openldap-technical April 2012

openldap-technical@openldap.org

76 participants
80 discussions

Multiple error codes defined as (-1)
by Jan Synacek 17 Apr '12

17 Apr '12

Hello all, There are multiple error codes defined as (-1) in ldap.h. When you call ldap_result() followed by a ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err) how do you distinguish between the meanings of -1? How does ldap_err2string() do that? -- Jan Synacek Software Engineer, BaseOS team Brno, Red Hat

2 1

Unexpected slapd shutdown (bad file descriptor)
by Stefan Wold 16 Apr '12

16 Apr '12

Hi, I've got an issue with OpenLDAP 2.4.28 on Ubuntu 12.04 where it unexpectedly shutdown due to a bad file descriptor. I wonder if anyone know what could be causing this problem or where I should be looking to figure it out. This seems to occur when the server is handling many simultaneous queries. Judging by the bugtracker there has been similar issues in earlier versions. A few log entries: Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: slapd(23): setsockopt(SO_KEEPALIVE) failed errno=9 (Bad file descriptor) Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: slapd(23): setsockopt(TCP_NODELAY) failed errno=9 (Bad file descriptor) Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: daemon: epoll_ctl(ADD,fd=23) failed, errno=1, shutting down Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: daemon: abnormal condition, shutdown initiated. Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109877 fd=18 closed (slapd shutdown) Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109881 fd=20 closed (slapd shutdown) Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109879 fd=21 closed (slapd shutdown) Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109880 fd=22 closed (slapd shutdown) For a complete log: https://gist.github.com/2994c23ff506ffdaf21f -- Stefan Wold IT-services, Stockholm University

1 0

ldapdelete "ldap_bind: Invalid DN syntax (34)"
by Tianyin Xu 16 Apr '12

16 Apr '12

Hi, Sorry for the newbie question, but I really cannot figure out the problem. I just follow the "A Quick-Start Guide", what I did is build a example.ldif as follows: -------------------------example.ldif---------------- dn: dc=example,dc=com objectclass: dcObject objectclass: organization o: Example Company dc: example dn: cn=Manager,dc=example,dc=com objectclass: organizationalRole cn: Manager ----------------------------------------------------------- Then, using ldapadd to insert these entries: ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret adding new entry "dc=example,dc=com" adding new entry "cn=Manager,dc=example,dc=com" Everything is fine. ***** Then, I want to use ldapdelete to delete the entries I added just now. I tried ldapdelete "cn=Manager,dc=example,dc=com" -x -w secret ldap_bind: Invalid DN syntax (34) additional info: invalid DN and, also, I tried ldapdelete -D "cn=Manager,dc=example,dc=com" -x -w secret but this time the client just hangs. I read the manuals and search on google but still does not have idea. my ldap.conf is as follows database bdb suffix "dc=example,dc=com" rootdn "cn=Manager,dc=example,dc=com" rootpw secret directory /usr/local/var/openldap-data Could anyone take a look and tell me why? Thanks a lot! -- Tianyin

3 6

Re: JLDAP problem
by Bahadir Konu 15 Apr '12

15 Apr '12

What I m working on is an integration component that will listen to LDAP server. When a change occurs on LDAP entries, my component will publish a message. (actually call a web service). LDAP admins offer that I can use "change logs" to detect changes. But I think notification mechanism is a better choice. Do you think JLDAP and asynch "search" method a good enough choice? Is UnboundID SDK better for me and why? Thanks. Bahadır Konu On 13 April 2012 19:43, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Friday, April 13, 2012 5:00 PM +0300 Bahadir Konu <bah.konu(a)gmail.com> > wrote: > > Thanks Nick. >> After building from source, problem dissapeared. And I was able to debug. >> > > If you are serious about using Java to talk to LDAP, then I would advise > using the UnboundID SDK. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

reqStart<= slow
by Michael Ströder 14 Apr '12

14 Apr '12

HI! I'm trying to retrieve change events from accesslog DB (all with today's RE24). I tried searching with this filter: (&(reqDN=cn=Test-Mail-Gruppe 1,dc=example,dc=com)(reqStart<=20120413180000Z)) This turned out to be quite slow though. reqDN is indexed and there are only two possible entries. Using a filter reqStart>= even when negated with (!()) is pretty fast. I really wonder why that is. Ciao, Michael.

2 4

Re: AW: Re: How can I set an LDAP-attribute to "null" (empty)?
by masarati＠aero.polimi.it 13 Apr '12

