----- abartlet@samba.org wrote:

> Full_Name: Andrew Bartlett
> Version: CVS HEAD
> OS: Fedora 10
> URL: http://msdn.microsoft.com/en-us/library/cc223167(PROT.13).aspx
> Submission from: (NULL) (59.167.251.137)
> 
> 
> Active Directory always presents an attribute 'name' that is always
> equal to the
> relative distinguished name.  AD allows only one RDN, but I don't mind
> if this
> can be multi-valued for the multi-RDN case.  It is equal to the value
> of the RDN
> as presented in the RDN.
> 
> This is not simply the subtype 'CN -> name', but a new attribute
> unrelated to
> the existing definition of 'name'.
> 
> I don't care what name is assigned to 'name', as I can easily remap
> attributes.
> 
> It would be great if this could be constructed such that it may be
> declared to
> be unique for a particular one-level search (also an AD requirement,
> but not one
> Samba4 requires or enforces at this time).  

The only problem I see in defining such an attribute is that its syntax should allow the value of any syntax, so it should probably be octetString or something like that.  From the implementation point of view, what operations should it be used for?  If you only need it to be returned with searches, and to be compared, then the implementation would be trivial (it could be dynamically generated, much like entryDN, as far as I can tell).  If you need to search for it, namely use it in a filter, then it might be better to store it in the database.  This would require to handle add and modrdn, forbid modify, and nothing else.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

On Tue, 2009-04-14 at 10:09 +0200, Pierangelo Masarati wrote:
> ----- abartlet@samba.org wrote:
> 
> > Full_Name: Andrew Bartlett
> > Version: CVS HEAD
> > OS: Fedora 10
> > URL: http://msdn.microsoft.com/en-us/library/cc223167(PROT.13).aspx
> > Submission from: (NULL) (59.167.251.137)
> > 
> > 
> > Active Directory always presents an attribute 'name' that is always
> > equal to the
> > relative distinguished name.  AD allows only one RDN, but I don't mind
> > if this
> > can be multi-valued for the multi-RDN case.  It is equal to the value
> > of the RDN
> > as presented in the RDN.
> > 
> > This is not simply the subtype 'CN -> name', but a new attribute
> > unrelated to
> > the existing definition of 'name'.
> > 
> > I don't care what name is assigned to 'name', as I can easily remap
> > attributes.
> > 
> > It would be great if this could be constructed such that it may be
> > declared to
> > be unique for a particular one-level search (also an AD requirement,
> > but not one
> > Samba4 requires or enforces at this time).  
> 
> The only problem I see in defining such an attribute is that its
> syntax should allow the value of any syntax, so it should probably be
> octetString or something like that.  

I think the AD document I reference explains that only some attributes
can be an RDN, so it limits them to those with a unicode string
representation I suppose. 

There is another attribute that follows the 'type' of RDN btw (never
seen it used, but it's in the docs). 

> From the implementation point of view, what operations should it be
> used for?  If you only need it to be returned with searches, and to be
> compared, then the implementation would be trivial (it could be
> dynamically generated, much like entryDN, as far as I can tell).  If
> you need to search for it, namely use it in a filter, then it might be
> better to store it in the database.  This would require to handle add
> and modrdn, forbid modify, and nothing else.

Like entryDN, we need to be able to search on it, so it should probably
be persistent.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.

abartlet@samba.org wrote:

>> The only problem I see in defining such an attribute is that its
>> syntax should allow the value of any syntax, so it should probably be
>> octetString or something like that. =20
> 
> I think the AD document I reference explains that only some attributes
> can be an RDN, so it limits them to those with a unicode string
> representation I suppose.=20

OK, I coulnd't follow up to the document you cited.

> There is another attribute that follows the 'type' of RDN btw (never
> seen it used, but it's in the docs).=20
> 
>> From the implementation point of view, what operations should it be
>> used for?  If you only need it to be returned with searches, and to be
>> compared, then the implementation would be trivial (it could be
>> dynamically generated, much like entryDN, as far as I can tell).  If
>> you need to search for it, namely use it in a filter, then it might be
>> better to store it in the database.  This would require to handle add
>> and modrdn, forbid modify, and nothing else.
> 
> Like entryDN, we need to be able to search on it, so it should probably
> be persistent.

