On 6/11/19 8:03 pm, Emmanuel Lécharny wrote:
Hi Brian,
Hi Emmanuel. I thought you would be too busy for more than a one-line
response. It's really nice to know my question interested you
sufficiently to be a bit chatty. Please forgive me for taking this
opportunity to continue the discussion...
just FTR, the ads-contextentry configuration element contains the
partition context entry (doh !) :
Yes, I thought you realised I knew that from the way I framed my question.
ads-contextentry::
ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY
XNzOiBkb21haW4Kb2JqZWN0Y2xhc3M6IHRvcAoK
translates to :
dn: dc=example,dc=com
dc: example
objectclass: domain
objectclass: top
when you decode the base64 value.
My cribs work the example partition hash backwards, forwards, via
strings and files, just to prove I am deeply paranoid!
Obviously, the base64 is order dependent. Typically, encoding the same
entry with a reverted attribute like :
dn: dc=example,dc=com
dc: example
objectclass: top
objectclass: domain
gives this result :
ads-contextentry::
ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY
XNzOiB0b3AKb2JqZWN0Y2xhc3M6IGRvbWFpbg==
Been there, done that, got the T-shirt! It's (not really) fun to play
with newline, case and embedded white space... not to mention the
end-of-file marker!
Note that regardless of the change, the server will accept both entries
and will work fine.
I had not realised that!
I was obsessed with matching the auto-generated hash, rather than making
any "grand circuit" of possible failure conditions.
Without having time to dig into the code, I'm somewhat intrigued by your
comment. I guess it de-hashes the four elements and then compares them
separately in order of occurrence. (Maybe a StringTokenizer with NL
tokens fed into a small hash table?)
Now, if you want to generate the proper Base64 encoding from a LDIF
entry, I suggest you use a tool like https://www.base64encode.org/,
where you can copy/paste the entry and encode it (be aware that spaces
or NL at the end of the file will also be translated). You will then
just have to copy/paste the result into the ads-contextentry attribute.
I hit issues with base64 because it is limited to a length of 64 bytes
and this messed up the output hashes.
I switched to openssl with the -A parameter, which happily encodes
longer strings. It works fine (and is available to windoze users), so I
prefer to stick with it.
The reason we store the entry base 64 encoded is because it will contain
NL, and that will not fit well with the containing LDIF file. For
instance, using that :
ads-contextentry: dn: dc=example,dc=com
dc: example
objectclass: top
objectclass: domain
will simply not work, as the configuration reader will not be able to
understand what these "dc" and "ObjectClass" lines are good for...
I hope I clarified this part of the configuration...
I sort-of understand what you mean, but probably have enough other
headaches to let that issue slip slightly hazily past me!
HOWEVER...
I /still/ don't know which elements of my "old school" directory root
need to be hashed to generate an acceptable ads-contextentry value!
On 06/11/2019 10:36, Brian Burch wrote:
Emmanuel helped me a lot when I added the new section to the wiki more
than 2 years ago. The users mailing list thread carried the subject
"ApacheDS 2.0.0-M23 non-gui adding a partition".
<snip/>
The top entry looks like this:
dn: O=PingToo.com
objectclass: top
objectclass: organization
o: PingToo.com
Obviously, the order of these attributes and also the exact use of
letter case (and any white space) will alter the resultant
ads-contextentry hash.
Q1: I guess I can use the dn and objectclass top lines as-is.
Q2: Can I use the o value for my ads-partitionid (I think the answer is
yes).
Q3: [Your previous advice implied all 4 lines were required to have the
example partition created]. What should I do with my objectclass
organization line? Should it be changed to "domain", left as-is, or
simply eliminated?
Any enlightenment would be very welcome!
Merci d'avance (sorry, that sounds less polite to me than the English
"Thanks in anticipation"),
Brian
Once I have successfully created my new partition I hope to understand
the algorithm properly and will update the wiki page to explain the
process more clearly.
Regards,
Brian
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
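An added example, not part of the original thread and not ApacheDS code: it decodes the two ads-contextentry values quoted above, shows that their bytes differ in attribute order and trailing newlines, and checks that both carry the same DN and attribute values. The function names are hypothetical, and the parser is a simplified one that assumes plain "name: value" lines; it does not reproduce how the server itself reads the entry.

```python
import base64

# The two ads-contextentry values quoted in the thread (line folding removed).
DOMAIN_FIRST = ("ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY"
                "XNzOiBkb21haW4Kb2JqZWN0Y2xhc3M6IHRvcAoK")
TOP_FIRST = ("ZG46IGRjPWV4YW1wbGUsZGM9Y29tCmRjOiBleGFtcGxlCm9iamVjdGNsY"
             "XNzOiB0b3AKb2JqZWN0Y2xhc3M6IGRvbWFpbg==")


def decode_entry(b64_value):
    """Return the raw LDIF text stored in an ads-contextentry value."""
    return base64.b64decode(b64_value, validate=True).decode("utf-8")


def parse_entry(ldif_text):
    """Simplified LDIF parse (assumption): (dn, {attribute: set of values}).

    Handles only plain 'name: value' lines (no folding, no '::' values),
    which is all the entries in this thread use.
    """
    dn, attrs = None, {}
    for line in ldif_text.splitlines():
        if not line.strip():
            continue  # blank lines and trailing newlines carry no data
        name, _, value = line.partition(":")
        name, value = name.strip().lower(), value.strip()
        if name == "dn":
            dn = value
        else:
            attrs.setdefault(name, set()).add(value)
    return dn, attrs


def encode_entry(ldif_text):
    """Encode LDIF text as one unwrapped base64 line (like 'openssl base64 -A')."""
    return base64.b64encode(ldif_text.encode("utf-8")).decode("ascii")


def same_entry(b64_a, b64_b):
    """True when two values decode to the same DN and attribute values."""
    return parse_entry(decode_entry(b64_a)) == parse_entry(decode_entry(b64_b))


if __name__ == "__main__":
    for label, value in (("domain first", DOMAIN_FIRST), ("top first", TOP_FIRST)):
        print(label, repr(decode_entry(value)))
    print("identical bytes:", DOMAIN_FIRST == TOP_FIRST)
    print("same entry:", same_entry(DOMAIN_FIRST, TOP_FIRST))
```

Printing the decoded text with repr() makes trailing newlines visible, which is the usual reason a hand-made value fails to match an auto-generated one.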