Multiple error codes defined as (-1)
by Jan Synacek
Hello all,
There are multiple error codes defined as (-1) in ldap.h.
When you call ldap_result() followed by a
ldap_get_option(ld, LDAP_OPT_RESULT_CODE, &err) how do you distinguish between
the meanings of -1? How does ldap_err2string() do that?
--
Jan Synacek
Software Engineer, BaseOS team Brno, Red Hat
11 years, 7 months
Unexpected slapd shutdown (bad file descriptor)
by Stefan Wold
Hi,
I've got an issue with OpenLDAP 2.4.28 on Ubuntu 12.04 where it unexpectedly shuts down due to a bad file descriptor. I wonder if anyone knows what could be causing this problem or where I should be looking to figure it out. This seems to occur when the server is handling many simultaneous queries. Judging by the bugtracker there have been similar issues in earlier versions.
A few log entries:
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: slapd(23): setsockopt(SO_KEEPALIVE) failed errno=9 (Bad file descriptor)
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: slapd(23): setsockopt(TCP_NODELAY) failed errno=9 (Bad file descriptor)
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: daemon: epoll_ctl(ADD,fd=23) failed, errno=1, shutting down
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: daemon: abnormal condition, shutdown initiated.
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109877 fd=18 closed (slapd shutdown)
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109881 fd=20 closed (slapd shutdown)
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109879 fd=21 closed (slapd shutdown)
Apr 13 15:03:14 sukat-test-ldapro02 slapd[30273]: conn=109880 fd=22 closed (slapd shutdown)
For a complete log:
https://gist.github.com/2994c23ff506ffdaf21f
--
Stefan Wold
IT-services, Stockholm University
11 years, 7 months
ldapdelete "ldap_bind: Invalid DN syntax (34)"
by Tianyin Xu
Hi,
Sorry for the newbie question, but I really cannot figure out the problem.
I just followed the "A Quick-Start Guide"; what I did is build an example.ldif
as follows:
-------------------------example.ldif----------------
dn: dc=example,dc=com
objectclass: dcObject
objectclass: organization
o: Example Company
dc: example

dn: cn=Manager,dc=example,dc=com
objectclass: organizationalRole
cn: Manager
-----------------------------------------------------------
Then, using ldapadd to insert these entries:
ldapadd -x -D "cn=Manager,dc=example,dc=com" -f example.ldif -w secret
adding new entry "dc=example,dc=com"
adding new entry "cn=Manager,dc=example,dc=com"
Everything is fine.
*****
Then, I want to use ldapdelete to delete the entries I added just now. I
tried
ldapdelete "cn=Manager,dc=example,dc=com" -x -w secret
ldap_bind: Invalid DN syntax (34)
additional info: invalid DN
and, also, I tried
ldapdelete -D "cn=Manager,dc=example,dc=com" -x -w secret
but this time the client just hangs. I read the manuals and searched on
Google but still have no idea.
my ldap.conf is as follows
database bdb
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/var/openldap-data
Could anyone take a look and tell me why? Thanks a lot!
-- Tianyin
11 years, 7 months
Re: JLDAP problem
by Bahadir Konu
What I'm working on is an integration component that will listen to the LDAP
server. When a change occurs on LDAP entries, my component will publish a
message (actually call a web service).
LDAP admins suggest that I can use "change logs" to detect changes. But I
think a notification mechanism is a better choice. Do you think JLDAP and
the async "search" method are a good enough choice? Is the UnboundID SDK better for me
and why?
Thanks.
Bahadır Konu
On 13 April 2012 19:43, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote:
> --On Friday, April 13, 2012 5:00 PM +0300 Bahadir Konu <bah.konu(a)gmail.com>
> wrote:
>
>> Thanks Nick.
>> After building from source, problem disappeared. And I was able to debug.
>>
>
> If you are serious about using Java to talk to LDAP, then I would advise
> using the UnboundID SDK.
>
> --Quanah
>
>
> --
>
> Quanah Gibson-Mount
> Sr. Member of Technical Staff
> Zimbra, Inc
> A Division of VMware, Inc.
> --------------------
> Zimbra :: the leader in open source messaging and collaboration
>
11 years, 7 months
reqStart<= slow
by Michael Ströder
HI!
I'm trying to retrieve change events from accesslog DB (all with today's
RE24). I tried searching with this filter:
(&(reqDN=cn=Test-Mail-Gruppe 1,dc=example,dc=com)(reqStart<=20120413180000Z))
This turned out to be quite slow though. reqDN is indexed and there are only
two possible entries. Using a filter reqStart>= even when negated with (!())
is pretty fast.
I really wonder why that is.
Ciao, Michael.
11 years, 7 months
Re: AW: Re: How can I set an LDAP-attribute to "null" (empty)?
by masarati@aero.polimi.it
[please keep replies on the list]
> I'm sorry, but that is not a qualified answer...
OK, I'll try to be more precise.
1) "TelUser": not a standard track attribute. Please provide its
specification (significantly, its syntax) otherwise the point is moot.
2) few standard track syntaxes allow zero length strings; see RFC4517. In
short, RTFM to see if the syntax of your "TelUser" allows a zero length
string.
It appears from the description of your problem that you want to zero out
a value, not actually store a zero length value. This is common among RDBMS
users, where tables have a fixed structure and when some field is not
defined one just wants to store an empty value in it. LDAP, instead,
allows objects to have optional attributes; when optional attributes are
not needed, they should not appear at all.
If your problem is with the tool you're using, that has nothing to do with
OpenLDAP; so please ask the appropriate forum.
p.
>
> ----- Original Message -----
> From: masarati(a)aero.polimi.it
> To: norbert.weckert(a)arcor.de
> Cc: openldap-technical(a)openldap.org
> Sent: 13.04.12 23:26
> Subject: Re: How can I set an LDAP-attribute to "null" (empty)?
>
>> Hello,
>>
>> to fill data into an LDAP-structure, I use the software HP Connect IT.
>> Sometimes it is necessary to clear an attribute.
>>
>> But there is the following error message:
>>
>> Error occured while modifiying the entry (LDAP)
>> TelUser value #0 invalid per Syntax
>> LDAP API Invalid Syntax
>>
>> Can you tell me, what I have to do, so that LDAP accepts an "empty
>> value"?
>
> Nearly no syntax accepts the empty value. What you need to do is delete
> the attribute using a standard LDAP modify operation. In LDIF:
>
> dn: (the DN)
> changetype: modify
> delete: TelUser
> -
>
> How to do it using that specific software is up to you.
>
> p.
>
>
>
11 years, 7 months
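The point of the reply above (remove the attribute instead of writing a zero-length value), as an added example that is not part of the original thread: a Python sketch that turns a record containing blank fields into an LDIF modify record. The function names, the missing_ok parameter and the sample DN and values are assumptions made for illustration.

```python
import base64
import re

# Attribute description: name plus optional ;options (assumed strict subset).
ATTR_RE = re.compile(r"[A-Za-z][A-Za-z0-9-]*(;[A-Za-z0-9-]+)*")

def _ldif_line(attr, value):
    """Return 'attr: value', or the base64 form when RFC 2849 requires it."""
    raw = value.encode("utf-8")
    safe = (
        len(raw) > 0
        and raw[0] not in b" :<"      # forbidden first characters
        and raw[-1:] != b" "          # a trailing space would be lost
        and all(0 < b < 128 and b not in (10, 13) for b in raw)
    )
    if safe:
        return f"{attr}: {value}"
    # Base64 also stops embedded newlines from injecting extra LDIF lines.
    return f"{attr}:: {base64.b64encode(raw).decode('ascii')}"

def modify_record(dn, desired, missing_ok=False):
    """Build one LDIF modify record from {attribute: value or list of values}.

    Blank or None values never reach the server as empty strings: an
    attribute left with no usable value is removed instead.
    """
    lines = [_ldif_line("dn", dn), "changetype: modify"]
    for attr, values in desired.items():
        if not ATTR_RE.fullmatch(attr):
            raise ValueError(f"invalid attribute description: {attr!r}")
        if values is None or isinstance(values, str):
            values = [values]
        kept = [v for v in values if v is not None and v.strip()]
        if kept:
            lines.append(f"replace: {attr}")
            lines.extend(_ldif_line(attr, v) for v in kept)
        else:
            # "delete" fails with noSuchAttribute when the attribute is
            # absent; a replace with no values is ignored in that case
            # (RFC 4511), so missing_ok selects the tolerant form.
            lines.append(f"replace: {attr}" if missing_ok else f"delete: {attr}")
        lines.append("-")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    # Constructed sample record: TelUser is blank and must be removed.
    print(modify_record("uid=jdoe,dc=example,dc=com",
                        {"TelUser": "", "mail": "jdoe@example.com"}))
```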
How can I set an LDAP-attribute to "null" (empty)?
by norbert.weckert@arcor.de
Hello,
to fill data into an LDAP-structure, I use the software HP Connect IT. Sometimes it is necessary to clear an attribute.
But there is the following error message:
Error occured while modifiying the entry (LDAP)
TelUser value #0 invalid per Syntax
LDAP API Invalid Syntax
Can you tell me, what I have to do, so that LDAP accepts an "empty value"?
Thank you in advance.
Kind regards
Norbert Weckert
11 years, 7 months
JLDAP problem
by Bahadir Konu
Hi everybody,
I'm working on an application that will listen to an LDAP server (IBM Tivoli)
and detect changes to LDAP entries.
I saw the SearchPersist example and did the same:
http://developer.novell.com/documentation/samplecode/jldap_sample/control...
This example works fine as a standalone Java application. But when I try to
make this a scheduled quartz job and deploy my application as an Enterprise
Application to IBM Websphere ESB server, this line does not work:
// Asynchronous
queue = lc.search(searchBase, // container to search
LDAPConnection.SCOPE_SUB, // search container's subtree
"(objectClass=*)", // search filter, all objects
attrs, // don't return attributes
false, // return attrs and values, ignored
null, // use default search queue
constraints); // use default search constraints
When I debug, the thread hangs here. And right now I cannot debug JLDAP
itself because my .class files were not produced with line number info.
Synchronous version of the method works fine:
LDAPSearchResults results = lc.search(searchBase,
LDAPConnection.SCOPE_SUB,
"(objectClass=*)",
attrs,
false
);
I guess that the quartz scheduler is creating a separate thread and the
async version of the method doesn't work. But I'm not sure what actually is
happening.
Am I doing something wrong? Is it possible to use the asynch search method
in a scheduled job? (And the app is deployed to ESB server but that may not
be relevant to my problem.)
Ask me and I can give more details about the application, if needed.
Any help is appreciated.
Bahadır Konu
11 years, 7 months
Was: (ITS#7130) OpenLDAP with BackSQL and Postgres. Upper on bigint?
by masarati@aero.polimi.it
> I'm sorry, I sent my issue to the wrong mailing list at first (to the
> bugs list) and then tried to send it to technical twice. It doesn't
> seem to go through. Do you have any idea which column it is that
> defines this behaviour? I can't seem to find it..
It is not a boolean, but rather a separate field. As far as I recall, in
the original design uppercasing was intended as a form of normalization.
In table "ldap_attr_mappings" you find a "sel_expr_u" that contains the
"uppercasing" select expression. If not given, and if an uppercasing
function is known, it is constructed as "<uppercasing>(<sel_expr>)", but
you have a chance to provide a specific one. Please test and report
through the openldap-technical mailing list, unless you find a bug.
p.
11 years, 8 months
ppolicy overlay doesn't apply
by Cosmin Ciuraru
Hello,
I am trying to use the ppolicy overlay with openldap, version 2.4.20,
installed on a SLES 11 SP1 x64, as a package. I have made the following
settings in the openldap.conf:
- included the ppolicy.schema
- overlay ppolicy
- ppolicy_default "cn=pwd,ou=Policies,o=...."
I saw that a "moduleload ppolicy.la" is also required, but I cannot find
the library in /usr/lib/openldap/modules (which is empty). I have compiled
the source with --enable-ppolicy=mod/yes with --enable-modules=yes, to see
if it would generate the library ppolicy.la, but just generated the slapd
binary, so, as it gives no error for the config file, I suppose that the
ppolicy part is embedded in the slapd.
The problem:
When I try to change the password for a user in LDAP, the policy doesn't
apply. The clients run on the same OS, but different machines, with
pam_ldap-184 and nss-ldap-262. If I open the yast2-ldap-client, I can see
that it finds the password policy, but it doesn't get applied. If I follow
the requests to the LDAP server, I can see that the client issues a request
with the filter objectClass=passwordPolicy, which comes from the pam_ldap,
which is written to use the Netscape password policy schema. But in my LDAP
I use the pwdPolicy schema, which is a more recent one. I know that the
password policy doesn't get applied because I set the checkQuality attribute to 0
and I expect it to let me use whatever password I like. The client has the
pam_lookup_policy set to yes.
Can you please point out what I am missing?
Thank you!
11 years, 8 months