From: Sam T. <sa...@tr...> - 2000-12-12 19:07:50
|
Hello all. I'm trying to bind() to an Active Directory server using Net::LDAP. So far no matter what I try to use for a "dn" I get an AccessSecurityContext error in response. I can get access to the LDAP services with the LDP.EXE crap-ware provided with Windows 2000. Binding from within LDP.EXE works unless I uncheck NTLM Domain. Is it possible I need to turn off some MS-specific bind requirements? Kerberos, perhaps? I can post my test script if it would help. I can also run any queries you might want to see from the LDP.EXE program. Thanks for your help and advice. -sam |
From: Graham B. <gb...@po...> - 2000-12-12 19:03:15
|
----- Forwarded message from ati...@4u... -----

From: ati...@4u...
Date: Tue, 12 Dec 2000 18:16:07 +0100
X-Mailer: Mozilla 4.74 [en] (X11; U; Linux 2.2.16 i686)
To: gb...@po...
Subject: perl-ldap. How to find out if LDAP connection already exists

Hi Graham.
How is life.

I have been using your module in my projects. Recently I started using it with mod_perl.
I haven't figured out how to find out if the connection to LDAP exists.
I don't want to make a connection each time.

My connect sub looks something like this.

    sub connect {
        if ($LDAP) {
            # a handle is already cached: reuse it
            return;
        } else {
            $LDAP = Net::LDAP->new($self->{'host'});
            try($LDAP->bind(dn => $self->{'user'}, password => $self->{'pass'}));
        }
    }

This doesn't catch the exception that the connection is closed from the server.
How may I test if the connection exists or not?

Thanks for your help.

--
Atif Ghaffar
Internet Development Manager
4unet AG/SA
-------------------------.
+41 78 787 51 45 ¦ voice
+41 24 441 09 03 ¦ fax
http://www.4unet.net ¦ www
http://atif.developer.ch ¦ homepage
ati...@4u... ¦ email

Do you speak Unix?

----- End forwarded message -----
From: Mark W. <mew...@un...> - 2000-12-07 20:49:08
|
I think removing it's a bit extreme since it's one of the more complete LDAP resources out there.

Mark

Clif Harden wrote:
> >
> > On Thu, Dec 07, 2000 at 05:11:06PM +0000, Chris Ridd wrote:
> > > Clif Harden <cl...@di...> wrote:
> > > >
> > > > I have updated the faq with two new ldap URLs.
> > > >
> > > > LDAPs, also known as ldapguru, at http://www.ldaps.com
> > >
> > > I don't want to appear *too* picky, but could you either remove that link
> > > from the FAQ or at least put a darn great warning by it noting that the
> > > ldapguru considers it OK to resize your (Netscape) browser window to
> > > completely cover your screen?
> > >
> > > It's pretty anti-social of him IMO.
> >
> > They also have an incorrect link for perl-ldap, but every email address
> > I tried bounced :(
> >
> > Graham.
> >
>
> I will probably remove it from the faq.
>
> Later,
>
> Clif Harden INTERNET: c-h...@ti...
> Texas Instruments
> Directory Services
> 6500 Chase Oaks Blvd, M/S 8412
> Plano, TX 75023
> Voice: 972-575-0855
> FAX: 972-575-2418
From: Clif H. <cl...@di...> - 2000-12-07 19:51:37
|
>
> On Thu, Dec 07, 2000 at 05:11:06PM +0000, Chris Ridd wrote:
> > Clif Harden <cl...@di...> wrote:
> > >
> > > I have updated the faq with two new ldap URLs.
> > >
> > > LDAPs, also known as ldapguru, at http://www.ldaps.com
> >
> > I don't want to appear *too* picky, but could you either remove that link
> > from the FAQ or at least put a darn great warning by it noting that the
> > ldapguru considers it OK to resize your (Netscape) browser window to
> > completely cover your screen?
> >
> > It's pretty anti-social of him IMO.
>
> They also have an incorrect link for perl-ldap, but every email address
> I tried bounced :(
>
> Graham.
>

I will probably remove it from the faq.

Later,

Clif Harden INTERNET: c-h...@ti...
Texas Instruments
Directory Services
6500 Chase Oaks Blvd, M/S 8412
Plano, TX 75023
Voice: 972-575-0855
FAX: 972-575-2418
From: Graham B. <gb...@po...> - 2000-12-07 18:37:43
|
On Thu, Dec 07, 2000 at 05:11:06PM +0000, Chris Ridd wrote:
> Clif Harden <cl...@di...> wrote:
> >
> > I have updated the faq with two new ldap URLs.
> >
> > LDAPs, also known as ldapguru, at http://www.ldaps.com
>
> I don't want to appear *too* picky, but could you either remove that link
> from the FAQ or at least put a darn great warning by it noting that the
> ldapguru considers it OK to resize your (Netscape) browser window to
> completely cover your screen?
>
> It's pretty anti-social of him IMO.

They also have an incorrect link for perl-ldap, but every email address
I tried bounced :(

Graham.
From: Chris R. <chr...@me...> - 2000-12-07 17:11:20
|
Clif Harden <cl...@di...> wrote:
>
> I have updated the faq with two new ldap URLs.
>
> LDAPs, also known as ldapguru, at http://www.ldaps.com

I don't want to appear *too* picky, but could you either remove that link from the FAQ or at least put a darn great warning by it noting that the ldapguru considers it OK to resize your (Netscape) browser window to completely cover your screen?

It's pretty anti-social of him IMO.

> eMailman at http://www.emailman.com/ldap

He lists MessagingDirect's server so he's alright. ;-)

Keep up the good work!

Cheers,

Chris
From: Clif H. <cl...@di...> - 2000-12-07 13:51:18
|
I have updated the faq with two new ldap URLs. LDAPs, also known as ldapguru, at http://www.ldaps.com eMailman at http://www.emailman.com/ldap The updated FAQ has been committed to CVS and is on the web at http://www.utdallas.edu/~charden/FAQ.html Regards, Clif Harden INTERNET: c-h...@ti... |
From: Chris R. <chr...@me...> - 2000-12-07 11:08:25
|
ritu rani jaiswal <lin...@re...> wrote:
> hello,
> i am having a problem with replication.....
> e.g: there are 3 servers
> A,B,C
> A----master
> B----slave
> C----slave
>
> B server need not have the information required for C
> server and vice-versa.
>
> Is it possible to replicate the data of B server only
> onto B and not onto C server and vice-versa.......
>
> If this is possible this reduces the network load.....
>
> Thank you,
> Ritu

This has nothing to do with perl-ldap. You need to talk to the vendor of your directory server, or at least read their server's manual!

Cheers,

Chris
From: ritu r. j. <lin...@re...> - 2000-12-07 06:52:16
|
hello,
i am having a problem with replication.....
e.g: there are 3 servers
A,B,C
A----master
B----slave
C----slave

B server need not have the information required for C
server and vice-versa.

Is it possible to replicate the data of B server only
onto B and not onto C server and vice-versa.......

If this is possible this reduces the network load.....

Thank you,
Ritu
From: Graham B. <gb...@po...> - 2000-12-06 16:04:15
|
----- Forwarded message from Steven Hartland <st...@me...> -----

From: "Steven Hartland" <st...@me...>
To: <gb...@po...>
Subject: Insecure dependency in perl-ldap 0.21+
Date: Wed, 6 Dec 2000 11:58:15 -0000
X-Mailer: Microsoft Outlook Express 5.00.3018.1300

When running our scripts that use your perl-ldap module we get the following error when we enable taint checking.

'error in embedded code: Insecure dependency in require while running with -T switch at /usr/lib/perl5/site_perl/5.005/Net/LDAP/Message.pm line 86, <STDIN> chunk 11.'

Version 0.20 is fine but looking at it, it uses a different method in this procedure.

Steve

----- End forwarded message -----
From: Tom J. <tj...@do...> - 2000-12-05 22:40:38
|
ok, never mind. The problem was on the server side. Seems the Netscape Directory Server will import a server cert without knowing anything about the CA that signed it (and without warning you or prompting you to supply the CA certificate).

After importing the CA certificate that signed my LDAP server's certificate, everything started working.

--Tom

On Tue, 5 Dec 2000, Tom Jordan wrote:

>
> I can't seem to get the following bit of code to work properly:
>
> my $ldap = new Net::LDAPS('cautha.doit.wisc.edu',
>                           port => '637',
>                           verify => 'none',
>                           cafile => 'cacerts/cacert.pem') or die "$!";
>
>
> The error message I get back is:
>
> IO::Socket::SSL: at /usr/perl5/site_perl/5.005/Net/LDAPS.pm line 50
> Uncaught exception from user code:
> Bad file number at ./ssl_bind.pl line 26.
>
> I've tried setting capath as well as cafile, but to no avail. I tried
> naming the ca cert with its hash as detailed in the docs for Net::LDAPS,
> but was unsuccessful with that as well.
>
> Can anyone shed some light on how this is supposed to work?
>
> Thanks,
> Tom
>
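Added example (not part of the thread, and not code from the perl-ldap project): the call quoted above passes verify => 'none', so the server certificate is not validated and cafile plays no part in the trust decision. The sketch below is the same connection made to fail closed, using the verify and cafile options of Net::LDAPS; the helper name ldaps_connect_verified, the default port 636 and the command-line handling are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;
use Net::LDAPS;

# Hypothetical helper: open an LDAPS connection that is refused unless the
# server certificate chains to the CA in $arg{cafile}.
sub ldaps_connect_verified {
    my (%arg) = @_;
    my $host   = $arg{host};
    my $cafile = $arg{cafile};

    die "no host given\n" unless defined $host && length $host;

    # A missing CA file should stop the program here, not degrade into an
    # unverified connection.
    die "CA file is missing or unreadable\n"
        unless defined $cafile && -r $cafile;

    my $ldap = Net::LDAPS->new(
        $host,
        port   => $arg{port} || 636,   # assumption: standard LDAPS port
        verify => 'require',           # the thread's code used 'none'
        cafile => $cafile,
    );

    # On failure new() returns undef and the reason is in $@ (not $!).
    die "LDAPS connection to $host failed: $@\n" unless $ldap;
    return $ldap;
}

# Usage: perl ldaps_check.pl <host> <cafile>
if (@ARGV == 2) {
    my $ldap = ldaps_connect_verified(host => $ARGV[0], cafile => $ARGV[1]);
    printf "connected, negotiated cipher: %s\n", $ldap->cipher;
    $ldap->unbind;
}
else {
    print "usage: $0 <host> <cafile>\n";
}
```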
From: Tom J. <tj...@do...> - 2000-12-05 18:43:37
|
I can't seem to get the following bit of code to work properly:

    my $ldap = new Net::LDAPS('cautha.doit.wisc.edu',
                              port => '637',
                              verify => 'none',
                              cafile => 'cacerts/cacert.pem') or die "$!";

The error message I get back is:

    IO::Socket::SSL: at /usr/perl5/site_perl/5.005/Net/LDAPS.pm line 50
    Uncaught exception from user code:
    Bad file number at ./ssl_bind.pl line 26.

I've tried setting capath as well as cafile, but to no avail. I tried naming the ca cert with its hash as detailed in the docs for Net::LDAPS, but was unsuccessful with that as well.

Can anyone shed some light on how this is supposed to work?

Thanks,
Tom
From: Chris R. <chr...@me...> - 2000-12-04 09:13:55
|
ritu rani jaiswal <lin...@re...> wrote:
> i want to give a group the access control list permissions and i don't
> know how to create a group please can someone help me.

Check RFC 2256 sections 7.10 and 7.18 for the standard object classes which describe groups.

Cheers,

Chris
From: Chris R. <chr...@me...> - 2000-12-04 09:12:39
|
Brian Avis <bri...@se...> wrote:
> I know that I can probably stuff my object class data and the
> inetauthorized services into an array and pass it like this,
> 'objectclass' => @objectclass

Actually, you need to pass a reference to the array, not the array itself.

    'objectclass' => \@objectclass

Alternatively,

    'objectclass' => [ 'inetOrgPerson', 'inetMailUser', 'person',
                       'imCalendarUser', 'inetSubscriber', 'inetMailRouting' ],

which does the same thing without using an extra variable. Check out the perlref manual page, and/or the perlreftut manual page.

You might also want to try this notation for your other attributes, even the ones that only have one value. eg

    'imcalendaruserversion' => [ '1.0' ],

Cheers,

Chris
From: ritu r. j. <lin...@re...> - 2000-12-02 04:59:02
|
i want to give a group the access control list permissions and i don't know how to create a group please can someone help me.
From: Brian A. <bri...@se...> - 2000-12-01 19:42:30
|
Hello again,

Since Graham did such a great job with my last question I thought I would throw another one at you all.

I am trying to add a user to the ldap server. All I want the admin person to supply is the username and have the program build the DN and add the person from that.

The problem is that I keep getting LDAP ENCODING ERRORS no matter how I try to format the data. So this is probably something real simple. At any rate here is the code.

    $suffix = "ou=People,dc=searhc,dc=org,o=internet";
    $dn = qq("CN="$firstname $lastname ($findname)", $suffix");

    $ldapadd = Net::LDAP::Entry->new;

    $ldapadd->add(
        dn => $dn,
        attr => [ 'inetOrgPerson', 'inetMailUser', 'person',
                  'imCalendarUser', 'inetSubscriber', 'inetMailRouting'],
        'inetauthorizedservices' => ['smtp', 'imap', 'pop3', 'pop3s',
                                     'sunw_webaccess', 'sunw_calendar'],
        'cn' => $quotedname,
        'sn' => $quotedlastname,
        'name' => $quotedname,
        'givenname' => $quotedfirstname,
        'mai' => $mailaddress,
        'uid' => $quotedusername,
        'maildeliveryoption' => 'mailbox',
        'mailhost' => '$host',
        'imcalendarhost' => '$calendarhost',
        'imcalendaruserversion' => '1.0',
        'imcalendername' => $quotedusername,
        'inetmailuserversion' => '1.0',
        'inetsubscriberstatus' => 'active',
        'datasource' => 'imldifsync 4.0.149',
        'mailfoldermap' => 'SUN-MS']
    );

    $mesg = $ldapadd->update($connection);

    warn ldap_error_name($mesg->code) if $mesg->code;
    warn ldap_error_text($mesg->code) if $mesg->code;

I know that I can probably stuff my object class data and the inetauthorized services into an array and pass it like this,

    'objectclass' => @objectclass

and I probably will once I get this working.

So what else am I doing wrong.

Thanks in advance for any help, it is greatly appreciated.

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
If nautical nonsense be something you wish.
Then drop on the deck and flop like a fish.
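Added example (not part of the thread, and not the poster's or the project's code): one way to build the entry from this message with the array-reference notation from Chris's reply, and with the admin-supplied name escaped before it goes into the DN. It assumes a perl-ldap release that provides Net::LDAP::Util::escape_dn_value; build_user_entry, the sample user and the attribute name mail (taken to be what the post's 'mai' meant) are assumptions for the illustration. It runs without a server and prints the entry.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;
use Net::LDAP::Entry;
use Net::LDAP::Util qw(escape_dn_value);

# Suffix taken from the message above.
my $SUFFIX = 'ou=People,dc=searhc,dc=org,o=internet';

# Hypothetical helper: turn admin-supplied fields into a Net::LDAP::Entry.
sub build_user_entry {
    my (%u) = @_;

    for my $field (qw(first last uid mail)) {
        die "missing or empty field '$field'\n"
            unless defined $u{$field} && length $u{$field};
    }

    my $cn = "$u{first} $u{last} ($u{uid})";

    my $entry = Net::LDAP::Entry->new;

    # The DN is set with dn(), not passed to add(). The RDN value is escaped
    # so a comma, plus sign or quote in a name cannot change the DN's shape;
    # no literal quotes are wrapped around the whole DN.
    $entry->dn('cn=' . escape_dn_value($cn) . ',' . $SUFFIX);

    # Every attribute takes an array reference, single-valued ones included.
    # Attribute values themselves are not DN-escaped.
    $entry->add(
        objectclass => [qw(inetOrgPerson inetMailUser person
                           imCalendarUser inetSubscriber inetMailRouting)],
        inetauthorizedservices => [qw(smtp imap pop3 pop3s
                                      sunw_webaccess sunw_calendar)],
        cn                 => [$cn],
        sn                 => [$u{last}],
        givenname          => [$u{first}],
        uid                => [$u{uid}],
        mail               => [$u{mail}],   # assumption: the post's 'mai'
        maildeliveryoption => ['mailbox'],
    );
    return $entry;
}

# Constructed sample input; the comma in the surname exercises the escaping.
my $entry = build_user_entry(
    first => 'Pat',
    last  => 'Doe, Jr.',
    uid   => 'pdoe',
    mail  => 'pdoe@example.org',
);
$entry->dump;

# With a bound Net::LDAP handle in $ldap the entry would be sent with:
#   my $mesg = $entry->update($ldap);
#   die $mesg->error if $mesg->code;
```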
From: Chris R. <chr...@me...> - 2000-11-30 08:52:13
|
Bing Du <Bi...@ci...> wrote:
> I apologize if what I said is sort of off topic. I appreciate it if
> somebody can point me to the right direction.
>
> Does anybody have any experience with implementing proxy in LDAP?
> Specifically, here is what I want to accomplish:
>
> Assume there are two entries in the directory server like this:
>
> ===================
> entry1:
>
> dn: cn=owner1, ou=xxx, dc=xxx, dc=xxx
> name: owner1
> phonenumber: xxx
> proxy: owner2
>
> entry2:
>
> dn: cn=owner2, ou=xxx, dc=xxx, dc=xxx
> name: owner2
> phonenumber: xxx
> ===================
>
> As you can see, 'owner1' assigns 'owner2' as his proxy. So besides DSA
> manager, only owner2 is able to modify owner1's entry.
>
> So far I have no idea where to start. Is this an ACL related issue?

Yes, it's an access control issue.

In the general case (allowing the proxy entry and the target entry to be anywhere in the DIT) you will need to add entryACI (an operational attribute with an ASN.1 (ie not text) syntax) to every entry with a proxy.

If you keep all the entries maintained by one proxy in the same subtree (exclusively) then you would want to use prescriptiveACI (ACI which applies to all entries in a subtree.)

Constructing the ACI values is not a huge problem if you can use Convert::ASN1 and know what the ACIitem syntax is (hint: read the manual!)

This will technically work, but would cause a big management overhead especially if using the entryACI scheme. (eg how do you change the overall policy defining what the proxies are allowed to do to the entry?)

You may want to carefully consider what you are trying to achieve here.

Cheers,

Chris
From: Andrew T. <atr...@ac...> - 2000-11-30 06:56:39
|
I don't understand that while loop; why two calls to pop_entry()? Also, if I understand 'my' correctly, you won't have access to $entry outside the else block. Try something like this,

    my $entry;
    if ($mesg->code) {
        print $mesg->code." ".$mesg->error, "\n";
    } else {
        $entry = $mesg->pop_entry();
    }

I have no idea how either of these things would cause pop_entry to hang, but give it a try.

Best,

Andrew

-- On Nov 30, 6:21am, Graham Barr wrote:
> Subject: Re: LDAP Search and pop_entry
> I do seem to recall a bug in this part of the code in a previous release.
> What version of Net::LDAP do you have installed ?
>
> Graham.
>
> On Wed, Nov 29, 2000 at 04:29:35PM -0900, Brian Avis wrote:
> > Hello all,
> >
> > Having problems with ldap search and was hoping someone could help me
> > out.
> >
> > I am writing a utility to let our admin staff add and remove a user from
> > a group or a list of groups on the ldap server.
> >
> > So when the username is entered one of the first things I check is
> > whether that user is in the LDAP server or not.... if they are then get
> > their DN.
> >
> > This is the code in question.
> >
> > $mesg = $connection->search(base => $basedn,
> >                             filter => "(uid=$uid)",
> >                             timelimit => 10);
> >
> >
> > if ($mesg->code) {
> >     print $mesg->code." ".$mesg->error;
> >     print "\n";
> > } else {
> >
> >     my $entry;
> >     while ($entry = $mesg->pop_entry()) {
> >
> >         $entry = $mesg->pop_entry();
> >
> >     }
> > }
> >
> > if (!defined $entry) {
> >     print "\n$realname is not a valid user in the LDAP server\n";
> >     redo;
> > }
> >
> > my $userDN = $entry->dn();
> >
> >
> > The funny thing is that this was working for a couple of days but has
> > quit working this afternoon. Go figure. Now though, when it gets to the
> > $entry = $mesg->pop_entry(); line it hangs. The program stops
> > responding (and yes I waited a good long time for it to come back). When
> > I looked up the pop_entry bit in the documentation this is all I found.
> >
> > pop_entry
> > Pop an entry from the internal list of Net::LDAP::Entry
> > objects for this search. If there are not more entries
> > then undef is returned.
> >
> > This call will block, if the list is empty, until the
> > server returns another entry.
> >
> > The last bit where it says this call will block if list is empty is
> > probably what is causing me problems.
> >
> > So I guess the question is what is the best way to tell if a user exists
> > in the LDAP server and if they do exist what is the best way to return
> > their DN?
> >
> > Thanks in advance for the help.
> >
> > --
> > Brian Avis
> > SEARHC Medical Clinic
> > Juneau, AK 99801
> > (907) 463-4049
> > If nautical nonsense be something you wish.
> > Then drop on the deck and flop like a fish.
> >
-- End of excerpt from Graham Barr

--
-- and...@uc... Unix Systems Group, UC Riverside
From: Graham B. <gb...@po...> - 2000-11-30 06:22:40
|
I do seem to recall a bug in this part of the code in a previous release. What version of Net::LDAP do you have installed ?

Graham.

On Wed, Nov 29, 2000 at 04:29:35PM -0900, Brian Avis wrote:
> Hello all,
>
> Having problems with ldap search and was hoping someone could help me
> out.
>
> I am writing a utility to let our admin staff add and remove a user from
> a group or a list of groups on the ldap server.
>
> So when the username is entered one of the first things I check is
> whether that user is in the LDAP server or not.... if they are then get
> their DN.
>
> This is the code in question.
>
> $mesg = $connection->search(base => $basedn,
>                             filter => "(uid=$uid)",
>                             timelimit => 10);
>
>
> if ($mesg->code) {
>     print $mesg->code." ".$mesg->error;
>     print "\n";
> } else {
>
>     my $entry;
>     while ($entry = $mesg->pop_entry()) {
>
>         $entry = $mesg->pop_entry();
>
>     }
> }
>
> if (!defined $entry) {
>     print "\n$realname is not a valid user in the LDAP server\n";
>     redo;
> }
>
> my $userDN = $entry->dn();
>
>
> The funny thing is that this was working for a couple of days but has
> quit working this afternoon. Go figure. Now though, when it gets to the
> $entry = $mesg->pop_entry(); line it hangs. The program stops
> responding (and yes I waited a good long time for it to come back). When
> I looked up the pop_entry bit in the documentation this is all I found.
>
> pop_entry
> Pop an entry from the internal list of Net::LDAP::Entry
> objects for this search. If there are not more entries
> then undef is returned.
>
> This call will block, if the list is empty, until the
> server returns another entry.
>
> The last bit where it says this call will block if list is empty is
> probably what is causing me problems.
>
> So I guess the question is what is the best way to tell if a user exists
> in the LDAP server and if they do exist what is the best way to return
> their DN?
>
> Thanks in advance for the help.
>
> --
> Brian Avis
> SEARHC Medical Clinic
> Juneau, AK 99801
> (907) 463-4049
> If nautical nonsense be something you wish.
> Then drop on the deck and flop like a fish.
>
From: Brian A. <bri...@se...> - 2000-11-30 01:25:09
|
Hello all,

Having problems with ldap search and was hoping someone could help me out.

I am writing a utility to let our admin staff add and remove a user from a group or a list of groups on the ldap server.

So when the username is entered one of the first things I check is whether that user is in the LDAP server or not.... if they are then get their DN.

This is the code in question.

    $mesg = $connection->search(base => $basedn,
                                filter => "(uid=$uid)",
                                timelimit => 10);


    if ($mesg->code) {
        print $mesg->code." ".$mesg->error;
        print "\n";
    } else {

        my $entry;
        while ($entry = $mesg->pop_entry()) {

            $entry = $mesg->pop_entry();

        }
    }

    if (!defined $entry) {
        print "\n$realname is not a valid user in the LDAP server\n";
        redo;
    }

    my $userDN = $entry->dn();

The funny thing is that this was working for a couple of days but has quit working this afternoon. Go figure. Now though, when it gets to the $entry = $mesg->pop_entry(); line it hangs. The program stops responding (and yes I waited a good long time for it to come back). When I looked up the pop_entry bit in the documentation this is all I found.

    pop_entry
    Pop an entry from the internal list of Net::LDAP::Entry
    objects for this search. If there are not more entries
    then undef is returned.

    This call will block, if the list is empty, until the
    server returns another entry.

The last bit where it says this call will block if list is empty is probably what is causing me problems.

So I guess the question is what is the best way to tell if a user exists in the LDAP server and if they do exist what is the best way to return their DN?

Thanks in advance for the help.

--
Brian Avis
SEARHC Medical Clinic
Juneau, AK 99801
(907) 463-4049
If nautical nonsense be something you wish.
Then drop on the deck and flop like a fish.
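Added example (not part of the thread, and not the poster's or the project's code): a lookup for the question asked above that does not loop on pop_entry(). It reads the finished result with count() and entry(0), and it escapes the typed-in username before placing it in the (uid=...) filter, so characters such as * ( ) are matched literally. It assumes a perl-ldap release that provides Net::LDAP::Util::escape_filter_value; uid_filter, find_user_dn and the sample inputs are constructed for the illustration, and only the filter part runs without a server.

```perl
#!/usr/bin/perl
# Added example, not code from the original thread.
use strict;
use warnings;
use Net::LDAP::Constant qw(LDAP_SIZELIMIT_EXCEEDED);
use Net::LDAP::Util qw(escape_filter_value);

# Hypothetical helper: build the uid filter with the value escaped, so the
# input can only ever be compared as a literal string.
sub uid_filter {
    my ($uid) = @_;
    return '(uid=' . escape_filter_value($uid) . ')';
}

# Hypothetical helper: returns ($dn, undef) when exactly one entry matches,
# and (undef, $reason) for "not found", "ambiguous" or a server error.
sub find_user_dn {
    my ($ldap, $base, $uid) = @_;

    my $mesg = $ldap->search(
        base      => $base,
        scope     => 'sub',
        filter    => uid_filter($uid),
        attrs     => ['1.1'],   # only the DN is needed, request no attributes
        sizelimit => 2,         # two results are enough to detect ambiguity
        timelimit => 10,
    );

    # A size-limit result still carries the entries received so far.
    if ($mesg->code && $mesg->code != LDAP_SIZELIMIT_EXCEEDED) {
        return (undef, 'search failed: ' . $mesg->error);
    }

    # The synchronous search has completed, so count() and entry() read the
    # stored result and never wait for further entries.
    my $count = $mesg->count;
    return (undef, 'no entry matches')       if $count == 0;
    return (undef, 'more than one entry matches') if $count > 1;
    return ($mesg->entry(0)->dn, undef);
}

# Constructed sample inputs: an ordinary uid and two that contain filter
# metacharacters.
for my $input ('bavis', 'b*', 'avis)(objectClass=*') {
    printf "%-22s => %s\n", $input, uid_filter($input);
}

# With a bound Net::LDAP handle in $ldap and a search base in $basedn:
#   my ($dn, $why) = find_user_dn($ldap, $basedn, $uid);
#   print defined $dn ? "found $dn\n" : "lookup failed: $why\n";
```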
From: Bing D. <Bi...@ci...> - 2000-11-29 20:12:18
|
I apologize if what I said is sort of off topic. I appreciate it if somebody can point me to the right direction.

Does anybody have any experience with implementing proxy in LDAP? Specifically, here is what I want to accomplish:

Assume there are two entries in the directory server like this:

===================
entry1:

dn: cn=owner1, ou=xxx, dc=xxx, dc=xxx
name: owner1
phonenumber: xxx
proxy: owner2

entry2:

dn: cn=owner2, ou=xxx, dc=xxx, dc=xxx
name: owner2
phonenumber: xxx
===================

As you can see, 'owner1' assigns 'owner2' as his proxy. So besides DSA manager, only owner2 is able to modify owner1's entry.

So far I have no idea where to start. Is this an ACL related issue?

BTW, we use MessagingDirect's directory server.

Bing

Bing Du <bi...@ta..., 979-845-9577>
Texas A&M University, CIS, Operating Systems, Unix
From: Chris R. <chr...@me...> - 2000-11-29 17:46:32
|
"Kurt D. Zeilenga" <Ku...@Op...> wrote:
> At 05:15 PM 11/29/00 +0000, Chris Ridd wrote:
>> "Kurt D. Zeilenga" <Ku...@Op...> wrote:
>>> BTW, OpenLDAP 2.x provides an LDAPv3 implementation.
>>>
>>> At 10:46 AM 11/29/00 +0000, Chris Ridd wrote:
>>>> OK, that's not the way LDAP does it really. LDAPv3 servers store schema
>>>> in special places called subentries in the directory, and places
>>>> pointers (ie DNs) to those subentries in the subschemaSubentry
>>>> attribute in the root DSE.
>>>
>>> Every entry should have a subschemaSubentry attribute whose value
>>> refers to the subschema entry (or subentry) which controls it.
>>
>> Whilst that is true (it is actually an operational attribute) I didn't
>> describe that mechanism because it didn't appear to fit in with what
>> Javier was doing.
>
> I thought Javier was attempting to discover the schema controlling
> an entry.
>
> The general method for discovering such is to obtain the controlling
> schema from the subschema subentry referred to by the entry's
> subschemaSubentry attribute. The Root DSE approach is known to
> be seriously flawed and, IMO, should be avoided until the IETF
> determines how to fix it.
>
> Kurt
>

That is the far superior approach, as otherwise you'd have to look at all the values of subschemaSubentry and work out which one is 'nearest' to you. Following X.500's line here is sensible.

(X.500 has operational attributes on each entry called attributeTypes and objectClasses (etc) which provide the subschema information directly, without having to do the extra read of the subschema subentry.)

Cheers,

Chris
From: Kurt D. Z. <Ku...@Op...> - 2000-11-29 17:33:02
|
At 05:15 PM 11/29/00 +0000, Chris Ridd wrote:
>"Kurt D. Zeilenga" <Ku...@Op...> wrote:
>> BTW, OpenLDAP 2.x provides an LDAPv3 implementation.
>>
>> At 10:46 AM 11/29/00 +0000, Chris Ridd wrote:
>>> OK, that's not the way LDAP does it really. LDAPv3 servers store schema
>>> in special places called subentries in the directory, and places
>>> pointers (ie DNs) to those subentries in the subschemaSubentry attribute
>>> in the root DSE.
>>
>> Every entry should have a subschemaSubentry attribute whose value
>> refers to the subschema entry (or subentry) which controls it.
>
>Whilst that is true (it is actually an operational attribute) I didn't
>describe that mechanism because it didn't appear to fit in with what Javier
>was doing.

I thought Javier was attempting to discover the schema controlling an entry.

The general method for discovering such is to obtain the controlling schema from the subschema subentry referred to by the entry's subschemaSubentry attribute. The Root DSE approach is known to be seriously flawed and, IMO, should be avoided until the IETF determines how to fix it.

Kurt
From: Chris R. <chr...@me...> - 2000-11-29 17:15:38
|
"Kurt D. Zeilenga" <Ku...@Op...> wrote:
> BTW, OpenLDAP 2.x provides an LDAPv3 implementation.
>
> At 10:46 AM 11/29/00 +0000, Chris Ridd wrote:
>> OK, that's not the way LDAP does it really. LDAPv3 servers store schema
>> in special places called subentries in the directory, and places
>> pointers (ie DNs) to those subentries in the subschemaSubentry attribute
>> in the root DSE.
>
> Every entry should have a subschemaSubentry attribute whose value
> refers to the subschema entry (or subentry) which controls it.

Whilst that is true (it is actually an operational attribute) I didn't describe that mechanism because it didn't appear to fit in with what Javier was doing.

Cheers,

Chris