Hi Brian,

just FTR, the ads-contextentry configuration element contains the partition context entry (doh !) :


ads-contextentry:: ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY
 XNzOiBkb21haW4Kb2JqZWN0Y2xhc3M6IHRvcAoK

translates to :

dn: dc=example,dc=com
dc: example
objectclass: domain
objectclass: top

when you decode the base64 value.

Obviously, the base64 is order dependent. Typically, encoding the same entry with a reverted attribute like :

dn: dc=example,dc=com
dc: example
objectclass: top
objectclass: domain

gives this result :


ads-contextentry:: ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY
 XNzOiB0b3AKb2JqZWN0Y2xhc3M6IGRvbWFpbg==


Note that regardless of the change, the server will accept both entries and will work fine.

Now, if you want to generate the proper Base64 encoding from a LDIF entry, I suggest you use a tool like https://www.base64encode.org/, where you can copy/paste the entry and encode it (be aware that spaces or NL at the end of the file will also be translated). You will then just have to copy/paste the result into the ads-contextentry attribute.

The reason we store the entry base 64 encoded is because it will contain NL, and that will not fit well with the containing LDIF file. For instance, using that :

ads-contextentry: dn: dc=example,dc=com
dc: example
objectclass: top
objectclass: domain

will simply not work, as the configuration reader will not be able to understand what these "dc" and "ObjectClass" lines are good for...

I hope I clarified this part of the configuration...


On 06/11/2019 10:36, Brian Burch wrote:
Emmanuel helped me a lot when I added the new section to the wiki more than 2 years ago. The users mailing list thread carried the subject "ApacheDS 2.0.0-M23 non-gui adding a partition".

I am slowly working my way through migration of my ubuntu 16.04 LTS i386 apacheds M23 production system to an ubuntu 18.04 LTS amd64 AM25 platform. I won't bore you with my war stories, but I intend to reflect some of my lessons learnt in the wiki.

I've had a painful and frustrating time trying to follow my own instructions in the wiki! Eventually, I realised my M23 partition was working fine /even though/ its ads-contextentry value has always been completely wrong! I haven't investigated how this might have happened, but I want to be sure the new partition I create on my AM25 system is correct.

I have created a series of scripts and crib sheets to document clearly how the ads-contextentry base64 hash has been generated for the example partition. However, I now realise I am not 100% clear how to create a valid base64 for my own partition.

By carefully hashing 4 specific lines of the example root entry I can generate the correct hash. These lines are:

dn: dc=example,dc=com
dc: example
objectclass: domain
objectclass: top

The dn value corresponds to the ads-partitionsuffix attribute. The dc value corresponds to the ads-partitionid attribute.

The objectclass value of top is required in all ldapobjects, but I don't see where the "objectclass: domain" comes from, or even why it is specified before top, because their respective orders will alter the value of the base64 hash.

Also, I am puzzled about what ldapattributes I need to hash for my own partition. Its top-level ldapentry follows the "old school" convention, and I am very reluctant to change it because there are so many dependencies within the directory, but also the various applications which rely on the directory.

The top entry looks like this:

dn: O=PingToo.com
objectclass: top
objectclass: organization
o: PingToo.com

Obviously, the order of these attributes and also the exact use of letter case (and any white space) will alter the resultant ads-contextentry hash.

Can anyone offer me some advice on how and why to do this correctly, please?

Once I have successfully created my new partition I hope to understand the algorithm properly and will update the wiki page to explain the process more clearly.

Regards,

Brian

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@directory.apache.org
For additional commands, e-mail: dev-h...@directory.apache.org
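
Added example (not part of the original thread and not ApacheDS code): a Python sketch of the encoding step described in the reply above. It builds the folded ads-contextentry value from an LDIF entry, decodes it back, and compares two values independently of attribute order. The function names and the 76-column fold width are assumptions; the two sample entries are the ones quoted in the thread.

```python
import base64

ATTR = "ads-contextentry"
WIDTH = 76  # assumed fold column; it reproduces the wrapped lines quoted in the thread

# The two entries from the thread, exactly as their base64 values decode:
# the first ends with two newlines, the second has no trailing newline.
ENTRY_A = "dn: dc=example,dc=com\ndc: example\nobjectclass: domain\nobjectclass: top\n\n"
ENTRY_B = "dn: dc=example,dc=com\ndc: example\nobjectclass: top\nobjectclass: domain"

def encode_context_entry(ldif_entry: str) -> str:
    """Return the folded 'ads-contextentry:: <base64>' lines for an LDIF entry.

    The text is encoded byte for byte, so attribute order, letter case and
    trailing spaces or newlines all change the result.
    """
    b64 = base64.b64encode(ldif_entry.encode("utf-8")).decode("ascii")
    line = f"{ATTR}:: {b64}"
    parts, rest = [line[:WIDTH]], line[WIDTH:]
    while rest:
        # LDIF continuation lines start with a single space
        parts.append(" " + rest[:WIDTH - 1])
        rest = rest[WIDTH - 1:]
    return "\n".join(parts)

def decode_context_entry(attr_lines: str) -> str:
    """Unfold a (possibly wrapped) ads-contextentry value and decode it."""
    lines = attr_lines.splitlines()
    unfolded = lines[0] + "".join(l[1:] for l in lines[1:] if l.startswith(" "))
    name, sep, value = unfolded.partition("::")
    if name.strip().lower() != ATTR or not sep:
        raise ValueError("not a base64-encoded ads-contextentry attribute")
    return base64.b64decode(value.strip(), validate=True).decode("utf-8")

def normalize(ldif_entry: str) -> set:
    """Order-insensitive view of an entry made of plain 'name: value' lines."""
    pairs = set()
    for l in ldif_entry.splitlines():
        if l.strip():
            name, _, value = l.partition(":")
            pairs.add((name.strip().lower(), value.strip()))
    return pairs

if __name__ == "__main__":
    for entry in (ENTRY_A, ENTRY_B):
        folded = encode_context_entry(entry)
        print(folded)
        print(repr(decode_context_entry(folded)))
    print("same entry content:", normalize(ENTRY_A) == normalize(ENTRY_B))
```

Decoding an existing ads-contextentry value with `decode_context_entry` before editing it is a quick way to confirm what a configuration file really contains.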