Ok.  Unlike entryDN, which is not persistent but evaluated on the fly 
based on dn2id indexes, unless we hardcode this in slapd (don't think 
so) we need to make the attr persistent.  It's on the todo list.

p.


Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

moved from Incoming to Software Enhancements

ando@sys-net.it wrote:
> ----- abartlet@samba.org wrote:
>> Active Directory always presents an attribute 'name' that is always
>> equal to the relative distinguished name.  AD allows only one RDN,
>> but I don't mind if this can be multi-valued for the multi-RDN
>> case.  It is equal to the value of the RDN as presented in the RDN.
>>
>> This is not simply the subtype 'CN -> name', but a new attribute 
>> unrelated to the existing definition of 'name'.
>>
>> I don't care what name is assigned to 'name', as I can easily remap
>> attributes.
>>
>> It would be great if this could be constructed such that it may be 
>> declared to be unique for a particular one-level search (also an AD
>> requirement, but not one Samba4 requires or enforces at this time).
> 
> The only problem I see in defining such an attribute is that its
> syntax should allow the value of any syntax, so it should probably be
> octetString or something like that.

Why? IMO such an attribute type could be declared like any other
attribute type. If its syntax does not match the syntax of the
characteristic attribute invalidAttributeSyntax should be returned.

I wonder what the exact requirements for the implementation within slapd
are and some very rough ideas as food for thought:

1. slapd shall enforce uniqueness on one-level
=> I'd vote for an additional feature of slapo-unique to define the
scope of uniqueness in a very flexible way

2. Value of 'name' has to match the value of the characteristic
attribute. Does this 1. has to be enforced within slapd or 2. could this
be enforced within smbd?
If 1. maybe the functionality/configuration of slapo-constraint could be
extended to define things like this.
(I've stumbled across ITS#5704. Isn't that already something like this?)

...more...?

In web2ldap's plugin classes I have implemented special treatment for
non-compliant notation for the DN part of LDAP URLs to reference a DN
based on an entry's DN:

.	the entry's DN
..	the entry's parent DN
_	the best matching namingContext for the entry's DN

This strings can be appended to DNs. For example:

'ou=Users,_' would always refer to entry ou=Users below an arbitrary
naming context.

'ou=My Stuff,.' could refer to a container below a user's entry

Maybe something like this could be helpful for an extended configuration
of slapo-unique and slapo-constraint.

Hmm, also

As said only very rough ideas...

Ciao, Michael.

michael@stroeder.com wrote:
> ando@sys-net.it wrote:
>> ----- abartlet@samba.org wrote:
>>> Active Directory always presents an attribute 'name' that is always
>>> equal to the relative distinguished name.  AD allows only one RDN,
>>> but I don't mind if this can be multi-valued for the multi-RDN
>>> case.  It is equal to the value of the RDN as presented in the RDN.
>>>
>>> This is not simply the subtype 'CN -> name', but a new attribute 
>>> unrelated to the existing definition of 'name'.
>>>
>>> I don't care what name is assigned to 'name', as I can easily remap
>>> attributes.
>>>
>>> It would be great if this could be constructed such that it may be 
>>> declared to be unique for a particular one-level search (also an AD
>>> requirement, but not one Samba4 requires or enforces at this time).
>> The only problem I see in defining such an attribute is that its
>> syntax should allow the value of any syntax, so it should probably be
>> octetString or something like that.
> 
> Why? IMO such an attribute type could be declared like any other
> attribute type. If its syntax does not match the syntax of the
> characteristic attribute invalidAttributeSyntax should be returned.

