openldap-technical April 2009

openldap-technical@openldap.org

71 participants
79 discussions

Re: search for "dynamic" calculated attribute's value (bdb_equality_candidates: not indexed)
by Pierangelo Masarati 14 Apr '09

14 Apr '09

----- "Daniel" <deepee(a)gmx.net> wrote: > Hi slapd-Gurus out there, > > using the search filter "(test=TRUE)" results in: "candidates not > indexed". The cause for the below slapd trace output seems clear to > me: > In fact there is no entry in my bdb backend existing with an attribute > > description "test" present... > > => bdb_filter_candidates > EQUALITY > => bdb_equality_candidates (test) > <= bdb_equality_candidates: (test) not indexed > <= bdb_filter_candidates: id=-1 first=1 last=430 > <= bdb_list_candidates: id=-1 first=1 last=430 > <= bdb_filter_candidates: id=-1 first=1 last=430 > <= bdb_list_candidates: id=25 first=141 last=430 > <= bdb_filter_candidates: id=25 first=141 last=430 > bdb_search_candidates: id=25 first=141 last=430 > => test_filter > EQUALITY > => access_allowed: search access to "dc=foo,dc=bar" "test" requested > <= root access granted > => access_allowed: search access granted by manage(=mwrscxd) > <= test_filter 5 > bdb_search: 141 does not match filter > > > In regard to the above slapd-trace I've the following question: > Could someone please be so kind and tell me whether there exists a > possibility to search (filter) for "dynamic" (calculated) attribute > values, that do not get stored in a backend (in my case bdb)? Idea: An > > overlay should calculate a dynamic attribute's value based on already > > existing attribute values of an entry each time this dynamic attribute > > is searched for using a filter-statement, e.g. > '(&(dynamic-attr-name=xyz)(|((...)(...))...)...)'. > > First of all I had a quick look into slapo-collect's sources. The > collective attributes seem to be added dynamically to an entry but the > > collected attributes are not "filterable". I think the reason is that > > slapo-collect operates on the response/slapreply and that's to late in > > the overlay's processing queue... > > Then I thought of something similar to the operational attribute > "hasSubordinates" - this attribute's value is filterable and seems (at > > least sounds) to be dynamically evaluated. On the other hand I'm not > sure whether "hasSuborinates" is dynamically calculated each time an > entry get's searched or accessed. Perhabs the value of > "hasSubordinates" > is only be calculated in case the entrys' childrens get modified and > (thus seldomly) updated within the backend, which could be the reason > to > be search- and filterable?! > > Last but not least I tried to implement a small test-overlay using a > custom search-callback that updates the dynamic "test" attribute > within > the bdb-backend: Imagine an (very simple/stupid) overlay that for > example set a custom attribute named "test" to "TRUE" in case an > entry's > attributes "givenName" and "sn" both contain at least one value. ;-) I > > know, that the filter "(&(givenName=*)(sn=*))" would do the trick but > > the example is just a simple scenario for me to step into > overlay-processing details. > > If I use attr_merge() within the search-callback to store the dynamic > > test attribute's value "TRUE" or "FALSE" within the entry the search > succeeds without problems - I mean the filter (test=TRUE) get's > processed ok. > > So my questions still left is: > Do I always have to store/update the dynamic attribute's calculation > result value within each entry (in the backend) or is there another > posibility that allows filtering for the calculated attribute's value, > > while getting rid of the store and update overhead within the > backend? > > Hopefully this is no hen egg problem concerning the internal > processing > order of filters, candidates, entries, etc. Using dynamically computed attrs in a search filter and pretending it to ber indexed is an oxymoron. If you intend to allow it, you need to be prepared to intercepting the search operation and doing the candidate collection yourself. I don't recall any overlay or so that does it and that could be used as an example, simply because it makes little sense. In any case, the problem can be solved, but the solution may not be trivial and require a fair amount of coding. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando(a)sys-net.it -----------------------------------

