Contrib/4656
Notes: See ITS#3953

Date: Wed, 30 Aug 2006 15:20:03 GMT
From: ettore.simone@gmail.com
To: openldap-its@OpenLDAP.org
Subject: Enhancement: again on Netscape style changelog

Full_Name: Ettore Simone
Version: CVS HEAD
OS: GNU/Linux
URL: ftp://ftp.openldap.org/incoming/server-slapd-overlays-accesslog-0.4.patch
Submission from: (NULL) (82.91.99.165)

I know about the better way using the new accesslog structure, but the old changelog method is still used by commercial products like Oracle Internet Directory, Novell eDirectory and others, usually to perform Identity Management operations.

The old style changelog simplifies the integration and performs better in synchronizations compared to optimized full searches.

I'll provide a patch (server-slapd-overlays-accesslog-0.4.patch) that lets you choose the style of logging (logstyle accesslog|changelog, with accesslog as default) and that follows the directives published as draft by IETF and named draft-good-ldap-changelog-04.

In the hope it could be useful.

My best regards,
Ettore Simone

From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: ettore.simone@gmail.com
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
Date: Wed Aug 30 16:47:20 2006

> I know about the better way using the new accesslog structure, but the old
> changelog method is still used by commercial products like Oracle Internet
> Directory, Novell eDirectory and others, usually to perform Identity Management
> operations.
>
> The old style changelog simplifies the integration and performs better in
> synchronizations compared to optimized full searches.
>
> I'll provide a patch (server-slapd-overlays-accesslog-0.4.patch) that lets you choose
> the style of logging (logstyle accesslog|changelog, with accesslog as default)
> and that follows the directives published as draft by IETF and named
> draft-good-ldap-changelog-04.

Thanks for the contribution. As soon as the IPR and related stuff are checked and approved, I'd take care of integrating your patch into HEAD code.

I have a few questions:

- what client software did you check your patch with?

- as far as I remember, some implementations also take care of noting firstChangeNumber and lastChangeNumber in the rootDSE, along with the changeLog attribute indicating what naming context is holding the logs. I wonder if their absence, although not described in draft-good-ldap-changelog-04, would impact interoperability with clients making use of the changelog approach.

- could you provide a patch for the man page? We could either use the code as is, adding the related parts to slapo-accesslog(5), or register the overlay twice, one as "accesslog" and one as "changelog", and let slapd determine the style and the configuration syntax based on the overlay's name. In this case, a slapo-changelog(5) man page would be more appropriate.

p.

Date: Wed, 30 Aug 2006 19:23:42 +0200
From: "Ettore Simone" <ettore.simone@gmail.com>
To: "Pierangelo Masarati" <openldap-its@openldap.org>
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

Thanks to you for your great job.

On 8/30/06, Pierangelo Masarati <openldap-its@openldap.org> wrote:
>
> Thanks for the contribution. As soon as the IPR and related stuff are checked
> and approved, I'd take care of integrating your patch into HEAD code.
>
> I have a few questions:
>
> - what client software did you check your patch with?

I played with Novell IDM2, Novell IM3 and with Sun One Directory 5 (based on Netscape).

> - as far as I remember, some implementations also take care of noting
> firstChangeNumber and lastChangeNumber in the rootDSE, along with the changeLog
> attribute indicating what naming context is holding the logs. I wonder if their
> absence, although not described in draft-good-ldap-changelog-04, would impact
> interoperability with clients making use of the changelog approach.

I know that firstChangeNumber and lastChangeNumber are used by IBM Tivoli Directory Server, I'm not sure if it's used in OID or other. I'm sure it's not used in eDirectory.
In eDirectory with IDM the last changeNumber is stored in its ldap object (which represents the connection to the ldap). In case of its absence they start from 0.
If their absence compromises the integration with IBM Tivoli, or other clients, it could be added in a second stage I suppose.

> - could you provide a patch for the man page? We could either use the code as
> is, adding the related parts to slapo-accesslog(5), or register the overlay
> twice, one as "accesslog" and one as "changelog", and let slapd determine the
> style and the configuration syntax based on the overlay's name. In this case, a
> slapo-changelog(5) man page would be more appropriate.
>

As you prefer. I can provide both man pages.
I don't know much about how to register the same overlay twice with different names. Can you point me to some example of this?

