[Fedora-directory-users] Need to escape space when adding referrals from scripts?

Ryan Braun [ADS] ryan.braun at ec.gc.ca
Wed Sep 24 21:05:00 UTC 2008


I have a Perl script I've been working on to set up replication. The replication works great for replication from master to master. But I've been running into problems with dedicated consumers and their referrals.

If I disable the add_replica_referral sub in my script, and let fds handle the referrals on the fly, it works (go figure :) ). But it doesn't set it up how I want, so I need to customize it. It seems like when I set the referrals manually via Perl, the space in the URL of the referral is causing the whole DN of the update to get truncated as soon as it detects a space. Here is what I mean.

The following snippets are from myself updating an object on the consumer and it failing.  All referrals have been created from my script.  Not sure what the nsdisablerole is doing...

On the dedicated consumer
[24/Sep/2008:19:58:50 +0000] conn=14 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:19:58:51 +0000] conn=14 op=0 RESULT err=0 tag=97 nentries=0 etime=1 dn="cn=directory manager"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 SRCH base="uid=goodgut,ou=People, dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="nscpEntryDN nsICQStatusText nsAIMStatusText copiedFrom passwordExpirationTime passwordAllowChangeTime nsICQStatusGraphic hasSubordinates nsRole nsRoleDN aci modifyTimestamp passwordExpWarned nsAccountLock nsAIMStatusGraphic nsds5ReplConflict nsIdleTimeout pwdpolicysubentry nsLookThroughLimit nsSizeLimit entryid nsUniqueId passwordRetryCount dncomp creatorsName nsSchemaCSN passwordGraceUserTime nsYIMStatusGraphic nsTimeLimit entrydn copyingFrom subschemaSubentry accountUnlockTime createTimestamp numSubordinates passwordHistory retryCountResetTime parentid ldapSchemas ldapSyntaxes modifiersName nsYIMStatusText nsBackendSuffix * aci"
[24/Sep/2008:19:58:51 +0000] conn=14 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="nsslapd-suffix nsBackendSuffix"
[24/Sep/2008:19:58:51 +0000] conn=14 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 SRCH base="cn=nsdisabledrole,dc=xxx,dc=ec,dc=gc,dc=ca" scope=0 filter="(|(objectClass=*)(objectClass=ldapsubentry))" attrs="cn userPassword nsRole nsRoleDN objectClass nsAccountLock"
[24/Sep/2008:19:58:51 +0000] conn=14 op=3 RESULT err=32 tag=101 nentries=0 etime=0
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:19:58:56 +0000] conn=14 op=4 RESULT err=10 tag=103 nentries=0 etime=0


On the MMR server
[24/Sep/2008:19:58:57 +0000] conn=59 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:19:58:57 +0000] conn=59 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 MOD dn="uid=goodgut,ou=people,dc=xxx,"
[24/Sep/2008:19:58:57 +0000] conn=59 op=1 RESULT err=32 tag=103 nentries=0 etime=0
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 UNBIND
[24/Sep/2008:19:58:57 +0000] conn=59 op=2 fd=70 closed - U1

You can see in the mod request, it's not getting the whole DN; it seems to truncate it at the first space it detects.


Here are the referral entries from the consumer
xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca
nsDS5ReplicaReferral: ldap://xxxdmns0:389/dc=xxx, dc=ec, dc=gc, dc=ca


If I blow away the rep agreement,  and create it from the console,  the referrals work fine and look like so.

[24/Sep/2008:20:17:29 +0000] conn=60 fd=70 slot=70 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 BIND dn="cn=Directory Manager" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=60 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="cn=directory manager"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 MOD dn="uid=goodgut,ou=People,dc=xxx,dc=ec,dc=gc,dc=ca"
[24/Sep/2008:20:17:29 +0000] conn=60 op=1 RESULT err=0 tag=103 nentries=0 etime=0 csn=48daa05a000000010000
[24/Sep/2008:20:17:29 +0000] conn=61 fd=71 slot=71 connection from x.x.x.x to x.x.x.x
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 BIND dn="uid=RManager,cn=config" method=128 version=3
[24/Sep/2008:20:17:29 +0000] conn=61 op=0 RESULT err=0 tag=97 nentries=0 etime=0 dn="uid=rmanager,cn=config"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=1 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=2 SRCH base="" scope=0 filter="(objectClass=*)" attrs="supportedControl supportedExtension"
[24/Sep/2008:20:17:29 +0000] conn=61 op=2 RESULT err=0 tag=101 nentries=1 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 EXT oid="2.16.840.1.113730.3.5.3" name="Netscape Replication Start Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=3 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 EXT oid="2.16.840.1.113730.3.5.5" name="Netscape Replication End Session"
[24/Sep/2008:20:17:29 +0000] conn=61 op=4 RESULT err=0 tag=120 nentries=0 etime=0
[24/Sep/2008:20:17:29 +0000] conn=60 op=2 UNBIND

But the referrals look like they've been added with ASCII codes in the console.

xxxsrvr4:/etc/dirsrv/slapd-xxxsrvr4# ldapsearch -x -h xxxsrvr4 -D "cn=directory manager" -b "cn=config" -W "objectclass=*"|grep dmns
Enter LDAP Password:
nsslapd-referral: ldap://xxxdmns0.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
nsslapd-referral: ldap://xxxdmns1.xxx.ec.gc.ca:389/dc%3Dxxx%2C%20dc%3Dec%2C%20
xxxrvr4:/etc/dirsrv/slapd-xxxsrvr4#         

So my question is: do I need to convert the spaces in my referral entries to ASCII codes before creating the referral entries?

Here is the sub I use for reference.

sub add_replica_referral
{
	# adds referral to the multivalued attribute  nsDS5ReplicaReferral in dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
	# should only need to add this to a read only consumer!!
	# the first entry will be created automatically by the add_rep_object,  this will add more referrals

	# TODO add check to make sure the replica object exists,  otherwise it will fail silently and throw an err=32 no such object 
	# in the servers log.
	# LDAP_ALREADY_EXISTS below is exported by Net::LDAP::Constant
	my ($server, $server_port, $referral, $referral_port, $bind_pw) = @_;
	my ($ldap, $msg);

	# bind with the password passed in as $bind_pw
	if ( ($ldap = conn_bind($server,$server_port,$bind_pw)) eq 0 ) {
		print "\t*********** bind/connect failed to $server on port $server_port ***************\n";
		return 0;
	}
	print "Adding referral on $server back to $referral\n";

	# dn: cn=replica,cn="$config{BASE_DN}",cn=mapping tree,cn=config
	# nsDS5ReplicaReferral: ldap://xxxx:389/dc=xxx,dc=ec,dc=gc,dc=ca
	$msg = $ldap->modify("cn=replica,cn=\"$config{BASE_DN}\",cn=mapping tree,cn=config",
			add	=> { 'nsDS5ReplicaReferral' => "ldap://$referral:$referral_port/$config{BASE_DN}" });
	
	if ($msg->code == LDAP_ALREADY_EXISTS)
	{
		print "\t -> already exists\n\n";
	}


	disconnect($ldap);
}

Ryan
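
An added example, not part of the original post: an LDAP URL (RFC 4516) may not carry a raw space in its DN part, so a scripted referral value has to be percent-encoded the way the console-created values above are. The helper names referral_url and referral_dn are hypothetical, the sample values are constructed from the ldapsearch output in the post, and URI::Escape (from the URI distribution) is assumed to be installed.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use URI::Escape qw(uri_escape_utf8 uri_unescape);

# Build a referral value whose DN part is percent-encoded, so it holds
# no raw space (',' and '=' are encoded too, as the console does).
sub referral_url {
    my ($host, $port, $base_dn) = @_;
    return "ldap://$host:$port/" . uri_escape_utf8($base_dn);
}

# Return the DN a client recovers from a referral value, or nothing
# when the value is not a well-formed LDAP URL.
sub referral_dn {
    my ($url) = @_;
    # Raw whitespace, control or non-ASCII characters and the characters
    # a URL may never contain unescaped.
    return if $url =~ /[^\x21-\x7E]|["<>\\^`{|}]/;
    # A '%' must always introduce two hex digits.
    return if $url =~ /%(?![0-9A-Fa-f]{2})/;
    my ($enc) = $url =~ m{^ldaps?://[^/]*/([^?]*)}i or return;
    my $dn = uri_unescape($enc);
    utf8::decode($dn);    # percent-decoded bytes back to characters
    return $dn;
}

# Constructed sample values modelled on the ldapsearch output in the post.
my $base_dn = 'dc=xxx, dc=ec, dc=gc, dc=ca';
my @values  = (
    "ldap://xxxdmns0:389/$base_dn",             # as the script writes it
    referral_url('xxxdmns0', 389, $base_dn),    # percent-encoded form
);

for my $value (@values) {
    my $dn = referral_dn($value);
    printf "%s\n    %s\n", $value,
        defined $dn ? "ok, DN = $dn" : 'REJECT: DN part needs percent-encoding';
}

# In add_replica_referral the value would then be passed as (assumption:
# same variables as the sub above):
#   add => { 'nsDS5ReplicaReferral' =>
#            referral_url($referral, $referral_port, $config{BASE_DN}) }
```

Running the same referral_dn check over the nsslapd-referral and nsDS5ReplicaReferral values returned by ldapsearch shows which existing entries were written without encoding.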



