[389-users] 389 python library and freeipa scripts
Hi Rich and any other interested people,

I created a new branch of the dsadmin library to reorganize its methods.
https://github.com/ioggstream/dsadmin/tree/renaming_methods

While doing this I'll try to merge some of the work made in freeipa .py scripts - partly based on Rich's work.

The final result should let you access stuff like this:

    conn = DSAdmin(host='localhost', port=389)

    # all backend methods under .backend
    conn.backend.add()
    conn.backend.list(suffix=None)

    # all replication stuff under .replica
    conn.replica.add()
    conn.replica.list()               # entries
    conn.replica.agreements(dn=True)  # list only agreements' dn
    conn.replica.agreements_add()
    conn.replica.ruv(suffix=None)     # get ruv

Your opinion/support is welcome!

Peace,
R.

--
Roberto Polli
Community Manager
Babel S.r.l. - http://www.babel.it
T: +39.06.9826.9651 M: +39.340.652.2736 F: +39.06.9826.9680
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

CONFIDENTIAL: This message and its attachments are confidential and intended for the addressees. Unauthorized forwarding to recipients other than those indicated in the original message is prohibited. If received in error, use of the content is prohibited; please notify the sender and delete it immediately.

--
389 users mailing list
389-users@lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/389-users
Re: [389-users] 389 hang while upgrading from 1.2.2 to 1.2.10
Hi Rich,

On Tuesday 19 March 2013 13:19:08 Rich Megginson wrote:
> Looks like you might need to do a manual db upgrade procedure, even though you should not be affected by the subtree rename conditions, as in
> http://port389.org/wiki/Subtree_Rename#warning:_upgrade_from_389_v1.2.6_.28a.3F.2C_rc1_.7E_rc6.29_to_v1.2.6_rc6_or_newer

Thank you very much for your support!
Maybe it's better to trash the old data and reinitialize the newly installed server using replication or a restore ;)

Peace,
R.
Re: [389-users] dsadmin python library - using signature to document methods
Hi Rich,

what do you think about using function signature to improve method documentation?

Ex. in

    def setupReplica(self, args):

we
1- have to document the whole args behavior
2- need to setup default values with args.get(name, defaultvalue)

I think that the following signature is cleaner:

1- def setupReplica(suffix, binddn, rtype=MASTER_TYPE, legacy=False, rid=None)
2- get rid of args.get with default values using eg.

    suffix, rtype, legacy, binddn, rid = map(args.get, 'suffix type legacy binddn id'.split())

Moreover the **magic applied to a dict, still allows us to call setupReplica(**args)

Let me know + Peace,
R.
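An added example (not part of the original message and not dsadmin code) comparing the two calling styles discussed above; the value of `MASTER_TYPE`, the function bodies, the helper names and the sample arguments are assumptions. It shows that the dict style silently ignores a misspelled key, and that the old keys `type` and `id` have to be renamed before `setupReplica(**args)` works with the proposed signature.

```python
import inspect

MASTER_TYPE = 0  # assumed placeholder; the real constant is defined by dsadmin

# Keys of the dict-style call (from the message) mapped to the parameter
# names of the proposed signature.
LEGACY_KEYS = {"type": "rtype", "id": "rid"}


def setup_replica_dict(args):
    """Dict style: every key is optional and unknown keys are ignored."""
    suffix, rtype, legacy, binddn, rid = map(
        args.get, "suffix type legacy binddn id".split())
    return {"suffix": suffix, "binddn": binddn,
            "rtype": MASTER_TYPE if rtype is None else rtype,
            "legacy": bool(legacy), "rid": rid}


def setup_replica(suffix, binddn, rtype=MASTER_TYPE, legacy=False, rid=None):
    """Signature style: required and optional arguments document themselves."""
    return {"suffix": suffix, "binddn": binddn, "rtype": rtype,
            "legacy": legacy, "rid": rid}


def check_args(func, args):
    """Return (missing, unknown) argument names for calling func(**args)."""
    params = inspect.signature(func).parameters
    required = {name for name, p in params.items()
                if p.default is inspect.Parameter.empty}
    return sorted(required - set(args)), sorted(set(args) - set(params))


def call_with_legacy_dict(func, args):
    """Rename legacy keys, validate against the signature, then call func."""
    renamed = {LEGACY_KEYS.get(key, key): value for key, value in args.items()}
    missing, unknown = check_args(func, renamed)
    if missing or unknown:
        raise TypeError("missing=%s unknown=%s" % (missing, unknown))
    return func(**renamed)


# Constructed sample input. 'bindn' is a deliberate typo for 'binddn'.
TYPO_ARGS = {"suffix": "dc=example,dc=com",
             "bindn": "cn=replication manager,cn=config", "id": 7}
GOOD_ARGS = {"suffix": "dc=example,dc=com",
             "binddn": "cn=replication manager,cn=config", "type": 1, "id": 7}

if __name__ == "__main__":
    # Dict style accepts the typo and configures a replica without a bind DN.
    print(setup_replica_dict(TYPO_ARGS))
    # The signature exposes both the typo and the renamed 'id' key.
    print(check_args(setup_replica, TYPO_ARGS))
    # Old-style dicts keep working once 'type' and 'id' are renamed.
    print(call_with_legacy_dict(setup_replica, GOOD_ARGS))
```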
Re: [389-users] dsadmin python library
On Thursday 14 March 2013 11:04:46 Rich Megginson wrote:
> What about the scripts such as dirsynccrtl.py, winsyncssl.py, etc. that
> use dsadmin.py? Should they be in the same repo as dsadmin.py?

your choice ;) I would just separate the "reusable" stuff from the perl and bug one.

I really hope that dsadmin.py & co will be added to 389 rpm as soon as we end a small facelift.

Peace,
R.
[389-users] dsadmin python library
Hi Rich,

why not move the useful dsadmin python library to a separate repo?

I could contribute:
* doc
* code refactoring with new-style classes
* some more exception stuff

Let me know + Peace,
R.
[389-users] About 389 cache and backend behavior
Hi all,

where can I find a brief description of the 389 communication between:
- client
- 389 cache
- 389 backend
- COS and VLV

Is there a way to delve into it without reading the code?

Thx+ Peace,
R.
Re: [389-users] Questions on RedHat DS9.0 Deployment Guide (schema replication)
Hi Rich,

firstly, thanks again for your time and for your support! I'll file bugs on trac, right?

Rich Megginson
> Right, although note that schema replication is single master. You
> should choose a master to make it the "primary" master for schema updates.

* are there any issues to let 389 create/modify custom schema files instead of putting everything in 99user.ldif? I mean something like:

    # ldapmodify -v
    dn: cn=schema
    changetype: modify
    schemafile: 60example.ldif
    add: attributetypes
    attributetypes: ( 1.2.3.4.5.6.1 NAME 'dateofbirth' DESC 'For employee birthdays' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUED X-ORIGIN 'Example defined')

* did you experience any issue using schema replication in "primary" master mode (eg. decreased manageability, lack of tracking of schema files,...)?

Thx+Peace,
R:
[389-users] Questions on RedHat DS9.0 Deployment Guide (schema replication)
Hi all,

just some easy questions. The quoted text is taken from Red Hat DS 9.0 Deployment Guide.

§7.4.4 Schema Replication

> In all replication scenarios...[cut] The following conditions apply:
> If the version of the schema ...[master has newer]...the supplier server replicates to the consumer

Q1: shouldn't this happen only when changes are done via ldapmodify (as stated in the note at the ending of the chapter)?
Q2: changes made with 98example.ldif shouldn't propagate, right?

> If the version of the schema...[slave has newer]...the server may return many errors...

Q3: so replication still happens. I would state this clearly, like "replication happens even in case of schema mismatching"

> A consumer might contain replicated data from two suppliers, each with different schema. Whichever supplier was updated last wins, and its schema is propagated to the consumer.

Q4: imho it seems a wider highway to hell -_- As of Q1,2 I can avoid it using ldif, right?

> Changes made to custom schema files are only replicated if the schema is updated using LDAP or the Directory Server Console

Q5: I have understood that you can't change a custom schema file using LDAP/DSConsole. All modifications go to 99user.ldif: right?

I hope I haven't bored you too much...

Thx+Peace,
R.
Re: [389-users] Schema upgrade and a little error in wiki
Hi Rich,

Rich Megginson
> > On RH documentation I read to:
> > - upgrade all masters;
> > - then upgrade slaves;
> > - lately restart.
>
> Yes. This is the recommended procedure.
>
> > This approach seems to lead to some service discontinuity, as - during
> > this migration - I should stop writes to all master/slaves.
>
> Why?

To avoid discontinuity, I should do a rolling restart, right?
Rolling restart means I have a small time frame T0 where schemas are different between nodes.
If during T0 a write is replicated between NodeB and NodeA, I suppose replication will fail due to mismatching schema, right?

> > I found a possible typo here:
> > http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema
>
> Yes. I have fixed the wiki ... attributetypes, objectclasses, matchingrules, are now operational

is there a way to tell 389 to print all operational attributes?

Thx + Peace,
R:
[389-users] Schema upgrade and a little error in wiki
Hi Rich|All,

= Stuff 1 =

I'm planning a schema upgrade on a platform with 4 ds. The schema is on a 98myschema.ldif. I got 2 MMR on backend and 2 replica on FE.

On RH documentation I read to:
- upgrade all masters;
- then upgrade slaves;
- lately restart.

This approach seems to lead to some service discontinuity, as - during this migration - I should stop writes to all master/slaves.

How would you do it?

= Stuff 2 =

I found a possible typo here:
http://directory.fedoraproject.org/wiki/Dynamically_Reload_Schema

The following command doesn't write out the schema

    # ldapsearch -D "cn=Directory Manager" -w password -b "cn=schema" -T "(objectclass=*)"

you need to specify the attributes, eg:

    # ldapsearch ... -b "cn=schema" -T "(objectclass=*)" "*" objectclasses

Does it happen to you too?

Thx+ Peace,
R.
Re: [389-users] continuously segfault: 389ds 1.2.10.2 - 1.el6
Hi Rich,

Rich Megginson
> ...I'm planning a 1.2.10.3 release which will have that patch and a
> couple of others.

you always rock!

Thx++ && Peace,
R.
Re: [389-users] continuously segfault: 389ds 1.2.10.2 - 1.el6
Hi Mark,

Mark Reynolds
> We actually just fixed this on Friday via Ticket 305. Rich would know
> more about the next release that would contain this fix.

This is it https://fedorahosted.org/389/ticket/305
The stuff is cos-related, and I saw the patch. The "guilty" lines are moved...
Can I just apply that patch or do I have to checkout the whole new tree?

Peace,
R.

> Regards,
> Mark
>
> On 03/05/2012 09:18 AM, Roberto Polli wrote:
> > Hi Rich | everybody,
> >
> > We just experience a continuous segfault (each 20mins).
> >
> > This is the interesting part:
> > #3 0x7f8e635c20c6 in malloc_printerr () from /lib64/libc.so.6
> > #4 0x7f8e65ac8b16 in slapi_ch_free (ptr=0x7f8e28017480) at ldap/servers/slapd/ch_malloc.c:363
> > #5 0x7f8e5cfe7190 in cos_cache_query_attr (ptheCache=0x7f8e280178d0, context=0x0, e=0x7f8dc8016d00, type=0x7f8e28003760 "inetcos", out_attr=0x0, test_this=0x0, result=0x0,
> >
> > When exploring the dump, I found that:
> >  - everything happens in cache;
> >  - it crashes while freeing a string containing a DN;
> >  - gdb was able to print out the given string;
> >  - the "guilty" code strangely clones the given string, then frees the original one with slapi_ch_free();
> >
> > Two sample stack traces and rpm infos follow.
> >
> > Do you have any hint?
> > Thx+Peace,
> > R.
> >
> > = Version =
> >
> > rpm -qi 389-ds-base
> > Name : 389-ds-base Relocations: (not relocatable)
> > Version : 1.2.10.2 Vendor: (none)
> > Release : 1.el6 Build Date: Thu 23 Feb 2012 05:13:45 PM CET
> > Install Date: Mon 27 Feb 2012 12:17:52 PM CET Build Host: vmhost
> > Group : System Environment/Daemons Source RPM: 389-ds-base-1.2.10.2-1.el6.src.rpm
> > Size : 4847506 License: GPLv2 with exceptions
> > Signature : (none)
> > URL : http://port389.org/
> > Summary : 389 Directory Server (base)
> > Description :
> > 389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.
> >
> > = Trace 1 =
> >
> > #0 0x7f8e6357f885 in raise () from /lib64/libc.so.6
> > #1 0x7f8e63581065 in abort () from /lib64/libc.so.6
> > #2 0x7f8e635bc7a7 in __libc_message () from /lib64/libc.so.6
> > #3 0x7f8e635c20c6 in malloc_printerr () from /lib64/libc.so.6
> > #4 0x7f8e65ac8b16 in slapi_ch_free (ptr=0x7f8e28017480) at ldap/servers/slapd/ch_malloc.c:363
> > #5 0x7f8e5cfe7190 in cos_cache_query_attr (ptheCache=0x7f8e280178d0, context=0x0, e=0x7f8dc8016d00, type=0x7f8e28003760 "inetcos", out_attr=0x0, test_this=0x0, result=0x0, props=0x7f8d9c3f8a5c) at ldap/servers/plugins/cos/cos_cache.c:2393
> > #6 0x7f8e5cfea9aa in cos_cache_vattr_types (handle=<value optimized out>, e=0x7f8dc8016d00, type_context=0x7f8d9c3f8ad0, flags=<value optimized out>) at ldap/servers/plugins/cos/cos_cache.c:2199
> > #7 0x7f8e65b3ad90 in slapi_vattr_list_attrs (e=0x7f8dc8016d00, types=0x7f8d9c3f8c78, flags=4, buffer_flags=0x7f8d9c3f8cbc) at ldap/servers/slapd/vattr.c:1289
> > #8 0x7f8e65b1fc00 in send_all_attrs (pb=0x2987dc0, e=0x7f8dc8016d00, ectrls=0x7f8dc8016cd8, attrs=0x0, attrsonly=0, send_result=0, nentries=0, urls=0x0) at ldap/servers/slapd/result.c:915
> > #9 send_ldap_search_entry_ext (pb=0x2987dc0, e=0x7f8dc8016d00, ectrls=0x7f8dc8016cd8, attrs=0x0, attrsonly=0, send_result=0, nentries=0, urls=0x0) at ldap/servers/slapd/result.c:1362
> > #10 0x7f8e65b2046c in send_ldap_search_entry (pb=<value optimized out>, e=, ectrls=, attrs=, attrsonly=) at ldap/servers/slapd/result.c:814
> > #11 0x004208e2 in ps_send_results (arg=) at ldap/servers/slapd/psearch.c:373
> > #12 0x7f8e63f516f3 in ?? () from /lib64/libnspr4.so
> > #13 0x7f8e638f57f1 in start_thread () from /lib64/libpthread.so.0
> > #14 0x7f8e6363292d in clone () from /lib64/libc.so.6
> >
> > = Trace 2 =
> > #0 0x7f8e6357f885 in raise () from /lib64/libc.so.6
> > #1 0x7f8e63581065 in abort () from /lib64/libc.so.6
> > #2 0x7f8e635bc7a7 in __libc_message () from /lib64/libc.so.6
> > #3 0x7f8e635c20c6 in malloc_printerr () from /lib64/libc.so.6
> > #4 0x7f8e65ac8b16 in slapi_ch_free (ptr=0x7f8e28017480) at ldap/servers/slapd/ch_malloc.c:363
> > #5 0x7f8e5cfe7190 in cos_cache_query_attr (ptheCache=0x7f8e280178d0, context=
[389-users] continuously segfault: 389ds 1.2.10.2 - 1.el6
e Relocations: (not relocatable)
Version : 1.2.10.2 Vendor: (none)
Release : 1.el6 Build Date: Thu 23 Feb 2012 05:13:45 PM CET
Install Date: Mon 27 Feb 2012 12:17:52 PM CET Build Host: vmhost
Group : System Environment/Daemons Source RPM: 389-ds-base-1.2.10.2-1.el6.src.rpm
Size : 4847506 License: GPLv2 with exceptions
Signature : (none)
URL : http://port389.org/
Summary : 389 Directory Server (base)
Description :
389 Directory Server is an LDAPv3 compliant server. The base package includes the LDAP server and command line utilities for server administration.

(14:44:45) # Francesco Fiore has ended his/her participation in the chat session.
[389-users] Failure while Copy a subtree (deleteOldRdn: 0)
Hi all,

I'm playing with the changeType: modrdn command, and I got the following issue.

1- I want to copy a subtree in another location:

    source: ou=People,dc=top
    dest: ou=PeopleBak,dc=top

2- I can move it with

    changeType: modrdn
    newrdn: ou=PeopleBak
    deleteoldrdn: 0

3- I would expect that "deleteOldRdn:0" would leave the old "ou=People" at its place. While "deleteOldRdn: 1" should remove it.

Do you have any hint?

Peace,
R.
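The modrdn request from the message, modeled on an in-memory tree following the ModifyDN semantics of RFC 4511 section 4.9 (an added example, not part of the original post and not 389 code; the entries, the helper names and the naive comma-based DN handling are assumptions). In this model `deleteoldrdn` only decides whether the old RDN value stays as an attribute value of the renamed entry; the entry and its children move in both cases, and a copy has to be built by reading the entries and adding them again under the new DN.

```python
def split_rdn(rdn):
    """Split 'ou=People' into ('ou', 'People'); single-valued RDNs only."""
    attr, _, value = rdn.partition("=")
    return attr.strip().lower(), value.strip()


def modrdn(dit, dn, newrdn, deleteoldrdn):
    """Return a new tree after renaming `dn` to `newrdn` under the same parent."""
    if dn not in dit:
        raise KeyError("noSuchObject: " + dn)
    old_rdn, _, parent = dn.partition(",")
    new_dn = newrdn + "," + parent
    if new_dn in dit:
        raise ValueError("entryAlreadyExists: " + new_dn)
    old_attr, old_val = split_rdn(old_rdn)
    new_attr, new_val = split_rdn(newrdn)
    result = {}
    for entry_dn, attrs in dit.items():
        if entry_dn == dn:
            attrs = {k: list(v) for k, v in attrs.items()}
            if deleteoldrdn:
                # deleteoldrdn: 1 removes the old naming value from the entry.
                attrs[old_attr] = [v for v in attrs.get(old_attr, [])
                                   if v != old_val]
            if new_val not in attrs.setdefault(new_attr, []):
                attrs[new_attr].append(new_val)
            result[new_dn] = attrs
        elif entry_dn.endswith("," + dn):
            # Children follow the renamed parent.
            result[entry_dn[:-len(dn)] + new_dn] = attrs
        else:
            result[entry_dn] = attrs
    return result


def copy_subtree(dit, src_dn, newrdn):
    """Copy: read every entry at or below src_dn and add it under the new DN."""
    _, _, parent = src_dn.partition(",")
    dst_dn = newrdn + "," + parent
    result = dict(dit)
    for entry_dn, attrs in dit.items():
        if entry_dn == src_dn or entry_dn.endswith("," + src_dn):
            copied = {k: list(v) for k, v in attrs.items()}
            if entry_dn == src_dn:
                attr, value = split_rdn(newrdn)
                copied[attr] = [value]
            result[entry_dn[:-len(src_dn)] + dst_dn] = copied
    return result


# Constructed sample tree using the DNs from the message.
SAMPLE_DIT = {
    "dc=top": {"dc": ["top"]},
    "ou=People,dc=top": {"objectclass": ["organizationalUnit"],
                         "ou": ["People"]},
    "uid=jdoe,ou=People,dc=top": {"uid": ["jdoe"]},
}

if __name__ == "__main__":
    for flag in (0, 1):
        renamed = modrdn(SAMPLE_DIT, "ou=People,dc=top", "ou=PeopleBak", flag)
        print(flag, sorted(renamed), renamed["ou=PeopleBak,dc=top"]["ou"])
    print(sorted(copy_subtree(SAMPLE_DIT, "ou=People,dc=top", "ou=PeopleBak")))
```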
[389-users] ldap proxy and entry-based chaining: writing a plugin?
Hi all,

just a question. Does 389 provide a proxy functionality that can be used to identify immediately the right server to match?

In case it's not supported, is it possible to develop a 389 plugin to manage it? Once developed, are you interested in merging that feature in the 389 upstream?

Imagine the following configuration:

U - user
P - ldap proxy with two chained servers:
 * R1 - real server 1
 * R2 - real server 2

Actually when U issues a search on P, it forwards it on both the chained servers.

I'd like to know if there's a plugin or some sort of dynamic configuration that can be used to redirect the search directly on the right server using some further information provided (eg. regex & co).

Here's a standard use case.

1- DIT:
   o=company, ou=italy, { dc=domain1.it, dc=domain2.it, dc=domain3.it}
   o=company, ou=france, { dc=domain1.fr, dc=domain2.fr, dc=domain3.fr}

2- Each country is managed by one cluster. The proxy is configured with two dblink/chain:
   ou=italy -> cluster1
   ou=france -> cluster2

3- the search is done on the proxy using one attribute "mail=u...@domain1.it"

4- I'd like that all domains matching .it$ are searched first on cluster1, and conversely if matching .fr$ on cluster2

Obviously if you're interested I'll clarify.

Peace,
R.
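A sketch of the routing decision described in the use case above, as an added example that is not part of the original message and not a 389 plugin or API: the function names, the in-memory backends and the sample mail addresses are assumptions. The mail assertion in the search filter picks which cluster is queried first, and every filter that gives no hint (no mail assertion, or a trailing wildcard that hides the domain) falls back to the default order, so a wrong or missing hint costs one extra lookup and not a missed entry.

```python
import re

# Routing table from the use case: domains ending in .it are under ou=italy
# (cluster1), domains ending in .fr under ou=france (cluster2).
ROUTES = [
    (re.compile(r"\.it$", re.IGNORECASE), "cluster1"),
    (re.compile(r"\.fr$", re.IGNORECASE), "cluster2"),
]
ALL_CLUSTERS = ["cluster1", "cluster2"]

# Equality or substring assertions on mail, e.g. (mail=a@b.it), (mail=*@b.it).
MAIL_ASSERTION = re.compile(r"\(\s*mail\s*=([^()]*)\)", re.IGNORECASE)


def mail_values(ldap_filter):
    """Return the asserted mail values found anywhere in the filter string."""
    return [value.strip() for value in MAIL_ASSERTION.findall(ldap_filter)]


def preferred_clusters(ldap_filter):
    """Clusters hinted at by the filter, in order of first appearance."""
    preferred = []
    for value in mail_values(ldap_filter):
        if value.endswith("*"):
            continue  # trailing wildcard: the domain suffix is unknown
        for pattern, cluster in ROUTES:
            if pattern.search(value) and cluster not in preferred:
                preferred.append(cluster)
    return preferred


def search_order(ldap_filter):
    """Hinted clusters first, then the remaining ones as fallback."""
    first = preferred_clusters(ldap_filter)
    return first + [c for c in ALL_CLUSTERS if c not in first]


def chained_search(ldap_filter, backends):
    """Query backends in routed order and stop at the first one with entries.

    Returns (entries, clusters_queried).
    """
    queried = []
    for cluster in search_order(ldap_filter):
        queried.append(cluster)
        entries = backends[cluster](ldap_filter)
        if entries:
            return entries, queried
    return [], queried


def make_backend(mails):
    """Constructed stand-in for a chained server: exact match on mail."""
    def backend(ldap_filter):
        wanted = mail_values(ldap_filter)
        return [mail for mail in mails if mail in wanted]
    return backend


# Constructed sample data, one entry per cluster.
SAMPLE_BACKENDS = {
    "cluster1": make_backend(["user@domain1.it"]),
    "cluster2": make_backend(["user@domain1.fr"]),
}

if __name__ == "__main__":
    for flt in ("(mail=user@domain1.fr)",
                "(&(objectClass=person)(mail=user@domain1.it))",
                "(mail=user@*)",
                "(uid=jdoe)"):
        print(flt, search_order(flt), chained_search(flt, SAMPLE_BACKENDS))
```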
[389-users] Building 1.2.7
Hi all,

I tried to build 1.2.7 with openldap only, but it seems I still require mozldap for the ldif.h (like specified in the documentation).

Do you suggest to continue building 1.2.7 with mozldap only?

Peace,
R.
Re: [389-users] Bind to consumer binds to provider as well
I think the point is quite real. The "bind" operation can be the large part of traffic for authentication systems.

Could be worth to file an issue/wish on bugzilla and continue the discussion there?

Peace,
R.
Re: [389-users] perldap: perl-mozldap-1.5.3 bug+ patch for 1.5.3 ( latest stable )
On Wednesday 24 November 2010 13:51:06 Gerrard Geldenhuis wrote:
> I don't believe that this is the most appropriate list for your post.

afaik perl-mozldap is a requirement for building 389 ;) and I thought the info was worth the bits.

Anyway excuse me for the OT.

Peace,
R:
[389-users] strong authentication (securid, two factor) with 389
Hi all,

does 389 provide a strong authentication module like SecurID?
Is there a way to provide it without using clear-text password?

Peace,
R.
Re: [389-users] Debian packaging and Ubuntu issues
On Thursday 21 October 2010 21:29:18 you wrote:
> just removed them (just some .ico files and some example files where the

can't we drop those files:
1- downloading the original src
2- using patch to remove unwanted stuff

If it's ok I'll post a patch file on this list, so that you can validate it.

Peace,
R.
Re: [389-users] Debian packaging and Ubuntu issues
On Thursday 21 October 2010 12:12:52 Roberto Polli wrote:
> W: Impossibile trovare il pacchetto mozilla-ldap-sdk
> Trying to download tarball using uscan
> uscan warning: In debian/watch no matching hrefs for version 6.0.6+dfsg in watch line
> http://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/releases/v(.*)/src/mozldap-(.*)\.tar\.gz
> Couldn't find a tarball

manually downloaded from http://acksyn.org/ubuntu/pool/main/m/mozilla-ldap-sdk/

Peace,
R.
Re: [389-users] Debian packaging and Ubuntu issues
On Monday 18 October 2010 20:41:33 Michele Baldessari wrote:
> Hi Roberto,
>
> On Mon, Oct 18, 2010 at 12:15:44PM +0200, Roberto Polli wrote:
> > The debian packages can't be straightforwardly installed on ubuntu due to
> > mismatching dependencies (matter of names, I think).
>
> could you send me the log of how it fails?

almost unuseful as these are related to my karmic ubuntu

> http://raphaelhertzog.com/2010/09/27/different-dependencies-between-debian-and-ubuntu-but-common-source-package/

nice!

made svn update on alioth repo and try to build mozilla-ldap-sdk but it seems he can't find sources..

W: Impossibile trovare il pacchetto mozilla-ldap-sdk
Trying to download tarball using uscan
uscan warning: In debian/watch no matching hrefs for version 6.0.6+dfsg in watch line
http://ftp.mozilla.org/pub/mozilla.org/directory/c-sdk/releases/v(.*)/src/mozldap-(.*)\.tar\.gz
Couldn't find a tarball

Any hint?

Peace,
R.
Re: [389-users] Debian packaging and Ubuntu issues
Hi Michele+all,

The debian packages can't be straightforwardly installed on ubuntu due to mismatching dependencies (matter of names, I think).

Ryan's scripts case/switches dependencies depending on debian or ubuntu releases.

@Michele: is there a way I can merge those files? Do I have to create
* different debian/ directories?
* different dependencies variables?

Which is the best way to do it?

I'd like to use this list for discussing the thread, so that Rich Megginson and other 389 people can track our issues...

Peace,
R.
Re: [389-users] build/package scripts for debian and ubuntu
On Thursday 07 October 2010 17:58:24 Rich Megginson wrote:
> IMHO, the "official" place is either the 389 repo or the debian package
> repo.

The official debian distribution doesn't support 389: there are some extensions like EPEL repository. The 389 is in one of these named alioth. I'm in touch with that guy, but he has little time to maintain.

Somebody forked that debian repo to create Ubuntu packages: the differences are in package dependencies like libc & co.

> Why can't these scripts go into the debian package repo?

I'm investigating in how to create officially supported package for debian. My aim is to create something that would fit both on debian and ubuntu: that should manage dependencies and versions. So I thought that an automatic script repo should fit for all...

> Are they
> different than the scripts used to produce the official debian packages?

I don't think so. The QA procedures are different: ubuntu packages need to be gpg-signed by an authorized key and put on one PPA (personal repos). The debian race may be different...

Today I'll publish on sourceforge Ryan scripts and start working on that...

Keep in touch+Peace,
R:
Re: [389-users] build/package scripts for debian and ubuntu
On Thursday 07 October 2010 17:17:35 Rich Megginson wrote:
> Do you want these scripts to go into 389
> upstream?

not now ;) I wish we could create such a community to support and maintain in QA all the needed debian scripts.

> But yes,
> there should be an official place for debian build scripts

There are plenty of part-time 389 packagers for debian, ubuntu & co, everyone with his own repo. I tried to contact a lot of people these days, and only one responded...

> - either they
> should go into the debian build system, or into 389 upstream. I'd
> rather have the former.

Afaik all the packaging job is done outside the 389 community: to me this is wrong. The sabayon packaging taught me that distro-specific issues can improve the knowledge of the software.

So the point: we need one "official" place tied to the 389 community. The repository doesn't have to be the 389 one, but anyway should be something more official.

Glad to hear from you+Peace, R.

PS: About the repos: I still manage several projects on sourceforge, so I don't have to create another account.
--
Roberto Polli
Re: [389-users] build/package scripts for debian and ubuntu
On Thursday 07 October 2010 16:50:43 Kevin Zambrano wrote:
> Maybe you could be interested about this Debian Alioth project
> http://pkg-fedora-ds.alioth.debian.org/

I'm in touch with the maintainer. As of now there are no scripts as cool as Ryan's: while Ryan's retrieve files from the 389org website and package them, the debian archive needs to pull changes from svn and then rebuild. Anyway their work on debian/* files seems to be better, including some customisation for debian/ubuntu.

I wish we'll be able to join all our efforts!

Peace, R.
--
Roberto Polli
Re: [389-users] build/package scripts for debian and ubuntu
Hi all,

I'd create a git repository with Ryan's scripts. They are great and really easy to understand! Moreover, as those scripts have some parts in common, I'm refactoring them using functions, tmpfiles and some further bash commodities. I'm trying to involve other people too.

@richm: if for Ryan is fine, can you create a git repository to let people collaborate on them?
@ryan: feel free to chat me on robipo...@gmail.com for discussing that issue

Otherwise I'll create a yet-another-debian-scripts-for-389-org repository on sourceforge.

Let me know+Peace, R.
--
Roberto Polli
Re: [389-users] build/package scripts for debian and ubuntu
On Thursday 07 October 2010 14:28:05 Roberto Polli wrote:
> @Ryan: thx for your files: I'm going to test it!

at a glance it worked nicely, I'll investigate into every single file ;)

Peace, R.
--
Roberto Polli
Re: [389-users] build/package scripts for debian and ubuntu
Hi all,

I'm trying to collect all the people interested in the ubuntu/debian packaging. As of now I'm in touch with one of the debian packagers too. Probably this list is the best place to share our info.

@Ryan: thx for your files: I'm going to test it!
@Rich: if the --openldap is not fully functional or needs some patches still not included in ubuntu, maybe it's better to remain on mozldap...

Peace, R.
--
Roberto Polli - Project Manager
[389-users] 389 for Ubuntu: launchpad & co
Hi all,

I saw that 389 for Ubuntu is quite old, like 1.2.0... I'd like to revive the launchpad repository but it seems there's nobody there...

Is there somebody of the ubuntu-packager *here*?

Peace, R.
--
Roberto Polli
Babel S.r.l. - http://www.babel.it
Tel. +39.06.91801075 - fax +39.06.91612446
Tel. cel +39.340.6522736
P.zza S.Benedetto da Norcia, 33 - 00040 Pomezia (Roma)

"The following message contains confidential information. If you have received this message in error, please kindly notify us by e-mail. We also urge you to destroy the message received in error. The above is requested of you for the purposes of compliance with the law on the protection of personal data."
Re: [389-users] Segfault & Core Dumps
On Tuesday 07 September 2010 17:25:05 Dael Maselli wrote:
> .. I can simulate a crash with kill -QUIT.

maybe the sleep command doesn't trap this signal, thus generating a core file like in # man 7 signal.

> But if I kill -QUIT ns-slapd no file is created.

slapd will trap the QUIT and treat it as a proper EXIT

>~/tmp/fedora-ds-base-1.1.2# egrep -r SIGQUIT .
>./lib/base/file.cpp:signal(SIGQUIT, EXITFUNC);
>./ldap/servers/slapd/tools/ldclt/ldclt.c: sigaddset (&(act.sa_mask), SIGQUIT);
>./ldap/servers/slapd/tools/ldclt/ldclt.c: if (sigaction (SIGQUIT, &act, NULL) < 0)

Moreover just quitting won't create the right core file (the one with the boundary condition resulting in segfault).

HTH+Peace, R.
--
Roberto Polli
Re: [389-users] 389 v. 1.2.6 (bug) boolean value are case sensitive (eg."true" doesn't work)
On Friday 06 August 2010 15:43:12 Rich Megginson wrote:
> Yes, this was changed due to RFC 4517 enforcement -
> http://www.ietf.org/rfc/rfc4517.txt - section 3.3.3:
>
>    The LDAP-specific encoding of a value of this syntax is
>    defined by the following ABNF:
>
>       Boolean = "TRUE" / "FALSE"

ok, I wish it will improve performance :DDD

Peace, R.
--
Roberto Polli
[389-users] 389 v. 1.2.6 (bug) boolean value are case sensitive (eg."true" doesn't work)
Hi all,

Since 1.2.6 I found this bug.
* lowercase boolean values are refused.

ex. this won't work anymore
syncmlEnabled: true

I must use:
syncmlEnabled: TRUE

quite strange behavior.

Let me know + Peace, R.
--
Roberto Polli
Re: [389-users] dynamic group expansion: summarizing ;)
On Tuesday 01 June 2010 20:38:48 Nathan Kinder wrote:
> On 05/31/2010 02:05 AM, Roberto Polli wrote:
> > Hi all,
> >
> > I'll try to summarize:
> > 1 - we like dynamic group expansion (memberURL is an ldap URI)
> > 2 - ldapsearch -b GROUPDN "uniqueMember=*" retrieves both static and
> > dynamic members
> >    2.1 - the aforementioned search should retrieve nested group members too
> > 3 - (wish) memberOf plugin should dynamically set the memberOf attribute
> > in underlying entries
> >    3.1 * if memberOf is a virtual attribute, it's impossible to use it in
> > Searches (eg this won't work #ldapsearch "memberof=GROUPDN" )
> >    3.2 * memberOf should be "real"
> >    3.3 * we need a listener on each Update to
> >       3.3.1 * rescan all groups
> >       3.3.2 * update the memberOf attribute
>
> There are likely some things you can do here to optimize for updates.
> One idea would be to maintain an in-memory cache of dynamic group
> filters that are present. You would have to scan for these groups at
> server startup to populate the cache and maintain it whenever a group
> filter is modified/added/deleted.
>
> When an entry is updated, you can use the group filter cache to quickly
> determine if a change to an entry affects its group membership instead
> of searching for all of the groups each time.
>
> There may be better ideas than the above, but the cache idea was just a
> quick thought that may help.

added https://bugzilla.redhat.com/show_bug.cgi?id=618988

maybe better move discussion there or in the wiki.

Let me know+Peace, R.
--
Roberto Polli
Re: [389-users] dynamic group expansion: summarizing ;)
Hi all,

I'll try to summarize:
1 - we like dynamic group expansion (memberURL is an ldap URI)
2 - ldapsearch -b GROUPDN "uniqueMember=*" retrieves both static and dynamic members
   2.1 - the aforementioned search should retrieve nested group members too
3 - (wish) memberOf plugin should dynamically set the memberOf attribute in underlying entries
   3.1 * if memberOf is a virtual attribute, it's impossible to use it in Searches (eg this won't work #ldapsearch "memberof=GROUPDN" )
   3.2 * memberOf should be "real"
   3.3 * we need a listener on each Update to
      3.3.1 * rescan all groups
      3.3.2 * update the memberOf attribute

my opinion:
- the dynamic memberOf plugin adds a lot of overhead on Update (that's no good)
- its complexity grows with #groups and #users, so should be limited in some ways
- 2 is a priority as that ldapsearch is expected to retrieve all group members

another interesting thread is about group naming. in the sun mailgroup objectclass you can set an email address as a group name (eg. groups are mailinglist, with static or dynamic members).

LetMeKnow+Peace, R.

On Tuesday 18 May 2010 19:40:08 Rich Megginson wrote:
> Nathan Kinder wrote:
> > On 05/18/2010 09:50 AM, Rich Megginson wrote:
> >> Nathan Kinder wrote:
> >>> On 05/18/2010 08:48 AM, Rich Megginson wrote:
> >>>> Roberto Polli wrote:
> >>>>> On Tuesday 18 May 2010 16:28:48 Rich Megginson wrote:
> >>>>>> ...I would start with the member of plugin code.
> >>>>>
> >>>>> I'll take a look.
> >>>>>
> >>>>> do you think it will be better to extend memberof plugin or play
> >>>>> directly into the group entry
> >>>>
> >>>> not sure what you mean by "play directly into the group entry"
> >>>>
> >>>> You might be able to do this by extending the member of plugin. With
> >>>> dynamic groups, you will probably still want to have the member of
> >>>> functionality, and it should work with member of when using static
> >>>> groups too.
> >>>
> >>> The difficult part is going to be making the memberOf plug-in work with
> >>> dynamic groups.
> >>>
> >>> Is the idea to have the "member" attributes be virtual attributes that
> >>> are generated on the fly when a client performs a search for the group?
> >>
> >> That might work, as long as you don't have to support searches in
> >> dynamic group entries like (member=someUserDN)
> >>
> >>> I'm not quite sure how this approach can be made to work with the
> >>> memberOf plug-in since it is triggered by write operations that affect
> >>> group membership.
> >>
> >> However it works, it should work with memberof and generate memberof
> >> attributes in user entries, whether the group is static or dynamic.
> >>
> >> I suppose it would work a little like persistent search - on every
> >> update operation (not just group updates, but all updates), it would
> >> have to scan every dynamic group entry, looking at the pre-update entry
> >> and the post-update entry. If the pre-update entry does not match the
> >> dynamic group definition, but the post-update entry does match the
> >> dynamic group definition, then you add the DN of that entry to the
> >> member attribute in the group entry. If the pre-update matches but not
> >> the post-update, you have to remove the member.
> >
> > I think this approach is best, assuming you are saying that the member
> > of value is actually added to the group entry (not a virtual
> > attribute).
>
> Yes, a real attribute, not virtual. The member attribute in the dynamic
> group entry would be a real attribute.
>
> > This could be implemented as a new post-op plug-in. If
> > plug-in ordering is used to have this new plug-in invoked before the
> > memberOf plug-in, then the memberOf feature should work fine.
>
> Ok.
>
> >>>> static group:
> >>>> cn=groupA,
> >>>> objectclass: groupOfNames
> >>>> member: uid=foo,...<- static member - must add/delete manually
> >>>> member: uid=bar,...<- static member - must add/delete manually
> >>>>
> >>>> dynamic group:
> >>>> cn=groupB,...
> >>>> objectclass: groupOfDynNames<- need new objectclass that has both url
> >>>> specifier attribute and member attribute
> >>>>
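The update-time evaluation discussed in this thread (compare the pre-update and post-update entry against each dynamic group definition, using an in-memory cache of group filters built at startup), as an added Python example that is not part of the original messages and not 389's own code. All function names are hypothetical, and the filter subset, the case-insensitive matching and the simplified DN handling are assumptions.

```python
from urllib.parse import unquote

def parse_filter(text):
    """Parse an LDAP filter subset: (&..) (|..) (!..) (attr=value) (attr=*)."""
    pos = 0
    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if not kids or (op == "!" and len(kids) != 1):
                raise ValueError("bad operand count for %r" % op)
            result = (op, kids)
        else:
            end = text.index(")", pos)
            attr, sep, value = text[pos:end].partition("=")
            if not attr or not sep:
                raise ValueError("bad filter item %r" % text[pos:end])
            result, pos = ("=", attr.lower(), value), end
        if text[pos] != ")":
            raise ValueError("expected ')' at offset %d" % pos)
        pos += 1
        return result
    try:
        tree = node()
    except IndexError:
        raise ValueError("truncated filter %r" % text)
    if pos != len(text):
        raise ValueError("trailing data in filter %r" % text)
    return tree

def matches(tree, entry):
    """Evaluate a parsed filter against {lowercased attribute: [values]}."""
    if tree[0] in "&|":
        results = [matches(kid, entry) for kid in tree[1]]
        return all(results) if tree[0] == "&" else any(results)
    if tree[0] == "!":
        return not matches(tree[1][0], entry)
    values = [v.lower() for v in entry.get(tree[1], [])]
    # Assumption: case-insensitive equality; a real server follows the attribute syntax.
    return bool(values) if tree[2] == "*" else tree[2].lower() in values

def parse_member_url(url):
    """Split ldap:///base?attrs?scope?filter into (base, scope, filter tree)."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL: %r" % url)
    base, _attrs, scope, flt = (url[8:].split("?", 3) + [""] * 3)[:4]
    return (unquote(base).lower(), scope.lower() or "base",
            parse_filter(unquote(flt) or "(objectClass=*)"))

def in_scope(dn, base, scope):
    """Assumes normalized DNs without escaped commas."""
    dn = dn.lower()
    if dn == base:
        return scope in ("base", "sub")
    if scope == "base" or not dn.endswith("," + base):
        return False
    return scope == "sub" or "," not in dn[:-len(base) - 1]

def build_cache(groups):
    """Parse every group's memberURL once (at startup, or when a group changes)."""
    return {dn: parse_member_url(url) for dn, url in groups.items()}

def on_update(cache, dn, pre, post):
    """Return the (op, group_dn, dn) member changes that one entry update implies."""
    changes = []
    for group_dn, (base, scope, tree) in cache.items():
        was, now = (e is not None and in_scope(dn, base, scope) and
                    matches(tree, {k.lower(): v for k, v in e.items()})
                    for e in (pre, post))
        if was != now:  # "delete" removes a membership that no longer holds
            changes.append(("add" if now else "delete", group_dn, dn))
    return changes
```

Pass `pre=None` for an add and `post=None` for a delete. With a constructed group whose memberURL is `ldap:///ou=people,dc=example,dc=com??sub?(departmentNumber=42)`, an entry under that subtree yields an "add" when its departmentNumber becomes 42 and a "delete" when it changes away or the entry is removed.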
Re: [389-users] How to do this best with 389ds
On Tuesday 18 May 2010 12:16:43 Roland Schwingel wrote:
> Means the ldap search needs to return different attribute values when the
> search is performed from different subnets

try mixing vlv and smart referral. anyway ldap may not be the best place to play that game.

let us know+Peace, R.
--
Roberto Polli
[389-users] dynamic group expansion: writing a patch...
Hi all,

I'd like to start a patch on dynamic group expansion, but dunno where to start. Can you point me? Should it be something like reusing VLV code?

Thx+Peace, R.
--
Roberto Polli
Re: [389-users] Does 389org expand dynamic groups?
On Monday 17 May 2010 16:48:25 Rich Megginson wrote:
> > Do I have to search them programmatically?
>
> Yes. This feature is on our roadmap -
> http://directory.fedoraproject.org/wiki/Roadmap - Dynamic group expansion
> I don't know when we will get around to it (patches welcome!)

thx for your answer!

Peace, R.
--
Roberto Polli
[389-users] Does 389org expand dynamic groups?
Hi all,

I'm playing with dynamic groups, but it seems that ldap doesn't evaluate them. The MemberOf plugin doesn't work with dynamic groups either...

Do I have to search them programmatically?

Thx+Peace, R.

PS. a similar question has been asked but not answered
http://lists.fedoraproject.org/pipermail/389-users/2008-May/007784.html
--
Roberto Polli
Re: [389-users] Cache tuning errors
On Thursday 01 April 2010 16:31:17 j...@scusting.com wrote:
>... more than the available
> physical memory, decreased to the largest available size (2072199168
> bytes).

on 64bit or 32bit?

Peace, R.
--
Roberto Polli
[389-users] retrieving csn with ldapsearch
hi all,

I'm trying to retrieve the csn with ldapsearch and ldapadd/modify. I need it for syncing ldap with a custom backend.

For now I'm using the modifytimestamp, but for each add/modify I have to issue a subsequent ldapsearch to retrieve the modifytimestamp...

The control I'm trying to use is the following:
https://www.opends.org/wiki/page/DefinitionCSNControl

the csn of the entry is reported into fedorads logs.

[18/Feb/2010:17:05:32 +0100] ... ADD dn="piEntryId=1..134c..."
[18/Feb/2010:17:05:33 +0100] RESULT err=0 .. csn=4b7d654e0001

Hope somebody can help.

Peace, R.
--
Roberto Polli
Re: [389-users] id2entry.db4 very large
On Monday 08 February 2010 17:43:28 Noriko Hosoi wrote:
> > Is not id2entry.db4 cleaned automatically?
> No, it is not.

does it mean it is a monotonically increasing file? Which is the reason not to garbage-clean it?

Thx+Peace, R.
--
Roberto Polli