Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Dave Horsfall

On Fri, 13 Oct 2017, richard lucassen wrote:

> GUI ldap clients like jxplorer are able to change a single mail: entry.
> Using "ldapmodify" I replace the first mail: entry, but it will delete
> the other mail: entries:
>
> #
>
> change.diff file:
>
> dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=com
> changetype: modify
> replace: mail
> mail: otheru...@example.com
> -


In other words, it did exactly what you told it to do i.e. replace an 
attribute that happened to have multiple values with one that has but a 
single value; you need to specify the entire set of desired values.


What a third-party application does is irrelevant; plainly it hid this 
detail from you.


--
Dave Horsfall DTM (VK2KFU)  "Those who don't understand security will suffer."



Re: Ensure uniqueness over multiple attributes?

2017-10-13 Thread Michael Ströder
Karsten Heymann wrote:
> IMHO this does not work without adding all possible values to at least
> one of the attributes *or* SUP-ing all attribute values from a common
> attribute type.
> 
> How would attribute inheritance tie into this? I'm relatively free in
> modifying our ldap schema so making mailAlias SUP mail would be possible. 

slapo-unique simply searches for an attribute type and value (should be
eq-indexed). A SUP-ed attribute type also matches a search for all
sub-types.

E.g. try searching with parent attribute 'name'.

Note: Depending on your clients and attributes used this might *not* be
what you want.

In my LDAP directories for e-mail the value in 'mail' is always also
present in e.g. 'mailLocalAddress' for which I have a unique constraint.

Ciao, Michael.
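
A check for the requirement discussed in this thread (an address may belong to only one entry, whether it sits in mail or mailAlias), as an added example that is not part of any post here and is not slapo-unique code. It audits an LDIF export offline; the function name shared_addresses and the sample entries are constructed, and mailAlias is the attribute name used in the question.

```python
# Added example: offline audit of an LDIF export, not slapo-unique itself.
# Assumed names: mailAlias comes from the thread; the sample data is constructed.
from collections import defaultdict

CHECKED = {"mail", "mailalias"}           # attribute types treated as one pool

def shared_addresses(ldif):
    """Return {address: [DNs]} for addresses claimed by more than one entry."""
    owners, dn = defaultdict(set), None
    for line in ldif.replace("\n ", "").splitlines():   # undo RFC 2849 folding
        if not line.strip():
            dn = None                      # a blank line ends the entry
            continue
        key, _, val = line.partition(":")
        key, val = key.strip().lower(), val.strip()
        if key == "dn":
            dn = val
        elif dn and key in CHECKED and not val.startswith(":"):  # skip base64
            owners[val.lower()].add(dn)    # addresses compare case-insensitively
    return {a: sorted(d) for a, d in owners.items() if len(d) > 1}

SAMPLE = """\
dn: cn=Alice,ou=people,dc=example,dc=com
mail: alice@example.com
mailAlias: sales@example.com

dn: cn=Bob,ou=people,dc=example,dc=com
mail: Sales@example.com
mailAlias: bob@example.com

dn: cn=Carol,ou=people,dc=example,dc=com
mail: carol@example.com
mailAlias: carol@example.com
"""

for address, dns in shared_addresses(SAMPLE).items():
    print(address, "->", "; ".join(dns))
```

An address repeated inside one entry (Carol above) is not reported; only addresses held by two or more DNs are.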





Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Michael Ströder
richard lucassen wrote:
> How do I tell ldapmodify just to delete 1 particular item with
> AttributeValue=X, and not all of them?

Read about LDIF change records in RFC 2849.
Especially the examples section.

https://tools.ietf.org/html/rfc2849

Ciao, Michael.





Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread richard lucassen
On Fri, 13 Oct 2017 08:10:44 -0700
Quanah Gibson-Mount  wrote:

> > How do I tell ldapmodify just to delete 1 particular item with
> > AttributeValue=X, and not all of them?
> 
> You do a delete+add, just like Dieter said.  What you did in your
> example was a replace op.
> 
> I.e., you'd do something like:
> 
> dn: 
> changetype: modify
> delete: mail
> mail: my-value
> -
> add: mail
> mail: my-value

Ah, ok, the manpage does not provide this information. There is just a
"replace" example.

Thnx to the both of you!

R.

-- 
richard lucassen
http://contact.xaq.nl/



Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Ralf Mattes

On Friday, 13 October 2017 17:06 CEST, richard lucassen wrote:

> On Fri, 13 Oct 2017 14:29:23 +0200
> "Ralf Mattes"  wrote:
>
> > > mail: us...@example.com
> > > mail: us...@example.com
> > > mail: us...@example.com
> > >
> > > Is there a way to tell ldapmodify to change just a particular entry?
> >
> > A change of a single value equals a delete of that value plus an add
> > of the new value, doesn't it?
>
> Yep, but ldapmodify deletes *all* "mail:" entries. If I tcpdump the
> stream of a jxplorer session, I see a modify request, which consists of
> indeed a delete and an add. But the "delete" has an attribute value:

Of course, that was my whole point - you need to delete the value you want to
modify, then add the new value.

> +modification: 2 items
>  +modification: item
>    operation: delete (1)
>    + modification: mail
>       type: mail
>      + vals: 1 item
>         AttributeValue: us...@example.com
>    operation: add (0)
>    + modification: mail
>       type: mail
>      + vals: 1 item
>         AttributeValue: otheru...@example.com
>
> How do I tell ldapmodify just to delete 1 particular item with
> AttributeValue=X, and not all of them?

changetype: modify
delete: 
: 

HTH, Ralf Mattes

>
> R.
>
> --
> richard lucassen
> http://contact.xaq.nl/
>









Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Quanah Gibson-Mount
--On Friday, October 13, 2017 6:06 PM +0200 richard lucassen wrote:

> How do I tell ldapmodify just to delete 1 particular item with
> AttributeValue=X, and not all of them?


You do a delete+add, just like Dieter said.  What you did in your example 
was a replace op.


I.e., you'd do something like:

dn: 
changetype: modify
delete: mail
mail: my-value
-
add: mail
mail: my-value

--Quanah




--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:
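
The difference between the replace record from the original question and the delete+add record given in the reply above, as an added example that is not part of any post in this thread: a small Python model of how a server applies each modification to a multi-valued attribute. The function names parse_modify and apply_modify and the addresses are constructed for illustration.

```python
# Added example: a model of LDAP modify semantics, not OpenLDAP code.
# Simplified: no LDIF folding/base64, values compared as exact strings.
def parse_modify(ldif):
    """Parse one 'changetype: modify' record into [(op, attr, values)]."""
    mods, cur = [], None
    for line in (l.strip() for l in ldif.splitlines()):
        key, _, val = (p.strip() for p in line.partition(":"))
        if line == "-":                      # separator closes the current mod
            cur = None
        elif not line or key in ("dn", "changetype"):
            pass
        elif cur is None:                    # "delete: mail" opens a mod
            if key not in ("add", "delete", "replace"):
                raise ValueError("unknown operation: " + key)
            cur = (key, val, [])
            mods.append(cur)
        else:                                # "mail: value" belongs to it
            cur[2].append(val)
    return mods

def apply_modify(entry, mods):
    """Return a copy of entry ({attr: [values]}) with mods applied in order."""
    out = {a: list(v) for a, v in entry.items()}
    for op, attr, vals in mods:
        have = out.pop(attr, [])
        if op == "replace":                  # swaps the whole value set
            have = list(vals)
        elif op == "add":
            if any(v in have for v in vals):
                raise ValueError("attributeOrValueExists")
            have = have + vals
        elif not vals:                       # delete without values: drop all
            have = []
        elif any(v not in have for v in vals):
            raise ValueError("noSuchAttribute")
        else:                                # delete only the listed values
            have = [v for v in have if v not in vals]
        if have:
            out[attr] = have
    return out

# Constructed sample entry and change records (addresses are made up).
ENTRY = {"mail": ["a@example.com", "b@example.com", "c@example.com"]}
HEAD = "dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=com\nchangetype: modify\n"
REPLACE = HEAD + "replace: mail\nmail: new@example.com\n-\n"
DELETE_ADD = HEAD + ("delete: mail\nmail: a@example.com\n-\n"
                     "add: mail\nmail: new@example.com\n")
print(apply_modify(ENTRY, parse_modify(REPLACE)))      # other values are gone
print(apply_modify(ENTRY, parse_modify(DELETE_ADD)))   # other values survive
```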





Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread richard lucassen
On Fri, 13 Oct 2017 14:29:23 +0200
"Ralf Mattes"  wrote:

> > mail: us...@example.com
> > mail: us...@example.com
> > mail: us...@example.com
> > 
> > Is there a way to tell ldapmodify to change just a particular entry?
> 
> A change of a single value equals a delete of that value plus an add
> of the new value, doesn't it?

Yep, but ldapmodify deletes *all* "mail:" entries. If I tcpdump the
stream of a jxplorer session, I see a modify request, which consists of
indeed a delete and an add. But the "delete" has an attribute value:

+modification: 2 items
 +modification: item
   operation: delete (1)
   + modification: mail
      type: mail
     + vals: 1 item
        AttributeValue: us...@example.com
   operation: add (0)
   + modification: mail
      type: mail
     + vals: 1 item
        AttributeValue: otheru...@example.com

How do I tell ldapmodify just to delete 1 particular item with
AttributeValue=X, and not all of them?

R.

-- 
richard lucassen
http://contact.xaq.nl/



Re: Small tip to speed up large imports with ldapadd

2017-10-13 Thread Quanah Gibson-Mount
--On Friday, October 13, 2017 5:44 PM +0200 Karsten Heymann wrote:

> Hi Quanah,
>
> 2017-10-13 16:15 GMT+02:00 Quanah Gibson-Mount :
>> Why not just set dbnosync option as documented in the
>> slapd-mdb(5)/slapd-bdb(5)/slapd-hdb(5) man pages?
>
> I tried that as well, and it made the import faster, but at least in my
> setup using eatmydata still was a *lot* faster.
>
> Another option, which I didn't think about when building my test setup,
> would have been to put the data directory into a ram disk during the
> import and move it to disk afterwards.
>
> Either way, each variant seems quite similar with regard to what effort
> they take, so I'm quite happy with my setup.


If you're using back-mdb, you could play with the writemap environment flag 
as well.


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: Ensure uniqueness over multiple attributes?

2017-10-13 Thread Karsten Heymann
2017-10-13 16:25 GMT+02:00 Michael Ströder :

> Dieter Klünter wrote:
> > slapo-unique(5) plus slapo-constraint(5)
>

Interesting, I hadn't that in mind. Unfortunately I think Michael is right
that using a constraint in this scenario won't work. But I have other uses
for slapo-constraint in mind already.


> IMHO this does not work without adding all possible values to at least
> one of the attributes *or* SUP-ing all attribute values from a common
> attribute type.
>

How would attribute inheritance tie into this? I'm relatively free in
modifying our ldap schema so making mailAlias SUP mail would be possible.

+Karsten


Re: Small tip to speed up large imports with ldapadd

2017-10-13 Thread Karsten Heymann
Hi Quanah,

2017-10-13 16:15 GMT+02:00 Quanah Gibson-Mount :
>
> Why not just set dbnosync option as documented in the
> slapd-mdb(5)/slapd-bdb(5)/slapd-hdb(5) man pages?
>

I tried that as well, and it made the import faster, but at least in my
setup using eatmydata still was a *lot* faster.

Another option, which I didn't think about when building my test setup,
would have been to put the data directory into a ram disk during the import
and move it to disk afterwards.

Either way, each variant seems quite similar with regard to what effort
they take, so I'm quite happy with my setup.

BR
Karsten


Re: Ensure uniqueness over multiple attributes?

2017-10-13 Thread Michael Ströder
Dieter Klünter wrote:
> On Fri, 13 Oct 2017 14:44:09 +0200
> Karsten Heymann wrote:
>> does the unique overlay support checking multiple values for a single
>> uniqueness check? Our clients can use emails in two attributes (think
>> mail and mailAlias) and addresses have to be unique in regard to both
>> fields, which means an address that is used in either of them cannot
>> be used in any other of them. Is that possible?
> 
> slapo-unique(5) plus slapo-constraint(5)

IMHO this does not work without adding all possible values to at least
one of the attributes *or* SUP-ing all attribute values from a common
attribute type.

Ciao, Michael.





Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Quanah Gibson-Mount
--On Friday, October 13, 2017 3:29 PM +0200 Ralf Mattes wrote:

>> Is there a way to tell ldapmodify to change just a particular entry?
>
> A change of a single value equals a delete of that value plus an add of
> the new value, doesn't it?


Yes.

--Quanah



--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: Small tip to speed up large imports with ldapadd

2017-10-13 Thread Quanah Gibson-Mount
--On Friday, October 13, 2017 4:57 PM +0200 Karsten Heymann wrote:

> - I like the way ldapadd logs complete entries it failed to import, that
> makes analysing the cause of the import error much simpler, after e.g.
> fixing the schema I can ldapadd these error files directly again to see if
> the fix works


Why not just set dbnosync option as documented in the 
slapd-mdb(5)/slapd-bdb(5)/slapd-hdb(5) man pages?


--Quanah

--

Quanah Gibson-Mount
Product Architect
Symas Corporation
Packaged, certified, and supported LDAP solutions powered by OpenLDAP:





Re: Ensure uniqueness over multiple attributes?

2017-10-13 Thread Dieter Klünter
On Fri, 13 Oct 2017 14:44:09 +0200
Karsten Heymann wrote:

> Hi,
> 
> does the unique overlay support checking multiple values for a single
> uniqueness check? Our clients can use emails in two attributes (think
> mail and mailAlias) and addresses have to be unique in regard to both
> fields, which means an address that is used in either of them cannot
> be used in any other of them. Is that possible?

slapo-unique(5) plus slapo-constraint(5)

-Dieter

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E



Re: Small tip to speed up large imports with ldapadd

2017-10-13 Thread Karsten Heymann
Hi Ralf,

2017-10-13 15:43 GMT+02:00 Ralf Mattes :
>
> This might be a stupid question or I don't understand your goal, but if you
> shut down your operational server, why don't you use 'slapadd' (optionally
> with the '-q -s' option in case you know your input is consistent)?
>

That's not a stupid question at all, but there are several reasons:

- I like the way ldapadd logs complete entries it failed to import, that
makes analysing the cause of the import error much simpler, after e.g.
fixing the schema I can ldapadd these error files directly again to see if
the fix works
- I don't want to disable any import checks, the main reason I'm doing
these imports is to hunt down import errors in subtrees from different
sources.
- I shortened the example a bit, in reality I'm adding multiple ldif files
into the database during the script

But otherwise slapadd would be of course the better solution.

BR
Karsten


Re: Small tip to speed up large imports with ldapadd

2017-10-13 Thread Ralf Mattes

On Friday, 13 October 2017 15:18 CEST, Karsten Heymann wrote:

> <>
> As I don't care for data consistency *while* importing (if the import
> should abort, I can always restart the process), I'm stopping the regular
> slapd and run it manually under the control of 'eatmydata', a little tool
> that LD_PRELOAD's all filesystem sync operations to noops. This has
> increased the speed of my import tests by several orders of magnitude.

This might be a stupid question or I don't understand your goal, but if you
shut down your operational server, why don't you use 'slapadd' (optionally with
the '-q -s' option in case you know your input is consistent)?

Cheers, Ralf Mattes










Small tip to speed up large imports with ldapadd

2017-10-13 Thread Karsten Heymann
Hi,

as I am in the situation where I have to do large imports with ldapadd, I
wanted to share a little tip that is saving me a lot of time and may be
helpful to others too.

As I don't care for data consistency *while* importing (if the import
should abort, I can always restart the process), I'm stopping the regular
slapd and run it manually under the control of 'eatmydata', a little tool
that LD_PRELOAD's all filesystem sync operations to noops. This has
increased the speed of my import tests by several orders of magnitude.

Here's my script (slightly obfuscated):

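# Stop the regular slapd and wipe the old database files
systemctl stop slapd
rm -f /srv/ldap/data/*
# Start a temporary slapd under eatmydata, listening on ldapi:/// only
systemd-run --unit=slapd-fastimport eatmydata /usr/sbin/slapd -d 0 -s 0 \
    -h ldapi:/// -g openldap -u openldap -F /etc/ldap/slapd.d
sleep 2
# Import; -c continues on errors, -S writes skipped records to errorlog
ldapadd -Y EXTERNAL -H ldapi:/// -Q -c -S errorlog -f data.ldif
systemctl stop slapd-fastimport
sleep 2
systemctl start slapd
# Summarise the import errors by frequency
grep Error: errorlog | sort | uniq -c | sort -n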

Best regards
Karsten


Ensure uniqueness over multiple attributes?

2017-10-13 Thread Karsten Heymann
Hi,

does the unique overlay support checking multiple values for a single
uniqueness check? Our clients can use emails in two attributes (think mail
and mailAlias) and addresses have to be unique in regard to both fields,
which means an address that is used in either of them cannot be used in any
other of them. Is that possible?

+Karsten


Re: [ldapmodify] multiple entries of the same attribute

2017-10-13 Thread Ralf Mattes

On Friday, 13 October 2017 14:16 CEST, richard lucassen wrote:

> Hello list,
>
> I've got records with e.g. multiple mail: entries per dn:
>
> dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org
> [ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ]
> mail: us...@example.com
> mail: us...@example.com
> mail: us...@example.com
>
> GUI ldap clients like jxplorer are able to change a single mail: entry.
> Using "ldapmodify" I replace the first mail: entry, but it will delete
> the other mail: entries:
> <>
>
> Is there a way to tell ldapmodify to change just a particular entry?

A change of a single value equals a delete of that value plus an add of the new 
value, doesn't it?

 Cheers, Ralf Mattes


> R.
>
> --
> richard lucassen
> http://contact.xaq.nl/
>









[ldapmodify] multiple entries of the same attribute

2017-10-13 Thread richard lucassen
Hello list,

I've got records with e.g. multiple mail: entries per dn:

dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org
[ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ]
mail: us...@example.com
mail: us...@example.com
mail: us...@example.com

GUI ldap clients like jxplorer are able to change a single mail: entry.
Using "ldapmodify" I replace the first mail: entry, but it will delete
the other mail: entries:

#

change.diff file:

dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=com
changetype: modify
replace: mail
mail: otheru...@example.com
-

#

invoke:

ldapmodify -x -D "cn=admin,dc=example,dc=com" -W -f change.ldif

#

result:

dn: cn=Joe Sixpack,ou=addressbook,dc=example,dc=org
[ 8< 8< 8< snip objectclasses and other stuff 8< 8< 8< ]
mail: otheru...@example.com

#

Is there a way to tell ldapmodify to change just a particular entry?

R.

-- 
richard lucassen
http://contact.xaq.nl/