openldap-technical

openldap-technical@openldap.org

23 participants
9804 discussions

Re: JLDAP problem
by Bahadir Konu 16 Apr '12

16 Apr '12

What I m working on is an integration component that will listen to LDAP server. When a change occurs on LDAP entries, my component will publish a message. (actually call a web service). LDAP admins offer that I can use "change logs" to detect changes. But I think notification mechanism is a better choice. Do you think JLDAP and asynch "search" method a good enough choice? Is UnboundID SDK better for me and why? Thanks. Bahadır Konu On 13 April 2012 19:43, Quanah Gibson-Mount <quanah(a)zimbra.com> wrote: > --On Friday, April 13, 2012 5:00 PM +0300 Bahadir Konu <bah.konu(a)gmail.com> > wrote: > > Thanks Nick. >> After building from source, problem dissapeared. And I was able to debug. >> > > If you are serious about using Java to talk to LDAP, then I would advise > using the UnboundID SDK. > > --Quanah > > > -- > > Quanah Gibson-Mount > Sr. Member of Technical Staff > Zimbra, Inc > A Division of VMware, Inc. > -------------------- > Zimbra :: the leader in open source messaging and collaboration >

1 0

reqStart<= slow
by Michael Ströder 14 Apr '12

14 Apr '12

HI! I'm trying to retrieve change events from accesslog DB (all with today's RE24). I tried searching with this filter: (&(reqDN=cn=Test-Mail-Gruppe 1,dc=example,dc=com)(reqStart<=20120413180000Z)) This turned out to be quite slow though. reqDN is indexed and there are only two possible entries. Using a filter reqStart>= even when negated with (!()) is pretty fast. I really wonder why that is. Ciao, Michael.

2 4

Re: AW: Re: How can I set an LDAP-attribute to "null" (empty)?
by masarati＠aero.polimi.it 14 Apr '12

14 Apr '12

[please keep replies on the list] > IŽm sorry, but that is not a qualified answer... OK, I'll try to be more precise. 1) "TelUser": not a standard track attribute. Please provide its specification (significantly, its syntax) otherwise the point is moot. 2) few standard track syntaxes allow zero length strings; see RFC4517. In short, RTFM to see if the syntax of your "TelUser" allows a zero length string. It appears from the description of your problem, that you want to zero out a value, not actually store a zero length value. This is common of rdbms users, where tables have a fixed structure and when some field is not defined one just wants to store an empty value in it. LDAP, instead allows object to have optional attributes; when optional attributes are not needed, they should not appear at all. If your problem is with the tool you're using, that has nothing to do with OpenLDAP; so please ask the appropriate forum. p. > > ----- Ursprüngliche Nachricht ----- > Von: masarati(a)aero.polimi.it > An: norbert.weckert(a)arcor.de > Cc: openldap-technical(a)openldap.org > Gesendet: 13.04.12 23:26 > Betreff: Re: How can I set an LDAP-attribute to "null" (empty)? > >> Hello, >> >> to fill data into an LDAP-structure, I use the software HP Connect IT. >> Sometimes it is necessary to clear an attribute. >> >> But there is the following error message: >> >> Error occured while modifiying the entry (LDAP) >> TelUser value #0 invalid per Syntax >> LDAP API Invalid Syntax >> >> Can you tell me, what I have to do, so that LDAP accepts an "empty >> value"? > > Nearly no syntax accepts the empty value. What you need to do is delete > the attribute using a standard LDAP modify operation. In LDIF: > > dn: (the DN) > changetype: modify > delete: TelUser > - > > How to do it using that specific software is up to you. > > p. > > >

1 0

How can I set an LDAP-attribute to "null" (empty)?
by norbert.weckert＠arcor.de 13 Apr '12

13 Apr '12

Hello, to fill data into an LDAP-structure, I use the software HP Connect IT. Sometimes it is necessary to clear an attribute. But there is the following error message: Error occured while modifiying the entry (LDAP) TelUser value #0 invalid per Syntax LDAP API Invalid Syntax Can you tell me, what I have to do, so that LDAP accepts an "empty value"? Thank you in advance. Kind regards Norbert Weckert

2 1

JLDAP problem
by Bahadir Konu 13 Apr '12

13 Apr '12

Hi everybody, I m working on an application that will listen to LDAP server (IBM Tivoli) and detect changes to LDAP entries. I saw the SearchPersist example and done the same: http://developer.novell.com/documentation/samplecode/jldap_sample/controls/… This example works fine as a standalone Java application. But when I try to make this a scheduled quartz job and deploy my application as an Enterprise Application to IBM Websphere ESB server, this line does not work: // Asynchronous queue = lc.search(searchBase, // container to search LDAPConnection.SCOPE_SUB, // search container's subtree "(objectClass=*)", // search filter, all objects attrs, // don't return attributes false, // return attrs and values, ignored null, // use default search queue constraints); // use default search constraints When I debug, the thread hangs here. And right now I cannot debug the JLDAP itself because my .class files was not produced with line number info. Synchronous version of the method works fine: LDAPSearchResults results = lc.search(searchBase, LDAPConnection.SCOPE_SUB, "(objectClass=*)", attrs, false ); I guess that the quartz scheduler is creating a seperate thread and the asynch version of the method doesnt work. But I m not sure what actually is happening. Am I doing something wrong? Is it possible to use the asynch search method in a scheduled job? (And the app is deployed to ESB server but that may not be relevant to my problem.) Ask me and I can give more details about the application, if needed. Any help is appreciated. Bahadır Konu

3 4

Was: (ITS#7130) OpenLDAP with BackSQL and Postgres. Upper on bigint?
by masarati＠aero.polimi.it 12 Apr '12

12 Apr '12

> I'm sorry, I send my issue to the wrong mailinglist at first (to the > bugs list) and then tried to send it to technical twice. It doesnt > seem to go through. Do you have any idea which column it is that > defines this behaviour? I can't seem to find it.. It is not a boolean, but rather a separate field. As far as I recall, in the original design uppercasing was intended as a form of normalization. In table "ldap_attr_mappings" you find a "sel_expr_u" that contains the "uppercasing" select expression. If not given, and if an uppercasing function is known, it is constructed as "<uppercasing>(<sel_expr>)", but you have a chance to provide a specific one. Please test and report through the openldap-technical mailing list, unless you find a bug. p.

