OpenLDAP
Viewing Contrib/4656

From: ettore.simone@gmail.com
Subject: Enhancement: again on Netscape style changelog

Date: Wed, 30 Aug 2006 15:20:03 GMT
From: ettore.simone@gmail.com
To: openldap-its@OpenLDAP.org
Subject: Enhancement: again on Netscape style changelog
Full_Name: Ettore Simone
Version: CVS HEAD
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/server-slapd-overlays-accesslog-0.4.patch
Submission from: (NULL) (82.91.99.165)


I know about the better way using the new accesslog structure, but the old
changelog method is still used by commercial products like Oracle Internet
Directory, Novell eDirectory and others, usually to perform Identity Management
operations.

The old style changelog simplifies the integration and performs better in
synchronizations compared to optimized full searches.

I'll provide a patch (server-slapd-overlays-accesslog-0.4.patch) that lets you
choose the style of logging (logstyle accesslog|changelog, with accesslog as
default) and that follows the directives published as a draft by IETF and named
draft-good-ldap-changelog-04.

In the hope it could be useful. My best regards,
Ettore Simone


Followup 1

Date: Wed, 30 Aug 2006 19:23:42 +0200
From: "Ettore Simone" <ettore.simone@gmail.com>
To: "Pierangelo Masarati" <openldap-its@openldap.org>
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

Thanks to you for your great job.

On 8/30/06, Pierangelo Masarati <openldap-its@openldap.org> wrote:
>
> Thanks for the contribution.  As soon as the IPR and related stuff are
> checked and approved, I'd take care of integrating your patch into HEAD code.
>
> I have a few questions:
>
> - what client software did you check your patch with?

I played with Novell IDM2, Novell IM3 and with Sun One Directory 5 (based on
Netscape).

> - as far as I remember, some implementations also take care of noting
> firstChangeNumber and lastChangeNumber in the rootDSE, along with the
> changeLog attribute indicating what naming context is holding the logs.
> I wonder if their absence, although not described in
> draft-good-ldap-changelog-04, would impact interoperability with clients
> making use of the changelog approach.

I know that firstChangeNumber and lastChangeNumber are used by IBM Tivoli
Directory Server, I'm not sure if it's used in OID or other. I'm sure it's
not used in eDirectory.
In eDirectory with IDM the last changeNumber is stored in its ldap object
(which represents the connection to the ldap). In case of its absence they
start from 0.
If their absence compromises the integration with IBM Tivoli, or other
clients, it could be added in a second stage I suppose.

> - could you provide a patch for the man page?  We could either use the code
> as is, adding the related parts to slapo-accesslog(5), or register the
> overlay twice, one as "accesslog" and one as "changelog", and let slapd
> determine the style and the configuration syntax based on the overlay's
> name.  In this case, a slapo-changelog(5) man page would be more appropriate.

As you prefer. I can provide both man pages.
I don't know much about how to register the same overlay twice with
different names. Can you point me to some example of this?

Regards,
Ettore Simone



Followup 2

Date: Wed, 30 Aug 2006 19:36:16 +0200
From: "Ettore Simone" <ettore.simone@gmail.com>
To: "Pierangelo Masarati" <openldap-its@openldap.org>
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
I forgot to mention that the rootDSE changeLog entry is just provided
in the patch supplied.



Followup 3

Date: Sat, 02 Sep 2006 05:06:26 -0700
From: Howard Chu <hyc@symas.com>
To: ettore.simone@gmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
To Ando as well - be very careful with this. As noted in my accesslog 
draft, the changelog spec has some major security weaknesses, along with 
the rest of its shortcomings.

ettore.simone@gmail.com wrote:
> I forgot to mention that the rootDSE changeLog entry is just provided
> in the patch supplied.