Regards,
Ettore Simone

Date: Wed, 30 Aug 2006 19:36:16 +0200
From: "Ettore Simone" <ettore.simone@gmail.com>
To: "Pierangelo Masarati" <openldap-its@openldap.org>
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

I forgot to mention that the rootDSE changeLog entry is just provided in the patch supplied.

From: Pierangelo Masarati <openldap-its@OpenLDAP.org>
To: ettore.simone@gmail.com
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)
Date: Wed Aug 30 17:46:25 2006

> I forgot to mention that the rootDSE changeLog entry is just provided
> in the patch supplied.

Yes, I've noticed it, thanks. I've already reworked the code to take care of registering with two names. I'm doing some cleanup of the back-config stuff to prevent reconfiguring a running database from accesslog to changelog mode and the like; I'll take care of those details. Right now, to select the changelog mode, you can simply use

    overlay changelog
    log* ...

the rest is much like accesslog. In any case, I think we can plainly add a comment to slapo-accesslog(5) which states that by invoking the overlay as "changelog" the changelog mode is used.

At a first glance, all the functionalities seem to be there as expected; now I'm looking for something to test it with, I'll likely be back by the end of the week.

-- o --- o --

Kurt, please check the IPR and see if I can go along with committing the changes. Also, I guess it'd be nice to add draft-good-ldap-changelog to the package, right?

p.

Date: Sat, 02 Sep 2006 05:06:26 -0700
From: Howard Chu <hyc@symas.com>
To: ettore.simone@gmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

To Ando as well - be very careful with this. As noted in my accesslog draft, the changelog spec has some major security weaknesses, along with the rest of its shortcomings.

ettore.simone@gmail.com wrote:
> I forgot to mention that the rootDSE changeLog entry is just provided
> in the patch supplied.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Date: Sat, 02 Sep 2006 14:50:46 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

hyc@symas.com wrote:
> To Ando as well - be very careful with this. As noted in my accesslog
> draft, the changelog spec has some major security weaknesses, along with
> the rest of its shortcomings.
>

I think I'm aware of all those issues. One major point for spending some time on this issue is that I happen to need to support a few clients that want to use this feature. I'll do my best to persuade the implementors of those clients that supporting content synchronization and/or accesslog as currently implemented in OpenLDAP is way much better, but unfortunately I have no control on that, and it's very unlikely that they will, based on the usual refrain "changelog is the de facto standard" or things like that.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   pierangelo.masarati@sys-net.it
------------------------------------------

Date: Sat, 02 Sep 2006 15:07:16 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

ando@sys-net.it wrote:
> hyc@symas.com wrote:
>
>> To Ando as well - be very careful with this. As noted in my accesslog
>> draft, the changelog spec has some major security weaknesses, along with
>> the rest of its shortcomings.
>>
> I think I'm aware of all those issues. One major point for spending
> some time on this issue is that I happen to need supporting few clients
> that want to use this feature. I'll do my best to persuade the
> implementors of those clients that supporting content synchronization
> and/or accesslog as currently implemented in OpenLDAP is way much
> better, but unfortunately I have no control on that, and it's very
> unlikely that they will, based on the usual refrain "changelog is the de
> facto standard" or things like that.
>

I agree that implementing that spec means contributing to keeping it alive, but the point is that I have to deal with closed source products which claim to support it and explicitly state in their documentation that they "can interoperate with: Netscape/iPlanet/Sun ONE; Active Directory; Lotus Domino; Exchange, while interoperability with OpenLDAP is not possible because it cannot store changes into the changelog", which we know is not only incorrect, but also false: OpenLDAP provides better native (although coded into an open specification: RFC4533) means to synchronize than simply storing changes into a changelog. Moreover, it provides native (although coded into an open specification: draft-chu-ldap-logschema) means to inform clients about modifications. But many client implementors seem to willingly ignore this, so I need to keep supporting obsoleted de facto standard stuff, which, by the way, doesn't even agree with the contents of preliminary attempts to specify them in an open manner (see Netscape/iPlanet/Sun ONE, now Fedora DS "retroplugin" as opposed to draft-good-ldap-changelog)!

p.

