabase={x}foo to name its database entries? That would change its apparent behavior quite a bit from 2.3. As I mentioned before, I chose not to use a cn=Databases container in back-config because I didn't want to have to deal with creating a lot of do-nothing infrastructure entries. Philosophically I also prefer RDNs that use task-specific attributes; I've always thought cn was too overused... And if we're using olcDatabase, then e.g. olcDatabase={1}foo,cn=databases,cn=monitor is just redundant information, we already know foo is a database so we don't need the container to remind us of that. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Config file statement ordering (Was: (ITS#4848) Another slapd startup segfault)
by Pierangelo Masarati 24 Feb '07

24 Feb '07

ando(a)sys-net.it wrote: > The above had nothing to do with your problem. Your problem is related > to the fact that you intermixed overlay and database configuration > statements, so the idletimeout statement after the accesslog overlay > instantiation was causing invalid memory write (beyond the private data > of the accesslog overlay instead of in the private data of the bdb > database) resulting in heap corruption. > > Maybe it hasn't been stressed enough, but the order of directives is: I believe the problem is here: ========================================================================= diff -u -r1.341.2.25 config.c --- servers/slapd/config.c 8 Feb 2007 12:31:24 -0000 1.341.2.25 +++ servers/slapd/config.c 24 Feb 2007 13:29:42 -0000 @@ -308,13 +308,28 @@ return(0); } if(arg_type & ARG_OFFSET) { - if (c->be && (!overlay_is_over(c->be) || - ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi)) - ptr = c->be->be_private; - else if (c->bi) + if ( c->be ) { + if (!overlay_is_over(c->be) || + ((slap_overinfo *)c->be->bd_info)->oi_orig == c->bi) + { + ptr = c->be->be_private; + + } else { + snprintf( c->msg, sizeof( c->msg ), + "<%s> statement outside scope " + "(after overlay?)", + c->argv[0] ); + Debug(LDAP_DEBUG_CONFIG, "%s: %s!\n", + c->log, c->msg, 0); + return(ARG_BAD_CONF); + } + + } else if ( c->bi ) { ptr = c->bi->bi_private; - else { - snprintf( c->msg, sizeof( c->msg ), "<%s> offset is missing base pointer", + + } else { + snprintf( c->msg, sizeof( c->msg ), + "<%s> offset is missing base pointer", c->argv[0] ); Debug(LDAP_DEBUG_CONFIG, "%s: %s!\n", c->log, c->msg, 0); ========================================================================= that is, if both the database and the overlay allow back-config, there are cases in which config_set_vals() can be called with (arg_type & ARG_OFFSET) and the c->be points to the database's structure while c->bi points to the overlay's structure, and the config statement refers to the database although appearing after the overlay's instantiation. This is Bad (TM) and should be avoided. However, for example, I have special needs in back-meta that require to allow overlay instantiation __before__ the database configuration is complete (in that case, I need an overlay to be instantiated before targets are defined, so that the overlay can get per-target configuration parameters much like the underlying database does). This may defer introduction of back-config support for back-meta. Comments? Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

2 3

openldap-2.4.4alpha available [corrected]
by OpenLDAP Project 17 Feb '07

17 Feb '07

See http://www.openldap.org/software/download/ Please report problems using the Issue Tracking System. http://www.openldap.org/its/ -- OpenLDAP Project [previous post had incorrect version number]

1 0

openldap-2.4.3alpha available
by OpenLDAP Project 17 Feb '07

17 Feb '07

See http://www.openldap.org/software/download/ Please report problems using the Issue Tracking System. http://www.openldap.org/its/ -- OpenLDAP Project

