Full_Name: Andrew Bartlett Version: CVS HEAD OS: Fedora 10 URL: http://msdn.microsoft.com/en-us/library/cc223167(PROT.13).aspx Submission from: (NULL) (59.167.251.137) Active Directory always presents an attribute 'name' that is always equal to the relative distinguished name. AD allows only one RDN, but I don't mind if this can be multi-valued for the multi-RDN case. It is equal to the value of the RDN as presented in the RDN. This is not simply the subtype 'CN -> name', but a new attribute unrelated to the existing definition of 'name'. I don't care what name is assigned to 'name', as I can easily remap attributes. It would be great if this could be constructed such that it may be declared to be unique for a particular one-level search (also an AD requirement, but not one Samba4 requires or enforces at this time). Andrew Bartlett
----- abartlet@samba.org wrote: > Full_Name: Andrew Bartlett > Version: CVS HEAD > OS: Fedora 10 > URL: http://msdn.microsoft.com/en-us/library/cc223167(PROT.13).aspx > Submission from: (NULL) (59.167.251.137) > > > Active Directory always presents an attribute 'name' that is always > equal to the > relative distinguished name. AD allows only one RDN, but I don't mind > if this > can be multi-valued for the multi-RDN case. It is equal to the value > of the RDN > as presented in the RDN. > > This is not simply the subtype 'CN -> name', but a new attribute > unrelated to > the existing definition of 'name'. > > I don't care what name is assigned to 'name', as I can easily remap > attributes. > > It would be great if this could be constructed such that it may be > declared to > be unique for a particular one-level search (also an AD requirement, > but not one > Samba4 requires or enforces at this time). The only problem I see in defining such an attribute is that its syntax should allow the value of any syntax, so it should probably be octetString or something like that. From the implementation point of view, what operations should it be used for? If you only need it to be returned with searches, and to be compared, then the implementation would be trivial (it could be dynamically generated, much like entryDN, as far as I can tell). If you need to search for it, namely use it in a filter, then it might be better to store it in the database. This would require to handle add and modrdn, forbid modify, and nothing else. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
On Tue, 2009-04-14 at 10:09 +0200, Pierangelo Masarati wrote: > ----- abartlet@samba.org wrote: > > > Full_Name: Andrew Bartlett > > Version: CVS HEAD > > OS: Fedora 10 > > URL: http://msdn.microsoft.com/en-us/library/cc223167(PROT.13).aspx > > Submission from: (NULL) (59.167.251.137) > > > > > > Active Directory always presents an attribute 'name' that is always > > equal to the > > relative distinguished name. AD allows only one RDN, but I don't mind > > if this > > can be multi-valued for the multi-RDN case. It is equal to the value > > of the RDN > > as presented in the RDN. > > > > This is not simply the subtype 'CN -> name', but a new attribute > > unrelated to > > the existing definition of 'name'. > > > > I don't care what name is assigned to 'name', as I can easily remap > > attributes. > > > > It would be great if this could be constructed such that it may be > > declared to > > be unique for a particular one-level search (also an AD requirement, > > but not one > > Samba4 requires or enforces at this time). > > The only problem I see in defining such an attribute is that its > syntax should allow the value of any syntax, so it should probably be > octetString or something like that. I think the AD document I reference explains that only some attributes can be an RDN, so it limits them to those with a unicode string representation I suppose. There is another attribute that follows the 'type' of RDN btw (never seen it used, but it's in the docs). > From the implementation point of view, what operations should it be > used for? If you only need it to be returned with searches, and to be > compared, then the implementation would be trivial (it could be > dynamically generated, much like entryDN, as far as I can tell). If > you need to search for it, namely use it in a filter, then it might be > better to store it in the database. This would require to handle add > and modrdn, forbid modify, and nothing else. Like entryDN, we need to be able to search on it, so it should probably be persistent. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Red Hat Inc.
