OpenLDAP
Viewing Development/4730
Date: Fri, 3 Nov 2006 09:25:01 GMT
From: ando@sys-net.it
To: openldap-its@OpenLDAP.org
Subject: Overlay that generates operational attributes to support GUI interaction
Full_Name: Pierangelo Masarati
Version: HEAD
OS: irrelevant
URL: ftp://ftp.openldap.org/incoming/pierangelo-masarati-2006-11-03-allowed.c
Submission from: (NULL) (81.72.89.40)
Submitted by: ando


This overlay provides simple support for allowedAttributes and
allowedAttributesEffective, a (somewhat broken) AD feature that is intended to
help GUIs determine, based on the current objectClass values of an
object, what attributes would comply with the schema (without distinction
between "allowed" and "required"), by listing them in "allowedAttributes", and,
furthermore, by providing a hint as to which of those values could be effectively
added by the current connection, by listing them in
"allowedAttributesEffective".  This is broken since it doesn't consider the
possibility of value-dependent ACLs, so it should really be considered just a
hint, while the "allowedAttributes" could really be computed starting from the
schema definition, which remains the recommended way to solve the problem.

So this overlay should really be considered only food for thought as a starting
base for a tighter integration of OpenLDAP into Samba4.

There's minimal support for "allowedChildClasses" and
"allowedChildClassesEffective", whose definition is absolutely obscure to me, as
I believe the only classes that can be added to an existing object are all the
AUXILIARY ones, while considering what are effectively allowed implies getting
into value-dependent ACLs.

Some discussion can be found here (follow the thread)
<http://www.redhat.com/archives/fedora-directory-devel/2006-November/msg00000.html>
while portions of the schema definition have been taken from here
<http://www.redhat.com/archives/fedora-directory-devel/2006-August/msg00007.html>

p.
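As an added example (not the overlay's code and not from any of the thread's authors), the schema-driven computation the report recommends: a small parser for RFC 4512 objectClass descriptions over a constructed mini schema, which yields the required/optional split (encoded with the hypothetical ";x-required" / ";x-allowed" options floated in Followup 1) and the reading of allowedChildClasses offered in the report, i.e. the AUXILIARY classes not yet on the entry.

```python
import re

# Constructed mini subschema in RFC 4512 objectClass syntax (sample data, not the page's).
SCHEMA = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL MAY ( title $ ou $ l ) )",
    "( 1.3.6.1.1.1.2.0 NAME 'posixAccount' SUP top AUXILIARY "
    "MUST ( cn $ uid $ uidNumber $ gidNumber $ homeDirectory ) MAY ( loginShell $ gecos $ description ) )",
    "( 1.3.6.1.4.1.1466.344 NAME 'dcObject' SUP top AUXILIARY MUST dc )",
]

def _oidlist(desc, keyword):
    """Names following `keyword`: either a single name or a '( a $ b )' list."""
    m = re.search(r"\b%s\s+(\([^)]*\)|\S+)" % keyword, desc)
    if not m:
        return []
    return [t.strip() for t in m.group(1).strip("()").split("$") if t.strip()]

def parse_objectclass(desc):
    kind = re.search(r"\b(ABSTRACT|STRUCTURAL|AUXILIARY)\b", desc)
    return {
        "name": re.search(r"NAME\s+'([^']+)'", desc).group(1),
        "kind": kind.group(1) if kind else "STRUCTURAL",  # RFC 4512 default kind
        "sup": _oidlist(desc, "SUP"),
        "must": _oidlist(desc, "MUST"),
        "may": _oidlist(desc, "MAY"),
    }

def allowed_attributes(schema, object_classes):
    """Attributes the entry's objectClass values permit, split into required
    (MUST) and optional (MAY), following every SUP chain to the top."""
    classes = {oc["name"]: oc for oc in map(parse_objectclass, schema)}
    required, optional, seen = set(), set(), set()
    todo = list(object_classes)
    while todo:
        name = todo.pop()
        if name in seen:
            continue
        seen.add(name)
        oc = classes[name]          # unknown class raises KeyError: a schema violation
        required.update(oc["must"])
        optional.update(oc["may"])
        todo.extend(oc["sup"])
    return sorted(required), sorted(optional - required)

def allowed_attributes_with_options(schema, object_classes):
    """Hypothetical encoding with the ';x-required' / ';x-allowed' attribute
    options suggested in Followup 1 (not something the overlay emits)."""
    required, optional = allowed_attributes(schema, object_classes)
    return {"allowedAttributes;x-required": required,
            "allowedAttributes;x-allowed": optional}

def allowed_child_classes(schema, object_classes):
    """AUXILIARY classes that could still be added to the entry."""
    return sorted(oc["name"] for oc in map(parse_objectclass, schema)
                  if oc["kind"] == "AUXILIARY" and oc["name"] not in object_classes)
```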


Followup 1

Date: Fri, 3 Nov 2006 15:56:51 +0100 (CET)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: "Pierangelo Masarati" <ando@sys-net.it>
To: openldap-its@openldap.org
> This overlay provides simple support for allowedAttributes and
> allowedAttributesEffective, a (somewhat broken) AD feature that is
> intended to
> help GUIs into determining, based on the current objectClass values of an
> object, what attributes would comply with the schema (without distinction
> between "allowed" and "required"), by listing them in "allowedAttributes",

This could be made more useful by providing ";x-allowed" or ";x-required"
options to "allowedAttributes", so that GUI developers can easily handle
mandatory vs. optional fields.  However, I bet this would break existing
applications that make use of those attributes.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



Followup 2

Date: Sat, 08 Mar 2008 19:30:27 +0100
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support
 GUI interaction
I'd be interested to add support for something like this to my LDAP client.

BTW: I'd vote against ";x-allowed" or ";x-required" since a schema-aware 
client can already determine this in a non-proprietary way from the subschema.

The overlay's source is quite old. Does it still build with recent HEAD?

Ciao, Michael.



Followup 3

Date: Thu, 13 Mar 2008 11:46:06 +0100
From: Jonathan Clarke <jclarke@linagora.com>
To: michael@stroeder.com
Cc: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support GUI interaction
Hi,

michael@stroeder.com wrote:
> I'd be interested to add support for something like this to my LDAP client.
> 
> BTW: I'd vote against ";x-allowed" or ";x-required" since a schema-aware
> client can already determine this in a non-proprietary way from the subschema.
> 
> The overlay's source is quite old. Does it still build with recent HEAD?

I'm also interested in an overlay of this type. I started hacking into
it recently, and don't remember any problems getting it to build on HEAD
(a couple of months ago).

This was related to an implementation of Get Effective Rights [1], which
returns rights the current user has on each attribute in an object. I
had a preliminary working version, but it did not work as a control,
just returned extra attributes. Similarly, this would be useful to LDAP
GUI clients.

If you're interested, I could dig out the code.

[1] http://directory.fedoraproject.org/wiki/Get_Effective_Rights_Design
and
http://www.ietf.org/proceedings/01dec/I-D/draft-ietf-ldapext-acl-model-08.txt

Regards,
Jonathan

-- 
Jonathan Clarke

Cellule OSSA - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com



Followup 4

Date: Sat, 15 Aug 2009 02:18:24 +0200
From: Michael Ströder <michael@stroeder.com>
To: openldap-its@OpenLDAP.org
CC: ando@sys-net.it
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support
 GUI interaction
HI!

I've added support for 'allowedAttributesEffective' in web2ldap recently, which
works with AD. I tried this overlay but it seg faults with a recent OpenLDAP
version. Any chance to get this back on the radar?

Ciao, Michael.



Followup 5

Date: Sat, 15 Aug 2009 14:06:36 +0200 (CEST)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: masarati@aero.polimi.it
To: michael@stroeder.com
Cc: openldap-its@openldap.org
> HI!
>
> I've added support for 'allowedAttributesEffective' in web2ldap recently
> which
> works with AD. I tried this overlay but it seg faults with recent OpenLDAP
> version. Any chance to get this back on the radar?

Not *now*, possibly shortly.

p.



Followup 6

Date: Mon, 17 Aug 2009 11:05:17 +0200 (CEST)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: masarati@aero.polimi.it
To: michael@stroeder.com
Cc: openldap-its@openldap.org
> HI!
>
> I've added support for 'allowedAttributesEffective' in web2ldap recently
> which
> works with AD. I tried this overlay but it seg faults with recent OpenLDAP
> version. Any chance to get this back on the radar?

Michael,

I've built and tested my copy of allowed.c with HEAD and re24 and it works
as expected.  However, I might have modified it to keep pace with baseline
code evolution without resubmitting modifications.  I can't check right
now but I will.  If needed, I'll resubmit the modified code, so consider
it done.

The main reason I didn't put it directly in contrib/ is that at that time
I was considering the opportunity of packaging all contributions and
customizations intended for samba4 in something as self contained as
possible (in the end, supporting all samba4 related extensions may result
in stacking dozens of overlays, which may result in overhead and possibly
in incompatibilities, something we might need to deal with at some point).

However, as your interest seems to revitalize this feature, I see no
objection in putting it at least in contrib (if there's enough consensus).

p.



Followup 7

Date: Mon, 17 Aug 2009 11:08:44 +0200
From: Michael Ströder <michael@stroeder.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support
 GUI interaction
masarati@aero.polimi.it wrote:
>>
>> I've added support for 'allowedAttributesEffective' in web2ldap recently
>> which
>> works with AD. I tried this overlay but it seg faults with recent OpenLDAP
>> version. Any chance to get this back on the radar?
> 
> I've built and tested my copy of allowed.c with HEAD and re24 and it works
> as expected.  However, I might have modified it to keep pace with baseline
> code evolution without resubmitting modifications.  I can't check right
> now but I will.  If needed, I'll resubmit the modified code, so consider
> it done.
> 
> The main reason I didn't put it directly in contrib/ is that at that time
> I was considering the opportunity of packaging all contributions and
> customizations intended for samba4 in something as self contained as
> possible (in the end, supporting all samba4 related extensions may result
> in stacking dozens of overlays, which may result in overhead and possibly
> in incompatibilities, something we might need to deal with at some point).
> 
> However, as your interest seems to revitalize this feature, I see no
> objection in putting it at least in contrib (if there's enough consensus).

I'd highly appreciate finding a copy under contrib/. Other people I know also
have interest in that. Many thanks.

Ciao, Michael.



Followup 8

Date: Mon, 17 Aug 2009 11:31:23 +0200
From: Jonathan Clarke <jonathan@phillipoux.net>
To: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support GUI interaction
On 17/08/2009 11:09, michael@stroeder.com wrote:
> masarati@aero.polimi.it wrote:
>>>
>>> I've added support for 'allowedAttributesEffective' in web2ldap recently
>>> which
>>> works with AD. I tried this overlay but it seg faults with recent OpenLDAP
>>> version. Any chance to get this back on the radar?
>>
>> I've built and tested my copy of allowed.c with HEAD and re24 and it works
>> as expected.  However, I might have modified it to keep pace with baseline
>> code evolution without resubmitting modifications.  I can't check right
>> now but I will.  If needed, I'll resubmit the modified code, so consider
>> it done.
>>
>> The main reason I didn't put it directly in contrib/ is that at that time
>> I was considering the opportunity of packaging all contributions and
>> customizations intended for samba4 in something as self contained as
>> possible (in the end, supporting all samba4 related extensions may result
>> in stacking dozens of overlays, which may result in overhead and possibly
>> in incompatibilities, something we might need to deal with at some point).
>>
>> However, as your interest seems to revitalize this feature, I see no
>> objection in putting it at least in contrib (if there's enough consensus).
>
> I'd highly appreciate to find copy under contrib/. Other people I know also
> have interest in that. Many thanks.

Absolutely, I for one am very interested. Looking forward to it :)

Jonathan



Followup 9

Date: Tue, 18 Aug 2009 00:29:19 +0200 (CEST)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: masarati@aero.polimi.it
To: michael@stroeder.com
Cc: openldap-its@openldap.org
>> HI!
>>
>> I've added support for 'allowedAttributesEffective' in web2ldap recently
>> which
>> works with AD. I tried this overlay but it seg faults with recent
>> OpenLDAP
>> version. Any chance to get this back on the radar?
>
> Michael,
>
> I've built and tested my copy of allowed.c with HEAD and re24 and it works
> as expected.  However, I might have modified it to keep pace with baseline
> code evolution without resubmitting modifications.

My version was indeed rather modified, that's why it worked.  It's now in
HEAD's contrib/slapd-modules/allowed/.  It builds fine with HEAD and re24;
it should also build with OL 2.3, although I haven't checked in a while. 
Please test and report.

p.





Followup 10

Date: Tue, 18 Aug 2009 14:20:02 +0200
From: Michael Ströder <michael@stroeder.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support
 GUI interaction

masarati@aero.polimi.it wrote:
>>> HI!
>>>
>>> I've added support for 'allowedAttributesEffective' in web2ldap recently
>>> which
>>> works with AD. I tried this overlay but it seg faults with recent
>>> OpenLDAP
>>> version. Any chance to get this back on the radar?
>>
>> I've built and tested my copy of allowed.c with HEAD and re24 and it works
>> as expected.  However, I might have modified it to keep pace with baseline
>> code evolution without resubmitting modifications.
> 
> My version was indeed rather modified, that's why it worked.  It's now in
> HEAD's contrib/slapd-modules/allowed/.  It builds fine with HEAD and re24;
> it should also build with OL 2.3, although I haven't checked in a while. 
> Please test and report.

I've created a simple Makefile derived from the one for slapo-smbk5pwd for
this, which I'd like to contribute if appropriate. Please review. I grant *all*
rights to the OpenLDAP project.

Now for the concrete testing:

In principle it works. That's great!

There's a special corner-case:
If the user bound (e.g. anonymous in my test configuration) has no write
access to any attribute, an empty attribute value list is returned for
'allowedAttributesEffective'. Indeed this is helpful since my web2ldap can
then distinguish between this attribute being not available at all or no
attributes are allowed to be written. But I'm not sure whether that complies
with the LDAP data model. What do you think?

Ciao, Michael.

Attached file: Makefile

# $OpenLDAP: pkg/ldap/contrib/slapd-modules/allowed/Makefile,v 1.3 2009/08/16 20:55:27 kurt Exp $
# This work is part of OpenLDAP Software <http://www.openldap.org/>.
#
# Copyright 1998-2009 The OpenLDAP Foundation.
# Copyright 2004 Howard Chu, Symas Corp. All Rights Reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted only as authorized by the OpenLDAP
# Public License.
#
# A copy of this license is available in the file LICENSE in the
# top-level directory of the distribution or, alternatively, at
# <http://www.OpenLDAP.org/license.html>.

PREFIX=/opt/openldap-HEAD

LIBTOOL=../../../libtool
OPT=-g -O2
CC=gcc

DEFS=-DSLAPD_OVER_ALLOWED=SLAPD_MOD_DYNAMIC

LDAP_INC=-I../../../include -I../../../servers/slapd
INCS=$(LDAP_INC)

LDAP_LIB=-lldap_r -llber -L../../../lib
LDAP_LIB=
LIBS=$(LDAP_LIB)

all:	allowed.la


allowed.lo:	allowed.c
	$(LIBTOOL) --mode=compile $(CC) $(OPT) $(DEFS) $(INCS) -c $?

allowed.la:	allowed.lo
	$(LIBTOOL) --mode=link $(CC) $(OPT) -version-info 0:0:0 \
	-rpath $(PREFIX)/lib -module -o $@ $? $(LIBS)

clean:
	rm -f allowed.o allowed.lo allowed.la

install: allowed.la
	mkdir -p $(PREFIX)/libexec/openldap
	$(LIBTOOL) --mode=install cp allowed.la $(PREFIX)/libexec/openldap
	$(LIBTOOL) --finish $(PREFIX)/libexec/openldap




Followup 11

Date: Tue, 18 Aug 2009 14:24:43 +0200 (CEST)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: masarati@aero.polimi.it
To: Michael Ströder <michael@stroeder.com>
Cc: openldap-its@openldap.org
> I've created a simple Makefile derived from the one for slapo-smbk5pwd for
> this I'd like to contribute if appropriate. Please review. I grant *all*
> rights to the OpenLDAP project.
>
> Now for the concrete testing:
>
> In principle it works. That's great!
>
> There's a special corner-case:
> If the user bound (e.g. anonymous in my test configuration) has no write
> access to any attribute an empty attribute value list is returned for
> 'allowedAttributesEffective'.

You mean an instance of the allowedAttributesEffective with the empty
value?  I'm not seeing anything like that.

> Indeed this is helpful since my web2ldap can
> then distinguish between this attribute being not available at all or no
> attributes are allowed to be written. But I'm not sure whether that
> complies with the LDAP data model. What do you think?

In any case, I'd consider it an error, which deserves to be fixed.

p.



Followup 12

Date: Tue, 18 Aug 2009 14:31:04 +0200 (CEST)
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
From: masarati@aero.polimi.it
To: michael@stroeder.com
Cc: openldap-its@openldap.org
> You mean an instance of the allowedAttributesEffective with the empty
> value?  I'm not seeing anything like that.

Actually, I confirm I didn't see anything like that, but there was a bug:
the attribute was being added regardless of having any value, and the
a_numvals field was not being filled in any case.  Fixing...

p.



Followup 13

Date: Tue, 18 Aug 2009 14:35:01 +0200
From: Michael Ströder <michael@stroeder.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to support GUI interaction
masarati@aero.polimi.it wrote:
> Michael Ströder wrote:
>> There's a special corner-case:
>> If the user bound (e.g. anonymous in my test configuration) has no write
>> access to any attribute an empty attribute value list is returned for
>> 'allowedAttributesEffective'.
> 
> You mean an instance of the allowedAttributesEffective with the empty
> value?

Yes. Here's the python-ldap trace log:
Note the 'allowedAttributesEffective': [] in the result.

I can also enable the OpenLDAP debug log if that would be more evidence for you.

---------------------------- snip ----------------------------
*** ldap://localhost:2071 - LDAPObject.search_ext
(('ou=schulung,dc=stroeder,dc=local', 0, '(objectClass=*)',
['hasSubordinates', 'entryCSN', 'tokenGroupsGlobalAndUniversal',
'localEntryID', 'createTimestamp', 'uSNCreated', 'fromEntry',
'administrativeRole', 'structuralObjectClass', 'mS-DS-CreatorSID',
'msDS-Approx-Immed-Subordinates', 'nsAccountLock', 'authzTo',
'nsLookthroughLimit', 'GUID', 'authzFrom', '*', 'passwordExpWarned',
'whenChanged', 'modifiersName', 'isMemberOf', 'sDRightsEffective',
'governingStructureRule', 'primaryGroupToken', 'pwdPolicySubentry',
'accountUnlockTime', 'passwordHistory', 'subordinateCount',
'allowedAttributesEffective', 'creatorsName', 'entryUUID', 'aclentry',
'uSNChanged', 'tokenGroupsNoGCAcceptable', 'entryDN', 'passwordRetryCount',
'tokenGroups', 'passwordExpirationTime', 'aci', 'passwordAllowChangeTime',
'whenCreated', 'retryCountResetTime', 'canonicalName', 'entryUSN',
'subschemaSubentry', 'numSubordinates', 'modifyTimestamp'], 0, [], None, 300,
0),{})
=> result: 13
*** ldap://localhost:2071 - LDAPObject.result3 ((13, 1, 300),{})
=> result: (101, [('ou=schulung,dc=stroeder,dc=local', {'hasSubordinates':
['TRUE'], 'entryCSN': ['20090818120115.850129Z#000000#000#000000'],
'objectClass': ['organizationalUnit'], 'creatorsName':
['uid=diradm,ou=schulung,dc=stroeder,dc=local'], 'entryUUID':
['d0ed3070-150d-4a5a-bec3-5c21e78c31c3'], 'allowedAttributesEffective': [],
'modifiersName': ['uid=diradm,ou=schulung,dc=stroeder,dc=local'],
'createTimestamp': ['20090818120115Z'], 'entryDN':
['ou=schulung,dc=stroeder,dc=local'], 'subschemaSubentry': ['cn=Subschema'],
'structuralObjectClass': ['organizationalUnit'], 'ou': ['schulung'],
'modifyTimestamp': ['20090818120115Z']})], 13, [])
---------------------------- snip ----------------------------

>  I'm not seeing anything like that.

At which level?

>> Indeed this is helpful since my web2ldap can
>> then distinguish between this attribute being not available at all or no
>> attributes are allowed to be written. But I'm not sure whether that
>> complies with the LDAP data model. What do you think?
> 
> In any case, I'd consider it an error, which deserves to be fixed.

If you fix it by hunking out the empty values list, the distinction within
web2ldap would then be to look at the schema and decide whether
allowedAttributesEffective is available. I can see that the attribute type
description of allowedAttributesEffective is hard-coded in allowed.c, so that
seems fairly reliable to me.

Ciao, Michael.



Followup 14

Date: Tue, 18 Aug 2009 14:44:41 +0200
From: Michael Ströder <michael@stroeder.com>
To: masarati@aero.polimi.it
CC: openldap-its@openldap.org
Subject: Re: (ITS#4730) Overlay that generates operational attributes to 
     support GUI interaction
masarati@aero.polimi.it wrote:
>> You mean an instance of the allowedAttributesEffective with the empty
>> value?  I'm not seeing anything like that.
> 
> Actually, I confirm I didn't see anything like that, but there was a bug:
> the attribute was being added regardless of having any value, and the
> a_numvals field was not being filled in any case.  Fixing...

Yupp, that seems right now.

Ciao, Michael.
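An added example, not code from allowed.c: a toy, value-independent ACL evaluator (constructed rules in the spirit of slapd's "access to attrs=... by <who> <level>" clauses, not slapd's real engine) that derives allowedAttributesEffective per bound identity, and mirrors the fix from Followup 12: when nothing is writable no attribute is built at all, and the value count is always set. Being value-independent is exactly why the result is only a hint under value-dependent ACLs, as the report says.

```python
# slapd access levels, weakest to strongest (order matters for the comparison below).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]

# Constructed rules: (set of attrs or None for the catch-all clause, ordered "by" list).
# As in slapd, the first matching clause and its first matching <who> decide.
ACL = [
    ({"userPassword"},
     [("self", "write"), ("dn:cn=admin,dc=example,dc=com", "write"),
      ("anonymous", "auth"), ("*", "none")]),
    ({"description", "telephoneNumber", "title"},
     [("self", "write"), ("*", "read")]),
    (None,
     [("dn:cn=admin,dc=example,dc=com", "write"), ("users", "read"), ("*", "none")]),
]

# Constructed allowedAttributes list for the entry under test (sample data).
ALLOWED = ["cn", "sn", "objectClass", "userPassword", "description", "telephoneNumber", "title"]

def subject_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    if who == "users":
        return bound_dn is not None
    if who == "anonymous":
        return bound_dn is None
    if who.startswith("dn:"):
        return bound_dn is not None and bound_dn.lower() == who[3:].lower()
    raise ValueError("unsupported <who> form: %s" % who)

def access_level(acl, attr, bound_dn, entry_dn):
    """Level the bound identity has on `attr` of `entry_dn`, ignoring values."""
    for attrs, by in acl:
        if attrs is None or attr in attrs:
            for who, level in by:
                if subject_matches(who, bound_dn, entry_dn):
                    return level
            return "none"   # clause matched but no <who> did: evaluation stops
    return "none"

def build_attribute(name, values):
    """The fixed behaviour: no values means no attribute, and the value
    count is filled in whenever an attribute is built."""
    if not values:
        return None
    return {"a_desc": name, "a_vals": list(values), "a_numvals": len(values)}

def allowed_attributes_effective(acl, allowed, bound_dn, entry_dn):
    """allowedAttributesEffective for one connection, or None if it must be omitted."""
    writable = [a for a in sorted(allowed)
                if LEVELS.index(access_level(acl, a, bound_dn, entry_dn))
                >= LEVELS.index("write")]
    return build_attribute("allowedAttributesEffective", writable)
```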


The OpenLDAP Issue Tracking System uses a hacked version of JitterBug

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org