Date: Mon, 04 Sep 2006 10:26:17 +0200
From: Pierangelo Masarati <ando@sys-net.it>
To: ettore.simone@gmail.com
CC: openldap-its@OpenLDAP.org
Subject: Re: Enhancement: again on Netscape style changelog (ITS#4656)

I've placed a reworked patch into the ITS at

<ftp://ftp.openldap.org/incoming/changelog-pm-2006-09-04.patch>

Basically, there were a few concurrency issues when increasing the changeNumber plus minor cleanup. I also renamed functions specific to the changelog feature prepending "changelog_" instead of "accesslog_", to make clear what's specific and what's not.

Finally, I started integrating some of the stuff that Neil Dunbar submitted as ITS#3953 (right now, the schema and the presentation of {first,last}ChangeNumber). Right now, this is optional and mimics what is done by FDS, i.e. the numbers are published in the root DSE (which makes very little sense; even publishing the changeLog attribute in the root DSE is nonsense to me!) rather than in the suffix entry of the changelog itself. Consider this a work in progress, though.

Please test.

p.

Subject: Re: (ITS#4656) Enhancement: again on Netscape style changelog
Date: Mon, 5 Feb 2007 13:34:30 +0100
From: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
To: <openldap-its@OpenLDAP.org>
Cc: <ettore.simone@gmail.com>

Great work! I submitted a patch to update the old overlay of Neil Dunbar to OpenLDAP 2.3. It works for our identity management (using Novell IDM 3.01) - see ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would like to ask, whether this patch (ITS#4656) is likely to be accepted in the near future. In this case I won't maintain a separate overlay. But it doesn't seem to be in HEAD, for now?

--
Best regards

Sebastian Rieger

Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
Am Fassberg - 37077 Göttingen
Phone: +49 551 201 1878 -- Fax: +49 551 201 2150

The digital signature of this mail can be verified using the DFN certificate: https://ca.gwdg.de/certs/root-classic/root-ca-cert.der

Date: Tue, 13 Feb 2007 03:20:06 -0800
From: Howard Chu <hyc@symas.com>
To: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
CC: "Heuer, Konrad" <kheuer@gwdg.de>, ando@OpenLDAP.org, openldap-its@OpenLDAP.org
Subject: Re: ITS#4656 OpenLDAP accesslog overlay using "changelog dialect"

Hi,
I have not been paying attention to these changes since Ando was working on them. You'll have to ask him for their update status.

Since you've already posted a query to the ITS, I think that would be the appropriate place to continue the conversation.

Looking over the ITS just now, I would say the tweak to register the changelog overlay type is unnecessary. Nor can you fairly deprecate the LogStyle parameter, since that appears to be the only way to invoke the SunOne workaround.

All in all I understand your motivations for pursuing this feature. Despite my dislike for broken specs and broken code, I will not prevent this patch from going in. But you should realize that wrong is wrong, and just because Novell, Sun, and Oracle software is broken doesn't mean we should be broken too. There are other IdM packages out there.

Rieger, Sebastian wrote:
> Hi,
>
> I submitted a patch to update the old overlay of Neil Dunbar to OpenLDAP
> 2.3. It works for our identity management (using Novell IDM 3.01) - see
> ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would like
> to ask, whether the patch to your accesslog that offers changelog
> functionality (ITS#4656) is likely to be committed to CVS HEAD in the near
> future. In this case I won't maintain a separate overlay. Thanks in advance
> for a quick reply, we really need changelog functionality as Novell, Sun and
> Oracle seem to depend on it.
>
> --
> Best regards
>
> Sebastian Rieger
>
> Gesellschaft für wissenschaftliche Datenverarbeitung mbH Göttingen
> Am Fassberg - 37077 Göttingen
> Phone: +49 551 201 1878 -- Fax: +49 551 201 2150
>
> The digital signature of this mail can be verified using the DFN
> certificate: https://ca.gwdg.de/certs/root-classic/root-ca-cert.der
>

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Subject: AW: ITS#4656 OpenLDAP accesslog overlay using "changelog dialect"
Date: Tue, 13 Feb 2007 12:31:21 +0100
From: "Rieger, Sebastian" <sebastian.rieger@gwdg.de>
To: "Howard Chu" <hyc@symas.com>
Cc: "Heuer, Konrad" <kheuer@gwdg.de>, <ando@OpenLDAP.org>, <openldap-its@OpenLDAP.org>