2 2

Modifying password by user
by Franck Royer 14 Apr '09

14 Apr '09

Hi, I'm installing openldap on a ubuntu intrepid server (8.10). Everything is ok except when I want that a user is able to modify his own password using phpldapadmin (0x32 LDAP_INSUFFICIENT_ACCESS). So I tried to modify it using ldappasswd : dante@kollok ~ $ ldappasswd SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) or dante@kollok ~ $ ldappasswd -D "uid=dante,ou=people,dc=kollok,dc=org" SASL/DIGEST-MD5 authentication started Please enter your password: ldap_sasl_interactive_bind_s: Invalid credentials (49) The posix user dante is the same user than the ldap one (I use pam libs). And I know that my password is right cause I can log in ldapadmin or ssh with it. My slapd.conf : http://pastebin.com/f44dd2b59 My ldap.conf : http://pastebin.com/f3af1bec3 Any idea ? Cheers, Franck Royer

4 4

group of groups
by alois blasbichler 14 Apr '09

14 Apr '09

Hello list Is there a possibility in openldap to make group of groups ? We need this fpr posix- and sambagroups. I dont find any predefined objectclasses or documentation. Somebody can give me a link or other help? Thank you luis

3 3

OpenLDAP groups and Unix users
by Stephen Parry 14 Apr '09

14 Apr '09

Thanks in advance for any answers to this query, and thanks to the geniuses who wrote and maintain OpenLDAP. I have OpenLDAP running on my Ubuntu Intrepid server. I have installed the various PAM and NSS bits and pieces to allow integrated authentication. I can now use users and groups stored in LDAP database to do shell logins, permission files and authenticate Apache secure connections (hooray!). It also is set up so that Unix user accounts and groups still function outside of LDAP as expected. However, there is one quirk to this. I can make LDAP users members of Unix groups and this works fine. I cannot however do the equivalent: make Unix users working members of LDAP groups. I can put them in the groups, but the the system command "id -nG" does not list the LDAP groups and the filesystem fails to pick up the permissions. Is this behaviour by design? Can the relevant modules be configured to allow LDAP groups have Unix users as members?

2 1

Notify mechanism for changes on a specific directory?
by Bahadır Kandemir 13 Apr '09

13 Apr '09

Hello, I'm working on a remote management system that uses LDAP for storing policies. Clients pull policies from server periodically, but we sometimes need to push policies to clients instantly. Polling LDAP every five seconds is not an option, of course. Is there any auto notification mechanism for LDAP that notifies client about changes on a specific directory? I've searched archives but could not find anything. Thanks in advance, Bahadir Kandemir

3 2

search for "dynamic" calculated attribute's value (bdb_equality_candidates: not indexed)
by Daniel 12 Apr '09

12 Apr '09

Hi slapd-Gurus out there, using the search filter "(test=TRUE)" results in: "candidates not indexed". The cause for the below slapd trace output seems clear to me: In fact there is no entry in my bdb backend existing with an attribute description "test" present... => bdb_filter_candidates EQUALITY => bdb_equality_candidates (test) <= bdb_equality_candidates: (test) not indexed <= bdb_filter_candidates: id=-1 first=1 last=430 <= bdb_list_candidates: id=-1 first=1 last=430 <= bdb_filter_candidates: id=-1 first=1 last=430 <= bdb_list_candidates: id=25 first=141 last=430 <= bdb_filter_candidates: id=25 first=141 last=430 bdb_search_candidates: id=25 first=141 last=430 => test_filter EQUALITY => access_allowed: search access to "dc=foo,dc=bar" "test" requested <= root access granted => access_allowed: search access granted by manage(=mwrscxd) <= test_filter 5 bdb_search: 141 does not match filter In regard to the above slapd-trace I've the following question: Could someone please be so kind and tell me whether there exists a possibility to search (filter) for "dynamic" (calculated) attribute values, that do not get stored in a backend (in my case bdb)? Idea: An overlay should calculate a dynamic attribute's value based on already existing attribute values of an entry each time this dynamic attribute is searched for using a filter-statement, e.g. '(&(dynamic-attr-name=xyz)(|((...)(...))...)...)'. First of all I had a quick look into slapo-collect's sources. The collective attributes seem to be added dynamically to an entry but the collected attributes are not "filterable". I think the reason is that slapo-collect operates on the response/slapreply and that's to late in the overlay's processing queue... Then I thought of something similar to the operational attribute "hasSubordinates" - this attribute's value is filterable and seems (at least sounds) to be dynamically evaluated. On the other hand I'm not sure whether "hasSuborinates" is dynamically calculated each time an entry get's searched or accessed. Perhabs the value of "hasSubordinates" is only be calculated in case the entrys' childrens get modified and (thus seldomly) updated within the backend, which could be the reason to be search- and filterable?! Last but not least I tried to implement a small test-overlay using a custom search-callback that updates the dynamic "test" attribute within the bdb-backend: Imagine an (very simple/stupid) overlay that for example set a custom attribute named "test" to "TRUE" in case an entry's attributes "givenName" and "sn" both contain at least one value. ;-) I know, that the filter "(&(givenName=*)(sn=*))" would do the trick but the example is just a simple scenario for me to step into overlay-processing details. If I use attr_merge() within the search-callback to store the dynamic test attribute's value "TRUE" or "FALSE" within the entry the search succeeds without problems - I mean the filter (test=TRUE) get's processed ok. So my questions still left is: Do I always have to store/update the dynamic attribute's calculation result value within each entry (in the backend) or is there another posibility that allows filtering for the calculated attribute's value, while getting rid of the store and update overhead within the backend? Hopefully this is no hen egg problem concerning the internal processing order of filters, candidates, entries, etc. Many thanks for your advice! Kind regards Daniel