Since we're dealing with something unspecified, you can:

- be "strict": only allow the creation of this attribute when the naming 
attribute's syntax is 2.5.5.12 (unspecified, I understand, but we live 
in a wild world)

- be "liberal": always allow the creation of this attribute by allowing 
it to contain any value

> I wonder what the exact requirements for the implementation within slapd
> are and some very rough ideas as food for thought:
> 
> 1. slapd shall enforce uniqueness on one-level
> => I'd vote for an additional feature of slapo-unique to define the
> scope of uniqueness in a very flexible way
> 
> 2. Value of 'name' has to match the value of the characteristic
> attribute. Does this 1. has to be enforced within slapd or 2. could this
> be enforced within smbd?
> If 1. maybe the functionality/configuration of slapo-constraint could be
> extended to define things like this.
> (I've stumbled across ITS#5704. Isn't that already something like this?)

not exactly, as sets do not allow a placeholder for the naming 
attribute; maybe something like "this/entryRDN.ava{0}.value" if it 
existed...

p.

> ...more...?
> 
> In web2ldap's plugin classes I have implemented special treatment for
> non-compliant notation for the DN part of LDAP URLs to reference a DN
> based on an entry's DN:
> 
> .	the entry's DN
> ..	the entry's parent DN
> _	the best matching namingContext for the entry's DN
> 
> This strings can be appended to DNs. For example:
> 
> 'ou=Users,_' would always refer to entry ou=Users below an arbitrary
> naming context.
> 
> 'ou=My Stuff,.' could refer to a container below a user's entry
> 
> Maybe something like this could be helpful for an extended configuration
> of slapo-unique and slapo-constraint.
> 
> Hmm, also
> 
> As said only very rough ideas...
> 
> Ciao, Michael.
> 
> 



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------

Pierangelo Masarati wrote:
> michael@stroeder.com wrote:
>> (I've stumbled across ITS#5704. Isn't that already something like this?)
> 
> not exactly, as sets do not allow a placeholder for the naming
> attribute; maybe something like "this/entryRDN.ava{0}.value" if it
> existed...

But given that slapd already enforces the characteristic attribute (e.g.
'cn' for 'user' on Samba4) to be part of the entry IMHO this is not
needed. Provided the order of the checks are right.

So this would be:

constraint_attribute    name set
   "this/cn"
   restrict="ldap:///dc=example,dc=com??sub?(objectClass=user)"

constraint_attribute    name set
   "this/ou"
restrict="ldap:///dc=example,dc=com??sub?(objectClass=organizationalUnit)"

Since uniqueness of 'cn' or 'ou' for one-level search for the above
cases is already enforced wouldn't this be sufficient?

Maybe I miss something though.

Ciao, Michael.

[Resending because I forgot the ITS number in the subject]

I have a simple prototype that on add/modrdn populates/maintains an
attribute (rdnValue) with the distinguished values of the naming
attributes of the RDN.  While doing this, it also checks for uniqueness of
the rdnValue value within siblings.

You can find it here
<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c>

Please test and comment.  I hope it does what intended.

p.

changed notes
changed state Open to Feedback
moved from Software Enhancements to Development

On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote:
> [Resending because I forgot the ITS number in the subject]
> 
> I have a simple prototype that on add/modrdn populates/maintains an
> attribute (rdnValue) with the distinguished values of the naming
> attributes of the RDN.  While doing this, it also checks for uniqueness of
> the rdnValue value within siblings.
> 
> You can find it here
> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c>
> 
> Please test and comment.  I hope it does what intended.

Can you please remind me in a few days if I don't get to this?

I'm keen to try it out, but I'm also busy with other things, so liable
to forget.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote:
> [Resending because I forgot the ITS number in the subject]
> 
> I have a simple prototype that on add/modrdn populates/maintains an
> attribute (rdnValue) with the distinguished values of the naming
> attributes of the RDN.  While doing this, it also checks for uniqueness of
> the rdnValue value within siblings.
> 
> You can find it here
> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c>
> 
> Please test and comment.  I hope it does what intended.

I'm starting to look at this now.  I'm sorry so many months have past
since you posted it.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

On Tue, 2010-03-02 at 15:30 +1100, Andrew Bartlett wrote:
> On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote:
> > [Resending because I forgot the ITS number in the subject]
> > 
> > I have a simple prototype that on add/modrdn populates/maintains an
> > attribute (rdnValue) with the distinguished values of the naming
> > attributes of the RDN.  While doing this, it also checks for uniqueness of
> > the rdnValue value within siblings.
> > 
> > You can find it here
> > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c>
> > 
> > Please test and comment.  I hope it does what intended.
> 
> I'm starting to look at this now.  I'm sorry so many months have past
> since you posted it.

