Re: Update to 1.5.3 from 1.5.1
Hi Tony, Tony Thompson wrote: OK, I think I can reconfigure the 1.5.3 server.xml to match my install. But, it looks like a whole bunch of other stuff has changed. The first thing is the my directory information was in instances/default. Now it appears that it doesn't use that directory structure at all anymore. Yes, the structure has change. However, you won't be able to reuse the same data files from 1.5.1 and make them work with 1.5.3 : the way we are storing entries has totally changed. In the 1.5.3 server.xml, I specified the workingDirectory attribute on the defaultDirectoryService tag but it looks like it only goes one directory deep. If I specify workingDirectory=instances/defualt, it puts all the partition info directly into instances. If I copy my 1.5.1 partition data from instances/default/partitions to the 1.5.3 install, it appears that all of my directory data is gone. How do I get my 1.5.1 directory data into 1.5.3? There is only one option : export your data from 1.5.1 as a big ldif file, and re-import them in 1.5.3 More to come ... -- -- cordialement, regards, Emmanuel Lécharny www.nextury.com directory.apache.org
[Fwd: Application Period Opens for Travel Assistance to ApacheCon US 2008]
The Travel Assistance Committee is taking in applications for those wanting to attend ApacheCon US 2008 between the 3rd and 7th November 2008 in New Orleans. The Travel Assistance Committee is looking for people who would like to be able to attend ApacheCon US 2008 who need some financial support in order to get there. There are VERY few places available and the criteria is high, that aside applications are open to all open source developers who feel that their attendance would benefit themselves, their project(s), the ASF and open source in general. Financial assistance is available for flights, accomodation and entrance fees either in full or in part, depending on circumstances. It is intended that all our ApacheCon events are covered, so it may be prudent for those in Europe and or Asia to wait until an event closer to them comes up - you are all welcome to apply for ApacheCon US of course, but there must be compelling reasons for you to attend an event further away that your home location for your application to be considered above those closer to the event location. More information can be found on the main Apache website at http://www.apache.org/travel/index.html - where you will also find a link to the application form and details for submitting. Time is very tight for this event, so applications are open now and will end on the 2nd October 2008 - to give enough time for travel arrangements to be made. Good luck to all those that will apply. Regards, The Travel Assistance Committee ---BeginMessage--- Dear PMCs, Please could you forward the below message to your user@ and dev@ mailing lists, thanks in advance. - The Travel Assistance Committee is taking in applications for those wanting to attend ApacheCon US 2008 between the 3rd and 7th November 2008 in New Orleans. The Travel Assistance Committee is looking for people who would like to be able to attend ApacheCon US 2008 who need some financial support in order to get there. There are VERY few places available and the criteria is high, that aside applications are open to all open source developers who feel that their attendance would benefit themselves, their project(s), the ASF and open source in general. Financial assistance is available for flights, accomodation and entrance fees either in full or in part, depending on circumstances. It is intended that all our ApacheCon events are covered, so it may be prudent for those in Europe and or Asia to wait until an event closer to them comes up - you are all welcome to apply for ApacheCon US of course, but there must be compelling reasons for you to attend an event further away that your home location for your application to be considered above those closer to the event location. More information can be found on the main Apache website at http://www.apache.org/travel/index.html - where you will also find a link to the application form and details for submitting. Time is very tight for this event, so applications are open now and will end on the 2nd October 2008 - to give enough time for travel arrangements to be made. Good luck to all those that will apply. Regards, The Travel Assistance Committee - To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED] ---End Message---
Re: [ApacheDS] Weird issue with DIRSERVER-1285
Yiannis Mavroukakis wrote: Actually I don't think it matters much, as even with an incorrect password I get (from studio) The authentication failed [LDAP: error code 49 - Bind principalDn points to referral.] [LDAP: error code 49 - Bind principalDn points to referral.] With Studio 1.3.0 ? When I try to bind with a bad password, I get this : The authentication failed [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system] [LDAP: error code 49 - INVALID_CREDENTIALS: Bind failed: Cannot authenticate user uid=admin,ou=system] Can you sne dme your initial LDIF file and server.xml, so that I can test on my computer ? (send it privately, otherwise the attachments might be removed by the Apache mail server) -- -- cordialement, regards, Emmanuel Lécharny www.iktek.com directory.apache.org
Re: [Studio] Integer Editor does not accept negative numbers
James Lentini wrote: On Thu, 15 Oct 2009, Emmanuel Lecharny wrote: James Lentini wrote: Hi, This is a question about Apache Directory Studio. The Integer Editor, the default editor for attributes using the Integer syntax (1.3.6.1.4.1.1466.115.121.1.27), doesn't allow negative numbers. Section 3.3.16 of RFC 4517 indicates that the Integer syntax allows negative numbers. Is this a know issue with the Integer Editor? As a workaround, I've found that selecting Edit Value With and using the In-Place Text Editor allows negative numbers to be entered. Probably a bug. Which version are you using ? Sorry, I should have mentioned that. Version: 1.4.0.v20090407 I believe that is the latest and greatest. Yep, last one. We will vote a 1.5 in the next few days, so it's really the last few minutes before we freeze the code :) Another thing : the best would be to fill a JIRA so that we can keep a track of this bug and don't forget to fix it. Sure. I looked through the JIRA database, but didn't find an open issue on this already. Do I need to create an account and login before I can create a new issue? Yes. You have to login so you must create an account. No need to provide your credit card number, though ;) -- -- cordialement, regards, Emmanuel Lécharny www.iktek.com directory.apache.org
Re: [ApacheDS] Querying for uniqueMember matches
Marian, can you create a JIRA so that I don't forget to check this ? Many thanks ! SCHEDENIG Marian a écrit : From: Emmanuel Lecharny [mailto:elecha...@apache.org] Sent: Mittwoch, 09. Dezember 2009 14:21 I will check what's going wrong with the nameAndOptionalUID's uniqueMemberMatch matchingrule. Thanks a lot. Cheers, Marian. -- Regards, Cordialement, Emmanuel Lécharny www.nextury.com
Re: filter
On 8/16/10 3:24 PM, LAFEUILLADE Paul wrote: So I can't filter on the dn because to make this I can only use extensibleMatchingRule??? Let me extrapolate. *if* what you want to do is to find an entry in the DIT when the entry's DN contains some specific attributeType and value, like : entry1 : cn=john doe,ou=people,dc=acme,dc=com entry2 : cn=john doe,ou=robot,dc=acme,dc=com with the following filter : ((ou:dn:=people)(cn=john doe)) then you won't find any entry using this request, while you would have expected to get entry1 only (because entry2's dn does not contain ou=people) Now, *if* what you want to do is to find an entry which has one Attribute's value contaning a specific D, that's another story. Suppose that you have such an entry : dn: cn=test,ou=Groups,dc=acme,dc=com objectClass: groupOfUniqueNames objectClass: top cn: test uniqueMember: uid=jdoe1,ou=People,dc=acme,dc=com uniqueMember: uid=jdoe2,ou=People,dc=acme,dc=com uniqueMember: uid=jane,ou=People,dc=acme,dc=com uniqueMember: uid=john,ou=People,dc=acme,dc=com then a filter like (uniqueMember=uid=ja*) will give you back the entry, while (uniqueMember=uid=k*) will not find it. Not sure what kind of search you really want to do though... If you could be a bit more explicit, that could help... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: SSO with Google Apps
On 8/18/10 5:30 PM, Shane D. Eckert wrote: Emmanuel, Good advice. I grabbed the LDAP book from O'reilly last night and got through 3 chapters. Good stuff. LDAP seems simple, until you jump into the soup. Well, more like mud than soup... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Too Many Open Files with SocketConnector on 1.1.7
On 9/19/10 4:59 PM, Charles Hudak wrote: The problems I had previously with out of order messaging was an issue with MINA 2.0. This was happening with a pc client talking to a pc server. I'd like to give this problem a second try (pr a first try ;) now that MINA 2.0.0 is (almost) out. Would you mind sending me the informations I need to trouble shoot this problem ? (ie, code, whatever is relevant to reproduce the problem). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Error message: ERR_00004 The PDU buffer size is too small !
On 9/23/10 3:32 PM, Wasscher, Ewald wrote: Good day Emmanuel, Thank you for the reply, I just created this entry: https://issues.apache.org/jira/browse/DIRSERVER-1556 Thanks for that ! And the burden is no problem. Personally I hate it when users complain it doesn't work without giving information, so I understand your question completely. It's still a problem, because if the server is unable to generate a correct PDU for a simple request, then your clients are unlikely to be the one having issues with the server... What could really help here is a LDIF for the entry that cause the problem (Of course, if there are some confidentiality issues, something I can understand, please contact me directly to see what we can do). Many thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Problem creating ldap entries
On 10/7/10 5:51 PM, Massimiliano Ziccardi wrote: Which version ? 1.5.7 and you are able to get them back ? Yes.. So it seems they are registred... We don't correctly support all the ;binary values in the server, this is still a grey area atm. We will most certainly improve it in the near future, and we already have a partial fix for this issue : https://issues.apache.org/jira/browse/DIRSERVER-1198 -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [Community] Proposals for those interested in participating
On 3/1/11 5:50 PM, Stefano Gargiulo wrote: Very interesting! Proposal #1 Will rock (world need this kind of webapps) and also the new api is a great thing for who wants to write a custom user management interface (i need this, for now i wrote one in php but i will be very happy to switch to your ldap api when mature) I would add something regarding the Web UI : we would be very interested in using Eclipse RAP [1] to get the current Apache Studio application available as a Web UI, with the same look and feel. We have already conducted some experiments the last two years, and we know we aren't too far from being able to provide a single applications which can be used either as a standalone application, or as a plugin inside eclipse, or thanks to RAP, as a web UI. What would be absolutely great would be to see if this can be done with the current version (RAP 1.4-M6 is announced for march 18), and what are the impacts on the current application. Maybe Pierre-Arnaud or Stefan can elaborate a bit more on this. Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [Community] Proposals for those interested in participating
On 3/1/11 11:10 PM, Stefan Seelmann wrote: On Tue, Mar 1, 2011 at 5:58 PM, Emmanuel Lécharnyelecha...@apache.org wrote: On 3/1/11 5:50 PM, Stefano Gargiulo wrote: Very interesting! Proposal #1 Will rock (world need this kind of webapps) and also the new api is a great thing for who wants to write a custom user management interface (i need this, for now i wrote one in php but i will be very happy to switch to your ldap api when mature) I would add something regarding the Web UI : we would be very interested in using Eclipse RAP [1] to get the current Apache Studio application available as a Web UI, with the same look and feel. We have already conducted some experiments the last two years, and we know we aren't too far from being able to provide a single applications which can be used either as a standalone application, or as a plugin inside eclipse, or thanks to RAP, as a web UI. What would be absolutely great would be to see if this can be done with the current version (RAP 1.4-M6 is announced for march 18), and what are the impacts on the current application. I think RAPification of Studio is a bit special. First, as Alex already mentioned, it will be a heavy web application. Second, Studio uses shared and Server components, they are heavily modified, I don't foresee stability here within the next months. It would be necessary to deal with changed packages and dependencies all the time. That doesn't make it easy to work on a RAP version. Last not least, IMHO it is required to have deep knowledge of Eclipse RCP and Plugin development. Also experience with RAP would be good. I don't think that it is possible to get it working with 'only' Java skills within a fair time, this is really a big task. Yeah, you are most certainly right. Thinking about it again, I think we should proceed in another way regarding any RCP/RAP application : starting with RAP first, and see if it does not limit too much the RCP application. In any case, none of those approach fits with Studio, and it's better to start from scratch with a simpler Web UI. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Apacheds for authetication in Debian
On 3/16/11 9:32 PM, Ricardo Román Brenes wrote: ok so, help me out a bit more out here please; i have changed the m-disabled to FALSE as it said on the link emmanuelle showed me (thanks) but now what? How do i make something like dc=myown and then make a user there following the PosixAccount? Well, I could drive you by the hand here, but frankly, the web site contains a lot of information describing how to use the server on this page : http://directory.apache.org/apacheds/1.5/apacheds-v15-basic-users-guide.html And for the other part (ie make Apacheds the base for your linux athentication), you have a lot of documentation on the web. A bit of googling helps. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Apacheds for authetication in Debian
On 3/17/11 4:26 PM, Ricardo Román Brenes wrote: i really dont see where in the poor documentation says that... and i have searched in google for 4 days. Apacheds is in fact my last try, since ive tried slapd, fedora-ds, webmin, phpldapadmin, and none have worked May be you'll have to buy one book about LDAP basis first. (http://www.amazon.com/Understanding-Deploying-Directory-Architecture-Development/dp/1578700701, for instance). It seems you are confusing some terminology. slapd, fedora-ds are LDAP servers, when webmin and phpldapadmin are LDAP UI. What you are looking for is some help about LDAP usage and integration, which is not something easy to provide by mail. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Apacheds for authetication in Debian
