should sssvlv and translucent overlays work together?
by Steve Eckmann
I am applying the sssvlv overlay globally and applying the translucent overlay to an ldap backend. If I execute a search like:
ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
-D "cn=admin,dc=example,dc=com" -w admin \
-E 'sss=cn:2.5.13.3' \
'(filter)' cn mail localAttr1 localAttr2
the result is sorted by cn, as desired, but the 'cn' and 'mail' attributes are not included in the ldapsearch output for proxied entries. It doesn't matter whether the filter refers to proxied or local attributes, or some combination. I'm not seeing any clues in the slapd debug output (-d -1). In the ldapsearch debug output it looks like the proxied attributes are not being returned from slapd.
So should the sssvlv and translucent overlays work together, and if so, where should I be looking for a misconfiguration?
Thanks.
Steve
10 years, 1 month
add rich data into attribute type definition possible?
by Zhang Weiwu
GUI explains to the end user what each field is about, by reciting DESC of
olcAttributeTypes - this design seems passable, after all, DESC is intended
to describe the attribute type. This method worked for years.
Now the user base is growing and there are speakers of different languages. The
fields are required to be described in multiple languages.
Had DESC been like the 'description' attribute type, an attribute type
defined in RFC2256, then I would be able to use language modifier:
description: Weight, in kg. It is used to screen health problems.
description;lang-zh: 体重,用于检查健康问题。
But it is not.
I can see only two ways to work around the problem:
1. Extend DESC. This looks ugly but simple:
... NAME 'ibmWeight' DESC 'Your weight, in kg. It is used to screen health
problems.|lang-zh: 您的体重,用于检查健康问题。' ...
The application would read DESC, split it by vertical-bars, find the
language that matches the user's and only display that part.
2. Build a shadow entry for every attributeType:
dn: olcAttributeTypes=ibmWeight,cn=shadowAttributeTypes,dc=ibm,dc=com
objectClass: ibmShadowAttributeType
olcAttributeTypes: ibmWeight
description: Weight, in kg. It is used to screen health problems.
description;lang-zh: 体重,用于检查健康问题。
and laboriously manually update the shadow attribute entry when a user adds or
modifies existing olcAttributeTypes.
What do you think? How can such a need be solved?
Thanks in advance!
P.S. === about openldap's choice of design ===
When a few years ago I learned that
an attribute type is defined by adding an olcAttributeTypes attribute
my first reaction was, why not design it in such a way, that
an attribute type is defined by adding an olcAttributeType *entry*?
Like this:
--> objectClass: olcAttributeType
--> olcAttributeName: ibmWeight
--> description: Weight, in kg. It is used to screen health problems.
--> description;lang-zh: 体重,用于检查健康问题。
The advantage, is to allow extension and inheritance. e.g. the following
example has olcConstrainedAttributeType which inherits olcAttributeType
--> objectClass: olcAttributeType
++> objectClass: olcConstrainedAttributeType
--> olcAttributeName: ibmWeight
--> description: Weight, in kg. It is used to screen health problems.
--> description;lang-zh: 体重,用于检查健康问题。
++> olcConstraintRegex: [0-9.][0-9.]kg
For usability reasons, some developer may as well add jpegPhoto into
attribute type definition.
10 years, 1 month
naming convention for INTEGER attribute types with measurement unit
by Zhang Weiwu
Is there a naming convention for attribute types whose SYNTAX is INTEGER?
If I wish to represent 300g as a weight, should I use
ibmWeightInGrams: 300
or
ibmWeightInGRam: 300
or
ibmGrams: 300
or
ibmGram: 300
What is the conventional way? There seems to be no INTEGER attribute types
shipped with openldap, thus I have no references.
In my use case, ordered comparison of integer value is required, thus I
cannot use:
ibmWeight: 300g
10 years, 1 month
documents or examples on defining / adding a new syntax?
by Zhang Weiwu
Here is what I can find about defining / adding a new syntax.
Peter Marschall wrote on Sat, 5 Jul 2003
> Defining a new syntax means defining a new form of data structure that the
> server must know about. This is not possible using only configuration
> options. You need to code it into the server. Of course the same holds
> for matching rules.
Howard Chu wrote on 2002-10-25
> if you had originally configured with --enable-modules, You need to create
> a dynamic module that calls register_syntax() with your new syntax
> definition, and then use moduleload in slapd.conf to load your module.
My question is:
1. is there a module that introduces a new syntax, from which I could
observe how that is done?
2. Is there any document on what-to-be-aware-of if you design a new syntax?
3. Do I need to design a new syntax at all? My requirement is the following:
I need a new syntax for ranged-values. Examples are:
- netWeight: 12~13kg
- ISOSensitivity: 800~1600
- heightAdjustableRange: 1.2m~1.5m
The spec of ranged-value is a numeric, optionally followed by a
measurement unit, followed by a tilde as separator†, followed by
another measurement.
The syntax needs its own comparison rules, so that you can filter a
range, and get entries who offer values ranging in that range.
† quote from http://en.wikipedia.org/wiki/~
In some languages (though not English), a tilde-like wavy dash may
be used as punctuation (instead of an unspaced hyphen or en-dash)
between two numbers, to indicate a range rather than subtraction or
a hyphenated number (such as a part number or model number).
10 years, 1 month
is there an overlay for 'inheriting' attribute-values from DN?
by Zhang Weiwu
I think there is an overlay that enables inheriting attribute-values, I am
sure I read it somewhere, a few years ago, but I cannot find it, not with
Googling.
The intended behaviour is the following:
For this record:
dn: cn=David,ou=Sales Department,o=Example Co.
objectClass: organizationalPerson
cn: David
sn: Jones
Normally, if you do (ou=Sales Department), you don't find David's record.