I've now added it into Samba's provision, and using the diff I attach,
against current 'master', I get the attached error.

It seems to be unable to add the base DN. (The very first entry in the
database).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> On Tue, 2010-03-02 at 15:30 +1100, Andrew Bartlett wrote:
>> On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote:
>> > [Resending because I forgot the ITS number in the subject]
>> >
>> > I have a simple prototype that on add/modrdn populates/maintains an
>> > attribute (rdnValue) with the distinguished values of the naming
>> > attributes of the RDN.  While doing this, it also checks for
>> uniqueness of
>> > the rdnValue value within siblings.
>> >
>> > You can find it here
>> > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c>
>> >
>> > Please test and comment.  I hope it does what intended.
>>
>> I'm starting to look at this now.  I'm sorry so many months have past
>> since you posted it.
>
> I've now added it into Samba's provision, and using the diff I attach,
> against current 'master', I get the attached error.
>
> It seems to be unable to add the base DN. (The very first entry in the
> database).

Try this:
<www.aero.polimi.it/masarati/Download/pierangelo-masarati-2010-03-30-rdnval.2.c>.
 In fact, when adding the suffix entry, the overlay was erroneously
checking its siblings from its superior, which is very likely to fail.

p.

Refactored rdnval.c available at

<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c>

attempts to repair the database at startup; useful when the overlay is
configured for an existing database.  Please test.

p.

On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote:
> Refactored rdnval.c available at
> 
> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c>
> 
> attempts to repair the database at startup; useful when the overlay is
> configured for an existing database.  Please test.

Sadly it segfaults on startup (we don't have the DB at startup - we
expect the first operations to create them). 

I produced the environment with Samba4 from master
(538a07a80aae72b57e5c23133158c7f214d0c27a) with the attached additional
patch

TEST_LDAP=yes OPENLDAP_SLAPD=/usr/local/libexec/slapd make quicktest

This ran: 
'/usr/local/libexec/slapd'
'-F/scratch/samba-2/source4/st/dc/private/ldap/slapd.d' '-h' 'ldapi://%
2Fscratch%2Fsamba-2%2Fsource4%2Fst%2Fdc%2Fprivate%2Fldap%2Fldapi' '-d0'

and running that under gdb produced

Program received signal SIGSEGV, Segmentation fault.
0x000000000057ba54 in rdnval_repair (be=0x7fffffffdbe0) at rdnval.c:466
466		op->o_req_dn = op->o_bd->be_suffix[ 0 ];
Missing separate debuginfos, use: debuginfo-install
glibc-2.11.90-17.x86_64 libgcc-4.4.3-12.fc13.x86_64
libicu-4.2.1-7.fc12.x86_64 libicu-4.2.1-8.fc13.x86_64 libstdc
++-4.4.3-12.fc13.x86_64 libtool-ltdl-2.2.6-18.fc12.x86_64
libtool-ltdl-2.2.6-18.fc13.x86_64 libuuid-2.17.2-1.fc13.x86_64
mysql-libs-5.1.45-2.fc13.x86_64 postgresql-libs-8.4.3-1.fc13.x86_64
(gdb) p op
$1 = (Operation *) 0x7fffffffd4d0
(gdb) p op->o_bd
$2 = (BackendDB *) 0x0
(gdb) p *op
$3 = {o_hdr = 0x7fffffffd640, o_tag = 99, o_time = 1271737105, o_tincr =
1, o_bd = 0x0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn =
{bv_len = 0, bv_val = 0x0}, o_request = {oq_add = {rs_modlist = 0x0,
rs_e = 0x0}, oq_bind = {
      rb_method = 0, rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn =
{bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 0, bv_val =
0x0}}, oq_compare = {rs_ava = 0x0}, oq_modify = {rs_mods = {rs_modlist =
0x0, 
        rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn =
{rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn
= 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
bv_val = 0x0}, 
      rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope = 0,
rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly
= 0, rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val
= 0x0}}, 
    oq_abandon = {rs_msgid = 0}, oq_cancel = {rs_msgid = 0}, oq_extended
= {rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata =
0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 0, bv_val =
0x0}, rs_flags = 0, 
        rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new =
{bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon
= 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000',
o_is_auth_check = 0 '\000', 
  o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0
'\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000',
o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31
times>, 
  o_controls = 0x7fffffffd788, o_authz = {sai_method = 0, sai_mech =
{bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn
= {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0,
sai_tls_ssf = 0, 
    sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x0,
o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0,
o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}}
(gdb) 


