openldap-software June 2007

openldap-software@openldap.org

86 participants
106 discussions

ldap manual "other stuff"
by Piotr Wadas 10 Jun '07

10 Jun '07

Hello, from ldap_init(3) "ldap_open() opens a connection to an LDAP server and allocates an LDAP structure [...] typedef struct ldap { /* ... other stuff you should not mess with ... */ char ld_lberoptions; int ld_deref; [...]" Ehmm, what is "other stuff I shouldn't mess with" ? :) Regards, Piotr

2 1

ber_scanf and ber_printf strangeness
by Szombathelyi György 10 Jun '07

10 Jun '07

Hi! I'm developing kldap, a Qt wrapper for LDAP-functions. When I tested ber_scanf and ber_printf functions, I found this strangeness: Encode a sequence of octet strings via ber_printf ber_printf(ber,"{v}",list_of_strings); But decoding only succeeds if I use the following scanf formats: ber_scanf(ber,"v",...) - yes, without '{}', or ber_scanf(ber,"{ooo}") As I read the ber_scanf man page, 'v' format actually decodes a sequence of octet strings, so my examples are correct according to these. But the code example on the end shows that '{v}' should be used. So what is the right way? Regards, György

2 3

Hardcoded libraries in Openldap binaries on AIX
by Martin Horak 08 Jun '07

08 Jun '07

Hello. I have a problem with compiling openldap suite on AIX. I feel it has certainly trivial solution, but I'm not so skilled in C development, so I can't solve it. After compiling, all binaries have hardcoded library dependencies: # cd /home/horakmar/src/openldap-2.3.4 # servers/slapd/slapd Could not load program servers/slapd/slapd: Dependent module ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r-2.3.so.0) could not be loaded. Could not load module ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r- 2.3.so.0). System error: No such file or directory # ldd servers/slapd/slapd servers/slapd/slapd needs: /lib/libs.a(shr.o) /lib/libpthreads.a(shr_comm.o) /lib/libpthreads.a(shr_xpg5.o) /home/qshorakmar/src/openldap-2.3.4 /libraries/liblber/.libs/liblber.a(liblber-2.3.so.0) Cannot find ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r-2.3.so.0) /opt/freeware/lib/libcrypto.a(libcrypto.so.0.9.7) /unix /lib/libcrypt.a(shr.o) /lib/libc.a(shr.o) /lib/libc.a(shr_64.o) /lib/libcrypt.a(shr_64.o) # dump -H servers/slapd/slapd servers/slapd/slapd: ***Loader Section*** Loader Header Information VERSION# #SYMtableENT #RELOCent LENidSTR 0x00000001 0x00000183 0x0000226b 0x00000119 #IMPfilID OFFidSTR LENstrTBL OFFstrTBL 0x00000007 0x0001c16c 0x0000130c 0x0001c285 ***Import File Strings*** INDEX PATH BASE MEMBER 0 /opt/freware/lib:/usr/lib:/lib 1 libs.a shr.o 2 libpthreads.a shr_comm.o 3 libpthreads.a shr_xpg5.o 4 /home/qshorakmar/src/openldap-2.3.4/libraries/liblber/.libs liblber.a liblber-2.3.so.0 5 ../../libraries/libldap_r/.libs libldap_r.a libldap_r- 2.3.so.0 6 libcrypto.a libcrypto.so.0.9.7 Client tools (e.g. ldapsearch) suffer from the same problem. When I install libraries into desired directories, program works. But dependency on directory in which it's being run is very unpleasant. Please do you have any idea, how to get rid of those: ../../libraries/libldap_r/.libs libldap_r.a /home/qshorakmar/src/openldap-2.3.4/libraries/liblber/.libs liblber.a ? Thank you in advance, Martin Horak

3 3

Search replies processed twice?
by José Marco 08 Jun '07

08 Jun '07

I programmed something like this very simple code inside an overlay. The idea is quite simple: if a search fulfills a condition, a new search should be done and the retrieved entries should also be returned to the client. (It is ensured that the second search does not fulfill the condition). static int response( Operation *op, SlapReply *rs ){ if ( op->o_tag == LDAP_REQ_SEARCH ){ switch ( rs->sr_type ){ case REP_SEARCH: // Show op and rs values in the debug console Debug(LDAP_DEBUG_TRACE, "#################### I Enter REP_SEARCH +++++++++++++++++\n",0,0,0); return SLAP_CB_CONTINUE; break; case REP_RESULT: // Show op and rs values in the debug console Debug(LDAP_DEBUG_TRACE, "#################### I Enter REP_RESULT +++++++++++++++++\n",0,0,0); // Check for subsearch condition ... if (check){ // Op2 initialize Operation op2 = *op; // Some op2 initialization code (just change the filter so the result of the previous check is false next time for this over config) Debug(LDAP_DEBUG_TRACE, "#################### Subsearch: start *****\n",0,0,0); [Option1: op2.o_bd = select_backend( &op->o_req_ndn, get_manageDSAit( op ), 1 ); (op2.o_bd->be_search)( &op2, rs ); ] [ Option2: fe_op_search( &op2, &rr ); ] Debug(LDAP_DEBUG_TRACE, "#################### Subsearch: finish ************\n",0,0,0); } return SLAP_CB_CONTINUE; break; } } return SLAP_CB_CONTINUE; } The code is just that simple but I found that when the subsearch is done, the ldap server runs the response twice for each retrieved entry. I suppose that the entries are being sent twice regardless of the search function I use (fe_op_search or be_search). Anyone can give me a hint on why? Are those the correct searching functions? If so, which one is more appropriate?

