"Consider green lakes...
.....and the idiocy of clocks...
Someone shot nostalgia in the back...
Someone shot our innocence...and all our colours have run..."
-Bauhaus, _Who Killed Mr. Moonlight_
Alas, I consider none of these things, I am building an LDAP schema via a vastly more iterative process than I enjoy.
Most of my familiarity is with Netscape Directory Server, and I'm just learning OpenLDAP's server. That's not the difficulty, however-- the difficulty is that I've been asked to "just get something up" without regard to schema design. I know of at least 3 custom attributes that will be required within the first few days of use, and undoubtedly more will be designed.
The right thing to do would be to take some combination of the IMPP draft, my own work on Internet Presence Server requirements, and the new fodder from IMUnify, figure out which to use as a base class, and cast in attributes (clearly labeled!) from the other two.
Not to mention either differentiating between servers and clients (ok), enabling server placeholders for clients for P2P (better) or actually DESIGNING a real schema that allows both P2P and C2S2C and has affordances for being a searchable directory with some kind of meaning (best!!!).
And folding in OpenDirectory and possibly some other categorization systems (Z39.50?). And designing a schema that can handle being scaled between multiple servers, is differently mastered depending on whether the section of the tree is doing frequent updates (DBMS w/ldap query front-end and backflow replication) or is mostly query-only (normal slave servers).
But I'm not allowed to do any of that right now, since we are rushing towards a demo deadline. I know what it's going to be like to pick up the pieces afterward, but I have to let other people learn that. I verbally offered some alternatives, but will allow the chain of command to tangle around our legs until we learn not to stumble.
It's part of being a team player-- tell people what they're doing wrong, show people what they're doing wrong, but ultimately if they choose to do it you can either leave or go with it. It won't be too bad a learning experience, it just annoys me that we have to have it when we could be getting so much done. Sigh.
"Lighting up LDAP: a programmer's guide to directory development, Part 1" is a pretty ok getting started guide, but don't listen when they tell you to go back to an "o=MyOrg, c=mycountry" kinda thing unless you really want to interoperate with X.big-n-ugly.
If you're playing dot-com and want to use the recently suggested heresies, "dc=mydomain, dc=myTLD", you'll need to modify your ldapsearch query from what's in the document also.
/usr/local/bin/ldapsearch -L -s base -b "cn=monitor" "objectclass=*"
should work for you.
While we're at it, some useful content (why not?):
-----------------------
/usr/local/libexec/slapd to invoke the server (as root!)
cat /usr/local/var/slapd.pid for the PID of the server.
LDAP is on port 389.
/usr/local/etc/openldap is where the conf files live.
/usr/local/etc/openldap/slapd.conf is the main config file.
-----------------------
To get the list of variables and see that slapd is up:
/usr/local/bin/ldapsearch -L -s base -b "cn=monitor" "objectclass=*"
Returns the output:
dn: CN=MONITOR
version: slapd 1.2.11-Release (Wed Sep 6 16:16:49 CDT 2000)
threads: 1
connection: 7 : 20000907041638Z : 2 : 1 : cn=Manager, dc=mydomain, dc=net :
currentconnections: 1
totalconnections: 2
dtablesize: 1024
writewaiters: 0
readwaiters: 0
opsinitiated: 5
opscompleted: 4
entriessent: 0
bytessent: 42
currenttime: 20000907041638Z
starttime: 20000907041330Z
nbackends: 1
NOTE-- if access control is turned on in the slapd.conf, you will
not get any response to this ldapsearch!
You will have to bind to the server as a valid user and give a password.
If the password is "secret", here is how to do it in plain text (not recommended).
/usr/local/bin/ldapsearch -L -D "cn=Manager, dc=mydomain, dc=net" -w "secret" -s base -b "cn=monitor" "objectclass=*"
A smarter thing to do is use -W instead of -w "passwd", and you will be
prompted to enter the password.
/usr/local/bin/ldapsearch -L -D "cn=Manager, dc=mydomain, dc=net" -W -s base -b "cn=monitor" "objectclass=*"
Enter LDAP Password:
dn: CN=MONITOR
version: slapd 1.2.11-Release (Wed Sep 6 16:16:49 CDT 2000)
threads: 1
connection: 7 : 20000907041638Z : 2 : 1 : cn=Manager, dc=mydomain, dc=net :
currentconnections: 1
(and so on)
OK, so you can tell by the bind info on the connection that I used the same cut and paste for both those examples. Oh well. Life's tough. :-)
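A password given with -w ends up in shell history and can be visible in the process list, which is the practical reason to prefer -W. The Python sketch below is an added example, not part of the original post: it scans history (or `ps` output) lines for LDAP client commands carrying an inline -w password and reports them with the value redacted. The function names and the sample history lines are constructed for illustration.

```python
import shlex

# OpenLDAP client tools that take the bind password as "-w <password>".
LDAP_TOOLS = {"ldapsearch", "ldapmodify", "ldapadd", "ldapdelete"}

def redact_inline_password(command_line):
    """Return the command with its -w value redacted, or None if the line is
    not an LDAP client call with a password on the command line."""
    try:
        argv = shlex.split(command_line)
    except ValueError:                 # unbalanced quotes: not a full command
        return None
    if not argv or argv[0].rsplit("/", 1)[-1] not in LDAP_TOOLS:
        return None
    out, found, i = [], False, 0
    while i < len(argv):
        arg = argv[i]
        if arg == "-w" and i + 1 < len(argv):       # form: -w secret
            out += ["-w", "REDACTED"]
            found, i = True, i + 2
            continue
        if arg.startswith("-w") and len(arg) > 2:   # form: -wsecret
            out.append("-wREDACTED")
            found = True
        else:                                        # includes -W (prompt)
            out.append(arg)
        i += 1
    return shlex.join(out) if found else None

def audit(lines):
    """Return (line_number, redacted_command) for each offending line."""
    hits = []
    for number, line in enumerate(lines, 1):
        redacted = redact_inline_password(line.strip())
        if redacted:
            hits.append((number, redacted))
    return hits

# Constructed sample history, built from the commands shown in the post.
SAMPLE_HISTORY = [
    '/usr/local/bin/ldapsearch -L -s base -b "cn=monitor" "objectclass=*"',
    '/usr/local/bin/ldapsearch -L -D "cn=Manager, dc=mydomain, dc=net" -w "secret" -s base -b "cn=monitor" "objectclass=*"',
    '/usr/local/bin/ldapsearch -L -D "cn=Manager, dc=mydomain, dc=net" -W -s base -b "cn=monitor" "objectclass=*"',
    'ldapmodify -D "cn=Manager, dc=mydomain, dc=net" -wsecret -f add.ldif',
    'grep -w secret notes.txt',
]

if __name__ == "__main__":
    for number, command in audit(SAMPLE_HISTORY):
        print(f"line {number}: inline bind password: {command}")
```

Any password the audit finds should be treated as exposed and changed, since it has already been written to disk in clear text.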
And I need to get back to work. At least I can listen to snarly music on the headphones while shooting myself in the foot with hypoallergenic plastic pellets. No real damage is done, but I keep thinking "gee, if only I was doing something a bit more productive with my time". That'll come later, when we give the marketing folks their dogfood and send them off to play in traffic.
All our dreams have melted down,
hiding in the bushes...
dead men doing Douglas Fairbanks stunts.
We can't paint any pictures as the moon had all our brushes...
extracting wasps from stings in flight,
who killed Mr. Moonlight?
...in the shadow of his smile..."