3:46 a.m.
Hello,
I am trying to make my client, developed for OpenLDAP also compatible
with Oracle DSEE.
Oracle DSEE is missing support for simple paged results, which I use.
Yet, ODSEE supports virtual list view with server-side sorting. I
adjusted my code, to use that - VLV+SSS as a fallback whenever the
server does not support paged results and supports VLV+SSS, like
ODSEE.
Is it possible to disable OpenLDAP server-side support of simple paged
results control, so the OpenLDAP server would respond that this
control is unavailable?
I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me
many times, in past. Can OpenLDAP be configured to do what I need, so
I could test my fallback code in the client using an OpenLDAP server?
Thank you,
Igor Shmukler
4:23 a.m.
OK, I might have found the setting:
olcSizeLimit: size.prtotal=disabled
Thank you
On Thu, Aug 27, 2015 at 1:46 PM, Igor Shmukler <igor.shmukler(a)gmail.com> wrote:
Hello,
I am trying to make my client, developed for OpenLDAP also compatible
with Oracle DSEE.
Oracle DSEE is missing support for simple paged results, which I use.
Yet, ODSEE supports virtual list view with server-side sorting. I
adjusted my code, to use that - VLV+SSS as a fallback whenever the
server does not support paged results and supports VLV+SSS, like
ODSEE.
Is it possible to disable OpenLDAP server-side support of simple paged
results control, so the OpenLDAP server would respond that this
control is unavailable?
I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me
many times, in past. Can OpenLDAP be configured to do what I need, so
I could test my fallback code in the client using an OpenLDAP server?
Thank you,
Igor Shmukler
5:43 a.m.
Hello,
Sorry, I am [still] having problems disabling paged results. The below
LDIF is not working:
dn: cn=config
changetype: modify
replace: olcSizeLimit
olcSizeLimit: size.prtotal=disabled
What is wrong with the LDIF? It was successfully applied using
ldapmodify(1), yet my server still does not throw an unsupported
control, instead providing clients with paged results.
Thank you.
On Thu, Aug 27, 2015 at 2:23 PM, Igor Shmukler <igor.shmukler(a)gmail.com> wrote:
OK, I might have found the setting:
olcSizeLimit: size.prtotal=disabled
Thank you
On Thu, Aug 27, 2015 at 1:46 PM, Igor Shmukler <igor.shmukler(a)gmail.com> wrote:
> Hello,
>
> I am trying to make my client, developed for OpenLDAP also compatible
> with Oracle DSEE.
> Oracle DSEE is missing support for simple paged results, which I use.
> Yet, ODSEE supports virtual list view with server-side sorting. I
> adjusted my code, to use that - VLV+SSS as a fallback whenever the
> server does not support paged results and supports VLV+SSS, like
> ODSEE.
>
> Is it possible to disable OpenLDAP server-side support of simple paged
> results control, so the OpenLDAP server would respond that this
> control is unavailable?
>
> I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me
> many times, in past. Can OpenLDAP be configured to do what I need, so
> I could test my fallback code in the client using an OpenLDAP server?
>
> Thank you,
>
> Igor Shmukler
6:37 a.m.
On Thu, 27 Aug 2015, Igor Shmukler wrote:
olcSizeLimit: size.prtotal=disabled
What is wrong with the LDIF? It was successfully applied using
ldapmodify(1), yet my server still does not throw an unsupported
control, instead providing clients with paged results.
You can see how prtotal=disabled is supposed to work with test025, e.g.
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h localhost
-p 9011 -w secret -D 'cn=Paged Results Disabled User,ou=Paged Results
Users,dc=example,dc=com' -E '!pr=5/noprompt' -b 'dc=example,dc=com'
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with pagedResults critical control: size=5
#
# search result
search: 2
result: 11 Administrative limit exceeded
text: pagedResults control not allowed
# numResponses: 1
so perhaps turn up your slapd logging and see if you're sending that
result. And you mention "unsupported control," but these are
administrative limits, it's not like this deletes the code from slapd. For
example again with test025 and assuming you don't --enable-sssvlv=yes:
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h localhost
-p 9011 -E '!sss=mail:caseIgnoreIA5Match' -b 'dc=example,dc=com'
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with server side sorting critical control
#
# search result
search: 2
result: 12 Critical extension is unavailable
text: critical extension is not recognized
# numResponses: 1
Note that one practical, albeit somewhat evil, method to deal with
confused clients can be to disallow them access to the supportedControl.
# VLV, for instance
access to dn.exact=""
attrs=supportedControl
val/objectIdentifierMatch.exact=2.16.840.1.113730.3.4.9
by <foolishClient> none
6:53 a.m.
Hello Aaron,
Thank you for responding.
I am still trying to process your email. Hopefully, I understand some
of your suggestions. Thank you for referring me to test025.