1 0

ppolicy overlay doesn't apply
by Cosmin Ciuraru 12 Apr '12

12 Apr '12

Hello, I am trying to use the ppolicy overlay with openldap, version 2.4.20, installed on a SLES 11 SP1 x64, as a package. I have made the following settings in the openldap.conf: - included the ppolicy.schema - overlay ppolicy - ppolicy_default "cn=pwd,ou=Policies,o=...." I saw that a"'moduleload ppolicy.la" is also required, but I cannot find the library in /usr/lib/openldap/modules (which is empty). I have compiled the source with --enable-ppolicy=mod/yes with --enable-modules=yes, to see if it would generate the library ppolicy.la, but just generated the slapd binary, so, as it gives no error for the config file, I suppose that the ppolicy part is embedded in the slapd. The problem: When I try to change the password for a user in LDAP, the policy doesn't apply. The clients run on the same OS, but different machines, with pam_ldap-184 and nss-ldap-262. If I open the yast2-ldap-client, I can see that it finds the password policy, but it doesn't get applied. If I follow the requests to the LDAP server, I can see that the client issues a request with the filter objectClass=passwordPolicy, which comes from the pam_ldap, which is written to use the Netscape password policy schema. But in my LDAP I use the pwdPolicy schema, which is a more recent one. I know that the password doesn't get applied because I set the checkQuality attribute to 0 and I expect to let me use whatever password I like. The client has the pam_lookup_policy set to yes. Can you please point out what I am missing? Thank you!

3 2

CentOS 6.2 ldap client -> CentOS 5.8 server = all fields *but* password (kinda)?
by Phillippe Welsh 12 Apr '12

12 Apr '12

I know C6 client -> C5 ldap server works. I have a couple of systems that do it. I have one crazy system that just went into production that does not properly authenticate. Here is the scenario: 1. "getent passwd" will show *all* users *and* passwords. 2. "getent passwd USERNAME" will show all user info and *NOT* the password(the field is a "*"). Has anyone come across this behavior? There must be some option I messed up and did not realize it. I have checked for differences from a working system in nsswitch.conf, authconfig, sssd.conf, pam_ldap.conf, nslcd.conf and ldap.conf with no luck. I have looked at "rpm -V openldap" and "rpm -V openldap-clients" with no luck. This is making me crazy! It has to be something simple. Additionally, I have "nscd -i passwd" and tried to stop/start both the nslcd and nscd daemons. Google has not been of very much help with the pattern of search I've tried so far, either... Thanks for any help pj

1 0

Re: slow or inconsistent syncrepl
by Amol Kulkarni 12 Apr '12

12 Apr '12

As per the recommendations, we have done following : 1. Installed openldap 2.4.30 on master & all replicas. 2. We have cascaded the replication by adding another replica in lan which acts as provider for the consumers on wan. There are definite improvements but still we are observing following problem : 1. Bulk changes (1000 records changed) in LDAP on the provider, do not replicate to replicas with busy ldap unless a) the records are updated in smaller batches on provider b) the replication database on the consumer is reset - i.e ldap restarted with -c rid=001 Is there a buffer/queue at the consumer side which overflows? Can it be tuned? Does a busy server drop replication requests? Thanks, Amol. ----- Original Message ----- From: Quanah Gibson-Mount Sent: 03/12/12 03:36 AM To: Amol Kulkarni Subject: Re: slow or inconsistent syncrepl --On Sunday, March 11, 2012 8:51 AM +0100 Amol Kulkarni <amolkulkarni(a)gmx.com> wrote: > > I see that I'm outdated in my tuning as per > http://wiki.zimbra.com/wiki/OpenLDAP_Performance_Tuning. > I'll do these changes and observe the servers. > > In the mean time a new observation regarding syncrepl is that if I do > ldapmodify for 5 - 10 entries in one go the changes get replicated but if > I change about 300 entries in one go, then some entries do not get > replicated on some servers. These changes dont get replicated until I > change those entries again. > > Does this indicate provider resource problem or consumer resource problem > ( or normal behaviour ) ? Changes failing to replicate is not a desired behavior. It is expected to occur in older known buggy releases. If all of your masters & replicas are on 2.4.30, hopefully you won't see that issue any more. --Quanah -- Quanah Gibson-Mount Sr. Member of Technical Staff Zimbra, Inc A Division of VMware, Inc. -------------------- Zimbra :: the leader in open source messaging and collaboration

2 1

home directory of added user with him profile environment
by stefano malini 11 Apr '12

11 Apr '12

Hi, i installed an ldap server on debian squeeze. i've to add every user but i don't how to set him home directory with him profile environment. The home directory can be created using mkdir? how to keep the profile environment from /etc/skel? thanks

1 0

Jump to page:

2025

2024

2023

2022

2021

2020

2019

2018

2017

2016

2015

2014

2013

2012

2011

2010

2009

2008

2007

openldap-technical