-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   OpenLDAP Core Team            http://www.openldap.org/project/



Followup 4

Date: Sat, 02 Sep 2006 14:50:46 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
hyc@symas.com wrote:
> To Ando as well - be very careful with this. As noted in my accesslog 
> draft, the changelog spec has some major security weaknesses, along with 
> the rest of its shortcomings.
>   
I think I'm aware of all those issues.  One major point for spending 
some time on this issue is that I happen to need to support a few clients 
that want to use this feature.  I'll do my best to persuade the 
implementors of those clients that supporting content synchronization 
and/or accesslog as currently implemented in OpenLDAP is way much 
better, but unfortunately I have no control on that, and it's very 
unlikely that they will, based on the usual refrain "changelog is the de 
facto standard" or things like that.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



Followup 5

Date: Sat, 02 Sep 2006 15:07:16 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
ando@sys-net.it wrote:
> hyc@symas.com wrote:
>> To Ando as well - be very careful with this. As noted in my accesslog 
>> draft, the changelog spec has some major security weaknesses, along with 
>> the rest of its shortcomings.
>
> I think I'm aware of all those issues.  One major point for spending 
> some time on this issue is that I happen to need to support a few clients 
> that want to use this feature.  I'll do my best to persuade the 
> implementors of those clients that supporting content synchronization 
> and/or accesslog as currently implemented in OpenLDAP is way much 
> better, but unfortunately I have no control on that, and it's very 
> unlikely that they will, based on the usual refrain "changelog is the de 
> facto standard" or things like that.
>   
I agree that implementing that spec means contributing to keeping it 
alive, but the point is that I have to face closed source 
products which claim to support it and explicitly state in their 
documentation that they "can interoperate with: Netscape/iPlanet/Sun 
ONE; Active Directory; Lotus Domino; Exchange, while interoperability 
with OpenLDAP is not possible because it cannot store changes into the 
changelog", which we know is not only incorrect, but also false: 
OpenLDAP provides better native (although coded into an open 
specification: RFC4533) means to synchronize than simply storing changes 
into a changelog.  Moreover, it provides native (although coded into an 
open specification: draft-chu-ldap-logschema) means to inform clients 
about modifications.  But many client implementors seem to willingly 
ignore this, so I need to keep supporting obsoleted de facto standard 
stuff, which, by the way, doesn't even agree with the contents of 
preliminary attempts to specify them in an open manner (see 
Netscape/iPlanet/Sun ONE, now Fedora DS "retroplugin" as opposed to 
draft-good-ldap-changelog)!

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



Followup 6

Date: Mon, 04 Sep 2006 10:26:17 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: ettore.simone@gmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
I've placed a reworked patch into the ITS at 
<ftp://ftp.openldap.org/incoming/changelog-pm-2006-09-04.patch>

Basically, there were a few concurrency issues when increasing the 
changeNumber plus minor cleanup.  I also renamed functions specific to 
the changelog feature prepending "changelog_" instead of "accesslog_", 
to make clear what's specific and what's not.  Finally, I started 
integrating some of the stuff that Neil Dunbar submitted as ITS#3953 
(right now, the schema and the presentation of 
{first,last}ChangeNumber).  Right now, this is optional and mimics what is 
done by FDS, i.e. the numbers are published in the root DSE (which makes 
very little sense; even publishing the changeLog attribute in the root 
DSE is nonsense to me!) rather than in the suffix entry of the changelog 
itself.  Consider this a work in progress, though.

Please test. p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



Followup 7

Subject: Re: (ITS#4656) Enhancement: again on Netscape style changelog
Date: Mon, 5 Feb 2007 13:34:30 +0100
From: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
To: <openldap-its@OpenLDAP.org>
Cc: <ettore.simone@gmail.com>
Great work! I submitted a patch to update the old overlay of Neil Dunbar to
OpenLDAP 2.3. It works for our identity management (using Novell IDM 3.01) -
see ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would
like to ask whether this patch (ITS#4656) is likely to be accepted in the
near future. In this case I won't maintain a separate overlay. But it
doesn't seem to be in HEAD, for now?

--
Best regards

Sebastian Rieger

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Fassberg - 37077 Göttingen
Phone: +49 551 201 1878 -- Fax: +49 551 201 2150

The digital signature of this mail can be verified using the DFN
certificate: https://ca.gwdg.de/certs/root-classic/root-ca-cert.der




Followup 8

Date: Tue, 13 Feb 2007 03:20:06 -0800
From: Howard Chu <hyc@symas.com>
To: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
CC: "Heuer, Konrad" <kheuer@gwdg.de>, ando@OpenLDAP.org,
        openldap-its@OpenLDAP.org
Subject: Re: ITS#4656  OpenLDAP accesslog overlay using "changelog dialect"
Hi,
   I have not been paying attention to these changes since Ando was working 
on them. You'll have to ask him for their update status.

Since you've already posted a query to the ITS, I think that would be the 
appropriate place to continue the conversation.

