tag:www.nabble.com,2006:forum-14467Nabble - LDAP UMich Lists2008-12-04T14:16:52Ztag:www.nabble.com,2006:post-20843691Re: Is a searchable dc tree rooted in a null base suffix wrong or just hubris?2008-12-04T14:16:52Z2008-12-04T14:16:52ZEmmanuel Lecharny-3Bill Cole wrote:
<div class='shrinkable-quote'><br>> The question in my Subject is what all this boils down to, so if you
<br>> have no time to read a long explanation, feel free to answer it as
<br>> asked...
<br>>
<br>> Background: I'm working on my first attempt at doing the grand
<br>> architecture for a new LDAP instance, although I've been working with
<br>> LDAP as an admin for years: doing housekeeping on existing servers,
<br>> setting up simple small environments, and managing other systems using
<br>> LDAP as a utility data/auth source. I'm not a newbie to LDAP (or to
<br>> OpenLDAP, which I'm using for this project) but I haven't previously
<br>> had any reason to depart from fairly tame "cookbook" work.
<br>>
<br>> I now have to build a single directory to serve dozens of small to
<br>> medium businesses to authenticate users for a small collection of
<br>> mostly web-based applications that my employer provides for them. To
<br>> avoid complexity on the application side, we want to have a common
<br>> auth interface for all clients rather than proliferating a bunch of
<br>> per-client vhosts for little real purpose. Because we manage mail
<br>> systems for most of these companies, we have hard knowledge of user
<br>> email addresses, and those make the perfect globally-unique
<br>> identifiers for each user: we can enforce correctness and uniqueness,
<br>> and the users should have no trouble remembering what their login ID's
<br>> are.
<br>>
<br>> Because we already have some facilities using Apple's "Open
<br>> Directory" environment, which integrates OpenLDAP, Kerberos, and some
<br>> of their own facilities, we're hoping to piggyback on the existing
<br>> LDAP it uses, which uses a domain-based suffix: the FQDN of the server
<br>> split into dc components. The obvious way to add in our clients to
<br>> that without putting them into the part of the directory tree managed
<br>> by Open Directory is to build out the logical domain-based tree with
<br>> our clients having their own branches, i.e.
<br>> "dc=hostname,dc=oursite,dc=ourdomain,dc=net" already exists and is
<br>> where the Open Directory DIT lives, and I was hoping to create
<br>> "dc=client1,dc=com" and "dc=client2,dc=net" and so on for our clients.
<br>> This way, we could (in principle) have the authentication layer search
<br>> for <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20843691&i=0" target="_top" rel="nofollow">mail=username@...</a> with a null search base across the whole
<br>> DIT and find "uid=username,cn=users,dc=client1,dc=com" which apps
<br>> could use as a way to identify which client organization the user is
<br>> part of.
<br>>
<br>> However, I am finding that actually setting up a server to handle a
<br>> pure domain-based tree that can be searched in full from a null base
<br>> is a battle against the prevailing models. I have a working system
<br>> from the standpoint of searches: ldapsearch finds user records
<br>> wherever they are in the tree, and the DSE object has a single empty
<br>> namingContexts attribute. However, the effect of this has also been to
<br>> completely confuse other more user-friendly tools (Apple's Workgroup
<br>> Manager, JXplorer, Apache Directory Studio) and that's not going to
<br>> fly because while I can handle the fact that client records cannot be
<br>> seen in Apple's tools, I cannot break those tools for their existing
<br>> user or hand the front-line support staff a system that can only be
<br>> administered with command-line tools and LDIF files. Even when I
<br>> populate the logical nodes between the root and the domains that have
<br>> real content, browsing tools don't see them, apparently because they
<br>> don't like the null naming context as a naming context.
<br>>
<br>> So, I am looking here for an answer from the broad LDAP community to
<br>> the question in my Subject. I am concerned that while I may be trying
<br>> to do something that seems "right" based on my reading of RFC2247, I
<br>> may have missed something in my research and this may be conceptually
<br>> broken. While clearly I am doing something that is harder to get
<br>> working than I expected it to be, I am trying to not keep pounding
<br>> away at trying to get something to work that never will work or if I
<br>> manage it, *shouldn't* work.
</div>We can investigate your problem on Apache Direcroty Studio, and fix it,
<br>that's for sure. Can you post a mail to the apache directory mailing
<br>list with a short description of your problem, or even better, fill an
<br>issue ?
<br><br>links :
<br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20843691&i=1" target="_top" rel="nofollow">dev@...</a>
<br><a href="http://issues.apache.org/jira/browse/dirstudio" target="_top" rel="nofollow">http://issues.apache.org/jira/browse/dirstudio</a> (you will have to register)
<br><br>Thanks !
<br><br>--
<br>--
<br>cordialement, regards,
<br>Emmanuel Lécharny
<br>www.iktek.com
<br>directory.apache.org
<br><br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20842576Re: Is a searchable dc tree rooted in a null base suffix wrong or just hubris?2008-12-04T13:12:39Z2008-12-04T13:12:39ZDieter KluenterBill Cole <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20842576&i=0" target="_top" rel="nofollow">umldap-20081204@...</a>> writes:
<br><br>> The question in my Subject is what all this boils down to, so if you
<br>> have no time to read a long explanation, feel free to answer it as
<br>> asked...
<br>[...]
<br>Yes, it is valid to define a DIT with root "", but your clients should
<br>point to a defined subtree.
<br><br>-Dieter
<br><br>--
<br>Dieter Klünter | Systemberatung
<br><a href="http://www.dpunkt.de/buecher/2104.html" target="_top" rel="nofollow">http://www.dpunkt.de/buecher/2104.html</a><br>sip: +49.180.1555.7770535
<br>GPG Key ID:8EF7B6C6
<br>53°08'09,95"N
<br>10°08'02,42"E
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20841084Re: Is a searchable dc tree rooted in a null base suffix wrong or just hubris?2008-12-04T11:50:18Z2008-12-04T11:50:18ZQuanah Gibson-Mount-3--On Thursday, December 04, 2008 2:42 PM -0500 Bill Cole
<br><<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20841084&i=0" target="_top" rel="nofollow">umldap-20081204@...</a>> wrote:
<br><br>> So, I am looking here for an answer from the broad LDAP community to the
<br>> question in my Subject. I am concerned that while I may be trying to do
<br>> something that seems "right" based on my reading of RFC2247, I may have
<br>> missed something in my research and this may be conceptually broken.
<br>> While clearly I am doing something that is harder to get working than I
<br>> expected it to be, I am trying to not keep pounding away at trying to get
<br>> something to work that never will work or if I manage it, *shouldn't*
<br>> work.
<br><br>The client tools are what is broken. It is perfectly valid and reasonable
<br>to use "" as the root of your LDAP tree. We do that at Zimbra, for
<br>example, in part because we have plenty of clients who run hosted mail
<br>servers, and need to support multiple domains.
<br><br>--Quanah
<br><br>--
<br><br>Quanah Gibson-Mount
<br>Principal Software Engineer
<br>Zimbra, Inc
<br>--------------------
<br>Zimbra :: the leader in open source messaging and collaboration
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20840907Is a searchable dc tree rooted in a null base suffix wrong or just hubris?2008-12-04T11:42:38Z2008-12-04T11:42:38ZBill Cole-6The question in my Subject is what all this boils down to, so if you
<br>have no time to read a long explanation, feel free to answer it as
<br>asked...
<br><br>Background: I'm working on my first attempt at doing the grand
<br>architecture for a new LDAP instance, although I've been working with
<br>LDAP as an admin for years: doing housekeeping on existing servers,
<br>setting up simple small environments, and managing other systems
<br>using LDAP as a utility data/auth source. I'm not a newbie to LDAP
<br>(or to OpenLDAP, which I'm using for this project) but I haven't
<br>previously had any reason to depart from fairly tame "cookbook" work.
<br><br>I now have to build a single directory to serve dozens of small to
<br>medium businesses to authenticate users for a small collection of
<br>mostly web-based applications that my employer provides for them. To
<br>avoid complexity on the application side, we want to have a common
<br>auth interface for all clients rather than proliferating a bunch of
<br>per-client vhosts for little real purpose. Because we manage mail
<br>systems for most of these companies, we have hard knowledge of user
<br>email addresses, and those make the perfect globally-unique
<br>identifiers for each user: we can enforce correctness and
<br>uniqueness, and the users should have no trouble remembering what
<br>their login ID's are.
<br><br>Because we already have some facilities using Apple's "Open
<br>Directory" environment, which integrates OpenLDAP, Kerberos, and
<br>some of their own facilities, we're hoping to piggyback on the
<br>existing LDAP it uses, which uses a domain-based suffix: the FQDN of
<br>the server split into dc components. The obvious way to add in our
<br>clients to that without putting them into the part of the directory
<br>tree managed by Open Directory is to build out the logical
<br>domain-based tree with our clients having their own branches, i.e.
<br>"dc=hostname,dc=oursite,dc=ourdomain,dc=net" already exists and is
<br>where the Open Directory DIT lives, and I was hoping to create
<br>"dc=client1,dc=com" and "dc=client2,dc=net" and so on for our
<br>clients. This way, we could (in principle) have the authentication
<br>layer search for <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20840907&i=0" target="_top" rel="nofollow">mail=username@...</a> with a null search base
<br>across the whole DIT and find
<br>"uid=username,cn=users,dc=client1,dc=com" which apps could use as a
<br>way to identify which client organization the user is part of.