On 3/17/11 5:38 PM, Ricardo Román Brenes wrote: im not gonna start a fight with some kind of stranger over the internet but. i was precise and explicit, this aint for home work and im not crying for help, i asked though the offial media of support of this software. My problem is taht i have to configure this server i have installed to be able to serve usernames and passwords to the cluster nodes. I have installed the software and apacheds is running on port 389. What do i have to do to make a base DC and users that follow the PosixAccount in LDAP? It's neither precise, nor explicit. *Assuming* you had a previous Fedora-DS server installed, I *thought* you were using it to manage your users. If so, the only thing missing was to enable the NIS schema in ApacheDS, and of course inject your entries into the server. My answer was based on assumptions, not facts. Then you posted i have changed the m-disabled to FALSE as it said on the link emmanuelle showed me (thanks) but now what? How do i make something like dc=myown and then make a user there following the PosixAccount? which makes no sense to me. Its vague, non explicit and impossible to answer with accuracy. In fact, here again, I *assumed* you needed some tight directions on LDAP, not on ApacheDS. I'm not blaming you here, not I want to start a fight, I have no time for that i'm just trying to drive you out of a dead-end : the most precious resource in OSS is time, so please be explicit, and you not only will save my time, but also yours. Thanks to understand my POV. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ApacheDS and Samba
On 4/17/11 5:42 AM, Jeffrey Reynolds wrote: Just a few things. Wiki page? Excellent idea. If I ever get this working I'll try to throw it together over a weekend. There are a few more issues, the samba schema is missing a few more attributes, and seems like it needs an overhaul anyway. Yeah, we don't maintain the samba schema. It keeps evolving over the time. It would be good to update it with the latest version in the next ADS release. I'm wondering if its planed to be updated in version 2.0. We can do that, of course. Anyway, those items seem inconsequential enough, just limit a bit of functionality. Anyway, the biggest problem is that this is what my issue appears to be. Once an object is created with a given set of objectClasses, it can only be referenced by those object classes. For example, I created an inetOrgPerson, which also includes organizationPerson, person, and top objectClasses. If I run ldapsearch looking for anyone of those objectClasses, I can find that entry. Later I can add another objectClass to the entry, say posixAccount, but ldapsearch returns nothing for that entry when search for the objectClass=posixAccount attribute. However, if I create an object that has all five objectClasses, then searching for any of them will return a result. I have seen you JIRA for this one, and replied to it. Sounds like a bug in the way we update index in 1.5.7. Can you try to extract all your objects, and reinject them ? We are going to check this in trunk, as it has evolved a lot since 1.5.7... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ApacheDS and Samba
On 4/17/11 5:52 AM, Jeffrey Reynolds wrote: Oh one other thing, I'm not sure if it's a performance issue since I am running Apache DS in a VM, but whenever I go to full debug mode for logging, the server crashes (IE Apache DS stops running), and it seems that anything less does not yield any relevant log info in apache-rolling.log Strange... Another JIRA ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: LDAP scalability
On 5/18/11 1:13 AM, Bren Norris wrote: Oh and on a side note, never have I seen facebook directly disclose its infrastructure. http://www.infoq.com/presentations/Facebook-Software-Stack But it was back in 2009... Yes there are rumours it uses a mySQL database however I say that (a) it is a rumour and (b) it would be highly modified. (a) is not a rumor :) and (b) is true... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] prescriptiveACI not working
On 5/23/11 6:24 PM, Ron Woods wrote: Hi, Emmanuel, Yes, I did stop and start the server after inserting the prescriptiveACI attributes, but it still didn't work. What I meant is that if you stopped the server, as the cache isn't correctly updated in 1.5.7, the ACI has been lost in the process... Sorry to hear that there is no current workaround; however, we can probably wait for the next release: Our application is still in design, at present. Not a problem : we are currently discussing about releasing a new version very soon, as we have quite a few problematic issues that have been fixed since we released 1.5.7, and this could happen in the next couple of weeks. While waiting for a reply to my question, I discovered that Apache Directory Studio can create servers. Yes. We did that in order to give a tool to people who want to play with a server without having to go through the pain of installing it beside. It's really very handy. I did that and noticed the version is 1.5.6. Thinking that maybe it would work in the prior version, I imported our directory into that server. I added the prescriptiveACI, but it didn't work in that context, either. Should it be working in version 1.5.6? No. Same problem. We are also trying to cut a 1.5.4 release, with a more updated version of the server. Damn, all those releases are depending on each others :/ Keep tuned, many new things will certainly occur in june. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Custom Schemas and Partitions
On 7/1/11 5:46 PM, Luke Shannon wrote: The devAccounts object is coming from a custom schema. I was able to load this using the Schema browser. However it seems my server does not have access to the objects I loaded. Do ldap servers have a context or something? First, can you tell us exactly what is the server you use ? Then, how did you injected the OC into the schema ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ApacheDS Tools dump question
On 9/29/11 4:17 PM, Steve Hayden wrote: Greetings, Thanks for your prompt reply and information. Unfortunately using the Studio export/import is not an option in my application. What I am actually trying to do is to create a failover mechanism for when a master directory fails and must switch to another LDAP server (perhaps a sloave) that contains the same (or most of) the data contained in the master. In the ApacheDS source code, there is some replication code, but it does not seem to do much/anything. Do you have any advice on how to implement failover/redundancy? The best would be to use ldapsearch. I don't know if it exists on windows, but it should be easy to find out... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance issues and strange logs
On 10/13/11 5:53 PM, Craig Setera wrote: Is it possible to switch out just MINA or would that break something? It *should* be possible, as the MINA API has been frozen in 2.0.0-RC1. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance issues and strange logs
On 10/13/11 6:52 PM, Craig Setera wrote: We have a custom interceptor plugged in to 1.5.5. Did anything change in 1.5.7 that would break that? If not, we may be best off to just move to 1.5.7. I don't know. Can you post the interceptor method's signatures? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance issues and strange logs
On 10/13/11 11:01 PM, Craig Setera wrote: I appreciate the offer. Unfortunately, it is quite a lot of code. I'm going to try a new version of MINA inside of 1.5.5 and see what happens. Just the method's signature, not the code. If there is some issue with 1.5.7, it will be around the signatures. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance issues and strange logs
On 10/13/11 11:22 PM, Craig Setera wrote: Having connected my code to the 1.5.7 code it is more than that. I think I may have reached into more internals for my implementation than I should have and that that is the primary problem. With that said, my initial tests with Mina 2.0.4 underneath 1.5.5 seem to be working. Is there anything I would want to look for that might not be obvious in that scenario? Not that much. May be compare the LdapServer class, we may have changed the way we have initialized the MINA layer there (the startNetwork method, from the top of my head). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Apache Directory LDAP client API persistent search
On 10/14/11 12:33 AM, Stefan Seelmann wrote:
On Thu, Oct 6, 2011 at 11:05 PM, Emmanuel Lecharnyelecha...@gmail.com wrote:
On 10/6/11 10:44 PM, Charles FENDT wrote:
Hi,
I'm trying to work with Apache DS for a central repository and Apache
Directory LDAP Client API on Java servers to request in the repository.
It work pretty good... except one thing : I need to make persistent sear
in the LDAP server... and i can't make it work...
I didn't found any example or howto on which base my code...
So I'm asking for some help !
You may check this test :
http://svn.apache.org/viewvc/directory/apacheds/trunk/server-integ/src/test/java/org/apache/directory/server/operations/search/PersistentSearchIT.java?revision=1124675view=markup
It implements a persistent search.
Be aware that this test is a bit complex, but feel free to post your
question on this mailing list.
Hm, the linked test uses JNDI to perform persistent search. Does the
LDAP API also support persistent search and if yes are there examples?
Well, we have to inject the PersistentSearch control this way :
@Test
public void testSimpleSearchWithControl() throws Exception
{
SearchRequest searchRequest = new SearchRequestImpl().setBase(
new Dn( ou=system ) ).setFilter( (objectclass=*) )
.setScope( SearchScope.ONELEVEL ).addControl( new
PersistentSearchImpl() );
EntryCursor cursor = connection.search( ou=system,
(objectclass=*), SearchScope.ONELEVEL );
Now, we have to deal with the result. It's a bit late for me to add a
test that does it.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: Upgrading to apacheds-service-2.0.0-M3.jar - ClassNotFoundException
On 10/15/11 2:06 AM, Harakiri wrote: --- On Fri, 10/14/11, Emmanuel Lecharnyelecha...@gmail.com wrote: From: Emmanuel Lecharnyelecha...@gmail.com Subject: Re: Upgrading to apacheds-service-2.0.0-M3.jar - ClassNotFoundException To: users@directory.apache.org Date: Friday, October 14, 2011, 9:06 AM On 10/14/11 2:43 PM, Harakiri wrote: Hello, im trying to port my custom partition from 1.5.x to 2.0.0-M3. Im getting a ClassNotFoundException when using schemaManager.loadAllEnabled(); lang.ClassNotFoundException: org.apache.directory.shared.ldap.schema.comparators.IntegerOrderingComparator I think we have removed this (useless) class. Use the IndexComparator instead; The rational is that when comparing integers, there is no need of two function, one to compare if the integers are equal, and an other one to tell if an integer is lower or higher than another one : this can be done by one single class, returning -1, 0 or 1 depending on the integers. I think you dont understand - your own code is calling IntegerOrderingComparator but it doesnt exist! i dont call it - i only call loadAllEnabled - the jar references a class which does not exist in the jar! Oops, sorry, yes, I misunderstood... However, I did a grep -R 'IntegerOrderingComparator' . on the server code (rev 2.0.0-M3) and it brings back nothing, which means this method is not present in the code base. Can you do the same thing on your computer, and give us the result ? I'd like to know which ldif file contain this class name. IMO, as Alex said, it's very likely that you are still using an old ldif file which was coming from an old version. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Upgrading to apacheds-service-2.0.0-M3.jar - ClassNotFoundException
On 10/18/11 5:46 PM, Harakiri wrote: --- On Tue, 10/18/11, Emmanuel Lécharnyelecha...@apache.org wrote: Can you test the same code without the ;binary ? serverEntry.put(userCertificate, byte..); I'm sure that we should support the ';binary' in entries, and I'm positive that is a bug. Can you please fill a JIRA, so that we don't forget to fix it ? Many thanks ! The code works fine without the binary - but im a bit confused now - the whole point of the JIRA entry was to add support for binary attributes - why do you want to open another? This issue should just be reopened: https://issues.apache.org/jira/browse/DIRSERVER-1198 (I can add a new entry but i dont see the point) Ah, yes, sure. But can you add the exact reason why its failing ? It seems to be a different failure : we are trying to look for 'usercertificate;binary' in the schema on the client side, and obviously, t's not working. Doing the same thing in the server is handled correctly (well, it's a disgusting hack, frankly :/). In any case, it should be fixed... Thanks for the feedback, and sorry for the pain ... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] Re: Access Restriction
On 11/4/11 2:13 PM, Kevin Hamilton wrote: version: 1 dn: uid=admin2,ou=systemobjectclass: organizationalPersonobjectclass: personobjectclass: inetOrgPersonobjectclass: topcn: admin2sn: admin2mail:admin@umem.orguid: admin2userPassword:: REMOVED for e-mailadministrativeRole: accessControlSpecificAreacreateTimestamp: 2004121155ZcreatorsName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=systementryCSN: 2004121347.312000Z#00#000#00entryParentId: 1entryUUID:: REMOVED for e-mailmodifiersName: 0.9.2342.19200300.100.1.1=admin,2.5.4.11=systemmodifyTimestamp: 2004121347ZpwdHistory:: REMOVED for e-mail Thanks, but the error messag was not for this entry, but for cn=admin2Test,uid=admin2,ou=system Do you have the LDIF for this entry ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Issue with file loading under Windows (LDAP API 1.0.0-M10)
Le 2/22/12 2:35 PM, Vitali Baumtrok a écrit : The method org.apache.directory.shared.ldap.sp.JavaStoredProcUtils.getClassFileAsStream(clazz: Class?): byte[] returns zero bytes under Windows if the path to the class contains at least one space character. Because of that the org.apache.directory.shared.ldap.sp.JavaStoredProcUtils.loadStoredProcedureClass(ctx: LdapContext, clazz: Class?) doesn't work properly. For example: Reading the file C:\a a\foo.class would return zero bytes, because clazz.getResource( classFileName ).getFile() returns the String /C:/a%20a/foo.class. So in the following URL url = clazz.getResource( classFileName ); File file = new File( url.getFile() ); the file can not be found, because it searches for the C:/a%20a directory which doesn't exist. Solution: Instead of url.getFile() use url.toURI() Good catch !! Can you fill a JIRA ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: How to use ApacheDS 2.0 for unit tests
Le 2/26/12 8:40 AM, Christoph Czurda a écrit : Hi, I want to use ApacheDS 2.0 for unit testing as described here: http://directory.apache.org/apacheds/1.5/42-using-apacheds-for-unit-tests.html However this document is written for 1.5 and contains some outdated information. How can I use my own connection for the tests so that I can verify certain conditions using connection.exists(...) ? What does the test class have to look like? I want to test against an external servier (ie not an embedded one) so that I can still use Studio to check the current state of the server. The server is running on localhost, port 10389 and is authenticated with default uid=admin,ou=system. Kind regards, Christoph Hi, The best would be to look at some of the existing tests and mimic them : http://svn.apache.org/viewvc/directory/apacheds/trunk/ldap-client-test/src/test/java/org/apache/directory/shared/client/api/LdapConnectionTest.java?revision=1243572view=markup It's not well documented atm, and I have a low bandwith connection, but eventually ping us again next week so that I can update the doco with a 2.0 sample. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Apahe Directory Studio -- LDIF Export BASE-64 Encoding Strings