abartlet@samba.org wrote: >> The only problem I see in defining such an attribute is that its >> syntax should allow the value of any syntax, so it should probably be >> octetString or something like that. =20 > > I think the AD document I reference explains that only some attributes > can be an RDN, so it limits them to those with a unicode string > representation I suppose.=20 OK, I coulnd't follow up to the document you cited. > There is another attribute that follows the 'type' of RDN btw (never > seen it used, but it's in the docs).=20 > >> From the implementation point of view, what operations should it be >> used for? If you only need it to be returned with searches, and to be >> compared, then the implementation would be trivial (it could be >> dynamically generated, much like entryDN, as far as I can tell). If >> you need to search for it, namely use it in a filter, then it might be >> better to store it in the database. This would require to handle add >> and modrdn, forbid modify, and nothing else. > > Like entryDN, we need to be able to search on it, so it should probably > be persistent. Ok. Unlike entryDN, which is not persistent but evaluated on the fly based on dn2id indexes, unless we hardcode this in slapd (don't think so) we need to make the attr persistent. It's on the todo list. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
moved from Incoming to Software Enhancements
ando@sys-net.it wrote: > ----- abartlet@samba.org wrote: >> Active Directory always presents an attribute 'name' that is always >> equal to the relative distinguished name. AD allows only one RDN, >> but I don't mind if this can be multi-valued for the multi-RDN >> case. It is equal to the value of the RDN as presented in the RDN. >> >> This is not simply the subtype 'CN -> name', but a new attribute >> unrelated to the existing definition of 'name'. >> >> I don't care what name is assigned to 'name', as I can easily remap >> attributes. >> >> It would be great if this could be constructed such that it may be >> declared to be unique for a particular one-level search (also an AD >> requirement, but not one Samba4 requires or enforces at this time). > > The only problem I see in defining such an attribute is that its > syntax should allow the value of any syntax, so it should probably be > octetString or something like that. Why? IMO such an attribute type could be declared like any other attribute type. If its syntax does not match the syntax of the characteristic attribute invalidAttributeSyntax should be returned. I wonder what the exact requirements for the implementation within slapd are and some very rough ideas as food for thought: 1. slapd shall enforce uniqueness on one-level => I'd vote for an additional feature of slapo-unique to define the scope of uniqueness in a very flexible way 2. Value of 'name' has to match the value of the characteristic attribute. Does this 1. has to be enforced within slapd or 2. could this be enforced within smbd? If 1. maybe the functionality/configuration of slapo-constraint could be extended to define things like this. (I've stumbled across ITS#5704. Isn't that already something like this?) ...more...? In web2ldap's plugin classes I have implemented special treatment for non-compliant notation for the DN part of LDAP URLs to reference a DN based on an entry's DN: . the entry's DN .. the entry's parent DN _ the best matching namingContext for the entry's DN This strings can be appended to DNs. For example: 'ou=Users,_' would always refer to entry ou=Users below an arbitrary naming context. 'ou=My Stuff,.' could refer to a container below a user's entry Maybe something like this could be helpful for an extended configuration of slapo-unique and slapo-constraint. Hmm, also As said only very rough ideas... Ciao, Michael.
michael@stroeder.com wrote: > ando@sys-net.it wrote: >> ----- abartlet@samba.org wrote: >>> Active Directory always presents an attribute 'name' that is always >>> equal to the relative distinguished name. AD allows only one RDN, >>> but I don't mind if this can be multi-valued for the multi-RDN >>> case. It is equal to the value of the RDN as presented in the RDN. >>> >>> This is not simply the subtype 'CN -> name', but a new attribute >>> unrelated to the existing definition of 'name'. >>> >>> I don't care what name is assigned to 'name', as I can easily remap >>> attributes. >>> >>> It would be great if this could be constructed such that it may be >>> declared to be unique for a particular one-level search (also an AD >>> requirement, but not one Samba4 requires or enforces at this time). >> The only problem I see in defining such an attribute is that its >> syntax should allow the value of any syntax, so it should probably be >> octetString or something like that. > > Why? IMO such an attribute type could be declared like any other > attribute type. If its syntax does not match the syntax of the > characteristic attribute invalidAttributeSyntax should be returned. Since we're dealing with something unspecified, you can: - be "strict": only allow the creation of this attribute when the naming attribute's syntax is 2.5.5.12 (unspecified, I understand, but we live in a wild world) - be "liberal": always allow the creation of this attribute by allowing it to contain any value > I wonder what the exact requirements for the implementation within slapd > are and some very rough ideas as food for thought: > > 1. slapd shall enforce uniqueness on one-level > => I'd vote for an additional feature of slapo-unique to define the > scope of uniqueness in a very flexible way > > 2. Value of 'name' has to match the value of the characteristic > attribute. Does this 1. has to be enforced within slapd or 2. could this > be enforced within smbd? > If 1. maybe the functionality/configuration of slapo-constraint could be > extended to define things like this. > (I've stumbled across ITS#5704. Isn't