Looking over the ITS just now, I would say the tweak to register the 
changelog overlay type is unnecessary. Nor can you fairly deprecate the 
LogStyle parameter, since that appears to be the only way to invoke the 
SunOne workaround.

All in all I understand your motivations for pursuing this feature. Despite 
my dislike for broken specs and broken code, I will not prevent this patch 
from going in. But you should realize that wrong is wrong, and just because 
Novell, Sun, and Oracle software is broken doesn't mean we should be broken 
too. There are other IdM packages out there.

Rieger, Sebastian wrote:
> Hi,
> 
> I submitted a patch to update the old overlay of Neil Dunbar to OpenLDAP
> 2.3. It works for our identity management (using Novell IDM 3.01) - see
> ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would like
> to ask whether the patch to your accesslog that offers changelog
> functionality (ITS#4656) is likely to be committed to CVS HEAD in the near
> future. In this case I won't maintain a separate overlay. Thanks in advance
> for a quick reply, we really need changelog functionality as Novell, Sun and
> Oracle seem to depend on it.
> 
> --
> Best regards
> 
> Sebastian Rieger
> 
> Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
> Am Fassberg - 37077 Göttingen
> Phone: +49 551 201 1878 -- Fax: +49 551 201 2150
> 
> The digital signature of this mail can be verified using the DFN
> certificate: https://ca.gwdg.de/certs/root-classic/root-ca-cert.der
> 


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/



Followup 9

Subject: AW: ITS#4656  OpenLDAP accesslog overlay using "changelog dialect"
Date: Tue, 13 Feb 2007 12:31:21 +0100
From: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
To: "Howard Chu" <hyc@symas.com>
Cc: "Heuer, Konrad" <kheuer@gwdg.de>, <ando@OpenLDAP.org>,
        <openldap-its@OpenLDAP.org>
Thanks for the quick reply, I'd continue the conversation with Ando and via
ITS, thanks for putting them on CC:. Can you name the IdM packages you refer
to, that implement a replication mechanism that is compatible with OpenLDAP?
We tested:

- Microsoft Identity Integration Server: only flat-file LDAP support (using
  LDIF) (until Gemini version ~2008) - no replication, just full
  synchronization
- Siemens DirX: using a full search over all objects (Novell Identity
  Manager can do so as well, but you're unable to detect moved objects then, as
  it looks like a delete and add of the object, and performance is low, as for
  every sync cycle a full search over the tree is necessary)

Oracle and Sun using changelog were already mentioned...

Maybe IBM? or do you refer to the meta backend module for OpenLDAP?

Thanks in advance for the advice...

--
Best regards

Sebastian Rieger

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Fassberg - 37077 Göttingen
Phone: +49 551 201 1878 -- Fax: +49 551 201 2150

The digital signature of this mail can be verified using the DFN
certificate: https://ca.gwdg.de/certs/root-classic/root-ca-cert.der




Followup 10

Date: Tue, 13 Feb 2007 03:34:28 -0800
From: Howard Chu <hyc@symas.com>
To: openldap-its@openldap.org
Subject: Re: ITS#4656  OpenLDAP accesslog overlay using "changelog dialect"
hyc@symas.com wrote:

> All in all I understand your motivations for pursuing this feature. Despite 
> my dislike for broken specs and broken code, I will not prevent this patch 
> from going in. But you should realize that wrong is wrong, and just because 
> Novell, Sun, and Oracle software is broken doesn't mean we should be broken 
> too. There are other IdM packages out there.

While this is hardly the place for commercial endorsements, I should note 
that while Neil Dunbar wrote that changelog overlay for HP's purposes, we 
(Symas) convinced HP to adopt the accesslog format instead and HP does not 
rely on the changelog any more. If you're looking for software that actually 
conforms to open specs with some degree of technical merit, you might 
consider looking there, if you can't convince your current vendors to fix 
their products.

> Rieger, Sebastian wrote:
>> Hi,
>>
>> I submitted a patch to update the old overlay of Neil Dunbar to OpenLDAP
>> 2.3. It works for our identity management (using Novell IDM 3.01) - see
>> ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would like
>> to ask whether the patch to your accesslog that offers changelog
>> functionality (ITS#4656) is likely to be committed to CVS HEAD in the near
>> future. In this case I won't maintain a separate overlay. Thanks in advance
>> for a quick reply, we really need changelog functionality as Novell, Sun and
>> Oracle seem to depend on it.