Thanks for the quick reply, I'd continue the conversation with Ando and via ITS, thanks for putting them on CC:. Can you name the IdM packages you refer to, that implement a replication mechanism that is compatible with OpenLDAP? We tested:

- Microsoft Identity Integration Server: only flat-file LDAP support (using LDIF) (until Gemini version ~2008) - no replication, just full synchronization
- Siemens DirX: using a full search over all objects (Novell Identity Manager can do so either, but you're unable to detect moved objects then, as it looks like a delete and add of the object, and performance is low, as for every sync cycle a full search over the tree is necessary)

Oracle and Sun using changelog were already mentioned... Maybe IBM? or do you refer to the meta backend module for OpenLDAP? Thanks in advance for the advice...

--
Best regards

Sebastian Rieger

Date: Tue, 13 Feb 2007 03:34:28 -0800
From: Howard Chu <hyc@symas.com>
To: openldap-its@openldap.org
Subject: Re: ITS#4656 OpenLDAP accesslog overlay using "changelog dialect"

hyc@symas.com wrote:
> All in all I understand your motivations for pursuing this feature. Despite
> my dislike for broken specs and broken code, I will not prevent this patch
> from going in. But you should realize that wrong is wrong, and just because
> Novell, Sun, and Oracle software is broken doesn't mean we should be broken
> too. There are other IdM packages out there.

While this is hardly the place for commercial endorsements, I should note that while Neil Dunbar wrote that changelog overlay for HP's purposes, we (Symas) convinced HP to adopt the accesslog format instead and HP does not rely on the changelog any more. If you're looking for software that actually conforms to open specs with some degree of technical merit, you might consider looking there, if you can't convince your current vendors to fix their products.

>
> Rieger, Sebastian wrote:
>> Hi,
>>
>> I submitted a patch to update the old overlay of Neil Dunbar to OpenLDAP
>> 2.3. It works for our identity management (using Novell IDM 3.01) - see
>> ITS#4685. As my patch needs cleanup to get into OpenLDAP HEAD I would like
>> to ask, whether the patch to your accesslog that offers changelog
>> functionality (ITS#4656) is likely to be committed to CVS HEAD in the near
>> future. In this case I won't maintain a separate overlay. Thanks in advance
>> for a quick reply, we really need changelog functionality as Novell, Sun and
>> Oracle seem to depend on it.

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  Chief Architect, OpenLDAP     http://www.openldap.org/project/

Date: Tue, 13 Feb 2007 12:44:37 +0100
From: Pierangelo Masarati <ando@sys-net.it>
To: hyc@symas.com
CC: openldap-its@openldap.org
Subject: Re: ITS#4656 OpenLDAP accesslog overlay using "changelog dialect"

hyc@symas.com wrote:
> Hi,
> I have not been paying attention to these changes since Ando was working
> on them. You'll have to ask him for their update status.

Sorry for overlooking your previous message. Yes, I'm keeping that patch sort of updated, but keeping it in sync with HEAD was a pain due to the many changes that occurred in that code. I'm not sure it's ready for commit right now, and I'm not sure it works as intended, given the lack of specs (every implementor seems to have their own idea of how that's supposed to work, and willing to interoperate, despite claims, seems to be their last concern). Preserving compatibility with re23 might not be an option, and I don't think we want that stuff to go in re23 right now.

> Since you've already posted a query to the ITS, I think that would be the
> appropriate place to continue the conversation.
>
> Looking over the ITS just now, I would say the tweak to register the
> changelog overlay type is unnecessary. Nor can you fairly deprecate the
> LogStyle parameter, since that appears to be the only way to invoke the
> SunOne workaround.
>
> All in all I understand your motivations for pursuing this feature. Despite
> my dislike for broken specs and broken code, I will not prevent this patch
> from going in. But you should realize that wrong is wrong, and just because
> Novell, Sun, and Oracle software is broken doesn't mean we should be broken
> too. There are other IdM packages out there.

I'll be committing something workable soon.

p.

© Copyright 2013, OpenLDAP Foundation, info@OpenLDAP.org