1 0

liblber additions
by Howard Chu 16 Feb '07

16 Feb '07

We have a port of GNUtls support for OpenLDAP underway. Their certificate DN parsing APIs are pretty bad. Rather than use their APIs I've modified libldap's ldap_X509dn2bv function to take a DN in DER form, directly from the certificate, and parse it directly using liblber. For that purpose I've needed to add a few new tag definitions as well as a decoder for BER-encoded OIDs. Not sure if these should be ber_pvt definitions or just public. Since a typical LDAP program rarely is faced with real ASN.1 structures it seems we don't need to expose them. Comments? Also as a side-effect, we can support certificate parsing, to implement the certificate-related component matching rules, without needing OpenSSL or any other crypto library. I.e., I have a complete certificate parser using liblber. (The code is trivial. We probably should have done this from the start...) Something I'd like to revisit - when using liblber and parsing in-place, our parse is destructive because we NUL-terminate all octet strings. I'm considering changing this behavior, to leave the original BER data unmodified. At present it seems this change would have the greatest effect on Debug output, where we pass ber->bv_val's for printing without any further qualification. Any thoughts? as an aside - the fact that GNUtls' certificate DN handling is broken is worrisome, since issuer DNs are an integral part of certificate path validation. Until we have time to dig deeper into that code and patch all the problems, it would be a good idea to avoid using GNUtls. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: commit: ldap/servers/slapd sasl.c sl_malloc.c connection.c proto-slap.h
by Howard Chu 14 Feb '07

14 Feb '07

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd > > Modified Files: > sasl.c 1.245 -> 1.246 > sl_malloc.c 1.40 -> 1.41 > connection.c 1.393 -> 1.394 > proto-slap.h 1.715 -> 1.716 > > Log Message: > Added "slapd" rewrite map handler, connection_fake_init2 to use existing > tmpmemctx without reinitializing The documentation for this feature presents a bit of a problem, since most of the functionality of librewrite is documented in slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever --enable-rewrite is used) then all of librewrite's capabilities really should be in the main slapd documentation. In the meantime, here's an example usage: rwm-rewriteMap slapd cn2dn "ldap:///dc=example,dc=com?dn?sub?(&(objectclass=person)" rwm-rewriteContext bindDN rwm-rewriteRule "^(cn=[^,]+),.*" "${cn2dn(($1)))}" ":@I" This (stupid) example allows a user with a long DN to bind using just their RDN plus any subset of the DB suffix. E.g, a user with DN cn=Joe Bob,ou=Team1,ou=Teams,ou=Divisions,dc=example,dc=com could bind with just cn=Joe Bob,dc=example,dc=com -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

3 4

Re: commit: ldap/servers/slapd/schema dyngroup.schema
by Pierangelo Masarati 09 Feb '07

09 Feb '07

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd/schema > > Modified Files: > dyngroup.schema 1.9 -> 1.10 > > Log Message: > Revert memberURL back to STRUCTURAL - test044 breaks otherwise AFAIR, there's no need in slapo-dynlist(5) code for 'groupOfURLs' (not 'memberUrl' :) to be STRUCTURAL; what test044 does is simply add some dynamic groups, so reworking the test data should suffice, if you believe that class should be AUXILIARY. Do you want me to look at that test with the above change? p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati(a)sys-net.it ------------------------------------------

2 1

Re: commit: ldap/servers/slapd bconfig.c
by Howard Chu 07 Feb '07

07 Feb '07

hyc(a)OpenLDAP.org wrote: > Update of /repo/OpenLDAP/pkg/ldap/servers/slapd > > Modified Files: > bconfig.c 1.255 -> 1.256 > > Log Message: > ITS#4752 add undo for schema entries. back-config was already cleaning up failed Adds for databases and overlays. This commit adds another special case for schema entries. A general solution doesn't really exist, since some attributes just don't support a Delete operation. But this covers the key object types. E.g. deleting a moduleLoad directive will be a major problem until we add a lot of unregister / destroy functions which currently don't exist. (An overlay like syncprov dynamically registers a schema, a control and the overlay itself. Each of those needs a tear-down function. The Modify handler does a more thorough job of undoing things. -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-devel