openldap-technical

openldap-technical@openldap.org

9897 discussions

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 19 Sep '17

19 Sep '17

--On Monday, September 18, 2017 8:48 PM +0200 Michael Ströder <michael(a)stroeder.com> wrote: >> b) Since cn=config is simply a tree, you could have your cn=config in >> git, commit your changes there, and use a tool like ldapdiff to create >> changesets to apply programatically. > > So instead of writing a single file (in one FS transaction) after letting > slaptest check it I have to write several files (multiple FS operations), > diff that and then apply multiple LDAP operations. Hm? How is this any different really than tracking slapd.conf in git? And plenty of people break out slapd.conf into multiple files and use "include" handling to pull, such as with schema, ACLs, etc. I see no difference here. > Yeah, sounds really great regarding error handling. How does this differ from slapd.conf? You get no error handling with that, either, if you modify it and commit it to git. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

3 2

Re: Antw: Re: Olc deployment vs slapd.conf based deployment
by Radovan Semancik 19 Sep '17

19 Sep '17

On 09/19/2017 08:56 AM, Ulrich Windl wrote: > Please don't mix git with github! While github makes some things > easier to do, it's not required to use gir (as you surely know). The > problem with using github is that everybody has to use github then > (will pull requests and related discussions be visible in the mailing > list?). That's obviously not a correct statement. It is not true that "everybody has to use github". The true statement would be "people may use github as an alternative contribution path". I do not propose to make a complete switch to github. What I propose is to make official github/gitlab mirror and use that as an alternative contribution path. Regarding the pull requests and discussions: I have checked the devel mailing list for several months and I haven't see any discussion regarding a contribution. So obviously, this method does not work well either. I'm using github for years and I contribute to several projects. And there are always some ways how to cope with github. Sometimes the github discussions are limited to the technicalities of the merge and all other discussion is referred to mailing list. In addition to that github has hooks that can be used to direct the comments directly to the mailing list. The best solution that I have seen is probably in the Apache CXF project where pull request comments are automatically synchronized with bug tracking system comments. There is always a way ... if there is a will. What I see as a major problem is that there is no will. OpenLDAP project clearly needs major improvement. But there are almost no contributors to improve the project. I'm trying to explain that there may reasons why people are not keen to contribute. But what I see as a response only makes all of this worse. I'm sorry about that. Really sorry. > You could still use "format-patch" to send your change requests via > E-Mail. You could still write your letter by hand, put it into envelope and send it by post. But we are usually not doing that these days, are we? I'm quite sure we all know the reasons. -- Radovan Semancik Software Architect evolveum.com

1 0

Re: Olc deployment vs slapd.conf based deployment
by Howard Chu 18 Sep '17

18 Sep '17

Michael Ströder wrote: > Quanah Gibson-Mount wrote: >> b) Since cn=config is simply a tree, you could have your cn=config in >> git, commit your changes there, and use a tool like ldapdiff to create >> changesets to apply programatically. > > So instead of writing a single file (in one FS transaction) after letting > slaptest check it I have to write several files (multiple FS operations), diff > that and then apply multiple LDAP operations. slapcat -b cn=config -> 1 LDIF file. > P.S.: The day slapd.conf option is dropped from slapd I should start writing > my own LDAP server. ;-) You better get started now, if you want it to be ready to use by then. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

