Hi,

I apologize that I am revisiting this topic yet again, but as we found out, double-quoted distinguished names are no longer possible in 1.2.0. We initially discovered the problem for the aliasedobjectname class, but it later turned out it's a fault with double-quoted DNs in general, and the schema violation we got for aliasedobjectname was because a double-quoted DN always leads, for some bizarre reason, to the creation of an attribute with the double-quoted part as the attr/value pair, so the schema violation was effect rather than cause. We are also fairly certain they worked prior to this, as we initially did some tests with 1.1.0, 1.1.2 and 1.1.3 without encountering any problems with this.

I was told in another thread that the double-quoted syntax is deprecated and that escapes should be used instead. Is it then safe to assume that the double-quoted style will not be fixed (or at least have extremely low priority)? We have some clients who sometimes give us LDIFs for adding to the directory, and they prefer the double-quoted syntax as more easily readable. I can write a convert script for them easily enough to handle the obvious cases, but I won't go through the effort if there is a chance this will be fixed one minor version down the road.
On Wed, 3 Jun 2009, tamarin p wrote:

> Hi,
>
> I apologize that I am revisiting this topic yet again, but as we found out,
> double-quoted distinguished names are no longer possible in 1.2.0. We
> initially discovered the problem for the aliasedobjectname class, but it
> later turned out it's a fault with double-quoted DNs in general, and the
> schema violation we got for aliasedobjectname was because a double-quoted DN
> always leads, for some bizarre reason, to the creation of an attribute with the
> double-quoted part as the attr/value pair, so the schema violation was
> effect rather than cause. We are also fairly certain they worked prior to
> this, as we initially did some tests with 1.1.0, 1.1.2 and 1.1.3 without
> encountering any problems with this.
>
> I was told in another thread that the double-quoted syntax is deprecated and
> that escapes should be used instead. Is it then safe to assume that the double-
> quoted style will not be fixed (or at least have extremely low priority)? We
> have some clients who sometimes give us LDIFs for adding to the directory,
> and they prefer the double-quoted syntax as more easily readable. I can
> write a convert script for them easily enough to handle the obvious cases, but
> I won't go through the effort if there is a chance this will be fixed one
> minor version down the road.

I just ran into the same problem, actually, and found one of your old mailing list posts on it; I'd been meaning to ask about it on the mailing list, so thanks for reminding me. :)

The ns-newpwpolicy.pl script creates double-quoted DNs, which are then impossible (AFAICT) to modify. In other words, if you follow the documented procedure for creating per-user or per-subtree password policies, it doesn't work because the policy container is created with a double-quoted DN.

In addition to the OP's question, what's the Right Thing to do with password policies? Will it work if I create the policy containers by hand with the hex escape syntax? Or do I need to create them by hand and populate them at creation time (since it's apparently still possible to _add_ entries with double-quoted DNs, just not modify them), and delete-and-recreate if I need to modify my policy?

Thanks!

Chris St. Pierre
Unix Systems Administrator
Nebraska Wesleyan University
2009/6/3 Chris St. Pierre <stpierre@nebrwesleyan.edu>

> On Wed, 3 Jun 2009, tamarin p wrote:
>
>> Hi,
>>
>> I apologize that I am revisiting this topic yet again, but as we found out,
>> double-quoted distinguished names are no longer possible in 1.2.0.
>
> I just ran into the same problem, actually, and found one of your old
> mailing list posts on it; I'd been meaning to ask about it on the
> mailing list, so thanks for reminding me. :)
>
> The ns-newpwpolicy.pl script creates double-quoted DNs, which are then
> impossible (AFAICT) to modify. In other words, if you follow the
> documented procedure for creating per-user or per-subtree password
> policies, it doesn't work because the policy container is created with
> a double-quoted DN.

Yes. fedora-idm-console does the same thing if you try to use that to manage policies.

> In addition to the OP's question, what's the Right Thing to do with
> password policies? Will it work if I create the policy containers by
> hand with the hex escape syntax? Or do I need to create them by hand
> and populate them at creation time (since it's apparently still
> possible to _add_ entries with double-quoted DNs, just not modify
> them), and delete-and-recreate if I need to modify my policy?

I don't know if this answers your question, but you don't really need the container entry at all. If you create a policy manually you can call the policy entry or container anything you want, or just skip the container. It won't be manageable with the console then (or the pl script, it's probably safe to assume), which may be undesirable for you, but the policy itself will work. The only requirement is to set pwdpolicysubentry=... to point to your custom policy for your users who won't use the default in cn=config, either directly on each user or, more likely, for the whole subtree using CoS pointers, the same way fedora-idm-console does it when you click on a subtree and choose to create a policy there.

I guess you could try to create a policy with the pl script or console, then export the policy entries to LDIF and modify them to use escaping instead of double quotes, then re-add them with ldapmodify after deleting the original entries, and see if the console/script can still "see" the policy. I would actually expect this to work if "cn=foo,dc=test,dc=com",dc=test,dc=com should be considered equal to dn: cn\=foo\,dc\=test\,dc\=com,dc=test,dc=com
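The original poster mentions writing a convert script for client LDIFs, and the reply above gives the escaped form `cn\=foo\,dc\=test\,dc\=com,dc=test,dc=com` that it expects the server to treat as the same DN as the double-quoted one. The script below is an added example, not code from this thread or from 389 Directory Server: it rewrites double-quoted RDN values on `dn:` lines and on the DN-valued attributes this thread discusses (`aliasedObjectName`, `pwdpolicysubentry`) into RFC 4514 backslash escapes, after unfolding LDIF continuation lines, and leaves base64 (`::`) and URL (`:<`) values alone. The sample LDIF embedded in it is constructed for the example; the attribute list, the decision to also escape `=` (permitted, and what the reply's example does), and all function names are my assumptions.

```python
import re

# RFC 4514 requires these characters to be backslash-escaped inside an RDN
# value. '=' is not required, but it is permitted and matches the escaped
# example given in the thread, so it is escaped here as well (assumption).
SPECIALS = set(',+"\\<>;=')

# Attribute types mentioned in this thread whose values are DNs
# (matched case-insensitively); extend this set for your own schema.
DN_ATTRS = {'aliasedobjectname', 'pwdpolicysubentry'}
DN_LINE_ATTRS = DN_ATTRS | {'dn'}

# A double-quoted RDN value; inside the quotes RFC 2253 allowed '\"' and '\\'.
QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


def escape_rdn_value(value):
    """Escape a raw RDN value in RFC 4514 backslash form (no quotes)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in SPECIALS:
            out.append('\\' + ch)
        elif ch == '#' and i == 0:                  # leading '#' would read as hex form
            out.append('\\#')
        elif ch == ' ' and (i == 0 or i == last):   # leading/trailing space
            out.append('\\ ')
        else:
            out.append(ch)
    return ''.join(out)


def convert_quoted_dn(dn):
    """Rewrite every "..." value in a DN string as a backslash-escaped value."""
    def repl(match):
        # Undo the \" and \\ escapes that were legal inside the quotes,
        # then re-escape the raw value the RFC 4514 way.
        raw = re.sub(r'\\(.)', r'\1', match.group(1))
        return escape_rdn_value(raw)
    return QUOTED.sub(repl, dn)


def unfold(text):
    """Join LDIF continuation lines (lines starting with a single space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def convert_ldif(text):
    """Convert quoted DNs on 'dn:' lines and on DN-valued attributes; every
    other line, including base64 ('::') and URL (':<') values, is kept as-is."""
    out = []
    for line in unfold(text):
        name, sep, value = line.partition(':')
        is_dn_line = bool(sep) and name.lower() in DN_LINE_ATTRS
        if is_dn_line and not value.startswith((':', '<')):
            out.append(f'{name}: {convert_quoted_dn(value.strip())}')
        else:
            out.append(line)
    return '\n'.join(out)


# Constructed sample LDIF (not from the thread): a policy entry whose RDN is a
# quoted DN, and a user whose pwdpolicysubentry points at it via a folded line.
SAMPLE_LDIF = """\
dn: "cn=foo,dc=test,dc=com",dc=test,dc=com
objectClass: top
objectClass: ldapsubentry
objectClass: passwordpolicy
cn: cn=foo,dc=test,dc=com
passwordMinLength: 8

dn: uid=alice,ou=people,dc=test,dc=com
objectClass: inetOrgPerson
uid: alice
pwdpolicysubentry: "cn=foo,dc=test,dc=com",
 dc=test,dc=com
"""

if __name__ == '__main__':
    print(convert_ldif(SAMPLE_LDIF))
```

The converter only touches lines whose attribute type is known to hold a DN, because a quoted string in an ordinary attribute value (a `description`, say) is data, not DN syntax. Whether the escaped and quoted forms really normalize to the same entry is exactly what the reply above proposes testing, so feed the converted LDIF to `ldapmodify` against a test instance and confirm the console still sees the policy before converting client files.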
2009/6/4 tamarin p <tamarinp@gmail.com>

> 2009/6/3 Chris St. Pierre <stpierre@nebrwesleyan.edu>
>
>> On Wed, 3 Jun 2009, tamarin p wrote:
>>
>>> Hi,
>>>
>>> I apologize that I am revisiting this topic yet again, but as we found
>>> out, double-quoted distinguished names are no longer possible in 1.2.0.

Any word on this? Should I file a bug in bugzilla for it, or are double-quoted DNs just gone forever?
tamarin p wrote:

> 2009/6/4 tamarin p <tamarinp@gmail.com <mailto:tamarinp@gmail.com>>
>
>> 2009/6/3 Chris St. Pierre <stpierre@nebrwesleyan.edu <mailto:stpierre@nebrwesleyan.edu>>
>>
>>> On Wed, 3 Jun 2009, tamarin p wrote:
>>>
>>>> Hi,
>>>>
>>>> I apologize that I am revisiting this topic yet again but
>>>> as we found out, double-quoted distinguished names are no longer possible
>>>> in 1.2.0.
>
> Any word on this? Should I file a bug in bugzilla for it, or are
> double-quoted DNs just gone forever?

Please file a bug. But note that the double-quoted behavior has been deprecated in LDAP for a long time.

> ------------------------------------------------------------------------
>
> --
> 389 users mailing list
> 389-users@redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-directory-users