FDS and Samba
by Phil Daws
Hi,
I read, Howard Chu 2003, that a SLAPI plug-in was available for syncing LDAP passwords to the equivalent Samba NT/LM. Would anybody know whether this is still available? Or is there another solution now?
--
Thanks, Phil
14 years, 2 months
stuck on a single entry
by Christopher Wood
I'm having another issue that I'm not making headway on. This time, I can't import a single value into one attribute in my directory. The attribute in question is a DirectoryString. (Previously it was an IA5String and I had issues with many values, but I changed it to DirectoryString and now only this entry is giving me trouble.)
Question:
What troubleshooting steps can I use to identify the portion of the user-supplied string that is causing the "value #0 invalid per syntax" error?
Here's the error I get from ldapmodify:
modifying entry "ldapAuthControlCode=1234567, ou=UsersByControlCode, o=mycompany"
ldap_modify: Invalid syntax (21)
additional info: ldapAuthSieve: value #0 invalid per syntax
Here's the schema for ldapAuthSieve from /opt/dirsrv/etc/dirsrv/slapd-cwlab-02/schema/99user.ldif:
attributeTypes: ( 1.3.6.1.4.1.2805.1.1.1.1.36 NAME 'ldapAuthSieve' DESC 'The vacation message subject line' SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE X-ORIGIN 'user defined' )
Points:
The value I'm having trouble with is base64 encoded.
The text inside the base64 encoding is bilingual English/French. It at least displays fine in my xterm.
I can ldapmodify this attribute in this entry with other base64-encoded strings.
I can ldapmodify this attribute in this entry with a much longer base64-encoded string, so I'm fairly sure I haven't hit a limit on the number of characters.
Error log output with debug level of 1 when I was running ldapmodify:
[25/Mar/2010:13:23:04 -0400] - reslimit_update_from_entry(): setting limit for handle 1 (based on nsSizeLimit)
[25/Mar/2010:13:23:04 -0400] - reslimit_update_from_entry(): setting limit for handle 2 (based on nsTimeLimit)
[25/Mar/2010:13:23:04 -0400] - reslimit_update_from_entry(): setting limit for handle 3 (based on nsIdleTimeout)
[25/Mar/2010:13:23:04 -0400] - <= reslimit_update_from_entry() returning status 0
[25/Mar/2010:13:23:08 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:08 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:08 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:08 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:08 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:08 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:35 -0400] - => ids_sasl_server_new (cwlab-02.pvt.primus.ca)
[25/Mar/2010:13:23:35 -0400] - ids_sasl_getopt: plugin= option=log_level
[25/Mar/2010:13:23:35 -0400] - ids_sasl_getopt: plugin= option=auto_transition
[25/Mar/2010:13:23:35 -0400] - <= ids_sasl_server_new
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7248, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7188, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7008, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e70c8, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - add_pb
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7188, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7008, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e70c8, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - get_pb
[25/Mar/2010:13:23:35 -0400] - do_bind
[25/Mar/2010:13:23:35 -0400] - BIND dn="cn=Directory Manager" method=128 version=3
[25/Mar/2010:13:23:35 -0400] - => get_ldapmessage_controls
[25/Mar/2010:13:23:35 -0400] - <= get_ldapmessage_controls no controls
[25/Mar/2010:13:23:35 -0400] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.16)
[25/Mar/2010:13:23:35 -0400] - <= slapi_control_present 0 (NO CONTROLS)
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7248, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7188, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7008, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e70c8, handle=3
[25/Mar/2010:13:23:35 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:35 -0400] - do_bind: version 3 method 0x80 dn cn=Directory Manager
[25/Mar/2010:13:23:35 -0400] - => slapi_pw_find value: "password"
[25/Mar/2010:13:23:35 -0400] - <= slapi_pw_find matched "cGFzc3dvcmQK" using scheme "SSHA"
[25/Mar/2010:13:23:35 -0400] - => send_ldap_result 0::
[25/Mar/2010:13:23:35 -0400] - <= send_ldap_result
[25/Mar/2010:13:23:38 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:38 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:38 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:38 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:38 -0400] - ldbm backend flushing
[25/Mar/2010:13:23:38 -0400] - ldbm backend done flushing
[25/Mar/2010:13:23:48 -0400] - add_pb
[25/Mar/2010:13:23:48 -0400] - get_pb
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7188, handle=3
[25/Mar/2010:13:23:48 -0400] - do_modify
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => get_ldapmessage_controls
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7008, handle=3
[25/Mar/2010:13:23:48 -0400] - <= get_ldapmessage_controls no controls
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=2
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e70c8, handle=3
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=1
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => compute_limits: sizelimit=-1, timelimit=-1
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'ACL preoperation' #1 type 403
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'deref' #2 type 403
[25/Mar/2010:13:23:48 -0400] deref-plugin - --> deref_pre_search
[25/Mar/2010:13:23:48 -0400] deref-plugin - <-- deref_pre_op
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Legacy replication preoperation plugin' #4 type 403
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Multimaster replication preoperation plugin' #6 type 403
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0x0, handle=0
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => find_entry_internal (dn=ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany) lock 0
[25/Mar/2010:13:23:48 -0400] - => dn2entry "ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany"
[25/Mar/2010:13:23:48 -0400] - <= dn2entry 9b6fd490
[25/Mar/2010:13:23:48 -0400] - <= find_entry_internal_dn found (ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany)
[25/Mar/2010:13:23:48 -0400] - candidate list has 1 ids
[25/Mar/2010:13:23:48 -0400] id2entry - => id2entry(633364)
[25/Mar/2010:13:23:48 -0400] id2entry - <= id2entry 9b6fd490, dn "ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany" (cache)
[25/Mar/2010:13:23:48 -0400] - => send_ldap_search_entry (ldapAuthControlCode=1234567, ou=UsersByControlCode, o=mycompany)
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'deref' #2 type 410
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Legacy replication preoperation plugin' #4 type 410
[25/Mar/2010:13:23:48 -0400] - <= send_ldap_search_entry
[25/Mar/2010:13:23:48 -0400] - => send_ldap_result 0::
[25/Mar/2010:13:23:48 -0400] - <= send_ldap_result
[25/Mar/2010:13:23:48 -0400] - modify_update_last_modified_attr
[25/Mar/2010:13:23:48 -0400] - Calling plugin '7-bit check' #0 type 405
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'ACL preoperation' #1 type 405
[25/Mar/2010:13:23:48 -0400] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.12)
[25/Mar/2010:13:23:48 -0400] - <= slapi_control_present 0 (NO CONTROLS)
[25/Mar/2010:13:23:48 -0400] - => slapi_control_present (looking for 2.16.840.1.113730.3.4.18)
[25/Mar/2010:13:23:48 -0400] - <= slapi_control_present 0 (NO CONTROLS)
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Legacy replication preoperation plugin' #4 type 405
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Linked Attributes' #5 type 405
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - --> linked_attrs_pre_op
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - --> linked_attrs_get_dn
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - <-- linked_attrs_get_dn
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - --> linked_attrs_dn_is_config
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - <-- linked_attrs_dn_is_config
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - <-- linked_attrs_pre_op
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Multimaster replication preoperation plugin' #6 type 405
[25/Mar/2010:13:23:48 -0400] - => find_entry_internal (dn=ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany) lock 1
[25/Mar/2010:13:23:48 -0400] - => dn2entry "ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany"
[25/Mar/2010:13:23:48 -0400] - <= dn2entry 9b6fd490
[25/Mar/2010:13:23:48 -0400] - <= find_entry_internal_dn found (ldapauthcontrolcode=1234567,ou=usersbycontrolcode,o=mycompany)
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Multimaster replication bepreoperation plugin' #0 type 451
[25/Mar/2010:13:23:48 -0400] - => entry_apply_mods_wsi
[25/Mar/2010:13:23:48 -0400] - <= entry_apply_mods_wsi 0
[25/Mar/2010:13:23:48 -0400] - => send_ldap_result 21::ldapAuthSieve: value #0 invalid per syntax
[25/Mar/2010:13:23:48 -0400] - <= send_ldap_result
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Retrocl postoperation plugin' #0 type 505
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Class of Service postoperation plugin' #1 type 505
[25/Mar/2010:13:23:48 -0400] - --> cos_post_op
[25/Mar/2010:13:23:48 -0400] - --> cos_cache_change_notify
[25/Mar/2010:13:23:48 -0400] - <-- cos_cache_change_notify
[25/Mar/2010:13:23:48 -0400] - <-- cos_post_op
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Distributed Numeric Assignment postop plugin' #2 type 505
[25/Mar/2010:13:23:48 -0400] dna-plugin - --> dna_config_check_post_op
[25/Mar/2010:13:23:48 -0400] dna-plugin - --> dna_get_dn
[25/Mar/2010:13:23:48 -0400] dna-plugin - <-- dna_get_dn
[25/Mar/2010:13:23:48 -0400] dna-plugin - --> dna_is_config
[25/Mar/2010:13:23:48 -0400] dna-plugin - <-- dna_is_config
[25/Mar/2010:13:23:48 -0400] dna-plugin - <-- dna_config_check_post_op
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Legacy replication postoperation plugin' #3 type 505
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Linked Attributes postop plugin' #4 type 505
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - --> linked_attrs_mod_post_op
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - --> linked_attrs_oktodo
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - <-- linked_attrs_oktodo
[25/Mar/2010:13:23:48 -0400] linkedattrs-plugin - <-- linked_attrs_mod_post_op
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Multimaster replication postoperation plugin' #5 type 505
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'Roles postoperation plugin' #6 type 505
[25/Mar/2010:13:23:48 -0400] - Calling plugin 'State Change Plugin' #7 type 505
[25/Mar/2010:13:23:48 -0400] statechange-plugin - --> statechange_post_op
[25/Mar/2010:13:23:48 -0400] statechange-plugin - <-- statechange_post_op
[25/Mar/2010:13:23:48 -0400] - do_unbind
[25/Mar/2010:13:23:48 -0400] - => get_ldapmessage_controls
[25/Mar/2010:13:23:48 -0400] - <= get_ldapmessage_controls no controls
[25/Mar/2010:13:23:48 -0400] - defbackend_noop
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7188, handle=3
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e7008, handle=3
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => slapi_reslimit_get_integer_limit() conn=0xb01e70c8, handle=3
[25/Mar/2010:13:23:48 -0400] - <= slapi_reslimit_get_integer_limit() returning NO VALUE
[25/Mar/2010:13:23:48 -0400] - => reslimit_update_from_entry() conn=0xb01e7248, entry=0x0
[25/Mar/2010:13:23:48 -0400] - reslimit_update_from_entry(): setting limit for handle 0 (based on nsLookThroughLimit)
[25/Mar/2010:13:23:48 -0400] - reslimit_update_from_entry(): setting limit for handle 1 (based on nsSizeLimit)
[25/Mar/2010:13:23:48 -0400] - reslimit_update_from_entry(): setting limit for handle 2 (based on nsTimeLimit)
[25/Mar/2010:13:23:48 -0400] - reslimit_update_from_entry(): setting limit for handle 3 (based on nsIdleTimeout)
[25/Mar/2010:13:23:48 -0400] - <= reslimit_update_from_entry() returning status 0
14 years, 2 months
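One way to locate the offending bytes in a rejected value, added here as an example and not part of the original post: Directory String (1.3.6.1.4.1.1466.115.121.1.15) values must be valid UTF-8 (RFC 4517), so the sketch assumes the rejection is a UTF-8 validity failure and reports each bad byte run with its offset. The sample text and both base64 values are constructed.

```python
import base64

# Constructed sample: bilingual text in the style of the vacation message in the post.
SAMPLE_TEXT = "Out of office until Monday / Absent du bureau jusqu'au 5 février"
GOOD_B64 = base64.b64encode(SAMPLE_TEXT.encode("utf-8")).decode("ascii")
# The same text as an ISO-8859-1 client would emit it: 'é' becomes the lone byte 0xE9.
BAD_B64 = base64.b64encode(SAMPLE_TEXT.encode("latin-1")).decode("ascii")


def find_invalid_utf8(b64_value, context=10):
    """Return one record per byte run in the decoded value that is not valid UTF-8."""
    raw = base64.b64decode(b64_value, validate=True)
    problems = []
    pos = 0
    while pos < len(raw):
        try:
            raw[pos:].decode("utf-8")
            break  # the remainder is clean
        except UnicodeDecodeError as err:
            start, end = pos + err.start, pos + err.end
            problems.append({
                "offset": start,                      # byte offset in the decoded value
                "bytes": raw[start:end].hex(),        # the rejected bytes
                "reason": err.reason,                 # decoder's explanation
                "before": raw[max(0, start - context):start].decode("utf-8", "replace"),
                # Guess only: what the bytes would be if the source was ISO-8859-1.
                "latin1_guess": raw[start:end].decode("latin-1"),
            })
            pos = end  # resume after the bad run so later problems are reported too
    return problems


def report(b64_value):
    """Human-readable summary for one base64 attribute value."""
    problems = find_invalid_utf8(b64_value)
    if not problems:
        return "value decodes as valid UTF-8"
    lines = []
    for p in problems:
        lines.append(
            "offset %d: bytes %s (%s), after %r, ISO-8859-1 reading %r"
            % (p["offset"], p["bytes"], p["reason"], p["before"], p["latin1_guess"])
        )
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(GOOD_B64))
    print(report(BAD_B64))
```

A terminal running in a non-UTF-8 locale will display such bytes correctly, so a value that looks fine on screen can still fail this check.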
getent passwd works, but not getent group
by Sean Carolan
For some reason my client server is not pulling group information from
the ldap server. "getent passwd" pulls over all the relevant accounts
from the ldap database. "getent group", however, is missing my
personal group. I don't have any entries for my user in /etc/passwd
or /etc/group on the local server.
If you have any idea how to fix this, I'm all ears.
14 years, 2 months
About bug 387681
by Juan Asensio Sánchez
Hi
We have migrated two servers to 1.2.5 version from 1.1.3. These servers had
a Windows Sync agreement (only 389->AD, not AD->389, nor Password Sync).
The agreements were working fine before the upgrade, until we realized they were
failing. Then we deleted the agreement and recreated it, but when we try to
full-resync, it throws this error: "". Enabling replication debug, I get a lot
of messages like this:
[25/Mar/2010:13:31:17 +0100] NSMMReplicationPlugin - received entry from
dirsync: CN=XXXXXXXXXXXXXXL
HP4200\0ADEL:123fa8cf-eabf-405c-ae24-abf065ff5767,CN=Deleted
Objects,DC=XXXX,DC=XXXX,DC=XXX
[25/Mar/2010:13:31:17 +0100] NSMMReplicationPlugin - agmt="cn=XXX-XXXX-XXXX"
(spirit:636): windows_process_dirsync_entry: failed to map tombstone dn.
I have seen this bug (https://bugzilla.redhat.com/show_bug.cgi?id=387681),
but we have the version that is supposed to be fixed. Any other reason why
this could be happening?
Regards.
14 years, 2 months
Password policy during grace login / expiration warning
by Aaron Hagopian
I am having an issue in regards to handling expiring passwords during the
grace period. I also filed a bug because I find the behavior to not be as
expected (https://bugzilla.redhat.com/show_bug.cgi?id=576303). But to
summarize my bug report, in my code that checks a user's credentials
(username / password) I ask the server for
the response controls (using Java/JNDI). When the user's pass hasn't
expired yet but they are in the warning period, in the response
I receive 2.16.840.1.113730.3.4.5 indicating the password is expiring, which
works great.
Then when their password actually expires and they still haven't changed it
yet (Glass half full, they just haven't logged in during that time and
didn't ignore my warnings) and I have say 3 grace logins allowed in the
policy the server doesn't respond with the warning (2.16.840.1.113730.3.4.5)
or the password expired response control (2.16.840.1.113730.3.4.4).
The only way I can determine during the grace period that the password is
actually expired and I'm on my grace login seems to be by checking the
passwordExpiredTime attribute by hand. This just seems silly to me since
the server knows the password expired and it knows to increment
the passwordGraceUserTime attribute for each successful login after the
password expired. I would think the server would respond with
both 2.16.840.1.113730.3.4.5 and 2.16.840.1.113730.3.4.4 like it does when
your password is reset by the administrator.
Am I missing something? Anyone else have a cleaner way of determining that
it's a grace period login? By the way, for the record I'm accessing this in
Java, not sure it matters and here's a little code blurb:
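import javax.naming.ldap.Control;
import javax.naming.ldap.InitialLdapContext;
import javax.naming.ldap.LdapContext;

// Bind with the user's credentials held in env, then list the response control OIDs.
LdapContext ctx = new InitialLdapContext(env, null);
Control[] ctls = ctx.getResponseControls();
if (ctls != null) {
    for (Control control : ctls) {
        System.out.println(control.getID());
    }
}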
Also if this question should be on the devel list I apologize but I figured
that was for actually coding the 389 directory server.
Thanks,
Aaron Hagopian
14 years, 2 months
Re: [389-users] Optimising queries
by Rich Megginson
----- jim(a)scusting.com wrote:
> Hi, I have some queries which are showing in the logs as not being
> indexed (notes=U right?).
Right. You can also get notes=U if you are hitting the idlscanlist limit (which you are probably not doing).
> In the example below the accountid is indexed
> but the authrole is not, but I would have expected the query to use the
> accountid index?
The "&" operator in this case does not work like a short circuit AND operator in most programming languages. 389 ds may consult both indexes in an attempt to optimize the query.
>
> conn=308 op=1 SRCH base="o=blah.com" scope=2
> filter="(&(accountid=abc123)(authrole=PowerUser))" attrs=ALL
> conn=308 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
>
> Do I need to index the authrole attribute as well in order for the
> indexes to be used on a query like this?
Yes.
> If I need to add indexes for
> anything that may be included in an & LDAP query, and indexes for
> anything that may require sorting on (my previous post) then I'll end
> up with indexes for just about everything!
Perhaps.
>
> Can anyone recommend any good sites & tools for explaining LDAP
> queries and indexing? I did some searching but not found anything useful
> which explains why the above would not be indexed. I have previously used
> MySQL and I'm sure the above equivalent would just use the accountid
> index and not worry about the authrole not being indexed.
In the LDAP world this is highly server dependent, so there is not really a sort of generic LDAP server index methodology, as there might be in the SQL world.
I suggest starting here - http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Managing_Indexes.... and here - http://www.redhat.com/docs/manuals/dir-server/8.1/admin/Tuning_DS_Perform...
>
> Thanks.
>
> Jim.
14 years, 2 months
RHDS and Radius Certificate
by Natr Brazell
I am trying to configure my freeradius box to use TLS to my RHDS server. I
find many references to what to do with OpenLDAP however nothing good with
RHDS or FDS. Do I need a certificate for every user authenticating against
my LDAP server through Radius or just a certificate from my Radius server to
my LDAP server? Any pointers would be most helpful.
Thanks,
Nate
14 years, 2 months
Optimising queries
by Jim Tyrrell
Hi, I have some queries which are showing in the logs as not being
indexed (notes=U right?). In the example below the accountid is indexed
but the authrole is not, but I would have expected the query to use the
accountid index?
conn=308 op=1 SRCH base="o=blah.com" scope=2
filter="(&(accountid=abc123)(authrole=PowerUser))" attrs=ALL
conn=308 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
Do I need to index the authrole attribute as well in order for the
indexes to be used on a query like this? If I need to add indexes for
anything that may be included in an & LDAP query, and indexes for
anything that may require sorting on (my previous post) then I'll end up
with indexes for just about everything!
Can anyone recommend any good sites & tools for explaining LDAP queries
and indexing? I did some searching but not found anything useful which
explains why the above would not be indexed. I have previously used
MySQL and I'm sure the above equivalent would just use the accountid
index and not worry about the authrole not being indexed.
Thanks.
Jim.
14 years, 2 months
Server side sort not using index
by Jim Tyrrell
Hi,
I noticed in our directory server logs a number of queries which are not
using indexes, and this appears to be down to sorting of the query being
done on the server side:
----- Server sorted-------------
conn=1433 op=1 SRCH base="o=blah.com" scope=2
filter="(&(accountid=abc123)(objectClass=dnszone)(dnstype=soa))" attrs=ALL
conn=1433 op=1 SORT dnszonename (4)
conn=1433 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
----- Not sorted ----------
conn=1440 op=1 SRCH base="o=blah.com" scope=2
filter="(&(accountid=abc123)(objectClass=dnszone)(dnstype=soa))" attrs=ALL
conn=1440 op=1 RESULT err=0 tag=101 nentries=1 etime=0
The 'accountid' field is indexed but when doing server side sorting it
seems to ignore this index - is this expected behaviour? What options
do I have to ensure the index is used - just get the developers to sort
the results in their code rather than on the server?
Thanks.
Jim.
14 years, 2 months
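The access-log excerpts in the "Optimising queries" and "Server side sort not using index" threads can be triaged mechanically. The following is an added example, not code from the posters or the 389 project: it pairs each RESULT carrying notes=U with its SRCH (and SORT, if any) by conn/op and lists the attributes involved. The log lines are constructed in access-log layout, with timestamps invented and the operations copied from the posts.

```python
import re

# Constructed sample: operations as quoted in the threads, timestamps invented.
SAMPLE_LOG = """\
[25/Mar/2010:10:00:01 +0000] conn=308 op=1 SRCH base="o=blah.com" scope=2 filter="(&(accountid=abc123)(authrole=PowerUser))" attrs=ALL
[25/Mar/2010:10:00:01 +0000] conn=308 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[25/Mar/2010:10:05:00 +0000] conn=1433 op=1 SRCH base="o=blah.com" scope=2 filter="(&(accountid=abc123)(objectClass=dnszone)(dnstype=soa))" attrs=ALL
[25/Mar/2010:10:05:00 +0000] conn=1433 op=1 SORT dnszonename (4)
[25/Mar/2010:10:05:00 +0000] conn=1433 op=1 RESULT err=0 tag=101 nentries=1 etime=0 notes=U
[25/Mar/2010:10:06:00 +0000] conn=1440 op=1 SRCH base="o=blah.com" scope=2 filter="(&(accountid=abc123)(objectClass=dnszone)(dnstype=soa))" attrs=ALL
[25/Mar/2010:10:06:00 +0000] conn=1440 op=1 RESULT err=0 tag=101 nentries=1 etime=0
"""

LINE_RE = re.compile(r"conn=(\d+) op=(\d+) (SRCH|SORT|RESULT)\s*(.*)$")
FILTER_RE = re.compile(r'filter="([^"]*)"')
# Attribute name directly after "(" and before a comparison operator.
ATTR_RE = re.compile(r"\(([A-Za-z][\w;.-]*)(?:=|~=|>=|<=)")
NOTES_RE = re.compile(r"\bnotes=([A-Z,]+)")


def filter_attributes(ldap_filter):
    """Attribute names used in a filter string, in order, without duplicates."""
    seen = []
    for name in ATTR_RE.findall(ldap_filter):
        if name not in seen:
            seen.append(name)
    return seen


def unindexed_searches(log_text):
    """Return one record per search whose RESULT line carries notes=U."""
    pending = {}   # (conn, op) -> details collected from SRCH/SORT lines
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (int(m.group(1)), int(m.group(2)))
        kind, rest = m.group(3), m.group(4)
        if kind == "SRCH":
            f = FILTER_RE.search(rest)
            pending[key] = {"filter": f.group(1) if f else "", "sort": None}
        elif kind == "SORT":
            pending.setdefault(key, {"filter": "", "sort": None})["sort"] = rest.split()[0]
        else:  # RESULT closes the operation
            op = pending.pop(key, {"filter": "", "sort": None})
            notes = NOTES_RE.search(rest)
            if notes and "U" in notes.group(1).split(","):
                findings.append({
                    "conn": key[0],
                    "op": key[1],
                    "filter": op["filter"],
                    "filter_attrs": filter_attributes(op["filter"]),
                    "sort": op["sort"],
                })
    return findings


if __name__ == "__main__":
    for item in unindexed_searches(SAMPLE_LOG):
        print(item)
```

The output only names the attributes each flagged search touched; which of them lacks an index has to be checked against the server's index configuration.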
fedora directory as slave openldap
by Giovanni Sabatini
Hi, I'm new to this mailing list.
I'm doing tests with Fedora Directory Server and I have this question.
I want to use the synchronization module fedora DS to windows AD and
to use Fedora DS as slave of openldap server.
OpenLdap Server (example: external student ldap server)
|
|
Fedora DS (as slave for a subsection of DIT) ---- > sync to windows AD
Are the synchronization and replica systems of Fedora DS and openldap
compatible?
Regards.
Giovanni Sabatini.
14 years, 2 months