Le 2/27/12 7:25 PM, Lohse Chris a écrit : [ApacheDS] Using version 1.5.3 of Apache Directory Studio to export an LDIF. I have some attributes that are Directory String types, but they have some markup in them. The LDIF export is BASE-64 encoding these strings, and I'm unable to find a way to force it to just output the string as-is. For example: A displayName value of 'bEngineering Support/b (Also Select Home Page)' Becomes (in the LDIF): 'displayName:: PGI+RW5naW5lZXJpbmcgU3VwcG9ydDwvYj4gKEFsc28gU2VsZWN0ICJIb21lIFBhZ2UiKQ==' Other displayName values (without any markup) export fine (as simple text). Advice? A value starting with '' will be base 64 encoded. That's what specify RFC 2849 : value-spec = : (FILL 0*1(SAFE-STRING) / : FILL (BASE64-STRING) / FILL url) ; See notes 7 and 8, below SAFE-STRING = [SAFE-INIT-CHAR *SAFE-CHAR] SAFE-INIT-CHAR = %x01-09 / %x0B-0C / %x0E-1F / %x21-39 / %x3B / %x3D-7F ; any value= 127 except NUL, LF, CR, ; SPACE, colon (:, ASCII 58 decimal) ; and less-than ( , ASCII 60 decimal)--- The reason is that a value like : displayName: (some URI) will get its value from a URI. There is no way to force your data to be in clear text. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ava.io.EOFException: ERR_00021 EOF encountered in middle of object; org.apache.directory.shared.asn1.der.ASN1InputStream.readFully
();
sd.parseMessages ();
}
public static byte[] stringToHex (String inString, int startPos) {
String strTemplate = 0123456789ABCDEF;
int length = inString.length();
int resLen = (length-startPos)/2;
byte[] res = new byte[resLen];
// System.out.println (::stringToHex inString = + inString);
for (int i = 0; i resLen; i++) {
char c1 = inString.charAt(2*i + startPos);
int pos1 = strTemplate.indexOf (c1);
char c2 = inString.charAt(2*i+1 + startPos);
int pos2 = strTemplate.indexOf (c2);
/// System.out.println (Integers are ( + pos1 + , + pos2 +
));
res[i] = (byte )(( pos1 4 | pos2) 0xff);
}
return res;
}
}
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: ava.io.EOFException: ERR_00021 EOF encountered in middle of object; org.apache.directory.shared.asn1.der.ASN1InputStream.readFully
453e03eed6a2950955c40a7ce04b1bc0b725614ea7a34885903d544de4339e1218e3afc0438598eab59d2fbb59bdec951df6055ecc449dfc041534d125a71851fb9de91eec35af9d8c588a32929e1ea31fdd8d40987af5cdaa70f6ad06cac744cf7989be7c668a4d0af97cf3865e5070c6ff44d3f1abf3fbae432e3336d8b4d06daa0181c98485f4d331d29fafd01a0625673ba3dd9fe65f4317f3c4fa3c45a26ccc3caa6515b585a2bb3c3fa781046274e33bc94518cc2fd27fb60ecbe2479f330b3530a011865ff0a15282d27e5b3f1e2e34131efe28ed819b1c73ce27dfb1c5e5419aa68fcc3c3994bdc37c53e1ac03f645fb00bc24ff3506a9d11c7e63e938ac88947f810217be6f5bb1c3d691a07374e4580a34c56b04f0823e6569f0a8c51b3c8c8a0fbb9663859e0ec210e61e22860ae4c56611b2bfe375438838cd11c593d0e2cf6208f3d0f2166d23f6350253bc0171a72dcda3d31d33d64607537dbb19c76b8f684d3c619eba19ed8be70b6510a9a578832568bf844f1ea911896af6055eb3a6bfb126c7aa9f951475f336c7d6fa7ef48cd39e8d9946641291ec6799c304d095875c560056c6c482194d0d095859ae46297b9d757a6120482a2ba7c073cc842cb6a0f39294bd7acc7f19e4e12702278624c0d3000580466be313a59d1f4b47f2a699f6da2213997a42483b18f717eff959b330d73c61bf60b3d6b350528b464302b70207c9cabe51ae10898a36c4e939cf412b6f99a09ca86aac8c0043c117a6c4e5f8b606fcab0caeaefae70f359338e58ad16eb5cd3d20c4f758f852c18eec1302cebb63c0c8f448bccb36c2a62e2be3534aba816b7e26672e76e35af3790f84cb57eaaa05bfb49949f8c7bccbb6d228ec49e19dac51cb67ee8908f5772973e5ab000f0ca600bc87f631d21534f69aca1bd656efbf4f26c659b23435c1357091a5ea4166d21ee3f077b889281b9c996678d257e2849aa2c21d32c2e28406dd64a7521d809db154b6f36a68399bedcb3ac90906f316b8b67ebbc3cd3b5b5e991a25139ee8bff94935340c7ddb2d33783bfdb9b79dc13b62e600c801b0f990830391b7526352bf4c799e309371dc1090765649d2a934f0ca9e07a78f8cd59e42f9c80246c29fe17d33b96b2b7d364b291e8645f0aa6e7263c1eab1e7a3231f5562fa9b77632c2c489609bee158c1a682010b30820107a003020111a103020102a281fa0481f738bfbdef7613dede4f09662460db2ebcad50fa61f8cba9ccbdc15a5048f2de99f6c9ec4a68dff595ed928b9328d104bca86823f85959d821c62f488acf50431840890d521be2d8332571a43e0d238735a8d188a23b5e81776b151770b516c0e3478daabd7533b8d91f80744635b31e6e85dfe01200c716503983e57672e496244a9e156e6adcbd1bba35997e8df93abd1e6a5ff979744db98e180cc5653a5981a38285fcf1323a247887fcf1df760d15a4bf2f2c5f1cc88c8d3ead1f1bd8fa9641f3212c13924d9874756c822c0bebe4d45bc2a47ae41d319a267ed26ad9d7f9671c38a28105e18bbe5c7dd2a00c0af08a481335db9da3;
private byte asRepBytes[] = null;
private byte asErrBytes[] = null;
public void init () {
asRepBytes = stringToHex (asRepStr, 0);
asErrBytes = stringToHex (asErrorStr, 0);
}
public void parseMessages () {
try {
System.out.println (# of bytes = +
asRepBytes.length);
ByteBuffer buf = ByteBuffer.wrap (asRepBytes);
org.apache.directory.server.kerberos.shared.io.decoder.KdcReplyDecoder
kryDecoder = new
org.apache.directory.server.kerberos.shared.io.decoder.KdcReplyDecoder ();
KdcReply kry = kryDecoder.decode (buf);
ErrorMessageDecoder emd = new ErrorMessageDecoder ();
ByteBuffer buf2 = ByteBuffer.wrap (asErrBytes);
ErrorMessage em = emd.decode (buf2);
System.out.println (em.toString ());
} catch (Exception ex) {
ex.printStackTrace ();
}
}
public static void main (String[] args) {
SimpleDecoder sd = new SimpleDecoder ();
sd.init ();
sd.parseMessages ();
}
public static byte[] stringToHex (String inString, int startPos) {
String strTemplate = 0123456789ABCDEF;
int length = inString.length();
int resLen = (length-startPos)/2;
byte[] res = new byte[resLen];
// System.out.println (::stringToHex inString = + inString);
for (int i = 0; i resLen; i++) {
char c1 = inString.charAt(2*i + startPos);
int pos1 = strTemplate.indexOf (c1);
char c2 = inString.charAt(2*i+1 + startPos);
int pos2 = strTemplate.indexOf (c2);
/// System.out.println (Integers are ( + pos1 + , + pos2 +
));
res[i] = (byte )(( pos1 4 | pos2) 0xff);
}
return res;
}
}
++ CODE ENDS ++
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: Quesiton about best way to index attributes
Le 2/29/12 7:50 PM, Kiran Ayyagari a écrit : On Wed, Feb 29, 2012 at 11:44 PM,carlo.acco...@ibs-ag.com wrote: Hi, We have apacheds 2.0-M5 db setup with all ~90k users under one OU. Yes, I know they should be stored with some hierarchy but that's not an option for this particular customer. Having 90K users in one single OU is *not* a bad practice. You may want to setup a hierarchy, but this is not mandatory. I want to optimize searching by lastname, (sn), firstname (givenName) and displayName. I have created indexes under the partition and we see ads-indexcachesize is set by default to 100. Assuming the value correlates to a value for the attribute, Can I set this to 50,000 for each of the attribs?. that won't help much, setting up more memory for the JVM will help You still can increase the number to a higher value, but you must know that as soon as the higher BTree pages will be loaded, the speedup will be lower. With 100 pages loaded, you have most of the BTree loaded. If you have enough memory, just increase this value to 50 000, should not harm. In any case, I would suggest that once you have increased those values for each index that you do a full search to load all of them in memory, to check that you don't get an OOM, before running in production. Also, is there a way to rebuild the indexes in 2.0? I can't seem to find how that's done. no, one way is to delete the index and restart the server followed by adding the index and restart, then the server will automatically build the index during startup Kiran : haven't we added some utility tool to do that ? (It's a bit far in the past.. If we don't have them, we must add them) I'm wondering if we don't have a JIRA for that... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: What about Stored Procedures and Triggers?
Le 3/1/12 3:00 PM, Vitali Baumtrok a écrit : Hi, basically I'm testing the possibilities of ApacheDS, especially stored procedures (SPs) and triggers (TRs). But it seems like they not working now, because of some code changes/refactoring, so I just wanted to ask, are you planing to change the API for SPs/TRs or will it stay like it is (LDAP API 1.0.0-M11)? Definitively, yes, we intend to fix teh Triggers/SP for 2.0.0-RC1. Currently, we are fixing some huge issues in the core server, but when it'll be done, be sure we will refactor this part too : it's one of the most interesting feature of ApacheDS. One of the refactoring we want to do is to get rid of JNDI in SP/Triggers, to switch to the API. Franckly, it should not take more than one or two weeks, but we are still blocked until we get other issues fixed (like replication) Can you roughly estimate when the refactoring is done and SPs/TRs are fixed? We just released ApacheDS 2.0.0-M6 this week, and we expect to release a M7 by the end of march, with one of the major fix we want to integrate. Then a M8 shoudl follow shortly (april ?) with replication. The next step is probably to fix the triggers/SP and also AdministrativePoint handling. That leads us to end of june. May be earlier. May be later... Hope it helps. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal org.apache.maven.plugins:maven-shade-plugin:1.5:shade (default) on project shared-all: Error creating shaded jar: error in opening zip file C:\tmp\apacheds\apacheds-
Le 3/1/12 6:42 PM, Wang, Xunhua - wangxx a écrit : Just downloaded mvn, checked out apacheds-trunk on Ubuntu 10 (with jdk 1.6.0_20), ran the following command, and got this error: 1.6.0_20 is *really* old. I just tested on Ubuntu 11.10, with Java 1.6.0-29, it builds. Note that I get a failure with Java 7 (the same than the one you've got). May I suggest you fill a JIRA describing the failure ? I think we should get rid of this shade-plugin error on windows... Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal on project apacheds-all: Could not resolve dependencies for project org.apache.directory.server:apacheds-all:jar:2.0.0-M7-SNAPSHOT: Could not find artifact
Le 3/1/12 8:24 PM, Wang, Xunhua - wangxx a écrit : Thank you. In my case, upgrading JDK to 1.6.0_30 does _not_ help. Still got the following error: Can you give it a try with the latest trunk ? We have fixed some pom.xml, it might be better. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal on project apacheds-all: Could not resolve dependencies for project org.apache.directory.server:apacheds-all:jar:2.0.0-M7-SNAPSHOT: Could not find artifact
Le 3/2/12 12:50 AM, Wang, Xunhua - wangxx a écrit : Just tried and went much farther than before: + ERROR BEGINS + [INFO] [INFO] Reactor Summary: [INFO] [INFO] ApacheDS All .. SUCCESS [24.507s] [INFO] ApacheDS Logger Interceptor ... SUCCESS [5.476s] [INFO] ApacheDS Password Hashing Interceptor . SUCCESS [3.603s] [INFO] ApacheDS Core Integration . SUCCESS [16:44.523s] [INFO] ApacheDS Server Integration ... SUCCESS [7:26.849s] [INFO] ApacheDS DirectoryService-WebApp bridge ... SUCCESS [6.447s] [INFO] ApacheDS Jetty HTTP Server Integration SUCCESS [12.112s] [INFO] ApacheDS Service Builder .. SUCCESS [6.531s] [INFO] ApacheDS Protocol Kerberos Test ... FAILURE [5:13.429s] [INFO] Apache Directory LDAP Client API test . SKIPPED [INFO] ApacheDS Service .. SKIPPED [INFO] ApacheDS Wrapper .. SKIPPED [INFO] ApacheDS Installers Maven Plugin .. SKIPPED [INFO] ApacheDS Installers ... SKIPPED [INFO] ApacheDS Manuals .. SKIPPED [INFO] ApacheDS Build With Dependencies .. SKIPPED [INFO] [INFO] BUILD FAILURE [INFO] [INFO] Total time: 30:29.313s [INFO] Finished at: Thu Mar 01 18:06:41 EST 2012 [INFO] Final Memory: 62M/148M [INFO] [ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12:test (default-test) on project apacheds-kerberos-test: There are test fa ilures. [ERROR] [ERROR] Please refer to C:\tmp\apacheds\apacheds-trunk\apacheds\kerberos-test\target\surefire-reports for the individual test results. [ERROR] - [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvngoals -rf :apacheds-kerberos-test + ERROR ENDS + Again which KDC server does apacheds-kerberos-test test? It's the Apache DS KDC server. How can I pass the apacheds-kerberos-test to finish the whole process? can you provide the test that fail in C:\tmp\apacheds\apacheds-trunk\apacheds\kerberos-test\target\surefire-reports ? There are .txt files in this directory, and some of them will contain some info. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal on project apacheds-all: Could not resolve dependencies for project org.apache.directory.server:apacheds-all:jar:2.0.0-M7-SNAPSHOT: Could not find artifact
Le 3/2/12 1:54 AM, Wang, Xunhua - wangxx a écrit : can you provide the test that fail in C:\tmp\apacheds\apacheds-trunk\apacheds\kerberos-test\target\surefire-reports? There are .txt files in this directory, and some of them will contain some info. All files in that directory are attached. Thanks. That's weird... The buidl works like a charm on Maxc OS.X, but fails on Ubuntu 11.10 (I just tested this morning, and got the same error). It seems to work on windows though... We are conducting some more tests. Keep tuned ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal on project apacheds-all: Could not resolve dependencies for project org.apache.directory.server:apacheds-all:jar:2.0.0-M7-SNAPSHOT: Could not find artifact
Le 3/2/12 12:11 PM, Emmanuel Lécharny a écrit : Le 3/2/12 1:54 AM, Wang, Xunhua - wangxx a écrit : can you provide the test that fail in C:\tmp\apacheds\apacheds-trunk\apacheds\kerberos-test\target\surefire-reports? There are .txt files in this directory, and some of them will contain some info. All files in that directory are attached. Thanks. That's weird... The buidl works like a charm on Maxc OS.X, but fails on Ubuntu 11.10 (I just tested this morning, and got the same error). It seems to work on windows though... We are conducting some more tests. Ok, I know what's going on. The Kerberos test is passing fine if you use an old JVM (1.6.0-26 in my case), but due to some change in the sun.security.krb5.KrbKdcReq API, it breaks in Java 1.6.0-30 :/ I will try to get this test fixed now. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ERROR] Failed to execute goal on project apacheds-all: Could not resolve dependencies for project org.apache.directory.server:apacheds-all:jar:2.0.0-M7-SNAPSHOT: Could not find artifact
Le 3/2/12 2:51 PM, Emmanuel Lécharny a écrit : Le 3/2/12 12:11 PM, Emmanuel Lécharny a écrit : Le 3/2/12 1:54 AM, Wang, Xunhua - wangxx a écrit : can you provide the test that fail in C:\tmp\apacheds\apacheds-trunk\apacheds\kerberos-test\target\surefire-reports? There are .txt files in this directory, and some of them will contain some info. All files in that directory are attached. Thanks. That's weird... The buidl works like a charm on Maxc OS.X, but fails on Ubuntu 11.10 (I just tested this morning, and got the same error). It seems to work on windows though... We are conducting some more tests. Ok, I know what's going on. The Kerberos test is passing fine if you use an old JVM (1.6.0-26 in my case), but due to some change in the sun.security.krb5.KrbKdcReq API, it breaks in Java 1.6.0-30 :/ I will try to get this test fixed now. I think the kerberos tests are now passing well on both Linux and Mac OSX. Can you give it a try with the latest trunk ? Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Is it faster/better to include one objectclass or all in query?
