Hello,
I am new to OpenLDAP. May I ask if Persistent Search is supported in any version of OpenLDAP Server? I installed version 2.4.46 from Rocky repo and it does not seem to support persistent search.
pham lan wrote:
> Hello,
> I am new to OpenLDAP. May I ask if Persistent Search is supported in any version of OpenLDAP Server?
Yes.
> I installed version 2.4.46 from Rocky repo and it does not seem to support persistent search.
OpenLDAP's syncrepl replication protocol has supported persistent searches since OpenLDAP 2.2 in 2003.
Still, if you're using OpenLDAP for the first time you should use a newer, supported release. 2.4.46 is from 2018, and the 2.4 release stream has been deprecated for quite a while now.
--On Thursday, December 15, 2022 5:08 PM +0000 Howard Chu hyc@symas.com wrote:
> pham lan wrote:
>> Hello,
>> I am new to OpenLDAP. May I ask if Persistent Search is supported in any version of OpenLDAP Server?
> Yes.
>> I installed version 2.4.46 from Rocky repo and it does not seem to support persistent search.
> OpenLDAP's syncrepl replication protocol has supported persistent searches since OpenLDAP 2.2 in 2003.
> Still, if you're using OpenLDAP for the first time you should use a newer, supported release. 2.4.46 is from 2018, and the 2.4 release stream has been deprecated for quite a while now.
Does it use the same control as described in draft-ietf-ldapext-psearch? My recollection was that it was different as described in https://datatracker.ietf.org/doc/html/rfc4533?
--Quanah
Hi Howard,
Thanks for your answer. I am new to using OpenLDAP but it was set up by my colleagues and he said the OpenLDAP version from repo is not well updated. So, regarding the Persistent Search, the reason I asked is that I am switching from Classic ActiveMQ to ActiveMQ Artemis. And Artemis has this setting:
"enableListener. Whether or not to enable a listener that will automatically receive updates made in the LDAP server and update the broker's authorization configuration in real-time. The default value is true."
And in the ActiveMQ Artemis log, I (and also some other cases I found on Google) got this error: " ERROR [org.apache.activemq.artemis.core.server] AMQ224086: Caught unexpected exception: javax.naming.OperationNotSupportedException: [LDAP: error code 12 - critical extension is not recognized]; remaining name 'ou=Destination,ou=ActiveMQ,ou=activemq,dc=test,dc=com' "
This is not the problem with classic ActiveMQ where I found in their documentation, saying that OpenLDAP does not support the “persistent search” feature. That's why I wanted to verify. https://activemq.apache.org/cached-ldap-authorization-module
Is there something extra I need to configure on OpenLDAP to have this feature enabled for such kinds of cases that a client like ActiveMQ Artemis can register to get live updates from OpenLDAP (instead of having to restart the service)? If yes, could you send me a link to how to set it up?
I also found this issue regarding implementation of persistent search on OpenLDAP https://bugs.openldap.org/show_bug.cgi?id=8983
On Thu, Dec 15, 2022 at 6:08 PM Howard Chu hyc@symas.com wrote:
> pham lan wrote:
>> Hello,
>> I am new to OpenLDAP. May I ask if Persistent Search is supported in any version of OpenLDAP Server?
> Yes.
>> I installed version 2.4.46 from Rocky repo and it does not seem to support persistent search.
> OpenLDAP's syncrepl replication protocol has supported persistent searches since OpenLDAP 2.2 in 2003.
> Still, if you're using OpenLDAP for the first time you should use a newer, supported release. 2.4.46 is from 2018, and the 2.4 release stream has been deprecated for quite a while now.
> --
>   -- Howard Chu
>   CTO, Symas Corp. http://www.symas.com
>   Director, Highland Sun http://highlandsun.com/hyc/
>   Chief Architect, OpenLDAP http://www.openldap.org/project/
--On Thursday, December 15, 2022 7:13 PM +0100 pham lan phamlankt@gmail.com wrote:
That bug clearly notes it is implemented in OpenLDAP 2.5+
I would advise using a current supported release of OpenLDAP, as the 2.4 series is historic and has no support. You can obtain current binary releases of OpenLDAP for RHEL-like systems (including Rocky linux) from multiple sources, such as:
Symas (https://repo.symas.com/soldap2.5/ for OpenLDAP 2.5 or https://repo.symas.com/soldap/ for OpenLDAP 2.6)
The LTB project (https://ltb-project.org/download.html)
Regards, Quanah
On 12/15/22 20:52, Quanah Gibson-Mount wrote:
> That bug clearly notes it is implemented in OpenLDAP 2.5+
Hmm, as I read ITS#8983 the control encoding has been implemented in libldap (see libraries/libldap/psearchctrl.c).
But the original poster asked about the server-side implementation of draft-ietf-ldapext-psearch-03. And AFAIK this is *not* implemented in OpenLDAP.
Ciao, Michael.
Michael Ströder wrote:
> On 12/15/22 20:52, Quanah Gibson-Mount wrote:
>> That bug clearly notes it is implemented in OpenLDAP 2.5+
> Hmm, as I read ITS#8983 the control encoding has been implemented in libldap (see libraries/libldap/psearchctrl.c).
> But the original poster asked about the server-side implementation of draft-ietf-ldapext-psearch-03. And AFAIK this is *not* implemented in OpenLDAP.
git grep shows it is present in the slapd source, but indeed, it is only for the replication consumer.
head> git grep LDAP_CONTROL_PERSIST
clients/tools/common.c: { LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE, TOOL_SEARCH, print_psearch },
clients/tools/common.c: case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD:
clients/tools/common.c: case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_DELETE:
clients/tools/common.c: case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_MODIFY:
clients/tools/common.c: case LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME:
clients/tools/ldapsearch.c: c[i].ldctl_oid = LDAP_CONTROL_PERSIST_REQUEST;
include/ldap.h:#define LDAP_CONTROL_PERSIST_REQUEST "2.16.840.1.113730.3.4.3"
include/ldap.h:#define LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE "2.16.840.1.113730.3.4.7"
include/ldap.h:#define LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD 0x1
include/ldap.h:#define LDAP_CONTROL_PERSIST_ENTRY_CHANGE_DELETE 0x2
include/ldap.h:#define LDAP_CONTROL_PERSIST_ENTRY_CHANGE_MODIFY 0x4
include/ldap.h:#define LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME 0x8
libraries/libldap/psearchctrl.c: ld->ld_errno = ldap_control_create( LDAP_CONTROL_PERSIST_REQUEST,
libraries/libldap/psearchctrl.c: LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD (1),
libraries/libldap/psearchctrl.c: LDAP_CONTROL_PERSIST_ENTRY_CHANGE_DELETE (2),
libraries/libldap/psearchctrl.c: LDAP_CONTROL_PERSIST_ENTRY_CHANGE_MODIFY (4), or
libraries/libldap/psearchctrl.c: LDAP_CONTROL_PERSIST_ENTRY_CHANGE_RENAME (8).
servers/slapd/syncrepl.c: c[0].ldctl_oid = LDAP_CONTROL_PERSIST_REQUEST;
servers/slapd/syncrepl.c: rc = ldap_create_persistentsearch_control_value( si->si_ld, LDAP_CONTROL_PERSIST_ENTRY_CHANGE_ADD,
servers/slapd/syncrepl.c: rctrlp = ldap_control_find( LDAP_CONTROL_PERSIST_ENTRY_CHANGE_NOTICE, rctrls, &next );
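An added example (not from any poster in this thread, and not OpenLDAP or Artemis code): the psearch control value from draft-ietf-ldapext-psearch encoded with the change-type bits listed in the grep output, and the RFC 4511 rule that turns an unrecognized critical control into the result code 12 seen in the Artemis log. The function names and the `SAMPLE_SUPPORTED` list are constructed for illustration; the Sync Request OID comes from RFC 4533.

```python
# Added example; names below are illustrative, not libldap or JNDI APIs.
PSEARCH_OID = "2.16.840.1.113730.3.4.3"        # LDAP_CONTROL_PERSIST_REQUEST (include/ldap.h)
SYNC_REQUEST_OID = "1.3.6.1.4.1.4203.1.9.1.1"  # RFC 4533 Sync Request control
CHANGE_TYPES = {"add": 0x1, "delete": 0x2, "modify": 0x4, "rename": 0x8}
UNAVAILABLE_CRITICAL_EXTENSION = 12            # RFC 4511 result code

def encode_psearch_value(change_types, changes_only, return_ecs):
    """BER-encode SEQUENCE { changeTypes INTEGER, changesOnly BOOLEAN, returnECs BOOLEAN }."""
    mask = 0
    for name in change_types:
        mask |= CHANGE_TYPES[name]
    if mask == 0:
        raise ValueError("at least one change type is required")
    body = bytes([0x02, 0x01, mask,
                  0x01, 0x01, 0xFF if changes_only else 0x00,
                  0x01, 0x01, 0xFF if return_ecs else 0x00])
    return bytes([0x30, len(body)]) + body

def decode_psearch_value(value):
    """Strict decoder for the short form produced above; rejects anything else."""
    if len(value) != 11 or value[0] != 0x30 or value[1] != 9:
        raise ValueError("not a psearch control value")
    if value[2:4] != b"\x02\x01" or value[5:7] != b"\x01\x01" or value[8:10] != b"\x01\x01":
        raise ValueError("unexpected element tags")
    mask = value[4]
    if mask == 0 or mask & ~0x0F:
        raise ValueError("invalid changeTypes")
    names = [n for n, bit in CHANGE_TYPES.items() if mask & bit]
    return names, value[7] != 0, value[10] != 0

def handle_control(supported_controls, oid, critical):
    """RFC 4511 section 4.1.11: how a server treats a control it may not recognize."""
    if oid in supported_controls:
        return ("apply", 0)
    if critical:
        return ("fail", UNAVAILABLE_CRITICAL_EXTENSION)
    return ("ignore", 0)  # runs as an ordinary one-shot search, no change notices

# Constructed rootDSE supportedControl values for a server offering syncrepl
# and paged results, but not the psearch control.
SAMPLE_SUPPORTED = {SYNC_REQUEST_OID, "1.2.840.113556.1.4.319"}

if __name__ == "__main__":
    v = encode_psearch_value(["add", "delete", "modify", "rename"], True, True)
    print(v.hex(), decode_psearch_value(v))
    print(handle_control(SAMPLE_SUPPORTED, PSEARCH_OID, critical=True))
```

Against a live server, the same decision can be predicted by reading the `supportedControl` attribute of the root DSE before enabling a listener that depends on the control.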
Hi all,
Thanks for all your replies here. So, do you know if there is any plan to have this feature implemented on the server side?
Hi experts,
is there a chance that persistent searches could be implemented in a way that clients can take advantage of them (support of control 2.16.840.1.113730.3.4.3)?
Thanks in advance, Carsten
openldap-technical@openldap.org