that already something like this?) not exactly, as sets do not allow a placeholder for the naming attribute; maybe something like "this/entryRDN.ava{0}.value" if it existed... p. > ...more...? > > In web2ldap's plugin classes I have implemented special treatment for > non-compliant notation for the DN part of LDAP URLs to reference a DN > based on an entry's DN: > > . the entry's DN > .. the entry's parent DN > _ the best matching namingContext for the entry's DN > > This strings can be appended to DNs. For example: > > 'ou=Users,_' would always refer to entry ou=Users below an arbitrary > naming context. > > 'ou=My Stuff,.' could refer to a container below a user's entry > > Maybe something like this could be helpful for an extended configuration > of slapo-unique and slapo-constraint. > > Hmm, also > > As said only very rough ideas... > > Ciao, Michael. > > Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ----------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Fax: +39 0382 476497 Email: ando@sys-net.it -----------------------------------
Pierangelo Masarati wrote: > michael@stroeder.com wrote: >> (I've stumbled across ITS#5704. Isn't that already something like this?) > > not exactly, as sets do not allow a placeholder for the naming > attribute; maybe something like "this/entryRDN.ava{0}.value" if it > existed... But given that slapd already enforces the characteristic attribute (e.g. 'cn' for 'user' on Samba4) to be part of the entry IMHO this is not needed. Provided the order of the checks are right. So this would be: constraint_attribute name set "this/cn" restrict="ldap:///dc=example,dc=com??sub?(objectClass=user)" constraint_attribute name set "this/ou" restrict="ldap:///dc=example,dc=com??sub?(objectClass=organizationalUnit)" Since uniqueness of 'cn' or 'ou' for one-level search for the above cases is already enforced wouldn't this be sufficient? Maybe I miss something though. Ciao, Michael.
[Resending because I forgot the ITS number in the subject] I have a simple prototype that on add/modrdn populates/maintains an attribute (rdnValue) with the distinguished values of the naming attributes of the RDN. While doing this, it also checks for uniqueness of the rdnValue value within siblings. You can find it here <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c> Please test and comment. I hope it does what intended. p.
changed notes changed state Open to Feedback moved from Software Enhancements to Development
On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote: > [Resending because I forgot the ITS number in the subject] > > I have a simple prototype that on add/modrdn populates/maintains an > attribute (rdnValue) with the distinguished values of the naming > attributes of the RDN. While doing this, it also checks for uniqueness of > the rdnValue value within siblings. > > You can find it here > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c> > > Please test and comment. I hope it does what intended. Can you please remind me in a few days if I don't get to this? I'm keen to try it out, but I'm also busy with other things, so liable to forget. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote: > [Resending because I forgot the ITS number in the subject] > > I have a simple prototype that on add/modrdn populates/maintains an > attribute (rdnValue) with the distinguished values of the naming > attributes of the RDN. While doing this, it also checks for uniqueness of > the rdnValue value within siblings. > > You can find it here > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c> > > Please test and comment. I hope it does what intended. I'm starting to look at this now. I'm sorry so many months have past since you posted it. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
On Tue, 2010-03-02 at 15:30 +1100, Andrew Bartlett wrote: > On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote: > > [Resending because I forgot the ITS number in the subject] > > > > I have a simple prototype that on add/modrdn populates/maintains an > > attribute (rdnValue) with the distinguished values of the naming > > attributes of the RDN. While doing this, it also checks for uniqueness of > > the rdnValue value within siblings. > > > > You can find it here > > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c> > > > > Please test and comment. I hope it does what intended. > > I'm starting to look at this now. I'm sorry so many months have past > since you posted it. I've now added it into Samba's provision, and using the diff I attach, against current 'master', I get the attached error. It seems to be unable to add the base DN. (The very first entry in the database). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> On Tue, 2010-03-02 at 15:30 +1100, Andrew Bartlett wrote: >> On Mon, 2009-08-03 at 20:44 +0200, masarati@aero.polimi.it wrote: >> > [Resending because I forgot the ITS number in the subject] >> > >> > I have a simple prototype that on add/modrdn populates/maintains an >> > attribute (rdnValue) with the distinguished values of the naming >> > attributes of the RDN. While doing this, it also checks for >> uniqueness of >> > the rdnValue value within siblings. >> > >> > You can find it here >> > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2009-08-03-rdnval.2.c> >> > >> > Please test and comment. I hope it does what intended. >> >> I'm starting to look at this now. I'm sorry so many months have past >> since you posted it. > > I've now added it into Samba's provision, and using the diff I attach, > against current 'master', I get the attached error. > > It seems to be unable to add the base DN. (The very first entry in the > database). Try this: <www.aero.polimi.it/masarati/Download/pierangelo-masarati-2010-03-30-rdnval.2.c>. In fact, when adding the suffix entry, the overlay was erroneously checking its siblings from its superior, which is very likely to fail. p.