-- 
   -- Howard Chu
   Chief Architect, Symas Corp.  http://www.symas.com
   Director, Highland Sun        http://highlandsun.com/hyc
   Chief Architect, OpenLDAP     http://www.openldap.org/project/



Followup 11

Date: Tue, 13 Feb 2007 12:44:37 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: ITS#4656  OpenLDAP accesslog overlay using "changelog dialect"
hyc@symas.com wrote:
> Hi,
>    I have not been paying attention to these changes since Ando was working 
> on them. You'll have to ask him for their update status.

Sorry for overlooking your previous message.  Yes, I'm keeping that patch
sort of updated, but keeping it in sync with HEAD was a pain due to the
many changes that occurred in that code.  I'm not sure it's ready for
commit right now, and I'm not sure it works as intended, given the lack
of specs (every implementor seems to have their own idea of how that's
supposed to work, and willing to interoperate, despite claims, seems to
be their last concern).  Preserving compatibility with re23 might not be
an option, and I don't think we want that stuff to go in re23 right now.

> Since you've already posted a query to the ITS, I think that would be the 
> appropriate place to continue the conversation.
> 
> Looking over the ITS just now, I would say the tweak to register the 
> changelog overlay type is unnecessary. Nor can you fairly deprecate the 
> LogStyle parameter, since that appears to be the only way to invoke the 
> SunOne workaround.
> 
> All in all I understand your motivations for pursuing this feature. Despite 
> my dislike for broken specs and broken code, I will not prevent this patch 
> from going in. But you should realize that wrong is wrong, and just because 
> Novell, Sun, and Oracle software is broken doesn't mean we should be broken 
> too. There are other IdM packages out there.

I'll be committing something workable soon.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------



Reply 1

From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: ettore.simone@gmail.com
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
Date: Wed Aug 30 16:47:20 2006
> I know about the better way using the new accesslog structure, but the old
> changelog method is still used by commercial products like Oracle Internet
> Directory, Novell eDirectory and others, usually to perform Identity
> Management operations.
> 
> The old style changelog simplifies the integration and performs better in
> synchronizations compared to optimized full searches.
> 
> I'll provide a patch (server-slapd-overlays-accesslog-0.4.patch) that lets
> you choose the style of logging (logstyle accesslog|changelog, with
> accesslog as default) and that follows the directives published as a draft
> by IETF and named draft-good-ldap-changelog-04.

Thanks for the contribution.  As soon as the IPR and related stuff are checked
and approved, I'd take care of integrating your patch into HEAD code.

I have a few questions:

- what client software did you check your patch with?

- as far as I remember, some implementations also take care of noting
firstChangeNumber and lastChangeNumber in the rootDSE, along with the changeLog
attribute indicating what naming context is holding the logs.  I wonder if their
absence, although not described in draft-good-ldap-changelog-04, would impact
interoperability with clients making use of the changelog approach.

- could you provide a patch for the man page?  We could either use the code as
is, adding the related parts to slapo-accesslog(5), or register the overlay
twice, one as "accesslog" and one as "changelog", and let slapd determine the
style and the configuration syntax based on the overlay's name.  In this case, a
slapo-changelog(5) man page would be more appropriate.

p.


Reply 2

From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: ettore.simone@gmail.com
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
Date: Wed Aug 30 17:46:25 2006
> I forgot to mention that the rootDSE changeLog entry is just provided
> in the patch supplied.

Yes, I've noticed it, thanks.  I've already reworked the code to take care of
registering with two names.  I'm doing some cleanup of the back-config stuff to
prevent reconfiguring a running database from accesslog to changelog mode and
the like; I'll take care of those details.  Right now, to select the changelog
mode, you can simply use

overlay changelog
log* ...

the rest is much like accesslog.  In any case, I think we can plainly add a
comment to slapo-accesslog(5) which states that by invoking the overlay as
"changelog" the changelog mode is used.

At a first glance, all the functionalities seem to be there as expected; now
I'm looking for something to test it with, I'll likely be back by the end of the
week.

     -- o --- o --

Kurt,

please check the IPR and see if I can go along with committing the changes. 
Also, I guess it'd be nice to add draft-good-ldap-changelog to the package,
right?

p.