<br><br>However, I am finding that actually setting up a server to handle a
<br>pure domain-based tree that can be searched in full from a null base
<br>is a battle against the prevailing models. I have a working system
<br>from the standpoint of searches: ldapsearch finds user records
<br>wherever they are in the tree, and the DSE object has a single empty
<br>namingContexts attribute. However, the effect of this has also been
<br>to completely confuse other more user-friendly tools (Apple's
<br>Workgroup Manager, JXplorer, Apache Directory Studio) and that's not
<br>going to fly because while I can handle the fact that client records
<br>cannot be seen in Apple's tools, I cannot break those tools for their
<br>existing user or hand the front-line support staff a system that can
<br>only be administered with command-line tools and LDIF files. Even
<br>when I populate the logical nodes between the root and the domains
<br>that have real content, browsing tools don't see them, apparently
<br>because they don't like the null naming context as a naming context.
<br><br>So, I am looking here for an answer from the broad LDAP community to
<br>the question in my Subject. I am concerned that while I may be trying
<br>to do something that seems "right" based on my reading of RFC2247, I
<br>may have missed something in my research and this may be conceptually
<br>broken. While clearly I am doing something that is harder to get
<br>working than I expected it to be, I am trying to not keep pounding
<br>away at trying to get something to work that never will work or if I
<br>manage it, *shouldn't* work.
<br><br><br>--
<br>Bill Cole
<br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20840907&i=1" target="_top" rel="nofollow">bill@...</a>
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20787511Re: Help2008-12-01T23:44:43Z2008-12-01T23:44:43ZManilal K MSo you are trying to authenticate desktop users from LDAP, right?
<br>Please give more details, such as which version of LDAP,
<br>OS/distribution used, a brief description about your LDAP structure,
<br>etc..
<br>Your description is too vague to give you an accurate solution.
<br><br>2008/12/2 akhil bhardwaj <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20787511&i=0" target="_top" rel="nofollow">akhil.bhardwaj@...</a>>:
<div class='shrinkable-quote'><br>> Dear Sir,
<br>>
<br>> First login user and type 'passwd' commadn on terminal.
<br>>
<br>> Regards
<br>> Akhil Bhardwaj
<br>>
<br>>
<br>>
<br>>
<br>>
<br>>
<br>>
<br>> Manilal K M wrote:
<br>>
<br>> 2008/12/2 Akhil Bhardwaj <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20787511&i=1" target="_top" rel="nofollow">akhil.bhardwaj@...</a>>
<br>>
<br>>
<br>> Dear,
<br>>
<br>> I am new for ldap am configuring open ldap as a domain controller my
<br>> clients are also working fine but my open ldap users cannot change our own
<br>> password please help me about this problem
<br>>
<br>>
<br>>
<br>> How did you tried to change the password?
<br>>
<br>> --
<br>> Manilal K M : മണിലാല് കെ എം.
<br>> <a href="http://libregeek.blogspot.com" target="_top" rel="nofollow">http://libregeek.blogspot.com</a><br>>
<br>>
</div><br><br><br>--
<br>Manilal K M : മണിലാല് കെ എം.
<br><a href="http://libregeek.blogspot.com" target="_top" rel="nofollow">http://libregeek.blogspot.com</a><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20787375Re: Help2008-12-01T23:30:23Z2008-12-01T23:30:23ZManilal K M2008/12/2 Akhil Bhardwaj <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20787375&i=0" target="_top" rel="nofollow">akhil.bhardwaj@...</a>>:
<br>> Dear,
<br>>
<br>> I am new for ldap am configuring open ldap as a domain controller my
<br>> clients are also working fine but my open ldap users cannot change our own
<br>> password please help me about this problem
<br>>
<br>>
<br><br>How did you tried to change the password?
<br><br>--
<br>Manilal K M : മണിലാല് കെ എം.
<br><a href="http://libregeek.blogspot.com" target="_top" rel="nofollow">http://libregeek.blogspot.com</a><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20787334Help2008-12-01T23:26:41Z2008-12-01T23:26:41ZAkhil BhardwajDear,
<br><br>I am new for ldap am configuring open ldap as a domain controller my
<br>clients are also working fine but my open ldap users cannot change our own
<br>password please help me about this problem
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20176718Re: Guessing root DNs for active directory2008-10-26T11:53:24Z2008-10-26T11:53:24ZChristoffer AnderssonYou can try to query the DSA (null search base) for defaultNamingContext. = Should be the NC of the domain you have perform:ed a bind to. Or namingContexts to get a list of NCs that the DSA is hosting.
<br><br>/C
<br><br><blockquote class="quote light-black dark-border-color"><div class="quote light-border-color">
<div class="quote-author" style="font-weight: bold;">zippy1981 wrote:</div>
<div class="quote-message shrinkable-quote">Hi,
<br>Let me know if this is the wrong list for this question, and where best to
<br>ask this.
<br><br>I am trying to write a simple program in java that "guesses" if the machine
<br>is running on active directory and connects to the domain controller via
<br>LDAP. My goal is to submit a patch to JXPlorer (and eventually other
<br>software like apache directory studio) to "detect" active directory and
<br>"auto-configure" a connection to it.
<br><br>Right now I am grabing the envirormental variable "USERDNSDOMAIN", and
<br>transforming it from "foo.com" to "dc=foo,dc=com". This works good enough.
<br>However, Is it possible via some sort of LDAP query to get the base DN of
<br>either the domain I am authenticated to, or better yet all domains in the
<br>forest?
<br><br>If anyone cares to help me in my research, or laugh at a .NET programmer
<br>trying to write JAVA, feel free to take a poke at my code in SVN,
<br><a href="http://nightelves.svn.sourceforge.net/viewvc/nightelves/LI-PHP/LDAP/LDAP.Tests/src/LDAP/Tests.java?revision=57&view=markup" target="_top" rel="nofollow">http://nightelves.svn.sourceforge.net/viewvc/nightelves/LI-PHP/LDAP/LDAP.Tests/src/LDAP/Tests.java?revision=57&view=markup</a><br><br>Thanks and Regards,
<br><br>Justin Dearing
</div>
</div></blockquote>
<p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20167039Re: Guessing root DNs for active directory2008-10-25T12:09:27Z2008-10-25T12:09:27Zzippy1981Mark,
<br><br>Finally got to give this a try, One small mistake on your part. It's
<br>_ldap._tcp.domain. Corrected queries below. Just pointing this out to
<br>not fustrate anyone that finds this thread later.
<br><br>On Mon, Oct 13, 2008 at 11:36 AM, Mark H. Wood <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20167039&i=0" target="_top" rel="nofollow">mwood@...</a>> wrote:
<br><br>> That is: if the machine is named "host.baz.bar.foo.xcorp.com" you
<br>> would try to resolve:
<br>>
<br>_ldap._tcp.baz.bar.foo.xcorp.com SRV
<br>_ldap._tcp.bar.foo.xcorp.com SRV
<br>_ldap._tcp.foo.xcorp.com SRV
<br>_ldap._tcp.xcorp.com SRV
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20114030Re: newbie question: how to put company structure to ldap2008-10-22T08:57:42Z2008-10-22T08:57:42Zdpuryear<br><br><br>You should probably get a LDAP book or read a few online
<br>tutorials. That said, the approach depends on whether you use groups or
<br>roles.
<br><br>groups-
<br>Do a filter on
<br>(&(objectClass=groupOfNames)(cn=TEAM-NAME)) and grab all the member
<br>attributes. Then you have to scan through each member in a second pass.
<br><br>roles-
<br>Just do a filter on the role itself and you get the
<br>members in the first pass.
<br><br>On a side note, while there may be
<br>some disagreement on this list about the use of groupOfUniqueNames, the
<br>fact is it's used almost interchangeably with groupOfNames these days (I
<br>do it) and you should always be ready to support it.
<br><br>You
<br>can do that by writing the appropriate filters:
<br><br>(&(|(objectClass=groupOfNames)(objectClass=groupOfUniqueNames))(cn=TEAM-NAME))
<br><br>And then determining how to read the entry (member vs.
<br>uniqueMember) or have a configuration file that specifies the filter and
<br>attribute to look at.
<br><br>> Hello Dustin,
<br>>
<br>>
<br>thanks for answering.
<br>> Nice to hear that I do not have to modify
<br>a lot :-)
<br>>
<br>> But there's one answer left. How can I
<br>search for all members of a
<br>> certain team.
<br>> e.g.: I
<br>want to have a list of sn,mail,phone of all members of team a
<br>>
<br><br>> I have no idea how to create this type of search ?
<br>>
<br><div class='shrinkable-quote'><br>> any help appreciated.....GERD.....
<br>>
<br>>
<br>>
<br>> Am 22.10.2008 um 17:27 schrieb Dustin Puryear:
<br>>
<br>>>
<br>>>
<br>>>
<br>>> What
</div>you are trying to do is just create a set of users and teams
<br>>> (groups of users). You can use LDAP groups or roles for the
<br>team
<br>>> implementation. Let's just use groups.
<br>>>
<br><br>>> root
<br>>> - users
<br>>> -- uid=bob
<br>(inetOrgPerson)
<br>>> -- uid=frank
<br>>> (inetOrgPerson)
<br><br>>> - groups
<br>>> -- cn=teama (groupOfNames or
<br>>> groupOfUniqueNames)
<br>>> -- cn=teamb (groupOfNames or
<br><br>>> groupOfUniqueNames)
<br>>>
<br>>> To make
<br>bob a member of teama, then add
<br>>> uniqueMember=uid=bob,... to
<br>cn=teama. Ditto for teamb. To remove
<br>>> bob from
<br>>> teama, remove their uniqueMember=uid=bob,... from cn=teama.