Le 3/14/12 3:51 PM, carlo.acco...@ibs-ag.com a écrit : Hi, when searching for a user having this objectclass hierarchy top |_person |_organizationalPerson |_inetOrgPerson and uid = 'jsmith' Which query would be less expensive or better/faster? Thanks! ( (objectclass=inetOrgPerson) (uid=jsmith) ) OR ( ((objectclass=top) (objectclass=person) (objectclass= organizationalPerson) (objectclass=inetOrgPerson)) (uid=jsmith) ) It depends on the number of entries selected by each of the filters. The way the filtering works - for an AND operation at least - is that we first evaluate the number of elements returned by each single filter, then we pick the smallest one and we process the search using this filter. For instance, in your case, we will have : (objectclass=top) - matches all the entries (obviously) (objectclass=person) - matches 1000 entries (objectclass= organizationalPerson) - matches 100 entries (less than for the previous filter because organizationalPerson has person as a superior) (objectclass=inetOrgPerson) - matches 10 entries (same raisonning than upper) now, - if (uid=jsmith) matches 55 entries, then we will use the (objectclass=inetOrgPerson) filter - if (uid=jsmith) matches 7 entries, then we will use this filter at the end, we will browse 10 or 7 entries, depending on the number of matched entries considering the filter. If we take your first filter ( (objectclass=inetOrgPerson) (uid=jsmith) ) it's even simpler, as we don't have to evaluate the hierarchy of ObjectClasses. End of the day : no need to pile up the atomic filters in your request, just use those that are the most discriminant. Last, not least, the 'cost' difference will be minimal anyway, as the evaluation is a pretty fast operation compared to pulling entries from the backend to return them. You will see no difference. The best thing to do is to have the correct index set depending on the requests you will submit. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Is it faster/better to include one objectclass or all in query?
Le 3/14/12 4:18 PM, carlo.acco...@ibs-ag.com a écrit : Emmanuel, thank you. One follow-up and I should have included this in the original message. My query includes an OU as the base dn in the search. All entries in this OU all have the same 4 objectclass values. No other objectclass types are in this particular OU. Say I had 1000 entries. Each count for top, person, organizationalPerson and inetOrgperson would all yield 1000 hits. In this case, should I include the objectclass in the query at all? If you start your search from a given baseDN, and if there is no children, then there is no need to use any (objectClass=XXX) in your filter, as it will match all the entries at this level. And as we use a special index for searches starting at a position in the DIT, it's enough. You have 3 specific index that I have not talked about : - ONE_LEVEL index, which is used to select all the entries from a position in the DIT, plus all theirs direct children (excluding the descendants) - SUB_LEVEL index, which selects all the descendant entries from a position, except the given base DN - RDN index : which is internally use to browse the DIT If you have specified a baseDN, and a scope (default is SUBTREE), those index will be used anyway. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Is it faster/better to include one objectclass or all in query?
Le 3/14/12 5:08 PM, Alex Karasulu a écrit : On Wed, Mar 14, 2012 at 4:51 PM,carlo.acco...@ibs-ag.com wrote: Hi, when searching for a user having this objectclass hierarchy top |_person |_organizationalPerson |_inetOrgPerson and uid = 'jsmith' Which query would be less expensive or better/faster? Thanks! ( (objectclass=inetOrgPerson) (uid=jsmith) ) This would be faster and more efficient since the evaluation is on a more specific objectClass which reduces the search space from the get go. To understand this you need to know about how the optimizer works with scan counts that are returned. LDAP search filters are expanded out into an AST (abstract syntax tree) with the leaves of the tree being assertions the branch nodes being operators. Then the optimizer annotates this AST with scan counts, which basically is asking each index, Hey how many results would you return for this assertion? So the more specific inetOrgPerson is more likely to return a smaller scan count. Now if you have an index on uid then the scan count on this will be 1 since UID should be unique (our DSA does not enforce this tho) Uh ? Sorry, Alex, but if you manage more than one linux server, you might have more than one uid in your LDAP server, no ? Plus uid is not a SINGLE_VALUE, so you maye have more than one value in the AT. You may have a higher number of uid=XXX in this case. If you do not have an index on uid I suggest you index it. But if you don't then the candidates will be generated off the objectClass index which always exists since it is a system index. The server will then iterate through the entire set of inetOrgPersons in your DIB and de-serialize the entry from the master table then check (after normalizing the uid attribute) if it is in fact equal to jsmith. This could be huge. Yeah, this is a better explaination than mine : ObjectClasses are indexed DIT wide. So index your uids and don't bother with the objectClass stuff if you don't vary the OC of the people in your DIB. This is the right thing to do, really.
Re: Problem Importing LDIF files : ordering of entries
Le 3/31/12 7:48 PM, Jim Willeke a écrit : This is typical of all LDAP servers. There are some LDIF sort apps available. Might be a nice improvement to Apache Studio to include such an option on import/export. That would worth a JIRA, I think. Good suggestion ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Problem Importing LDIF files : ordering of entries
Le 4/4/12 5:25 PM, Jim Willeke a écrit : Finally got around to creating the Jira Entry: https://issues.apache.org/jira/browse/DIRSTUDIO-801 Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Plea for help with search performance
Le 4/11/12 4:31 PM, carlo.acco...@ibs-ag.com a écrit : Hi, we have a project has 80,000 users in one OU. This is a requirement. Hmm, you mean 80 000 entries under ou=something, I guess ? Like : cn=user1, ou=something cn=user2, ou=something ... cn=user8, ou=something ? With guidance from this group, I've tried dozens of combinations of indexing attributes, setting their cache sizes, increasing the partition caches, timeout settings, etc. We're using the 64 bit java service wrapper and have given the JVM 5GB of memory. Despite this, we still have 20+ second response times when searching on displayName and employeeNumber . This is consistent with multiple ldap clients. That's not normal. It should be immediate. Can you tell us what kind of request you send to the server ? Also what kind of network configuration are you going through (firewall, etc). It would be interesting to see if you get the same 'level' of (un)performance if you do the search on the server. Every time we've made configuration or index changes, it's been to a clean empty system and then we load our LDIF file with the 80k users. You've all been very helpful to us but we're backed into wall with this. The response times are unacceptable and we don't know what else we can do. Yeah, I understand. It's definitively not acceptable, and we never had such performances on our tests, even with 5 000 000 entries under one single branch. Could someone provide us with an idea of how to configure the system to get the best performance when searching for displayName and employeeNumber? The displayName lengths are up to 80 characters, the employeeNumber is 25. The best thing is certainly to index those two attributes. You might also face a bug. Which version of the server are you using ? Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Plea for help with search performance
Ok, after some investigation, I'm pretty sure that the indexes are not created. When I create the indexes, I get those results : - 8 entries injected into the server, with uid=number - displayName is indexed, uid is not indexed - first search : connection.search(dc=example,dc=com, (displayName=12345Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D), SearchScope.SUBTREE, * ); result : Delta search : 16 ms entry found : dn[n]: uid=12345,dc=example,dc=com objectclass: organizationalPerson objectclass: person objectclass: inetOrgPerson objectclass: top title: Snr Operations Technician (D) uid: 12345 description: UI - S businesscategory: Ops MDS (Malaysia) Sdn Bhd departmentnumber: SMDS - UIA/G/MMO52D employeenumber: A-A-R.Awg-Rosli givenname: Awg-Abd-Rahim cn: Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D sn: Awg-Rosli telephonenumber: 555-1212 mail: a-a-r.awg-ro...@acme.com displayname: 12345Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D - Second search : connection.search(dc=example,dc=com, (displayName=34567*), SearchScope.SUBTREE, * ); result : Delta search substring : 9 ms entry found : dn[n]: uid=34567,dc=example,dc=com objectclass: organizationalPerson objectclass: person objectclass: inetOrgPerson objectclass: top title: Snr Operations Technician (D) uid: 34567 description: UI - S businesscategory: Ops MDS (Malaysia) Sdn Bhd departmentnumber: SMDS - UIA/G/MMO52D employeenumber: A-A-R.Awg-Rosli givenname: Awg-Abd-Rahim cn: Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D sn: Awg-Rosli telephonenumber: 555-1212 mail: a-a-r.awg-ro...@acme.com displayname: 34567Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D -third search : connection.search(dc=example,dc=com, (uid=67890), SearchScope.SUBTREE, * ); result : Delta search no index : 38985 ms entry found : dn[n]: uid=67890,dc=example,dc=com objectclass: organizationalPerson objectclass: person objectclass: inetOrgPerson objectclass: top title: Snr Operations Technician (D) uid: 67890 description: UI - S businesscategory: Ops MDS (Malaysia) Sdn Bhd departmentnumber: SMDS - UIA/G/MMO52D employeenumber: A-A-R.Awg-Rosli givenname: Awg-Abd-Rahim cn: Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D sn: Awg-Rosli telephonenumber: 555-1212 mail: a-a-r.awg-ro...@acme.com displayname: 67890Awg-Rosli, Awg-Abd-Rahim SMDS-UIA/G/MMO52D So if the index is properly set, the search takes milliseconds to complete (which is expected). Otherwise, it can take tens of seconds... Two possibilities : - you don't initialize the index correctly. Please provide your configuration and if you are using ADS embedded, please provide the code that you use to embed it - we have an issue in the way we initialize the index, which is more likely to be the problem, as I fixed one issue in this area 2 weeks ago (in M7-SNAPSHOT) and I just fixed another one while doing the experiment... I'd like to rule out the first hypothesis first, but in any case, I'll do some more check tonite or tomorrow. Many thanks for your patience. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Cannot build from trunk, goal apacheds-interceptors-admin missing dependency
[3.870s] [INFO] ApacheDS Protocol Ldap SUCCESS [11.830s] [INFO] ApacheDS Protocol Ntp . SUCCESS [5.006s] [INFO] Apacheds Server Annotations ... SUCCESS [20.035s] [INFO] ApacheDS Server Config SUCCESS [23.654s] [INFO] ApacheDS Server JNDI .. SUCCESS [2.230s] [INFO] ApacheDS Server Replication Service ... SUCCESS [2.530s] [INFO] ApacheDS Test Framework ... SUCCESS [1:06.336s] [INFO] ApacheDS Generalized (X) DBM Tools SUCCESS [2.471s] [INFO] ApacheDS All .. SUCCESS [3.701s] [INFO] ApacheDS Logger Interceptor ... SUCCESS [1.100s] [INFO] ApacheDS Password Hashing Interceptor . SUCCESS [1.110s] [INFO] ApacheDS Core Integration . SUCCESS [4:45.252s] [INFO] ApacheDS Server Integration ... FAILURE [3:12.803s] [INFO] ApacheDS DirectoryService-WebApp bridge ... SKIPPED [INFO] ApacheDS Jetty HTTP Server Integration SKIPPED [INFO] ApacheDS Service Builder .. SKIPPED [INFO] ApacheDS Protocol Kerberos Test ... SKIPPED [INFO] Apache Directory LDAP Client API test . SKIPPED [INFO] ApacheDS Service .. SKIPPED [INFO] ApacheDS Wrapper .. SKIPPED [INFO] ApacheDS Installers Maven Plugin .. SKIPPED [INFO] ApacheDS Installers ... SKIPPED [INFO] ApacheDS Manuals .. SKIPPED [INFO] ApacheDS Build With Dependencies .. SKIPPED [INFO] -- -- [INFO] BUILD FAILURE [INFO] -- -- [INFO] Total time: 15:13.488s [INFO] Finished at: Thu Apr 12 23:13:58 EDT 2012 [INFO] Final Memory: 104M/1106M [INFO] -- -- [ERROR] Failed to execute goal org.apache.maven.plugins:maven-surefire-plugin:2.12:test (default-test) on project apacheds-serve r-integ: There are test failures. [ERROR] [ERROR] Please refer to D:\cygwin\svn\apacheds\trunk-with-dependencies\apacheds\server-integ\target\surefire-reports for the ind ividual test results. [ERROR] - [Help 1] [ERROR] [ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch. [ERROR] Re-run Maven using the -X switch to enable full debug logging. [ERROR] [ERROR] For more information about the errors and possible solutions, please read the following articles: [ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/MojoFailureException [ERROR] [ERROR] After correcting the problems, you can resume the build with the command [ERROR] mvngoals -rf :apacheds-server-integ Regards, Carlo Accorsi Carlo Accorsi | Technical Services IBSAmerica, Inc. | www.ibs-us.com | Visit IBS on LinkedIn 24 Hartwell Ave | Lexington | Massachusetts | 02421 +1-781-862-9002 (Office) | +1-781-676-8129 (Direct) | +1-781-862-9003 +(Fax) Sign up for the IBS Blog today! IBS provides integrated management solutions that help companies improve quality and lower costs. -Original Message- From: Emmanuel Lécharny [mailto:elecha...@gmail.com] Sent: Thursday, April 12, 2012 7:46 PM To: users@directory.apache.org Subject: Re: Cannot build from trunk, goal apacheds-interceptors-admin missing dependency Le 4/12/12 9:20 PM, carlo.acco...@ibs-ag.com a écrit : Hi. Anyone else getting this error? Yep :/ Now, I never build the server skipping the tests (just because I want to be sure that tests are passing before committing code). It seems that there is a problem with dependencies when runing without tests, as some projects are expecting some tests jars to have been built, and they are not. I suggest two things : 1) build the project using mvn clean install -Dintegration (it'll take at least 15 mins, if you have a fast computer) 2) fill a JIRA with the info you provided so that we can fix the build when run without tests. Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com -- Kiran Ayyagari -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