Refactored rdnval.c available at <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c> attempts to repair the database at startup; useful when the overlay is configured for an existing database. Please test. p.
On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote: > Refactored rdnval.c available at > > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c> > > attempts to repair the database at startup; useful when the overlay is > configured for an existing database. Please test. Sadly it segfaults on startup (we don't have the DB at startup - we expect the first operations to create them). I produced the environment with Samba4 from master (538a07a80aae72b57e5c23133158c7f214d0c27a) with the attached additional patch TEST_LDAP=yes OPENLDAP_SLAPD=/usr/local/libexec/slapd make quicktest This ran: '/usr/local/libexec/slapd' '-F/scratch/samba-2/source4/st/dc/private/ldap/slapd.d' '-h' 'ldapi://% 2Fscratch%2Fsamba-2%2Fsource4%2Fst%2Fdc%2Fprivate%2Fldap%2Fldapi' '-d0' and running that under gdb produced Program received signal SIGSEGV, Segmentation fault. 0x000000000057ba54 in rdnval_repair (be=0x7fffffffdbe0) at rdnval.c:466 466 op->o_req_dn = op->o_bd->be_suffix[ 0 ]; Missing separate debuginfos, use: debuginfo-install glibc-2.11.90-17.x86_64 libgcc-4.4.3-12.fc13.x86_64 libicu-4.2.1-7.fc12.x86_64 libicu-4.2.1-8.fc13.x86_64 libstdc ++-4.4.3-12.fc13.x86_64 libtool-ltdl-2.2.6-18.fc12.x86_64 libtool-ltdl-2.2.6-18.fc13.x86_64 libuuid-2.17.2-1.fc13.x86_64 mysql-libs-5.1.45-2.fc13.x86_64 postgresql-libs-8.4.3-1.fc13.x86_64 (gdb) p op $1 = (Operation *) 0x7fffffffd4d0 (gdb) p op->o_bd $2 = (BackendDB *) 0x0 (gdb) p *op $3 = {o_hdr = 0x7fffffffd640, o_tag = 99, o_time = 1271737105, o_tincr = 1, o_bd = 0x0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = {bv_len = 0, bv_val = 0x0}, o_request = {oq_add = {rs_modlist = 0x0, rs_e = 0x0}, oq_bind = { rb_method = 0, rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn = {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = 0x0}}, oq_compare = {rs_ava = 0x0}, oq_modify = {rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn = {rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn = 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, bv_val = 0x0}, rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope = 0, rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly = 0, rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val = 0x0}}, oq_abandon = {rs_msgid = 0}, oq_cancel = {rs_msgid = 0}, oq_extended = {rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', o_is_auth_check = 0 '\000', o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 times>, o_controls = 0x7fffffffd788, o_authz = {sai_method = 0, sai_mech = {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, sai_tls_ssf = 0, sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x0, o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}} (gdb) -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote: >> Refactored rdnval.c available at >> >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c> >> >> attempts to repair the database at startup; useful when the overlay is >> configured for an existing database. Please test. > > Sadly it segfaults on startup (we don't have the DB at startup - we > expect the first operations to create them). It's not that sad: this overlay is not intended to be used as global. You should use it within any database you want the rdnvalue stored. I haven't considered yet how hard it would be to allow it to be global, and if it's worth. Since it needs to write operational attributes to the directory, it may run into issues in case non-local storage databases are used, and it'd definitely risk to suffer