<br>>>
<br>>> This is essentially what you did. It works and
<br>it's how most of us do
<br>>> it.
<br>>>
<br>>>
<br>With roles, you would actually edit the user entry instead
<br>>>
<br>and add a role attribute. Also, if you are using an LDAP server that
<br>>> supports dynamic roles, you can probably maintain groups and
<br>get the
<br>>> benefit of having roles (which are read directly
<br>from the user entry).
<br>>>
<br>>>> Hello,
<br>>>>
<br>>>> I'm going to create a ldap
<br>>> directory for the company to have a central
<br>>>>
<br>place for user
<br>>> administration.
<br>>>> I've
<br>started with an example found in the web.
<br>>> First of all I
<br>created
<br>>>> the top level dc=example,dc=com and the
<br>>> manager
<br>>>> (cn=manager,dc=example,dc=com).
<br>>>> Afterwards I
<br>>> created 2 organizational units:
<br><br>>>> ou=persons
<br>>>> ou=teams
<br>>>
<br><br>>>> and filled them with content (see at bottom of the
<br>email).
<br>>>>
<br>>>> I'm in doubt if this is the
<br>correct way to build the
<br>>> directory and
<br>>>>
<br>"connect" each user to its team. I only
<br>>> set the
<br>"ou=" property of each
<br>>>> person to its
<br>>> teamname, and added one "member=" entry for each
<br>person to
<br>>>> the team-object. I'm not happy with such
<br>setting.
<br>>>>
<br>>>> What if a person changes
<br>the team, do I have to update the person's
<br>>>
<br>>>> "ou=" and the "member=" section of the
<br><br>>> teams ??
<br>>>>
<br>>>> Is this
<br>really the way to implement such a
<br>>>
<br>company->team->person hierarchy
<br>>>> ?
<br>>>>
<br>>>>
<br>>> any help
<br>appreciated....GERD....
<br>>>>
<br>>>> dn: cn=Tinky
<br><br>>> Winky,ou=people,dc=example,dc=com
<br>>>>
<br>objectclass: inetOrgPerson
<div class='shrinkable-quote'><br>>>
<br>>>> sn: Tinky
<br>>>> cn: Tinky Winky
<br>>>> uid: twinky
<br>>>> userpassword: twinky
<br>>>> ou: support
<br>>>> dn:
<br>>> cn=Dipsy,ou=people,dc=example,dc=com
<br>>>> objectclass: inetOrgPerson
<br>>>
<br>>>> sn: Dipsy
<br>>>> cn: Dipsy
<br>>>>
</div>uid: dipsy
<br>>>>
<br>>> userpassword: dipsy
<br>>>> ou: support
<br>>>> dn: cn=Laa
<br>>>
<br>Laa,ou=people,dc=example,dc=com
<br>>>> objectclass:
<br>inetOrgPerson
<br>>>> sn: Laa
<br>>>> cn: Laa Laa
<br><br>>>> uid: laa
<br>>>>
<br>>>
<br>userpassword: laa
<br>>>> ou: marketing
<br>>>> ##
<br>team MARKETING
<br>>>
<br>>>> dn:
<br>cn=marketing,ou=teams,dc=transporeon,dc=nil
<br>>>>
<br>>> objectclass: groupofnames
<br>>>> cn: marketing
<br>>>> description:
<br>>> team marketing
<br>>>> member: cn=Laa
<br>>>
<br>Laa,ou=people,dc=transporeon,dc=nil
<br>>>> ## team SUPPORT
<br>>>>
<br>>> dn:
<br>cn=support,ou=teams,dc=transporeon,dc=nil
<br>>>> objectclass:
<br><br>>> groupofnames
<br>>>> cn: support
<br>>>> description: team support
<br>>>
<br>>>>
<br>member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
<br>>>>
<br>member: cn=Dipsy,ou=people,dc=transporeon,dc=nil
<br>>>>
<br>>>>
<br>>>>
<br>>>>
<br>>>> --
<br><br>>>> This message was
<br>>> scanned by ESVA and is
<br>believed to be clean.
<br>>>> Click here to
<br>>>
<br>report this message as spam.
<br>>>>
<br>>>
<br><a href="http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=" target="_top" rel="nofollow">http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=</a>
<br>>>>
<br><br>>>>
<br>>>
<br>>>>
<br>>>
<br>>>
<br>>> --
<br>>> Dustin Puryear
<br>>>
<br>President and
<br>>> Sr. Consultant
<br>>> Puryear
<br>Information Technology, LLC
<br>>> 225-706-8414 x112
<br>>> <a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a>
<br>>>
<br>>> Author,
<br><br>>> "Best Practices for Managing Linux and UNIX
<br>Servers"
<br>>>
<br><a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a>
<br>>>
<br><br>>>
<br>>
<br>>
<br>>
<br>> --
<br>>
<br>This message was scanned by ESVA and is believed to be clean.
<br>>
<br>Click here to report this message as spam.
<br>>
<br><a href="http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=" target="_top" rel="nofollow">http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=</a>
<br>>
<br>>
<br><br>>
<br><br><br>--
<br>Dustin Puryear
<br>President and
<br>Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a>
<br><br>Author,
<br>"Best Practices for Managing Linux and UNIX Servers"
<br><a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a>
<br><br><br><br><div class="signature">--
<br>Dustin Puryear
<br>President and Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a><br><br>Author, "Best Practices for Managing Linux and UNIX Servers"
<br> <a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a><br></div><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20113569Re: newbie question: how to put company structure to ldap2008-10-22T08:38:06Z2008-10-22T08:38:06ZGerd KönigHello Dustin,
<br><br>thanks for answering.
<br>Nice to hear that I do not have to modify a lot :-)
<br><br>But there's one answer left. How can I search for all members of a
<br>certain team.
<br>e.g.: I want to have a list of sn,mail,phone of all members of team a
<br><br>I have no idea how to create this type of search ?
<br><br>any help appreciated.....GERD.....
<br><br><br><br>Am 22.10.2008 um 17:27 schrieb Dustin Puryear:
<br><div class='shrinkable-quote'><br>>
<br>>
<br>>
<br>> What you are trying to do is just create a set of users and teams
<br>> (groups of users). You can use LDAP groups or roles for the team
<br>> implementation. Let's just use groups.
<br>>
<br>> root
<br>> - users
<br>> -- uid=bob (inetOrgPerson)
<br>> -- uid=frank
<br>> (inetOrgPerson)
<br>> - groups
<br>> -- cn=teama (groupOfNames or
<br>> groupOfUniqueNames)
<br>> -- cn=teamb (groupOfNames or
<br>> groupOfUniqueNames)
<br>>
<br>> To make bob a member of teama, then add
<br>> uniqueMember=uid=bob,... to cn=teama. Ditto for teamb. To remove
<br>> bob from
<br>> teama, remove their uniqueMember=uid=bob,... from cn=teama.
<br>>
<br>> This is essentially what you did. It works and it's how most of us do
<br>> it.
<br>>
<br>> With roles, you would actually edit the user entry instead
<br>> and add a role attribute. Also, if you are using an LDAP server that
<br>> supports dynamic roles, you can probably maintain groups and get the
<br>> benefit of having roles (which are read directly from the user entry).
<br>>
<br>>> Hello,
<br>>>
<br>>> I'm going to create a ldap
<br>> directory for the company to have a central
<br>>> place for user
<br>> administration.
<br>>> I've started with an example found in the web.
<br>> First of all I created
<br>>> the top level dc=example,dc=com and the
<br>> manager
<br>>> (cn=manager,dc=example,dc=com).
<br>>> Afterwards I
<br>> created 2 organizational units:
<br>>> ou=persons
<br>>> ou=teams
<br>>
<br>>> and filled them with content (see at bottom of the email).
<br>>>
<br>>> I'm in doubt if this is the correct way to build the
<br>> directory and
<br>>> "connect" each user to its team. I only
<br>> set the "ou=" property of each
<br>>> person to its
<br>> teamname, and added one "member=" entry for each person to
<br>>> the team-object. I'm not happy with such setting.
<br>>>
<br>>> What if a person changes the team, do I have to update the person's
<br>>
<br>>> "ou=" and the "member=" section of the
<br>> teams ??
<br>>>
<br>>> Is this really the way to implement such a
<br>> company->team->person hierarchy
<br>>> ?
<br>>>
<br>>>
<br>> any help appreciated....GERD....
<br>>>
<br>>> dn: cn=Tinky
<br>> Winky,ou=people,dc=example,dc=com
<br>>> objectclass: inetOrgPerson
<br>>
<br>>> sn: Tinky
<br>>> cn: Tinky Winky
<br>>> uid: twinky
<br>>> userpassword: twinky
<br>>> ou: support
<br>>> dn:
<br>> cn=Dipsy,ou=people,dc=example,dc=com
<br>>> objectclass: inetOrgPerson
<br>>
<br>>> sn: Dipsy
<br>>> cn: Dipsy
<br>>> uid: dipsy
<br>>>
<br>> userpassword: dipsy
<br>>> ou: support
<br>>> dn: cn=Laa
<br>> Laa,ou=people,dc=example,dc=com
<br>>> objectclass: inetOrgPerson
<br>>> sn: Laa
<br>>> cn: Laa Laa
<br>>> uid: laa
<br>>>
<br>> userpassword: laa
<br>>> ou: marketing
<br>>> ## team MARKETING
<br>>
<br>>> dn: cn=marketing,ou=teams,dc=transporeon,dc=nil
<br>>>
<br>> objectclass: groupofnames
<br>>> cn: marketing
<br>>> description:
<br>> team marketing
<br>>> member: cn=Laa
<br>> Laa,ou=people,dc=transporeon,dc=nil
<br>>> ## team SUPPORT
<br>>>
<br>> dn: cn=support,ou=teams,dc=transporeon,dc=nil
<br>>> objectclass:
<br>> groupofnames
<br>>> cn: support
<br>>> description: team support
<br>>
<br>>> member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
<br>>> member: cn=Dipsy,ou=people,dc=transporeon,dc=nil
<br>>>
<br>>>
<br>>>
<br>>>
<br>>> --
<br>>> This message was
<br>> scanned by ESVA and is believed to be clean.