Le 4/13/12 10:03 PM, carlo.acco...@ibs-ag.com a écrit : Hi Folks, we've made a lot of progress but it wouldn't be fun if there wasn't one more gotcha. :) We Built 2.0.0-M7 SHAPSHOT from the trunk and it installs and runs fine with 1GB memory / 32 bit JVM (Thanks Kiran for pointers last night) I create a partition and index several attributes. When the server restarts the user attribute DBM databases appear ! (Thanks Emmanuel) I load my ldif file with 80 k users. When the ldif is loaded, I can see all 80k users, everything seems fine, the indexes are populated I can search and it all works. Performances are good, I hope... Once I shut down the server, it will not restart. The wrapper fails with the error below. The size of the JVM goes from zero to 1.3GB, pauses and exists. I'm sure there's an OutOfMemory exception occurring but even with Debug it's not appearing in the logs. The question I have is with a partition this size, with this number of users, what can I do to make the jvm as small as possible to start? I've reset all my attribute indexes to 100, partition cache is set to 1000 BEFORE I loaded all the users. Still having same result. Any ideas? Many thanks. grmblgtmbl :/ I need to check what's going on when the serve ris stopped and restarted. This is clearly a bug, and it should be easy to fix. The thing is that this is a work in progress, and we have modified many things in the index area recently. This should not too much time to get a clue about what's going on and to fix the issue. I'l give it a try this week-end. At least, we are making progress ! Thanks for the info and the follow-up, this is really helpful for us. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: support Dot character in attribute name
Le 4/15/12 9:47 AM, Pradip Sonar a écrit : Hi, I am working on POC on Windows registry data migration to LDAP Structure in one of my project. I am using apacheds-1.5.6 and ApacheDirectoryStudio-win32-1.5.2. I am facing issues while trying to add new attribute name containing dot character(.). Plain normal. Dot is not a valid char in an attrbute name per RFC 4512. I found that ldap does not support for dot character in attribute name. True. Can you please suggest any configurations needs to be done in apache directory server/studio to support dot character in attribute name? Change your attributes name to comply to the specification. M$ does not give a shit about LDAP and broke the specification on purpose, but I'm sorry to say that's not our problem. AD is not an LDAP compliant server anyway... Replacing every dot by an hyphen using a small sed script should not be a big issue though. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
Le 4/14/12 5:12 AM, carlo.acco...@ibs-ag.com a écrit : Hi, regarding the server startup issue I'm having after loading a custom partition with 80k users, the problem seems to be the size of master.db For my partition. The file is 450 MB. If I delete my partition directory (and let to recreate on startup) the server starts fine. Here are some other things we tried, none of which worked. Don't waste your time doing experiments, tehre is a clear problem in the index construction when the server is restarted. I'm on it this afternoon. Seems like the index creation actually works, when we have a few hundreds of entries, but we have serious performance issues with 80 000 entries. I'm not sure it's a bug, but certainly some sub-optimal process. Keep tuned... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
Making progress... The index were deleted due to some regression introduced last year when using alias and not OIDs when creating index. Another issue is that the master tabl, containing all the entries, was read fully for each index to create, instead of reading it only once, and adding the read entries in all the indexes in one operation. I'm running some more tests before committing the changes. One suggestion : declare the index, stop the server, restart the server, then inject the entries. The index will be present and the server won't try to recreate them when starting, as they will already be present when you will start to inject the entries. You'll pay the price of injecting the entries and creating the indexes only once. More to come... Le 4/15/12 1:42 PM, carlo.acco...@ibs-ag.com a écrit : ok much appreciaed. Thank you! From: Emmanuel Lécharny [elecha...@gmail.com] Sent: Sunday, April 15, 2012 6:32 AM To: users@directory.apache.org Subject: Re: Update 2.0.0-M7 and indexes Le 4/14/12 5:12 AM, carlo.acco...@ibs-ag.com a écrit : Hi, regarding the server startup issue I'm having after loading a custom partition with 80k users, the problem seems to be the size of master.db For my partition. The file is 450 MB. If I delete my partition directory (and let to recreate on startup) the server starts fine. Here are some other things we tried, none of which worked. Don't waste your time doing experiments, tehre is a clear problem in the index construction when the server is restarted. I'm on it this afternoon. Seems like the index creation actually works, when we have a few hundreds of entries, but we have serious performance issues with 80 000 entries. I'm not sure it's a bug, but certainly some sub-optimal process. Keep tuned... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Adding custom .schema files
' EQUALITY caseExactIA5Match SUBSTR caseExactIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 ) objectclass ( 1.3.6.1.4.1.6757.100.1.1.5.2 NAME 'GLUE2Extension' DESC 'A key/value pair enabling the association of extra information' STRUCTURAL MUST ( GLUE2ExtensionLocalId $ GLUE2ExtensionKey $ GLUE2ExtensionValue $ GLUE2ExtensionEntityForeignKey ) ) .. End= Secondly do you suggest any developer reference (e.g. book) which I can use to create the desired application? Thanks in advance, -- Shiraz -- Cheers, Shiraz -- Kiran Ayyagari -- Cheers, Shiraz -- Kiran Ayyagari -- Cheers, Shiraz -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
,localport=31001]) wrapperp | accepted a socket from 127.0.0.1 on port 31001 wrapperp | read a packet KEY : 9v_49BY1PMOWCwTs wrapper | Got key from JVM: 9v_49BY1PMOWCwTs wrapperp | send a packet LOW_LOG_LEVEL : 1 wrapperp | send a packet PING_TIMEOUT : 24000 wrapperp | send a packet PROPERTIES : (Property Values) wrapper | Start Application. wrapperp | send a packet START : start jvm 1| Received a packet LOW_LOG_LEVEL : 1 jvm 1| Wrapper Manager: LowLogLevel from Wrapper is 1 jvm 1| Received a packet PING_TIMEOUT : 24000 jvm 1| PingTimeout from Wrapper is 2400 jvm 1| Received a packet PROPERTIES : (Property Values) jvm 1| Received a packet START : start jvm 1| calling WrapperListener.start() jvm 1| Waiting for WrapperListener.start runner thread to complete. jvm 1| WrapperListener.start runner thread started. wrapper | Startup failed: Timed out waiting for signal from JVM. wrapper | JVM did not exit on request, terminated wrapperp | server listening on port 32000. wrapper | JVM was only running for 30 seconds leading to a failed restart count of 1. wrapper | There were 1 failed launches in a row, each lasting less than 300 seconds. Giving up. wrapper | There may be a configuration problem: please check the logs. wrapper |-- Wrapper Stopped D:\Program Files\ApacheDSM7\binpause Regards, Carlo Accorsi Sign up for the IBS Blog today! IBS provides integrated management solutions that help companies improve quality and lower costs. -Original Message- From: Emmanuel Lécharny [mailto:elecha...@gmail.com] Sent: Sunday, April 15, 2012 6:33 AM To: users@directory.apache.org Subject: Re: Update 2.0.0-M7 and indexes Le 4/14/12 5:12 AM, carlo.acco...@ibs-ag.com a écrit : Hi, regarding the server startup issue I'm having after loading a custom partition with 80k users, the problem seems to be the size of master.db For my partition. The file is 450 MB. If I delete my partition directory (and let to recreate on startup) the server starts fine. Here are some other things we tried, none of which worked. Don't waste your time doing experiments, tehre is a clear problem in the index construction when the server is restarted. I'm on it this afternoon. Seems like the index creation actually works, when we have a few hundreds of entries, but we have serious performance issues with 80 000 entries. I'm not sure it's a bug, but certainly some sub-optimal process. Keep tuned... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
Le 4/17/12 11:18 PM, carlo.acco...@ibs-ag.com a écrit : Was away all day today. From the debug below, i'm using these memory settings. -Xms512m -Xmx1024m However i've tried 1024 / 1300 and the same thing occurs. I'll set up a 64bit wrapper later tonight and will assign 2GB. I'll let you know if this makes any difference. thanks. It's strange that the command line does not show the -XmxNNN value you have set. Injecting 80K entris should not eat more than 300Mo, so 512M should be just plain perfect. I'm fighting with verious versions of Linux on Virtual box to set up a configuration close to what you have. Wasted 3 hours at least with Ubuntu (man, those guys have lost their grinta...) and Fedora. Trying Mint now... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Update 2.0.0-M7 and indexes
Le 4/18/12 3:01 PM, Emmanuel Lécharny a écrit : Le 4/18/12 12:16 AM, Emmanuel Lécharny a écrit : Le 4/17/12 11:18 PM, carlo.acco...@ibs-ag.com a écrit : Was away all day today. From the debug below, i'm using these memory settings. -Xms512m -Xmx1024m However i've tried 1024 / 1300 and the same thing occurs. I'll set up a 64bit wrapper later tonight and will assign 2GB. I'll let you know if this makes any difference. thanks. It's strange that the command line does not show the -XmxNNN value you have set. Injecting 80K entris should not eat more than 300Mo, so 512M should be just plain perfect. I'm fighting with verious versions of Linux on Virtual box to set up a configuration close to what you have. Wasted 3 hours at least with Ubuntu (man, those guys have lost their grinta...) and Fedora. Trying Mint now... Ok, making progress... First, there is a missing option in the wrapper.conf file : wrapper.startup.timeout=0 It will not exit after 30 seconds (the default value) if the server is not started. Second, there is still a problem when you restart the server (even if you have created the index, stopped, restarted the server, injected the 80K entries, stopped and restarted the server) : the index are fully rebuilt, which is just plain wrong. I'll investigate this point and I'll probably be able to get a fix working for this issue today. Ok, the issue has been fixed with http://svn.apache.org/viewvc?rev=1327580view=rev I have tested the server with this scenario : - create a brand new server with nothing in it - added a context entry for dc=example,dc=com - added index for sn, cn and displayName - stopped the server - re-started the server, index are now present, but empty - injected 80 000 entries - the index are full of data - stopped the server - re-started the server the server was up and running in 15 seconds, with all the data present, and index working. I think we are done with those nasty bugs... pfewww... :) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: help with subscription
Le 4/27/12 6:58 PM, Popova, Marina a écrit : Hello, Could somebody help me to subscribe to this list with my personal email? I used to be subscribed as mpopova at Emptoris dot come, but as this email is no longer valid I would like to re-subscribe with a different email: ppine7 at yahoo dot com. I tried subscribing from that email a few times, but every time requests are bounced back with a message that they were rejected as spam... Webmails and mail in HTML will be considered as spam, this is why you get rejected. Can't you use another mail ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] subschema subentries and DIT structure rules etc.
Le 4/30/12 11:53 AM, Alex Karasulu a écrit : On Mon, Apr 30, 2012 at 12:52 PM, Alex Karasuluakaras...@apache.orgwrote: On Mon, Apr 30, 2012 at 11:53 AM, Karl Weberkarl.webe...@googlemail.comwrote: Hi, as far as I read in the documentation for ApacheDS 1.5.7, ApacheDS does support subentries according to RFC 3672 with the exception of subschema subentries. Yes it does and so will all other implementations to come like 2.0 below. Ooop I read in correctly (thought you meant subentries), I see you mean schema subentries. True we don't suport this. Wrt RFC 3672, we currently have the support of SubtreeSpecification (this is used for ACIs) and a partial support of the Administrative model. The main issue we have wih the AA is the colision between Autonomous area and SpecificArea. It's really complex to compute the intersection of those areas, and we also have a discussion about how we should implement it : should we compute it once and store the information in every single entry, or should we evaluate each entry against the autonomous/specific area they depend on. This is a very interesting area, but quite complex... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] What is AciAuthorizationInterceptor for?
Le 5/3/12 11:56 PM, Javier Méndez Vásquez a écrit : Hi all, I’m using Apache DS 1.5.5. You should *really* switch to a more recent version ! At least 1.5.7, but probably to a 2.0.0 milestone (like 2.0.0-M6). 1.5.5. is 3 years old now... I have deployed an embedded version of ApacheDS in my application. I can start my embedded ApacheDS correctly with a custom partition, but in some cases it will fail with: -Searching for DN 0.9.2342.19200300.100.1.25=some,0.9.2342.19200300.100.1.25=dn,0.9.2342.19200300.100.1.25=net with filter (|:[9223372036854775807](objectClass=groupOfNames:[9223372036854775807])(objectClass=groupOfUniqueNames:[9223372036854775807])) 2012-05-03T17:06:02Z ERROR: Exception starting Directory Services server -javax.naming.directory.InvalidSearchFilterException: Unbalanced parenthesis; remaining name '0.9.2342.19200300.100.1.25=some,0.9.2342.19200300.100.1.25=dn,0.9.2342.19200300.100.1.25=net' I have no idea why, but the error occurs depending on my partition configuration. So, I decided to remove AciAuthorizationInterceptor from the default interceptor list (that’s the one submitting a search with the offending filter while initializing), as I don’t really need any authorization going on inside of ApacheDS. However, I want to make sure I’m not messing up with other functionality by doing this. Any advices or comments are welcome. Thanks! Javier Mendez -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: replication partially working
Le 5/11/12 11:12 AM, houmles a écrit : Guys i found the problem and don't know how to solve it.. DN's which have ACLs on them (administrativerole, accesscontrolsubentry) don't replicate attributes even when I grant everything for everyone. When i remove ACLs, everything works. I tested this on both master and slave clear servers, just added new partition, DN and ACL on it. I suppose this is not intended. Maybe its bug? I wonder if we transfert Operational Attributes. Can you add the followin values : ads-replattributes: administrativeRole ads-replattributes: accessControlSubentry -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: PasswordPolicy and admin user
Le 5/11/12 3:15 PM, Mathieu Pousse a écrit : Hi I spot a strange behaviour in Apache DS 2M6 (basic configuration, nothing special). When I try to bind with the admin account, asking for the PasswordPolicyControl, it fails to bind. As soon as I remove the control it works fine. What would be good is to provide the BindRequest the server receives. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Updating systems from trunk. How?