1 0

./scripts/test021-certificate failed
by hariharan＠thehindu.co.in 11 Apr '09

11 Apr '09

2 1

Authentication issue into a ubuntu client: `finger` and `id` commands working but no `su`
by carolina fernandez 10 Apr '09

10 Apr '09

Hello, I'm trying to configure a Ubuntu 8.10 client to authenticate againts a openldap directory. The client configuration (PAM, NSS and /etc/ldap.conf) is here: http://pastebin.com/mc279767 I performed some test getting the following results: `ldapsearch -xLLL`, `id $USER`, `finger $USER` Those three commands work fine. See the ouput here: http://pastebin.com/d43add436 `su $USER` Prompts twice for a password and then fails. See the output with a debug level 1: http://pastebin.com/m390ab435 My main question is: Line 12 from `su $USER` output says: "ldap_connect_to_host: TCP localhost:389" It seems like it were trying to connect to the localhost but I specified "host 192.168.0.10" and "uri ldap://192.168.0.10/" at the /etc/ldap.conf file. Maybe I need to specify a bind domain name but if I'm not wrong the query will be permormed as anonymous and I have the followings credentials at the server /etc/ldap/slapd.conf: access to attrs=userPassword,shadowLastChange by dn="cn=admin,dc=carolina,dc=es" write by anonymous auth by self write by * none access to * by dn="cn=admin,dc=carolina,dc=es" write by * read Any idea to solve this? Any one can enlight me? Thank you in advance, Carolina F. Bravo

1 0

pam_ldap: error trying to bind (Server is unwilling to perform)
by Hammad Ahmad Bhatti 10 Apr '09

10 Apr '09

I am trying to ssh my ldap client linux box using ldap user. When I try to login from local root user and su to ldap user then it works and if I try to directly ssh using ldap user then it does not works. Can some one help me out. Hammad Ahmad

2 1

Matthew GARRETT is out of the office.
by Matthew GARRETT 09 Apr '09

09 Apr '09

I will be out of the office starting 08/04/2009 and will not return until 21/04/2009. I will respond to your message when I return. For IT issues please see Drew Harvey Registered in England and Wales No.811900 Registered Office 33 Cavendish Square, London W1G 0PW This e-mail and any attachments are intended only for the person or entity to whom it is addressed and may contain confidential or privileged information. If you are not the addressee, any disclosure, reproduction, copying, distribution, or use of this communication is strictly prohibited. If you are not the intended recipient or person responsible for delivering this message to the named addressee, please notify us immediately and delete this e-mail. It is the responsibility of the addressee to scan this email and any attachments for computer viruses or other defects. The sender does not accept liability for any loss or damage of any nature, however caused, which may result directly or indirectly from this email or any file attached.

1 0

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2009