<br>>> Click here to
<br>> report this message as spam.
<br>>>
<br>> <a href="http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=" target="_top" rel="nofollow">http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=</a><br>>>
<br>>>
<br>>
<br>>>
<br>>
<br>>
<br>> --
<br>> Dustin Puryear
<br>> President and
<br>> Sr. Consultant
<br>> Puryear Information Technology, LLC
<br>> 225-706-8414 x112
<br>> <a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a><br>>
<br>> Author,
<br>> "Best Practices for Managing Linux and UNIX Servers"
<br>> <a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a><br>>
<br>>
</div><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20114012Re: newbie question: how to put company structure to ldap2008-10-22T08:27:03Z2008-10-22T08:27:03Zdpuryear<br><br><br>What you are trying to do is just create a set of users and teams
<br>(groups of users). You can use LDAP groups or roles for the team
<br>implementation. Let's just use groups.
<br><br>root
<br>- users
<br>-- uid=bob (inetOrgPerson)
<br>-- uid=frank
<br>(inetOrgPerson)
<br>- groups
<br>-- cn=teama (groupOfNames or
<br>groupOfUniqueNames)
<br>-- cn=teamb (groupOfNames or
<br>groupOfUniqueNames)
<br><br>To make bob a member of teama, then add
<br>uniqueMember=uid=bob,... to cn=teama. Ditto for teamb. To remove bob from
<br>teama, remove their uniqueMember=uid=bob,... from cn=teama.
<br><br>This is essentially what you did. It works and it's how most of us do
<br>it.
<br><br>With roles, you would actually edit the user entry instead
<br>and add a role attribute. Also, if you are using an LDAP server that
<br>supports dynamic roles, you can probably maintain groups and get the
<br>benefit of having roles (which are read directly from the user entry).
<br><br>> Hello,
<br>>
<br>> I'm going to create a ldap
<br>directory for the company to have a central
<br>> place for user
<br>administration.
<br>> I've started with an example found in the web.
<br>First of all I created
<br>> the top level dc=example,dc=com and the
<br>manager
<br>> (cn=manager,dc=example,dc=com).
<br>> Afterwards I
<br>created 2 organizational units:
<br>> ou=persons
<br>> ou=teams
<br><br>> and filled them with content (see at bottom of the email).
<br>>
<br>> I'm in doubt if this is the correct way to build the
<br>directory and
<br>> "connect" each user to its team. I only
<br>set the "ou=" property of each
<br>> person to its
<br>teamname, and added one "member=" entry for each person to
<br>> the team-object. I'm not happy with such setting.
<br>>
<br>> What if a person changes the team, do I have to update the person's
<br><br>> "ou=" and the "member=" section of the
<br>teams ??
<br>>
<br>> Is this really the way to implement such a
<br>company->team->person hierarchy
<br>> ?
<br>>
<br>>
<br>any help appreciated....GERD....
<br>>
<br>> dn: cn=Tinky
<br>Winky,ou=people,dc=example,dc=com
<br>> objectclass: inetOrgPerson
<br><br>> sn: Tinky
<br>> cn: Tinky Winky
<br>> uid: twinky
<br>> userpassword: twinky
<br>> ou: support
<br>> dn:
<br>cn=Dipsy,ou=people,dc=example,dc=com
<br>> objectclass: inetOrgPerson
<br><br>> sn: Dipsy
<br>> cn: Dipsy
<br>> uid: dipsy
<br>>
<br>userpassword: dipsy
<br>> ou: support
<br>> dn: cn=Laa
<br>Laa,ou=people,dc=example,dc=com
<br>> objectclass: inetOrgPerson
<br>> sn: Laa
<br>> cn: Laa Laa
<br>> uid: laa
<br>>
<br>userpassword: laa
<br>> ou: marketing
<br>> ## team MARKETING
<br><br>> dn: cn=marketing,ou=teams,dc=transporeon,dc=nil
<br>>
<br>objectclass: groupofnames
<br>> cn: marketing
<br>> description:
<br>team marketing
<br>> member: cn=Laa
<br>Laa,ou=people,dc=transporeon,dc=nil
<br>> ## team SUPPORT
<br>>
<br>dn: cn=support,ou=teams,dc=transporeon,dc=nil
<br>> objectclass:
<br>groupofnames
<br>> cn: support
<br>> description: team support
<br><br>> member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
<br>> member: cn=Dipsy,ou=people,dc=transporeon,dc=nil
<br>>
<br>>
<br>>
<br>>
<br>> --
<br>> This message was
<br>scanned by ESVA and is believed to be clean.
<br>> Click here to
<br>report this message as spam.
<br>>
<br><a href="http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=" target="_top" rel="nofollow">http://esva.puryear-it.com/cgi-bin/learn-msg.cgi?id=</a>
<br>>
<br>>
<br><br>>
<br><br><br>--
<br>Dustin Puryear
<br>President and
<br>Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a>
<br><br>Author,
<br>"Best Practices for Managing Linux and UNIX Servers"
<br><a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a>
<br><br><br><br><div class="signature">--
<br>Dustin Puryear
<br>President and Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a><br><br>Author, "Best Practices for Managing Linux and UNIX Servers"
<br> <a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a><br></div><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20084051newbie question: how to put company structure to ldap2008-10-20T23:14:48Z2008-10-20T23:14:48ZGerd KönigHello again,
<br><br>in my first email there was an copy-paste error.
<br><br>The dn of the teams are also of the format
<br>dn=<teamname>,ou=teams,dc=example,dc=com
<br><br>any help appreciated....GERD....
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20083915newbie question: how to put company structure to ldap2008-10-20T23:01:25Z2008-10-20T23:01:25ZGerd KönigHello,
<br><br>I'm going to create a ldap directory for the company to have a central
<br>place for user administration.
<br>I've started with an example found in the web. First of all I created
<br>the top level dc=example,dc=com and the manager
<br>(cn=manager,dc=example,dc=com).
<br>Afterwards I created 2 organizational units:
<br>ou=persons
<br>ou=teams
<br>and filled them with content (see at bottom of the email).
<br><br>I'm in doubt if this is the correct way to build the directory and
<br>"connect" each user to its team. I only set the "ou=" property of each
<br>person to its teamname, and added one "member=" entry for each person to
<br>the team-object. I'm not happy with such setting.
<br><br>What if a person changes the team, do I have to update the person's
<br>"ou=" and the "member=" section of the teams ??
<br><br>Is this really the way to implement such a company->team->person hierarchy ?
<br><br>any help appreciated....GERD....
<br><br>dn: cn=Tinky Winky,ou=people,dc=example,dc=com
<br>objectclass: inetOrgPerson
<br>sn: Tinky
<br>cn: Tinky Winky
<br>uid: twinky
<br>userpassword: twinky
<br>ou: support
<br>dn: cn=Dipsy,ou=people,dc=example,dc=com
<br>objectclass: inetOrgPerson
<br>sn: Dipsy
<br>cn: Dipsy
<br>uid: dipsy
<br>userpassword: dipsy
<br>ou: support
<br>dn: cn=Laa Laa,ou=people,dc=example,dc=com
<br>objectclass: inetOrgPerson
<br>sn: Laa
<br>cn: Laa Laa
<br>uid: laa
<br>userpassword: laa
<br>ou: marketing
<br>## team MARKETING
<br>dn: cn=marketing,ou=teams,dc=transporeon,dc=nil
<br>objectclass: groupofnames
<br>cn: marketing
<br>description: team marketing
<br>member: cn=Laa Laa,ou=people,dc=transporeon,dc=nil
<br>## team SUPPORT
<br>dn: cn=support,ou=teams,dc=transporeon,dc=nil
<br>objectclass: groupofnames
<br>cn: support
<br>description: team support
<br>member: cn=Tinky Winky,ou=people,dc=transporeon,dc=nil
<br>member: cn=Dipsy,ou=people,dc=transporeon,dc=nil
<br><br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20070933Re: LDAP Error 32 v/s Empty Result Set2008-10-20T07:09:15Z2008-10-20T07:09:15ZHallvard B FurusethMark H. Wood writes:
<br>> WebLogic has a problem which is independent of the LDAP service's
<br>> behavior: it is searching the wrong context. If this is not the
<br>> result of misconfiguration by the customer, then they should fix that.
<br>> I would simply refuse *any* arguments concerning the LDAP response to
<br>> an incorrect query until the query is corrected. I would keep
<br>> pointing to the error in WebLogic until it is acknowledged.
<br><br>Sorry, no. It's irritating but normal for LDAP clients to try several
<br>searches until one succeeds, and to not offer a way to turn off searches
<br>that the user knows will find nothing. Furthermore "no such object" can
<br>mean user misconfiguration - "you must point the group base DN at an
<br>actual entry" while no search results is normal. Assuming that group DN
<br>is actually configured and necessary, of course.
<br><br>I've lost track of this discussion a bit, but anyway: Possibly it would
<br>help to point the group DN at the parent entry so that a search for the
<br>"group" will find users too. Depends on whether group searches use
<br>subtree scope and filter for groups.
