ldapfuse-user Mailing List for LDAP access via FUSE
Status: Beta
Brought to you by: jengelh
From: Jan E. <je...@me...> - 2011-11-26 04:24:49

On Sunday 2011-11-20 22:26, Christian Svensson wrote:

>Patch 1:
>Adds -T option which allows the user to specify a timeout (in seconds) until
>an I/O error occurs. Without -T the operation is unchanged and I/O will lock
>indefinitely.

Inspected. Concept is ok, no blocker for merge (other than me being
distracted by work on libHX ;-).

Sometimes I think the openldap API was just tossed together without much
thought. Or why would the timeout parameter be non-const? Does openldap
update the timeval struct? It does not say in the bad to non-existing docs.
Because if it does put a remaining time back in (similar to ye olde
select(2)), then one needs to make TLS-secure this operation.

>Patch 2 (patch is made with patch 1 applied):
>When a search operation returns with LDAP_SERVER_DOWN, this patch will try
>to reconnect and retry the search operation until it succeeds or another
>error is encountered.

I would prefer if the do{}while loop around LDAP operations disappears into
a separate function, e.g.

	ldapfuse_search(...)
	{
		do {
			...
		} while (ret == LDAP_SERVER_DOWN ...)
		return ret;
	}

	ret = ldapfuse_search(...)

That way there is minimal replication, and fewer changes at the callsites.
From: Jan E. <je...@me...> - 2011-04-24 21:50:27

On Sunday 2011-04-24 22:38, Christian Svensson wrote on lda...@li...:

>>I can really recommend it ;-) It is already in all significant
>>Linux distros, so one can start right away.
>
>Yes, I hadn't heard of it before hacking on ldapfuse but it is quite
>neat. As a note, the library is also present in FreeBSD's ports
>collection. Getting ldapfuse to work on FreeBSD is my next goal, it
>"should" be no problem - but you never know.

I have not tried compiling it on FreeBSD for quite a while. But with
pam_mount and ttyrpld, there are potential candidates why it might be
in ports.

Ports? Now that is interesting. Had not expected that happening.

CC Silvio: looking over $FreeBSD: ports/lang/libhx/Makefile,v 1.10$
instead of moving the pkgconfig file in post-inst, you could use
configure's --with-pkgconfigdir switch. post-patch should not be needed
anymore either. If you need more descriptive Summary/Description lines,
confer with http://tinyurl.com/3onzkms
[ https://build.opensuse.org/package/view_file?file=libHX.spec&package=libHX&project=devel%3Alibraries%3Ac_c%2B%2B ]
From: Christian S. <bl...@cm...> - 2011-04-24 20:39:04

Hello.

On Sun, Apr 24, 2011 at 22:04, Jan Engelhardt <je...@me...> wrote:

> On Sunday 2011-04-24 14:59, Christian Svensson wrote:
>
> >I reworked the patch to use the map branch. My approach is to simply delete
> >the leaf if it is too old and then fall back into the normal "create new
> >leaf" code. I haven't worked with libHX before so I am not sure how
> >HXmap_del handles free()-ing, so please review that part.
>
> ldapfuse_cache_ops specifies a d_free function, so that will be invoked
> when an object is removed from the map.

Yes, I figured that it might work that way.

> >The patch lacks #ifdefs but I would assume that timeout is something that
> >most people would want.
>
> Ultimately, it leaves an issue open - the entries are never freed,
> just updated. With a large enough LDAP tree, I suppose that will lead to
> a memory exhaustion at one point.

True.

> >While researching how the map is used, I stumbled upon:
> >
> >	if (pthread_equal(pthread_self(), obj->tid)) {
> >		fprintf(stderr, "%s: attempted to free cache object %p using "
> >		        "thread %tu, but must use %tu instead.\n",
> >		        __func__, obj, static_cast(uintptr_t, pthread_self()),
> >		        static_cast(uintptr_t, obj->tid));
> >		return;
> >	}
> >
> >- shouldn't that if statement be negated?
>
> Yeah. But it's dead code, so was just removed.
>
> I added your patch, and amended it a bit. For one, the object does not
> need to be deleted, libHX allows for simple overwrite. Such is
> especially helpful since a delete-add cycle might incur unnecessary ADT
> relayouting (hash resize, tree rotate,..).

Nice, I thought it might do that as well but was too afraid to try :-)

> I can really recommend it ;-) It is already in all significant Linux
> distros, so one can start right away.

Yes, I hadn't heard of it before hacking on ldapfuse but it is quite neat.
As a note, the library is also present in FreeBSD's ports collection.
Getting ldapfuse to work on FreeBSD is my next goal, it "should" be no
problem - but you never know.

Anyhow, everything I need seems to be working - I thank you for your help
once again.

P.S. Thanks for the credits in the commit log, it made my day :-) D.S.

Greetings,
Christian
From: Jan E. <je...@me...> - 2011-04-24 20:04:31

On Sunday 2011-04-24 14:59, Christian Svensson wrote:

>I reworked the patch to use the map branch. My approach is to simply delete
>the leaf if it is too old and then fall back into the normal "create new
>leaf" code. I haven't worked with libHX before so I am not sure how
>HXmap_del handles free()-ing, so please review that part.

ldapfuse_cache_ops specifies a d_free function, so that will be invoked
when an object is removed from the map.

>The patch lacks #ifdefs but I would assume that timeout is something that
>most people would want.

Ultimately, it leaves an issue open - the entries are never freed,
just updated. With a large enough LDAP tree, I suppose that will lead to
a memory exhaustion at one point.

>While researching how the map is used, I stumbled upon:
>
>	if (pthread_equal(pthread_self(), obj->tid)) {
>		fprintf(stderr, "%s: attempted to free cache object %p using "
>		        "thread %tu, but must use %tu instead.\n",
>		        __func__, obj, static_cast(uintptr_t, pthread_self()),
>		        static_cast(uintptr_t, obj->tid));
>		return;
>	}
>
>- shouldn't that if statement be negated?

Yeah. But it's dead code, so was just removed.

I added your patch, and amended it a bit. For one, the object does not
need to be deleted, libHX allows for simple overwrite. Such is
especially helpful since a delete-add cycle might incur unnecessary ADT
relayouting (hash resize, tree rotate,..).

I can really recommend it ;-) It is already in all significant Linux
distros, so one can start right away.
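
An added example, not ldapfuse's map-branch cache, of the time-based dropping discussed in the message above together with the piece it leaves open: expired entries are actually freed (reaped) before a new slot is taken, so a large tree cannot grow the cache without bound, and a known DN is overwritten in place rather than deleted and re-added. CACHE_SLOTS, CACHE_TTL and the function names are constructed; a fixed array stands in for the HXmap.

```c
/* Added example, not ldapfuse's cache: TTL entries that are really freed. */
#define _POSIX_C_SOURCE 200809L  /* strdup */
#include <stdlib.h>
#include <string.h>
#include <time.h>

#define CACHE_SLOTS 4   /* tiny on purpose; a real map would be larger */
#define CACHE_TTL   30  /* seconds an entry stays valid (constructed value) */
struct cache_entry { char *dn; char *value; time_t stamp; }; /* dn NULL = free */
static struct cache_entry cache[CACHE_SLOTS];

/* Free every entry whose TTL has elapsed; returns how many were released. */
int cache_reap(time_t now)
{
	int n = 0;
	for (int i = 0; i < CACHE_SLOTS; ++i) {
		if (cache[i].dn == NULL || now - cache[i].stamp < CACHE_TTL)
			continue;
		free(cache[i].dn); free(cache[i].value);
		cache[i].dn = cache[i].value = NULL;
		++n;
	}
	return n;
}

/* dn == NULL looks for a free slot instead of a DN. */
static struct cache_entry *cache_find(const char *dn)
{
	for (int i = 0; i < CACHE_SLOTS; ++i)
		if (dn == NULL ? cache[i].dn == NULL :
		    cache[i].dn != NULL && strcmp(cache[i].dn, dn) == 0)
			return &cache[i];
	return NULL;
}

/* Stale data is reported as missing, so the caller re-queries LDAP. */
const char *cache_get(const char *dn, time_t now)
{
	struct cache_entry *e = cache_find(dn);
	return (e != NULL && now - e->stamp < CACHE_TTL) ? e->value : NULL;
}

/* Overwrite in place when the DN is known (no delete/add cycle, as libHX
 * allows); otherwise reap expired entries, then take a free slot. */
int cache_put(const char *dn, const char *value, time_t now)
{
	struct cache_entry *e = cache_find(dn);
	if (e == NULL) {
		cache_reap(now);
		if ((e = cache_find(NULL)) == NULL)
			return -1;             /* genuinely full; nothing expired */
		e->dn = strdup(dn);
	}
	free(e->value);
	e->value = strdup(value);
	e->stamp = now;
	return 0;
}
```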
From: Jan E. <je...@me...> - 2011-04-24 10:15:29

On Sunday 2011-04-24 11:24, Christian Svensson wrote:

>Hello again.
>
>I was testing the map branch but could not get it working - I didn't put any
>time digging around, but all files I tried to read were garbled.

Yeah, a free() was called outside the error path, which was undesired.
The branch has been refreshed now. If you could update your time-based
dropping of cache entries that would be cool.
From: Christian S. <bl...@cm...> - 2011-04-24 09:25:30

Hello again.

I was testing the map branch but could not get it working - I didn't put any
time digging around, but all files I tried to read were garbled.

$ cat /ldap/objectClass
h??%

while it should read:

$ cat /ldap/objectClass
organizationalUnit

Anyhow, I can use the old cache with my hacked timeout solution for now.

I do however still have a merge request:

@@ -641,7 +653,7 @@ static bool ldapfuse_get_options(int *argc, const char ***argv)
 		HXOPT_AUTOHELP,
 		HXOPT_TABLEEND,
 	};
-	if (HX_getopt(options_table, argc, argv, HXOPT_USAGEONERR) < 0)
+	if (HX_getopt(options_table, argc, argv, HXOPT_USAGEONERR | HXOPT_PTHRU) < 0)
 		return false;
 	if (query_for_p) {
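
Review bot: adding HXOPT_PTHRU in the ldapfuse_get_options hunk means HX_getopt now hands every option it does not recognize through in argv instead of failing via HXOPT_USAGEONERR, so a mistyped ldapfuse option silently reaches fuse_main rather than producing the usage text; document the passthrough in the option help and make sure ldapfuse's own short options do not collide with FUSE's (-o, -f, -d), since after this change both parsers see the same argv. The surrounding `HXOPT_TABLEEND,` and `if (query_for_p) {` context is unaffected.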
@@ -676,7 +688,7 @@ static int main2(int argc, char **argv)
 	new_argv = malloc(sizeof(char *) * (argc + 5));
 	new_argv[new_argc++] = argv[0];
-	new_argv[new_argc++] = "-f";
+	fsname = ldapfuse_fsname_for_fuse(argv[1]);
 	snprintf(buf, sizeof(buf), "-osubtype=ldapfuse,fsname=%s", fsname);
 	new_argv[new_argc++] = buf;

This would make you able to use "-f" on the commandline instead of forcing
people to patch it away, it also allows for fstab usage (-o for usage with
allow_others among other things):

ldapfuse#ldaps://localhost/ou=people,dc=cmd,dc=nu /ldap fuse noauto,allow_other 0 0

which is quite neat.

Greetings,
Christian.

On Sun, Apr 24, 2011 at 10:47, Christian Svensson <bl...@cm...> wrote:
>
> On Sun, Apr 24, 2011 at 02:41, Jan Engelhardt <je...@me...> wrote:
>
>> On Sunday 2011-04-24 01:21, Christian Svensson wrote:
>>
>> >>What broken daemon would that be?
>> >
>> >OpenSSHd actually. I want to store public keys in LDAP without using the
>> >openssh-lpk patch.
>> >
>> >Adding:
>> >AuthorizedKeysFile /ldap/cn=%u/sshPublicKey
>> >results in:
>> >/etc/ssh/sshd_config line 32: garbage at end of line; "%u/sshPublicKey".
>>
>> No idea who came up with the idea of throwing a key-value parser at
>> filenames. openSSH's readconf.c handling for sAuthorizedKeysFile calls
>> the strdelim function, which stops at every space, but also at every
>> equals sign. The space I can understand (like if you want multiple
>> keyfiles to be scanned, though whether that is actually possible is
>> another matter) - but the equals sign not.
>>
>> However, reading the source reveals that you can use quoting:
>>
>> AuthorizedKeysFile ".ssh/authorized=keys"
>>
>> starts sshd without choking on the supposed garbage.
>>
>> >bug which appears when you enter the second or so level of directories.
>> >Since my LDAP structure is flat I did not encounter that problem until just
>> >the other day. Do you have any better idea in how to solve the = issue? The
>> >real solution would obviously be to patch OpenSSH to accept '=', but that
>> >seems like a long shot.
>
> Oh, now I feel lazy :-) Thanks a lot! It works like a charm.
>
> Greetings,
> Christian.
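
Review bot: in the main2 hunk the `+` line reads `fsname = ldapfuse_fsname_for_fuse(argv[1]);`, yet the unchanged `snprintf(buf, sizeof(buf), "-osubtype=ldapfuse,fsname=%s", fsname);` context line already used fsname before this patch, so either this adds a second, redundant call (a leak on every mount if the helper allocates) or the intended change is only `-	new_argv[new_argc++] = "-f";` with the fsname line as context and the hunk got mangled; please regenerate it so the 7/7 line counts in the header match what is shown, and delete the `-f` line outright rather than replacing it. While touching this function, `new_argv = malloc(sizeof(char *) * (argc + 5));` in the context is never checked and argv[1] is dereferenced with no argc guard in the visible lines.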
From: Christian S. <bl...@cm...> - 2011-04-24 08:48:30

On Sun, Apr 24, 2011 at 02:41, Jan Engelhardt <je...@me...> wrote:

> On Sunday 2011-04-24 01:21, Christian Svensson wrote:
>
> >>What broken daemon would that be?
> >
> >OpenSSHd actually. I want to store public keys in LDAP without using the
> >openssh-lpk patch.
> >
> >Adding:
> >AuthorizedKeysFile /ldap/cn=%u/sshPublicKey
> >results in:
> >/etc/ssh/sshd_config line 32: garbage at end of line; "%u/sshPublicKey".
>
> No idea who came up with the idea of throwing a key-value parser at
> filenames. openSSH's readconf.c handling for sAuthorizedKeysFile calls
> the strdelim function, which stops at every space, but also at every
> equals sign. The space I can understand (like if you want multiple
> keyfiles to be scanned, though whether that is actually possible is
> another matter) - but the equals sign not.
>
> However, reading the source reveals that you can use quoting:
>
> AuthorizedKeysFile ".ssh/authorized=keys"
>
> starts sshd without choking on the supposed garbage.
>
> >bug which appears when you enter the second or so level of directories.
> >Since my LDAP structure is flat I did not encounter that problem until just
> >the other day. Do you have any better idea in how to solve the = issue? The
> >real solution would obviously be to patch OpenSSH to accept '=', but that
> >seems like a long shot.

Oh, now I feel lazy :-) Thanks a lot! It works like a charm.

Greetings,
Christian.
From: Christian S. <bl...@cm...> - 2011-04-24 01:00:46

Hello!

On Sun, Apr 24, 2011 at 00:48, Jan Engelhardt <je...@me...> wrote:

> On Sunday 2011-03-13 20:15, Christian Svensson wrote:
>
> >Good day. First, thanks a lot for this project. It has opened for some very
> >cool things.
> >
> >I have successfully modified ldapfuse to fit a project of mine. This project
> >required me to introduce some new features.
> >The first three features are enclosed in their own #ifdef USE_X block and
> >do not interfere with the old code when not activated.
>
> I thought I had replied to this, but apparently not. So here goes again :)

No worries!

> >1. Symlinks
> >Sadly I was unable to use the original ldapfuse because the path would
> >contain equal signs, which a certain daemon did not like. With patching the
> >daemon out of the question, I resorted to creating symlinks like this:
> >dr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn=admin
> >lr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn.admin -> cn=admin
> >dr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn=testuser
> >lr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn.testuser -> cn=testuser
> >-r--r--r-- 1 bluecommand bluecommand  4 Jan 1 1970 dc
> >-r--r--r-- 1 bluecommand bluecommand  7 Jan 1 1970 o
> >-r--r--r-- 1 bluecommand bluecommand 26 Jan 1 1970 objectClass
>
> What broken daemon would that be?

OpenSSHd actually. I want to store public keys in LDAP without using the
openssh-lpk patch.

Adding:
AuthorizedKeysFile /ldap/cn=%u/sshPublicKey
results in:
/etc/ssh/sshd_config line 32: garbage at end of line; "%u/sshPublicKey".

While:
AuthorizedKeysFile /ldap/cn.%u/sshPublicKey
works just fine!

> >2. Cache timeout
> >I need to be able to add and remove attributes without requiring a remount
> >of the filesystem. I added a simple timestamp which is checked against
> >constant + time(NULL) when the cache is accessed. The cache object is
> >refreshed if this timer has expired.
>
> A more sophisticated cache is in the works - you might have spotted the
> 'map' branch.

No I haven't - it might be just what I need.

> >3. Base DN in URI
> >Please enlighten me if I just misunderstood the URI syntax and this feature
> >is already available.
> >I was unable to bind to my DN (dc=cmd,dc=nu) in any satisfactory way
> >(ldaps://localhost/dc=cmd,dc=nu fails because of the comma) - with this
> >patch the URI is changed to ldaps://localhost (binddn is still dc=cmd,dc=nu)
> >I was also forced to replace comma with something else before calling
> >fuse_main (I chose forward slash) since FUSE could not parse a fsname with
> >commas in it.
>
> This is corrected now.

Perfect! I must say your solution is better, I didn't know that escaping
commas would work - nice!

> >4. Removed -f and added passthrough for HX option parsing
> >I needed to be able to add my own FUSE options and have ldapfuse become
> >daemonized.
>
> -f is just used to facilitate debug. It is not planned to stay forever.

I guessed as much :-) Thanks for the heads-up and keep up the good work.

I will give the map branch a try - as soon as I remember how to switch
branch in git ;-)

Regarding the equal sign symlink thing, I think the patch I sent contains a
bug which appears when you enter the second or so level of directories.
Since my LDAP structure is flat I did not encounter that problem until just
the other day. Do you have any better idea in how to solve the = issue? The
real solution would obviously be to patch OpenSSH to accept '=', but that
seems like a long shot.

Greetings,
Christian
From: Jan E. <je...@me...> - 2011-04-24 00:41:49

On Sunday 2011-04-24 01:21, Christian Svensson wrote:

>>What broken daemon would that be?
>
>OpenSSHd actually. I want to store public keys in LDAP without using the
>openssh-lpk patch.
>
>Adding:
>AuthorizedKeysFile /ldap/cn=%u/sshPublicKey
>results in:
>/etc/ssh/sshd_config line 32: garbage at end of line; "%u/sshPublicKey".

No idea who came up with the idea of throwing a key-value parser at
filenames. openSSH's readconf.c handling for sAuthorizedKeysFile calls
the strdelim function, which stops at every space, but also at every
equals sign. The space I can understand (like if you want multiple
keyfiles to be scanned, though whether that is actually possible is
another matter) - but the equals sign not.

However, reading the source reveals that you can use quoting:

AuthorizedKeysFile ".ssh/authorized=keys"

starts sshd without choking on the supposed garbage.

>bug which appears when you enter the second or so level of directories.
>Since my LDAP structure is flat I did not encounter that problem until just
>the other day. Do you have any better idea in how to solve the = issue? The
>real solution would obviously be to patch OpenSSH to accept '=', but that
>seems like a long shot.
From: Jan E. <je...@me...> - 2011-04-23 22:48:15

On Sunday 2011-03-13 20:15, Christian Svensson wrote:

>Good day. First, thanks a lot for this project. It has opened for some very
>cool things.
>
>I have successfully modified ldapfuse to fit a project of mine. This project
>required me to introduce some new features.
>The first three features are enclosed in their own #ifdef USE_X block and
>do not interfere with the old code when not activated.

I thought I had replied to this, but apparently not. So here goes again :)

>1. Symlinks
>Sadly I was unable to use the original ldapfuse because the path would
>contain equal signs, which a certain daemon did not like. With patching the
>daemon out of the question, I resorted to creating symlinks like this:
>dr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn=admin
>lr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn.admin -> cn=admin
>dr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn=testuser
>lr-xr-xr-x 1 bluecommand bluecommand  0 Jan 1 1970 cn.testuser -> cn=testuser
>-r--r--r-- 1 bluecommand bluecommand  4 Jan 1 1970 dc
>-r--r--r-- 1 bluecommand bluecommand  7 Jan 1 1970 o
>-r--r--r-- 1 bluecommand bluecommand 26 Jan 1 1970 objectClass

What broken daemon would that be?

>2. Cache timeout
>I need to be able to add and remove attributes without requiring a remount
>of the filesystem. I added a simple timestamp which is checked against
>constant + time(NULL) when the cache is accessed. The cache object is
>refreshed if this timer has expired.

A more sophisticated cache is in the works - you might have spotted the
'map' branch.

>3. Base DN in URI
>Please enlighten me if I just misunderstood the URI syntax and this feature
>is already available.
>I was unable to bind to my DN (dc=cmd,dc=nu) in any satisfactory way
>(ldaps://localhost/dc=cmd,dc=nu fails because of the comma) - with this
>patch the URI is changed to ldaps://localhost (binddn is still dc=cmd,dc=nu)
>I was also forced to replace comma with something else before calling
>fuse_main (I chose forward slash) since FUSE could not parse a fsname with
>commas in it.

This is corrected now.

>4. Removed -f and added passthrough for HX option parsing
>I needed to be able to add my own FUSE options and have ldapfuse become
>daemonized.

-f is just used to facilitate debug. It is not planned to stay forever.