Le 5/14/12 10:23 PM, carlo.acco...@ibs-ag.com a écrit : Hi, I have a partition and system created from 2.0.0-M7. What is the correct way to upgrade to the 2.0.0-M8. ? In the past, I've just swapped out the jars with those I build from the trunk. For example replacing /lib/apacheds-service-2.0.0-M7-SNAPSHOT.jar /lib/apacheds-wrapper-2.0.0-M7-SNAPSHOT.jar Is this an acceptable way of doing it? Or do I need to export everything and rebuild the partition? I'm concerned about indexes created in M7 and trying to run M8 against them. The best solution would really be to export all the data, swap the bins, and reimpor the data. AFAIR, we haven't changed teh format for data, but as we have removed two indexes, and deeply modified the RDN index, keeping the data on disk will simply not work. Re-injecting the data will recreate all the indexes. Btw, 2.0.0-M7 is 2.5 faster than the previous version. Thanks ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ApacheDS - Tanuki software JSW license
Le 5/21/12 11:03 AM, John Colvin a écrit : Hi ApacheDS ships with Tanuki software JSW which does not seem to be 'really' open source and not free to use and distribute. The version we are using (3.2.3) has a liberal license : Copyright (c) 1999, 2006 Tanuki Software, Inc. Permission is hereby granted, free of charge, to any person obtaining a copy of the Java Service Wrapper and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Portions of the Software have been derived from source code developed by Silver Egg Technology under the following license: BEGIN Silver Egg Techology License --- Copyright (c) 2001 Silver Egg Technology Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the Software), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sub-license, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED AS IS, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. END Silver Egg Techology License - This has been changed in 3.3.0, and this is the reason we haven't upgraded to a newer version. I would like to do a custom build and distribute ApacheDS with some interceptors and configuration bundled within the installation archive, including the linux bin and windows exe installers, but looking at the Tanuki software license I don't think I can do this without paying for licenses. If you keep using 3.2.3, you still can. Is there any plans in the future to remove JSW and replace it with Apache commons-daemon like what is used in Tomcat? Definitively, yes. This is just a matter of time. Is having a 3rd party dependency that can may incur license costs really in the the spirit of Apache?? The AL 2.0 license allows you to do whatever you want. That means you can include ApacheDS in your product, and sell it. The AL 2.0 license has been designed for this purpose. Just be sure that you read and fulfill the mandatory parts of the AL 2.0 license before release anything though... Now, if you feel like contributing to the project, please join us ! This is a community effort, and being part of the common effort is way more in the ASF spirit than anything else :) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: How to Escape LDAP Filter Query ?
Le 5/30/12 10:08 PM, David Parker a écrit :
On 05/30/2012 12:55 PM, Hendy Irawan wrote:
Dear Apache Directory users,
How do I escape an LDAP filter query ?
e.g.
String searchTerm = ...; // from user input
String filter = ((objectclass=person)(cn=* +
escapeFunction(searchTerm)
+ *));
What is this escapeFunction ?
Hello,
What exactly do you want to escape in searchTerm? Are you trying to
prevent someone from entering something like
johndoe,o=x.com,dc=x,dc=com as the search term? If that is the
case, then you could sanitize the input using something like this:
if( searchTerm.contains(,) )
searchTerm = searchTerm.substring(0,searchTerm.indexOf(,));
Or you could simply sanitize the user input by checking for various
characters ( | ! , etc.) and rejecting the input if one of these is
found in the string.
I'm not much of a Java programmer, so there is probably a better way,
but I hope this helps.
- Dave
I guess expect something like a Filter.escape( String ) method that
creates a filter with escaped chars.
So if you call Filter.escape( (myAttr=I'm a \u002a) ), it will return
the escaped string (myAttr=I'm a \\2A)
Filter special chars in values are :
'*' translates to \2A
'(' translates to \28
')' translates to \29
'\' translates to \5C
0x00 translates to \00
Note that you still have to provide a String that distinguishes those 5
characters, so at some point, it's probably enough to do the escaping by
hand. The method I described would just be a bit superfluous...
Also note that no other character needs to be escaped but those 5 ones.
There is no risk that a , | or ! can be confused with an operator in a
value.
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: [ApacheDS] lost with decision where to implement custom permission
Le 6/5/12 6:28 PM, Garbage a écrit : I tried to build a working custom partition implementation for last days. I started with 1.5.7 but then found out that the working example I intended to base on does no longer compile because of some API changes. Because of this I switched to 1.5.5 and managed to get the example running (not that difficult, I have to admit ;-)) Unfortunately I don't have enough background knowledge to be able to extend the HelloWorldPartition example. I'm willing to learn and invest time but need expert advice if I should continue with 1.5 or 2.0. In addition I will need some guidance. In exchange for that I can offer you to update the docs for custom partitions. Definitively go for 2.0. The API has changed a lot, but this is (hopefully) for the best. Sadly, the documentation is not following the code modification pace :/ Do you have any specific question ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] lost with decision where to implement custom permission
Le 6/6/12 6:39 AM, Garbage a écrit : Am 06.06.2012 um 05:16 schrieb Emmanuel Lécharnyelecha...@gmail.com: Definitively go for 2.0. The API has changed a lot, but this is (hopefully) for the best. Sadly, the documentation is not following the code modification pace :/ Do you have any specific question ? Thanks for that information, this might be the explanation why I got lost in the transition from 1.5.5 to 2.0: I simply didn't understand what changes were to see. So I will head for 2.0, I expected that answer ;-) But I still have these questions: 1. Can M7 be considered stable enough for giving it a chance in a productive system? No. I'm sad to say that but M7 still have a huge bug that we are tracking. Not that you'll won't get a working server, but in some cases where concurrent writes and searches are done, you are very likely to get some failures during the searches. More than that, the database can get corrupted. We exactly know what is going wrong here, and we already have a fix, but this is in a branch, and we are currenly merging this branch into trunk, which is all but easy. M8 will solve this issue, and we expect to get it released ASAP. In the mean time, you can use the directory/apacheds/branches/apacheds-txns branch whch solve the issue. I only need ApacheDS to sit there and wait for incoming connections and forward them to my custom partition. There is no need for replication and all the other fancy stuff ApacheDS is able to do. You can still work on the trunk, until M8 get released. Just keep tuned, we are doing our best to get back to some solid and reliable server soon. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] Question regarding caching behavior [solved]
Le 6/8/12 1:37 PM, Garbage a écrit : Am 08.06.2012 um 08:55 schrieb Emmanuel Lécharnyelecha...@gmail.com: Le 6/8/12 6:42 AM, Garbage a écrit : From what I know ApacheDS supports caching of search results, that means when I issue the same search after e.g. one minute the result will be returned from the cache. First question: is this correct ? No, searches are computed every time you send a request. Is this something ApacheDS does on it's own or is this the job of the partitions involved ? Second question: when implementing a custom partition would I need to take care of caching on my own ? Atm, yes. We could have implemented a cache on top of partition, but it's not yet the case (such a cache will keep the entries assuming they have not been updated since their presence in the cache). This is certainly something we want to have alter, but atm we are working on stablizing the server itself... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com Thanks, so I know that it makes sense to implement caching in the partition. Just wanted to make sure that I don't create (at least for now) unnecessary code. This is not as simple. There are a few things you might want to cache on a LDAP server, but definitively caching entries is a major saver. Now, that raises a few concerns : - how many entries will you cache ? (an entry can be quite large, for instance for those entries having a JpegPhot AttributeType) - how do you ensure the cache concurrency ? You may have many threads accessing to this cache, and it requires careful protection against concurrent modifications - At some point, caching an entry might be overkilling : as you will any way modify the returned entry, as you'll remove some of the Attrbutes or values, you will copy this cached entry anyway (there are other options, like not copying the entry, but generate the final result on the fly, having gathered the requested Attributes to return, but this can be very tricky to implement. In any case, just try first to get your partiton working before implementing some cache :) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] how can a partition return more than one result ?
Le 6/8/12 1:49 PM, Garbage a écrit : I learned a lot about the implementation of custom partitions and see the changes in the API from search and lookup returning an Entry in 1.5.x and an EntryFilteringCursor later on. I even was able to change an existing partition (shame on me: based on the 1.5.5 example, but I will switch to 2.0 soon) in a way that lets it return a fake group object that was created in my custom POJO. But I am only able to return ONE entry, I didn't find or understand the concept how MULTIPLE entries can be returned. Can someone show me the right direction ? The idea is to use a Cursor that maps around the partition and fetch the entries one by one. The way the server works is that based on your filter, you select the right index to use to fetch the entries. There are may possibilities here : - first, you may have to do a full scan (the filter is not selective enough, for instance). In this case, you don't use any index, you just use the MasterTable to get the entries. Now, for each entry you fetch, you'll have to filter them to see if it's a valid entry - or not. - or you can select an index. You will fetch the index elements, and for each of them, fetch the associated entry. Once done, you can check against the filter if the entry is valid - or not In any case, the cursor is your friend here : it maps the next() operation on top of your index. Now, if your Partition is a Btree, it's easier, as the AbstractBTreePartition class already handles everyting for you. If you don't inherit from this Abstract class, then it's way more complicated. I'll suggest you have a look at the AbstractBTreePartition to get a clue about how we process a search over a BTree based partition. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] how can a partition return more than one result ?
Le 6/8/12 2:05 PM, Garbage a écrit : Am 08.06.2012 um 13:58 schrieb Emmanuel Lécharnyelecha...@gmail.com: Le 6/8/12 1:49 PM, Garbage a écrit : I learned a lot about the implementation of custom partitions and see the changes in the API from search and lookup returning an Entry in 1.5.x and an EntryFilteringCursor later on. I even was able to change an existing partition (shame on me: based on the 1.5.5 example, but I will switch to 2.0 soon) in a way that lets it return a fake group object that was created in my custom POJO. But I am only able to return ONE entry, I didn't find or understand the concept how MULTIPLE entries can be returned. Can someone show me the right direction ? The idea is to use a Cursor that maps around the partition and fetch the entries one by one. The way the server works is that based on your filter, you select the right index to use to fetch the entries. There are may possibilities here : - first, you may have to do a full scan (the filter is not selective enough, for instance). In this case, you don't use any index, you just use the MasterTable to get the entries. Now, for each entry you fetch, you'll have to filter them to see if it's a valid entry - or not. - or you can select an index. You will fetch the index elements, and for each of them, fetch the associated entry. Once done, you can check against the filter if the entry is valid - or not In any case, the cursor is your friend here : it maps the next() operation on top of your index. Now, if your Partition is a Btree, it's easier, as the AbstractBTreePartition class already handles everyting for you. If you don't inherit from this Abstract class, then it's way more complicated. I'll suggest you have a look at the AbstractBTreePartition to get a clue about how we process a search over a BTree based partition. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com Thanks, I will investigate this. What a pity, I am able to map searches to string arrays containing the name of groups I want to return. But I understand why you don't support arrays directly, I will somehow manage to map to the Bree example. And if not I will show up here again ;-) If you already have an array, you just have to create your own cursor wraping it, maintaining the current index, and the next() call will simply fetch the next entry in the arry, incrementing the pointer. This is pretty simple to implement, I think. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance problems on live server vs local machine.
Le 6/8/12 7:19 PM, Kevin Hamilton a écrit : Hello, I have noticed performance differences in working on my local environment (OS X) and on my live server (Linux). I use ApacheDS to authenticate on my website and to check for second factor authentication afterwards. In my local environment, everything is fast and quick (extremely efficient). On the live server (which is a much beefier machine than my local machine), it is sluggish and takes a long time for a page to load when there are calls to the ApacheDS involved. Does this sound familiar to anyone and does anyone have any ideas as to what might be the problem? There is no reason for ApacheDS to be slower on Linux than on a mac. Have you checked if the server responds fast when you send direct requests to it ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] How to setup a debugging environment
Le 6/8/12 11:38 PM, garb...@gmx.de a écrit : In order to broaden my understanding I want to connect Eclipse to a running instance of ApacheDS 2.0M7. I retrieved the sources for M7 from the svn repository but failed in combining them. I do NOT want to build ApacheDS, my only intention is to make all the subprojects known to Eclipse to allow it to remotely debug ApacheDS. I want to connect to a running instance and use the debugger to trace what's going one in partitions. Can you explain me how to setup a debugging or if necessary a build environment in Eclipse ? You can run 'mvn eclipse:eclipse' to produce all the .classpath and .projects for Ads. I'm afraid you have to first build the project itself, which takes quite some time, unless you run 'mvn clean install -DskipTests' to avoir running the tests. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Performance problems on live server vs local machine.