<br><br>--
<br>Hallvard
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20069910Re: LDAP Error 32 v/s Empty Result Set2008-10-20T06:26:59Z2008-10-20T06:26:59ZMark H. WoodOn Fri, Oct 17, 2008 at 10:03:27AM -0400, Agarwal, Sharad wrote:
<br>> This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user DN. And if it does, it should handle/ignore the error.
<br><br>WebLogic has a problem which is independent of the LDAP service's
<br>behavior: it is searching the wrong context. If this is not the
<br>result of misconfiguration by the customer, then they should fix that.
<br>I would simply refuse *any* arguments concerning the LDAP response to
<br>an incorrect query until the query is corrected. I would keep
<br>pointing to the error in WebLogic until it is acknowledged.
<br><br>--
<br>Mark H. Wood, Lead System Programmer <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20069910&i=0" target="_top" rel="nofollow">mwood@...</a>
<br>Typically when a software vendor says that a product is "intuitive" he
<br>means the exact opposite.
<br><br><br /> <div class="small"><br/><img src="http://www.nabble.com/images/icon_attachment.gif" > <strong>attachment0</strong> (204 bytes) <a href="http://www.nabble.com/attachment/20069910/0/attachment0" target="_top">Download Attachment</a></div><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20034874Re: LDAP Error 32 v/s Empty Result Set2008-10-17T07:50:59Z2008-10-17T07:50:59ZMichael StröderAgarwal, Sharad wrote:
<div class='shrinkable-quote'><br>> "Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20034874&i=0" target="_top" rel="nofollow">michael@...</a>> wrote:
<br>>> So I'd be interested which LDAP clients the original poster is
<br>>> working with and which problems he experienced.
<br>>
<br>> WebLogic is the application in question. WebLogic allows us to define
<br>> Authenticators (code that connects to the LDAP server). Once an
<br>> Authenticator is defined, WebLogic offers a UI where all users and
<br>> groups can be listed.
<br>>
<br>> The group listing fails because of some code in WebLogic that tries
<br>> to find the description of a group. They have a generic function
<br>> getdescription() that is used for both users and groups. It ends up
<br>> searching for the group in the user base DN. And our LDAP returns an
<br>> Error 32.
</div><br>In any case the LDAP client should also handle noSuchObject more
<br>gracefully. Although more thorough analysis should be done I think in
<br>this particular case noSuchObject could also be handled the same way
<br>like no group entry found. And that's exactly what I meant with "In most
<br>cases the handling is mainly the same".
<br><br>Ciao, Michael.
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20034787Re: LDAP Error 32 v/s Empty Result Set2008-10-17T07:46:18Z2008-10-17T07:46:18ZAgarwal, SharadEmmanuel Lecharny wrote:
<br>> Now the funiest part : WebLogic and Oracle Virtual Directory (,
<br>> OctetString product) ar _both_ Oracle products ;) Either Oracle or
<br>> Oracle is not compliant somewhere...
<br><br>LOL. You are right, BEA was purchased by Oracle. They are indeed both
<br>Oracle products.
<br><br>What I am not sure is whether Oracle Virtual Directory sends the LDAP
<br>Error 32 by default; or if it is the implementation of the product at
<br>our organization. I suspect it is the latter.
<br><br>Thanks,
<br>Sharad
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20034529Re: LDAP Error 32 v/s Empty Result Set2008-10-17T07:33:19Z2008-10-17T07:33:19ZEmmanuel Lecharny-3Agarwal, Sharad wrote:
<div class='shrinkable-quote'><br>> "Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20034529&i=0" target="_top" rel="nofollow">michael@...</a>> wrote:
<br>>
<br>>> So I'd be interested which LDAP clients the original poster is
<br>>> working with and which problems he experienced.
<br>>>
<br>>
<br>> WebLogic is the application in question. WebLogic allows us to define Authenticators (code that connects to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and groups can be listed.
<br>>
<br>> The group listing fails because of some code in WebLogic that tries to find the description of a group. They have a generic function getdescription() that is used for both users and groups. It ends up searching for the group in the user base DN. And our LDAP returns an Error 32.
<br>>
<br>> As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that. By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain are resulting in the user seeing a stack trace instead of the Group listing.
<br>>
</div>Looking back to the request's base:
<br><br>String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
<br><br>if the ou=groups,ou=VgnLDAPRealm,dc=vgndomain branch does not exist in your LDAP DIT, then you will get a NoSuchObject resultcode.
<br><br>Your LDAP server is compliant if you get this result.
<br><br>> This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user DN. And if it does, it should handle/ignore the error.
<br>>
<br>Now the funiest part : WebLogic and Oracle Virtual Directory (AFAIR,
<br>OctetString product) ar _both_ Oracle products ;) Either Oracle or
<br>Oracle is not compliant somewhere...
<br><br>--
<br>--
<br>cordialement, regards,
<br>Emmanuel Lécharny
<br>www.iktek.com
<br>directory.apache.org
<br><br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20033944Re: LDAP Error 32 v/s Empty Result Set2008-10-17T07:03:27Z2008-10-17T07:03:27ZAgarwal, Sharad"Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20033944&i=0" target="_top" rel="nofollow">michael@...</a>> wrote:
<br>> So I'd be interested which LDAP clients the original poster is
<br>> working with and which problems he experienced.
<br><br>WebLogic is the application in question. WebLogic allows us to define Authenticators (code that connects to the LDAP server). Once an Authenticator is defined, WebLogic offers a UI where all users and groups can be listed.
<br><br>The group listing fails because of some code in WebLogic that tries to find the description of a group. They have a generic function getdescription() that is used for both users and groups. It ends up searching for the group in the user base DN. And our LDAP returns an Error 32.
<br><br>As far as I can tell, WebLogic should not be searching for the group in the user context. But it is doing that. By the same token, the LDAP should not return LDAP Error 32. But it is doing that. And, together, the twain are resulting in the user seeing a stack trace instead of the Group listing.
<br><br>This puts me in a tough predicament. Both parties have a plausible argument. WebLogic complains that the LDAP is not standards compliant. And LDAP complains that WebLogic should not search for groups in the user DN. And if it does, it should handle/ignore the error.
<br><br>All - I really appreciate the various pointers I have received from this wonderful community.
<br><br>Thank you,
<br>Sharad
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20031873Re: LDAP Error 32 v/s Empty Result Set2008-10-17T04:55:59Z2008-10-17T04:55:59ZMichael StröderPierangelo Masarati wrote:
<div class='shrinkable-quote'><br>> ----- "Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20031873&i=0" target="_top" rel="nofollow">michael@...</a>> wrote:
<br>>
<br>>> Pierangelo Masarati wrote:
<br>>>> ----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20031873&i=1" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br>>>>
<br>>> <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br>>>> Iinternet Drafts are not authoritative sources of information.
<br>>> They
<br>>>> should never cited except as work-in-progress. No one seems to be
<br>>>> questioning that noSuchObject is a legitimate response code for
<br>>> LDAP
<br>>>> searches. The point is whether noSuchObject is appropriate for a
<br>>>> search whose searchBase exists.
<br>>> I wonder why that's such a big issue at all. When implementing LDAP
<br>>> client software one has to handle noSuchObject and an empty result
<br>>> set anyway. In most cases the handling is mainly the same.
<br>>
<br>> Let me disagree: from an implementation point of view, it depends on
<br>> what a client is supposed to do. If the client's task is over after
<br>> the search response is returned, I might agree. But in any case,
<br>> from a(n informed) user's perspective, the two responses are not the
<br>> same.
</div><br>That's why I wrote "In most cases the handling is mainly the same".
<br> ^^^^ ^^^^^^
<br><br>Most LDAP clients are not nifty interactive clients which try to guide
<br>the user what to do next. Most LDAP clients just log an error. While I'm
<br>pretty eager with fine-grained error handling in web2ldap I find myself
<br>writing the same application-level error handling for 1. noSuchObject
<br>and 2. empty result sets for simple cases. Only the log messages differ.
<br><br>So I'd be interested which LDAP clients the original poster is working
<br>with and which problems he experienced.
<br><br>Ciao, Michael.
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20017103Re: LDAP Error 32 v/s Empty Result Set2008-10-16T08:53:14Z2008-10-16T08:53:14ZKurt Zeilenga<br>On Oct 16, 2008, at 1:19 AM, Emmanuel Lecharny wrote:
<br><br>>>
<br>>> The point is whether noSuchObject is appropriate for a search whose
<br>>> searchBase exists.
<br>>
<br>> That's pretty clear it's not appropriate, RFC draft of not.
<br><br>Actually, there are cases where it is appropriate. For instance, when
<br>the user is not authorized to know if the searchBase exists. But this
<br>case doesn't seem to apply here.
<br><br>What should be clear is that by returning noSuchObject, the server is
<br>reporting that the baseObject of the search does not exist. This
<br>quite different than reporting there are no entries which match the
<br>search criteria.
<br><br>-- Kurt
<br><br><br><br>> However,
<br>> it's still better to expose the fact that this point is being
<br>> clarified in a RFC draft, for those who haven't been read extensively
<br>> all the LDAP RFCs. May be the official drafts are not clear enough,
<br>> too.
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20015970Re: LDAP Error 32 v/s Empty Result Set2008-10-16T08:03:15Z2008-10-16T08:03:15ZPaul Engle-----BEGIN PGP SIGNED MESSAGE-----
<br>Hash: SHA1
<br><br><br>- --On Thursday, October 16, 2008 4:29 PM +0200 Pierangelo Masarati <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015970&i=0" target="_top" rel="nofollow">ando@...</a>> wrote:
<br><div class='shrinkable-quote'><br>>
<br>> ----- "Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015970&i=1" target="_top" rel="nofollow">michael@...</a>> wrote:
<br>>
<br>>> Pierangelo Masarati wrote:
<br>>> > ----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015970&i=2" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br>>> >
<br>>> >>
<br>>> <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br>>> >
<br>>> > Iinternet Drafts are not authoritative sources of information.