-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote:
>> Refactored rdnval.c available at
>>
>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c>
>>
>> attempts to repair the database at startup; useful when the overlay is
>> configured for an existing database.  Please test.
>
> Sadly it segfaults on startup (we don't have the DB at startup - we
> expect the first operations to create them).

It's not that sad: this overlay is not intended to be used as global.  You
should use it within any database you want the rdnvalue stored.  I haven't
considered yet how hard it would be to allow it to be global, and if it's
worth.  Since it needs to write operational attributes to the directory,
it may run into issues in case non-local storage databases are used, and
it'd definitely risk to suffer from authentication issues.  Does it make
sense for you to add an instance in each database you need rndvalue for?

p.

> I produced the environment with Samba4 from master
> (538a07a80aae72b57e5c23133158c7f214d0c27a) with the attached additional
> patch
>
> TEST_LDAP=yes OPENLDAP_SLAPD=/usr/local/libexec/slapd make quicktest
>
> This ran:
> '/usr/local/libexec/slapd'
> '-F/scratch/samba-2/source4/st/dc/private/ldap/slapd.d' '-h' 'ldapi://%
> 2Fscratch%2Fsamba-2%2Fsource4%2Fst%2Fdc%2Fprivate%2Fldap%2Fldapi' '-d0'
>
> and running that under gdb produced
>
> Program received signal SIGSEGV, Segmentation fault.
> 0x000000000057ba54 in rdnval_repair (be=0x7fffffffdbe0) at rdnval.c:466
> 466		op->o_req_dn = op->o_bd->be_suffix[ 0 ];
> Missing separate debuginfos, use: debuginfo-install
> glibc-2.11.90-17.x86_64 libgcc-4.4.3-12.fc13.x86_64
> libicu-4.2.1-7.fc12.x86_64 libicu-4.2.1-8.fc13.x86_64 libstdc
> ++-4.4.3-12.fc13.x86_64 libtool-ltdl-2.2.6-18.fc12.x86_64
> libtool-ltdl-2.2.6-18.fc13.x86_64 libuuid-2.17.2-1.fc13.x86_64
> mysql-libs-5.1.45-2.fc13.x86_64 postgresql-libs-8.4.3-1.fc13.x86_64
> (gdb) p op
> $1 = (Operation *) 0x7fffffffd4d0
> (gdb) p op->o_bd
> $2 = (BackendDB *) 0x0
> (gdb) p *op
> $3 = {o_hdr = 0x7fffffffd640, o_tag = 99, o_time = 1271737105, o_tincr =
> 1, o_bd = 0x0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn =
> {bv_len = 0, bv_val = 0x0}, o_request = {oq_add = {rs_modlist = 0x0,
> rs_e = 0x0}, oq_bind = {
>       rb_method = 0, rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn =
> {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 0, bv_val =
> 0x0}}, oq_compare = {rs_ava = 0x0}, oq_modify = {rs_mods = {rs_modlist =
> 0x0,
>         rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn =
> {rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn
> = 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0,
> bv_val = 0x0},
>       rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope = 0,
> rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly
> = 0, rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val
> = 0x0}},
>     oq_abandon = {rs_msgid = 0}, oq_cancel = {rs_msgid = 0}, oq_extended
> = {rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata =
> 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 0, bv_val =
> 0x0}, rs_flags = 0,
>         rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new =
> {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon
> = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000',
> o_is_auth_check = 0 '\000',
>   o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0
> '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000',
> o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31
> times>,
>   o_controls = 0x7fffffffd788, o_authz = {sai_method = 0, sai_mech =
> {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn
> = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0,
> sai_tls_ssf = 0,
>     sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x0,
> o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0,
> o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}}
> (gdb)
>
>
> --
> Andrew Bartlett                                http://samba.org/~abartlet/
> Authentication Developer, Samba Team           http://samba.org
> Samba Developer, Cisco Inc.
>
>