from authentication issues. Does it make sense for you to add an instance in each database you need rndvalue for? p. > I produced the environment with Samba4 from master > (538a07a80aae72b57e5c23133158c7f214d0c27a) with the attached additional > patch > > TEST_LDAP=yes OPENLDAP_SLAPD=/usr/local/libexec/slapd make quicktest > > This ran: > '/usr/local/libexec/slapd' > '-F/scratch/samba-2/source4/st/dc/private/ldap/slapd.d' '-h' 'ldapi://% > 2Fscratch%2Fsamba-2%2Fsource4%2Fst%2Fdc%2Fprivate%2Fldap%2Fldapi' '-d0' > > and running that under gdb produced > > Program received signal SIGSEGV, Segmentation fault. > 0x000000000057ba54 in rdnval_repair (be=0x7fffffffdbe0) at rdnval.c:466 > 466 op->o_req_dn = op->o_bd->be_suffix[ 0 ]; > Missing separate debuginfos, use: debuginfo-install > glibc-2.11.90-17.x86_64 libgcc-4.4.3-12.fc13.x86_64 > libicu-4.2.1-7.fc12.x86_64 libicu-4.2.1-8.fc13.x86_64 libstdc > ++-4.4.3-12.fc13.x86_64 libtool-ltdl-2.2.6-18.fc12.x86_64 > libtool-ltdl-2.2.6-18.fc13.x86_64 libuuid-2.17.2-1.fc13.x86_64 > mysql-libs-5.1.45-2.fc13.x86_64 postgresql-libs-8.4.3-1.fc13.x86_64 > (gdb) p op > $1 = (Operation *) 0x7fffffffd4d0 > (gdb) p op->o_bd > $2 = (BackendDB *) 0x0 > (gdb) p *op > $3 = {o_hdr = 0x7fffffffd640, o_tag = 99, o_time = 1271737105, o_tincr = > 1, o_bd = 0x0, o_req_dn = {bv_len = 0, bv_val = 0x0}, o_req_ndn = > {bv_len = 0, bv_val = 0x0}, o_request = {oq_add = {rs_modlist = 0x0, > rs_e = 0x0}, oq_bind = { > rb_method = 0, rb_cred = {bv_len = 0, bv_val = 0x0}, rb_edn = > {bv_len = 0, bv_val = 0x0}, rb_ssf = 0, rb_mech = {bv_len = 0, bv_val = > 0x0}}, oq_compare = {rs_ava = 0x0}, oq_modify = {rs_mods = {rs_modlist = > 0x0, > rs_no_opattrs = 0 '\000'}, rs_increment = 0}, oq_modrdn = > {rs_mods = {rs_modlist = 0x0, rs_no_opattrs = 0 '\000'}, rs_deleteoldrdn > = 0, rs_newrdn = {bv_len = 0, bv_val = 0x0}, rs_nnewrdn = {bv_len = 0, > bv_val = 0x0}, > rs_newSup = 0x0, rs_nnewSup = 0x0}, oq_search = {rs_scope = 0, > rs_deref = 0, rs_slimit = 0, rs_tlimit = 0, rs_limit = 0x0, rs_attrsonly > = 0, rs_attrs = 0x0, rs_filter = 0x0, rs_filterstr = {bv_len = 0, bv_val > = 0x0}}, > oq_abandon = {rs_msgid = 0}, oq_cancel = {rs_msgid = 0}, oq_extended > = {rs_reqoid = {bv_len = 0, bv_val = 0x0}, rs_flags = 0, rs_reqdata = > 0x0}, oq_pwdexop = {rs_extended = {rs_reqoid = {bv_len = 0, bv_val = > 0x0}, rs_flags = 0, > rs_reqdata = 0x0}, rs_old = {bv_len = 0, bv_val = 0x0}, rs_new = > {bv_len = 0, bv_val = 0x0}, rs_mods = 0x0, rs_modtail = 0x0}}, o_abandon > = 0, o_cancel = 0, o_groups = 0x0, o_do_not_cache = 0 '\000', > o_is_auth_check = 0 '\000', > o_dont_replicate = 0 '\000', o_acl_priv = ACL_NONE, o_nocaching = 0 > '\000', o_delete_glue_parent = 0 '\000', o_no_schema_check = 0 '\000', > o_no_subordinate_glue = 0 '\000', o_ctrlflag = '\000' <repeats 31 > times>, > o_controls = 0x7fffffffd788, o_authz = {sai_method = 0, sai_mech = > {bv_len = 0, bv_val = 0x0}, sai_dn = {bv_len = 0, bv_val = 0x0}, sai_ndn > = {bv_len = 0, bv_val = 0x0}, sai_ssf = 0, sai_transport_ssf = 0, > sai_tls_ssf = 0, > sai_sasl_ssf = 0}, o_ber = 0x0, o_res_ber = 0x0, o_callback = 0x0, > o_ctrls = 0x0, o_csn = {bv_len = 0, bv_val = 0x0}, o_private = 0x0, > o_extra = {slh_first = 0x0}, o_next = {stqe_next = 0x0}} > (gdb) > > > -- > Andrew Bartlett http://samba.org/~abartlet/ > Authentication Developer, Samba Team http://samba.org > Samba Developer, Cisco Inc. > >