<br>>> They
<br>>> > should never cited except as work-in-progress. No one seems to be
<br>>> > questioning that noSuchObject is a legitimate response code for
<br>>> LDAP
<br>>> > searches. The point is whether noSuchObject is appropriate for a
<br>>> > search whose searchBase exists.
<br>>>
<br>>> I wonder why that's such a big issue at all. When implementing LDAP
<br>>> client software one has to handle noSuchObject and an empty result
<br>>> set
<br>>> anyway. In most cases the handling is mainly the same.
<br>>
<br>> Let me disagree: from an implementation point of view, it depends on what a client is supposed to do. If the client's task is over after the search response is returned, I might agree. But in any case, from a(n informed) user's perspective, the two responses are not the same. In case of "success", no entry matched the search criteria, while in case of "noSuchObject" one search criterium, the searchBase, was inappropriate.
</div><br>I agree. Client software should behave differently under an error condition than it would with an empty search result. That's why this discussion is not trivial or nonsense.
<br><br>> I concur that this whole discussion is a little nonsense, as I believe the expected behavior is so well explained in RFC 4511, which is the sole authoritative source of information for this topic, that there is no point in discussing it any further. Also, I believe many implementations 'round do not conform yet to RFC 451*, as they might still conform to RFC 225* (like OpenLDAP 2.3 itself). However, I don't see much difference with respect to this issue.
<br>>
<br>> p.
<br>>
<br><br>Ah, but the expected behavior is *not* well explained in this case. Appendix A only has this for the description of noSuchObject:
<br><br>"Indicates that the object does not exist in the DIT."
<br><br>Well, *which* object? It's not too much of a stretch to interpret that as "the object for which you were searching does not exist". In which case the server developer might feel justified in returning noSuchObject for an empty search.
<br><br>I believe that the interpretation should be that an object for a supplied DN (i.e., the bind DN or the search base) doesn't exist. You don't know the DN of the object you are searching for, so you haven't supplied it. Therefore the noSuchObject shouldn't be returned. But just because I & others interpret it that way doesn't mean it's clear to everyone.
<br><br>There should either be wording to specify that an empty search should or must not return noSuchObject, or the definition of that result code should be worded more explicitly to remove the ambiguity.
<br><br> -paul
<br><br>- --
<br>Paul D. Engle | Rice University
<br>Sr. Systems Adminstrator, RHCE | Information Technology - MS119
<br>713-348-4702 | PO Box 1892
<br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015970&i=3" target="_top" rel="nofollow">pengle@...</a> | Houston, TX 77251-1892
<br>-----BEGIN PGP SIGNATURE-----
<br>Version: GnuPG v1.4.7 (MingW32)
<br><br>iD8DBQFI91e6CpkISWtyHNsRAlTzAJ4l48g+/hPqHKRle511h9ON3wkkTgCgtXwu
<br>QLQUYn5flFQyPim22ZvCnMs=
<br>=guBu
<br>-----END PGP SIGNATURE-----
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20015268Re: LDAP Error 32 v/s Empty Result Set2008-10-16T07:29:54Z2008-10-16T07:29:54ZPierangelo Masarati<br>----- "Michael Ströder" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015268&i=0" target="_top" rel="nofollow">michael@...</a>> wrote:
<br><div class='shrinkable-quote'><br>> Pierangelo Masarati wrote:
<br>> > ----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015268&i=1" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br>> >
<br>> >>
<br>> <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br>> >
<br>> > Iinternet Drafts are not authoritative sources of information.
<br>> They
<br>> > should never cited except as work-in-progress. No one seems to be
<br>> > questioning that noSuchObject is a legitimate response code for
<br>> LDAP
<br>> > searches. The point is whether noSuchObject is appropriate for a
<br>> > search whose searchBase exists.
<br>>
<br>> I wonder why that's such a big issue at all. When implementing LDAP
<br>> client software one has to handle noSuchObject and an empty result
<br>> set
<br>> anyway. In most cases the handling is mainly the same.
</div><br>Let me disagree: from an implementation point of view, it depends on what a client is supposed to do. If the client's task is over after the search response is returned, I might agree. But in any case, from a(n informed) user's perspective, the two responses are not the same. In case of "success", no entry matched the search criteria, while in case of "noSuchObject" one search criterium, the searchBase, was inappropriate. I concur that this whole discussion is a little nonsense, as I believe the expected behavior is so well explained in RFC 4511, which is the sole authoritative source of information for this topic, that there is no point in discussing it any further. Also, I believe many implementations 'round do not conform yet to RFC 451*, as they might still conform to RFC 225* (like OpenLDAP 2.3 itself). However, I don't see much difference with respect to this issue.
<br><br>p.
<br><br><br>Ing. Pierangelo Masarati
<br>OpenLDAP Core Team
<br><br>SysNet s.r.l.
<br>via Dossi, 8 - 27100 Pavia - ITALIA
<br><a href="http://www.sys-net.it" target="_top" rel="nofollow">http://www.sys-net.it</a><br>-----------------------------------
<br>Office: +39 02 23998309
<br>Mobile: +39 333 4963172
<br>Fax: +39 0382 476497
<br>Email: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20015268&i=2" target="_top" rel="nofollow">ando@...</a>
<br>-----------------------------------
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20009470Re: LDAP Error 32 v/s Empty Result Set2008-10-16T01:37:43Z2008-10-16T01:37:43ZMichael StröderPierangelo Masarati wrote:
<br>> ----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20009470&i=0" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br>>
<br>>> <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br>>
<br>> Iinternet Drafts are not authoritative sources of information. They
<br>> should never cited except as work-in-progress. No one seems to be
<br>> questioning that noSuchObject is a legitimate response code for LDAP
<br>> searches. The point is whether noSuchObject is appropriate for a
<br>> search whose searchBase exists.
<br><br>I wonder why that's such a big issue at all. When implementing LDAP
<br>client software one has to handle noSuchObject and an empty result set
<br>anyway. In most cases the handling is mainly the same.
<br><br>Ciao, Michael.
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20009207Re: LDAP Error 32 v/s Empty Result Set2008-10-16T01:19:00Z2008-10-16T01:19:00ZEmmanuel Lecharny-3> ----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20009207&i=0" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br>>
<br>> > <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br>>
<br>> Iinternet Drafts are not authoritative sources of information. They should never cited except as work-in-progress. No one seems to be questioning that noSuchObject is a legitimate response code for LDAP searches.
<br><br>It seems that Agarwal's LDAP admins are questionning this simple fact :)
<br><br>> The point is whether noSuchObject is appropriate for a search whose searchBase exists.
<br><br>That's pretty clear it's not appropriate, RFC draft of not. However,
<br>it's still better to expose the fact that this point is being
<br>clarified in a RFC draft, for those who haven't been read extensively
<br>all the LDAP RFCs. May be the official drafts are not clear enough,
<br>too.
<br><div class='shrinkable-quote'><br>> Ing. Pierangelo Masarati
<br>> OpenLDAP Core Team
<br>>
<br>> SysNet s.r.l.
<br>> via Dossi, 8 - 27100 Pavia - ITALIA
<br>> <a href="http://www.sys-net.it" target="_top" rel="nofollow">http://www.sys-net.it</a><br>> -----------------------------------
<br>> Office: +39 02 23998309
<br>> Mobile: +39 333 4963172
<br>> Fax: +39 0382 476497
<br>> Email: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20009207&i=1" target="_top" rel="nofollow">ando@...</a>
<br>> -----------------------------------
<br>>
<br>>
</div><br><br>--
<br>Regards,
<br>Cordialement,
<br>Emmanuel Lécharny
<br>www.iktek.com
<br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20008273Re: LDAP Error 32 v/s Empty Result Set2008-10-16T00:03:54Z2008-10-16T00:03:54ZPierangelo Masarati<br>----- "Emmanuel Lecharny" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20008273&i=0" target="_top" rel="nofollow">elecharny@...</a>> wrote:
<br><br>> <a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br><br>Iinternet Drafts are not authoritative sources of information. They should never cited except as work-in-progress. No one seems to be questioning that noSuchObject is a legitimate response code for LDAP searches. The point is whether noSuchObject is appropriate for a search whose searchBase exists.
<br><br>p.
<br><br><br>Ing. Pierangelo Masarati
<br>OpenLDAP Core Team
<br><br>SysNet s.r.l.
<br>via Dossi, 8 - 27100 Pavia - ITALIA
<br><a href="http://www.sys-net.it" target="_top" rel="nofollow">http://www.sys-net.it</a><br>-----------------------------------
<br>Office: +39 02 23998309
<br>Mobile: +39 333 4963172
<br>Fax: +39 0382 476497
<br>Email: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20008273&i=1" target="_top" rel="nofollow">ando@...</a>
<br>-----------------------------------
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20000861Re: LDAP Error 32 v/s Empty Result Set2008-10-15T12:44:51Z2008-10-15T12:44:51ZEmmanuel Lecharny-3Paul Engle wrote:
<div class='shrinkable-quote'><br>> -----BEGIN PGP SIGNED MESSAGE-----
<br>> Hash: SHA1
<br>>
<br>>
<br>> Dieter beat me to the punch on citing RFC 4511 as the authoritative source for information. However, it doesn't really give guidelines on what result code to return for this (or any) situation.