2 1

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 18 Sep '17

18 Sep '17

--On Thursday, September 14, 2017 10:59 PM -0500 Andy Dorman <adorman(a)ironicdesign.com> wrote: Hi Andy, > FWIW, we also need the git trail of changes over time. I have not > figured out a good way to do that with OLC. Well, there are a few options I suppose: a) You could set up an accesslog database that stores the changes made to cn=config over time. If you had to have it in git, it shouldn't be particularly difficult to write a tool to parse those changes out into some format you desire b) Since cn=config is simply a tree, you could have your cn=config in git, commit your changes there, and use a tool like ldapdiff to create changesets to apply programatically. Then you keep a full git history of your configuration, and have the ability to create changesets out of it. It might actually be kind of useful to develop something like ldapdiff (or update it accordingly) that works specificaly with git commits. You could build an entire automation setup for pushing out changes from that. ;) > === To add the same attribute to our dev server running OLC: > > - print the current OLC config to copy exactly how the current object > class is stored for use in my changes.ldif file. I do this because the > first time I did an OLC change I had a typo and the server was down for > almost an hour while I tried to find the typo and recover. > > - prepare a change.ldif file using the old OLC config for the object > class along with the new attribute definition. Adding the same new > attribute as above looks like this: > > dn: cn={5}antespam,cn=schema,cn=config > changetype: modify > add: olcAttributeTypes > olcAttributeTypes: ( idInteger:29 NAME 'asEstReportCardSpan' DESC 'How > many days of data to include in EST Report Cards' SUP idInteger ) > - Looks correct. > delete: olcObjectClasses > olcObjectClasses: ( idDomain:1 NAME 'asDomain' DESC 'A domain using > AnteSpam' SUP top AUXILIARY MUST ( asSidelineServer $ asPlan ) MAY ( > asAcceptUnknown $ asActive $ asAdvanced $ asBlockList $ asCountAccepted $ > asCountDiscarded $ asCountRejected $ asCountSent $ asCountSidelined $ > asCountVirus $ asDestination $ asDisposeThreshold $ asPassList $ > asSidelineThreshold $ asSpam $ asVirus $ asCountValid $ > asCountUnconfirmed $ asCountInvalid $ asCountIndependent $ > asAddressListReminder $ asRejectInvalidSender $ asPingAddress $ > asBlockArchive $ asBlockDoc $ asBlockDocOn $ asBlockExecutable $ > asBlockGeoIP $ asBlockNonLatin $ asBlockPassDoc $ asExternalAuth $ > asAlias $ asPayInterval $ asPlanStart $ asPlanCredit $ asBackup $ > asBackupUsageStats $ asEmergencyEmail $ asEmergencyEmailOn $ > asEmergencyEmailOff $ asEmergencyEmailUsed $ fmExternal $ asOutbound $ > asOutboundAccount $ asOutboundNotify $ asBPReportEmail $ > fmMaxRecipientsPer24Hr $ asUstEnabled $ asUstUsage ) ) > - You can delete by index number. It'd be simpler to do something like delete: olcObjectClasses olcObjectClasses: {3} (Or whatever index number it is). This avoids having to write out the entire object for the delete operation. I've used that as well with ACLs, which is handy. Although if you have a useful ldapdiff tool, then it'll generate this correctly for you as well. > add: olcObjectClasses > olcObjectClasses: ( idDomain:1 NAME 'asDomain' DESC 'A domain using > AnteSpam' SUP top AUXILIARY MUST ( asSidelineServer $ asPlan ) MAY ( > asAcceptUnknown $ asActive $ asAdvanced $ asBlockList $ asCountAccepted $ > asCountDiscarded $ asCountRejected $ asCountSent $ asCountSidelined $ > asCountVirus $ asDestination $ asDisposeThreshold $ asPassList $ > asSidelineThreshold $ asSpam $ asVirus $ asCountValid $ > asCountUnconfirmed $ asCountInvalid $ asCountIndependent $ > asAddressListReminder $ asRejectInvalidSender $ asPingAddress $ > asBlockArchive $ asBlockDoc $ asBlockDocOn $ asBlockExecutable $ > asBlockGeoIP $ asBlockNonLatin $ asBlockPassDoc $ asEstReportCardSpan $ > asExternalAuth $ asAlias $ asPayInterval $ asPlanStart $ asPlanCredit $ > asBackup $ asBackupUsageStats $ asEmergencyEmail $ asEmergencyEmailOn $ > asEmergencyEmailOff $ asEmergencyEmailUsed $ fmExternal $ asOutbound $ > asOutboundAccount $ asOutboundNotify $ asBPReportEmail $ > fmMaxRecipientsPer24Hr $ asUstEnabled $ asUstUsage ) ) > > - After the changes.ldif is done, I just pass it to ldapmodify and, as > long as there are no typos, everything works beautifully. > > And lastly, I will admit I haven't researched it recently, but when OLC > first came out I did not find any docs on how to set OLC up in a > master-slave arrangement so the OLC changes on the master are replicated > to the slaves? At least I assume that is how changes should be handled? This is already covered in test059 in the OpenLDAP test suite. ;) For this scenario what you have is: provider server with: cn=config db (master configuration) back-ldif db (replica configuration) replica server(s) that use syncrepl with the suffixmassage parameter to replica from the back-ldif DB on the master. This allows you to isolate out the replica configuration, since it by definition has to differ from the provider configuration. To update the replica configs, you simply do a write to the ldap provider's back-ldif DB, and the replicas all pull it down immediately. One write op -> Updates all replicas. > So anyway, we need a git trail of changes (or some sort of change log) > and I need to figure out how to set up delta-syncrepl for cn=config and > then seamlessly and safely transition 15 slaves and a master. If I can > do this I will jump on the cn=config wagon. This is possible as noted above. ;) I've put it on my to-do list however to create a test script that covers delta-sync replication for cn=config (There's none currently covering that). Then it can be used as an example. ;) --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 18 Sep '17

18 Sep '17

--On Monday, September 18, 2017 8:18 PM +0200 Radovan Semancik <radovan.semancik(a)evolveum.com> wrote: > On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: >> Numerous projects have BSD-style licenses, this isn't OpenLDAP >> specific. So yes, you should already have a legal team, if that's >> necessary in your case, that's familiar with dealing with FOSS >> licenses, to review them. > > Not really. Not that many any more. But in fact I try to avoid using such > projects. Certainly I do not consider contributions into these. I think > that is not worth the effort. Unfortunately, I have to conclude that > OpenLDAP project seems to confirm my assumption. You generally seem fairly convinced the world is aligned against you. I'm not sure there's a solution to that that the OpenLDAP project can help you with. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Instructions for Open LDAP library?
by Martin van den Nieuwelaar 18 Sep '17