On Tue, 2010-04-20 at 07:11 +0200, masarati@aero.polimi.it wrote:
> > On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote:
> >> Refactored rdnval.c available at
> >>
> >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c>
> >>
> >> attempts to repair the database at startup; useful when the overlay is
> >> configured for an existing database.  Please test.
> >
> > Sadly it segfaults on startup (we don't have the DB at startup - we
> > expect the first operations to create them).
> 
> It's not that sad: this overlay is not intended to be used as global.  You
> should use it within any database you want the rdnvalue stored.  I haven't
> considered yet how hard it would be to allow it to be global, and if it's
> worth.  Since it needs to write operational attributes to the directory,
> it may run into issues in case non-local storage databases are used, and
> it'd definitely risk to suffer from authentication issues.  Does it make
> sense for you to add an instance in each database you need rndvalue for?

That's no problem at all.  It now just fails in the same was as without
the patch.  I'll mention it on openldap-technical if I can't get
assistance on #ldap.

Then, when I get past that, I'll get back to this!

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> That's no problem at all.

Good.  This version explicitly check for instantiation as global, and also
does some further sanity checks prior to startup.

<ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c>

> It now just fails in the same was as without
> the patch.  I'll mention it on openldap-technical if I can't get
> assistance on #ldap.

Not quite clear what patch and what failure you refer to.  Anyway, I've
tested this version of the overlay as global (refuses to start) and on a
database, either empty or populated, and it works as intended.  Please
test and report.  Thanks, p.

On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote:
> > That's no problem at all.
> 
> Good.  This version explicitly check for instantiation as global, and also
> does some further sanity checks prior to startup.
> 
> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c>
> 
> > It now just fails in the same was as without
> > the patch.  I'll mention it on openldap-technical if I can't get
> > assistance on #ldap.
> 
> Not quite clear what patch and what failure you refer to.  Anyway, I've
> tested this version of the overlay as global (refuses to start) and on a
> database, either empty or populated, and it works as intended.  Please
> test and report.  Thanks, p.

It seems to be working well.  When can I expect it to be in the tree?

(I'll then require folks to use the current OpenLDAP CVS if they want to
use the LDAP backend).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote:
>> > That's no problem at all.
>>
>> Good.  This version explicitly check for instantiation as global, and
>> also
>> does some further sanity checks prior to startup.
>>
>> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c>
>>
>> > It now just fails in the same was as without
>> > the patch.  I'll mention it on openldap-technical if I can't get
>> > assistance on #ldap.
>>
>> Not quite clear what patch and what failure you refer to.  Anyway, I've
>> tested this version of the overlay as global (refuses to start) and on a
>> database, either empty or populated, and it works as intended.  Please
>> test and report.  Thanks, p.
>
> It seems to be working well.  When can I expect it to be in the tree?
>
> (I'll then require folks to use the current OpenLDAP CVS if they want to
> use the LDAP backend).

I can commit it in a minute.  It's not 100% clear to me what's the most
appropriate location: slapd/overlays/ may not, as this looks like
something definitely specific to Samba4; probably, contrib/slapd-modules/
is more appropriate.  Perhaps, a contrib/slapd-modules/samba4/ would be
the most appropriate, along with future specific (i.e. not of general
usefulness) modules, as we did for the nssov module.

Comments?  I mean, from others, not only from you :)

p.