Le 6/8/12 9:16 PM, Kiran Ayyagari a écrit : in 2.0 you need not run any tool, just restart the server after adding a new index(es) I'm quite sure that this is not an index issue here. I would rather investigate the network, to see if there is no half-duplex configured rooter in the middle. Unless the server is running on a Pentium III ... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] How to setup a debugging environment
Le 6/10/12 2:45 PM, Garbage a écrit : Am 09.06.2012 um 00:03 schrieb Emmanuel Lécharnyelecha...@gmail.com: Le 6/8/12 11:38 PM, garb...@gmx.de a écrit : In order to broaden my understanding I want to connect Eclipse to a running instance of ApacheDS 2.0M7. I retrieved the sources for M7 from the svn repository but failed in combining them. I do NOT want to build ApacheDS, my only intention is to make all the subprojects known to Eclipse to allow it to remotely debug ApacheDS. I want to connect to a running instance and use the debugger to trace what's going one in partitions. Can you explain me how to setup a debugging or if necessary a build environment in Eclipse ? You can run 'mvn eclipse:eclipse' to produce all the .classpath and .projects for Ads. I'm afraid you have to first build the project itself, which takes quite some time, unless you run 'mvn clean install -DskipTests' to avoir running the tests. I have no maven infrastructure yet so I will start from scratch. Is it ok to use version 3 ? Yes, this is the version we use (3.0.4). Be sure to setup some options (MAVEN_OPTS=-Xmx512m) in your environment to be able to run all the tests. If you check out a version, just use http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies. It will get all the sub-projects. Some of those sub-projects are side projects, you may want to comment them in the main pom.xml : modules moduleproject/module modulecheckstyle-configuration/module: You can comment this project modulejunit-addons/module moduleshared/module moduleapacheds/module moduleapacheds-manuals/module: You can comment this project !-- modulekerberos-client/module -- /modules -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] How to setup a debugging environment
Le 6/10/12 10:39 PM, Oliver Geishuettner a écrit : I have no maven infrastructure yet so I will start from scratch. Is it ok to use version 3 ? Yes, this is the version we use (3.0.4). Be sure to setup some options (MAVEN_OPTS=-Xmx512m) in your environment to be able to run all the tests. If you check out a version, just use http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies. It will get all the sub-projects. Some of those sub-projects are side projects, you may want to comment them in the main pom.xml : modules moduleproject/module modulecheckstyle-configuration/module : You can comment this project modulejunit-addons/module moduleshared/module moduleapacheds/module moduleapacheds-manuals/module : You can comment this project !-- modulekerberos-client/module -- /modules I did this: md \temp\apacheds svn co http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies cd trunk-with-dependencies mvn eclipse:eclipse and receive this error message: [ERROR] Failed to execute goal org.apache.maven.plugins:maven-remote-resources-p lugin:1.2.1:process (default) on project shared-ldap-client-api: Failed to resol ve dependencies for one or more projects in the reactor. Reason: Missing: [ERROR] -- [ERROR] 1) org.apache.directory.shared:shared-ldap-schema-data:jar:1.0.0-M13-SNA PSHOT Is this an error on my side is something wrong with the files I downloaded ? You can't run eclipse eclipse before having built the project at least once : the SNAPSHOTs aren't stored into the maven repository. Just run mvn clean install -DskpiTests first, then re-run mvn eclipse:eclipse -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: [ApacheDS] How to setup a debugging environment
Le 6/11/12 11:58 AM, Garbage a écrit : Is this an error on my side is something wrong with the files I downloaded ? You can't run eclipse eclipse before having built the project at least once : the SNAPSHOTs aren't stored into the maven repository. Just run mvn clean install -DskpiTests first, then re-run mvn eclipse:eclipse So i obviously got the order wrong. Now I succeeded with these commands. I set maven opts to the mentioned xmx setting and had to add a maxpermsize parameter, but this might be because of the buggy jdk I had installed (updated afterwards): C: cd \workspaces md apacheds cd apacheds svn co http://svn.apache.org/repos/asf/directory/apacheds/trunk-with-dependencies cd trunk-with-dependencies mvn clean install -DskipTests (Results can be found in trunk-with-dependencies\apacheds\all\target and trunk-with-dependencies\apacheds\service\target) mvn eclipse:eclipse Then went to eclipse and chose File / Import / General / Existing Projects into Workspace. For root directory I chose C:\workspaces\apacheds\trunk-with-dependencies Now I have a snapshot M8, can I do the same for M7 ? yes, of course. M7 is available in a tag : http://svn.apache.org/viewvc/directory/apacheds/tags/2.0.0-M7/ You just have to build apacheds in this case, as M7 is depending on released components of Shared, so just build the server with mvn eclipse:eclipse, it should be enough (the dependencies are all in the maven repository) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Using ApacheDs as a ldap proxy server
Le 6/15/12 10:40 PM, Hartley, Brian (PS Swiss) a écrit : Hi. I want to use ApacheDs to proxy ldap requests. (I am not too sure about my terminology :) ) In fact I want it to take two Active directory servers (one particular OU from each AD, for example) and consolidate this in a single ldap view So ou=users,dc=example1,dc=net will map to ou=one,dc=myldap,dc=net And ou=users,dc=example2,dc=net will map to ou=two,dc=myldap,dc=net Is that possible, and if so where can I find some information about configuring it ? What you want to do is what we call a Virtual Directory. ApacheDS does not provide such a facility natively, and it's not that simple to code either. The only think you can do is to create referrals in ApacheDS, but this will just redirect you to the two AD servers when a user will send requests to ApacheDS. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: MutablePartitionConfiguration in Apache DS 1.5.5
Le 6/15/12 1:32 AM, Doal Miller a écrit : I was following some tutorials which were using MutablePartitionConfiguration, on Apache DS 1.0.2. Because of some limitations I switched to 1.5.5 and MutablePartitionConfiguration does not exist, or at least I can't find it. It was in package org.apache.directory.server.core.configuration. Where did it go or what should be used in place of it? We have changed everything related to Partitions in Apacheds 1.5 and 2.0 (note that 2.0-Mx are following directly 1.5.x releases, when we decided to switch from 1.5 to 2.0. So 2.0.0-M1 is the next iteration after 1.5.7) What were you trying to do with MutablePartitionConfiguration ? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: 2 issues with Password policy response warnings / types
Le 6/21/12 8:24 PM, carlo.acco...@ibs-ag.com a écrit :
Hi, we're deep into testing the password policy and we came across this
situation. Using DS built from the trunk version 1349996
Short description. In the ASN.1 response:
When the password is expiring in 60 seconds , the three bytes should be -128,
0, 60 instead they are -128, 1, 60
No. The second byte is the length of the next field. Controls are
encoded using BER encoding, which means every PDU is encoded to containg
a type, a length and a value (TLV). Here, the type is 0x80 for
timeBeforeExpiration and 0x81 for graceLoginsRemaining. As soon as you
have an integer type, then the L byte is something between 1 and 4,
*never* 0.
So 0x80 0x01 0x3C is correct.
When 4 grace logins remain, the three bytes should be -128, 1, 4 instead they
are -127, 1, 4
Again, graceLogin is encoded 0x81 (-127) per the specification :
SEQUENCE {
warning [0] CHOICE OPTIONAL {
timeBeforeExpiration [0] INTEGER (0 .. MaxInt), // 0x80- -128
graceLoginsRemaining [1] INTEGER (0 .. maxInt) } // 0x81- -127
so -127, 1, 4 is correct
We have a user that has the pwdReset = true Attribute AND their password is
about to expire.
This is the byte[] value returned after 3 consecutive logins, you can see the
password expiration working
[48, 8, -96, 3, -128, 1, 122, -127, 1, 2] // pw expires in 122 seconds
[48, 8, -96, 3, -128, 1, 83, -127, 1, 2] // pw expires in 83 seconds
[48, 8, -96, 3, -128, 1, 48, -127, 1, 2] // pw expires in 48 seconds
// here's the last case decoded.
48 (30) Skip
8 (8) Length = 8
-96 (160) Continue
This is 0xA0, the T for Warning[0] in the ASN/1 grammar
3 (3) Length = 3
-128 (128) Warning OK
this is 0x80, the T for timeBeforeExpiration [0] in the ASN/1 grammar
1 (1) Type 1-- ?? This should be error Type 0? Type 1 defines Grace Logins
This is not a type, it's the integer length for the timeBeforeExpiration
field
48 (48) 48 seconds remaining on password-- expected value but is getting set
in grace logins
Do you mean that the control is fed incorrectly ?
// loop again
-127 (129) Error OK
1 (1) length =1
2 (2) Error CHANGE_AFTER_RESET-- this is what we expect.
correct
Here's the same case, after the password expires. The Grace Login also has an
Error instead of a warning
[48, 8, -96, 3, -127, 1, 4, -127, 1, 2]
-127 (129) Error-- This should be a Warning -128
1 (1) Type 1 = Grace Logins remaining-- this is the correct warning type
4 (4) 4 logins remaining-- correct # of logins remaining
Not sure I get your point on this last sample.
If I decode the bytes, here is what I get :
0x30 0x08 // a SEQUENCE, 8 bytes long
0xA0 0x03 // Warning, 3 bytes
0x81 0x01 0x04 // graceLoginsRemaining, one byte, value = 4
0x81 0x01 0x02 // error, changeAfterReset
We may have some issues in the way we generate the response, but as far
as I can tell, the encoding is correct.
Do you mean that the resulting PasswordPolicy instance is not correctly
set ? This is not what I see in the decoder...
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: 2 issues with Password policy response warnings / types
Le 6/22/12 10:54 PM, carlo.acco...@ibs-ag.com a écrit :
Thanks that's great!
There is also a class that handle all the decoding and creates a plain
Java object with all the expected data :
DefaultLdapCodecService codec = new DefaultLdapCodecService();
PasswordPolicyDecorator control = new PasswordPolicyDecorator(
codec, true );
// bb contains the received bytes :
ByteBuffer bb = ByteBuffer.allocate( 0xA );
bb.put( new byte[]
{
0x30, 0x08,
( byte ) 0xA0, 0x03, // timeBeforeExpiration
( byte ) 0x80, 0x01, 0x01,
( byte ) 0x81, 0x01, 0x01 // ppolicyError
} );
bb.flip();
PasswordPolicy passwordPolicy = ( PasswordPolicy )
control.decode( bb.array() );
Here, you can no do :
if ( passwordPolicy.hasResponse() )
{
int expiration =
passwordPolicy.getResponse().getTimeBeforeExpiration();
int error =
passwordPolicy.getResponse().getPasswordPolicyError().getValue();
}
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: 2 issues with Password policy response warnings / types
Le 6/22/12 9:09 PM, carlo.acco...@ibs-ag.com a écrit : OK, Thank you very much for the clarification. I really thought I had it right. Last question on this. In the case where the length after the 0x80 is 1. As below, where the length is 2. 30, 9, a0, 4, 80, 2, 0, d0, 81, 1, 2, Do you know how to decode the int value? Just for the record, an integer above 0x7F and below7FFF will be encoded on 2 bytes. If the higher bit is 0, then the value is positive. I'm looking for 208, which is 0xd0 but not sure what to do with the other 0x00 byte? It's just there because you want a positive integer above 0x7F. Would you have 0x01 0xD0, it would be a negative value (-47). -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: FW: Hi Again, substring searches among 80K entires - still an issue
Le 6/23/12 11:52 AM, carlo.acco...@ibs-ag.com a écrit : Hi, using the api and the trunk, we're seeing the same result. Any ideas here? Send me on a mission. We'll go do any grunt work. Thanks. Again, if I ldif export / import the user, it can then be found again via substring search. Will give it a try tomorrow, rain is expecting to pour here. Right now, sun is shining, my GF is pushing me with a fork so that I mow the grass... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: FW: Hi Again, substring searches among 80K entires - still an issue
Ok, problem confirmed. I don't even have to create 80K entries, I get the issue with only 4 entries... Invertigation the issue right now. A clear bug, in any case ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: FW: Hi Again, substring searches among 80K entires - still an issue
I was able to make the test suceed, by simply replacing this line : connection.modify( dn, new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, displayName, Test User1 updated ) ); by connection.modify( dn, new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, displayName, test user1 updated ) ); That means the modify() operation does not normalize the value before storing it into the bakend, keeping the uper cases, when the filter use a regexp which is case sensitive. There is clearly a bug in the way we process the modification, the value *must* be normalized. I'll fix that asap. Le 6/25/12 1:31 PM, Emmanuel Lécharny a écrit : Ok, problem confirmed. I don't even have to create 80K entries, I get the issue with only 4 entries... Invertigation the issue right now. A clear bug, in any case ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: FW: Hi Again, substring searches among 80K entires - still an issue
Fixed http://svn.apache.org/viewvc?rev=1353518view=rev You can build the trunk and check if it's ok with your test. Le 6/25/12 2:00 PM, Emmanuel Lécharny a écrit : I was able to make the test suceed, by simply replacing this line : connection.modify( dn, new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, displayName, Test User1 updated ) ); by connection.modify( dn, new DefaultModification( ModificationOperation.REPLACE_ATTRIBUTE, displayName, test user1 updated ) ); That means the modify() operation does not normalize the value before storing it into the bakend, keeping the uper cases, when the filter use a regexp which is case sensitive. There is clearly a bug in the way we process the modification, the value *must* be normalized. I'll fix that asap. Le 6/25/12 1:31 PM, Emmanuel Lécharny a écrit : Ok, problem confirmed. I don't even have to create 80K entries, I get the issue with only 4 entries... Invertigation the issue right now. A clear bug, in any case ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: FW: Hi Again, substring searches among 80K entires - still an issue
Le 6/25/12 5:54 PM, carlo.acco...@ibs-ag.com a écrit : It works!! Thank you so much for everyone's help on this. I updated the JIRA but not sure if I should close it? Thanks! https://issues.apache.org/jira/browse/DIRSERVER-1724?focusedCommentId=13276714#comment-13276714 Thanks for the feedback. I have closed the issue. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: LdapNetworkConnection not thread-safe ?
