
Re: Error 18: Solaris 10 Native LDAP-Client



Correction:
-w <passwd> or -w - instead of -W

On Thu, Oct 28, 2010 at 15:02, Benjamin Griese <der.darude@gmail.com> wrote:
> Hello Günther,
>
> sorry for my late reply, I hate sun cluster panics after patching
> those beasts. :(
>
> Here is the content of solaris_profile:
>
> dn: cn=solaris_profile,ou=profile,dc=example,dc=de
> objectClass: DUAConfigProfile
> objectClass: top
> cn: solaris_profile
> authenticationMethod: simple
> bindTimeLimit: 10
> credentialLevel: proxy
> defaultSearchBase: dc=example,dc=de
> defaultSearchScope: sub
> defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured
> to mirrormode)
> followReferrals: FALSE
> profileTTL: 3600
> searchTimeLimit: 30
> serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
> serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
> serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub
>
>
> Regarding the sorting I found this in man ldapsearch:
>
> "-F sep
>
>         Use sep as the field separator between  attribute  names
>         and  values.  If  this option has been specified, the -L
>         option is ignored.
>
>
> -S [-]attribute
>
>         Specify an attribute for sorting the entries returned by
>         the  search.  The  sort  criteria is alphabetical on the
>         attribute's value or reverse alphabetical with the  form
>         -attribute.  You  can give multiple -S options to refine
>         the sorting, For example:
>
>         -S sn -S givenname
>
>         By default, the entries  are  not  sorted.  Use  the  -x
>         option to perform server-side sorting."
>
> If I use -x for server side sorting, I get the complete list of
> uid-Objects, but not sorted in any obvious way:
> # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:16:49 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> version: 1
>
> If I use this string I get the complete list of uid-objects sorted by uidNumber
> # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:37:11 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> version: 1
>
> If I try to search with -x and -S uidnumber I get the same message
> that appears in the OpenLDAP logfile:
> # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:25:50 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> ldap_search: Inappropriate matching
> ldap_search: additional info: serverSort control: No ordering rule
> ldap_parse_sort_control: Requested LDAP control not found
>
> Finally I still have no clue how to prevent the client from doing
> these kinds of searches.
> And I couldn't find any templates regarding the ldapclient on my test machine.
>
> Any other clues or ideas?
>
> Bye, Benjamin.
>
> On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter <dieter@dkluenter.de> wrote:
>> Benjamin Griese <der.darude@gmail.com> writes:
>>
>>> Hey thanks for quick reply,
>>>
>>> I put the config of the ldapclient on the ML some days ago,
>>> but I can't figure out how I may have set such a rule on client side.
>>> Probably it is something hardcoded.
>>>
>>> ldapclient config:
>>> NS_LDAP_FILE_VERSION= 2.0
>>> NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
>>> NS_LDAP_BINDPASSWD= secret
>>> NS_LDAP_SERVERS= ldap01
>>> NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
>>> NS_LDAP_AUTH= simple
>>> NS_LDAP_SEARCH_REF= FALSE
>>> NS_LDAP_SEARCH_SCOPE= sub
>>> NS_LDAP_SEARCH_TIME= 30
>>> NS_LDAP_CACHETTL= 60
>>> NS_LDAP_PROFILE= solaris_profile
>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
>>> NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
>>>
>>> That's all I set up, it's like defaultest of the defaultest I guess :)
>>>
>>> And thanks for describing EQUALITY.
>>
>> I must admit I am not that familiar with old netscape tools, but the
>> openldap log is quite clear, there is a request for a Server Side
>> Sorting extended operation, which in fact is quite unusual. You really
>> should check Solaris 10 setup for appropriate templates, i.e. what is
>> the content of solaris_profile? By the way, AFAIR the flag for sss is
>> -F so you may check any templates, Redhat provides these in
>> /usr/share/dirsrv, Solaris might be different.
>>
>> -Dieter
>>
>> --
>> Dieter Klünter | Systemberatung
>> sip: 7770535@sipgate.de
>> http://www.dpunkt.de/buecher/2104.html
>> GPG Key ID:8EF7B6C6
>>
>
>
>
> --
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
> be is to do -- Sartre | Do be do be do -- Sinatra
>



-- 
To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
be is to do -- Sartre | Do be do be do -- Sinatra
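
Added example, not part of the thread or of any tool mentioned in it: the `serverSort control: No ordering rule` reply quoted above is what a server returns when the requested sort attribute has no ORDERING matching rule, so this Python check reads attribute-type definitions and reports which `-S` sort keys would be rejected. The sample schema lines are constructed (the `DESC` text included); `exampleStamp`, `exStamp` and the OID `1.1.2.1.1` are hypothetical.

```python
import re

# Constructed sample in RFC 4512 attribute-type syntax. uidNumber follows the
# RFC 2307 definition (EQUALITY only), createTimestamp follows RFC 4512;
# exampleStamp and its OID are hypothetical, added to show SUP inheritance.
SAMPLE_SCHEMA = [
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'no ORDERING here' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )",
    "( 1.1.2.1.1 NAME ( 'exampleStamp' 'exStamp' ) SUP createTimestamp )",
]

DESC_RE = re.compile(r"\bDESC\s+'[^']*'")
NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))")
ORDERING_RE = re.compile(r"\bORDERING\s+([\w.-]+)")
SUP_RE = re.compile(r"\bSUP\s+([\w.-]+)")


def parse_attribute_types(definitions):
    """Map every attribute name (lower-cased) to its ORDERING rule and SUP."""
    table = {}
    for raw in definitions:
        text = DESC_RE.sub("", raw)  # keywords inside DESC must not match
        m = NAME_RE.search(text)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        ordering, sup = ORDERING_RE.search(text), SUP_RE.search(text)
        info = {"ordering": ordering.group(1) if ordering else None,
                "sup": sup.group(1).lower() if sup else None}
        for name in names:
            table[name.lower()] = info
    return table


def ordering_rule(table, attr):
    """Return the ORDERING rule for attr, following SUP; None if there is none."""
    name, seen = attr.lower(), set()
    while name in table and name not in seen:
        seen.add(name)
        if table[name]["ordering"]:
            return table[name]["ordering"]
        name = table[name]["sup"]  # None ends the loop: no supertype left
    return None


def rejected_sort_keys(table, keys):
    """Sort keys (ldapsearch -S form, optional leading '-') lacking ORDERING."""
    return [k for k in keys if ordering_rule(table, k.lstrip("-")) is None]
```
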