ldap manual "other stuff"
by Piotr Wadas
Hello,
from ldap_init(3)
"ldap_open() opens a connection to an LDAP server and allocates an LDAP
structure
[...]
typedef struct ldap {
/* ... other stuff you should not mess with ... */
char ld_lberoptions;
int ld_deref;
[...]"
Ehmm, what is "other stuff I shouldn't mess with" ? :)
Regards,
Piotr
16 years, 6 months
ber_scanf and ber_printf strangeness
by Szombathelyi György
Hi!
I'm developing kldap, a Qt wrapper for LDAP-functions. When I tested ber_scanf
and ber_printf functions, I found this strangeness:
Encode a sequence of octet strings via ber_printf
ber_printf(ber,"{v}",list_of_strings);
But decoding only succeeds if I use the following scanf formats:
ber_scanf(ber,"v",...) - yes, without '{}', or
ber_scanf(ber,"{ooo}")
As I read the ber_scanf man page, 'v' format actually decodes a sequence of
octet strings, so my examples are correct according to these. But the code
example at the end shows that '{v}' should be used. So what is the right way?
Regards,
György
16 years, 6 months
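Added example, not from the original post and not liblber code: a minimal BER encoder and decoder for the structure the post describes, a SEQUENCE of OCTET STRINGs. It assumes `{` and `}` in the format string produce the SEQUENCE header and `v` the individual strings; all function names are hypothetical. The header appears once on the wire, so a decoder has to consume it exactly once.

```python
SEQUENCE, OCTET_STRING = 0x30, 0x04  # universal BER tags

def encode_length(n: int) -> bytes:
    """Definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + encode_length(len(content)) + content

def encode_string_sequence(strings) -> bytes:
    """One SEQUENCE header around the strings, each an OCTET STRING."""
    return tlv(SEQUENCE, b"".join(tlv(OCTET_STRING, s) for s in strings))

def read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos); reject truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated content")
    return tag, buf[pos:pos + length], pos + length

def decode_string_sequence(buf: bytes):
    """Consume the SEQUENCE header exactly once, then every OCTET STRING."""
    tag, content, end = read_tlv(buf, 0)
    if tag != SEQUENCE or end != len(buf):
        raise ValueError("expected a single SEQUENCE")
    out, pos = [], 0
    while pos < len(content):
        tag, value, pos = read_tlv(content, pos)
        if tag != OCTET_STRING:
            raise ValueError("expected OCTET STRING")
        out.append(value)
    return out

# Constructed sample input
SAMPLE = [b"ab", b"c"]
ENCODED = encode_string_sequence(SAMPLE)   # 30 07 04 02 61 62 04 01 63
```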
Hardcoded libraries in Openldap binaries on AIX
by Martin Horak
Hello.
I have a problem with compiling the openldap suite on AIX. I feel it
certainly has a trivial solution, but I'm not so skilled in C development, so I
can't solve it.
After compiling, all binaries have hardcoded library dependencies:
# cd /home/horakmar/src/openldap-2.3.4
# servers/slapd/slapd
Could not load program servers/slapd/slapd:
Dependent module ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r-2.3.so.0) could not be loaded.
Could not load module ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r-2.3.so.0).
System error: No such file or directory
# ldd servers/slapd/slapd
servers/slapd/slapd needs:
/lib/libs.a(shr.o)
/lib/libpthreads.a(shr_comm.o)
/lib/libpthreads.a(shr_xpg5.o)
/home/qshorakmar/src/openldap-2.3.4/libraries/liblber/.libs/liblber.a(liblber-2.3.so.0)
Cannot find ../../libraries/libldap_r/.libs/libldap_r.a(libldap_r-2.3.so.0)
/opt/freeware/lib/libcrypto.a(libcrypto.so.0.9.7)
/unix
/lib/libcrypt.a(shr.o)
/lib/libc.a(shr.o)
/lib/libc.a(shr_64.o)
/lib/libcrypt.a(shr_64.o)
# dump -H servers/slapd/slapd
servers/slapd/slapd:
***Loader Section***
Loader Header Information
VERSION# #SYMtableENT #RELOCent LENidSTR
0x00000001 0x00000183 0x0000226b 0x00000119
#IMPfilID OFFidSTR LENstrTBL OFFstrTBL
0x00000007 0x0001c16c 0x0000130c 0x0001c285
***Import File Strings***
INDEX  PATH                                                         BASE           MEMBER
0      /opt/freware/lib:/usr/lib:/lib
1                                                                   libs.a         shr.o
2                                                                   libpthreads.a  shr_comm.o
3                                                                   libpthreads.a  shr_xpg5.o
4      /home/qshorakmar/src/openldap-2.3.4/libraries/liblber/.libs  liblber.a      liblber-2.3.so.0
5      ../../libraries/libldap_r/.libs                              libldap_r.a    libldap_r-2.3.so.0
6                                                                   libcrypto.a    libcrypto.so.0.9.7
Client tools (e.g. ldapsearch) suffer from the same problem.
When I install the libraries into the desired directories, the program works. But
the dependency on the directory in which it's being run is very unpleasant.
Do you have any idea how to get rid of these:
../../libraries/libldap_r/.libs libldap_r.a
/home/qshorakmar/src/openldap-2.3.4/libraries/liblber/.libs liblber.a
?
Thank you in advance,
Martin Horak
16 years, 6 months
Search replies processed twice?
by José Marco
I programmed something like this very simple code inside an overlay.
The idea is quite simple: if a search fulfills a condition, a new search
should be done and the retrieved entries should also be returned to the
client. (It is ensured that the second search does not fulfill the
condition).
static int response( Operation *op, SlapReply *rs ){
    if ( op->o_tag == LDAP_REQ_SEARCH ){
        switch ( rs->sr_type ){
        case REP_SEARCH:
            // Show op and rs values in the debug console
            Debug(LDAP_DEBUG_TRACE, "#################### I Enter REP_SEARCH +++++++++++++++++\n",0,0,0);
            return SLAP_CB_CONTINUE;
            break;
        case REP_RESULT:
            // Show op and rs values in the debug console
            Debug(LDAP_DEBUG_TRACE, "#################### I Enter REP_RESULT +++++++++++++++++\n",0,0,0);
            // Check for subsearch condition
            ...
            if (check){
                // Op2 initialize
                Operation op2 = *op;
                // Some op2 initialization code (just change the filter so the
                // result of the previous check is false next time for this
                // over config)
                Debug(LDAP_DEBUG_TRACE, "#################### Subsearch: start *****\n",0,0,0);
                [Option1:
                op2.o_bd = select_backend( &op->o_req_ndn, get_manageDSAit( op ), 1 );
                (op2.o_bd->be_search)( &op2, rs );
                ]
                [ Option2:
                fe_op_search( &op2, &rr );
                ]
                Debug(LDAP_DEBUG_TRACE, "#################### Subsearch: finish ************\n",0,0,0);
            }
            return SLAP_CB_CONTINUE;
            break;
        }
    }
    return SLAP_CB_CONTINUE;
}
The code is just that simple but I found that when the subsearch is
done, the ldap server runs the response twice for each retrieved entry.
I suppose that the entries are being sent twice regardless of the search
function I use (fe_op_search or be_search).
Can anyone give me a hint as to why?
Are those the correct searching functions? If so, which one is more
appropriate?
16 years, 6 months
best practice: admin accounts?
by Craig
I need to create a user (or 2) for replication only, but don't really
know where to put it or which structural class it should be.
I was thinking about:
dn: uid=Replicator,dc=example,dc=com
objectClass: top
objectClass: account
objectClass: shadowAccount
userPassword: <some pw>
uid: Replicator
This works, but is this really the best way to create "admin accounts"?
For me, "admin accounts" are accounts used for various tasks related to
server (not necessarily just slapd) maintenance. (Replication is the
only "task" I can think of at the moment.)
Also, I have the following org unit:
dn: ou=People,dc=example,dc=com
ou: People
objectClass: top
objectClass: organizationalUnit
I was putting the above DN (cn=Replicator,...) in the root (as opposed
to "ou=People,..."). Does that make sense? Or should I create an ou just
for "admin/misc" accounts?
Lastly, is there a way to give a "non-plain text" password for the
syncrepl user:
syncrepl rid=123
...
bindmethod=simple
binddn="cn=Replicator,dc=example,dc=com"
credentials={SSHA}<encrypted string>
All of the examples and docs seem to indicate that the credentials
should be the password for the "binddn" in clear text.
TIA!
Craig
16 years, 6 months
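Added example (not part of the original post or of OpenLDAP): why a simple bind needs the cleartext password even when userPassword holds an {SSHA} value. It assumes the usual {SSHA} layout, base64(SHA-1(password + salt) + salt); the `simple_bind` helper, the toy `DIRECTORY` and the sample password are constructed for illustration.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

PREFIX = "{SSHA}"

def make_ssha(password: bytes, salt: Optional[bytes] = None) -> str:
    """Build a userPassword value: base64(SHA-1(password + salt) + salt)."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password + salt).digest()
    return PREFIX + base64.b64encode(digest + salt).decode("ascii")

def check_ssha(presented: bytes, stored: str) -> bool:
    """Server side: re-hash what the client presented with the stored salt."""
    if not stored.startswith(PREFIX):
        raise ValueError("not an {SSHA} value")
    raw = base64.b64decode(stored[len(PREFIX):])
    digest, salt = raw[:20], raw[20:]          # SHA-1 digests are 20 bytes
    candidate = hashlib.sha1(presented + salt).digest()
    return hmac.compare_digest(candidate, digest)

def simple_bind(directory: dict, dn: str, credentials: bytes) -> bool:
    """Toy provider: the bind carries the credentials as-is, and the
    provider hashes them. Real DN matching is more than lower()."""
    stored = directory.get(dn.lower())
    return stored is not None and check_ssha(credentials, stored)

# Constructed sample data (hypothetical password, DN taken from the post)
REPL_DN = "cn=Replicator,dc=example,dc=com"
SAMPLE_PW = b"constructed-sample-password"
DIRECTORY = {REPL_DN.lower(): make_ssha(SAMPLE_PW)}

if __name__ == "__main__":
    stored = DIRECTORY[REPL_DN.lower()]
    print("cleartext as credentials:", simple_bind(DIRECTORY, REPL_DN, SAMPLE_PW))
    # Putting the {SSHA} string itself into credentials= fails: the provider
    # hashes that string again and compares it with the stored digest.
    print("hash as credentials:     ", simple_bind(DIRECTORY, REPL_DN, stored.encode()))
```

Because the consumer has to present the cleartext, the protection for a syncrepl `credentials` value is access control on the configuration file and transport security on the bind, not hashing.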
Re: Rewrite DN format?
by Quanah Gibson-Mount
--On Thursday, June 07, 2007 12:40 AM +0000 greg.martin18(a)verizon.net wrote:
> Sed could be your friend.
>
> Sent from my Verizon Wireless BlackBerry
His question was whether or not editing every single entry was the only
solution, which it is. The question was not the 5000 different ways it can
be done. I think this thread really can be ended now.
--Quanah
--
Quanah Gibson-Mount
Principal Software Engineer
Zimbra, Inc
--------------------
Zimbra :: the leader in open source messaging and collaboration
16 years, 6 months
More information about chain overlay
by Simon Gao
Hi,
I am interested in knowing more about chain overlay and have some
questions. Can anyone provide more sources or links for me to read?
Thanks,
Simon
16 years, 6 months
Re: chain-overlay question
by Pierangelo Masarati
Please keep replies on the list.
Markus Krause wrote:
> Quoting Pierangelo Masarati <ando(a)sys-net.it>:
> Sorry for that, i am not a debugging expert ...
> But i can assure you that i am running this on linux system (SuSE Linux
> Enterprise Server), although it seems that SuSE does change some
> packages in a "special" way. the OpenLDAP server i am running here is
> installed from a rpm package from
> http://software.opensuse.org/download/OpenLDAP/SLE_10/i586/.
OK, I (wrongly) guessed you were building OpenLDAP yourself, as distros
usually lag a bit behind with OpenLDAP releases. Good to SuSE :)
> i also
> installed the package "openldap2-debuginfo-2.3.34-5.2" and started gdb
> with:
>
> gdb /usr/lib/openldap/slapd -se
> /usr/lib/debug/usr/lib/openldap/slapd.debug
>
> after the segfault i called "bt" and posted the result above.
> i am really sorry if that output only wastes your time.
Well, it wastes yours more than mine :)
> if you need some more debugging detail on this (or other things) please
> let me know and if i did complete nonsense maybe please tell me what to
> do/type ...
In any case, to me your configuration looks good, so I guess it's about
the URI you're using "ldaps://" which might not work as expected. In
this case, I suggest you rather check if the provider gets contacted at
all, and, in case, why it doesn't accept the connection. As per the
core dump, it should deserve more attention but, for this, we need a
non-stripped binary. In that case, you might need to build the latest
OpenLDAP release yourself (it's not a big deal, though).
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati(a)sys-net.it
---------------------------------------
16 years, 6 months
index an attribute makes it unusable in a filter
by sudhakar
We have a custom string attribute in our ldap schema that tracks the
status of the user's account. If the attribute is indexed any search
query which filters on that specific attribute fails to return any
results. If I remove the index on that attribute then everything runs
fine. While this is not a show stopper, it would still be nice to index
this particular attribute since it is used in filters very often.
I was wondering if someone has noticed similar behavior and what the
solution might be. We have other custom attributes that are being indexed and
functioning correctly.
Thanks in advance
-sud
16 years, 6 months
Rewrite DN format?
by Nels Lindquist
Hi there.
I'm trying to merge entries from one tree into another, but the DN
format for each tree is different. We're talking about inetOrgPerson
entries, if that matters.
Specifically, the old DNs are of the form:
dn: cn=person,o=org,c=ca
And the new DNs are of the form:
dn: uid=username,ou=People,dc=example,dc=ca
I'm using OpenLDAP 2.1.19, and I suspect that slapd-meta might be able
to do what I need.
All the examples I've been able to find seem to do with rewriting
suffixes, however. I need to go slightly further and rewrite the DN itself.
Is this possible, or am I barking up the wrong tree?
Thanks very much for any assistance/configuration examples!
Nels Lindquist
16 years, 6 months