<br>>
<br>> Appendix A of the same RFC also gives short descriptions of the result codes, breaking them down into "Non-Error Result Codes" and "Result Codes". Code 32 falls into the latter. Since that group is not "Non-Error", I would tend to interpret it to mean that those codes *are* errors.
<br>>
<br>> Not finding what you were searching for is not, in my opinion, a protocol error. To return an error code for a successful search operation doesn't seem right to me. Every LDAP directory I've worked with returns a Success (0) for an empty search result.
<br>>
</div><br><a href="http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt" target="_top" rel="nofollow">http://www.watersprings.org/pub/id/draft-just-ldapv3-rescodes-02.txt</a><br><br>5.2.2.2.1noSuchObject(32)
<br><br> Applicable operations: all except for Bind.
<br><br> This error should only be returned if the target object cannot be
<br> found. For example, in a search operation if the search base can not
<br> be located in the DSA the server should return noSuchObject. If,
<br> however, the search base is found but does not match the search
<br> filter, success, with no resultant objects, should be returned
<br> instead of noSuchObject.
<br><br>--
<br>--
<br>cordialement, regards,
<br>Emmanuel Lécharny
<br>www.iktek.com
<br>directory.apache.org
<br><br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20000795Re: LDAP Error 32 v/s Empty Result Set2008-10-15T12:40:31Z2008-10-15T12:40:31ZPaul Engle-----BEGIN PGP SIGNED MESSAGE-----
<br>Hash: SHA1
<br><br><br>Dieter beat me to the punch on citing RFC 4511 as the authoritative source for information. However, it doesn't really give guidelines on what result code to return for this (or any) situation.
<br><br>Appendix A of the same RFC also gives short descriptions of the result codes, breaking them down into "Non-Error Result Codes" and "Result Codes". Code 32 falls into the latter. Since that group is not "Non-Error", I would tend to interpret it to mean that those codes *are* errors.
<br><br>Not finding what you were searching for is not, in my opinion, a protocol error. To return an error code for a successful search operation doesn't seem right to me. Every LDAP directory I've worked with returns a Success (0) for an empty search result.
<br><br> -paul
<br><br>- --
<br>Paul D. Engle | Rice University
<br>Sr. Systems Adminstrator, RHCE | Information Technology - MS119
<br>713-348-4702 | PO Box 1892
<br><a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=0" target="_top" rel="nofollow">pengle@...</a> | Houston, TX 77251-1892
<br><br><br>- --On Wednesday, October 15, 2008 12:22 PM -0400 "Agarwal, Sharad" <<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=1" target="_top" rel="nofollow">Sharad.Agarwal@...</a>> wrote:
<br><div class='shrinkable-quote'><br>> Thanks Joe. Appreciate your patience.
<br>>
<br>> Is there some kind of authoritative source I could cite when I have this
<br>> discussion with the LDAP administrators? They are just telling me that
<br>> the application should handle the error and that LDAP Error 32 is 'No
<br>> Such Object'. And since there is no (uid=foo) object, it is standards
<br>> compliant behavior for the server to return LDAP Error 32.
<br>>
<br>> Thanks,
<br>> Sharad
<br>>
<br>> -----Original Message-----
<br>> From: joe [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=2" target="_top" rel="nofollow">joe@...</a>]
<br>> Sent: Wednesday, October 15, 2008 12:19 PM
<br>> To: Agarwal, Sharad; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=3" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=4" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>> Good example. I would say the LDAP server was sending back a
<br>> non-standard
<br>> response for that situation then.
<br>>
<br>> joe
<br>>
<br>> --
<br>> O'Reilly Active Directory Third Edition -
<br>> <a href="http://www.joeware.net/win/ad3e.htm" target="_top" rel="nofollow">http://www.joeware.net/win/ad3e.htm</a><br>>
<br>>
<br>> -----Original Message-----
<br>> From: Agarwal, Sharad [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=5" target="_top" rel="nofollow">Sharad.Agarwal@...</a>]
<br>> Sent: Wednesday, October 15, 2008 12:17 PM
<br>> To: joe; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=6" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=7" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>> Hi Joe,
<br>>
<br>> Thank you for elaborating on that.
<br>>
<br>> I think I was asking too generic a question. Here are two specific
<br>> queries
<br>> to the Oracle Virtual Directory server, both using the same bind
<br>> information. One succeeds, the other fails. The only difference between
<br>> the
<br>> two is that one is searching for (uid=vgnadmin) and the other for
<br>> (uid=foo).
<br>>
<br>> Query:
<br>> ~~~~
<br>> String searchBase = "ou=People,dc=fmr,dc=com";
<br>> String searchFilter = "(uid=vgnadmin)"; //WORKS ~~~~
<br>>
<br>> Output:
<br>> ~~~~
<br>> LDAPEntry: uid=vgnadmin,ou=People,dc=fmr,dc=com; LDAPAttributeSet:
<br>> LDAPAttribute: {type='cn', value='vgnadmin, VDS'} ~~~~
<br>>
<br>> Query:
<br>> ~~~~
<br>> String searchBase = "ou=People,dc=fmr,dc=com";
<br>> String searchFilter = "(uid=foo)"; //FAILS ~~~~
<br>>
<br>> Output:
<br>> ~~~~
<br>> Error: LDAPException: No Such Object (32) No Such Object
<br>> LDAPException: Server Message: LDAP Error 32 : No Such Object ~~~~
<br>>
<br>> -----Original Message-----
<br>> From: joe [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=8" target="_top" rel="nofollow">joe@...</a>]
<br>> Sent: Wednesday, October 15, 2008 11:27 AM
<br>> To: Agarwal, Sharad; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=9" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=10" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>> Does a base level search with a filter of objectclass=* return the base
<br>> object or does it return an error? Alternately if you change your filter
<br>> to
<br>> objectclass=* and leave the rest of the query the same does it work?
<br>>
<br>> I could this being a problem with your search base as well as the DN
<br>> specified for the uniqueMember match. Either of which not existing or
<br>> you
<br>> not having access rights to see them.
<br>>
<br>> joe
<br>>
<br>>
<br>> --
<br>> O'Reilly Active Directory Third Edition -
<br>> <a href="http://www.joeware.net/win/ad3e.htm" target="_top" rel="nofollow">http://www.joeware.net/win/ad3e.htm</a><br>>
<br>>
<br>> -----Original Message-----
<br>> From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=11" target="_top" rel="nofollow">bounce-ldap-5210650@...</a>
<br>> [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=12" target="_top" rel="nofollow">bounce-ldap-5210650@...</a>] On Behalf Of
<br>> Agarwal,
<br>> Sharad
<br>> Sent: Wednesday, October 15, 2008 11:10 AM
<br>> To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=13" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=14" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>> Thanks Adam.
<br>>
<br>> My apologies, I should have been more clear on that front. Both the
<br>> searchBase and bind information is valid. The only thing out of order
<br>> (if we
<br>> can call it that) is that the search is for something that does not
<br>> exist.
<br>> Put another way, we are searching for an item that does not exist in the
<br>> searchBase.
<br>>
<br>> If the standard behavior for an LDAP server is to NOT give an error, can
<br>> you
<br>> please point me to an authoritative source that I could cite to the LDAP
<br>> administrators?
<br>>
<br>> Thanks,
<br>> Sharad
<br>>
<br>> -----Original Message-----
<br>> From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=15" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>
<br>> [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=16" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>] On Behalf Of Adam
<br>> Tauno Williams
<br>> Sent: Wednesday, October 15, 2008 11:04 AM
<br>> To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=17" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>>> Is it standard behavior for an LDAP server to respond with (LDAP Error
<br>>> 32) when a query is run that has no match?
<br>>
<br>> I suppose, if the specified searchBase does not exist or potentially if
<br>> the
<br>> simple bind fails (the latter isn't "correct" AFAIK, but I've seen it in
<br>> the
<br>> wild).
<br>>
<br>>> I tried a zero result query with the embedded LDAP Server (that comes
<br>>> with WebLogic). This query does not return LDAP Error 32, it just
<br>>> returns an empty result set.
<br>>>
<br>>> Code snippet:
<br>>> ~~~~
<br>>> int ldapVersion = LDAPConnection.LDAP_V3;
<br>>> int ldapPort = 27001;
<br>>> String ldapHost = "fesbosbgdd33v3";
<br>>> String loginDN =
<br>>> "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
<br>>> String password = "password masked";
<br>>> String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
<br>>> String searchFilter =
<br>>>
<br>> "(&(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomai
<br>>> n)(objectclass=groupOfUniqueNames))";
<br>>> ~~~~
<br>>
<br>> --
<br>> Consonance: an Open Source .NET OpenGroupware client.
<br>> Contact:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000795&i=18" target="_top" rel="nofollow">awilliam@...</a>
<br>> <a href="http://freshmeat.net/projects/consonance/" target="_top" rel="nofollow">http://freshmeat.net/projects/consonance/</a><br>>
<br>>
<br>>
<br>>
<br>>
<br>>
<br>>
<br>>
</div><br><br><br>-----BEGIN PGP SIGNATURE-----
<br>Version: GnuPG v1.4.7 (MingW32)
<br><br>iD8DBQFI9kcvCpkISWtyHNsRAu5SAJ908yiy3cT0Qq90DVWtJwjznWbl5gCgxiNb
<br>OUXuaW4Y1rl84cqp+eWMUw4=
<br>=ewtM
<br>-----END PGP SIGNATURE-----
<br><br><br><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-20000045Re: LDAP Error 32 v/s Empty Result Set2008-10-15T09:38:12Z2008-10-15T09:38:12ZdpuryearPerhaps you should give some actual examples of the DIT and some queries
<br>via ldapsearch. That may help. :)
<br><br>--
<br>Dustin Puryear
<br>President and Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a><br><br>Author, "Best Practices for Managing Linux and UNIX Servers"
<br> <a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a><br><br><br>Agarwal, Sharad wrote:
<div class='shrinkable-quote'><br>> Thanks Adam.