3 3

best practice: admin accounts?
by Craig 08 Jun '07

08 Jun '07

I need to create a user (or 2) for replication only, but don't really know where to put it or which structural class it should be. I was thinking about: dn: uid=Replicator,dc=example,dc=com objectClass: top objectClass: account objectClass: shadowAccount userPassword: <some pw> uid: Replicator This works, but is this really the best way to create "admin accounts"? For me, "admin accounts" are accounts used for various tasks related to server (not necessarily just slapd) maintenance. (Replication is the only "task" I can think of at the moment.) Also, I have the following org unit: dn: ou=People,dc=example,dc=com ou: People objectClass: top objectClass: organizationalUnit I was putting the above DN (cn=Replicator,...) in the root (as opposed to "ou=People,..."). Does that make sense? Or should I create an ou just for "admin/misc" accounts? Lastly, is there a way to give a "non-plain text" password for the syncrel user: syncrepl rid=123 ... bindmethod=simple binddn="cn=Replicator,dc=example,dc=com" credentials={SSHA}<encrypted string> All of the examples and docs seem to indicate that the credentials should be the password for the "binddn" in clear text. TIA! Craig

3 4

Re: Rewrite DN format?
by Quanah Gibson-Mount 07 Jun '07

07 Jun '07

--On Thursday, June 07, 2007 12:40 AM +0000 greg.martin18(a)verizon.net wrote: > Sed could be your friend. > > Sent from my Verizon Wireless BlackBerry His question was whether or not editing every single entry was the only solution, which it is. The question was not the 5000 different ways it can be done. I think this thread really can be ended now. --Quanah -- Quanah Gibson-Mount Principal Software Engineer Zimbra, Inc -------------------- Zimbra :: the leader in open source messaging and collaboration

1 0

More information about chain overlay
by Simon Gao 07 Jun '07

07 Jun '07

Hi, I am interested in knowing more about chain overlay and have some questions. Anyone can provide more sources or links for me to read? Thanks, Simon

4 4

Re: chain-overlay question
by Pierangelo Masarati 07 Jun '07

07 Jun '07

Please keep replies on the list. Markus Krause wrote: > Zitat von Pierangelo Masarati <ando(a)sys-net.it>: > Sorry for that, i am not a debugging expert ... > But i can asure you that i am running this on linux system (SuSE Linux > Enterprise Server), although it seems that SuSE does change some > packages in a "special" way. the OpenLDAP server i am running here is > installed from a rpm package from > http://software.opensuse.org/download/OpenLDAP/SLE_10/i586/. OK, I (wrongly) guessed you were building OpenLDAP yourself, as distros usually lag a bit behind with OpenLDAP releases. Good to SuSE :) > i also > installed the package "openldap2-debuginfo-2.3.34-5.2" and started gdb > with: > > gdb /usr/lib/openldap/slapd -se > /usr/lib/debug/usr/lib/openldap/slapd.debug > > after the segfault i called "bt" and posted the result above. > i am really sorry if that output only wastes your time. Well, it wastes yours more than mine :) > if you need some more debugging detail on this (or other things) please > let me now and if i did complete nonsense maybe please tell me what to > do/type ... In any case, to me your configuration looks good, so I guess it's about the URI you're using "ldaps://" which might not work as expected. In this case, I suggest you rather check if the provider gets contacted at all, and, in case, why it doesn't accept the connection. As per the core dump, it should deserve more attention but, for this, we need a non-stripped binary. In that case, you might need to build the latest OpenLDAP release yourself (it's not a big deal, though). p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati(a)sys-net.it ---------------------------------------

2 1

index an attribute makes it unusable in a filter
by sudhakar 06 Jun '07

06 Jun '07

We have a custom string attribute in our ldap schema that tracks the status of the user's account. If the attribute is indexed any search query which filters on that specific attribute fails to return any results. If I remove the index on that attribute then everything runs fine. While this is not a show stopper, it would still be nice to index this particular attribute since it is used in filters very often. I was wondering if someone has noticed similar behavior and what the solution might be. We have other custom attributes are being indexed and functioning correctly. Thanks in advance -sud

3 3

Rewrite DN format?
by Nels Lindquist 06 Jun '07

06 Jun '07

Hi there. I'm trying to merge entries from one tree into another, but the DN format for each tree is different. We're talking about inetOrgPerson entries, if that matters. Specifically, the old DNs are of the form: dn: cn=person,o=org,c=ca And the new DNs are of the form: dn: uid=username,ou=People,dc=example,dc=ca I'm using OpenLDAP 2.1.19, and I suspect that slapd-meta might be able to do what I need. All the examples I've been able to find seem to do with rewriting suffixes, however. I need to go slightly further and rewrite the DN itself. Is this possible, or am I barking up the wrong tree? Thanks very much for any assistance/configuration examples! Nels Lindquist

4 4

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

2006

openldap-software June 2007