Re: Schema object DN in OpenLdap

2015-09-24 Thread Emmanuel Lécharny
On 24/09/15 14:32, Syed Mudassir Ahmed wrote:
> In Windows active directory, the schema object is 
> cn=schema,cn=configuration,dc=...
> In OpenLdap, what's the DN for so?
>
> Sent from my iPad
You just have to get the subschemaSubentry attribute of any entry; it
will tell you where the schema it depends on is stored.

This is explained in https://tools.ietf.org/html/rfc4512#section-4.4



Re: Get all attributes

2015-09-24 Thread Emmanuel Lécharny
On 24/09/15 15:19, Syed Mudassir Ahmed wrote:
> This solution applies to Windows active directory. For each value of 
> objectClass (top, person, etc) there is an object in 
> cn=schema,cn=configuration,dc=... . Each of these objects tells required and 
> optional attributes. For the given entry, get all the values of its 
> objectClass and query those objects for attributes.
Yes, but this is not the solution to the very question you asked. Here,
what you are doing is fetching the schema, and then deducing the
optional AttributeTypes a specific entry can have by checking its
ObjectClasses.

Your question was "When I do search or lookup operation, I am getting
only 'n' attributes listed. I need the remaining (m-n) attributes as
well." and the short answer is : you can't. It's a two step operation,
actually...

Now, yes, fetching the schema is the way to go, and you have to store
the information locally. The LDAP API can do that, so you won't need to
specifically request the information every time you fetch an entry
(although for AD, this is a bit more complex than just fetching the
schema, just because AD is not implementing LDAP the way it should ;-)




Re: Question about fetching attributes

2015-09-18 Thread Emmanuel Lécharny
On 18/09/15 13:47, Syed Mudassir wrote:
> Hi Everybody,
> I am able to connect to Windows Active Directory.  I am able to lookup an 
> object and get the attributes.  However, this is the problem I am facing.
> Suppose an entry has 'm' attributes out of which 'n' attributes are 
> assigned 
> values.  The remaining attributes are simply unassigned.
> When I do search or lookup operation, I am getting only 'n' attributes 
> listed.  I need the remaining (m-n) attributes as well.
> Anyone can help how to do that?

The list of attributes that an entry can contain is available in the
combination of ObjectClasses this entry is subject to. Two things though :
- ObjectClasses can inherit from some other ObjectClasses, and those
parent ObjectClasses may not be present in the Entry. You will have to
know about them on the client side
- if one of the ObjectClasses is extensibleObject, then the entry may
contain *any* attribute, even some that the server does not support.

In any case, your client application must have some knowledge about your
LDAP server schema.

Otherwise, any reason you need to know which are the missing attributes ?
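The client-side schema knowledge this reply and the "Get all attributes" thread above call for, as an added example that is not code from the Apache LDAP API or ApacheDS: it parses RFC 4512 objectClass descriptions in the form a subschema subentry returns them, walks SUP inheritance so that parent classes absent from the entry are still counted, and flags extensibleObject as making the attribute set open-ended. The schema strings (with abridged MAY lists) and the entry are constructed samples.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of RFC 4512 objectClass descriptions, in the form a server returns
# them in the objectClasses attribute of its subschema subentry (MAY lists abridged).
SAMPLE_OBJECT_CLASSES = [
    "( 2.5.6.0 NAME 'top' ABSTRACT MUST objectClass )",
    "( 2.5.6.6 NAME 'person' SUP top STRUCTURAL MUST ( sn $ cn ) "
    "MAY ( userPassword $ telephoneNumber $ seeAlso $ description ) )",
    "( 2.5.6.7 NAME 'organizationalPerson' SUP person STRUCTURAL "
    "MAY ( title $ ou $ l $ postalAddress ) )",
    "( 2.16.840.1.113730.3.2.2 NAME 'inetOrgPerson' SUP organizationalPerson "
    "STRUCTURAL MAY ( mail $ uid $ displayName $ employeeNumber ) )",
    "( 1.3.6.1.4.1.1466.101.120.111 NAME 'extensibleObject' SUP top AUXILIARY )",
]

# Constructed entry: only the structural class is listed; its parents are implicit.
SAMPLE_ENTRY = {"objectClass": ["inetOrgPerson"], "cn": ["Jane Doe"], "sn": ["Doe"], "uid": ["jdoe"]}
EXTENSIBLE_OBJECT_OID = "1.3.6.1.4.1.1466.101.120.111"

# Tokens of a schema description: parentheses, '$', quoted strings, bare words.
_TOKEN = re.compile(r"\(|\)|\$|'[^']*'|[^\s()$']+")


@dataclass
class ObjectClass:
    oid: str
    name: list = field(default_factory=list)  # NAME
    sup: list = field(default_factory=list)   # SUP (parent classes)
    must: list = field(default_factory=list)  # MUST
    may: list = field(default_factory=list)   # MAY


def _read_oids(tokens, i):
    """Read one name, or a parenthesised '$'-separated list, starting at tokens[i]."""
    if tokens[i] != "(":
        return [tokens[i].strip("'")], i + 1
    items, i = [], i + 1
    while tokens[i] != ")":
        if tokens[i] != "$":
            items.append(tokens[i].strip("'"))
        i += 1
    return items, i + 1


def parse_object_class(description):
    """Parse an RFC 4512 section 4.1.1 ObjectClassDescription (NAME, SUP, MUST, MAY)."""
    tokens = _TOKEN.findall(description)
    if tokens[0] != "(" or tokens[-1] != ")":
        raise ValueError("not a parenthesised description: " + description)
    oc, i = ObjectClass(oid=tokens[1]), 2
    while i < len(tokens) - 1:
        key = tokens[i].upper()
        if key in ("NAME", "SUP", "MUST", "MAY"):
            items, i = _read_oids(tokens, i + 1)
            setattr(oc, key.lower(), items)
        elif key == "DESC":
            i += 2  # DESC 'text'
        else:
            i += 1  # ABSTRACT/STRUCTURAL/AUXILIARY, OBSOLETE, X- extensions: not needed here
    return oc


class SchemaView:
    """Client-side copy of the server's objectClass definitions, indexed by name."""

    def __init__(self, descriptions):
        self.by_name = {}
        for description in descriptions:
            oc = parse_object_class(description)
            for name in oc.name:
                self.by_name[name.lower()] = oc

    def closure(self, entry_object_classes):
        """Every class the entry is subject to, including parents it does not list."""
        result, todo = [], [name.lower() for name in entry_object_classes]
        while todo:
            oc = self.by_name[todo.pop()]
            if oc not in result:
                result.append(oc)
                todo.extend(parent.lower() for parent in oc.sup)
        return result

    def allowed_attributes(self, entry_object_classes):
        """Return (must, may, open_ended); open_ended means extensibleObject lifts the bound."""
        must, may, open_ended = set(), set(), False
        for oc in self.closure(entry_object_classes):
            must.update(oc.must)
            may.update(oc.may)
            open_ended |= oc.oid == EXTENSIBLE_OBJECT_OID
        return must, may - must, open_ended


def unassigned_attributes(entry, schema):
    """Attributes the entry's classes allow but that carry no value in the entry."""
    must, may, open_ended = schema.allowed_attributes(entry["objectClass"])
    present = {name.lower() for name in entry}
    return sorted(a for a in must | may if a.lower() not in present), open_ended
```

Against a live server the descriptions come from the objectClasses attribute of the entry named by subschemaSubentry (or the rootDSE, as the later reply explains); the parsing and the inheritance walk are the same.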



Re: Get all attributes

2015-09-21 Thread Emmanuel Lécharny
On 21/09/15 20:03, Syed Mudassir Ahmed wrote:
> Hello all, it's actually possible to list all the possible attributes for a 
> given entry (both assigned and unassigned). I have done it after a hard r

What is a hard r ?



Re: Get all attributes

2015-09-25 Thread Emmanuel Lécharny
On 25/09/15 02:43, Syed Mudassir Ahmed wrote:
> I am curious to know how ldap API can do that?

As the subschema tells where the schema is, we can load it on demand.
Actually, this is not what we do : we fetch the schema from the rootDSE,
which always holds a reference to the schema (see later why we don't
fetch the schema from the subschemaSubentry attribute).

Once we know where the schema is stored, and assuming it is stored with
respect to the RFC, it's all about loading all the schema elements into
a SchemaManager, and eventually checking that the schema is consistent (and
sadly, none of the existing LDAP servers out there - except ApacheDS -
is. Not that it's a bad thing, but we are extremely picky with the
respect of standards). As some LDAP servers are a bit lax about the
schema consistency, there is a relaxed mode that allows us to load most
of the server's schema.

Frankly, this is not perfect, and it's more a work in progress, but it
already works quite well with OpenLDAP and a few others.

Bottom line, behind the curtain, it's just a matter of reading the AT,
OC and a few other elements, parsing them and storing them. The process is
partially explained on
http://directory.apache.org/api/user-guide/4-schema-management.html
(this is not fully completed).

Why don't we load the schemaManager from the subschemaSubentry found in
each entry ? For two reasons :
- first because I don't know about any LDAP server that is defining more
than one schema for the entire server (although this is mandated by the
specification)
- and second because according to RFC 2252, it was not mandatory to
store a subschemaSubentry in each entry, and ApacheDS didn't do it.
Obviously, this is a mistake that will be fixed soon.





Re: [ApacheDS] Bind with hashed password

2015-12-08 Thread Emmanuel Lécharny
On 08/12/15 15:48, M. P. wrote:
>
>>
>> Hope you can explain that to your application developers...
>
> I started to explain them that it should not be done the way it is
> done now. I can provide them a newer version of the directory, more
> secure, but like I said before, they use this behaviour/issue
> currently and if I want to migrate to a newer version, I have to
> provide them some compatibility possibility the time this is fixed in
> the app.
>
> This is the reason I ask here. Maybe apacheDS was working like this
> before, maybe this is a bug, I don't know what else ...

My personal bet : it was a bug in 1.5.7


> When searching for an explanation, I saw that there are interceptors
> in apacheDS and as a supposition, maybe playing with them allows
> apacheDS to accept these bindings.
That's a possibility. Have they added an interceptor, or a specific
authenticator ? Adding an authenticator that accepts such broken
passwords is a solution that would work.



Re: [ApacheDS] Bind with hashed password

2015-12-08 Thread Emmanuel Lécharny
On 08/12/15 12:09, M. P. wrote:
> Hi all,
>
> I'm working for a new company for some months now and I have as a
> project to renew our directory server. The company uses ApacheDS 1.5.7
> and I have a question about it's behaviour.

Pretty old. Switch to the latest version as fast as possible !
>
> We can bind to this apacheDS server providing plain passwords and also
> providing full userPassword fields when password are encrypted in the
> directory.
Passwords are *not* encrypted : they are hashed. This is really a
different thing.

> I mean providing {enc_mecanism}hashed_password as a password.

Doh... You mean you actually *can* bind using something like
{SHA}kfghgkFgvkjh as a credential?

>
> This behaviour is very strange for me and in my point of view is a big
> security issue. What I want to know is how is it possible that you can
> bind providing hashed password ?
No, why would you be able to do that ? That would be almost equivalent
to storing the password in clear text in the server !

OTOH, if ApacheDS 1.5.7 allows such a thing, then it's an obvious bug.
Now, 1.5.7 is more than 5 years old, so...
>
> I ask because some apps here rely on this behaviour/issue and I want
> to know how I can reproduce it for compatibility reasons ? (that will
> be discarded later)
Weird apps that try to bind using a hashed password... This is all but
safe !

Follow me on that :

- the idea is that the password should *not* be exposed to the world
- hashing them on the server makes them impossible to retrieve, if one
gets access to the raw data
- one condition, of course, is that the original passwords were complex
enough to not be present in a rainbow dictionary (ie, passwords like
'secret', 'system', '007' etc have well-known hashes, so it's easy to test
them against the data).
- when a client connects to a server, it sends its password *in clear text*
- then the server hashes the received password, and compares it to what
it has in its database. If it matches, bingo, the client is identified.
- obviously, as the password is transmitted in clear text, the
connection *MUST* be safe, through SSL/TLS
- Last, not least, you can also use other mechanisms, way safer :
certificates, for instance, or Kerberos.

Hope you can explain that to your application developers...
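The server-side check the steps above describe, as an added example that is not ApacheDS code: the stored value is a legacy RFC 2307 {SHA}/{SSHA} userPassword (chosen because a {SHA} value is what this thread discusses; newer deployments prefer a slow salted scheme), the clear-text credential the client sent over TLS is re-hashed with the stored salt and compared in constant time, and a credential that is itself the stored hash string is rejected. Password values and salts are constructed.

```python
import base64
import hashlib
import hmac
import os


def store_userpassword(clear_text, scheme="SSHA", salt=None):
    """Hash a clear-text password into an RFC 2307-style userPassword value.

    {SHA}  : base64(sha1(password))               unsalted: same hash for same password
    {SSHA} : base64(sha1(password + salt) + salt)  salted: hash differs per user
    """
    scheme = scheme.upper()
    if scheme == "SHA":
        digest = hashlib.sha1(clear_text.encode("utf-8")).digest()
        return "{SHA}" + base64.b64encode(digest).decode("ascii")
    if scheme == "SSHA":
        salt = os.urandom(8) if salt is None else salt
        digest = hashlib.sha1(clear_text.encode("utf-8") + salt).digest()
        return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")
    raise ValueError("unsupported scheme: " + scheme)


def check_simple_bind(stored, credential):
    """Server-side check of a simple bind.

    The credential is the clear-text password the client sent (over TLS). The server
    re-hashes it with the stored scheme and salt and compares digests; the credential
    is never compared to the stored string itself, so presenting '{SHA}...' fails.
    """
    if not stored.startswith("{"):
        # Clear-text storage: still compare in constant time.
        return hmac.compare_digest(stored.encode("utf-8"), credential.encode("utf-8"))
    scheme, _, payload = stored[1:].partition("}")
    try:
        blob = base64.b64decode(payload, validate=True)
    except ValueError:  # binascii.Error is a ValueError: malformed stored value
        return False
    scheme = scheme.upper()
    if scheme == "SHA":
        expected, salt = blob, b""
    elif scheme == "SSHA":
        expected, salt = blob[:20], blob[20:]  # SHA-1 digest is 20 bytes, rest is salt
    else:
        return False  # unknown scheme: refuse rather than guess
    actual = hashlib.sha1(credential.encode("utf-8") + salt).digest()
    return hmac.compare_digest(actual, expected)
```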



Re: [ApacheDS] Bind with hashed password

2015-12-09 Thread Emmanuel Lécharny
On 09/12/15 11:32, M. P. wrote:
> On 2015-12-08 16:22, Emmanuel Lécharny wrote:
>>
>>> When searching for an explanation, I saw that there are interceptors
>>> in apacheDS and as a supposition, maybe playing with them allows
>>> apacheDS to accept these bindings.
>> That's a possibility. Have they added an interceptor, or a specific
>> authenticator ? Adding an authenticator that accepts such broken
>> passwords is a solution that would work.
>
> I don't know. The team currently working on these apps don't know too.
> The guys that worked on that are not there any more. I have to check
> that later.

Check for any classes implementing the Authenticator interface. Here are
the existing ones (in 2.0.0) :

Authenticator
  AbstractAuthenticator
    AnonymousAuthenticator
    DelegatingAuthenticator
    DummyAuthenticator
    SimpleAuthenticator
    StrongAuthenticator

If there is some other, then that means they have added a specific
authenticator.

Same for Interceptors.




Re: disable password policy for admin

2015-12-17 Thread Emmanuel Lécharny
On 18/12/15 00:52, Ezsra McDonald wrote:
> Is there a way to apply a new password policy that does not enforce
> password aging? I am trying to add the pwdPolicySubEntry attribute to a
> user using the Directory Studio but no luck so far.

From the top of my head, if you use 0 as the value, it's equivalent to
infinite.



Re: disable password policy for admin

2015-12-17 Thread Emmanuel Lécharny
On 18/12/15 00:02, Ezsra McDonald wrote:
> How do you prevent the Admin user's password from expiring? We would like
> to have that user ignore the policy.
>
This has been fixed recently :

https://issues.apache.org/jira/browse/DIRSERVER-2084

We still have to release 2.0.0-M21 (something I'm currently working on)


Re: DHCPOption problem

2015-12-15 Thread Emmanuel Lécharny
On 15/12/15 19:18, Sherman Lilly wrote:
> Can I do it with Apache Directory Studio

Yes. You can associate the dhcpOption Attribute to an editor that allows
you to set its value. Check in the Preferences.



Re: Vulnerability in apache-commons-collections 3.2.1

2015-11-20 Thread Emmanuel Lécharny
On 19/11/15 17:41, Kiran Ayyagari wrote:
> On Fri, Nov 20, 2015 at 12:37 AM,  wrote:
>
>>
>> Hi,
>>
>> We have a customer that's concerned about a reported vulnerability with
>> commons-collections.
>>
>> The collections jar (I believe) is a runtime dependency for the ApacheDS
>> api. The binary api download includes it among others and we've always just
>> shipped the entire kit.
>>
>>
>>
>> If the URL doesn't come through, the JIRA is COLLECTIONS-580<
>> https://issues.apache.org/jira/browse/COLLECTIONS-580>
>>
>>   https://issues.apache.org/jira/browse/COLLECTIONS-580
>>
>> Our use of the ApacheDS api is not open to external calls such as web
>> services, REST end points, etc.
>> So I'm not completely understanding the risks related to this issue if
>> any. Can someone chime in on what the actual exposures might be?
>>
> none, ApacheDS doesn't use commons-collections for de/serialization and
> additionally there are no
> external endpoints from which ApacheDS reads serialized objects.

No matter what, I'm currently bumping up the commons-collection library
version to 3.2.2 which fixes the issue. I will cut a release of the LDAP
API shortly after, and ApacheDS then.

As Kiran says, we *don't* use the critical part of the Collection API,
so it's absolutely safe.



Re: Move ADS to new location on disk

2016-06-09 Thread Emmanuel Lécharny
On 09/06/16 at 17:18, Ezsra McDonald wrote:
> Good question, sorry
>
> The OS is Enterprise Linux.
>
> I used the apacheds-2.0.0-M20-64bit.bin installer.

The directories the server is using are described in
http://directory.apache.org/apacheds/advanced-ug/2.2-instance-layout.html

Data will be stored in the partitions sub-directory.

If you move the whole tree, it should work, assuming you also change the
/etc/init.d/apacheds script to point to this new directory.

You may have a look at the various configuration files that may contain
root based paths.




Re: Command Line tools?

2016-06-08 Thread Emmanuel Lécharny
On 08/06/16 at 09:43, Peter Jamieson wrote:
>> -Original Message-
>> From: Jim Willeke [mailto:j...@willeke.com]
>> Sent: 07 June 2016 14:20
>> To: users@directory.apache.org
>> Subject: Command Line tools?
>>
>> Are command line tools like ldapsearch included with the directory install
>> packages?
>>
>> Is there a way to get the command line tools installed on a local client?
>>
> I would be interested in the accepted way to do this.
> I have installed openldap-clients, which works well (as apacheDS is 
> compatible)
openldap-clients is most certainly the right way to go.

Let me give you a bit of feedback about the ldap-tools sub-project at
ApacheDS : I started to work on it 10 years ago, but there is a big
issue with it : it requires that you launch a JVM every time you use a
command. That means around 1s delay. When using it in a script, this is
just overkill. Plus if you consider that you have the proven tools
already available, that was a duplication of effort.

The project still exists, though :
http://svn.apache.org/viewvc/directory/clients/trunk/ldap/

It's not actively maintained.



Re: ApacheDS replication

2016-06-08 Thread Emmanuel Lécharny
On 08/06/16 at 10:55, Peter Jamieson wrote:
> Hi,
>
> I've had the occasional issue with changes I make on one side of apacheDS not 
> being replicated.
>
> Is there a way of forcing a synchronization?

Hmmm, not that I know of. Once replication is set up, it's supposed to
catch up. If it's not, it's a bug.

Kiran ?



Re: Move ADS to new location on disk

2016-06-09 Thread Emmanuel Lécharny
On 10/06/16 at 00:13, Ezsra McDonald wrote:
> I found a wrapper.log in /opt/ApacheDS/opt/bin
>
> STATUS | wrapper  | 2016/06/08 16:57:41 | --> Wrapper Started as Daemon
> STATUS | wrapper  | 2016/06/08 16:57:41 | Launching a JVM...
> ERROR  | wrapper  | 2016/06/08 16:57:41 | JVM exited while loading the
> application.
> INFO   | jvm 1| 2016/06/08 16:57:41 | Error: Could not find or load
> main class Main
> STATUS | wrapper  | 2016/06/08 16:57:45 | Launching a JVM...
> ERROR  | wrapper  | 2016/06/08 16:57:45 | JVM exited while loading the
> application.
> INFO   | jvm 2| 2016/06/08 16:57:45 | Error: Could not find or load
> main class Main
> STATUS | wrapper  | 2016/06/08 16:57:49 | Launching a JVM...
> ERROR  | wrapper  | 2016/06/08 16:57:49 | JVM exited while loading the
> application.
> INFO   | jvm 3| 2016/06/08 16:57:49 | Error: Could not find or load
> main class Main
> STATUS | wrapper  | 2016/06/08 16:57:54 | Launching a JVM...
> ERROR  | wrapper  | 2016/06/08 16:57:54 | JVM exited while loading the
> application.
> INFO   | jvm 4| 2016/06/08 16:57:54 | Error: Could not find or load
> main class Main
> STATUS | wrapper  | 2016/06/08 16:57:58 | Launching a JVM...
> ERROR  | wrapper  | 2016/06/08 16:57:58 | JVM exited while loading the
> application.
> INFO   | jvm 5| 2016/06/08 16:57:58 | Error: Could not find or load
> main class Main
> FATAL  | wrapper  | 2016/06/08 16:57:58 | There were 5 failed launches in a
> row, each lasting less than 300 seconds.  Giving up.
> FATAL  | wrapper  | 2016/06/08 16:57:58 |   There may be a configuration
> problem: please check the logs.
> STATUS | wrapper  | 2016/06/08 16:57:58 | <-- Wrapper Stopped

The wrapper.conf file will refer to the UberMain.jar file, which you
probably moved along with the data.



Re: ApacheDS issues TGT kerberos ticket with address on IBM java

2016-06-28 Thread Emmanuel Lécharny
On 28/06/16 at 07:45, Martin Choma wrote:
> Hi,
>
> ApacheDS issues TGT kerberos ticket with address on IBM java , even if
> noaddresses = true is explicitly set in krb5.conf.

This is not a Kerberos flag, it's an indication for the kerberos client
to not send an address to the server, AFAICT. Now, under such
circumstances, we do process the request, and send back the ticket with
no client address.

The thing is that we would need to see what's going on on the server,
using the logs, to see why the ticket that is sent back is incorrect.

Could you set the server's log to DEBUG, create a JIRA issue, and attach
the logs you get ?

Kai, can you check on Kerby if this is something you support correctly ?


Re: add new attribute via LDIF file

2016-02-06 Thread Emmanuel Lécharny
On 06/02/16 23:34, Timothy Keith wrote:
> How can I add a new attribute through an LDIF file ?
>
> For this DN I would like to add a new attribute "telephoneNumber" with a 
> value.
>
>  DN: uid=tkeith,ou=users,ou=system
>
>
> Tim
Use ldapmodify (http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html)


Re: Password policy

2016-01-28 Thread Emmanuel Lécharny
On 29/01/16 02:26, akary...@yahoo.gr wrote:
> Hi,
> I'd like to enforce some rules for password values (such as use of at least 2 
> capitals, 1 number, 1 symbol, etc). Is it possible to do this with 
> configuration in the server? I've seen the password policy view in Apache 
> Directory Studio but it doesn't have anything like that.

No, it's not a policy you can enforce atm. That would require some
extension to the server.

> If it's not configurable out of the box, is there maybe an API that one could 
> use to write a custom "plugin" class that would be invoked whenever an 
> attempt to change the userPassword attribute's value is made?
You can replace the PasswordValidator that is used by default. There is
an interface
(http://directory.apache.org/apacheds/gen-docs/2.0.0-M20/apidocs/org/apache/directory/server/core/api/authn/ppolicy/PasswordValidator.html)
that can be implemented (here is the code for the default impl :
http://directory.apache.org/apacheds/gen-docs/2.0.0-M20/xref/org/apache/directory/server/core/api/authn/ppolicy/DefaultPasswordValidator.html).

Once you have created your own validator, you have to modify the server
configuration to tell the server what class to use to run a custom
validator : feed the ads-pwdValidator attribute with your password
validator FQCN. The parameter is described on
http://directory.apache.org/apacheds/advanced-ug/2.1-config-description.html#password-policies





Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 28/01/16 15:46, Sherman Lilly wrote:
> How to do I do that?

Assuming that you have a backup of your database content in a LDIF
format, just delete the existing data from your disk (/instance//partitions/)

Typically, on my linux box :

/opt/apacheds-2.0.0-M22-SNAPSHOT/instances/default/partitions/example :
[root@brie example]# ll
total 620
-rw-r--r--. 1 root root     0 Jan 27 15:55 0.9.2342.19200300.100.1.1.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.1.lg
-rw-r--r--. 1 root root   222 Jan 27 15:55 0.9.2342.19200300.100.1.1-uid.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 0.9.2342.19200300.100.1.25.db
-rw-r--r--. 1 root root   257 Jan 27 15:55 0.9.2342.19200300.100.1.25-dc.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 0.9.2342.19200300.100.1.25.lg
-rw-r--r--. 1 root root   273 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3-apachePresence.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.3.lg
-rw-r--r--. 1 root root   264 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50-apacheRdn.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.50.lg
-rw-r--r--. 1 root root   211 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5-apacheOneAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.5.lg
-rw-r--r--. 1 root root   208 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6-apacheSubAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.6.lg
-rw-r--r--. 1 root root   204 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7-apacheAlias.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.18060.0.4.1.2.7.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.db
-rw-r--r--. 1 root root   246 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7-entryCSN.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.4203.666.1.7.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.db
-rw-r--r--. 1 root root   215 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1-krb5PrincipalName.txt
-rw-r--r--. 1 root root 41362 Jan 27 15:55 1.3.6.1.4.1.5322.10.1.1.lg
-rw-r--r--. 1 root root   148 Jan 27 15:55 2.5.18.5-administrativeRole.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.18.5.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.18.5.lg
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.4.0.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.0.lg
-rw-r--r--. 1 root root   184 Jan 27 15:55 2.5.4.0-objectClass.txt
-rw-r--r--. 1 root root     0 Jan 27 15:55 2.5.4.11.db
-rw-r--r--. 1 root root 41362 Jan 27 15:55 2.5.4.11.lg
-rw-r--r--. 1 root root   257 Jan 27 15:55 2.5.4.11-ou.txt
-rw-r--r--. 1 root root 40960 Jan 27 15:55 master.db
-rw-r--r--. 1 root root     8 Jan 27 15:55 master.lg


Just get rid of all that. They will be recreated when you inject the
LDIF that contains your data.




Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 29/01/16 00:45, Sherman Lilly wrote:
> I haven't installed any relevant data that is important. So deleting the
> database is not important but how do I start a new and make that
> modification to the dhcp schema and the server startup properly. Since it
> wasn't working I did load any data yet. This is just to see if I can get it
> to work with DHCP lookup.
As soon as you have blanked your data, restarted the server, then you
should be able to modify your schema, stop and restart the server, and
then reinject the data into your started server.



Re: incorrect pattern ?

2016-01-26 Thread Emmanuel Lécharny
On 26/01/16 09:10, Blangille Denis wrote:
> Hello,
>
> i'm sorry to be incomprehensible.
>
> When i talk about 'pattern', this is apacheds schema's.

What LDAP schema are you using ?

In any case, with Studio, you should be able to connect on the server
and check the loaded schemas, to see if the radius one is there.

> Actually, i try to link apacheds ldap server(M 20) with a radius server 
> (freeradius v3.04)
> When i run the radius server in debug mode and after the bind is successful, 
> apacheds send a connection reset.
We need some logs here. There are so many possible causes for such an
error...

Try to be explicit and exhaustive, instead of providing fragments of
information about what you are trying to do and how you do it. It's
impossible for us to give you some help otherwise !



Re: DHCP using Apache directory server

2016-02-01 Thread Emmanuel Lécharny
On 01/02/16 20:22, Sherman Lilly wrote:
> Remember from previous post that I modified the dhcp schema to fix a
> attribute description bug. But when I create the attribute it is list in
> the drop down list when I select it. Also when I load the schema in a
> schema browser it shows up.

Studio will show all the schema elements it can read. That does not mean
that the server will accept them, if for instance the dhcp schema is
disabled.

Can you tell me what the value of the m-disabled attribute is when you
click on the cn=dhcp,ou=schema entry on your server's DIT ? If it's
TRUE, change it to FALSE, save the changed entry, and restart your server.

I just tested it, it works (and I get the same error when the dhcp
schema m-disabled attribute is TRUE)



Re: DHCP using Apache directory server

2016-02-01 Thread Emmanuel Lécharny
On 01/02/16 14:53, Sherman Lilly wrote:
> OK. I have blanked out the data and restarted the server. The server starts
> up fine now. Now anytime I try to add a dhcp shema definition I get an
> error.
>
> ERR_04269 ATTRIBUTE_TYPE for OID dhcpserverdn does not exist!
This attribute is not defined in any schema.

Where does it come from ?



Re: DHCP using Apache directory server

2016-02-01 Thread Emmanuel Lécharny
On 01/02/16 17:32, Sherman Lilly wrote:
> Sorry for the typo. I have to type what I see. Copy and paste isn't working.
>
> When you set object Class dhcpserver it requires the attribute
> dhcpservicedn.

It should be present. Is the DHCP schema enabled ?



Re: DHCP using Apache directory server

2016-01-28 Thread Emmanuel Lécharny
On 28/01/16 14:50, Sherman Lilly wrote:
> Adding the above ldif resulted in the server not able to start. Running
> server in console mode shows this error.
>
> ERR_134 Cannot deserialize the entry : ERR_04269 ATTRIBUTE_TYPE for OID
> 2.16.840.1.113719.1.203.4.19 does not exist!

Yes, you need to clean up the server and reinject the full entries,
because the schema has changed and it impacts the existing entries.



Re: Rebooted ApacheDS M2 getting invalid type 31

2016-01-27 Thread Emmanuel Lécharny
On 27/01/16 22:44, steve.hamm...@oracle.com wrote:
> Everything was working for months.
> Then search stopped working, so I thought I would restart apache ds.
>
> How can I get my system back to running?

Corrupted database :/

Either you have a backup, or you might want to test an experimental
package that can clean the database using the command 'apacheds.sh
repair'. I just brewed it last week-end, and made it available on
people.apache.org/~elecharny. This is a full installer for a full
server, which will restart if you run 'apacheds.sh start'.

If you feel like being a guinea pig, I'm around to give you any help. We
intend to release that version asap, when we have tested it a bit more
thoroughly.

Note : THIS IS *NOT* an official release.


Re: ApacheDS and commons.io 2.5

2016-02-23 Thread Emmanuel Lécharny
On 22/02/16 23:17, Accorsi, Carlo wrote:
> Hi Folks,
>
> Wondering if the next drop of Apache DS can include an updated dependency 
> for commons-io 2.5 ?
> Security conscious customer is asking us..
> https://issues.apache.org/jira/browse/IO-487
>
>
> Let me know and I'll create a JIRA if needed. Thanks!
>
Yes, please. That would help us remember to get rid of commons.io.

FTR, here are the places where we use this lib :

API :

./ldap/extras/sp/META-INF/MANIFEST.MF:Import-Package: org.apache.commons.io;version="2.4",org.apache.commons.l
./ldap/extras/sp/src/main/java/org/apache/directory/api/ldap/sp/JavaStoredProcUtils.java:import org.apache.commons.io.IOUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/extractor/SchemaLdifExtractorTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/LdifSchemaLoaderTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/MatchingRuleTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/SchemaManagerAddTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/SchemaManagerDelTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/SchemaManagerEnableDisableLoadTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/SchemaManagerLoadTest.java:import org.apache.commons.io.FileUtils;
./ldap/schema/data/src/test/java/org/apache/directory/api/ldap/schema/loader/SchemaManagerLoadWithDepsTest.java:import org.apache.commons.io.FileUtils;

ApacheDS :

./bulkloader/src/main/java/org/apache/directory/mavibot/btree/MavibotPartitionBuilder.java:import org.apache.commons.io.FileUtils;
./bulkloader/src/test/java/org/apache/directory/mavibot/btree/MavibotPartitionBuilderTest.java:import org.apache.commons.io.FileUtils;
./core-annotations/META-INF/MANIFEST.MF:Import-Package: org.apache.commons.io;version="[1.4,2)",org.apache.direc
./core-annotations/src/main/java/org/apache/directory/server/core/factory/DefaultDirectoryServiceFactory.java:import org.apache.commons.io.FileUtils;
./core-annotations/src/test/java/org/apache/directory/server/core/factory/DirectoryServiceAnnotationTest.java:import org.apache.commons.io.FileUtils;
./core-annotations/src/test/java/org/apache/directory/server/core/factory/DirectoryServiceFactoryTest.java:import org.apache.commons.io.FileUtils;
./core-api/src/main/java/org/apache/directory/server/core/api/CacheService.java:import org.apache.commons.io.FileUtils;
./core-integ/src/main/java/org/apache/directory/server/core/integ/IntegrationUtils.java:import org.apache.commons.io.FileUtils;
./core-integ/src/test/java/org/apache/directory/server/core/schema/PartitionSchemaLoaderIT.java:import org.apache.commons.io.FileUtils;
./jdbm-partition/src/test/java/org/apache/directory/server/core/partition/impl/btree/jdbm/JdbmIndexTest.java:import org.apache.commons.io.FileUtils;
./jdbm-partition/src/test/java/org/apache/directory/server/core/partition/impl/btree/jdbm/JdbmRdnIndexTest.java:import org.apache.commons.io.FileUtils;
./jdbm-partition/src/test/java/org/apache/directory/server/core/partition/impl/btree/jdbm/JdbmStoreTest.java:import org.apache.commons.io.FileUtils;
./kerberos-test/src/test/java/org/apache/directory/server/kerberos/kdc/AbstractKerberosITest.java:import org.apache.commons.io.FileUtils;
./ldif-partition/src/test/java/org/apache/directory/server/core/partition/ldif/LdifPartitionTest.java:import org.apache.commons.io.FileUtils;
./mavibot-partition/src/test/java/org/apache/directory/server/core/partition/impl/btree/mavibot/MavibotIndexTest.java:import org.apache.commons.io.FileUtils;
./mavibot-partition/src/test/java/org/apache/directory/server/core/partition/impl/btree/mavibot/MavibotStoreTest.java:import org.apache.commons.io.FileUtils;
./server-annotations/src/test/java/org/apache/directory/server/factory/CreateKdcServerAnnotationTest.java:import org.apache.commons.io.FileUtils;
./server-annotations/src/test/java/org/apache/directory/server/factory/DirectoryServiceAnnotationTest.java:import org.apache.commons.io.FileUtils;
./server-config/src/test/java/org/apache/directory/server/config/ChangePasswordConfigReaderTest.java:import org.apache.commons.io.FileUtils;
./server-config/src/test/java/org/apache/directory/server/config/ConfigPartitionReaderTest.java:import org.apache.commons.io.FileUtils;
./server-config/src/test/java/org/apache/directory/server/config/ConfigWriterTest.java:import org.apache.commons.io.FileUtils;
./server-config/src/test/java/org/apache/directory/server/config/HttpServerConfigReaderTest.java:import org.apache.commons.io.FileUtils;

Re: StartTLS enforced

2016-02-25 Thread Emmanuel Lécharny
On 25/02/16 16:33, s_humbi wrote:
> Hello, does anybody know if there is a way to force the ldap-client to use 
> StartTLS ? I don't want to offer our ldap-clients an unsecure way to talk with 
> our LDAP-Server.
> Yes I can disable the default-Port 389 and only enable the SSL-Port 636. But 
> there is written in the DS documentation: " **LDAPS** is considered as 
> deprecated. You should always favor startTLS instead. "
> And I also need the port 389 (with StartTLS) for replication, so i can not 
> disable it.
> At the moment i use only TLSV1.2 (attribute ads-enabledProtocols). But the 
> users can still connect without TLS.
> I found this interesting paper:
> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf --> see 
> caption: "The correct and standard approach is to start LDAP without 
> encryption and then negotiate the TLS security layer. If necessary, the 
> server can be configured to refuse all operations other than 'Start TLS' 
> until TLS is in place"
>
> Is this possible with Apache DS ?
> Many Thanks for helping ... Humbi
>
No, sorry, we can't enforce that at the moment. At least, there is no way
to do that through configuration.

And yes, this is missing. In OpenLDAP, you can enforce TLS through some
parameter, and I think that would be a good addition to ApacheDS.
Would you fancy creating a JIRA with such a request ?

Thanks !


Re: StartTLS enforced

2016-02-25 Thread Emmanuel Lécharny
Le 25/02/16 18:25, Ogg a écrit :
> Sure, I was aware of this feature, however it would be nice to see a roadmap 
> to have those insecure versions actually removed from ApacheDS, e.g. promote 
> better security choices by not offering obviously broken protocols. 

It would be good if they were banned from any of the existing
applications ;-)

Sadly, many people are still using them... Consider that Microsoft IE 11
is still accepting SSL 3.0 if you enable it (FF removed support for SSL
3 in June 2015 and Chrome in April 2015). TLS 1.0 is still enabled on
all the browsers.




Re: StartTLS enforced

2016-02-25 Thread Emmanuel Lécharny
Le 25/02/16 17:59, Ogg a écrit :
> I also would be interested in the feature. It would also be interesting to 
> deprecate TLS 1.0, TLS 1.1 and SSL of any flavor.

You can actually prohibit the use of ancient versions of SSL/TLS. We
have added some parameter to do that : ads-enabledProtocols. For instance :

dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
ads-systemport: 10636
ads-transportenablessl: true
ads-transportaddress: localhost
ads-transportid: ldaps
ads-needClientAuth: false
ads-wantClientAuth: true
ads-enabledCiphers: AAA
ads-enabledCiphers: BBB
ads-enabledCiphers: CCC
ads-enabledCiphers: DDD
ads-enabledProtocols: TLSv1
ads-enabledProtocols: TLSv1.1
ads-enabledProtocols: TLSv1.2
objectclass: ads-transport
objectclass: ads-tcpTransport
objectclass: top
ads-enabled: true


enables TLSv1, TLSv1.1 and TLSv1.2. You can just remove the first two
values.


Re: Get the count of matching results for a search

2016-02-25 Thread Emmanuel Lécharny
Le 25/02/16 14:18, Pushpalanka Jayawardhana a écrit :
> Hi All,
>
> This is regarding getting the count of matching results for an LDAP search
> we execute.
> I found this [1] posted in 2013, which says ApacheDS does not support
> numSubordinates.
> Is this still valid or, do we have a way to get the count of results
> without getting the whole results out?

The response is still valid.

Why would you do that anyway ? Is there any good reason why you may want
to know how many results you'll get ?



Re: Get the count of matching results for a search

2016-02-26 Thread Emmanuel Lécharny
Le 26/02/16 13:11, Lothar Haeger a écrit :
> Emmanuel Lécharny wrote:
>
>>> Often organizations need to know how many entries are present within a
>>> directory or container for audit purposes of security, legal, billing or
>>> other purposes.
>> Ok, why not. But LDAP does not provide such a mechanism. Even if the
>> search engine knows about how many entries are going to be returned I
>> see no standard way to send it back to the requester (it would require a
>> dedicated control or extended operation).
> You are talking about search result count, Jim talks about the number of
> subordinates in a container. 
Both were mentioned : the initial question was about the number of
returned entries for a search, and numSubordinates was also mentioned.

I'm replying to the initial question : the number of results following a
search request.

We do store the number of subordinates (and the number of children) in
ApacheDS, but we don't expose them. We could though, and it would be easy
to add a 'virtual' attribute to every entry returned.


> Not sure about the OP, wording suggests count of
> search results, the reference to an earlier forum post mentions
> numSubordinates...
Yep. I do think the focus is on the number of search results.
>
> A simple operational attribute can present the latter just like Sun/Oracle 
> DSEE
> does with numSubordinates or eDirectory with subordinateCount. There are
> definitely use cases for this, as well as reference implementations. Would be
> nice if a similar operational attribute would make it into ApacheDS, too.
That would be quite easy to provide. I even consider doing it right
away. Can someone file a JIRA for that feature request ?

Thanks !



Re: Get the count of matching results for a search

2016-02-26 Thread Emmanuel Lécharny
Le 26/02/16 11:34, Jim Willeke a écrit :
> numSubordinates is not (at least from what I have seen) used to show the
> number of results, but rather the count of entries within a container entry.

True.
>
> Often organizations need to know how many entries are present within a
> directory or container for audit purposes of security, legal, billing or
> other purposes.

Ok, why not. But LDAP does not provide such a mechanism. Even if the
search engine knows about how many entries are going to be returned I
see no standard way to send it back to the requester (it would require a
dedicated control or extended operation).

What I would see as a valid requirement is to keep track of all
operations that have been done in an audit part of the Directory server,
with information like the number of returned entries.

OTOH, such demands are pretty much equivalent to people wanting to do
something like a SQL "select count(*) ...", which is a frequently and
severely abused request (how many times have I seen people writing code
that first does a select count(*) before doing the same request again,
allegedly to "know about the number of elements I will get back, to
correctly manage my web page presentation" ?)


>
> When you have 1,000 or even perhaps 100,000 this is a minor item as you can
> just do a search.

You are likely to hit the configured limit anyway...




Re: StartTLS enforced

2016-02-26 Thread Emmanuel Lécharny
Le 26/02/16 17:01, s_humbi a écrit :
> OK. I tested: setting the value of attribute ads-confidentialityRequired to 
> TRUE and restarting the server.
> This attribute is present in the entry 
> ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config 
> And yes! It is working! --> I closed the JIRA issue. Maybe I will open a 
> feature request for Apache DS Studio to make this config option visible.
> Thx. Humbi

Good catch !

And thanks Kiran for being the living memory of the project ;-)
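
A config fragment, added here as an example (it is not taken from this thread nor from ApacheDS's own documentation), that combines the two settings this thread arrives at: restrict the LDAPS transport to TLSv1.2 only (the earlier answer shows the three-value form and says to drop the first two), and set ads-confidentialityRequired on the ldapServer entry, which is what Humbi reports as working to refuse non-TLS sessions. The DNs are the ones quoted in the thread; it assumes the config partition is reachable over LDAP as ou=config (as in ApacheDS 2.0) so the records can be applied with ldapmodify as uid=admin,ou=system, followed by a server restart. It is an assumption on my part that the plain `ldap` transport entry carries the same ads-enabledProtocols attribute for its StartTLS sessions; check your own config for that entry. One caveat from Stefan's reply in this thread still holds: the server refuses the operation, but a client that sends a simple bind before StartTLS has already put the password on the wire, so the clients themselves must be configured to negotiate StartTLS first.

```ldif
# Only allow TLSv1.2 on the LDAPS transport (port 10636 in the thread)
dn: ads-transportid=ldaps,ou=transports,ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-enabledProtocols
ads-enabledProtocols: TLSv1.2

# Refuse operations on a session that has not negotiated TLS
# (the attribute Humbi found on the ldapServer entry)
dn: ads-serverId=ldapServer,ou=servers,ads-directoryServiceId=default,ou=config
changetype: modify
replace: ads-confidentialityRequired
ads-confidentialityRequired: TRUE
```

After the restart, a quick check is to bind over plain 10389 without StartTLS and confirm the bind is rejected, then repeat with StartTLS and confirm it succeeds.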


Re: StartTLS enforced

2016-02-25 Thread Emmanuel Lécharny
Le 25/02/16 22:53, Stefan Seelmann a écrit :
> On 02/25/2016 05:56 PM, Emmanuel Lécharny wrote:
>> Le 25/02/16 16:33, s_humbi a écrit :
>>> Hello, does anybody know if there is a way to force the LDAP client to use 
>>> StartTLS ? I don't want to offer our LDAP clients an insecure way to talk 
>>> with our LDAP server.
>>> Yes, I can disable the default port 389 and only enable the SSL port 636. But 
>>> it is written in the DS documentation: " **LDAPS** is considered as 
>>> deprecated. You should always favor startTLS instead. "
>>> And I also need the port 389 (with StartTLS) for replication, so I can not 
>>> disable it.
>>> At the moment I use only TLSv1.2 (attribute ads-enabledProtocols). But the 
>>> users can still connect without TLS.
>>> I found this interesting paper:
>>> http://people.apache.org/~elecharny/ldapcon/Andrew%20Findlay-paper.pdf --> 
>>> see the caption: "The correct and standard approach is to start LDAP 
>>> without encryption and then negotiate the TLS security layer. If necessary, 
>>> the server can be configured to refuse all operations other than 'Start 
>>> TLS' until TLS is in place"
>>>
>> No, sorry, we can't enforce that at the moment. At least, there is no way
>> to do that through configuration.
>>
>> And yes, this is missing. In OpenLDAP, you can enforce TLS through some
>> parameter, and I think that would be a good addition to ApacheDS.
>> Would you fancy creating a JIRA with such a request ?
> But that cannot prevent the client from sending a request, e.g. a simple
> bind with plain text password, right? 
It will. Check http://www.openldap.org/doc/admin24/security.html,
section 14.2.1. Setting the 'security' parameter to a value > 1 will
reject any non-encrypted connection.


> Even if the server then refuses
> the operation, the password was sent over the wire. Would it then be
> appropriate to lock the account automatically?
You won't be able to send a request in clear text, AFAIU.





Re: Apache Directory Studio getting "stuck" on opening LDAP connection login

2016-01-21 Thread Emmanuel Lécharny
Le 21/01/16 10:02, Philip Colmer a écrit :
> This is really weird ... switching back to LDAP API now works *and*
> ADS is able to display the default schema, which wasn't working
> yesterday.
>
> BTW, it is OpenLDAP that I'm connecting to and, yes, it is via LDAPS.

FTR, Radovan detected a bug in the network layer we are using that makes
it possible for an LDAPS connection to get stuck in some corner cases.

It's likely to be the problem you are facing, considering that there was
a modification done in this layer between M8 and M10.




Re: incorrect pattern ?

2016-01-25 Thread Emmanuel Lécharny
Le 25/01/16 19:44, Blangille Denis a écrit :
> Hello,
Hi,
>
> How can I verify if an imported pattern is correct ? This is to link ApacheDS 
> and a FreeRADIUS server.
> Does a pattern for OpenLDAP work with ApacheDS ? Because the FreeRADIUS server 
> provides this pattern.

Can you be a bit more explicit about what you call a 'pattern' ?
Actually, a full description of what you are trying to do would be useful.

Thanks !



Re: DHCP using Apache directory server

2016-01-20 Thread Emmanuel Lécharny
Le 20/01/16 23:16, Stefan Seelmann a écrit :
> On 01/19/2016 02:46 PM, Sherman Lilly wrote:
>> I have got my schemas installed and working and the directory server is
>> working properly. I am trying to add a value to "dhcpOption" and it will
>> only accept a binary value. I figured out the value has to be a UTF-8 encoded
>> value. How do I use Directory Studio to insert this value? Let's say the
>> string is "broadcast 192.168.255.255". Not really sure how to convert that
>> to UTF-8 encoded binary and insert it into "dhcpOption" through Directory
>> Studio.
>>
>> Any help is appreciated.
> First I have to tell you that the DHCP (and also DNS) servers have not been
> maintained for years, I cannot even find any server-side integration
> test that tests the functionality. So very likely those won't work at
> all or include major bugs. Help to test, fix, and document is however
> appreciated :)

indeed...
>
> I just tried to add a "dhcpOption" value with Studio. As this attribute
> is of syntax octet string the Hex Editor opens. I then chose the "Edit
> as Text" option. The resulting binary is a proper UTF-8 encoded value.
> But when saving that there is an error on server side, I think that is a
> bug in the LDAP API.

No, it's a bug in the schema definition. I think we took it from
https://www.ietf.org/proceedings/53/I-D/draft-ietf-dhc-ldap-schema-00.txt,
where it says :

( 2.16.840.1.113719.1.203.4.7 
  NAME 'dhcpOption' 
  DESC 'Encoded option values to be sent to clients.  Each value represents a 
single option and contains (OptionTag, Length, OptionValue) encoded in the 
format used by DHCP.' 
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )

Our definition is slightly different :

attributetype ( 2.16.840.1.113719.1.203.4.7 
NAME 'dhcpOption' 
DESC 'Encoded option values to be sent to clients. Each value 
represents a single option and contains (OptionTag, Length, OptionValue) 
encoded in the format used by DHCP.' 
EQUALITY caseIgnoreIA5Match 
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 
 )

The problem is that using a caseIgnoreIA5Match matching rule for an OCTET 
STRING syntax is simply not working, and leads to an error when we try to 
inject a dhcpOption into the server.


The only way to get this fixed would be to fix the schema, and use a 
1.3.6.1.4.1.1466.115.121.1.26 Syntax (IA5String).

We can do that...
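
Since the attribute's DESC asks for values "encoded in the format used by DHCP", here is an added example (not part of this thread, nor of ApacheDS or its dhcp schema) that builds dhcpOption values as RFC 2132 (tag, length, value) triples and writes them the way an OCTET STRING value has to appear in an LDIF file: as a base64 `::` attribute. With the schema as it currently ships the add still fails with the matching-rule error Emmanuel describes above; the example shows what the bytes look like for the binary form, and round-trips them, which is a useful check against a value truncated in the hex editor. The option numbers are the standard DHCP ones; the addresses and the DN are constructed sample data.

```python
"""Added example: dhcpOption values as RFC 2132 (tag, length, value) triples
plus the base64 LDIF form an OCTET STRING value needs. Not from the thread,
ApacheDS or the dhcp schema. Addresses and the DN are constructed samples."""
import base64
import ipaddress

# Standard RFC 2132 option tags (not invented); 0 is pad and 255 is end.
OPT_SUBNET_MASK = 1
OPT_ROUTER = 3
OPT_DNS_SERVER = 6
OPT_BROADCAST = 28


def encode_option(tag, value):
    """One option: a tag byte, a single length byte, then the value bytes."""
    if not 1 <= tag <= 254:
        raise ValueError("tag must be 1..254")
    if len(value) > 255:
        raise ValueError("option value longer than 255 bytes")
    return bytes([tag, len(value)]) + bytes(value)


def encode_address_option(tag, *addresses):
    """Options whose value is one or more IPv4 addresses (router, DNS, broadcast)."""
    packed = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    return encode_option(tag, packed)


def decode_option(raw):
    """Parse one option back to (tag, value); refuse truncated or padded data."""
    if len(raw) < 2 or len(raw) != 2 + raw[1]:
        raise ValueError("length byte does not match the value")
    return raw[0], raw[2:]


def decode_addresses(raw):
    """Decode an address-list option to (tag, [dotted-quad, ...])."""
    tag, value = decode_option(raw)
    if len(value) % 4:
        raise ValueError("address option value is not a multiple of 4 bytes")
    return tag, [str(ipaddress.IPv4Address(value[i:i + 4]))
                 for i in range(0, len(value), 4)]


def ldif_binary_attribute(name, raw):
    """LDIF line for a binary value: '<name>:: <base64>' (RFC 2849)."""
    return "%s:: %s" % (name, base64.b64encode(raw).decode("ascii"))


def subnet_entry_ldif(dn, options):
    """LDIF record (dn plus one dhcpOption line per option) for a subnet entry."""
    lines = ["dn: " + dn]
    lines += [ldif_binary_attribute("dhcpOption", o) for o in options]
    return "\n".join(lines)


# Constructed sample: the broadcast address from the question plus a few more
SAMPLE_OPTIONS = [
    encode_address_option(OPT_SUBNET_MASK, "255.255.0.0"),
    encode_address_option(OPT_ROUTER, "192.168.0.1"),
    encode_address_option(OPT_DNS_SERVER, "192.168.0.2", "192.168.0.3"),
    encode_address_option(OPT_BROADCAST, "192.168.255.255"),
]

if __name__ == "__main__":
    # constructed DN; the real one depends on your dhcp tree
    print(subnet_entry_ldif("cn=192.168.0.0,cn=dhcp,dc=example,dc=com",
                            SAMPLE_OPTIONS))
```

The broadcast option for 192.168.255.255 comes out as the six bytes 1c 04 c0 a8 ff ff, i.e. `dhcpOption:: HATAqP//` in LDIF; pasting the hex into Studio's hex editor gives the same value. If the schema is changed to the IA5String syntax Emmanuel proposes, the value becomes plain text again and this encoding no longer applies.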



Re: Apache Directory Studio getting "stuck" on opening LDAP connection login

2016-01-25 Thread Emmanuel Lécharny
Le 25/01/16 09:50, Philip Colmer a écrit :
> Hi Stefan
>
> I've managed to get a thread dump for you.

Ok, many thanks.

That confirms what has been found last week by Radovan : there is a bug
in the SslHandler class, and it causes an infinite loop.

The bug is now fixed, and we will shortly release a new version of all
the components to get this problem behind us.

Many thanks for your patience !



Re: logging all incoming requests

2016-02-15 Thread Emmanuel Lécharny
Le 15/02/16 18:55, Timothy Keith a écrit :
> I am attempting to do pass-through authentication from an OpenLDAP
> server.  I would like to have debugging logs for all incoming requests.
>
> Tim
What kind of log do you want exactly ?

If you want to have some logs about every received message, you can
modify the log4j.properties to set the
org.apache.directory.server.ldap.handlers.request package to DEBUG.


You'll receive logs like :

LOG.debug( "Received: {}", bindRequest );
LOG.debug( "Handling request: {}", req );
LOG.debug( "Handling compare request while ignoring referrals:
{}", req );
LOG.debug( "Handling request: {}", req );
LOG.debug( "Handling modify dn request while ignoring referrals:
{}", req );
LOG.debug( "Handling request : {}", req );
LOG.debug( "Handling single reply request: {}", req );
LOG.debug( "Received: {}", unbindRequest );

Four problems here :
- not all the messages get logged (Abandon)
- not all extended operations are logged, and they use a different logger
- overall, the messages are not consistent
- you'll be flooded by logs you don't want.

A better option would be to set a logger on
org.apache.directory.api.ldap.codec.api.LdapDecoder. You will then get
the fully decoded LDAP message like :

LOG.debug( "Decoded LdapMessage : " + container );




Re: connection refused on Windows 7

2016-02-16 Thread Emmanuel Lécharny
Le 16/02/16 17:30, Timothy Keith a écrit :
> The Apache Directory Studio and the server are on the same Windows 7 computer.
> The only recent changes were the log4j.properties file - attempting to
> use DEBUG settings

Check that you are connecting on the right port with the correct DN and
password.



Re: logging all incoming requests

2016-02-18 Thread Emmanuel Lécharny
Le 19/02/16 03:27, Timothy Keith a écrit :
> On Thu, Feb 18, 2016 at 1:40 PM, Timothy Keith
> <timothy.g.ke...@gmail.com> wrote:
>> On Mon, Feb 15, 2016 at 4:36 PM, Timothy Keith
>> <timothy.g.ke...@gmail.com> wrote:
>>> On Mon, Feb 15, 2016 at 1:37 PM, Emmanuel Lécharny <elecha...@gmail.com> 
>>> wrote:
>>> It would first help me to know how to configure the location for the
>>> wrapper.log on Microsoft Windows, and any other log files. In
>>> wrapper.conf see a reference to "wrapper.log" file, but the single
>>> occurrence of that file was only written to during the install of
>>> Apache DS. Tim 
>> Sometimes the search logs stop showing any result of ldapsearch
>> requests. This is Apache Directory Studio 2.0.0 on a Windows 7
>> system.
>>
>> Tim
>
> Is it generally recommended to run Apache DS on Linux vs Windows?

No, not at all.

We prefer linux because we don't have to pay to have an OS installed on
our machines, that's all, but we provide builds for windows because it's
widely used, like it or not.


Re: acl in apacheDS

2016-03-18 Thread Emmanuel Lécharny
Le 18/03/16 10:06, Peter Jamieson a écrit :
> Hi Emmanuel,
>
> What I want is effectively the peername restriction in openldap acl.
> Is it worth me raising an improvement JIRA for this?

Definitely.
>
> Do you think it is something that could be done with a custom interceptor?  
> Is this detail available?
The peer IP is always available in the LdapSession, doing 
session.getIoSession().getRemoteAddress(). A custom interceptor would be
a solution (or at least a workaround, until we find the time to
completely review the ACL handling in ApacheDS...).



Re: acl in apacheDS

2016-03-19 Thread Emmanuel Lécharny
Le 18/03/16 10:41, Peter Jamieson a écrit :
>>> Is there a way I can prevent modifications to the directory from all 
>>> servers except the local one (or a named address)?
>> Not really. Protections are based on bound users, not on IP address or 
>> server's name. Now, if you have the DN of the servers you want to forbid 
>> modifications from, then it's possible.
> I missed the last part at first, but it sounds interesting.
> Do I have to explicitly give a DN to a server?
> Turning this round the other way, I only want to allow from a single server 
> (or pre-defined group);  Your response suggests this may be possible.

The ACLs are based on the DN the client used to bind. So if a server
does not access your LDAP server anonymously, then you should be able to
authenticate it with the DN it uses to bind.

Now, it's really not convenient as you probably provision those servers
with a unique DN. Being able to authorize based on the IP address would
definitely be a plus.



Re: acl in apacheDS

2016-03-19 Thread Emmanuel Lécharny
Le 18/03/16 11:36, Peter Jamieson a écrit :
>> Le 18/03/16 10:41, Peter Jamieson a écrit :
> Is there a way I can prevent modifications to the directory from all
>> servers except the local one (or a named address)?
 Not really. Protections are based on bound users, not on IP address or
>> server's name. Now, if you have the DN of the servers you want to forbid
>> modifications from, then it's possible.
>>> I missed the last part at first, but it sounds interesting.
>>> Do I have to explicitly give a DN to a server?
>>> Turning this round the other way, I only want to allow from a single server
>> (or pre-defined group);  Your response suggests this may be possible.
>>
>> The ACLs are based on the DN the client used to bind. So if a server does not
>> access your LDAP server anonymously, then you should be able to
>> authenticate it with the DN it uses to bind.
>>
>> Now, it's really not convenient as you probably provision those servers with 
>> a
>> unique DN. Being able to authorize based on the IP address would definitely be
>> a plus.
> Ahh, it's the authz interceptor that does this ... good to know :)
>
> Is this correct?  The first section of the delete method of 
> DefaultAuthorizationInterceptor is: -
>
> if ( 
> deleteContext.getSession().getDirectoryService().isAccessControlEnabled() )
> {
> next( deleteContext );
> return;
> }
>
> Shouldn't that be "if ( ! ... )" or am I misunderstanding?

Ouch... Seems that interceptor is largely buggy. We don't even have a
check for the ADD operation...

Actually, we have 2 authz interceptors that are activated : the ACI
interceptor and the Default one. There is some room for improvement here...
>
> So, I update the directory with ldapadd, e.g.: -
>
> ldapadd -h localhost -p 10389 -D "uid=admin,ou=system" -w $PASS -f 
> /opt/ivb/config/apacheds/example_user.ldif
>
> Is this anonymous access?  
No, you are specifying a DN with -D

> If not, which is the DN?

uid=admin,ou=system





Re: acl in apacheDS

2016-03-20 Thread Emmanuel Lécharny
Le 18/03/16 09:23, Peter Jamieson a écrit :
> Hi,
>
> I googled for ACLs in apacheds and got this link: -
>
> https://directory.apache.org/api/user-guide/5.1-aci-and-acls.html
>
> I was very excited until I saw the content :)

Sorry for that... It really needs some love :/
>
> Is there a way I can prevent modifications to the directory from all servers 
> except the local one (or a named address)?

Not really. Protections are based on bound users, not on IP address or
server's name. Now, if you have the DN of the servers you want to forbid
modifications from, then it's possible.



Re: ApacheDS exception saving configuration

2016-03-26 Thread Emmanuel Lécharny
Le 26/03/16 16:00, Richard Sand a écrit :
> Hi - I've installed a clean w2k8 VM and installed ApacheDS and
> ADStudio. I can bind to both 10389 and 10636 with uid=admin,ou=system
> and was able to create my schema extensions. But when I try to do
> anything with the configuration, e.g. turning off anonymous binds, or
> creating a new partition, I get a generic Exception when saving the
> configuration.

Yes, this is a known problem that is going to be fixed in the next Studio
release.

In the mean time, the only way is to use the unofficial nightly build :

https://builds.apache.org/view/A-D/view/Directory/job/dir-studio/



Re: ApacheDS with Mavibot anytime soon?

2016-03-25 Thread Emmanuel Lécharny
Le 25/03/16 17:21, Ashma Shrestha a écrit :
> Carlos,
>
> Thanks for the help.
>
> @Emmanuel - I know you have a busy schedule however, is there a timeline to
> when we can expect a fix? Currently we are working on a system which might
> make this scenario of concurrent update and search occur more.
No, sadly not, I don't have any timeframe.

My day job is totally killing me at the moment, and it's the very same for
Kiran. We would LOVE finding people capable of lending a hand... The other
option would be for my company to let me spend one month on that, but
they are not philanthropists ;-)



Re: command line commands

2016-03-04 Thread Emmanuel Lécharny
Le 03/03/16 23:39, brock samson a écrit :
> I am running apacheds 2-m17, and I am trying to run command line commands 
> such as ldapdelete, ldapadd, etc. How do I go about making those commands run 
> properly from my command line? Do I need to set something in the PATH 
> variable, or reference some directory where file(s) representing those 
> commands actually reside? Thanks.
>
>
I don't know which system you are running on. Assuming it's a unix box,
you will get some info on
http://www.tldp.org/HOWTO/LDAP-HOWTO/utilities.html, but there are many
other places you can find some instructions.


Re: command line commands

2016-03-04 Thread Emmanuel Lécharny
Le 04/03/16 18:25, brock samson a écrit :
> Actually I am running on Windows. And I obviously cannot run those commands 
> directly from the command line without referencing their definition from some 
> location. Do they perhaps reside within the apacheds-service-2.0.0-m17.jar?

I'm sorry, we don't offer any LDAP command line client. We had it a long
time ago, but we stopped supporting it.

You probably will have to install the Windows version of OpenLDAP that
should offer the ldapsearch... command line tools
(https://sourceforge.net/projects/openldapwindows/)


Re: ADS returns password expired when wrong password provided

2016-04-02 Thread Emmanuel Lécharny
Le 31/03/16 20:21, Ezsra McDonald a écrit :
> We have ApacheDS configured to expire passwords after a fixed amount of
> time. If a user lets their password expire and that user attempts to
> authenticate with an *invalid* password, ADS will respond with an error
> code related to their password being expired rather than a response stating
> their password entry was invalid.

First of all, which version of ApacheDS are you using ?

Now, with the latest version (2.0.0-M21), when you try to bind with a
correct or incorrect password when the correct password has expired, you
get this response :


Correct Password, expired :
---
MessageType : BIND_RESPONSE
Message ID : 2
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : 'INVALID_CREDENTIALS: Bind failed:
password expired'

Incorrect Password, expired :
-
MessageType : BIND_RESPONSE
Message ID : 2
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : 'INVALID_CREDENTIALS: Bind failed:
ERR_229 Cannot authenticate user cn=userExpireWarningToo,ou=system'


The diagnostic message is different, but it's hard to use it. You can
still determine which case you are in, if you add the PasswordPolicy
control to your BindRequest, because then you will get back the reason
why the bind was rejected :



Correct Password, expired, with PasswordPolicy control :

MessageType : BIND_RESPONSE
Message ID : 2
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : 'INVALID_CREDENTIALS: Bind failed:
password expired'
PasswordPolicy[criticality:false] PasswordPolicyResponse
[timeBeforeExpiration=-1, graceAuthNRemaining=-1,
ppolicyError=PASSWORD_EXPIRED]


Incorrect Password, expired, with PasswordPolicy control :
--
MessageType : BIND_RESPONSE
Message ID : 2
BindResponse
Ldap Result
Result code : (INVALID_CREDENTIALS) invalidCredentials
Matched Dn : ''
Diagnostic message : 'INVALID_CREDENTIALS: Bind failed:
ERR_229 Cannot authenticate user cn=userExpireWarningToo,ou=system'


As you can see, in the second case, you will get no PasswordPolicy
response control in the result.

>
> This is not the desired behavior for a couple of reasons. First, it is
> confusing our users because they assume that if our SSO portal tells them
> their password has expired, that they did enter the correct existing
> password. So when they get sent to our password change screen, they will
> enter the invalid existing password that they used initially, thinking it
> was correct.
It's up to you to send the PasswordPolicy control and return a message
to the user based on the response you get.

>
> The other issue is a matter of security. It is possible for anyone to
> determine if an account is expired just by entering the correct username.

If the password has expired, it's no longer usable, so it's safe,
unless your user has picked a password that he/she uses somewhere else.
There is a bit of education to push here...
Regardless, for an attacker, knowing that an account has expired is of
little interest.

Or Am I wrong ?

>
> Are there any suggestions on how to configure ADS to first verify the
> password is valid before responding with an account expired code.

No, but we can change the result we return. My perception is that the
base response should not tell the user that the password has expired,
unless the PasswordPolicy control is explicitly sent. It will be up to
the user to determine if he wasn't able to login because his password
has expired or because he tried with the wrong password.

wdyt ?
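
The distinction drawn in the reply above, between a bare invalidCredentials and an invalidCredentials that carries a PasswordPolicy response control, is what an SSO portal should key its "password expired" message on, rather than on the diagnostic message text. As an added example (not from this thread, and not the Apache LDAP API's own PasswordPolicy control classes), here is a small decoder for the control's BER value (draft-behera-ldap-password-policy, OID 1.3.6.1.4.1.42.2.27.8.5.1) and the decision logic that only reports "expired" when the control says so; a wrong password against an expired account, which in the dumps above comes back with no control at all, is reported as a plain bad password. The control bytes at the bottom are constructed samples, and `classify_bind` takes the result code and a dict of response controls rather than a live connection so it runs offline.

```python
"""Added example: decode the PasswordPolicy response control and classify a
BindResponse for an SSO portal. Not from the thread or the Apache LDAP API.
The control values at the bottom are constructed samples."""

PPOLICY_RESPONSE_OID = "1.3.6.1.4.1.42.2.27.8.5.1"
INVALID_CREDENTIALS = 49        # LDAP resultCode invalidCredentials

# error ENUMERATED values from draft-behera-ldap-password-policy
PPOLICY_ERRORS = {
    0: "passwordExpired",
    1: "accountLocked",
    2: "changeAfterReset",
    3: "passwordModNotAllowed",
    4: "mustSupplyOldPassword",
    5: "insufficientPasswordQuality",
    6: "passwordTooShort",
    7: "passwordTooYoung",
    8: "passwordInHistory",
}


def _read_tlv(buf, pos):
    """Read one BER TLV at pos (short or long definite length);
    return (tag, value bytes, position after the TLV)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV value")
    return tag, buf[pos:pos + length], pos + length


def decode_ppolicy_response(value):
    """PasswordPolicyResponseValue ::= SEQUENCE {
         warning [0] CHOICE { timeBeforeExpiration [0] INTEGER,
                              graceAuthNsRemaining [1] INTEGER } OPTIONAL,
         error   [1] ENUMERATED { ... } OPTIONAL }
    Absent fields come back as -1 / None, like the ApacheDS dump in the thread."""
    result = {"timeBeforeExpiration": -1, "graceAuthNRemaining": -1, "error": None}
    tag, body, _ = _read_tlv(value, 0)
    if tag != 0x30:
        raise ValueError("control value is not a SEQUENCE")
    pos = 0
    while pos < len(body):
        tag, inner, pos = _read_tlv(body, pos)
        if tag == 0xA0:                      # warning: explicit [0], constructed
            wtag, wval, _ = _read_tlv(inner, 0)
            seconds = int.from_bytes(wval, "big", signed=True)
            if wtag == 0x80:                 # timeBeforeExpiration [0]
                result["timeBeforeExpiration"] = seconds
            elif wtag == 0x81:               # graceAuthNsRemaining [1]
                result["graceAuthNRemaining"] = seconds
            else:
                raise ValueError("unknown warning tag 0x%02x" % wtag)
        elif tag == 0x81:                    # error: implicit [1], primitive ENUMERATED
            code = int.from_bytes(inner, "big")
            result["error"] = PPOLICY_ERRORS.get(code, "unknown(%d)" % code)
        else:
            raise ValueError("unexpected tag 0x%02x" % tag)
    return result


def classify_bind(result_code, controls):
    """Decide what to tell the user. `controls` maps response control OID to
    its raw value. Only the control's error field turns an invalidCredentials
    into 'password-expired'; a bad password against an expired account comes
    back without the control and stays 'invalid-credentials'."""
    raw = controls.get(PPOLICY_RESPONSE_OID)
    if result_code == 0:
        if raw is not None and decode_ppolicy_response(raw)["graceAuthNRemaining"] >= 0:
            return "ok-grace-login"          # expired, but a grace bind was allowed
        return "ok"
    if result_code != INVALID_CREDENTIALS:
        return "error"
    if raw is None:
        return "invalid-credentials"
    error = decode_ppolicy_response(raw)["error"]
    if error == "passwordExpired":
        return "password-expired"
    if error == "accountLocked":
        return "account-locked"
    return "invalid-credentials"


# Constructed sample control values (hex of the BER-encoded control value)
EXPIRED = bytes.fromhex("3003810100")             # { error passwordExpired }
LOCKED = bytes.fromhex("3003810101")              # { error accountLocked }
EXPIRING = bytes.fromhex("3007a0058003015180")    # { warning timeBeforeExpiration 86400 }
GRACE = bytes.fromhex("3005a003810102")           # { warning graceAuthNsRemaining 2 }
```

Wire the portal so that only "password-expired" sends the user to the change-password screen; "invalid-credentials" keeps the generic failure message whether or not the account has actually expired, which is also the behaviour Emmanuel proposes for the server's default response.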



Re: ldapcontext.reconnect and count of wrong passwords

2016-05-11 Thread Emmanuel Lécharny
Le 11/05/16 23:05, Jörg Weule a écrit :
> Hello,
>
> my server with M21 is locking the account if I use a wrong password
> several times with ldapsearch. Unfortunately the counter seems not to be
> increased when the ldapcontext is binding with reconnect(null).
>
> Apache James for example first does a lookup for the DN and then uses an
> ldapcontext.reconnect() with the user's credentials in the environment. A
> wrong user password is checked several times without locking the account
> as expected. Is there any known bug or solution ?

IMO, there is no bind done when doing a JNDI reconnect : the connection
is simply reused and never closed. In this case, the counter will not be
incremented.

A quick sample would be useful to check that on a server.




Re: ERR_250_ENTRY_ALREADY_EXISTS

2016-05-18 Thread Emmanuel Lécharny
Le 18/05/16 à 13:25, Joel Arula a écrit :
> Hi
>
> I am using embedded Apache DS version 2.0.0-M21
> When setting up clean installation every startup after first one is failing 
> with
> org.apache.directory.api.ldap.model.exception.LdapEntryAlreadyExistsException:
>  ERR_250_ENTRY_ALREADY_EXISTS
> What can be done in order to avoid this error, and what causes it ?
>
> Best Regards
>
> Joel Arula
>
Have you edited the configuration with Apache Directory Studio ? If so,
you may have added the contextEntry in the configuration, and it will be
injected at startup. Sadly, once injected, it won't be removed from the
config, and will be added again when you start the server again...


Can you check that ?



Re: ERR_250_ENTRY_ALREADY_EXISTS

2016-05-18 Thread Emmanuel Lécharny
Le 18/05/16 à 15:21, Joel Arula a écrit :
> Hi Emmanuel
>
> Yes indeed.  We have prepared customized configuration where there is.
>
> dn: ads-partitionId=ims,ou=partitions,ads-directoryServiceId=default,ou=config
> ads-contextEntry:: 
> ZG46IGRjPWltcyxkYz1wbGF5dGVjaCxkYz1jb3JwCm9iamVjdGNsYXNzOiBkb
>  21haW4Kb2JqZWN0Y2xhc3M6IHRvcApkYzogaW1zCgo=
> entryCSN: 20160512143435.245000Z#00#000#00
>
> If I remember it right our problem started after upgrading the configuration.
> Is  it OK to remove this entry?
Yes.

You can also file a JIRA, so that we fix this annoying error in the next
version (we will simply ignore the error message)

Thanks !



Re: Apache Directory LDAP API support & documentation

2016-05-15 Thread Emmanuel Lécharny
Le 15/05/16 à 14:41, ywies...@bgu.ac.il a écrit :
> Hey,
>
> We want to use your library in our project, but on your website it seems that 
> there have been no new versions in the last half year 

The latest version has been released in December 2015, and we are just
talking about releasing a 1.0.0 final this week.

> and the documentation is very partial and deprecated.
True dat.

>
> 1.   Is there any plan to keep developing this package? 
Look at the commits
(http://mail-archives.apache.org/mod_mbox/directory-commits/). Since the
last release, we have had 110 commits on the API code base.

> Does it have any support?

Depends on what you call support. You can post questions on the mailing
list, or contact some company that offers commercial support
(http://directory.apache.org/commercial-support.html), or contact
developers on the mailing list : some of us are freelancers and would
probably be pleased to provide some consulting.
>
> 2.   Is there more complete and updated documentation?
We are working on it, when we have time. There are plenty of unit
tests using the code base, which is actually the best source to see how
to use it.



Re: uid=admin,ou=system password expired

2016-05-03 Thread Emmanuel Lécharny
Le 03/05/16 18:50, Hal Deadman a écrit :
> I have a replicated directory in my dev lab where the admin  user has an
> expired password on one of the two servers. Since I can't login as admin,
> how might I go about resetting the password on that user short of
> re-creating the instance?

the uid=admin,ou=system user bypasses the passwordPolicy (at least in
the latest version). That should allow you to change the password.

What version are you using ?



Re: Whare are the Nightly Builds for Apache Studio?

2016-05-09 Thread Emmanuel Lécharny
Le 09/05/16 18:45, Jim Willeke a écrit :
> This older link does not seem to work:
> https://cwiki.apache.org/confluence/display/DIRxSTUDIO/Nightly+Builds

https://builds.apache.org/view/A-D/view/Directory/job/dir-studio/

Don't abuse it ;-)



Re: uid=admin,ou=system password expired

2016-05-06 Thread Emmanuel Lécharny
Le 07/05/16 02:00, Hal Deadman a écrit :
> I was able to recreate the issue with a test instance.
>
> I created a fresh instance of M21 directory using M10 studio. I set
> password expiration on password policy to some number, turned off grace
> logins, and changed the password of the admin user. I reconnected with the
> new password, and set the pwdChangedTime of admin user to a date in in the
> past (far enough to cause expiration) and then tried to reconnect,  got
> "Bind failed: password expired".

Ok, clearly a bug. Can you file a JIRA ?



Re: ApacheDS 64-bit Heap Limit

2016-08-01 Thread Emmanuel Lécharny
Le 01/08/16 à 10:20, Hakan Çelik a écrit :
> Hi team,

Hi Hakan,
>
> We're testing ApacheDS for storing our ~500k customer base.
whoa ! It must have taken hours to inject all of them ! FTR, we have
worked on a bulk loader, but only with the Mavibot partition, which is
not yet the default partition. That will allow you to inject data *way*
faster (we are talking orders of magnitude faster here...).
>
> We couldn't go beyond 4GB heap size for ApacheDS (version 2.0 M21). 4GB was
> not enough for our data, frequent GCs were scaring us for a possible memory
> related shutdown. Btw backend became corrupted one time because of a
> permgen space issue. We had to start from scratch :(  So an unexpected
> shutdown can be really really messy.
Indeed. In 2.0-M23 we have added a 'repair' mode that can be used to fix
this corruption problem (you just have to use 'repair' instead of
'start' when launching the server, with the path to the partition to repair)

But the long term for us is to replace the backend (JDBM) with Mavibot,
something we have been working on for 2 years now, but it requires one or 2
months of work to complete, and we don't have them atm :/ (volunteer-based
work is the problem here: if we had some funding to get it done, that
would be a game changer !)

>
> Anyway, i've checked Tanuki wrapper release notes, i saw they've removed
> 4GB limit as of 3.3.0 version. (
> https://wrapper.tanukisoftware.com/doc/english/release-notes.html#3.3.0)

three things :
- I think you can go beyond this limit on Linux boxes. Are you using
Windows ?
- We intend to switch to another wrapper, like YAJSW, which does not
have the same limits
- You can also use the default installer, which does not depend on the
Tanuki wrapper.

>
> As a solution i've upgraded my ApacheDS instance's *lib/libwrapper.so*,
> *lib/wrapper.jar*, *bin/wrapper* to the latest (3.5.29 - community),
> removed old wrapper jar, kept wrapper configs as is.. It looks like working
> fine now.

That will work. Sadly, we can't use this version, because its license
(GPL 2/3) is not compatible with the ASF AL 2.0 license :/
>
> Please feel free to give any feedbacks/warnings about this. And kindly, you
> may consider updating this dependency version to latest for future releases.
Not an option :/

Thanks for the feedback, and keep following the project, because the
switch to mavibot will solve a *lot* of the issues you are facing !




Re: Active Directory Connect Timeout

2016-08-04 Thread Emmanuel Lécharny
On 04/08/16 at 18:09, Syed Mudassir Ahmed wrote:
> Hi friends,
>  My Java application interacts with  Microsoft Active Directory server using 
> Java JNDI LDAP API.
>   My application runs successfully for about an hour connecting to AD 
> successfully. After about an hour my application fails. When I checked the 
> error logs I see connection timeout exception to AD server.  If I stop and 
> restart my application, then it connects to AD server successfully. Again, it 
> fails with connect timeout exception after an hour.
>   This behaviour is recurring and it's really hard to stop/start the 
> application every hour.
>   Any help on resolving this?

Why don't you ask either Microsoft or Oracle ?

We have nothing to do with JNDI or AD...


Re: [Studio] Some characters in quick filter are misinterpreted

2016-07-18 Thread Emmanuel Lécharny
On 18/07/16 at 09:46, Stefan Düring wrote:
> hello,
>
> in Apache Directory Studio (Version: 2.0.0.v20151221-M10) when I
> execute a search and try to filter the results via quick filter, some
> characters I enter in the filter field are interpreted as shortcuts.
>
> e.g.
> f - the quick filter disappears (like Strg + f)
> h - the search dialog appears (like Strg + h)
> n - like Strg + n
> w - like Strg + w

What is the 'Strg' key you are mentioning ?



Re: ApacheDS issues TGT kerberos ticket with address on IBM java

2016-06-28 Thread Emmanuel Lécharny
On 28/06/16 at 15:44, Martin Choma wrote:
> I have created https://issues.apache.org/jira/browse/DIRSERVER-2156 as you
> suggest. There really is address send in TGS-REQ for krbtgt. 
Can you send the bytes that are sent to the server ? I'd like to have
a look at the content of the message. (you can attach them to the ticket)

> Is there way
> we can workaround this behaviour? Is it bug in ibm java ignoring
> noaddresses = true flag? 
It's a possibility.

> Is it possible to configure ApacheDS not to issue
> ticket with address or skip network address check?
I don't know. Atm, we send back what we got. I really want to know if a
special flag is transmitted, and if so, yes, we can fix the code to not
send back an address.



Re: Installation on Ubuntu

2016-07-05 Thread Emmanuel Lécharny
On 05/07/16 at 13:46, Onno van der Straaten wrote:
> Same thing btw with CentOS, same error message.

Indeed. I just tested it, same error.

As a workaround, remove line 38 in the
/opt/apacheds-2.0.0-M22/conf/wrapper.conf file :

# Java Additional Parameters
wrapper.java.additional.1=-Dlog4j.configuration=file:///%INSTANCE_DIRECTORY%/conf/log4j.properties
wrapper.java.additional.2=-Dapacheds.var.dir=%INSTANCE_DIRECTORY%
wrapper.java.additional.3=-Dapacheds.log.dir=%INSTANCE_DIRECTORY%/log
wrapper.java.additional.4=-Dapacheds.run.dir=%INSTANCE_DIRECTORY%/run
wrapper.java.additional.5=-Dapacheds.instance=%INSTANCE%
wrapper.java.additional.6=%REPAIR_COMMAND%   
<-- This line has to be deleted

You should be able to start the server.

Sorry for the inconvenience... That will be fixed in a new version



Re: Uneasy feeling about ApacheDS

2016-07-08 Thread Emmanuel Lécharny
On 08/07/16 at 17:07, Accorsi, Carlo wrote:
> Dear Sir, 
> We have a production system using ApacheDS that's been running since 2011 
> with 80,000+ users. 
> Emmanuel ,Kiran and the many other contributors have done an amazing job with 
> this software. Yes, there was a bit of a learning curve and for us that was 
> easily offset by its cost. If we used MS Azure Active Directory Basic instead 
> it would run $80K per month. 

Carlo, thanks A LOT for this feedback !

This is exactly the reason we keep going : because it helps people
around the world running their applications. Even if the road is
sometime bumpy !




Re: ERR_12005_NO_CHANGE No changes within entries

2016-07-11 Thread Emmanuel Lécharny
On 11/07/16 at 14:36, Claude Libois wrote:
> Hello,
> I'm using ApacheDS as embedded LDAP for unit testing.
> I'm trying to add some attribute definition through ldif file which
> contains:
> dn: cn=schema
> version: 1
> changetype: modify
> add: attributetypes
> attributetypes: ( 1.3.6.1.4.1.18060.0.4.3.2.1
>  NAME 'subjectDn'  DESC 'dqffq'
>  EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27
>  SINGLE-VALUE)
> -
> With the following metadata I get
> 2016-07-11 14:31:00,392 ERROR LdifReader - ERR_12004_CHANGE_NOT_ALLOWED We
> cannot have changes when reading a file which already contains entries, at
> line 6
>
> @CreateLdapServer(
> transports =
> {
> @CreateTransport(protocol = "LDAP")
> }
> )
> @CreateDS(name = "classDS",
> partitions =
> {
> @CreatePartition(
> name = "XX",
> suffix = "o=XX,dc=XX,dc=be"
> )
> }
> )
> @ApplyLdifFiles({
> "ldif/addSubjectDn.ldif",
> }
> )
> @CreateLdapConnectionPool(
> maxActive = 1,
> maxWait = 5000)
>
> Does anybody know how to fix this ? I'm rather a newbie as far as LDAP is
> concerned, so this might be something obvious.

This is not a bug, this is a limitation. Don't do a Modify, do an Add,
that should work.
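To go from the posted "add: attributetypes" change record to the Add form Emmanuel suggests, here is an added example that is not part of the thread or of the ApacheDS code base: a small Python converter that parses an RFC 4512 AttributeTypeDescription and emits a plain LDIF entry (no changetype) for the ApacheDS schema partition, i.e. an `m-oid=<oid>,ou=attributeTypes,cn=<schema>,ou=schema` entry of objectClass metaAttributeType, the same shape as the files under partitions/schema. Such an entry can sit in an @ApplyLdifFiles file next to ordinary entries. The `cn=other` target schema and the m-* attribute names are my assumptions from the ApacheDS meta schema as I know it; compare with an existing `m-oid=...ldif` file in your instance before loading. Note also that LDIF puts `version: 1` before the first `dn:`, which the posted file does not.

```python
import base64
import re

# Constructed sample: the definition from the post, written as the RFC 4512
# AttributeTypeDescription that the "add: attributetypes" modify carried.
SAMPLE_ATTRIBUTE_TYPE = (
    "( 1.3.6.1.4.1.18060.0.4.3.2.1 NAME 'subjectDn' DESC 'dqffq' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )"
)

_VALUE_KEYWORDS = {"NAME", "DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}
# RFC flag keyword -> ApacheDS meta attribute (assumed from the apachemeta schema).
_FLAG_KEYWORDS = {"SINGLE-VALUE": "m-singleValue", "OBSOLETE": "m-obsolete",
                  "COLLECTIVE": "m-collective", "NO-USER-MODIFICATION": "m-noUserModification"}
# RFC usage value -> ApacheDS m-usage value (assumed).
_USAGE = {"userapplications": "USER_APPLICATIONS", "directoryoperation": "DIRECTORY_OPERATION",
          "distributedoperation": "DISTRIBUTED_OPERATION", "dsaoperation": "DSA_OPERATION"}
# Emission order and meta attribute names for valued keywords (assumed).
_EMIT = [("DESC", "m-description"), ("SUP", "m-supAttributeType"), ("EQUALITY", "m-equality"),
         ("ORDERING", "m-ordering"), ("SUBSTR", "m-substr"), ("SYNTAX", "m-syntax"),
         ("LENGTH", "m-length"), ("USAGE", "m-usage")]
# A token is a quoted string, a parenthesised name list, or a bare word.
_TOKEN = re.compile(r"'(?:[^'\\]|\\.)*'|\([^()]*\)|\S+")


def _unquote_all(token):
    """'x' -> ['x'];  ( 'a' 'b' ) -> ['a', 'b'];  bare -> [bare]."""
    if token.startswith("("):
        return re.findall(r"'((?:[^'\\]|\\.)*)'", token)
    if len(token) >= 2 and token.startswith("'") and token.endswith("'"):
        return [token[1:-1]]
    return [token]


def parse_attribute_type(description):
    """Parse an RFC 4512 AttributeTypeDescription (numeric OID form only).

    Returns a dict with 'oid', 'names', 'flags', every valued keyword that was
    present and, when SYNTAX carries a {len} suffix, 'LENGTH'.
    """
    text = description.strip()
    if not (text.startswith("(") and text.endswith(")")):
        raise ValueError("description must be enclosed in parentheses")
    tokens = _TOKEN.findall(text[1:-1])
    if not tokens or not re.fullmatch(r"[0-9]+(?:\.[0-9]+)+", tokens[0]):
        raise ValueError("missing or non-numeric OID")
    parsed = {"oid": tokens[0], "names": [], "flags": []}
    i = 1
    while i < len(tokens):
        key = tokens[i].upper()
        if key in _FLAG_KEYWORDS:
            parsed["flags"].append(key)
            i += 1
            continue
        if key not in _VALUE_KEYWORDS:
            raise ValueError("unsupported keyword %r" % tokens[i])
        if i + 1 >= len(tokens):
            raise ValueError("%s has no value" % key)
        values = _unquote_all(tokens[i + 1])
        if key == "NAME":
            parsed["names"] = values
        elif key == "SYNTAX" and "{" in values[0]:
            syntax, length = values[0].rstrip("}").split("{", 1)
            parsed["SYNTAX"], parsed["LENGTH"] = syntax, length
        elif key == "USAGE":
            if values[0].lower() not in _USAGE:
                raise ValueError("unknown USAGE %r" % values[0])
            parsed["USAGE"] = _USAGE[values[0].lower()]
        else:
            parsed[key] = values[0]
        i += 2
    return parsed


def _ldif_line(attr, value):
    """Base64-encode values that RFC 2849 does not allow as a SAFE-STRING."""
    unsafe = value[:1] in (" ", ":", "<") or any(ord(c) > 127 or c in "\r\n\0" for c in value)
    if unsafe:
        return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (attr, value)


def to_apacheds_ldif(parsed, schema="other"):
    """Emit an LDIF entry (no changetype) for the ApacheDS schema partition."""
    oid = parsed["oid"]
    lines = ["dn: m-oid=%s,ou=attributeTypes,cn=%s,ou=schema" % (oid, schema),
             "objectClass: metaAttributeType", "objectClass: metaTop",
             "objectClass: top", "m-oid: " + oid]
    lines += [_ldif_line("m-name", n) for n in parsed["names"]]
    lines += [_ldif_line(meta, parsed[key]) for key, meta in _EMIT if key in parsed]
    lines += ["%s: TRUE" % _FLAG_KEYWORDS[f] for f in parsed["flags"]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("version: 1\n" + to_apacheds_ldif(parse_attribute_type(SAMPLE_ATTRIBUTE_TYPE)))
```

The converter refuses descriptor-style OIDs and unknown keywords rather than guessing, because a silently mis-mapped schema element is harder to debug later than a parse error now.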



Re: Uneasy feeling about ApacheDS

2016-07-06 Thread Emmanuel Lécharny
On 06/07/16 at 07:15, Onno van der Straaten wrote:
> I'm new to ApacheDS and have been trying to setup a working configuration.
> Failing. I am abandoning attempts to use this and will be recommending against
> using ApacheDS on the project I am currently working on.
>
> There are too many issues, it gives me very uneasy feeling.
>
>
>- I tried the latest release M22, it doesn't work, fails to install on
>Ubuntu and CentOS.

There is a bug in the wrapper-conf file that makes the script fail. I
already replied to your previous mail about how to work around the issue,
and we are working on a quick fix for this one.
>- I tried M20, which installs and works but found that studio does not
>work DIRSTUDIO-889

A new version of Studio is currently being built to fix this issue
>- Previous studio version had another issue. Open configuration does not
>work, shows message "OID ads-basedn does not exist!".
Same problem, same solution.
>- Purportedly studio version should match servers version so I tried
>complete new install of M8 of studio and server. This version also produces
>error message on open configuration ATTRIBUTE_TYPE for" OID
>ads-dsmaxpdusize does not exist!".
>
>
> My conclusion is that there is no clear stable working ApacheDS release at
> this point. That navigating around various issues surrounding combination
> of server and studio is time consuming is one thing. The key thing however
> is that the many issues raise questions about quality.

Quality is one thing, but time is another one. Note that beside the
obvious M22 bug that was introduced lately (and will be fixed very
soon), there are workarounds :
- you don't necessarily have to use Studio to configure ApacheDS. The
configuration is stored in an LDIF file, which can be modified using a
text editor.
- you can even use Studio and connect to the server to configure it
through the entry editor.

So, what about time ? Days have 24h, we do have to sleep at some point,
say, 6h, plus a few minutes for other biological activities, that left
us around 16h per day. Out of which mainly 10 are already dedicated to
our day job. 6h left. We also have a social life (ie, spouse/husband,
children, friends. This is quite demanding.) Bottom line, I'm *very*
happy if I can spend 2h every day on the project.

Now, please consider this : the ApacheDS project is quite big. The LDAP API,
ApacheDS and Studio, all together, represent 659 050 SLOCs (Single Lines
of Code, ie anything that is not a blank line or a comment). Navigating
through all that takes time.

To be clear : we *do* care about quality, but quality is not a magic
thing that comes for free : it requires tests, time and dedication.
Sometimes, we do fuck things up (like the latest M22 release I just cut
last week). If you wonder why I didn't announce it, that's just because
someone found the problem with the starting script on Linux.

What can we do about it ? Well, fix it asap, something we are working
on; if you have 2 minutes of your time to spend on the dev mailing list
you'll see that we are discussing the problem and the fix
(https://lists.apache.org/thread.html/356ab8ca1f64adf5ad7bf342a38049b345968b4ff080d2cf4d31073d@%3Cdev.directory.apache.org%3E).
That's what we do on our side, plus spending time answering users' mail
(https://lists.apache.org/thread.html/ce3b13d91b9dc2d7373bb6424e158beccc4eb85eb8873572ea501f54@%3Cusers.directory.apache.org%3E)

Now, what ? Well, I would urge you to try the workaround, and provide
some feedback about it. This is not the perfect solution, but at least,
that will let you play with the server and Studio. As I already said in
my first answer : file a JIRA. This really helps us track issues.

In the meantime, complaining about 'quality' does not bring you
anywhere : we already are perfectly aware of this issue, and we are
already working on it. Ok, I know, you are venting your frustration on
the mailing list, yada yada. That's fine. But be constructive : read the
mails, try the workarounds, file JIRAs, that really helps...

Thanks.


Re: Upgrade procedures?

2016-08-08 Thread Emmanuel Lécharny
On 09/08/16 at 00:30, Hal Deadman wrote:
> I have two servers running M21 and replicating to each other. I stopped them
> both and replaced the M21 jars with M23 jars and restarted the servers.
> They started up but when I connected to the servers I couldn't see any
> data. I also saw the following exception in the log on startup:
>
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Added
> Extended Request Handler: 1.3.6.1.4.1.4203.1.11.3
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Added
> Extended Request Handler: 1.3.6.1.4.1.18060.0.1.3
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Added
> Extended Request Handler: 1.3.6.1.4.1.4203.1.11.1
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Added
> Extended Request Handler: 1.3.6.1.4.1.1466.20037
> [18:08:48] ERROR [org.apache.directory.server.PROVIDER_LOG] - Failed to
> load the replica information
> java.lang.NullPointerException
> at
> org.apache.directory.api.ldap.model.schema.AttributeTypeOptions.hashCode(AttributeTypeOptions.java:156)
> at java.util.HashMap.hash(HashMap.java:338)
> at java.util.HashMap.containsKey(HashMap.java:595)
> at java.util.HashSet.contains(HashSet.java:203)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.processSubordinates(OperationalAttributeInterceptor.java:660)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.access$600(OperationalAttributeInterceptor.java:76)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor$SubordinatesSearchFilter.accept(OperationalAttributeInterceptor.java:178)
> at
> org.apache.directory.server.core.api.filtering.EntryFilteringCursorImpl.next(EntryFilteringCursorImpl.java:454)
> at
> org.apache.directory.server.ldap.replication.provider.ReplConsumerManager.getReplicaEventLogs(ReplConsumerManager.java:277)
> at
> org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.loadReplicaInfo(SyncReplRequestHandler.java:1027)
> at
> org.apache.directory.server.ldap.replication.provider.SyncReplRequestHandler.start(SyncReplRequestHandler.java:211)
> at
> org.apache.directory.server.ldap.LdapServer.startReplicationProducer(LdapServer.java:567)
> at org.apache.directory.server.ldap.LdapServer.start(LdapServer.java:497)
> at
> org.apache.directory.server.ApacheDsService.startLdap(ApacheDsService.java:425)
> at
> org.apache.directory.server.ApacheDsService.start(ApacheDsService.java:187)
> at
> org.apache.directory.server.wrapper.ApacheDsTanukiWrapper.start(ApacheDsTanukiWrapper.java:203)
> at
> org.tanukisoftware.wrapper.WrapperManager$12.run(WrapperManager.java:2788)
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Successful
> bind of an LDAP Service (636) is completed.
> [18:08:48] INFO [org.apache.directory.server.ldap.LdapServer] - Successful
> bind of an LDAP Service (389) is completed.
>
>
>
> After startup there were lots of NPEs, mostly during attempts at
> replication:
>
> Caused by: java.lang.NullPointerException
> at
> org.apache.directory.api.ldap.model.schema.AttributeTypeOptions.hashCode(AttributeTypeOptions.java:156)
> at java.util.HashMap.hash(HashMap.java:338)
> at java.util.HashMap.containsKey(HashMap.java:595)
> at java.util.HashSet.contains(HashSet.java:203)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.processSubordinates(OperationalAttributeInterceptor.java:660)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor.access$600(OperationalAttributeInterceptor.java:76)
> at
> org.apache.directory.server.core.operational.OperationalAttributeInterceptor$SubordinatesSearchFilter.accept(OperationalAttributeInterceptor.java:178)
> at
> org.apache.directory.server.core.api.filtering.EntryFilteringCursorImpl.next(EntryFilteringCursorImpl.java:454)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.sortResults(DefaultCoreSession.java:1310)
> at
> org.apache.directory.server.core.shared.DefaultCoreSession.search(DefaultCoreSession.java:1126)
> ... 19 more
>
>
> I went back to the M21 jars and the servers are working again. I will try the
> upgrade later with a fresh instance and ldif export/import of the config
> and data.

Ah, crap... We added 2 new operational attributes (nbChildren and
nbSubordinates, which contain the number of direct children and the
number of subordinates). Those ATs will be missing and you'll get an NPE
when starting M23 with the M21 schema...

The server should work with your data, but with M23 schema. One option
would be to install M23, and just copy your partition data.



Re: Upgrade procedures?

2016-08-09 Thread Emmanuel Lécharny
On 09/08/16 at 17:05, Hal Deadman wrote:
> I copied over the two new attribute type ldif files from a default m23
> instance to the correct location in my existing instance and replaced the
> m21 jars with m23 jars in my existing install and the servers seem to have
> started up in working order.
>
> partitions\schema\ou=schema\cn=apache\ou=attributetypes\m-oid=1.3.6.1.4.1.18060.0.4.1.2.12.ldif
> partitions\schema\ou=schema\cn=apache\ou=attributetypes\m-oid=1.3.6.1.4.1.18060.0.4.1.2.13.ldif
>
> On an unrelated topic, is the data in syncrepl-data important or can it be
> purged at some point if both servers are up and in-sync?

AFAIR, it stores a limited number of updated entries. This is important
to avoid a full resync if a server gets disconnected for some time :
when reconnecting, if the oldest update in this file is older than the
disconnection time, then replication will be done by sending all the
recent updates to the reconnected server.

If both servers are in sync, you can purge this file.

Kiran, can you confirm ?
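The upgrade step that Hal ended up doing by hand, copying the two new attributeType files from a fresh M23 instance into the existing M21 instance, generalises to "copy every schema partition file the new version ships that the old instance lacks, and touch nothing else". Here is an added example that is not part of the thread or of the ApacheDS project: a Python sync that does exactly that, additively and with a dry run, to be used with both servers stopped and after the LDIF export of data and configuration that Emmanuel recommends elsewhere in this thread. It never overwrites a file that already exists (a locally modified shipped schema element stays as it is for manual review) and never deletes a file only the old instance has (site-specific schemas such as `cn=other` survive). The `partitions/schema/ou=schema/cn=apache/ou=attributetypes/m-oid=...ldif` layout is the one quoted in the thread; the fixture directories and the stand-in OID of the "shared" file are constructed for the demo.

```python
import shutil
import tempfile
from pathlib import Path

# Layout of the schema partition inside an ApacheDS instance directory,
# as seen in the paths quoted in this thread.
SCHEMA_DIR = Path("partitions") / "schema"


def schema_files(instance_root):
    """Relative POSIX paths of every *.ldif file under the schema partition."""
    base = Path(instance_root) / SCHEMA_DIR
    return {p.relative_to(base).as_posix() for p in base.rglob("*.ldif")}


def find_missing(fresh, existing):
    """Schema files the fresh install ships that the existing instance lacks.

    Files only the existing instance has (site-specific schema elements) are
    deliberately not reported: this is an additive sync, never a prune.
    """
    return sorted(set(fresh) - set(existing))


def copy_missing_schema(fresh_root, existing_root, dry_run=True):
    """Copy missing schema LDIF files from a fresh install into an instance.

    Run with the server stopped and after an LDIF export of data and config.
    Existing files are never overwritten, even when their content differs, so
    local edits to shipped schema elements survive; review those by hand.
    Returns the relative paths that were (or, in dry-run mode, would be) copied.
    """
    fresh_root, existing_root = Path(fresh_root), Path(existing_root)
    copied = []
    for rel in find_missing(schema_files(fresh_root), schema_files(existing_root)):
        src, dst = fresh_root / SCHEMA_DIR / rel, existing_root / SCHEMA_DIR / rel
        if dst.exists():
            continue
        if not dry_run:
            dst.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(src, dst)
        copied.append(rel)
    return copied


def demo():
    """Constructed fixture: a fresh M23 tree and an M21 instance in a temp dir.

    The two new attributeType files named in the thread exist only in the
    fresh tree; the instance additionally has a site-specific 'other' schema
    file (constructed OID) that must survive the sync.
    """
    apache_at = Path("ou=schema") / "cn=apache" / "ou=attributetypes"
    shared = apache_at / "m-oid=1.3.6.1.4.1.18060.0.4.1.2.1.ldif"  # stand-in for a file both have
    new_files = [apache_at / "m-oid=1.3.6.1.4.1.18060.0.4.1.2.12.ldif",
                 apache_at / "m-oid=1.3.6.1.4.1.18060.0.4.1.2.13.ldif"]
    site = Path("ou=schema") / "cn=other" / "ou=attributetypes" / "m-oid=1.2.3.4.ldif"
    with tempfile.TemporaryDirectory() as tmp:
        fresh, instance = Path(tmp) / "apacheds-m23", Path(tmp) / "instance-m21"
        for root, rels in ((fresh, [shared] + new_files), (instance, [shared, site])):
            for rel in rels:
                path = root / SCHEMA_DIR / rel
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text("# constructed placeholder, not a real schema entry\n")
        plan = copy_missing_schema(fresh, instance, dry_run=True)
        copied = copy_missing_schema(fresh, instance, dry_run=False)
        after = schema_files(instance)
        return {"plan": plan, "copied": copied,
                "site_kept": site.as_posix() in after, "count_after": len(after)}


if __name__ == "__main__":
    print(demo())
```

Run `copy_missing_schema(fresh, instance)` first to see the plan, then with `dry_run=False`; the schema partition is read at startup, so the server has to be restarted afterwards, and the replication log (syncrepl-data) discussed above is untouched by this.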



Re: Upgrade procedures?

2016-08-09 Thread Emmanuel Lécharny
On 09/08/16 at 17:43, Kiran Ayyagari wrote:
> On Tue, Aug 9, 2016 at 8:50 PM, Emmanuel Lécharny <elecha...@gmail.com>
> wrote:
>
>> On 09/08/16 at 17:05, Hal Deadman wrote:
>>> I copied over the two new attribute type ldif files from a default m23
>>> instance to the correct location in my existing instance and replaced the
>>> m21 jars with m23 jars in my existing install and the servers seem to
>> have
>>> started up in working order.
>>>
>>> partitions\schema\ou=schema\cn=apache\ou=attributetypes\m-
>> oid=1.3.6.1.4.1.18060.0.4.1.2.12.ldif
>>> partitions\schema\ou=schema\cn=apache\ou=attributetypes\m-
>> oid=1.3.6.1.4.1.18060.0.4.1.2.13.ldif
>>> On an unrelated topic, is the data in syncrepl-data important or can it
>> be
>>> purged at some point if both servers are up and in-sync?
>> AFAIR, it stores a limited number of updated entries. This is important
>> to avoid a full resync if a server gets disconnected for some time :
>> when reconnecting, if the oldest update in this file is older than the
>> disconnection time, then replication will be done by sending all the
>> recent updates to the reconnected server.
>>
>> If both servers are in sync, you can purge this file.
>>
>> Kiran, can you confirm ?
>>
> yes, this data can be copied over to the new location.
> Discarding this can cause losing some modify and delete events.
But if both servers are in sync, there is no risk of losing anything,
AFAICT.

The idea is to avoid copying useless data when migrating.



Re: Upgrade procedures?

2016-08-01 Thread Emmanuel Lécharny
On 02/08/16 at 01:21, Ezsra McDonald wrote:
> I did some searches for upgrade procedures. Are they posted somewhere?
>
> Upgrade from M20 to M23 using .bin binary package.

Although we haven't changed the underlying data structure, which means
you should just be able to install the new version on top of your old
version and have everything working, it's strongly suggested that you
extract your data in an LDIF file *before* doing so.

You also may want to save your configuration the same way.




Re: [Studio] Java requirements for Studio on OS X

2016-08-03 Thread Emmanuel Lécharny
On 03/08/16 at 23:08, Sean Brown wrote:
> What are the directory requirements for running Directory Studio on OS
> X? The download page says a Java runtime environment 7 or later, but
> when trying to run the download on OS X 10.11.6 with the latest Oracle
> JRE version 8, it complains
It has probably nothing to do with Java, but with OSX...

Of course, if you tell us more about the 'complaints' you get, we might
help...

>
> "To open ApacheDirectoryStudio you need to install the legacy Java SE 6
> Runtime"

Let me guess : it tries to use the default Apple JRE, which is an old
one. Apple is notoriously bad at supporting Java, and it gets worse
year after year.

Again, I suggest you tell us about what you get when running Studio with
a Java 8 JRE.



Re: Index on mail attribute does not work

2016-06-30 Thread Emmanuel Lécharny
On 01/07/16 at 04:25, Ezsra McDonald wrote:
> We had to rebuild our ADS using the plumber and the indexes did not build
> right.
>
> We removed the mail index from the partition and restarted the instance.
> Then we added a partition back and started it again. It takes a while but
> finally starts. We still can do wild card searches like we could before.
> They take a long time to run.
>
> ldapsearch -LLL -x -H ldap://localhost:10389/ -b
> "ou=People,dc=www,dc=somewhere,dc=com" "mail=*usern...@somewhere.com*"

This kind of search will not use an index, because you have '*' on both
sides of the String. It does a full scan.
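Emmanuel's point about the double wildcard, as an added example that is not from the thread or from the ApacheDS code base: a small Python model of how a B-tree index serves the three shapes of a simple filter, run over constructed entries standing in for ou=People. It parses a simple RFC 4515 item, says what an index on mail could do with it, and counts how many entries the search has to examine. The practical fix for a slow `*...*` search is to anchor it on a prefix (or use equality) where the data allows, because a leading `*` gives an ordered index nothing to seek to. The prefix range scan is standard B-tree behaviour that I assume ApacheDS's substring cursor follows; the full scan for a leading `*` is what the thread reports. Escaped values (`\2a`) and AND/OR/NOT composites are out of scope.

```python
import re

# Constructed sample entries standing in for ou=People; only the attribute
# the filter touches is shown. Matching is case-insensitive, as it is for
# mail (caseIgnoreIA5Match) in practice.
ENTRIES = [
    {"dn": "uid=alice,ou=People,dc=example,dc=com", "mail": "alice@somewhere.com"},
    {"dn": "uid=bob,ou=People,dc=example,dc=com", "mail": "bob@somewhere.com"},
    {"dn": "uid=carol,ou=People,dc=example,dc=com", "mail": "carol@elsewhere.org"},
    {"dn": "uid=dan,ou=People,dc=example,dc=com", "mail": "dan@somewhere.com"},
]

# Only the simple (attr=value) item is handled here.
_SIMPLE = re.compile(r"^\(?([A-Za-z][A-Za-z0-9;-]*)=([^()]*)\)?$")


def parse_filter(text):
    """Classify a simple filter as presence, equality or substring (RFC 4515)."""
    m = _SIMPLE.match(text.strip())
    if not m:
        raise ValueError("not a simple (attr=value) filter: %r" % text)
    attr, value = m.group(1), m.group(2)
    if value == "*":
        return {"attr": attr, "kind": "presence"}
    if "*" not in value:
        return {"attr": attr, "kind": "equality", "value": value}
    parts = value.split("*")
    return {"attr": attr, "kind": "substring", "initial": parts[0],
            "any": [p for p in parts[1:-1] if p], "final": parts[-1]}


def index_plan(f, indexed_attrs):
    """How a B-tree index on the attribute could serve the filter.

    Equality is a direct key lookup; a substring with a non-empty initial
    component is a range scan over keys sharing that prefix; presence can
    use a presence index. A leading '*' gives the index nothing to seek to,
    so every value has to be examined: the full scan the thread observed.
    """
    if f["attr"].lower() not in {a.lower() for a in indexed_attrs}:
        return "full scan (attribute not indexed)"
    if f["kind"] == "equality":
        return "index lookup"
    if f["kind"] == "presence":
        return "presence index (entries carrying the attribute)"
    if f["kind"] == "substring" and f["initial"]:
        return "index range scan on prefix %r" % f["initial"]
    return "full scan (no usable prefix)"


def matches(f, value):
    """Evaluate the parsed filter against one attribute value."""
    if value is None:
        return False
    v = value.lower()
    if f["kind"] == "presence":
        return True
    if f["kind"] == "equality":
        return v == f["value"].lower()
    initial, final = f["initial"].lower(), f["final"].lower()
    if not (v.startswith(initial) and v.endswith(final)):
        return False
    pos, end = len(initial), len(v) - len(final)
    for piece in f["any"]:  # 'any' pieces must appear in order, between initial and final
        idx = v.find(piece.lower(), pos, end)
        if idx < 0:
            return False
        pos = idx + len(piece)
    return pos <= end


def evaluate(filter_text, entries=ENTRIES, indexed_attrs=("mail",)):
    """Return (matching DNs, number of entries examined).

    Simulates the index: with a usable plan only candidate entries are
    touched; a full scan examines all of them before the filter is applied.
    """
    f = parse_filter(filter_text)
    plan = index_plan(f, indexed_attrs)
    attr = f["attr"]
    if plan == "index lookup":
        candidates = [e for e in entries if e.get(attr, "").lower() == f["value"].lower()]
    elif plan.startswith("index range scan"):
        candidates = [e for e in entries if e.get(attr, "").lower().startswith(f["initial"].lower())]
    elif plan.startswith("presence"):
        candidates = [e for e in entries if attr in e]
    else:
        candidates = list(entries)
    return [e["dn"] for e in candidates if matches(f, e.get(attr))], len(candidates)


if __name__ == "__main__":
    for text in ("(mail=*@somewhere.com*)", "(mail=alice@*)", "(mail=bob@somewhere.com)"):
        print(text, "->", index_plan(parse_filter(text), ("mail",)), evaluate(text))
```

Running the three filters shows the cost difference: the double-wildcard form examines all four entries, the anchored prefix form examines one, and equality examines one, which is the behaviour to expect from a real partition scaled to the size of ou=People.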



Re: Installation on Ubuntu

2016-07-01 Thread Emmanuel Lécharny
On 01/07/16 at 12:56, Onno van der Straaten wrote:
> Hi list,
> I am new to ApacheDS and I am trying to install it on Ubuntu. I am using
> Ubuntu 14.04 and I noticed that ApacheDS does not run on that Linux distro.

This is a clear bug introduced by the latest version. Can you create a
JIRA; in the meantime I'll find a workaround to get this fixed (this is
just a problem with the start script, which should be fixed by
replacing the *REPAIR_COMMAND* in one of the scripts. Investigating...)




Re: Exploring triggers

2017-02-03 Thread Emmanuel Lécharny


On 03/02/2017 at 09:14, Jim Willeke wrote:
> BTW: eDirectory has had LDAP Event Services which allows a client or a
> server process to register for events and take an action.
>
> https://www.novell.com/documentation/developer/ldapover/ldap_enu/data/ag7bleo.html

It's a slightly different system, AFAIU. events are sent to the client
for it to act. In ApacheDS, it's really a way to configure the server to
do something when a specific update occurs.

-- 

Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Is it possible to use separate kerberos server with ApacheDS ldap server?

2017-02-06 Thread Emmanuel Lécharny


On 07/02/2017 at 08:20, Yu Wei wrote:
> Hi,
>
>
> I setup MIT kerberos server and verified that it worked well.
>
> Could I use my MIT kerberos server with apacheds ldap server?

Why not ? People routinely use OpenLDAP in parallel with an MIT Kerberos
server. ApacheDS is *just* a plain LDAP server, with an additional
Kerberos server using the ApacheDS LDAP server as its storage system.
>
> How could I configure it?
I don't know about the MIT server's configuration. You probably want to
look for places describing how to make OpenLDAP a backend for a Kerberos
server, and configure ApacheDS accordingly.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: ApacheDS 2.0.0-M23 non-gui adding a partition

2017-02-02 Thread Emmanuel Lécharny


On 02/02/2017 at 15:44, Louis-Gabriel Thibault wrote:
> Hello Brian,
>
> On Thu, Feb 2, 2017 at 4:04 AM, Brian Burch  wrote:
>
>> As I was using a development server, I decided to purge M23 and start
>> again. Before I started the new server for the first time, I edited
>> config.ldif and changed all the references for "example" to suit my own
>> partition. When I ran my first admin ldapsearch, the server created my
>> empty partition (and not the example one). I subsequently had no difficulty
>> running my first few 1.5.4 customisation scripts.
>>
>> Did I use the most suitable technique to create my partition under M23? Is
>> the best technique already documented somewhere, because I couldn't find it
>> in my searches? Should the best procedure be documented in the "adding
>> partition" page of the wiki? Can I do it, or must it be done by someone
>> with special access privileges?
>>
> We also deploy apacheds 2 M23 on ubuntu (14 and 16).  We use the same trick
> to create our own partition.
>
> We did encounter an issue when the OS sends SIGKILL to apacheds; the jdbm
> database becomes corrupted and makes apacheds unable to start again. That
> is very unfortunate.

That is going to be fixed (don't have a date yet). And I wonder why a
SIGKILL is sent instead of a SIGTERM...
>
> Under ubuntu 14 we update-rc and add apacheds to system services. We had to
> add apacheds' pid to /run/sendsigs.omit.d and make the system wait on
> apacheds stop sequence. Otherwise after 10 seconds sendsigs SIGKILLs
> everything.

Thanks for the info. As soon as Mavibot is feature complete and
replaces JDBM, ApacheDS will no longer be subject to database corruption.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: ApacheDS 2.0.0-M23 non-gui adding a partition

2017-02-02 Thread Emmanuel Lécharny


On 02/02/2017 at 10:04, Brian Burch wrote:
> I have a stable 1.5.4 production directory and felt it was time to
> upgrade to 2.0.0. All of my 1.5.4 customisation is done with shell
> scripts and ldif files, which I track through source management.
>
> I was dismayed when the server upgrade from ubuntu 14.04 LTS (which
> does not have an apacheds package at all) to 16.04 LTS installed
> apacheds 2.0.0-M15 and trashed my 1.5.4 installation. Luckily, I have
> a lot of backups and could restore the environment quickly!

2.0.0-M15 is not even recent. It's 3 years old.
>
> I decided to start again on a development server to see how well my
> 1.5.4 scripts ran against 2.0.0. This server already runs ubuntu 16.04
> LTS, so it seemed simplest to install M15 from the xenial repository.
> This version really went bad in combination with the enforced use of
> systemd (the subject of a future thread), so I decided to uninstall
> the package and purge all its files.
>
> I downloaded M23 as a deb from the apacheds web site and it installed
> OK. I looked for a systemd service file and quickly discovered this
> deb only installed a systemv script. It didn't automatically start the
> server, but the wiki said to start it manually, so I did.
>
> It ran with the default configuration, but I was surprised to find
> (unlike with M15) config.ldif had been renamed to
> config.ldif_migrated. This change is mentioned in:
>
> https://issues.apache.org/jira/browse/DIRSERVER-2050
>
> I needed to define my own partition, but the wiki page:
>
> http://directory.apache.org/apacheds/basic-ug/1.4.3-adding-partition.html
>
> ... only describes how to do this with studio, or programmatically. I
> "used my initiative" and extracted the entries from
> config.ldif_migrated which defined the "example" partition. I edited
> them to reflect my own partition and submitted an ldapmodify as admin,
> which ended with rc zero. Unfortunately, the directory was not built
> and populated in the partitions directory (alongside system, schema
> and example).
>
> I restarted the server, but still no partition. I then tried the
> "recover" option because I noticed it had been involved during the
> initial install, but it apparently it did nothing for me (and wrote no
> messages).
>
> As I was using a development server, I decided to purge M23 and start
> again. Before I started the new server for the first time, I edited
> config.ldif and changed all the references for "example" to suit my
> own partition. When I ran my first admin ldapsearch, the server
> created my empty partition (and not the example one). I subsequently
> had no difficulty running my first few 1.5.4 customisation scripts.
>
> Did I use the most suitable technique to create my partition under
> M23? Is the best technique already documented somewhere, because I
> couldn't find it in my searches? Should the best procedure be
> documented in the "adding partition" page of the wiki? Can I do it, or
> must it be done by someone with special access privileges?
The documentation is available at
https://svn.apache.org/repos/asf/directory/site/trunk/content/apacheds/
(yes, I know, it's still SVN :/) and in Markdown format, so you just
need a text editor to patch it and send a diff to us (in a JIRA). I
would be pleased to update the web site.

And btw, I'm sorry for the mess.


-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Exploring triggers

2017-02-02 Thread Emmanuel Lécharny


On 02/02/2017 at 17:04, Sathyanarayan, Harish wrote:
> Hi,
>
> Triggers in ApacheDS seems to be a fascinating topic from an LDAP server 
> pointof view,  though I do not find any specific examples or usages around 
> that. Please suggest anything that would be worth looking at that is out 
> there.

Hi,

this was an experiment, done a decade ago. We didn't have time to keep
going, but the code is still present in the server.

There is some available material here : http://people.apache.org/~ersiner/

It *has* worked, and I still do think it's a valuable feature.
Typically, that could be useful to manage users/group updates, or to
trigger some code execution on updates.

Right now, I'm pretty sure it's no longer working due to the migration
from JNDI to the LDAP API (the trigger code still depends on JNDI,
while the rest of the server depends on the LDAP API). However, I don't
think that reviving the effort would take a lot of time, so if you are
interested in it, I can walk you through the existing code.


-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: ApacheDS 2.0.0-M23 non-gui adding a partition

2017-02-02 Thread Emmanuel Lécharny


On 02/02/2017 at 16:17, Louis-Gabriel Thibault wrote:
> Hello Emmanuel,
>
> On Thu, Feb 2, 2017 at 10:08 AM, Emmanuel Lécharny <elecha...@gmail.com>
> wrote:
>
>> That is going to be fixed (don't have a date yet). And I wonder why a
>> SIGKILL is sent instead of a SIGTERM...
>>
> Under ubuntu 14 the culprit is  /etc/init.d/sendsigs. It sends SIGTERM,
> waits 10 seconds, then SIGKILL.
>
>>> Under ubuntu 14 we update-rc and add apacheds to system services. We had
>> to
>>> add apacheds' pid to /run/sendsigs.omit.d and make the system wait on
>>> apacheds stop sequence. Otherwise after 10 seconds sendsigs SIGKILLs
>>> everything.
>> Thanks for the info. As soon a Mavibot will be feature complete, and
>> replace JDBM, ApacheDS will not anymore be subject to Database corruption.
>
> I was wondering how much effort would be required to support mysql as a
> backend.
A lot. And it would kill the performances.

We had someone working on implementing an Oracle backend once upon a
time (see https://issues.apache.org/jira/browse/DIRSERVER-1345), but
this was 7 years ago.

Upgrading that work to be based on MySQL is definitely possible. The
thing is that using a relational database to store LDAP data is just
painful.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Exploring triggers

2017-02-08 Thread Emmanuel Lécharny


On 07/02/2017 at 10:56, s_humbi wrote:
> I was playing around a little bit with triggers and stored procedures.
>
> For me (as beginner) almost everything worked fine, except this big problem 
> (don't know if it is a bug or if i did something wrong):
> If you restart the server, the attribute triggerExecutionSubentry in the 
> subentry gets lost...
> [10:52:14] WARN [org.apache.directory.server.core.trigger.TriggerSpecCache] - 
> Found triggerExecutionSubentry 'cn=trigger,dc=ds,dc=test,dc=net' without any 
> prescriptiveTriggerSpecification

What is the content of the cn=trigger,dc=ds,dc=test,dc=net entry ?

You should have a prescriptiveTriggerSpecification attributeType in it
pointing to the triggerExecutionSubentry entry.

(actually, this is one of the pitfalls in this approach, as this
attributeType should be virtual, not physical : the server *knows* which
entries are part of the subentry's selected entries, and we can
dynamically add this attributeType when the entry is requested by a
client. Sadly, we currently expect the entry itself to contain this
element...)

>
>
> This is what I found out (without warranty, comments/improvements welcome).
> Maybe it helps a little bit.
>
> Approach:
>
> 1. Implementing Stored Procedure
> 2. Adding entry for Stored Procedure
> 3. Adding the trigger as Attribute (trigger for one Entry only)
> 4. Or adding Triggers for more Entries, e.g. (Sub)-Tree
> 5. Activate and deactivate Triggers
>
>
> More docs:
> http://joacim.breiler.com/apacheds/ch09s02.html#Planned%20New%20Features%20for%20Triggers
> http://people.apache.org/~ersiner/ldapcon.2007/LDAPcon.2007_LDAP.Stored.Procedures.and.Triggers.in.ApacheDS_by.Ersin.Er_Paper.pdf
>
>
> 1Implementing the Stored Procedure
>
> Stored Prodedure are simple POJO with one or more public static methods 
> (later called by the trigger).
>
> Example:
>
> package com.test;
>
> import java.util.ArrayList;
> import org.apache.directory.api.ldap.model.entry.Entry;
> import org.apache.directory.api.ldap.model.entry.Modification;
>
> public class TestTriggerInterceptor {
>
>     // Called by the trigger, e.g.
>     // AFTER Modify CALL "com.test.TestTriggerInterceptor:helloTrigger" ($oldEntry, $modification);
>     public static void helloTrigger(Entry oldEntry, ArrayList<Modification> mods) {
>         System.out.println("Entry found: " + oldEntry.getDn());
>
>         for (Modification modification : mods) {
>             System.out.println(modification.getOperation()
>                 + " "
>                 + modification.getAttribute());
>         }
>     }
> }

Yes. This needs to be documented, because there is much more to say about
this POJO, but basically, it's quite simple.

One aspect that absolutely *needs* to be re-worked is the security aspect
of this approach. Basically, we are giving a hell of a lot of power to those
able to inject a storedProcedure into the server. ACIs can be a
first step, but we need more, and that may involve Java security.

As I said, all this trigger/SP feature is highly experimental, and is
currently not our main point of interest (there are a LOT of other basic
aspects that need our focus atm). But we would be really pleased to see
people getting involved in it. As usual, contributions are very welcome !


>
>
> 2Adding Stored Procedures
>
> Adding a new ou for triggers, for example: ou=Stored Procedures,ou=system
>
> Adding a new entry (=StoredProcedure) for saving the StoredProcedure  
> (ObjectClass  javaStoredProcUnit)
>
> Example:
>
> DN: storedProcUnitName=com.test.TestTriggerInterceptor,ou=Stored 
> Procedures,ou=system
>
> Definition LDAP Stored Procedure:
>
> •ObjectClass: javaStoredProcUnit and storedProcUnit
>
> •storedProcUnitName: complete classname, e.g. 
> com.test.TestTriggerInterceptor
> •storedProcLangId: always “Java”
> •javaByteCode: Upload byte-code with ds-studio (the .class - File)
>
>
> 3Adding the trigger as Attritbute  for one Entry only:
>
> Adding the attribut entryTriggerSpecification in the entry.
>
> The Value of the Attribute entryTriggerSpecification is the trigger, example:
> AFTER Modify CALL "com.test.TestTriggerInterceptor:helloTrigger" ($oldEntry, 
> $modification);
>
> -->helloTrigger is the public static Method, we implemented above
>
> Possible Triggers:
> •AFTER Modify CALL
> •AFTER Add CALL …
> •AFTER Delete CALL …
> •AFTER ModifyDN CALL …
>
>
> Some possible parameters for the trigger:
> (found in org.apache.directory.api.ldap.trigger.StoredProcedureParameter):
>
> Modify_OBJECT( "$object" )
> Modify_MODIFICATION( "$modification" )
> Modify_OLD_ENTRY( "$oldEntry" )
> Modify_NEW_ENTRY( "$newEntry" )
> Add_ENTRY( "$entry" )
> Add_ATTRIBUTES( "$attributes" )
> Delete_NAME( "$name" )
> Delete_DELETED_ENTRY( "$deletedEntry" )
> ModifyDN_ENTRY( "$entry" )
> ModifyDN_NEW_RDN( "$newrdn" )
> ModifyDN_DELETE_OLD_RDN( "$deleteoldrdn" )
> ModifyDN_NEW_SUPERIOR( "$newSuperior" )
> ModifyDN_OLD_RDN( "$oldRDN" )
> ModifyDN_OLD_SUPERIOR_DN( "$oldRDN" )
> ModifyDN_NEW_DN( "$oldRDN" )
>
> Examples for static methods and trigger 

Re: ApacheDS 2.0.0-M23 non-gui adding a partition

2017-02-03 Thread Emmanuel Lécharny


Le 04/02/2017 à 02:14, Brian Burch a écrit :
> 
>>
>> so you also have to change 'example' here, encoded it to base64 and
>> store the result in the entry.
>
> So /THAT/ is why my first attempt apparently had no effect at all. I
> cloned and renamed all the entries from config.ldif for "example" to
> my own partition, but I had no idea ads-contextentry was so
> significant, so I left it unchanged!
>
> I am surprised the default logging scheme did not reveal any error
> messages when I restarted the server with the new bad set of config
> entries for my new partition. Perhaps if I had increased logging I
> would have seen the reason for my failure?
Because this is not an error, as strange as it sounds :-)

If you install OpenLDAP, for instance, you won't have a contextEntry at
all, you will have to add it :-)

Actually, we added it for convenience (I always found it annoying that
starting a fresh installed server does not expose anything, simply
because the context Entry was missing).


>
>> You can add also any index you want.
>>
>> Last, not least, do not forget to restart the server.
>>
>> Ok, now, if you don't want to use Studio, then that is a PITA, and I
>> think it would be a great service for users to provide a script that
>> does that on the command line... It should not be complex to add.
>
> I know I could un-base64 the ads-contextentry in my working partition,
> but forgive me for being a bit lazy...
>
> Q: should I base64 those four attributes exactly as shown, i.e. with
> single spaces, posix newlines, Latin-1 character set... or could I
> just use some random base64 string which is unique to the specific
> server instance? In other words, how strict are the validation rules
> which failed during my first attempt. If you aren't sure, perhaps you
> could point me somewhere near the appropriate area in the source code
> and I'll work it out for myself.

It has to be a valid LDIF file, encoded in base64. So newlines and
spaces are significant. Funny enough, if there are special chars in
your entry, then they should be base64 encoded *before* the entry can be
base64 encoded itself.

For instance :

dn: cn=lécharny,dc=com
ObjectClass: person
cn: lécharny
sn: Emmanuel Lécharny

is not a valid context entry, because the 'é' is not accepted in an LDIF,
so it should be :

dn:: Y249bMOpY2hhcm55LGRjPWNvbQ==
ObjectClass: person
cn:: TMOpY2hhcm55
sn:: RW1tYW51ZWwgTMOpY2hhcm55

(note that encoded values are prefixed with '::' instead of ':'. This is
a way to tell that the value is binary - or encoded... -)

Now, you can base 64 encode the entry, which gives :

ZG46OiBZMjQ5Yk1PcFkyaGhjbTU1TEdSalBXTnZiUT09DQpPYmplY3RDbGFzczogcGVyc29uDQpjbjo6IFRNT3BZMmhoY201NQ0Kc246OiBSVzF0WVc1MVpXd2dUTU9wWTJoaGNtNTU=

Now, if we add a '\n' at the end of this entry, the result will be
different :

ZG46OiBZMjQ5Yk1PcFkyaGhjbTU1TEdSalBXTnZiUT09DQpPYmplY3RDbGFzczogcGVyc29uDQpjbjo6IFRNT3BZMmhoY201NQ0Kc246OiBSVzF0WVc1MVpXd2dUTU9wWTJoaGNtNTUNCg==

You can fold the entry to a limited number of characters per line, but a
continuation line must start with a space. For instance :


dn: dc=example,dc
 =com
ObjectClass: doma
 in
dc: example

will work.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
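The two-level encoding described in the reply above (any value that is not an RFC 2849 SAFE-STRING is base64-encoded and flagged with `::`; the whole LDIF text is then base64-encoded again, with continuation lines starting with one space), as an added Python example. This is not code from the thread or from ApacheDS; it assumes LF line endings and no trailing newline, and, as the reply notes, either choice changes the final blob. The `decode_context_entry` function reverses both levels so an existing `ads-contextentry` value can be inspected.

```python
import base64
import re

# Logical LDIF line: attribute, ':' (plain) or '::' (base64), optional fill spaces, value.
_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9.;-]*)(::?) *(.*)$")


def is_safe_string(value):
    """RFC 2849 SAFE-STRING: 7-bit ASCII without NUL, CR or LF, not starting with space, ':' or '<'."""
    if value and value[0] in " :<":
        return False
    return all(0 < ord(c) < 128 and c not in "\r\n" for c in value)


def ldif_value_line(attr, value):
    """One logical line; a non-safe value (e.g. containing 'é') is base64-encoded and flagged with '::'."""
    if is_safe_string(value):
        return "%s: %s" % (attr, value)
    return "%s:: %s" % (attr, base64.b64encode(value.encode("utf-8")).decode("ascii"))


def fold(line, width=76):
    """Split a logical line into physical lines; every continuation line starts with one space."""
    width = max(width, 2)
    out, rest = [line[:width]], line[width:]
    while rest:
        out.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return out


def build_ldif(dn, attrs, width=76):
    """Render an entry as LDIF text (LF separated, no trailing newline: adding one changes the blob)."""
    lines = []
    for attr, value in [("dn", dn)] + list(attrs):
        lines.extend(fold(ldif_value_line(attr, value), width))
    return "\n".join(lines)


def encode_context_entry(ldif_text):
    """Second level: the whole LDIF text, base64-encoded, is what goes into ads-contextentry."""
    return base64.b64encode(ldif_text.encode("utf-8")).decode("ascii")


def decode_context_entry(blob):
    """Reverse both levels: un-base64 the blob, unfold continuations, decode '::' values."""
    text = base64.b64decode(blob).decode("utf-8")
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]          # continuation: drop the leading space, append
        elif raw and not raw.startswith("#"):
            logical.append(raw)
    entry = []
    for line in logical:
        m = _LINE.match(line)
        if not m:
            raise ValueError("not an LDIF attribute line: %r" % line)
        attr, sep, rest = m.groups()
        value = base64.b64decode(rest).decode("utf-8") if sep == "::" else rest
        entry.append((attr, value))
    return entry
```

`ldif_value_line("dn", "cn=lécharny,dc=com")` produces exactly the `dn:: Y249bMOpY2hhcm55LGRjPWNvbQ==` line shown above; a value that merely starts with a space or a colon is also forced to `::`, because that is what the SAFE-STRING rule requires, not only non-ASCII.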



Re: Failed to setup kerberos with ApacheDS [Client not found in Kerberos database]

2017-02-06 Thread Emmanuel Lécharny


Le 06/02/2017 à 08:45, Yu Wei a écrit :
> Hi Guys,
>
> I tried to setup kerberos with ApacheDS Studio by following the instruction 
> https://directory.apache.org/apacheds/kerberos-ug/4.2-authenticate-studio.html.
>
> I got below errors indicating "Client not found in Kerberos database",

This error indicates that there is no entry for the user you are trying
to bind with in the LDAP database. Check that first.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-02-01 Thread Emmanuel Lécharny


Le 30/01/2017 à 20:39, claud...@gmail.com a écrit :
> Thx for the patch. (Btw is that an svn patch? 
Indeed... We will probably migrate to Git after 2.0.


> I was unable to apply it using "git apply" and using "patch -p0" I had
> rejects for every file so I had to make most changes manually...)
>
> With the patch I still get the issue, just now in a different place:
>
> Caused by: java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.directory.api.ldap.codec.controls.sort.SortRequestDecorator.getSortKeys(SortRequestDecorator.java:219)
> at
> org.apache.directory.api.ldap.codec.controls.sort.SortRequestDecorator.computeLength(SortRequestDecorator.java:98)
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.computeControlLength(LdapEncoder.java:73)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.computeMessageLength(LdapEncoder.java:279)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.encodeMessage(LdapEncoder.java:160)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolEncoder.encode(LdapProtocolEncoder.java:82)
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:299)
> ... 58 more
>
> I still have the feeling the issue is in the DSML lib rather than in
> the codec... IMHO DsmlControl should never reach the codec but it
> does, it gets wrapped:
>
> # SortRequestDecorator:219
>
> thisSortRequestDecorator  (id=12610)
> decoratedDsmlControl  (id=12489)
> decoratedSortRequestDecorator  (id=12486)
> decoratedSortRequestControlImpl  (id=12619)
>
> AbstractDsmlMessageDecorator is used by both request and response,
> addControl wraps the control into a DsmlControl if it isn't already...
> in case of request I would have expected the control to be added to
> the control map as is (without wrapping into DsmlControl). However,
> checking e.g. SearchRequestTest.testRequestWith1Control it expects
> DsmlControl in the assertion even though the request type is
> org.apache.directory.api.ldap.model.message.SearchRequest and not
> SearchRequestDsml.


It seems that you are converting a DSML request to an LDAP request, but
that the DsmlControl does not get converted in the process, is that
correct ? The SortRequestDecorator.computeLength is expecting a
SortControl instance, when the DSMLControl is untyped. At some point, we
should make it so a DSMLControl is encapsulated into a typed control,
and that would either require a big converter (i.e., a method that checks
the control's OID and creates a typed control), or specific DSML controls
for each type of control.

I would go for option 2, it's more 'solid'.

Is it possible for you to provide a bit of code demonstrating the
problem (ideally, a unit test) ? I'd like to debug it in order to see
what's going on, and get this fixed.

thanks

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Full list of supported protocols

2017-02-01 Thread Emmanuel Lécharny
Le 01/02/2017 à 17:15, Laurence Blake a écrit :

> Hi there,
>
> We are interested in trying out Apache Directory Studio. Would you be able to 
> advise a full list of supported protocols by Apache Directory?

I guess you mean Apache Directory *Server*. Currently, it supports LDAP
and Kerberos. The DNS and DHCP parts aren't activated; NTP is only used
internally by the Kerberos server.


Hope that helps.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Apache Directory Studio with Kerberos login

2017-01-25 Thread Emmanuel Lécharny


Le 25/01/2017 à 01:20, Lamar Hansford a écrit :
> Will do thanks!  
>
> Will work through the rest.

Thanks A LOT for the JIRA ticket !



-- 

Emmanuel Lecharny

Symas.com
directory.apache.org



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-01-30 Thread Emmanuel Lécharny


Le 30/01/2017 à 11:37, claud...@gmail.com a écrit :
> We don't directly send DSML, we have a custom version of Dsmlv2Engine
> that uses org.apache.directory.api.dsmlv2.Dsmlv2Parser. The issue only
> occurs if we provide the sort control, the code we have is working
> otherwise.

Yeah, sorry for having looked at the stack trace a bit too quickly.

DsmlControl doesn't have a type, while the various control factories are
expecting to work with a typed control like :

public class SortRequestFactory implements ControlFactory

Obviously, converting a DSMLControl, whose definition is :

public class DsmlControl implements Control,
DsmlDecorator

won't work because the factory expects a SortRequest instance.

Changing the factory to be :

public class SortRequestFactory implements ControlFactory

would be better. Another (more 'typed') solution would be to create some
specific DSML control (ie, a SortRequestDsmlControl, etc)

Checking if it does not break the API code atm.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-01-28 Thread Emmanuel Lécharny


Le 27/01/2017 à 19:13, claud...@gmail.com a écrit :
> Thanks for the fix.
>
> As I wrote initially I had already tried with registering the two
> factories and got a ClassCastException.
> I tried now with RC3 but as suspected I still get the same
> ClassCastException:
>
> java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> org.apache.mina.filter.codec.ProtocolEncoderException:
> java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:330)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:629)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:48)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:957)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.filterWrite(DefaultIoFilterChain.java:881)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:629)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterWrite(DefaultIoFilterChain.java:622)
> at
> org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:574)
> at
> org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:519)
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4244)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.searchAsync(LdapNetworkConnection.java:1838)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.search(LdapNetworkConnection.java:1865)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
>
> ...
>
> Caused by: java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.directory.api.ldap.codec.controls.sort.SortRequestFactory.newCodecControl(SortRequestFactory.java:35)
> at
> org.apache.directory.api.ldap.codec.osgi.DefaultLdapCodecService.newControl(DefaultLdapCodecService.java:275)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.addControl(MessageDecorator.java:340)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:1118)
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:83)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.getDecorator(MessageDecorator.java:225)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.encodeMessage(LdapEncoder.java:159)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolEncoder.encode(LdapProtocolEncoder.java:82)
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:299)
>
> I have the feeling that some link between DSML and codec is missing
> for the (sort) control...

Most certainly. Do you have a fragment of code I can play with to find
out what's going on ?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-01-27 Thread Emmanuel Lécharny


Le 27/01/2017 à 14:09, Kiran Ayyagari a écrit :
> On Fri, Jan 27, 2017 at 5:46 PM, claud...@gmail.com 
> wrote:
>
>> Hi,
>>
>> I have an application running in an OSGi container that uses the LDAP API
>> and DSML parser and I would like to use the server side sorting control.
>>
>> When I send the following control...
>>
>> 
>> http://www.w3.org/2001/XMLSchema;
>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
>> xsi:type="xs:base64Binary">MAYwBAQCc24=
>> 
>>
>> ...I get an error: "sorted results control value is absent".
>>
>> 2017-01-27 12:19:37,304 | DEBUG | NioProcessor-1   | CODEC_LOG
>> | 94 - org.apache.directory.api.ldap.net.mina - 1.0.0.RC2 |
>> Decoded LdapMessage : MessageType : SEARCH_RESULT_DONE
>> Message ID : 4
>> Search Result Done
>> Ldap Result
>> Result code : (PROTOCOL_ERROR) protocolError
>> Matched Dn : ''
>> Diagnostic message : 'sorted results control value is absent'
>>
>> I saw that an OpaqueControl is created for the sort control. Debugging I
>> noticed that setEncodedValue is never called.
>>
>> org.apache.directory.api.ldap.model.message.SearchRequestImpl@7ea4768c
>> OpaqueControl Control
>> Type OID: '1.2.840.113556.1.4.473'
>> Criticality : 'true'
>>
>> Looking into this I came across the control factories registered on
>> LdapApiService and saw that there are two implementations:
>> - DefaultLdapCodecService
>> - StandaloneLdapApiService
>>
>> DefaultLdapCodecService is what is initialized in OSGi setup. I noticed
>> that DefaultLdapCodecService unlike StandaloneLdapApiService does not
>> register SortRequestFactory/SortResponseFactory. To try if this solves
>> the issue I registered the two factories but then I get a
>> ClassCastException:
>>
>> Caused by: java.lang.ClassCastException: 
>> org.apache.directory.api.dsmlv2.DsmlControl
>> cannot be cast to org.apache.directory.api.ldap.
>> model.message.controls.SortRequest
>> at org.apache.directory.api.ldap.codec.controls.sort.SortReques
>> tFactory.newCodecControl(SortRequestFactory.java:35)[89:org.
>> apache.directory.api.ldap.codec.core:1.0.0.RC2]
>> at org.apache.directory.api.ldap.codec.osgi.DefaultLdapCodecSer
>> vice.newControl(DefaultLdapCodecService.java:253)
>> at org.apache.directory.api.ldap.codec.api.MessageDecorator.add
>> Control(MessageDecorator.java:329)[89:org.apache.directory.
>> api.ldap.codec.core:1.0.0.RC2]
>> at org.apache.directory.api.ldap.codec.decorators.SearchRequest
>> Decorator.addControl(SearchRequestDecorator.java:1072)
>> at org.apache.directory.api.ldap.codec.decorators.SearchRequest
>> Decorator.addControl(SearchRequestDecorator.java:83)
>> at org.apache.directory.api.ldap.codec.api.MessageDecorator.get
>> Decorator(MessageDecorator.java:204)[89:org.apache.directory
>> .api.ldap.codec.core:1.0.0.RC2]
>> at org.apache.directory.api.ldap.codec.api.LdapEncoder.encodeMe
>> ssage(LdapEncoder.java:159)[89:org.apache.directory.api.
>> ldap.codec.core:1.0.0.RC2]
>> at org.apache.directory.api.ldap.codec.protocol.mina.LdapProtoc
>> olEncoder.encode(LdapProtocolEncoder.java:81)
>> at org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite
>> (ProtocolCodecFilter.java:299)
>> ... 58 more
>>
>> I do not understand how the DSMLv2 parser works together with the LDAP
>> codec and start to wonder if the server side sort control is even supposed
>> to work at the moment.
>> - Is it possible that the parser for DSMLv2 does not support the server
>> side sort control?
>>
> no this case shouldn't arise cause DSML engine internally uses LDAP API to
> perform the operation
>
>> - Should SortRequestFactory/SortResponseFactory be registered or is there
>> a reason why they are not registered on DefaultLdapCodecService per default?
>>
> I am suspecting that this might be the issue.

Yes, it seems the SortRequest/Response factories aren't declared in the
DefaultLdapCodecService. Adding those lines in the loadStockControls()
method should do the trick :


ControlFactory sortRequestFactory = new SortRequestFactory( this );
controlFactories.put( sortRequestFactory.getOid(), sortRequestFactory );
LOG.info( "Registered pre-bundled control factory: {}", sortRequestFactory.getOid() );

ControlFactory sortResponseFactory = new SortResponseFactory( this );
controlFactories.put( sortResponseFactory.getOid(), sortResponseFactory );
LOG.info( "Registered pre-bundled control factory: {}", sortResponseFactory.getOid() );

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
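What the factory registration in this reply and the OID-based conversion discussed in the 30 January and 1 February replies amount to, as an added Python example (not code from the LDAP API, which is Java, and not from this thread). The names `OpaqueControl`, `SortRequest` and `CONTROL_FACTORIES` are stand-ins for the untyped DSML control, the typed control and the factory map keyed by OID. The value `MAYwBAQCc24=` is the one from the original question: a BER-encoded RFC 2891 SortKeyList asking to sort on `sn`. Dispatching on the OID, rather than casting, is what turns the untyped control into a typed one, and an absent value is rejected locally with the same message the server returned.

```python
import base64

SORT_REQUEST_OID = "1.2.840.113556.1.4.473"   # RFC 2891 server-side sort request control


class OpaqueControl:
    """What the untyped layer hands over: an OID, a criticality flag and raw BER bytes (or none)."""

    def __init__(self, oid, critical=False, value=None):
        self.oid, self.critical, self.value = oid, critical, value


class SortKey:
    def __init__(self, attribute, ordering_rule=None, reverse=False):
        self.attribute, self.ordering_rule, self.reverse = attribute, ordering_rule, reverse

    def as_tuple(self):
        return (self.attribute, self.ordering_rule, self.reverse)


class SortRequest:
    """Typed control: what a SortRequestFactory-style converter must produce from the opaque form."""

    def __init__(self, keys, critical):
        self.oid, self.keys, self.critical = SORT_REQUEST_OID, list(keys), critical


def _ber_len(n):
    """BER definite length: short form below 128, long form (0x80 | byte count) above."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _ber_len(len(body)) + body


def _read_tlv(buf, pos):
    """Read one BER TLV (definite length only); return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: the next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("BER length runs past the end of the value")
    return tag, buf[pos:end], end


def encode_sort_keys(keys):
    """SortKeyList ::= SEQUENCE OF SEQUENCE { attributeType, [0] orderingRule OPTIONAL, [1] reverseOrder }"""
    items = b""
    for k in keys:
        item = _tlv(0x04, k.attribute.encode("utf-8"))          # OCTET STRING attributeType
        if k.ordering_rule:
            item += _tlv(0x80, k.ordering_rule.encode("ascii"))  # [0] MatchingRuleId
        if k.reverse:
            item += _tlv(0x81, b"\xff")                          # [1] BOOLEAN TRUE
        items += _tlv(0x30, item)
    return _tlv(0x30, items)


def decode_sort_keys(value):
    tag, body, end = _read_tlv(value, 0)
    if tag != 0x30 or end != len(value):
        raise ValueError("SortKeyList must be a single SEQUENCE")
    keys, pos = [], 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag != 0x30:
            raise ValueError("each sort key must be a SEQUENCE")
        tag, attr, p = _read_tlv(item, 0)
        if tag != 0x04:
            raise ValueError("attributeType must be an OCTET STRING")
        rule, reverse = None, False
        while p < len(item):
            tag, v, p = _read_tlv(item, p)
            if tag == 0x80:
                rule = v.decode("ascii")
            elif tag == 0x81:
                reverse = any(v)               # BER BOOLEAN: any non-zero octet is TRUE
            else:
                raise ValueError("unexpected tag 0x%02x in sort key" % tag)
        keys.append(SortKey(attr.decode("utf-8"), rule, reverse))
    return keys


def decode_sort_control_b64(text):
    """Convenience for values as they appear in DSML (xs:base64Binary)."""
    return decode_sort_keys(base64.b64decode(text))


def sort_request_factory(ctl):
    """Typed conversion for one OID; a control without a value is rejected here, not by the server."""
    if ctl.value is None:
        raise ValueError("sorted results control value is absent")
    return SortRequest(decode_sort_keys(ctl.value), ctl.critical)


CONTROL_FACTORIES = {SORT_REQUEST_OID: sort_request_factory}


def to_typed_control(ctl):
    """Dispatch on the control's OID; an unknown OID stays opaque instead of being force-cast."""
    factory = CONTROL_FACTORIES.get(ctl.oid)
    return ctl if factory is None else factory(ctl)
```

The encoder is there so the round trip can be checked: `encode_sort_keys([SortKey("sn")])` gives back the eight bytes behind `MAYwBAQCc24=`, and a key with an ordering rule and reverse order survives encode/decode unchanged.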



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-01-27 Thread Emmanuel Lécharny
I have committed a fix for this problem. You might want to rebuild the
API and test it.


Le 27/01/2017 à 13:16, claud...@gmail.com a écrit :
> Hi,
>
> I have an application running in an OSGi container that uses the LDAP
> API and DSML parser and I would like to use the server side sorting
> control.
>
> When I send the following control...
>
> 
>  xmlns:xs="http://www.w3.org/2001/XMLSchema;
> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
> xsi:type="xs:base64Binary">MAYwBAQCc24=
> 
>
> ...I get an error: "sorted results control value is absent".
>
> 2017-01-27 12:19:37,304 | DEBUG | NioProcessor-1   |
> CODEC_LOG| 94 -
> org.apache.directory.api.ldap.net.mina - 1.0.0.RC2 | Decoded
> LdapMessage : MessageType : SEARCH_RESULT_DONE
> Message ID : 4
> Search Result Done
> Ldap Result
> Result code : (PROTOCOL_ERROR) protocolError
> Matched Dn : ''
> Diagnostic message : 'sorted results control value is absent'
>
> I saw that an OpaqueControl is created for the sort control. Debugging
> I noticed that setEncodedValue is never called.
>
> org.apache.directory.api.ldap.model.message.SearchRequestImpl@7ea4768c
> OpaqueControl Control
> Type OID: '1.2.840.113556.1.4.473'
> Criticality : 'true'
>
> Looking into this I came across the control factories registered on
> LdapApiService and saw that there are two implementations:
> - DefaultLdapCodecService
> - StandaloneLdapApiService
>
> DefaultLdapCodecService is what is initialized in OSGi setup. I
> noticed that DefaultLdapCodecService unlike StandaloneLdapApiService
> does not register SortRequestFactory/SortResponseFactory. To try if
> this solves the issue I registered the two factories but then I get a
> ClassCastException:
>
> Caused by: java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.directory.api.ldap.codec.controls.sort.SortRequestFactory.newCodecControl(SortRequestFactory.java:35)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC2]
> at
> org.apache.directory.api.ldap.codec.osgi.DefaultLdapCodecService.newControl(DefaultLdapCodecService.java:253)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.addControl(MessageDecorator.java:329)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC2]
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:1072)
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:83)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.getDecorator(MessageDecorator.java:204)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC2]
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.encodeMessage(LdapEncoder.java:159)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC2]
> at
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolEncoder.encode(LdapProtocolEncoder.java:81)
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:299)
> ... 58 more
>
> I do not understand how the DSMLv2 parser works together with the LDAP
> codec and start to wonder if the server side sort control is even
> supposed to work at the moment.
> - Is it possible that the parser for DSMLv2 does not support the
> server side sort control?
> - Should SortRequestFactory/SortResponseFactory be registered or is
> there a reason why they are not registered on DefaultLdapCodecService
> per default?
>
> I would appreciate any hints to get this working.
>
> Cheers
> Claudia
>

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Apache Directory Studio with Kerberos login

2017-01-24 Thread Emmanuel Lécharny


Le 25/01/2017 à 01:13, Lamar Hansford a écrit :
> Ok, found this is related to  the Server SASL settings in Studio.  Is this 
> expected behavior?  Isn't SASL an independent protocol?

Two things :

- first, the NPE is clearly a bug. We should have detected that the
entry was missing, instead of trying to access it. Can you file a JIRA
for this one ?
- second, Studio uses SASL when it tries to bind using the kerberos
credentials, this is done using GSSAPI, and it's perfectly normal.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: [LDAP API 1.0.0-RC2] server side sorting control with DSMLv2

2017-01-28 Thread Emmanuel Lécharny
Ah ! I think I see what's wrong : you are trying to send a DSML message
using a LdapNetworkConnection. That simply won't work, because a
DSML request is not intended to be sent through an LDAP connection, but
through an HTTP connection.


Le 27/01/2017 à 19:13, claud...@gmail.com a écrit :
> Thanks for the fix.
>
> As I wrote initially I had already tried with registering the two
> factories and got a ClassCastException.
> I tried now with RC3 but as suspected I still get the same
> ClassCastException:
>
> java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> org.apache.mina.filter.codec.ProtocolEncoderException:
> java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:330)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:629)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.access$1500(DefaultIoFilterChain.java:48)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$EntryImpl$1.filterWrite(DefaultIoFilterChain.java:957)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain$TailFilter.filterWrite(DefaultIoFilterChain.java:881)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.callPreviousFilterWrite(DefaultIoFilterChain.java:629)
> at
> org.apache.mina.core.filterchain.DefaultIoFilterChain.fireFilterWrite(DefaultIoFilterChain.java:622)
> at
> org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:574)
> at
> org.apache.mina.core.session.AbstractIoSession.write(AbstractIoSession.java:519)
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.writeRequest(LdapNetworkConnection.java:4244)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.searchAsync(LdapNetworkConnection.java:1838)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.ldap.client.api.LdapNetworkConnection.search(LdapNetworkConnection.java:1865)[88:org.apache.directory.api.ldap.client.api:1.0.0.RC3-SNAPSHOT]
>
> ...
>
> Caused by: java.lang.ClassCastException:
> org.apache.directory.api.dsmlv2.DsmlControl cannot be cast to
> org.apache.directory.api.ldap.model.message.controls.SortRequest
> at
> org.apache.directory.api.ldap.codec.controls.sort.SortRequestFactory.newCodecControl(SortRequestFactory.java:35)
> at
> org.apache.directory.api.ldap.codec.osgi.DefaultLdapCodecService.newControl(DefaultLdapCodecService.java:275)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.addControl(MessageDecorator.java:340)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:1118)
> at
> org.apache.directory.api.ldap.codec.decorators.SearchRequestDecorator.addControl(SearchRequestDecorator.java:83)
> at
> org.apache.directory.api.ldap.codec.api.MessageDecorator.getDecorator(MessageDecorator.java:225)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.api.LdapEncoder.encodeMessage(LdapEncoder.java:159)[89:org.apache.directory.api.ldap.codec.core:1.0.0.RC3-SNAPSHOT]
> at
> org.apache.directory.api.ldap.codec.protocol.mina.LdapProtocolEncoder.encode(LdapProtocolEncoder.java:82)
> at
> org.apache.mina.filter.codec.ProtocolCodecFilter.filterWrite(ProtocolCodecFilter.java:299)
>
> I have the feeling that some link between DSML and codec is missing
> for the (sort) control...
>
> On 27/01/17 15:38, Emmanuel Lécharny wrote:
>> I have committed a fix for this problem. You might want to rebuild the
>> API and test it.
>>
>>
>> Le 27/01/2017 à 13:16, claud...@gmail.com a écrit :
>>> Hi,
>>>
>>> I have an application running in an OSGi container that uses the LDAP
>>> API and DSML parser and I would like to use the server side sorting
>>> control.
>>>
>>> When I send the following control...
>>>
>>>  
>>>  >> xmlns:xs="http://www.w3.org/2001/XMLSchema;
>>> xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance;
>>> xsi:type="xs:base64Binary">MAYwBAQCc24=
>>>  
>>>
>>> ...I get an error: "sorted results control 

Re: starting apacheDS embedded instance with SSL support

2017-01-28 Thread Emmanuel Lécharny


Le 27/01/2017 à 23:06, Sathyanarayan, Harish a écrit :
> Hi,
>
> I am running an embedded ApacheDS instance with SSL using the below code but 
> am getting an SSL handshake error, what am I missing? Please advise.. thanks

What is the handshake error you get ?

Have you tried running the server with the additional parameter
-Djavax.net.debug=ssl:handshake:verbose ?
>
> ldapServer.setKeystoreFile("keystore.ks");
> ldapServer.setCertificatePassword("secret");
> ldapServer.loadKeyStore();
>
> ldapServer.addExtendedOperationHandler(new StartTlsHandler());
> ldap.setEnableSSL(true);
>
>
>
>
>

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Disabling SSLv3 Issues

2017-02-21 Thread Emmanuel Lécharny
Hi,


what version are you using ? What Java version are you using ? Do you
have any log on the server ?


Le 21/02/2017 à 21:54, Lemp, Dustin a écrit :
> Hey all,
> I have a question and hope that someone here can help me out. I'm trying to
> disable sslv3 on my openldap server. I'm adding "olcTLSCipherSuite:
> SECURE256:-VERS-SSL3.0" to my ssl config file. This fixes everything
> security-wise, but now I can't connect via ApacheDS. I'm still trying to
> connect via ldaps on port 636. Any ideas?
>
> Thanks!
> ___
> Dustin Lemp
> Systems Analyst
> Jefferson College
> 636-481-3477
>

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Upgrading ApacheDS

2017-02-20 Thread Emmanuel Lécharny


Le 20/02/2017 à 16:20, Mike Davis a écrit :
> We're currently running apacheds-2.0.0-M20 and would like to upgrade to
> apacheds-2.0.0-M23. I'm not finding any specifics on an upgrade versus a
> clean installation. Is there an upgrade process, or do we install the new
> version and migrate data from the old version via LDIF export/import?

Export/import data is the way to go, atm. It's even easier, as the
database format hasn't changed since M20, so you can simply copy/paste the
database files.

Note that we have updated the schema and added some configuration
elements, so be sure to review the config.

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Multiple ObjectClasses and attributes

2017-02-25 Thread Emmanuel Lécharny
Sure you can. Just select the import from OpenLDAP format, and pick the
file containing your definitions. Note that the syntax is slightly
different: each AT and OC has to be prefixed by 'attributeType' and
'ObjectClass', like in:


attributetype ( 1.2.826.0.1268.1.0.1 NAME 'TESTSCHEMAVERSION20' EQUALITY
2.5.13.2 SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{1} SINGLE-VALUE )

attributetype ( 1.2.826.0.1268.1.1.1 NAME 'TESTSERVICESAUTHORISEDUSERS'
EQUALITY 2.5.13.1
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12{500} )

attributetype ( 1.2.826.0.1268.1.1.10 NAME 'TESTAVAILABLELICENCES'
EQUALITY 2.5.13.14
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{6} SINGLE-VALUE )

attributetype ( 1.2.826.0.1268.1.1.100 NAME 'TESTWSTYPE' EQUALITY
2.5.13.2 SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE )

attributetype ( 1.2.826.0.1268.1.1.101 NAME 'TESTSPURL' EQUALITY
2.5.13.2 SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )

attributetype ( 1.2.826.0.1268.1.1.102 NAME 'TESTACCOUNTINGCODE' EQUALITY
2.5.13.2 SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )



ObjectClass ( 1.2.826.0.1268.1.2.1 NAME 'TESTStructureOU' SUP
organizationalUnit MUST (
TESTSTRUCTURETYPE )  MAY ( TESTUSERLIST $ TESTSTAFFGRADE $ TESTMISGROUPS $
TESTLANGUAGESUPPORTED $ TESTCTIDDINUMBER $ TESTSENSITIVEENABLED $
TESTORSMAXTEAMLEADERS $ TESTMISSTRUCTURETYPE $ TESTORSMAXTEAMS $
TESTLISTSTAFFGRADES $ TESTPSEUDOENABLED $ TESTLISTUSERS $
TESTLISTTEAMLEADERS $ TESTLISTMISREPORTS $ TESTLISTADMINISTRATORS $
TESTTEAMLEADERRDN $ TESTORSMAXPERSONS $ TESTCTIUSERENABLED $
TESTCTITEAMGROUPENABLED $ TESTCTITEAMGROUPDN $ TESTTeamType $
TESTMIREFERENCE $ TESTLWFALTERNATESERVERS $ TESTLWFPRIMARYSERVER $
TESTBUREFID $ TESTACCOUNTINGCODE )  )

objectClass ( 1.2.826.0.1268.1.2.10 NAME 'TESTGroupOfServers' SUP
GroupOfNames MAY (
TESTACTIVEDIRECTORYDN $ TESTMemberOf $ TESTASSOCIATEDSERVER $ TESTADMEMBERDN
)  )

objectClass ( 1.2.826.0.1268.1.2.11 NAME 'TESTGroupOfServices' SUP
GroupOfNames )

objectClass ( 1.2.826.0.1268.1.2.12 NAME 'TESTGroupOfUsers' SUP
GroupOfNames MAY (
TESTACTIVEDIRECTORYDN $ TESTMemberOf $ TESTASSOCIATEDSERVER $ TESTADMEMBERDN
)  )

objectClass ( 1.2.826.0.1268.1.2.13 NAME 'TESTGroupOfWorkstations' SUP
GroupOfNames MAY
( TESTACTIVEDIRECTORYDN $ TESTADMEMBERDN )  )

objectClass ( 1.2.826.0.1268.1.2.14 NAME 'TESTJobfunction' SUP
organizationalUnit MAY (
TESTLISTTEAMTYPES $ TESTCSROLDRULES $ TESTCSRNEWRULES $ TESTLISTSTAFFGRADES
$ TESTSSICURAMPLAYER $ TESTSSISENSITIVEENHIBIT $ TESTLWFROLEQUOTA $
TESTMULTILWFENABLED $ TESTSSIBUSINESSALLOCATION $ TESTTeamType $
TESTSSIJOBTYPE )  )


Le 25/02/2017 à 10:45, Gary Singleton a écrit :
> attributeTypes {
>
> ( 1.2.826.0.1268.1.0.1 NAME 'TESTSCHEMAVERSION20' EQUALITY 2.5.13.2 SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{1} SINGLE-VALUE )
>
> ( 1.2.826.0.1268.1.1.1 NAME 'TESTSERVICESAUTHORISEDUSERS' EQUALITY 2.5.13.1
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12{500} )
>
> ( 1.2.826.0.1268.1.1.10 NAME 'TESTAVAILABLELICENCES' EQUALITY 2.5.13.14
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27{6} SINGLE-VALUE )
>
> ( 1.2.826.0.1268.1.1.100 NAME 'TESTWSTYPE' EQUALITY 2.5.13.2 SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{10} SINGLE-VALUE )
>
> ( 1.2.826.0.1268.1.1.101 NAME 'TESTSPURL' EQUALITY 2.5.13.2 SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{256} SINGLE-VALUE )
>
> ( 1.2.826.0.1268.1.1.102 NAME 'TESTACCOUNTINGCODE' EQUALITY 2.5.13.2 SYNTAX
> 1.3.6.1.4.1.1466.115.121.1.15{128} SINGLE-VALUE )
>
> }
>
>  
>
> objectClasses {
>
> ( 1.2.826.0.1268.1.2.1 NAME 'TESTStructureOU' SUP organizationalUnit MUST (
> TESTSTRUCTURETYPE )  MAY ( TESTUSERLIST $ TESTSTAFFGRADE $ TESTMISGROUPS $
> TESTLANGUAGESUPPORTED $ TESTCTIDDINUMBER $ TESTSENSITIVEENABLED $
> TESTORSMAXTEAMLEADERS $ TESTMISSTRUCTURETYPE $ TESTORSMAXTEAMS $
> TESTLISTSTAFFGRADES $ TESTPSEUDOENABLED $ TESTLISTUSERS $
> TESTLISTTEAMLEADERS $ TESTLISTMISREPORTS $ TESTLISTADMINISTRATORS $
> TESTTEAMLEADERRDN $ TESTORSMAXPERSONS $ TESTCTIUSERENABLED $
> TESTCTITEAMGROUPENABLED $ TESTCTITEAMGROUPDN $ TESTTeamType $
> TESTMIREFERENCE $ TESTLWFALTERNATESERVERS $ TESTLWFPRIMARYSERVER $
> TESTBUREFID $ TESTACCOUNTINGCODE )  )
>
> ( 1.2.826.0.1268.1.2.10 NAME 'TESTGroupOfServers' SUP GroupOfNames MAY (
> TESTACTIVEDIRECTORYDN $ TESTMemberOf $ TESTASSOCIATEDSERVER $ TESTADMEMBERDN
> )  )
>
> ( 1.2.826.0.1268.1.2.11 NAME 'TESTGroupOfServices' SUP GroupOfNames )
>
> ( 1.2.826.0.1268.1.2.12 NAME 'TESTGroupOfUsers' SUP GroupOfNames MAY (
> TESTACTIVEDIRECTORYDN $ TESTMemberOf $ TESTASSOCIATEDSERVER $ TESTADMEMBERDN
> )  )
>
> ( 1.2.826.0.1268.1.2.13 NAME 'TESTGroupOfWorkstations' SUP GroupOfNames MAY
> ( TESTACTIVEDIRECTORYDN $ TESTADMEMBERDN )  )
>
> ( 1.2.826.0.1268.1.2.14 NAME 'TESTJobfunction' SUP organizationalUnit MAY (
> TESTLISTTEAMTYPES $ TESTCSROLDRULES $ TESTCSRNEWRULES $ TESTLISTSTAFFGRADES
> $ TESTSSICURAMPLAYER $ TESTSSISENSITIVEENHIBIT $ TESTLWFROLEQUOTA $
> TESTMULTILWFENABLED $ TESTSSIBUSINESSALLOCATION $ TESTTeamType $
> TESTSSIJOBTYPE )  )

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
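
The reformatting described above (drop the `attributeTypes { ... }` /
`objectClasses { ... }` braces, prefix every definition with the OpenLDAP
keyword) done as a small script. This is an added example, not code from the
thread, from ApacheDS or from OpenLDAP; BRACED_SCHEMA is a constructed sample
using a few of the definitions posted in the question, and the function names
are mine. It also reports attribute names that an object class references
without a matching attributetype in the same text, since slapd loads
attribute types before the object classes that use them and rejects a
reference it has not seen.

```python
"""Braced schema listing -> OpenLDAP slapd.schema syntax. Added example for this
thread, not code from the list, ApacheDS or OpenLDAP; function names are mine."""
import re

# Constructed sample in the braced layout from the question (OIDs and names from
# the thread, attribute lists shortened).
BRACED_SCHEMA = """
attributeTypes {

( 1.2.826.0.1268.1.0.1 NAME 'TESTSCHEMAVERSION20' EQUALITY 2.5.13.2 SYNTAX
1.3.6.1.4.1.1466.115.121.1.15{1} SINGLE-VALUE )

( 1.2.826.0.1268.1.1.1 NAME 'TESTSERVICESAUTHORISEDUSERS' EQUALITY 2.5.13.1
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12{500} )

}

objectClasses {

( 1.2.826.0.1268.1.2.11 NAME 'TESTGroupOfServices' SUP GroupOfNames )

( 1.2.826.0.1268.1.2.13 NAME 'TESTGroupOfWorkstations' SUP GroupOfNames MAY
( TESTACTIVEDIRECTORYDN $ TESTADMEMBERDN )  )

}
"""
PREFIX = {"attributetypes": "attributetype", "objectclasses": "objectclass"}
SECTION = re.compile(r"\b(attributeTypes|objectClasses)\s*\{", re.IGNORECASE)

def parse_sections(text):
    """Yield (keyword, body) per 'keyword { ... }' block, tracking brace depth so
    a length limit such as ...1.15{1} is not taken for the section's closing brace."""
    pos = 0
    while (m := SECTION.search(text, pos)):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        if depth:
            raise ValueError(f"unterminated section {m.group(1)}")
        yield m.group(1), text[m.end():i - 1]
        pos = i

def split_definitions(body):
    """Top-level '( ... )' definitions of a section, whitespace collapsed; nested
    parentheses such as MAY ( a $ b ) stay inside their definition."""
    defs, depth, start = [], 0, None
    for i, ch in enumerate(body):
        if ch == "(":
            if depth == 0:
                start = i
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                defs.append(" ".join(body[start:i + 1].split()))
    if depth != 0:
        raise ValueError("unbalanced parentheses in schema block")
    return defs

def convert(text):
    """One OpenLDAP-style line per definition, in source order."""
    lines = []
    for keyword, body in parse_sections(text):
        lines.extend(f"{PREFIX[keyword.lower()]} {d}" for d in split_definitions(body))
    return lines

def defined_names(lines):
    """Names declared by attributetype lines, lower-cased (LDAP names are
    case-insensitive); handles both NAME 'x' and NAME ( 'x' 'y' )."""
    names = set()
    for line in lines:
        m = re.search(r"\bNAME\s+(\(\s*(?:'[^']*'\s*)+\)|'[^']*')", line)
        if line.startswith("attributetype ") and m:
            names.update(n.lower() for n in re.findall(r"'([^']*)'", m.group(1)))
    return names

def undefined_references(text):
    """Attribute names used in MUST/MAY of object classes without an attributetype
    in the same text. slapd refuses an object class that references an attribute
    type it has not loaded yet, so these must come first (here or in an earlier file)."""
    lines = convert(text)
    known, missing = defined_names(lines), set()
    for line in lines:
        if not line.startswith("objectclass "):
            continue
        for clause in re.findall(r"\b(?:MUST|MAY)\s+(\([^)]*\)|[^\s()]+)", line):
            for name in clause.strip("()").split("$"):
                if name.strip() and name.strip().lower() not in known:
                    missing.add(name.strip())
    return sorted(missing)
```

Running `convert(BRACED_SCHEMA)` yields four lines ready for a slapd.schema
file; `undefined_references(BRACED_SCHEMA)` lists TESTACTIVEDIRECTORYDN and
TESTADMEMBERDN, which the sample uses in a MAY clause but never defines, so
the file would only load after the one that declares them.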



Re: Transferring an entire directory from one server to another

2017-02-09 Thread Emmanuel Lécharny


Le 09/02/2017 à 01:49, Steve Sobol - Lobos Studios a écrit :
> Good afternoon
>
> I'm using Studio (on Windows 10) to create a directory tree and do some
> local testing of a Java app I'm writing. I'm eventually going to want to
> copy the tree over to an ApacheDS server which will run on Ubuntu 16.04 (or
> 14.04, I forget which I have installed) and start populating it with live
> users.
>
> Is the process as simple as exporting everything from the Root DSE down as
> an LDIF? Or is it more nuanced than that?

It should be as simple as that.
>
> Is there a command-line utility I can use to import the data on the Linux
> server? (If not, that's cool, I can use Studio over an SSH tunnel)

ldapadd, which is part of the OpenLDAP package (the client part)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: Embedded ApacheDS

2017-02-09 Thread Emmanuel Lécharny


Le 09/02/2017 à 16:18, Cyril FILLON a écrit :
> Hi all,
>
>
> I am trying to setup an embedded ApacheDS 2.0.0-M23 server from my java code, 
> snippet is given below.
>
> I tried to create a new partition, but unfortunately it fails miserably since 
> I cannot see this partition from ApacheDS Studio.

Have you added a context entry? If not, you won't see your partition in
Studio (but you should see it in the rootDSE's namingContexts)

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org



Re: user modification/deletion of operational attributes

2017-01-17 Thread Emmanuel Lécharny


Le 17/01/2017 à 15:36, Mike Davis a écrit :
> I have set up a special user that has rights to modify details of another
> user. This prevents the need for our applications to log in as the admin
> user, while still allowing password resets and such.
>
>  
>
> I'd like to give that user rights to delete the operational attribute
> pwdAccountLockedTime. I've created a subentry that allows the user to
> modify the password and such, but when I try to add in
> pwdAccountLockedTime, it's not allowing that to happen. The error message
> indicates that operational attributes cannot be modified by a user. 
>
>  
>
> Is there a way to allow for a user to delete that attribute?
no.

Here is the definition of this attributeType :

attributetype ( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
DESC 'The time an user account was locked'
EQUALITY generalizedTimeMatch
ORDERING generalizedTimeOrderingMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
SINGLE-VALUE
NO-USER-MODIFICATION<<<
USAGE userApplications )

as you can see, it's forbidden by definition (which is defined in the
PasswordPolicy RFC draft).


> If not, is there a way to configure Apache DS to delete that attribute on
> a password change?

You should be able to modify this attribute if you send a modifyRequest
on the entry with a Password Policy control (1.3.6.1.4.1.42.2.27.8.5.1).

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org
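
To make the "forbidden by definition" point concrete: an added example (not
code from the thread or from ApacheDS; function names are mine) that parses
an RFC 4512 attribute type description such as the pwdAccountLockedTime
definition quoted above and applies the schema checks a server runs on a
modify. Mutability is decided by the NO-USER-MODIFICATION flag, not by the
USAGE field, and the Password Policy control path mentioned in the reply is
not modelled. MAIL is a constructed contrast case written after the standard
'mail' definition from RFC 4524.

```python
"""Parse RFC 4512 attribute type descriptions and apply the schema checks a
server performs on a modify. Added illustration for this thread, not code
from ApacheDS or the list; function names are my own."""
import re

# Definition quoted in the thread (pwdAccountLockedTime, from the LDAP
# password policy draft).
PWD_ACCOUNT_LOCKED_TIME = """( 1.3.6.1.4.1.42.2.27.8.1.17 NAME 'pwdAccountLockedTime'
    DESC 'The time an user account was locked'
    EQUALITY generalizedTimeMatch
    ORDERING generalizedTimeOrderingMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.24
    SINGLE-VALUE
    NO-USER-MODIFICATION
    USAGE userApplications )"""

# Ordinary user attribute for contrast, written after the RFC 4524 'mail'
# definition (constructed here, not taken from the thread).
MAIL = ("( 0.9.2342.19200300.100.1.3 NAME 'mail' EQUALITY caseIgnoreIA5Match "
        "SUBSTR caseIgnoreIA5SubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )")

TOKEN = re.compile(r"'[^']*'|\(|\)|[^\s()']+")   # qdstring, paren, or bare word
FLAGS = {"OBSOLETE", "SINGLE-VALUE", "COLLECTIVE", "NO-USER-MODIFICATION"}
VALUED = {"DESC", "SUP", "EQUALITY", "ORDERING", "SUBSTR", "SYNTAX", "USAGE"}

def parse_attribute_type(definition):
    """Return a dict with oid, names, flags (set), usage and every valued
    keyword present under a lower-cased key such as 'syntax'."""
    toks = TOKEN.findall(definition)
    if len(toks) < 3 or toks[0] != "(" or toks[-1] != ")":
        raise ValueError("attribute type description must be parenthesised")
    toks = toks[1:-1]
    info = {"oid": toks[0], "names": [], "flags": set(), "usage": "userApplications"}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t == "NAME":                       # NAME 'x' or NAME ( 'x' 'y' )
            i += 1
            if toks[i] == "(":
                i += 1
                while toks[i] != ")":
                    info["names"].append(toks[i].strip("'"))
                    i += 1
            else:
                info["names"].append(toks[i].strip("'"))
        elif t in FLAGS:
            info["flags"].add(t)
        elif t in VALUED:
            i += 1
            info[t.lower()] = toks[i].strip("'")
        elif t.startswith("X-"):              # extension: skip its qdstrings
            i += 1
            if toks[i] == "(":
                while toks[i] != ")":
                    i += 1
        else:
            raise ValueError(f"unexpected token {t!r}")
        i += 1
    return info

def user_can_modify(definition):
    """False when the schema marks the attribute NO-USER-MODIFICATION
    (RFC 4512 section 4.1.2): only the server itself may set or remove it."""
    return "NO-USER-MODIFICATION" not in parse_attribute_type(definition)["flags"]

def validate_modify(definition, op, current, values):
    """Schema checks for one modification of one attribute. op is 'add',
    'delete' or 'replace'; current are the stored values.
    Returns (accepted, reason, resulting_values)."""
    info = parse_attribute_type(definition)
    name = info["names"][0] if info["names"] else info["oid"]
    if "NO-USER-MODIFICATION" in info["flags"]:
        return False, f"{name}: no user modification allowed", list(current)
    if op == "add":
        result = list(current) + [v for v in values if v not in current]
    elif op == "delete":
        # an empty value list removes the whole attribute
        result = [v for v in current if v not in values] if values else []
    elif op == "replace":
        result = list(values)
    else:
        return False, f"unknown modification type {op!r}", list(current)
    if "SINGLE-VALUE" in info["flags"] and len(result) > 1:
        return False, f"{name}: SINGLE-VALUE attribute cannot hold {len(result)} values", list(current)
    return True, f"{name}: {op} accepted", result
```

With these inputs, `validate_modify(PWD_ACCOUNT_LOCKED_TIME, "delete",
["20170117143600Z"], [])` is refused before the value logic even runs, which
is exactly what the subentry-based rights in the question cannot override:
access control decides who may ask, the schema decides whether anyone may.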



Re: Failed to setup kerberos with Apache DS

2017-01-17 Thread Emmanuel Lécharny


Le 17/01/2017 à 10:19, Yu Wei a écrit :
> I used openjdk-1.8.0 and installed jce.
>
> [dcos@mesos-ds security]$ pwd
> /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.111-2.b15.el7_3.x86_64/jre/lib/security
> [dcos@mesos-ds security]$ ls -al
> total 64
> drwxr-xr-x. 2 root root  4096 1月  17 17:00 .
> drwxr-xr-x. 9 root root  4096 12月 21 13:55 ..
> -rw-r--r--. 1 root root  1273 11月 22 04:46 blacklisted.certs
> lrwxrwxrwx. 1 root root41 12月 21 13:55 cacerts -> 
> ../../../../../../../etc/pki/java/cacerts
> -rw-r--r--. 1 root root  2466 11月 22 04:46 java.policy
> -rw-r--r--. 1 root root 26712 1月   1 2014 java.security
> -rw-rw-r--. 1 root root  3035 12月 21 2013 local_policy.jar
> -rw-r--r--. 1 root root   556 1月   1 2014 local_policy.jar.bak
> -rw-r--r--. 1 root root   141 11月 22 04:54 nss.cfg
> -rw-rw-r--. 1 root root  3023 12月 21 2013 US_export_policy.jar
> -rw-r--r--. 1 root root   538 1月   1 2014 US_export_policy.jar.bak
>
>
> Then I still got the same error when running the test.
>
>
> Do I need to reinstall LDAP/Kerberos server? Or other advice?

OK. What tool do you use to test the service?

-- 
Emmanuel Lecharny

Symas.com
directory.apache.org