On Tue, 2010-04-20 at 07:11 +0200, masarati@aero.polimi.it wrote: > > On Mon, 2010-04-19 at 02:15 +0200, masarati@aero.polimi.it wrote: > >> Refactored rdnval.c available at > >> > >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-18-rdnval.c> > >> > >> attempts to repair the database at startup; useful when the overlay is > >> configured for an existing database. Please test. > > > > Sadly it segfaults on startup (we don't have the DB at startup - we > > expect the first operations to create them). > > It's not that sad: this overlay is not intended to be used as global. You > should use it within any database you want the rdnvalue stored. I haven't > considered yet how hard it would be to allow it to be global, and if it's > worth. Since it needs to write operational attributes to the directory, > it may run into issues in case non-local storage databases are used, and > it'd definitely risk to suffer from authentication issues. Does it make > sense for you to add an instance in each database you need rndvalue for? That's no problem at all. It now just fails in the same was as without the patch. I'll mention it on openldap-technical if I can't get assistance on #ldap. Then, when I get past that, I'll get back to this! Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> That's no problem at all. Good. This version explicitly check for instantiation as global, and also does some further sanity checks prior to startup. <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c> > It now just fails in the same was as without > the patch. I'll mention it on openldap-technical if I can't get > assistance on #ldap. Not quite clear what patch and what failure you refer to. Anyway, I've tested this version of the overlay as global (refuses to start) and on a database, either empty or populated, and it works as intended. Please test and report. Thanks, p.
On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote: > > That's no problem at all. > > Good. This version explicitly check for instantiation as global, and also > does some further sanity checks prior to startup. > > <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c> > > > It now just fails in the same was as without > > the patch. I'll mention it on openldap-technical if I can't get > > assistance on #ldap. > > Not quite clear what patch and what failure you refer to. Anyway, I've > tested this version of the overlay as global (refuses to start) and on a > database, either empty or populated, and it works as intended. Please > test and report. Thanks, p. It seems to be working well. When can I expect it to be in the tree? (I'll then require folks to use the current OpenLDAP CVS if they want to use the LDAP backend). Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote: >> > That's no problem at all. >> >> Good. This version explicitly check for instantiation as global, and >> also >> does some further sanity checks prior to startup. >> >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c> >> >> > It now just fails in the same was as without >> > the patch. I'll mention it on openldap-technical if I can't get >> > assistance on #ldap. >> >> Not quite clear what patch and what failure you refer to. Anyway, I've >> tested this version of the overlay as global (refuses to start) and on a >> database, either empty or populated, and it works as intended. Please >> test and report. Thanks, p. > > It seems to be working well. When can I expect it to be in the tree? > > (I'll then require folks to use the current OpenLDAP CVS if they want to > use the LDAP backend). I can commit it in a minute. It's not 100% clear to me what's the most appropriate location: slapd/overlays/ may not, as this looks like something definitely specific to Samba4; probably, contrib/slapd-modules/ is more appropriate. Perhaps, a contrib/slapd-modules/samba4/ would be the most appropriate, along with future specific (i.e. not of general usefulness) modules, as we did for the nssov module. Comments? I mean, from others, not only from you :) p.