On Wed, 2010-04-21 at 03:44 +0200, masarati@aero.polimi.it wrote:
> > On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote:
> >> > That's no problem at all.
> >>
> >> Good.  This version explicitly check for instantiation as global, and
> >> also
> >> does some further sanity checks prior to startup.
> >>
> >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c>
> >>
> >> > It now just fails in the same was as without
> >> > the patch.  I'll mention it on openldap-technical if I can't get
> >> > assistance on #ldap.
> >>
> >> Not quite clear what patch and what failure you refer to.  Anyway, I've
> >> tested this version of the overlay as global (refuses to start) and on a
> >> database, either empty or populated, and it works as intended.  Please
> >> test and report.  Thanks, p.
> >
> > It seems to be working well.  When can I expect it to be in the tree?
> >
> > (I'll then require folks to use the current OpenLDAP CVS if they want to
> > use the LDAP backend).
> 
> I can commit it in a minute.  It's not 100% clear to me what's the most
> appropriate location: slapd/overlays/ may not, as this looks like
> something definitely specific to Samba4; probably, contrib/slapd-modules/
> is more appropriate.  Perhaps, a contrib/slapd-modules/samba4/ would be
> the most appropriate, along with future specific (i.e. not of general
> usefulness) modules, as we did for the nssov module.
> 
> Comments?  I mean, from others, not only from you :)

My only concern is that it be maintained, so that the OpenLDAP backend
can be a supported part of Samba4 into the long term.  (I know it's not
been in good shape for the past while, but there is hope we can get it
back on track). 

Do contrib modules come with this level of maintenance?

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> My only concern is that it be maintained, so that the OpenLDAP backend
> can be a supported part of Samba4 into the long term.  (I know it's not
> been in good shape for the past while, but there is hope we can get it
> back on track).
>
> Do contrib modules come with this level of maintenance?

Inherently no, because they would not be configured/built along with the
rest of the package.  Of course, as soon as users (possibly including
myself) notice issues, they would be maintained (see for example nssov).

The most straightforward way of having it routinely built is to place it
in slapd/overlays/; I guess this needs consensus from the rest of the
team.  I'd vote in favor; please holler.

p.

masarati@aero.polimi.it wrote:
>> My only concern is that it be maintained, so that the OpenLDAP backend
>> can be a supported part of Samba4 into the long term.  (I know it's not
>> been in good shape for the past while, but there is hope we can get it
>> back on track).
>>
>> Do contrib modules come with this level of maintenance?
>
> Inherently no, because they would not be configured/built along with the
> rest of the package.  Of course, as soon as users (possibly including
> myself) notice issues, they would be maintained (see for example nssov).
>
> The most straightforward way of having it routinely built is to place it
> in slapd/overlays/; I guess this needs consensus from the rest of the
> team.  I'd vote in favor; please holler.

I think contrib is the right place for now. It seems to me that the 
requirements here are still a moving target, so it's better in contrib. 
(Contrib items are free to add new features independent of the rest of the 
release cycle. Items in the main slapd/overlays are more constrained to 
bugfixes-only within a release cycle.)

-- 
   -- Howard Chu
   CTO, Symas Corp.           http://www.symas.com
   Director, Highland Sun     http://highlandsun.com/hyc/
   Chief Architect, OpenLDAP  http://www.openldap.org/project/

On Wed, 2010-04-21 at 04:32 +0200, masarati@aero.polimi.it wrote:
> > My only concern is that it be maintained, so that the OpenLDAP backend
> > can be a supported part of Samba4 into the long term.  (I know it's not
> > been in good shape for the past while, but there is hope we can get it
> > back on track).
> >
> > Do contrib modules come with this level of maintenance?
> 
> Inherently no, because they would not be configured/built along with the
> rest of the package.  Of course, as soon as users (possibly including
> myself) notice issues, they would be maintained (see for example nssov).
> 
> The most straightforward way of having it routinely built is to place it
> in slapd/overlays/; I guess this needs consensus from the rest of the
> team.  I'd vote in favor; please holler.

My eventual goal is that folks using a Ubuntu or Fedora system would
have Samba4 'just work' with the packaged OpenLDAP.  I can of course
lobby them to get their packages updated to build from contrib, but it's
easier if it's just in there. 

Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the
short term, it is of course easier for me if everything is already in
place. 

But this is your project, not mine, and I am happy with whatever we can
make work. 

