hi,
Does OpenLDAP provide any routines for validating whether a given string represents a valid LDAP search filter? This is for me to detect invalid configuration settings in my LDAP client, and report the problem to the end-user as early as possible. For example, I want to catch settings like LDAPFilter="(cn=foo)", since they don't conform to the RFC 2254. Also, a side question, is the use of brackets around the main filter definition compulsory? All of the LDAP tools I have at my disposal seem to allow just cn=foo type filters...
thanks in advance,
regards, Greg
Greg B wrote:
Well, as a test I did objectclass>f (without quotes) and I got back an error stating "missing equals", so yes, you can leave off the parentheses, and yes, you will get validation-related errors back (at least in some cases, from what I've experienced).
hope that helps
Brandon
hi Brandon, what OpenLDAP API calls have you used? If you just invoked an LDAP search, then that doesn't really help, because I'm already doing that and by that point in time it's already too late.
On 10/17/06, Brandon McCombs bmccombs@ma.rr.com wrote:
Greg B wrote:
Actually I'm using the Java JNDI API, which is compatible with OpenLDAP (as long as I don't attempt to do anything with the schema, at which point I run into some usability issues). Actually, OpenLDAP is compatible with JNDI, not the other way around. If you have a C API I would presume it would do the same thing, because it's the directory server that is responsible for working with a given API, so unless OpenLDAP isn't consistent across APIs you should have the same experience with the C API, if that is what you are using.
As a side note, I'm using Novell's LDAP API for accessing OpenLDAP's schema.
Brandon
Well, the client library, with respect to filters, does syntax validation but it cannot do any semantics validation (i.e. check if an attribute syntax supports the matching rule that's being used, or if an attribute's value complies with the syntax for that attribute). A "smart" client could do this by accessing the schema related to the search it's going to perform, provided it implements the necessary checks for the syntaxes in use, but OpenLDAP's clients don't do that (I guess no existing client really does that).
Syntax checking is done while encoding the filter for transmission (if encoding succeeds, the filter was fine); this is done by ldap_pvt_put_filter(), which is part of the private API (as the ldap_pvt_* indicates) so it's not exposed in the header ldap.h. As part of the private API, it requires access to data types otherwise opaque, so calling it may not be easy. You can follow two paths: learn from that function, and code your own, or use that function by accessing the private API. Note that the latter option implies you're aware of the fact that the interface may change without notice, so don't expect your code to build seamlessly whenever you upgrade.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39.02.23998309
Mobile: +39.333.4963172
Email: pierangelo.masarati@sys-net.it
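An added example, not code from this thread or from OpenLDAP: a small recursive-descent checker for the RFC 2254 filter grammar that a client could run over its LDAPFilter setting at startup, doing only the syntax validation Pierangelo describes (no schema, so no semantic checks). The function and regex names are mine.

```python
import re

# RFC 2254 grammar pieces as regular expressions (constructed for this example).
_ATTR = r"(?:[A-Za-z][A-Za-z0-9-]*(?:;[A-Za-z0-9-]+)*|[0-9]+(?:\.[0-9]+)*)"  # descriptor or OID
_RULE = r"(?:[A-Za-z][A-Za-z0-9-]*|[0-9]+(?:\.[0-9]+)*)"                     # matching rule
_VAL = r"(?:[^*()\\\x00]|\\[0-9A-Fa-f]{2})*"   # '*', '(', ')', '\' and NUL must be \xx escaped
_ITEM = re.compile(
    _ATTR + r"(?::dn)?(?::" + _RULE + r")?:=" + _VAL      # extensible, attribute given
    + r"|(?::dn)?:" + _RULE + r":=" + _VAL                 # extensible, matching rule only
    + r"|" + _ATTR + r"(?:~=|>=|<=)" + _VAL                # approx / greater-or-equal / less-or-equal
    + r"|" + _ATTR + r"=" + _VAL + r"(?:\*" + _VAL + r")*"  # equality, presence (=*), substrings
)

def _parse_filter(s, i):
    """Parse one parenthesised filter at s[i]; return the index just past its ')'."""
    if not s.startswith("(", i):
        raise ValueError("expected '(' at offset %d" % i)
    i += 1
    if s.startswith(("&", "|"), i):  # and / or: one or more nested filters
        i += 1
        if not s.startswith("(", i):
            raise ValueError("'%s' needs at least one filter at offset %d" % (s[i - 1], i))
        while s.startswith("(", i):
            i = _parse_filter(s, i)
    elif s.startswith("!", i):  # not: exactly one nested filter
        i = _parse_filter(s, i + 1)
    else:
        m = _ITEM.match(s, i)
        if not m:  # e.g. 'objectclass>f', which slapd reports as "missing equals"
            raise ValueError("bad attribute, operator or value at offset %d" % i)
        i = m.end()
    if not s.startswith(")", i):
        raise ValueError("expected ')' at offset %d" % i)
    return i + 1

def ldap_filter_error(text, allow_bare=True):
    """Return None if text is a syntactically valid RFC 2254 filter, else a message with the
    offset (in the parenthesised form) of the problem, for reporting a bad config setting
    before any bind or search. allow_bare also accepts the 'cn=foo' form ldapsearch tolerates.
    Syntax only: without the schema, '(cn>=foo)' passes even if cn has no ORDERING rule."""
    s = text.strip()
    if allow_bare and not s.startswith("("):
        s = "(%s)" % s
    try:
        end = _parse_filter(s, 0)
    except ValueError as e:
        return str(e)
    return None if end == len(s) else "trailing characters at offset %d" % end
```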
If I have an old base dn of uid=jdoe,o=x,c=us and I want to redirect all such client queries to uid=jdoes,dc=group1,dc=x,dc=y; what is the best way to do this? The old base is on an old netscape server and the new one is on openldap 2.3.27. Thanks!
It's not clear to me what data you actually have hosted on each server currently, and where you expect what data to be in the long run.
My current best guess is that NS has 'o=x,c=us' on disk and you're looking to turn it off, while OL has 'dc=group1,dc=x,dc=y' on disk, and you're looking to add 'o=x,c=us' to OL.
In this case, add a relay from 'o=x,c=us' to 'dc=group1,dc=x,dc=y' in the OpenLDAP server, and turn off the Netscape server.
See the slapd-relay(5) man page, and the recent thread on rewriting http://www.openldap.org/lists/openldap-software/200610/msg00105.html for some just-short-of-usable examples. (Just because they didn't work out for Quanah doesn't mean they won't necessarily work out for you.)
If this was completely off base from what you wanted, you can hold out for other replies, but you'd be better served by reposting a more precise inquiry. At a minimum, I could be confusing "redirect" as "rewrite" when you want "referral." That would be quite different...
"Douglas B. Jones" douglas@gpc.edu writes:
Define a referral, if the old server supports it, or install a proxy like back-ldap or back-meta.
-Dieter
On Tuesday 17 October 2006 17:40, Douglas B. Jones wrote:
Assuming you have migrated all of the content from o=x,c=us on the old Netscape server to live under dc=group1,dc=x,dc=y on the OpenLDAP server, which you would like to have visible to clients searching the new server under o=x,c=us, you should consider using back-relay as the backend for o=x,c=us.
See the man page for slapd-relay for details.
Regards, Buchan
Hi everyone - thanks for the great replies!!!!
To try to clarify, I currently have a netscape server on port 389. I now have an openldap 2.3.27 set up with all the data on port 900. The ns is set up as o=x,c=us. The openldap is set up as dc=group1,dc=x,dc=y. If I do an ldapsearch on port 900 with a base of o=x,c=us, I want it to return the result with a base of dc=group1,dc=x,dc=y.
database relay
suffix "o=x,c=us"
relay "dc=group1,dc=x,dc=y"

database bdb
suffix "dc=group1,dc=x,dc=y"
...
and when I try to start up the openldap, I get:
'cannot find database of relay "dc=group1,dc=x,dc=y" in "relay <db> [message]".
Another way of looking at what I want to do is:
1) if the outlook base dn is o=x,c=us, I want this to work on the server with dc=group1,dc=x,dc=y. Right now, a lot of our users have the base dn and we want to make the migration easier for them.
2) if I do:
ldapsearch -h host1 -p 389 -b o=x,c=us uid=userx cn
on the ns port, I would get back the expected results - the ns server has that base dn.
ldapsearch -h host2 -p 900 -b o=x,c=us uid=userx cn
will fail, for host2 has the base of dc=group1,dc=x,dc=y. If I do:
ldapsearch -h host2 -p 900 uid=userx cn
then it returns what I expect, for dc=group1,dc=x,dc=y is the default base dn.
I hope this all makes sense. Thanks for any help!