On Wed, 2010-04-21 at 03:44 +0200, masarati@aero.polimi.it wrote: > > On Tue, 2010-04-20 at 15:37 +0200, masarati@aero.polimi.it wrote: > >> > That's no problem at all. > >> > >> Good. This version explicitly check for instantiation as global, and > >> also > >> does some further sanity checks prior to startup. > >> > >> <ftp://ftp.openldap.org/incoming/pierangelo-masarati-2010-04-20-rdnval.2.c> > >> > >> > It now just fails in the same was as without > >> > the patch. I'll mention it on openldap-technical if I can't get > >> > assistance on #ldap. > >> > >> Not quite clear what patch and what failure you refer to. Anyway, I've > >> tested this version of the overlay as global (refuses to start) and on a > >> database, either empty or populated, and it works as intended. Please > >> test and report. Thanks, p. > > > > It seems to be working well. When can I expect it to be in the tree? > > > > (I'll then require folks to use the current OpenLDAP CVS if they want to > > use the LDAP backend). > > I can commit it in a minute. It's not 100% clear to me what's the most > appropriate location: slapd/overlays/ may not, as this looks like > something definitely specific to Samba4; probably, contrib/slapd-modules/ > is more appropriate. Perhaps, a contrib/slapd-modules/samba4/ would be > the most appropriate, along with future specific (i.e. not of general > usefulness) modules, as we did for the nssov module. > > Comments? I mean, from others, not only from you :) My only concern is that it be maintained, so that the OpenLDAP backend can be a supported part of Samba4 into the long term. (I know it's not been in good shape for the past while, but there is hope we can get it back on track). Do contrib modules come with this level of maintenance? Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> My only concern is that it be maintained, so that the OpenLDAP backend > can be a supported part of Samba4 into the long term. (I know it's not > been in good shape for the past while, but there is hope we can get it > back on track). > > Do contrib modules come with this level of maintenance? Inherently no, because they would not be configured/built along with the rest of the package. Of course, as soon as users (possibly including myself) notice issues, they would be maintained (see for example nssov). The most straightforward way of having it routinely built is to place it in slapd/overlays/; I guess this needs consensus from the rest of the team. I'd vote in favor; please holler. p.
masarati@aero.polimi.it wrote: >> My only concern is that it be maintained, so that the OpenLDAP backend >> can be a supported part of Samba4 into the long term. (I know it's not >> been in good shape for the past while, but there is hope we can get it >> back on track). >> >> Do contrib modules come with this level of maintenance? > > Inherently no, because they would not be configured/built along with the > rest of the package. Of course, as soon as users (possibly including > myself) notice issues, they would be maintained (see for example nssov). > > The most straightforward way of having it routinely built is to place it > in slapd/overlays/; I guess this needs consensus from the rest of the > team. I'd vote in favor; please holler. I think contrib is the right place for now. It seems to me that the requirements here are still a moving target, so it's better in contrib. (Contrib items are free to add new features independent of the rest of the release cycle. Items in the main slapd/overlays are more constrained to bugfixes-only within a release cycle.) -- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
On Wed, 2010-04-21 at 04:32 +0200, masarati@aero.polimi.it wrote: > > My only concern is that it be maintained, so that the OpenLDAP backend > > can be a supported part of Samba4 into the long term. (I know it's not > > been in good shape for the past while, but there is hope we can get it > > back on track). > > > > Do contrib modules come with this level of maintenance? > > Inherently no, because they would not be configured/built along with the > rest of the package. Of course, as soon as users (possibly including > myself) notice issues, they would be maintained (see for example nssov). > > The most straightforward way of having it routinely built is to place it > in slapd/overlays/; I guess this needs consensus from the rest of the > team. I'd vote in favor; please holler. My eventual goal is that folks using a Ubuntu or Fedora system would have Samba4 'just work' with the packaged OpenLDAP. I can of course lobby them to get their packages updated to build from contrib, but it's easier if it's just in there. Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the short term, it is of course easier for me if everything is already in place. But this is your project, not mine, and I am happy with whatever we can make work. Andrew Bartlett -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> masarati@aero.polimi.it wrote: >>> My only concern is that it be maintained, so that the OpenLDAP backend >>> can be a supported part of Samba4 into the long term. (I know it's not >>> been in good shape for the past while, but there is hope we can get it >>> back on track). >>> >>> Do contrib modules come with this level of maintenance? >> >> Inherently no, because they would not be configured/built along with the >> rest of the package. Of course, as soon as users (possibly including >> myself) notice issues, they would be maintained (see for example nssov). >> >> The most straightforward way of having it routinely built is to place it >> in slapd/overlays/; I guess this needs consensus from the rest of the >> team. I'd vote in favor; please holler. > > I think contrib is the right place for now. It seems to me that the > requirements here are still a moving target, so it's better in contrib. > (Contrib items are free to add new features independent of the rest of the > release cycle. Items in the main slapd/overlays are more constrained to > bugfixes-only within a release cycle.) Fair enough. I've started committing stuff to contrib/slapd-modules/samba4 p.