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> masarati@aero.polimi.it wrote:
>>> My only concern is that it be maintained, so that the OpenLDAP backend
>>> can be a supported part of Samba4 into the long term.  (I know it's not
>>> been in good shape for the past while, but there is hope we can get it
>>> back on track).
>>>
>>> Do contrib modules come with this level of maintenance?
>>
>> Inherently no, because they would not be configured/built along with the
>> rest of the package.  Of course, as soon as users (possibly including
>> myself) notice issues, they would be maintained (see for example nssov).
>>
>> The most straightforward way of having it routinely built is to place it
>> in slapd/overlays/; I guess this needs consensus from the rest of the
>> team.  I'd vote in favor; please holler.
>
> I think contrib is the right place for now. It seems to me that the
> requirements here are still a moving target, so it's better in contrib.
> (Contrib items are free to add new features independent of the rest of the
> release cycle. Items in the main slapd/overlays are more constrained to
> bugfixes-only within a release cycle.)

Fair enough.  I've started committing stuff to contrib/slapd-modules/samba4

p.

> My eventual goal is that folks using a Ubuntu or Fedora system would
> have Samba4 'just work' with the packaged OpenLDAP.  I can of course
> lobby them to get their packages updated to build from contrib, but it's
> easier if it's just in there.=20
>
> Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the
> short term, it is of course easier for me if everything is already in
> place.=20
>
> But this is your project, not mine, and I am happy with whatever we can
> make work.=20

Right now, along the lines illustrated by Howard, I've committed
everything to contrib/slapd-modules/samba4.  You may need to tweak the
Makefile if you are not building in the source tree (as I usually do; then
adjust LDAP_BUILD to your build tree), and if you wish to install modules
in some specific place (prefix, exec_prefix, ldap_subdir).

My medium term objective would be to have:

- generally useful modules built-in (e.g. slapo-deref)

- Samba4-specific modules all in one contrib directory, possibly
harmonized and consolidated when possible in a single module, to ease
configuration and maintenance

The latter could then have a specific configure, if needed, so that
packagers could make and install them as easily as possible.  In the
meanwhile, we should live with this interim solution.  Time permitting, I
see no issue in maintaining that code, much like we already do with the
other modules.

p.

On Wed, 2010-04-21 at 05:42 +0200, masarati@aero.polimi.it wrote:
> > My eventual goal is that folks using a Ubuntu or Fedora system would
> > have Samba4 'just work' with the packaged OpenLDAP.  I can of course
> > lobby them to get their packages updated to build from contrib, but it's
> > easier if it's just in there.=20
> >
> > Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the
> > short term, it is of course easier for me if everything is already in
> > place.=20
> >
> > But this is your project, not mine, and I am happy with whatever we can
> > make work.=20
> 
> Right now, along the lines illustrated by Howard, I've committed
> everything to contrib/slapd-modules/samba4.  You may need to tweak the
> Makefile if you are not building in the source tree (as I usually do; then
> adjust LDAP_BUILD to your build tree), and if you wish to install modules
> in some specific place (prefix, exec_prefix, ldap_subdir).
> 
> My medium term objective would be to have:
> 
> - generally useful modules built-in (e.g. slapo-deref)
> 
> - Samba4-specific modules all in one contrib directory, possibly
> harmonized and consolidated when possible in a single module, to ease
> configuration and maintenance
> 
> The latter could then have a specific configure, if needed, so that
> packagers could make and install them as easily as possible.  In the
> meanwhile, we should live with this interim solution.  Time permitting, I
> see no issue in maintaining that code, much like we already do with the
> other modules.

Can you give me the exact commands I need to put into the wiki, for a
user to go from a checkout of OpenLDAP, to a build with this module
installed just like all the others?

Thanks,

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.

> Can you give me the exact commands I need to put into the wiki, for a
> user to go from a checkout of OpenLDAP, to a build with this module
> installed just like all the others?

Assuming one builds in the tree,

- follow instructions for anonymous CVS checkout of HEAD branch
  <http://www.openldap.org/software/repo.html#AnonCVS>

- cd contrib/slapd-modules/samba4

- edit Makefile if needed; as it is, it assumes you build in tree,
  and installs in /usr/local/libexec/openldap

- make; make install

- in slapd.conf:

    modulepath /usr/local/libexec/openldap
    moduleload rdnval.la

    # ...
    database hdb
    # ...

    overlay rdnval

That's it.

p.

a proposed overlay is available