openldap-technical August 2013

openldap-technical@openldap.org

70 participants
88 discussions

should sssvlv and translucent overlays work together?
by Steve Eckmann 05 Aug '13

05 Aug '13

I am applying the sssvlv overlay globally and applying the translucent overlay to an ldap backend. If I execute a search like: ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \ -D "cn=admin,dc=example,dc=com" -w admin \ -E 'sss=cn:2.5.13.3' \ '(filter)' cn mail localAttr1 localAttr2 the result is sorted by cn, as desired, but the 'cn' and 'mail' attributes are not included in the ldapsearch output for proxied entries. It doesn't matter whether the filter refers to proxied or local attributes, or some combination. I'm not seeing any clues in the slapd debug output (-d -1). In the ldapsearch debug output it looks like the proxied attributes are not being returned from slapd. So should the sssvlv and translucent overlays work together, and if so, where should I be looking for a misconfiguration? Thanks. Steve

1 0

add rich data into attribute type definition possible?
by Zhang Weiwu 05 Aug '13

05 Aug '13

GUI explains to the end user what each field is about, by reciting DESC of olcAttributeTypes - this design seems passable, after all, DESC is intended to describe the attribute type. This method worked for years. Now user base grows, there are speakers of different languages. It is required the field being described in multiple languages. Had DESC been like the 'description' attribute type, an attribute type defined in RFC2256, then I would be able to use language modifier: description: Weight, in kg. It is used to screen health problems. description;lang-zh: 体重，用于检查健康问题。 But it is not. I can see only two ways to workaround the problem: 1. Extend DESC. This look ugly but simple: ... NAME 'ibmWeight' DESC 'Your weight, in kg. It is used to screen health problems.|lang-zh: 您的体重，用于检查健康问题。' ... The application would read DESC, split it by vertical-bars, find the langauge that matches the users's and only display that part. 2. Build a shadow entry for every attributeType: dn: olcAttributeTypes=ibmWeight,cn=shadowAttributeTypes,dc=ibm,dc=com objectClass: ibmShadowAttributeType olcAttributeTypes: ibmWeight description: Weight, in kg. It is used to screen health problems. description;lang-zh: 体重，用于检查健康问题。 and laboriously manually update shadow attribute entry when user add or modify existing olcAttributeTypes. What do you think? How can such a need can be solved? Thanks in advance! P.S. === about openldap's choice of design === When a few years ago I learned that a attribute type is defined by adding an olcAttributeTypes attribute my first reaction was, why not design it in such a way, that a attribute type is defined by adding an olcAttributeType *entry*? Like this: --> objectClasss: olcAttributeType --> olcAttributeName: ibmWeight --> description: Weight, in kg. It is used to screen health problems. --> description;lang-zh: 体重，用于检查健康问题。 The advantage, is to allow extension and inheritance. e.g. the following example has olcConstrainedAttributeType which inherits olcAttributeType --> objectClasss: olcAttributeType ++> objectClasss: olcConstrainedAttributeType --> olcAttributeName: ibmWeight --> description: Weight, in kg. It is used to screen health problems. --> description;lang-zh: 体重，用于检查健康问题。 ++> olcConstraintRegex: [0-9.][0-9.]kg For usability reasons, some developer may as well add jpegPhoto into attribute type definition.

1 0

naming convention for INTEGER attribute types with measurement unit
by Zhang Weiwu 05 Aug '13

05 Aug '13

Is there a naming convention for attribute types whose SYNTAX is INTEGER? If I wish to represent 300g as a weight, should I use ibmWeightInGrams: 300 or ibmWeightInGRam: 300 or ibmGrams: 300 or ibmGram: 300 What is the convention way? There seems to be no INTEGER attribute types shipped with openldap, thus I have no references. In my use case, ordered comparison of integer value is required, thus I cannot use: ibmWeight: 300g

1 0

documents or examples on defining / adding a new syntax?
by Zhang Weiwu 05 Aug '13

05 Aug '13

Here is what I can find about defining / adding a new syntax. Peter Marschall wrote on Sat, 5 Jul 2003 > Defining a new syntax means defining a new form of data structure that the > server must know about. This is not possible using only configration > options. You need to code it into the server. Of course the same holds > for matching rules. Howard Chu wrote on 2002-10-25 > if you had originally configured with --enable-modules, You need to create > a dynamic module that calls register_syntax() with your new syntax > definition, and then use moduleload in slapd.conf to load your module. My question is: 1. is there a module that introduces a new syntax, from which I could observe how that is done? 2. Is there any document on what-to-be-aware-of if you design a new syntax? 3. Do I need to design a new syntax at all? My requirement is the following: I need a new syntax for ranged-values. Examples are: - netWeight: 12~13kg - ISOSensitivity: 800~1600 - heightAdjustableRange: 1.2m~1.5m The spec of ranged-value is a numeric, optionally followed by a measurement unit, followed by a tild as seperator†, followed by another measurement. The syntax needs its own comparison rules, so that you can filter a range, and get entries who offer values ranging in that range. † quote from http://en.wikipedia.org/wiki/~ In some languages (though not English), a tilde-like wavy dash may be used as punctuation (instead of an unspaced hyphen or en-dash) between two numbers, to indicate a range rather than subtraction or a hyphenated number (such as a part number or model number).