But with a certain overlay enabled, you can. It is as if the attribute in
the DN is implicitly there, assigned to the record.
Forgive me if I was wrong.
Best.
10 years, 1 month
how to configure deref overlay
by Zhang Weiwu
It seems few use deref overlay. This feature is mentioned on feature list†,
but there is no manual for the overlay; only one line is about it in
ldapsearch(1) manual. In the last years, only one person mentioned it in
2009 on this mailing list, and his question was unanswered.
I observed this is the way it is supposed to work:
$ ldapsearch -E deref=secretary:sn
Would put the surname of the secretary as the value of 'secretary' attribute.
In reality this search extension complains the "control is unavailable in
context". I am afraid loading the module is not enough, it has to be
configured first, somewhere in cn=config, but couldn't find any document.
$ ldapsearch -x -E '!deref=secretary:sn' cn=Betsy secretary
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: cn=Betsy
# requesting: secretary with dereference critical control
#
# search result
search: 2
result: 12 Critical extension is unavailable
text: critical control unavailable in context
# numResponses: 1
This is how I loaded the module (slapd didn't produce error in log, thus I
consider it is loaded):
$ slapcat -s cn=config | grep -C 8 deref
entryCSN: 20130803010832.965676Z#000000#000#000000
modifiersName: cn=config
modifyTimestamp: 20130803010832Z
dn: cn=module{1},cn=config
objectClass: olcModuleList
cn: module{1}
olcModulePath: /usr/lib/ldap
olcModuleLoad: {0}deref
structuralObjectClass: olcModuleList
entryUUID: cdb88ba8-9131-1032-8334-7700fe3e5919
creatorsName: cn=admin,cn=config
createTimestamp: 20130804091300Z
entryCSN: 20130804091300.138105Z#000000#000#000000
modifiersName: cn=admin,cn=config
modifyTimestamp: 20130804091300Z
Here is the data I am experimenting with, very minimal:
$ ldapsearch -x objectClass=pilotPerson
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: objectClass=pilotPerson
# requesting: ALL
#
# David, editors
dn: cn=David,ou=editors,dc=example,dc=com
cn: David
objectClass: pilotPerson
objectClass: person
objectClass: top
sn: Jones
# Betsy, editors
dn: cn=Betsy,ou=editors,dc=example,dc=com
cn: Betsy
objectClass: pilotPerson
objectClass: person
objectClass: top
sn: Shwan
secretary: cn=David,ou=editors,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Any hint on how to make it work? Or more importantly, was there anyone using
the overlay at all??
Thanks.
P.S. the email subject intends to guide googlers to land in this discussion.
† http://www.openldap.org/faq/data/cache/645.html
10 years, 1 month
error "!deref=secretary: event not found"
by Zhang Weiwu
It seems few use deref overlay. This feature is mentioned on feature list†,
but there is no manual for the overlay; only one line is about it in
ldapsearch(1) manual. In the last years, only one person mentioned it in
2009 on this mailing list, and his question was unanswered.
I observed this is the way it is supposed to work:
$ ldapsearch -E deref=secretary:sn
Would put the surname of the secretary as the value of 'secretary' attribute.
In reality this search extension errs with a confusing "event not found":
$ ldapsearch -x -E !deref=secretary:sn cn=Betsy secretary
bash: !deref=secretary: event not found
A TCP dump shows the surname of the secretary was not mentioned. Here is the
data I am experimenting with, very minimal:
$ ldapsearch -x objectClass=pilotPerson
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> (default) with scope subtree
# filter: objectClass=pilotPerson
# requesting: ALL
#
# David, editors
dn: cn=David,ou=editors,dc=example,dc=com
cn: David
objectClass: pilotPerson
objectClass: person
objectClass: top
sn: Jones
# Betsy, editors
dn: cn=Betsy,ou=editors,dc=example,dc=com
cn: Betsy
objectClass: pilotPerson
objectClass: person
objectClass: top
sn: Shwan
secretary: cn=David,ou=editors,dc=example,dc=com
# search result
search: 2
result: 0 Success
# numResponses: 3
# numEntries: 2
Any hint on how to make it work? Or more importantly, was there anyone using
the overlay at all??
Thanks.
P.S. the email subject intends to guide googlers to land in this discussion.
† http://www.openldap.org/faq/data/cache/645.html
10 years, 1 month
adding mail objectClass to schema
by Darouichi, Aziz
Hi all,
I am trying to create groups within OpenLDAP-2.4.34 to use for Gmail Active Directory Synch "GADs". I formed the LDIF file with the following attributes:
dn: cn=Google,ou=Group,dc=curry,dc=edu
objectclass: groupOfUniqueNames
cn:
mail:
description:
uniqueMember:
uniqueMember:
When I try to add the file I get the following error:
adding new entry "cn=Google,ou=Group,dc=curry,dc=edu"
ldap_add: Object class violation (65)
additional info: attribute 'mail' not allowed
Thanks.
10 years, 1 month
Re: RE24 testing call (OpenLDAP 2.4.36)
by Khosrow Ebrahimpour
On Monday, July 29, 2013 12:44:39 PM Quanah Gibson-Mount wrote:
> If you know how to build OpenLDAP manually, and would like to participate
> in testing the next set of code for the 2.4.36 release, please do so.
>
> Generally, get the code for RE24:
>
> <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs...>
>
> Configure & build.
>
> Execute the test suite (via make test) after it is built.
All tests completed fine on a stock Ubuntu 12.04.
# uname -a
Linux localhost 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
10 years, 1 month