18 Sep '17

Hi People, I'm writing an application using Qt and wish to use the openldap library within my program to query an LDAP server. I have been searching for instructions on using the library from a client point of view but have not been successful. I tried using the man pages and I think I'm part way there but have reached an impasse on the correct way (or any way at all for that matter) to extract the results from an LDAPMessage *. I have an example search working using the command line program ldap_search, so the next thought is to look at the source for ldap_search and see what calls it makes to figure things out. This somehow seems like the wrong way to be going about things however. Is there something equivalent for openldap to the documentation for libcurl, https://ec.haxx.se/libcurl-easyhandle.html ? If there is that would be brilliant. I also tried searching for 3rd party howtos and tutorials and there are a few of those but invariably they use now deprecated library calls. Regards, -Martin -- R A Ward Ltd. | We take the privacy of our customers seriously. Christchurch | All sensitive E-Mail attachments MUST be encrypted. New Zealand

2 1

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 18 Sep '17

18 Sep '17

--On Monday, September 18, 2017 8:11 PM +0200 Radovan Semancik <radovan.semancik(a)evolveum.com> wrote: > On 09/18/2017 06:27 PM, Quanah Gibson-Mount wrote: >> git is a pretty standard tool. Interestingly, numerous people seem to >> have no issue using git to check out the source, do a git format >> patch, and submit it for inclusion with the project. You can see this >> rather trivially by looking at my scratch repo where I've been >> consolidating contributed patches for review and inclusion in OpenLDAP: > > Yes, git is great tool and it is standard. No doubt about that. But why > there is no official OpenLDAP repo on github/gitlab? There is: <https://github.com/openldap/openldap> > Why the people > cannot contribute by simple pull requests? It is rather simple to set up > and maintain. And it lowers the entry barrier by a huge amount. Would be > ideal for fixes in man pages. Once you've gone to the work to do a change and commit it, there is little difference from that point of doing a pull request or a git format patch. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Olc deployment vs slapd.conf based deployment
by Howard Chu 18 Sep '17

18 Sep '17

Radovan Semancik wrote: > On 09/18/2017 06:25 PM, Quanah Gibson-Mount wrote: >> Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So >> yes, you should already have a legal team, if that's necessary in your case, >> that's familiar with dealing with FOSS licenses, to review them. > > Not really. Not that many any more. But in fact I try to avoid using such > projects. Certainly I do not consider contributions into these. I think that > is not worth the effort. Unfortunately, I have to conclude that OpenLDAP > project seems to confirm my assumption. The OpenLDAP license has been in use in its present form since 2003. It has certainly stood the test of time, which is something many other licenses cannot claim. Relicensing all of the code would be a non-trivial effort, as well. Basically everything you've posted amounts to "why doesn't this project that has been running for 19 years not conform to my newbie expectations?" It is not the community's obligation to conform to newcomers' expectations. It's the newcomer's obligation to observe existing community policies. That's true in all communities, not just open source. -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/

1 0

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 18 Sep '17

18 Sep '17

--On Monday, September 18, 2017 7:13 PM +0200 Radovan Semancik <radovan.semancik(a)evolveum.com> wrote: > >> That's incorrect. It's a BSD-style license, it doesn't get much more >> basic than that. <https://en.wikipedia.org/wiki/BSD_licenses> > > The point is that is may be BSD-style license. But it is not a BSD > license. I may need to run OpenLDAP license with our company lawyer to > make sure it is BSD-like and to be sure about the implications that might > be hidden there. I would not need to do that with a BSD license. > Everybody knows that one already. That's the power of standardization. It > saves time and lowers barriers. Numerous projects have BSD-style licenses, this isn't OpenLDAP specific. So yes, you should already have a legal team, if that's necessary in your case, that's familiar with dealing with FOSS licenses, to review them. --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Re: Olc deployment vs slapd.conf based deployment
by Quanah Gibson-Mount 18 Sep '17

18 Sep '17

--On Monday, September 18, 2017 7:08 PM +0200 Radovan Semancik <radovan.semancik(a)evolveum.com> wrote: > On 09/18/2017 05:20 PM, Howard Chu wrote: >> Radovan Semancik wrote: >>> I would ... if this was a wiki, or github-like pull request and if >>> there was an example of how a good result should look like. But it >>> does not make sense for me to spend few hours just figuring out how >>> to contribute documentation fix. >> >> So you're still saying, it's fine for other people to put in the hours >> to produce something you benefit from, but it's too much trouble for >> you to contribute in return. And in the meantime, it's perfectly OK >> for you to sit back and complain that things haven't been fixed. Got it. > > I'm afraid that you haven't got the point. According to my experience > people are willing to contribute. I'm willing to contribute. Just the > barrier is too high. But the worst thing is that I feel that the barrier > could be much lower if there was a bit of will to lower it. But the will > is just not there. And I do not see why. It is not 1990s any more. There > are ways how to make cooperation easier. Why not use them? git is a pretty standard tool. Interestingly, numerous people seem to have no issue using git to check out the source, do a git format patch, and submit it for inclusion with the project. You can see this rather trivially by looking at my scratch repo where I've been consolidating contributed patches for review and inclusion in OpenLDAP: <https://github.com/quanah/openldap-scratch> --Quanah -- Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: <http://www.symas.com>

2 1

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical