Re: search for "dynamic" calculated attribute's value (bdb_equality_candidates: not indexed)
by Pierangelo Masarati
----- "Daniel" <deepee(a)gmx.net> wrote:
> Hi slapd-Gurus out there,
>
> using the search filter "(test=TRUE)" results in: "candidates not
> indexed". The cause for the below slapd trace output seems clear to
> me:
> In fact there is no entry in my bdb backend existing with an attribute
> description "test" present...
>
> => bdb_filter_candidates
> EQUALITY
> => bdb_equality_candidates (test)
> <= bdb_equality_candidates: (test) not indexed
> <= bdb_filter_candidates: id=-1 first=1 last=430
> <= bdb_list_candidates: id=-1 first=1 last=430
> <= bdb_filter_candidates: id=-1 first=1 last=430
> <= bdb_list_candidates: id=25 first=141 last=430
> <= bdb_filter_candidates: id=25 first=141 last=430
> bdb_search_candidates: id=25 first=141 last=430
> => test_filter
> EQUALITY
> => access_allowed: search access to "dc=foo,dc=bar" "test" requested
> <= root access granted
> => access_allowed: search access granted by manage(=mwrscxd)
> <= test_filter 5
> bdb_search: 141 does not match filter
>
>
> In regard to the above slapd-trace I've the following question:
> Could someone please be so kind and tell me whether there exists a
> possibility to search (filter) for "dynamic" (calculated) attribute
> values, that do not get stored in a backend (in my case bdb)? Idea: An
> overlay should calculate a dynamic attribute's value based on already
> existing attribute values of an entry each time this dynamic attribute
> is searched for using a filter-statement, e.g.
> '(&(dynamic-attr-name=xyz)(|((...)(...))...)...)'.
>
> First of all I had a quick look into slapo-collect's sources. The
> collective attributes seem to be added dynamically to an entry but the
> collected attributes are not "filterable". I think the reason is that
> slapo-collect operates on the response/slapreply and that's too late in
> the overlay's processing queue...
>
> Then I thought of something similar to the operational attribute
> "hasSubordinates" - this attribute's value is filterable and seems (at
> least sounds) to be dynamically evaluated. On the other hand I'm not
> sure whether "hasSubordinates" is dynamically calculated each time an
> entry gets searched or accessed. Perhaps the value of "hasSubordinates"
> is only calculated in case the entry's children get modified and
> (thus seldom) updated within the backend, which could be the reason to
> be search- and filterable?!
>
> Last but not least I tried to implement a small test-overlay using a
> custom search-callback that updates the dynamic "test" attribute within
> the bdb-backend: Imagine a (very simple/stupid) overlay that for
> example sets a custom attribute named "test" to "TRUE" in case an entry's
> attributes "givenName" and "sn" both contain at least one value. ;-) I
> know, that the filter "(&(givenName=*)(sn=*))" would do the trick but
> the example is just a simple scenario for me to step into
> overlay-processing details.
>
> If I use attr_merge() within the search-callback to store the dynamic
> test attribute's value "TRUE" or "FALSE" within the entry the search
> succeeds without problems - I mean the filter (test=TRUE) gets
> processed ok.
>
> So my question still left is:
> Do I always have to store/update the dynamic attribute's calculation
> result value within each entry (in the backend) or is there another
> possibility that allows filtering for the calculated attribute's value,
> while getting rid of the store and update overhead within the backend?
>
> Hopefully this is no hen egg problem concerning the internal processing
> order of filters, candidates, entries, etc.
Using dynamically computed attrs in a search filter and pretending it to be indexed is an oxymoron. If you intend to allow it, you need to be prepared to intercept the search operation and do the candidate collection yourself. I don't recall any overlay or so that does it and that could be used as an example, simply because it makes little sense. In any case, the problem can be solved, but the solution may not be trivial and may require a fair amount of coding.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497
Email: ando(a)sys-net.it
-----------------------------------
12 years
Modifying password by user
by Franck Royer
Hi,
I'm installing openldap on an Ubuntu Intrepid server (8.10). Everything
is ok except when I want a user to be able to modify his own password
using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS).
So I tried to modify it using ldappasswd:
dante@kollok ~ $ ldappasswd
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
or
dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org"
SASL/DIGEST-MD5 authentication started
Please enter your password:
ldap_sasl_interactive_bind_s: Invalid credentials (49)
The posix user dante is the same user as the ldap one (I use pam
libs). And I know that my password is right because I can log in to ldapadmin
or ssh with it.
My slapd.conf : http://pastebin.com/f44dd2b59
My ldap.conf : http://pastebin.com/f3af1bec3
Any idea?
Cheers,
Franck Royer
12 years
group of groups
by alois blasbichler
Hello list
Is there a possibility in openldap to make a group of groups?
We need this for posix- and sambagroups.
I don't find any predefined objectclasses or documentation.
Can somebody give me a link or other help?
Thank you
luis
12 years
OpenLDAP groups and Unix users
by Stephen Parry
Thanks in advance for any answers to this query, and thanks to the geniuses
who wrote and maintain OpenLDAP.
I have OpenLDAP running on my Ubuntu Intrepid server. I have installed the
various PAM and NSS bits and pieces to allow integrated authentication. I
can now use users and groups stored in LDAP database to do shell logins,
permission files and authenticate Apache secure connections (hooray!). It
also is set up so that Unix user accounts and groups still function outside
of LDAP as expected.
However, there is one quirk to this. I can make LDAP users members of Unix
groups and this works fine. I cannot however do the equivalent: make Unix
users working members of LDAP groups. I can put them in the groups, but
the system command "id -nG" does not list the LDAP groups and the filesystem
fails to pick up the permissions.