I would be delighted to get: "Unavailable Critical Extension" in
return for simple paged results request.
My problem is that the server does not return anything reflecting that
paged results control is disabled. Please take a look:
# search result
search: 4
result: 0 Success
control: 1.2.840.113556.1.4.319 false MA0CAQAECA8AAAAAAAAA
pagedresults: cookie=DwAAAAAAAAA=
# extended LDIF
#
# LDAPv3
# base <dc=sssvlv,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
# with pagedResults critical control: size=5
#
# ffanco, sssvlv.com
dn: cn=ffanco,dc=sssvlv,dc=com
sn: Fanco
ipPhone: 20006
givenName: Franc
mail: ffanco(a)spain.gov.es
Hence, my question is whether I did something wrong while attempting
to disable paged results.
Sincerely,
Igor Shmukler
On Thu, Aug 27, 2015 at 4:37 PM, Aaron Richton <richton(a)nbcs.rutgers.edu> wrote:
On Thu, 27 Aug 2015, Igor Shmukler wrote:
> olcSizeLimit: size.prtotal=disabled
>
> What is wrong with the LDIF? It was successfully applied using
> ldapmodify(1), yet my server still does not throw an unsupported
> control, instead providing clients with paged results.
You can see how prtotal=disabled is supposed to work with test025, e.g.
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h
localhost -p 9011 -w secret -D 'cn=Paged Results Disabled User,ou=Paged
Results Users,dc=example,dc=com' -E '!pr=5/noprompt' -b
'dc=example,dc=com'
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with pagedResults critical control: size=5
#
# search result
search: 2
result: 11 Administrative limit exceeded
text: pagedResults control not allowed
# numResponses: 1
so perhaps turn up your slapd logging and see if you're sending that result.
And you mention "unsupported control," but these are administrative limits,
it's not like this deletes the code from slapd. For example again with
test025 and assuming you don't --enable-sssvlv=yes:
$ ../clients/tools/ldapsearch -P 3 -x -S uid -b 'dc=example,dc=com' -h
localhost -p 9011 -E '!sss=mail:caseIgnoreIA5Match' -b
'dc=example,dc=com'
'(objectClass=*)'
# extended LDIF
#
# LDAPv3
# base <dc=example,dc=com> with scope subtree
# filter: (objectClass=*)
# requesting: ALL
# with server side sorting critical control
#
# search result
search: 2
result: 12 Critical extension is unavailable
text: critical extension is not recognized
# numResponses: 1
Note that one practical, albeit somewhat evil, method to deal with confused
clients can be to disallow them access to the supportedControl.
# VLV, for instance
access to dn.exact=""
attrs=supportedControl
val/objectIdentifierMatch.exact=2.16.840.1.113730.3.4.9
by <foolishClient> none
7:50 a.m.
On Thu, 27 Aug 2015, Igor Shmukler wrote:
search: 4
result: 0 Success
obviously isn't
> result: 11 Administrative limit exceeded
> text: pagedResults control not allowed
so yeah, that prtotal=disabled doesn't seem to hit. I'd turn up slapd
logging and see what's going on. (Are you positive that your bindDN is
subject to your prtotal clause?)
7:55 a.m.
Aaron,
I don't know what is happening, hence tried to tap into collective wisdom.
My LDIF was written to disable paged search for everyone, hence dn: cn=config
If I knew how the rule should be written, I would not bother smart people.
Sincerely,
Igor Shmukler
On Thu, Aug 27, 2015 at 5:50 PM, Aaron Richton <richton(a)nbcs.rutgers.edu> wrote:
On Thu, 27 Aug 2015, Igor Shmukler wrote:
> search: 4
> result: 0 Success
obviously isn't
>> result: 11 Administrative limit exceeded
>> text: pagedResults control not allowed
so yeah, that prtotal=disabled doesn't seem to hit. I'd turn up slapd
logging and see what's going on. (Are you positive that your bindDN is
subject to your prtotal clause?)
3:23 a.m.
On Thu, Aug 27, 2015 at 01:46:53PM +0300, Igor Shmukler wrote:
Is it possible to disable OpenLDAP server-side support of simple
paged
results control, so the OpenLDAP server would respond that this
control is unavailable?
I don't have an LDAP proxy, nor ODSEE configured. OpenLDAP saved me
many times, in past. Can OpenLDAP be configured to do what I need, so
I could test my fallback code in the client using an OpenLDAP server?
Have a look at the RETCODE overlay: slapo-retcode(5) - this should allow you
to return whatever error codes you like to your client during testing.
Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
3014
days inactive
3020
days old
openldap-technical@openldap.org
7 comments
3 participants
participants (3)
-
Aaron Richton -
Andrew Findlay -
Igor Shmukler