<br>>
<br>> My apologies, I should have been more clear on that front. Both the
<br>> searchBase and bind information is valid. The only thing out of order
<br>> (if we can call it that) is that the search is for something that does
<br>> not exist. Put another way, we are searching for an item that does not
<br>> exist in the searchBase.
<br>>
<br>> If the standard behavior for an LDAP server is to NOT give an error, can
<br>> you please point me to an authoritative source that I could cite to the
<br>> LDAP administrators?
<br>>
<br>> Thanks,
<br>> Sharad
<br>>
<br>> -----Original Message-----
<br>> From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000045&i=0" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>
<br>> [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000045&i=1" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>] On Behalf Of Adam
<br>> Tauno Williams
<br>> Sent: Wednesday, October 15, 2008 11:04 AM
<br>> To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=20000045&i=2" target="_top" rel="nofollow">ldap@...</a>
<br>> Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br>>
<br>>> Is it standard behavior for an LDAP server to respond with (LDAP Error
<br>>> 32) when a query is run that has no match?
<br>>
<br>> I suppose, if the specified searchBase does not exist or potentially if
<br>> the simple bind fails (the latter isn't "correct" AFAIK, but I've seen
<br>> it in the wild).
<br>>
<br>>> I tried a zero result query with the embedded LDAP Server (that comes
<br>>> with WebLogic). This query does not return LDAP Error 32, it just
<br>>> returns an empty result set.
<br>>>
<br>>> Code snippet:
<br>>> ~~~~
<br>>> int ldapVersion = LDAPConnection.LDAP_V3;
<br>>> int ldapPort = 27001;
<br>>> String ldapHost = "fesbosbgdd33v3";
<br>>> String loginDN =
<br>>> "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
<br>>> String password = "password masked";
<br>>> String searchBase = "ou=groups,ou=VgnLDAPRealm,dc=vgndomain";
<br>>> String searchFilter =
<br>>>
<br>> "(&(uniquemember=cn=Administrators,ou=groups,ou=VgnLDAPRealm,dc=vgndomai
<br>>> n)(objectclass=groupOfUniqueNames))";
<br>>> ~~~~
<br>>
</div><br><div class="signature">--
<br>Dustin Puryear
<br>President and Sr. Consultant
<br>Puryear Information Technology, LLC
<br>225-706-8414 x112
<br><a href="http://www.puryear-it.com" target="_top" rel="nofollow">http://www.puryear-it.com</a><br><br>Author, "Best Practices for Managing Linux and UNIX Servers"
<br> <a href="http://www.puryear-it.com/pubs/linux-unix-best-practices/" target="_top" rel="nofollow">http://www.puryear-it.com/pubs/linux-unix-best-practices/</a><br></div><p>From forum: <a href="http://www.nabble.com/LDAP-UMIch-List2-f14468.html" embed="fixTarget[14468]" target="_top" >LDAP UMIch List2</a></p>tag:www.nabble.com,2006:post-19999978Re: LDAP Error 32 v/s Empty Result Set2008-10-15T09:22:27Z2008-10-15T09:22:27ZAgarwal, SharadThanks Joe. Appreciate your patience.
<br><br>Is there some kind of authoritative source I could cite when I have this
<br>discussion with the LDAP administrators? They are just telling me that
<br>the application should handle the error and that LDAP Error 32 is 'No
<br>Such Object'. And since there is no (uid=foo) object, it is standards
<br>compliant behavior for the server to return LDAP Error 32.
<br><br>Thanks,
<br>Sharad
<br><br>-----Original Message-----
<br>From: joe [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=0" target="_top" rel="nofollow">joe@...</a>]
<br>Sent: Wednesday, October 15, 2008 12:19 PM
<br>To: Agarwal, Sharad; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=1" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=2" target="_top" rel="nofollow">ldap@...</a>
<br>Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br><br>Good example. I would say the LDAP server was sending back a
<br>non-standard
<br>response for that situation then.
<br><br> joe
<br>
<br>--
<br>O'Reilly Active Directory Third Edition -
<br><a href="http://www.joeware.net/win/ad3e.htm" target="_top" rel="nofollow">http://www.joeware.net/win/ad3e.htm</a>
<br>
<br><br>-----Original Message-----
<br>From: Agarwal, Sharad [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=3" target="_top" rel="nofollow">Sharad.Agarwal@...</a>]
<br>Sent: Wednesday, October 15, 2008 12:17 PM
<br>To: joe; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=4" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=5" target="_top" rel="nofollow">ldap@...</a>
<br>Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br><br>Hi Joe,
<br><br>Thank you for elaborating on that.
<br><br>I think I was asking too generic a question. Here are two specific
<br>queries
<br>to the Oracle Virtual Directory server, both using the same bind
<br>information. One succeeds, the other fails. The only difference between
<br>the
<br>two is that one is searching for (uid=vgnadmin) and the other for
<br>(uid=foo).
<br><br>Query:
<br>~~~~
<br> String searchBase = "ou=People,dc=fmr,dc=com";
<br> String searchFilter = "(uid=vgnadmin)"; //WORKS ~~~~
<br><br>Output:
<br>~~~~
<br>LDAPEntry: uid=vgnadmin,ou=People,dc=fmr,dc=com; LDAPAttributeSet:
<br>LDAPAttribute: {type='cn', value='vgnadmin, VDS'} ~~~~
<br><br>Query:
<br>~~~~
<br> String searchBase = "ou=People,dc=fmr,dc=com";
<br> String searchFilter = "(uid=foo)"; //FAILS ~~~~
<br><br>Output:
<br>~~~~
<br>Error: LDAPException: No Such Object (32) No Such Object
<br>LDAPException: Server Message: LDAP Error 32 : No Such Object ~~~~
<br><br>-----Original Message-----
<br>From: joe [mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=6" target="_top" rel="nofollow">joe@...</a>]
<br>Sent: Wednesday, October 15, 2008 11:27 AM
<br>To: Agarwal, Sharad; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=7" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=8" target="_top" rel="nofollow">ldap@...</a>
<br>Subject: RE: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br><br>Does a base level search with a filter of objectclass=* return the base
<br>object or does it return an error? Alternately if you change your filter
<br>to
<br>objectclass=* and leave the rest of the query the same does it work?
<br><br>I could this being a problem with your search base as well as the DN
<br>specified for the uniqueMember match. Either of which not existing or
<br>you
<br>not having access rights to see them.
<br><br> joe
<br><br>
<br>--
<br>O'Reilly Active Directory Third Edition -
<br><a href="http://www.joeware.net/win/ad3e.htm" target="_top" rel="nofollow">http://www.joeware.net/win/ad3e.htm</a>
<br>
<br><br>-----Original Message-----
<br>From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=9" target="_top" rel="nofollow">bounce-ldap-5210650@...</a>
<br>[mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=10" target="_top" rel="nofollow">bounce-ldap-5210650@...</a>] On Behalf Of
<br>Agarwal,
<br>Sharad
<br>Sent: Wednesday, October 15, 2008 11:10 AM
<br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=11" target="_top" rel="nofollow">adam@...</a>; <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=12" target="_top" rel="nofollow">ldap@...</a>
<br>Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br><br>Thanks Adam.
<br><br>My apologies, I should have been more clear on that front. Both the
<br>searchBase and bind information is valid. The only thing out of order
<br>(if we
<br>can call it that) is that the search is for something that does not
<br>exist.
<br>Put another way, we are searching for an item that does not exist in the
<br>searchBase.
<br><br>If the standard behavior for an LDAP server is to NOT give an error, can
<br>you
<br>please point me to an authoritative source that I could cite to the LDAP
<br>administrators?
<br><br>Thanks,
<br>Sharad
<br><br>-----Original Message-----
<br>From: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=13" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>
<br>[mailto:<a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=14" target="_top" rel="nofollow">bounce-ldap-5778666@...</a>] On Behalf Of Adam
<br>Tauno Williams
<br>Sent: Wednesday, October 15, 2008 11:04 AM
<br>To: <a href="http://www.nabble.com/user/SendEmail.jtp?type=post&post=19999978&i=15" target="_top" rel="nofollow">ldap@...</a>
<br>Subject: [ldap] Re: LDAP Error 32 v/s Empty Result Set
<br><br>> Is it standard behavior for an LDAP server to respond with (LDAP Error
<br>> 32) when a query is run that has no match?
<br><br>I suppose, if the specified searchBase does not exist or potentially if
<br>the
<br>simple bind fails (the latter isn't "correct" AFAIK, but I've seen it in
<br>the
<br>wild).
<br><div class='shrinkable-quote'><br>> I tried a zero result query with the embedded LDAP Server (that comes
<br>> with WebLogic). This query does not return LDAP Error 32, it just
<br>> returns an empty result set.
<br>>
<br>> Code snippet:
<br>> ~~~~
<br>> int ldapVersion = LDAPConnection.LDAP_V3;
<br>> int ldapPort = 27001;
<br>> String ldapHost = "fesbosbgdd33v3";
<br>> String loginDN =
<br>> "uid=vgnadmin,ou=people,ou=VgnLDAPRealm,dc=vgndomain";
<br>> String password = "password masked";
<br>> String searchBase =