13 Apr '12

[please keep replies on the list] > IŽm sorry, but that is not a qualified answer... OK, I'll try to be more precise. 1) "TelUser": not a standard track attribute. Please provide its specification (significantly, its syntax) otherwise the point is moot. 2) few standard track syntaxes allow zero length strings; see RFC4517. In short, RTFM to see if the syntax of your "TelUser" allows a zero length string. It appears from the description of your problem, that you want to zero out a value, not actually store a zero length value. This is common of rdbms users, where tables have a fixed structure and when some field is not defined one just wants to store an empty value in it. LDAP, instead allows object to have optional attributes; when optional attributes are not needed, they should not appear at all. If your problem is with the tool you're using, that has nothing to do with OpenLDAP; so please ask the appropriate forum. p. > > ----- Ursprüngliche Nachricht ----- > Von: masarati(a)aero.polimi.it > An: norbert.weckert(a)arcor.de > Cc: openldap-technical(a)openldap.org > Gesendet: 13.04.12 23:26 > Betreff: Re: How can I set an LDAP-attribute to "null" (empty)? > >> Hello, >> >> to fill data into an LDAP-structure, I use the software HP Connect IT. >> Sometimes it is necessary to clear an attribute. >> >> But there is the following error message: >> >> Error occured while modifiying the entry (LDAP) >> TelUser value #0 invalid per Syntax >> LDAP API Invalid Syntax >> >> Can you tell me, what I have to do, so that LDAP accepts an "empty >> value"? > > Nearly no syntax accepts the empty value. What you need to do is delete > the attribute using a standard LDAP modify operation. In LDIF: > > dn: (the DN) > changetype: modify > delete: TelUser > - > > How to do it using that specific software is up to you. > > p. > > >

1 0

How can I set an LDAP-attribute to "null" (empty)?
by norbert.weckert＠arcor.de 13 Apr '12

13 Apr '12

Hello, to fill data into an LDAP-structure, I use the software HP Connect IT. Sometimes it is necessary to clear an attribute. But there is the following error message: Error occured while modifiying the entry (LDAP) TelUser value #0 invalid per Syntax LDAP API Invalid Syntax Can you tell me, what I have to do, so that LDAP accepts an "empty value"? Thank you in advance. Kind regards Norbert Weckert

2 1

JLDAP problem
by Bahadir Konu 13 Apr '12

13 Apr '12

Hi everybody, I m working on an application that will listen to LDAP server (IBM Tivoli) and detect changes to LDAP entries. I saw the SearchPersist example and done the same: http://developer.novell.com/documentation/samplecode/jldap_sample/controls/… This example works fine as a standalone Java application. But when I try to make this a scheduled quartz job and deploy my application as an Enterprise Application to IBM Websphere ESB server, this line does not work: // Asynchronous queue = lc.search(searchBase, // container to search LDAPConnection.SCOPE_SUB, // search container's subtree "(objectClass=*)", // search filter, all objects attrs, // don't return attributes false, // return attrs and values, ignored null, // use default search queue constraints); // use default search constraints When I debug, the thread hangs here. And right now I cannot debug the JLDAP itself because my .class files was not produced with line number info. Synchronous version of the method works fine: LDAPSearchResults results = lc.search(searchBase, LDAPConnection.SCOPE_SUB, "(objectClass=*)", attrs, false ); I guess that the quartz scheduler is creating a seperate thread and the asynch version of the method doesnt work. But I m not sure what actually is happening. Am I doing something wrong? Is it possible to use the asynch search method in a scheduled job? (And the app is deployed to ESB server but that may not be relevant to my problem.) Ask me and I can give more details about the application, if needed. Any help is appreciated. Bahadır Konu

3 4

Was: (ITS#7130) OpenLDAP with BackSQL and Postgres. Upper on bigint?
by masarati＠aero.polimi.it 12 Apr '12

12 Apr '12

> I'm sorry, I send my issue to the wrong mailinglist at first (to the > bugs list) and then tried to send it to technical twice. It doesnt > seem to go through. Do you have any idea which column it is that > defines this behaviour? I can't seem to find it.. It is not a boolean, but rather a separate field. As far as I recall, in the original design uppercasing was intended as a form of normalization. In table "ldap_attr_mappings" you find a "sel_expr_u" that contains the "uppercasing" select expression. If not given, and if an uppercasing function is known, it is constructed as "<uppercasing>(<sel_expr>)", but you have a chance to provide a specific one. Please test and report through the openldap-technical mailing list, unless you find a bug. p.

1 0

ppolicy overlay doesn't apply
by Cosmin Ciuraru 12 Apr '12

12 Apr '12

Hello, I am trying to use the ppolicy overlay with openldap, version 2.4.20, installed on a SLES 11 SP1 x64, as a package. I have made the following settings in the openldap.conf: - included the ppolicy.schema - overlay ppolicy - ppolicy_default "cn=pwd,ou=Policies,o=...." I saw that a"'moduleload ppolicy.la" is also required, but I cannot find the library in /usr/lib/openldap/modules (which is empty). I have compiled the source with --enable-ppolicy=mod/yes with --enable-modules=yes, to see if it would generate the library ppolicy.la, but just generated the slapd binary, so, as it gives no error for the config file, I suppose that the ppolicy part is embedded in the slapd. The problem: When I try to change the password for a user in LDAP, the policy doesn't apply. The clients run on the same OS, but different machines, with pam_ldap-184 and nss-ldap-262. If I open the yast2-ldap-client, I can see that it finds the password policy, but it doesn't get applied. If I follow the requests to the LDAP server, I can see that the client issues a request with the filter objectClass=passwordPolicy, which comes from the pam_ldap, which is written to use the Netscape password policy schema. But in my LDAP I use the pwdPolicy schema, which is a more recent one. I know that the password doesn't get applied because I set the checkQuality attribute to 0 and I expect to let me use whatever password I like. The client has the pam_lookup_policy set to yes. Can you please point out what I am missing? Thank you!

3 2

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical April 2012