Le 6/27/12 5:23 PM, Hendy Irawan a écrit : Hi ApacheDS developers, I'm working on an open source project ( https://github.com/soluvas/ldap-tools ) which uses LdapNetworkConnection using shared v1.0.0-M12. Several threads are running in parallel (using Akka), all using the same LdapNetworkConnection to delete entries. It's not necessarily a good idea to use a single connection in many threads. Think about it as if they where JDBC connections. Note that it should be supported, as the response are associated with a request ID, which is incremented everytime you send a new request (and the responses are associated with the requestID, so we should not have a problem here.) I suggest you fill a JIRA expliciting the problem, we will investigate. In the mean ime, I assume it's safer to use one connection per thread. However in some cases it locks up (deadlock? race condition?) and the last logs I get is : ... 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [ldap_cli-akka.actor.default-dispatcher-14] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=setsuna_hinagiku,ou=users,dc=berbatik,dc=com 22:17:17 [ldap_cli-akka.actor.default-dispatcher-24] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=rumah_amal_salman_itb,ou=users,dc=berbatik,dc=com 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [ldap_cli-akka.actor.default-dispatcher-18] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=setyo_rini,ou=users,dc=berbatik,dc=com 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [ldap_cli-akka.actor.default-dispatcher-1] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=pipit_nugroho,ou=users,dc=berbatik,dc=com 22:17:17 [ldap_cli-akka.actor.default-dispatcher-15] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=yuliana_riris_basaria,ou=users,dc=berbatik,dc=com 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [ldap_cli-akka.actor.default-dispatcher-16] INFO o.soluvas.ldaptools.cli.PersonClear - Deleting uid=setia_budi,ou=users,dc=berbatik,dc=com 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 22:17:17 [NioProcessor-2] DEBUG o.a.m.f.codec.ProtocolCodecFilter - Processing a MESSAGE_RECEIVED for session 1 I also experience similar issues doing concurrent add()s. Is LdapNetworkConnection meant to be thread-safe? Or should I just use separate LdapConnection for each thread? -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: string to key implementation
Le 7/3/12 1:52 AM, Jim Shi a écrit : Hi, I check the source code of Apache DS. There is only one class DesStringToKey.java) which implements DES string to key. Why there is no implementation of, say AES string to key? Is this intentional because is not needed? I checked kdc c source code, it has support of AES string to key etc. It's not implemented because we haven't yet had time to do so. But if you feel like implementing it using AES, we would be please to add it to the server code ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: ApacheDS 2M7 Password
Le 7/13/12 8:15 AM, Philippe de Rochambeau a écrit : Hello, how does one change the ApacheDS password in ApacheDS 2M7? Just change the administrator entry passowrd (uid=admin, ou=password). Furthermore, where are the apacheds 2 tools? Apache Directory Studio has an ApacheDS configuration GUI. I would like to create an ldap directory but am not sure how, other than by using openldap. You can play with ApheceDS in Apache Directory Studio, as it's embedded. That will give you a godd feeling about the server. However, OpenLDAP is certainly not a bad choice. Keep in mind that atm, in M7, we don't have multi master replication. It will come soon. -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Cloning an ActiveDirectory tree
Le 7/13/12 8:26 AM, Philippe de Rochambeau a écrit : Hello, I would like to partially clone my company ActiveDirectory tree in ApacheDS 2M7 to test a Spring application which uses kerberos authentication on Centos. Any suggestions as to how I should do that? Not easy. AD is not exactly an LDAP compliant server, and it has thousands of specific attributes which are not present in ApacheDS or in OpenLDAP. Plus other schema elements are very specific to AD... All that I can say is that you should first determinate what are the data you want to migrate,before considering moving away from AD (even if moving away from AD is the right thing to do...) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Creating a new partition in ADS2M7
Le 7/13/12 11:48 AM, phi...@free.fr a écrit : Hello, the documentation here http://directory.apache.org/apacheds/1.5/143-adding-your-own-partition-resp-suffix.html says that to create a new partition, you must add entries to the server.xml file. Since there is no server.xml file in ADS 2M7, as far as I know, where do you add the new entries? Many thanks. Philroc Sorry, this page is outdated. You'd better use ApacheDirectory Studio to add a new partition. There is a page with explains how to add a new partition using this tool : http://directory.apache.org/studio/static/users_guide/apacheds_configuration/configuration_editor_1.5.5_partitions.html -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: IllegalArgumentException: factory thrown when creating LdapNetworkConnection inside OSGi
] [Active ] [Created ] [ 80] org.soluvas.web.nav.ui (1.0.0.SNAPSHOT)
[ 386] [Active ] [Created ] [ 80] org.soluvas.web.jquery (1.0.0.SNAPSHOT)
[ 387] [Active ] [Created ] [ 80] org.soluvas.web.site (1.0.0.SNAPSHOT)
[ 389] [Active ] [Created ] [ 80] soluvas-json (1.0.0.SNAPSHOT)
[ 390] [Active ] [Created ] [ 80] com.wikindonesia.place (2.0.0.SNAPSHOT)
[ 393] [Active ] [ ] [ 80] soluvas-ldap (1.0.0.SNAPSHOT)
[ 394] [Active ] [ ] [ 80] com.wikindonesia.brand (2.0.0.SNAPSHOT)
[ 396] [Active ] [ ] [ 80] com.wikindonesia.cafe (2.0.0.SNAPSHOT)
[ 398] [Active ] [Created ] [ 80] org.soluvas.process (1.0.0.SNAPSHOT)
[ 400] [Active ] [Created ] [ 80] org.soluvas.web.jqueryui (1.0.0.SNAPSHOT)
[ 402] [Active ] [Created ] [ 80] org.soluvas.web.jquerynotify
(1.0.0.SNAPSHOT)
[ 403] [Active ] [Created ] [ 80] org.soluvas.web.backbone (1.0.0.SNAPSHOT)
[ 410] [Active ] [ ] [ 80] soluvas-async (0.0.0)
[ 411] [Active ] [Created ] [ 80] com.soluvas.process.shell
(1.0.0.SNAPSHOT)
[ 413] [Active ] [Created ] [ 80] org.soluvas.web.nav (1.0.0.SNAPSHOT)
[ 414] [Active ] [Created ] [ 80] org.soluvas.web.nav.shell
(1.0.0.SNAPSHOT)
[ 415] [Active ] [ ] [ 80] com.rabbitmq.client (2.8.4)
[ 418] [Active ] [ ] [ 80] soluvas-push (1.0.0.SNAPSHOT)
[ 419] [Active ] [Created ] [ 80] org.soluvas.web.stomp (1.0.0.SNAPSHOT)
[ 420] [Active ] [Created ] [ 80] com.soluvas.process.web (1.0.0.SNAPSHOT)
[ 422] [Active ] [Created ] [ 80] com.wikindonesia.web (2.0.0.SNAPSHOT)
[ 423] [Active ] [Created ] [ 80] org.soluvas.web.bootstrap
(1.0.0.SNAPSHOT)
[ 424] [Active ] [GracePeriod ] [ 80] com.wikindonesia.shell
(2.0.0.SNAPSHOT)
[ 425] [Active ] [ ] [ 80] soluvas-commons (0.0.0)
[ 426] [Active ] [Failure ] [ 80] com.wikindonesia.person (2.0.0.SNAPSHOT)
[ 427] [Active ] [ ] [ 80] soluvas-commons (1.0.0.SNAPSHOT)
[ 430] [Active ] [Created ] [ 80] com.wikindonesia.checkin (2.0.0.SNAPSHOT)
{code}
--
Regards,
Cordialement,
Emmanuel Lécharny
www.iktek.com
Re: 2nd Entry in Apache Directory Studio for Common Name
Le 8/1/12 10:55 PM, chris_n...@arcor.de a écrit : Hi, why is Apache Directory Studio adding a second Common Name entry, when importing an LDIF-file which contains a base64 encoded Common Name? Directory Studio creates a Common Name Entry: Joe Doe and a second one cn=Joe Doe. The cn= is part of the attribute's value! The cn= is not contained in the LDIF-file. Apache Directory Studio does not create this second value, if CN is not base64 encoded in the LDIF-file. ldapadd (OpenLDAP) never adds this redundant entry. Thank you in advance. Chris Hi, if you don't provide any more context, like the LDIF file you are trying to import, there is little we can tell you about what's going on. I suggest you read http://www.catb.org/~esr/faqs/smart-questions.html#beprecise... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: apacheds 1.5.7 kdc server problem on Mac OS X
Le 8/30/12 10:31 AM, Ivan Frain a écrit : Hi all, I am having trouble with the configuration of apcheDS kdcServer configuration. I am using apacheDS 1.5.7 from tar.gz archive and running on Mac OS X. My java version 1.7.0_05 64 bits I have successfully started the server and kdcServer is up and running. I have configured the partition and set up one user. The krb5key was generated since I enable the keyDerivation interceptor. The problem comes when I use kinit: $ kinit ifr...@hadoop.lan ifr...@hadoop.lan's Password: kinit: krb5_get_init_creds: KDC has no support for encryption type Any help would be much appreciated. Have you tried with the latest version, 2.0.0-M7 ? We have fixed *many* issues since 1.5.7, including kerberos bugs... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: apacheds documentation
Le 9/14/12 9:15 PM, Mark Fullerton a écrit : Hello The documentation makes no sense it seems there is a server.xml file for the 1.5.7 and below but nothing for 2.0 stream of development yet it seems the only way to make a partition is with the server.xml file. I am throughly confused as to how this software really works What can I say :/ Yes. We suck. We will do our best to review the complete documentation in the next four weeks, as we anyway have to migrate the site to a new CMS. Any help would be very welcome too ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Getting source for apacheds-1.0.3-SNAPSHOT
Le 10/9/12 12:03 AM, Johnson, Wayne a écrit : I'm trying to track down source for an old snapshot of ApacheDS so I can do some debugging.� Yea, it's old, stop laughing.� We are using apacheds-1.0.3-SNAPSHOT that was built on 8/9/2007.� Stop laughing.� My hope was to check out the source from subversion.� The web page suggests the URL http://svn.apache.org/repos/asf/directory/apacheds/branches/1.0-with-dependencies/ for that old branch but the URL no longer works and there does not appear to be a 1.0-with-dependencies anymore.� Anyone have any suggestions?� Was that branch deleted?� Any way to re-create it? Hopefully, with Subversion, you can still find the sources :) The 1.0.3-SNAPSHOT trunk should be available at revision 647850 : svn co http://svn.apache.org/repos/asf/directory/apacheds/branches/1.0@647850 will pull the server, and you will also need shared-0.9.5 and daemon-1.0 : svn co http://svn.apache.org/repos/asf/directory/daemon/branches/1.0@559605 svn co http://svn.apache.org/repos/asf/directory/shared/branches/1.0@559606 Last, not least, you'll also need the 'project' project in version 7 : svn co http://svn.apache.org/repos/asf/directory/project/tags/7 project and the root pom can be get with : svn co http://svn.apache.org/repos/asf/directory/apacheds/branches/1.0-with-dependencies@647850 . Not that you will get errors, as the externals have been removed, but that doe snot matter (also not the '.' at the end : it's andatory otherwise the check out will occur in a sub directory). I have some compilation failures when I run mvn clean install on the checked out code though. It may be due to the Java version I'm using (Java 6), as 1.0.3 was supposed to work with Java 1.4, and becaus ethere were some modifications in JNDI since then. We're in the process of migrating to DS 1.5.7 or 2.0.0 but we need some way to get the data migrated over.� I tried simply opening the JDBM files from 1.0.3 but it appears that the Java package names ensconced in the data serialization are not longer available under 1.5.7.� My next hope was to extract the data from the old 1.0.3 database with a serverless LDAP query (i.e. calling the Java methods without going over a network).� But to dig into the code to find those methods will require the source.� Thus the request. Why don't you just extract the data as a big LDIF file ? Studio should be able to connect to Apacheds 1.0.3, and thne, you extract everything from the server, before reimporting everything into the new version. That should definitively work. Anyone have any pointers on migration data from 1.0.3 to 1.5.7 (or better).� I suggest you get the 2.0.0-M8 which should be available very soon (in fact, I'm just releasing it atm, it should be available by the end of the week). Stop laughing... Frankly, I'm not laugning at all : the fact is you used a server that worked for 5 years before deciding to move on to a new version ! That's a pretty good news :) I'd like to listen about your usage... Thanks for using ADS ! -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: Getting source for apacheds-1.0.3-SNAPSHOT
Le 10/9/12 4:15 PM, Johnson, Wayne a écrit : Thanks for the fast response. I'm afraid I'm still a bit of a novice at using svn. I was able to checkout the project pom, apacheds and daemon source with no problem. I did modify your commands slightly: svn co http://svn.apache.org/repos/asf/directory/apacheds/branches/1.0@647850 apacheds svn co http://svn.apache.org/repos/asf/directory/daemon/branches/1.0@559605 daemon svn co http://svn.apache.org/repos/asf/directory/apacheds/branches/1.0-with-dependencies@647850 . I was not able to check out the shared source. I get the error: svn co http://svn.apache.org/repos/asf/directory/shared/branches/1.0@559606 shared svn: URL 'http://svn.apache.org/repos/asf/directory/shared/branches/1.0' doesn't exist My bad : svn co http://svn.apache.org/repos/asf/directory/shared/branches/0.9.5@559606 is the correct link (the copy/paste kept 1.0 instead of 0.9.5 at the end) -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: build monday from trunk very slow for ldif import
Le 10/10/12 4:55 AM, carlo.acco...@ibs-ag.com a écrit : Hi, I'm still trying finish the testing of all the Password policy work Karin did over the weekend but I have another issue that's come up. Ldif imports are extremely slow. During our testing, we often delete the entire partition directory to start fresh. When the server starts, it lays down the partition and .db files as defined config.ldif. Anyway, we used to import (via studio) an ldif file with 80k entries and it would load about 90 entries per second. That was great! With this build it's going at about 4-5 entries per second. Hmmm. This is very slow. How many indexed attributes do you have ? I have done some tests locally, and I'm able to get up to 200 add/s, but with a simpler entry. We noticed is that previously, the partition .db files would not change (on disk) until after the ldif import was complete. Then when we stopped the server, it was like the entire import got flushed to the disk at once. The files would go from 20K to 400MB. With this build, it seems to be updating the files as it goes. Could this be the reason? It may be because we flush on disk for every single write. You could turn the ads-partitionSyncOnWrite flag to FALSE, so that the data are flush only ever ads-dsSyncPeriodMillis (default to 15 seconds) Also, this is the first build I noticed the .lg files in the partition directory. I think they're there for journaling but don't know if that's an option something new? It's a JDBM file which is created beside the db files, AFAIR. I have to double check that. We removed all the password policy Attributes from my ldif file thinking that was slowing it down but it's essentially the same performance. Below is my partition and all the indexes are set like the one I included. Any changes that would affect this in the last few weeks. Anyone else seeing this? Thanks! dn: ads-partitionId=cpro,ou=partitions,ads-directoryServiceId=default,ou=config objectclass: top objectClass: ads-base objectclass: ads-partition objectclass: ads-jdbmPartition ads-indexes: apacheRdn ads-indexes: apacheSubLevel ads-indexes: apachePresence ads-indexes: apacheOneLevel ads-indexes: apacheOneAlias ads-indexes: apacheSubAlias ads-indexes: apacheAlias ads-indexes: entryCSN ads-indexes: krb5PrincipalName ads-indexes: objectClass ads-indexes: ou ads-indexes: uid ads-indexes: employeeNumber ads-indexes: displayName ads-indexes: cn ads-indexes: mail ads-indexes: roomNumber ads-indexes: pwdPolicySubEntry ads-indexes: member ads-indexes: description ads-indexes: givenName ads-indexes: sn ads-indexes: administrativeRole ads-partitionSuffix: o=cpro ads-jdbmpartitionoptimizerenabled: TRUE ads-partitioncachesize: 100 ads-partitionsynconwrite: TRUE ads-partitionid: cpro ads-enabled: TRUE #index example, they're all like this..HasReverse=FALSE dn: ads-indexAttributeId=uid,ou=indexes,ads-partitionId=cpro,ou=partitions,ads-directoryServiceId=default,ou=config ads-indexattributeid: uid ads-indexHasReverse: FALSE ads-indexcachesize: 100 objectclass: ads-index objectclass: ads-jdbmIndex objectclass: ads-base objectclass: top ads-enabled: TRUE -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
Re: build monday from trunk very slow for ldif import
Le 10/10/12 12:03 PM, carlo.acco...@ibs-ag.com a écrit : ads-partitionSyncOnWrite=FALSE did the trick! Back to 80 adds/sec, Thank you!! Cool. We may have to set this flag to false by default... -- Regards, Cordialement, Emmanuel Lécharny www.iktek.com