Is this behaviour by design? Can the relevant modules be configured to allow
LDAP groups to have Unix users as members?
12 years
Notify mechanism for changes on a specific directory?
by Bahadır Kandemir
Hello,
I'm working on a remote management system that uses LDAP for storing policies.
Clients pull policies from server periodically, but we sometimes need to push
policies to clients instantly. Polling LDAP every five seconds is not an
option, of course.
Is there any auto notification mechanism for LDAP that notifies client about
changes on a specific directory? I've searched archives but could not find
anything.
Thanks in advance,
Bahadir Kandemir
12 years
search for "dynamic" calculated attribute's value (bdb_equality_candidates: not indexed)
by Daniel
Hi slapd-Gurus out there,
using the search filter "(test=TRUE)" results in: "candidates not
indexed". The cause for the below slapd trace output seems clear to me:
In fact there is no entry in my bdb backend existing with an attribute
description "test" present...
=> bdb_filter_candidates
EQUALITY
=> bdb_equality_candidates (test)
<= bdb_equality_candidates: (test) not indexed
<= bdb_filter_candidates: id=-1 first=1 last=430
<= bdb_list_candidates: id=-1 first=1 last=430
<= bdb_filter_candidates: id=-1 first=1 last=430
<= bdb_list_candidates: id=25 first=141 last=430
<= bdb_filter_candidates: id=25 first=141 last=430
bdb_search_candidates: id=25 first=141 last=430
=> test_filter
EQUALITY
=> access_allowed: search access to "dc=foo,dc=bar" "test" requested
<= root access granted
=> access_allowed: search access granted by manage(=mwrscxd)
<= test_filter 5
bdb_search: 141 does not match filter
In regard to the above slapd-trace I've the following question:
Could someone please be so kind and tell me whether there exists a
possibility to search (filter) for "dynamic" (calculated) attribute
values, that do not get stored in a backend (in my case bdb)? Idea: An
overlay should calculate a dynamic attribute's value based on already
existing attribute values of an entry each time this dynamic attribute
is searched for using a filter-statement, e.g.
'(&(dynamic-attr-name=xyz)(|((...)(...))...)...)'.
First of all I had a quick look into slapo-collect's sources. The
collective attributes seem to be added dynamically to an entry but the
collected attributes are not "filterable". I think the reason is that
slapo-collect operates on the response/slapreply and that's too late in
the overlay's processing queue...
Then I thought of something similar to the operational attribute
"hasSubordinates" - this attribute's value is filterable and seems (at
least sounds) to be dynamically evaluated. On the other hand I'm not
sure whether "hasSubordinates" is dynamically calculated each time an
entry gets searched or accessed. Perhaps the value of "hasSubordinates"
is only calculated in case the entry's children get modified and
(thus seldom) updated within the backend, which could be the reason to
be search- and filterable?!
Last but not least I tried to implement a small test-overlay using a
custom search-callback that updates the dynamic "test" attribute within
the bdb-backend: Imagine a (very simple/stupid) overlay that for
example sets a custom attribute named "test" to "TRUE" in case an entry's
attributes "givenName" and "sn" both contain at least one value. ;-) I
know, that the filter "(&(givenName=*)(sn=*))" would do the trick but
the example is just a simple scenario for me to step into
overlay-processing details.
If I use attr_merge() within the search-callback to store the dynamic
test attribute's value "TRUE" or "FALSE" within the entry the search
succeeds without problems - I mean the filter (test=TRUE) gets
processed ok.
So my question still left is:
Do I always have to store/update the dynamic attribute's calculation
result value within each entry (in the backend) or is there another
possibility that allows filtering for the calculated attribute's value,
while getting rid of the store and update overhead within the backend?
Hopefully this is no hen egg problem concerning the internal processing
order of filters, candidates, entries, etc.
Many thanks for your advice!
Kind regards
Daniel
12 years
Authentication issue into a ubuntu client: `finger` and `id` commands working but no `su`
by carolina fernandez
Hello,
I'm trying to configure an Ubuntu 8.10 client to authenticate
against an openldap directory.
The client configuration (PAM, NSS and /etc/ldap.conf) is here:
http://pastebin.com/mc279767
I performed some test getting the following results:
`ldapsearch -xLLL`, `id $USER`, `finger $USER`
Those three commands work fine. See the output here:
http://pastebin.com/d43add436
`su $USER`
Prompts twice for a password and then fails.
See the output with a debug level 1:
http://pastebin.com/m390ab435
My main question is:
Line 12 from `su $USER` output says:
"ldap_connect_to_host: TCP localhost:389"
It seems like it were trying to connect to the localhost but I
specified "host 192.168.0.10" and "uri ldap://192.168.0.10/" at the
/etc/ldap.conf file.
Maybe I need to specify a bind domain name but if I'm not wrong
the query will be performed as anonymous and I have the following
credentials at the server /etc/ldap/slapd.conf:
access to attrs=userPassword,shadowLastChange
        by dn="cn=admin,dc=carolina,dc=es" write
        by anonymous auth
        by self write
        by * none

access to *
        by dn="cn=admin,dc=carolina,dc=es" write
        by * read
Any idea to solve this? Can anyone enlighten me?
Thank you in advance,
Carolina F. Bravo
12 years
pam_ldap: error trying to bind (Server is unwilling to perform)
by Hammad Ahmad Bhatti
I am trying to ssh my ldap client linux box using ldap user. When I try to
login from local root user and su to ldap user then it works and if I try to
directly ssh using ldap user then it does not work.
Can someone help me out?
Hammad Ahmad
12 years
Matthew GARRETT is out of the office.
by Matthew GARRETT
I will be out of the office starting 08/04/2009 and will not return until 21/04/2009.
I will respond to your message when I return.
For IT issues please see Drew Harvey
12 years