3 6

OpenLDAP server should use windows certificate store for certificates
by pramod kulkarni 05 Aug '13

05 Aug '13

Hi, I need information on how to configure OpenLDAP server in the slapd.conf to look for certificates from windows certificate store? Currently i am using certificates from file in a path. Waiting for your inputs. Regards, Pramod

4 4

is there an overlay for 'inheriting' attribute-values from DN?
by Zhang Weiwu 04 Aug '13

04 Aug '13

I think there is an overlay that enables inheriting attribute-values, I am sure I read it somewhere, a few years ago, but I cannot find it, not with Googling. The intended behaviour is the following: For this record: dn: cn=David,ou=Sales Department,o=Example Co. objectClass: organizationalPerson cn: David sn: Jones Normally, if you do (ou=Sales Department), you don't find David's record. But with a certain overlay enabled, you can. It is as if the attribute in the DN is inexplicitly there assigned to the record. Forgive me if I was wrong. Best.

2 1

how to configure deref overlay
by Zhang Weiwu 04 Aug '13

04 Aug '13

It seems few use deref overlay. This feature is mentioned on feature list†, but there is no manual for the overlay; only one line is about it in ldapsearch(1) manual. In the last years, only one person mentioned it in 2009 on this mailing list, and his question was unanswered. I observed this is the way it is supposed to work: $ ldapsearch -E deref=secretary:sn Would put the surname of the secretary as the value of 'secretary' attribute. In reality this search extension complains the "control is unavailable in context". I am afraid loading the model is not enough, it has to be configured first, somewhere in cn=config, but couldn't find any document. $ ldapsearch -x -E '!deref=secretary:sn' cn=Betsy secretary # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: cn=Betsy # requesting: secretary with dereference critical control # # search result search: 2 result: 12 Critical extension is unavailable text: critical control unavailable in context # numResponses: 1 This is how I loaded the module (slapd didn't produce error in log, thus I consider it is loaded): $ slapcat -s cn=config | grep -C 8 deref entryCSN: 20130803010832.965676Z#000000#000#000000 modifiersName: cn=config modifyTimestamp: 20130803010832Z dn: cn=module{1},cn=config objectClass: olcModuleList cn: module{1} olcModulePath: /usr/lib/ldap olcModuleLoad: {0}deref structuralObjectClass: olcModuleList entryUUID: cdb88ba8-9131-1032-8334-7700fe3e5919 creatorsName: cn=admin,cn=config createTimestamp: 20130804091300Z entryCSN: 20130804091300.138105Z#000000#000#000000 modifiersName: cn=admin,cn=config modifyTimestamp: 20130804091300Z Here is the data I am experimenting with, very minimalism: $ ldapsearch -x objectClass=pilotPerson # extended LDIF # # LDAPv3 # base <dc=example,dc=com> (default) with scope subtree # filter: objectClass=pilotPerson # requesting: ALL # # David, editors dn: cn=David,ou=editors,dc=example,dc=com cn: David objectClass: pilotPerson objectClass: person objectClass: top sn: Jones # Betsy, editors dn: cn=Betsy,ou=editors,dc=example,dc=com cn: Betsy objectClass: pilotPerson objectClass: person objectClass: top sn: Shwan secretary: cn=David,ou=editors,dc=example,dc=com # search result search: 2 result: 0 Success # numResponses: 3 # numEntries: 2 Any hint on how to make it work? Or more importantly, was there anyone using the overlay at all?? Thanks. P.S. the email subject intends to guide googlers to land in this discussion. † http://www.openldap.org/faq/data/cache/645.html

1 0

error "!deref=secretary: event not found"
by Zhang Weiwu 04 Aug '13

04 Aug '13

2 2

adding mail objectClass to schema
by Darouichi, Aziz 03 Aug '13

03 Aug '13

Hi all, I am trying to create groups within in Openldap-2.4.34 to use for Gmail Active Directory Synch "GADs" I formed the ldif file with following attributes: dn: cn=Google,ou=Group,dc=curry,dc=edu objectclass: groupOfUniqueNames cn: mail: description: uniqueMember: uniqueMember: when I try to add the file I get the following error: adding new entry "cn=Google,ou=Group,dc=curry,dc=edu" ldap_add: Object class violation (65) additional info: attribute 'mail' not allowed Thanks.

4 3

Re: RE24 testing call (OpenLDAP 2.4.36)
by Khosrow Ebrahimpour 02 Aug '13

02 Aug '13

On Monday, July 29, 2013 12:44:39 PM Quanah Gibson-Mount wrote: > If you know how to build OpenLDAP manually, and would like to participate > in testing the next set of code for the 2.4.36 release, please do so. > > Generally, get the code for RE24: > > <http://www.openldap.org/devel/gitweb.cgi?p=openldap.git;a=snapshot;h=refs/h…> > > Configure & build. > > Execute the test suite (via make test) after it is built. All tests completed fine on a stock Ubuntu 12.04. # uname -a Linux localhost 3.2.0-23-generic #36-Ubuntu SMP Tue Apr 10 20:39:51 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

1 0

← Newer
1
2
3
4
5
6
7
8
9
Older →

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical August 2013