> My eventual goal is that folks using a Ubuntu or Fedora system would > have Samba4 'just work' with the packaged OpenLDAP. I can of course > lobby them to get their packages updated to build from contrib, but it's > easier if it's just in there.=20 > > Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the > short term, it is of course easier for me if everything is already in > place.=20 > > But this is your project, not mine, and I am happy with whatever we can > make work.=20 Right now, along the lines illustrated by Howard, I've committed everything to contrib/slapd-modules/samba4. You may need to tweak the Makefile if you are not building in the source tree (as I usually do; then adjust LDAP_BUILD to your build tree), and if you wish to install modules in some specific place (prefix, exec_prefix, ldap_subdir). My medium term objective would be to have: - generally useful modules built-in (e.g. slapo-deref) - Samba4-specific modules all in one contrib directory, possibly harmonized and consolidated when possible in a single module, to ease configuration and maintenance The latter could then have a specific configure, if needed, so that packagers could make and install them as easily as possible. In the meanwhile, we should live with this interim solution. Time permitting, I see no issue in maintaining that code, much like we already do with the other modules. p.
On Wed, 2010-04-21 at 05:42 +0200, masarati@aero.polimi.it wrote: > > My eventual goal is that folks using a Ubuntu or Fedora system would > > have Samba4 'just work' with the packaged OpenLDAP. I can of course > > lobby them to get their packages updated to build from contrib, but it's > > easier if it's just in there.=20 > > > > Similarly, when I ask folks to configure with 'OpenLDAP HEAD' in the > > short term, it is of course easier for me if everything is already in > > place.=20 > > > > But this is your project, not mine, and I am happy with whatever we can > > make work.=20 > > Right now, along the lines illustrated by Howard, I've committed > everything to contrib/slapd-modules/samba4. You may need to tweak the > Makefile if you are not building in the source tree (as I usually do; then > adjust LDAP_BUILD to your build tree), and if you wish to install modules > in some specific place (prefix, exec_prefix, ldap_subdir). > > My medium term objective would be to have: > > - generally useful modules built-in (e.g. slapo-deref) > > - Samba4-specific modules all in one contrib directory, possibly > harmonized and consolidated when possible in a single module, to ease > configuration and maintenance > > The latter could then have a specific configure, if needed, so that > packagers could make and install them as easily as possible. In the > meanwhile, we should live with this interim solution. Time permitting, I > see no issue in maintaining that code, much like we already do with the > other modules. Can you give me the exact commands I need to put into the wiki, for a user to go from a checkout of OpenLDAP, to a build with this module installed just like all the others? Thanks, -- Andrew Bartlett http://samba.org/~abartlet/ Authentication Developer, Samba Team http://samba.org Samba Developer, Cisco Inc.
> Can you give me the exact commands I need to put into the wiki, for a > user to go from a checkout of OpenLDAP, to a build with this module > installed just like all the others? Assuming one builds in the tree, - follow instructions for anonymous CVS checkout of HEAD branch <http://www.openldap.org/software/repo.html#AnonCVS> - cd contrib/slapd-modules/samba4 - edit Makefile if needed; as it is, it assumes you build in tree, and installs in /usr/local/libexec/openldap - make; make install - in slapd.conf: modulepath /usr/local/libexec/openldap moduleload rdnval.la # ... database hdb # ... overlay rdnval That's it. p.
a proposed overlay is available