Notes on Java, Solaris, PHP, LDAP…

August 22, 2008

Limitation of CN length in eDirectory

Filed under: Java — negev @ 8:42 am

Novell's eDirectory limits the length of a CN to 64 characters. That is enough for common objects.

However, in my application I auto-generated the CN from a long string. I wanted management groups for the user containers of a deep tree (5 levels, e.g. ou=Happy Branch,ou=Berlin,ou=DE,ou=Europe,o=Company). For practical and user-related reasons I didn't want to copy the container tree structure, so I created the objects at the same level, with the CN built from the container path in reverse, e.g. Europe-DE-Berlin-Happy Branch. But for some groups the CN exceeded 64 characters, and that failed. So I created region containers for them and then created the groups under those region containers, with a CN like DE-Berlin-Happy Branch. Problem solved!
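As an added example (not code from the original post), the naming scheme above in Python: the CN is built from the ou path in reverse, checked against the 64-character limit, and when it does not fit, the group goes under a region container and the region is dropped from the CN. The group base ou=Groups,o=Company and the second, long sample DN are assumptions made for the demonstration; the DN splitter only handles the \, escape, which is enough for container names like these.

```python
import re

CN_MAX = 64  # eDirectory's CN length limit, as described in the post


def split_dn(dn):
    """Split a DN into (attribute, value) pairs, leaf first.

    Handles the "\\," escape for commas inside values but no other DN escapes;
    good enough for the container names used here.
    """
    rdns = []
    for part in re.split(r'(?<!\\),', dn):
        attr, _, value = part.strip().partition('=')
        rdns.append((attr.strip().lower(), value.replace('\\,', ',')))
    return rdns


def group_placement(container_dn, groups_base, limit=CN_MAX):
    """Decide where the management group for container_dn goes.

    Returns (parent_dn, cn). The flat layout puts every group directly under
    groups_base with the CN built from the ou path in reverse, e.g.
    "Europe-DE-Berlin-Happy Branch". When that CN would exceed the limit,
    fall back to a region container named after the top-level ou and drop
    that component from the CN, e.g. "DE-Berlin-Happy Branch" under
    ou=Europe,<groups_base>.
    """
    ous = [value for attr, value in split_dn(container_dn) if attr == 'ou']
    path = list(reversed(ous))  # top-level region first
    flat_cn = '-'.join(path)
    if len(flat_cn) <= limit:
        return groups_base, flat_cn
    region, rest = path[0], path[1:]
    region_cn = '-'.join(rest)
    if len(region_cn) > limit:
        # A second level of containers would be the next step; the post did not need it.
        raise ValueError('CN still too long: %r' % region_cn)
    return 'ou=%s,%s' % (region, groups_base), region_cn


if __name__ == '__main__':
    base = 'ou=Groups,o=Company'  # assumed location of the flat group objects
    samples = (
        'ou=Happy Branch,ou=Berlin,ou=DE,ou=Europe,o=Company',
        # constructed long name that pushes the flat CN past 64 characters
        'ou=Some Very Long Branch Office Name Indeed,ou=Frankfurt am Main,ou=DE,ou=Europe,o=Company',
    )
    for dn in samples:
        parent, cn = group_placement(dn, base)
        print('%s -> cn=%s,%s (%d chars)' % (dn, cn, parent, len(cn)))
```

The separator is a plain hyphen, so an ou name that itself contains a hyphen makes the CN ambiguous to read back; that is fine as long as the CN is only a label and the real link to the container is kept elsewhere (for instance in a description attribute).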


May 13, 2008

Filtering via Perl on commandline to extract values

Filed under: Java — negev @ 3:16 pm

My superb admin showed me two tricks. He invokes perl and passes it the regular expression from the shell. Perl processes standard input and writes to standard output.

The first one collects all user emails and then gets their unique email domains. The second one collects the values of the LDAP attribute companyDomains and again gets their unique values.

mysql -h mysql-server -u user -ppassword db-name -e 'SELECT email FROM users' | perl -nle 'print $1 if /.*@(.*)/' | sort -u | wc -l

ldapsearch -x -h ldap-server -D "cn=readonly,o=services" -w password -b o=users "(objectClass=organizationalUnit)" companyDomains | grep -P '^companyDomains:' | perl -ple 's/^companyDomains: //;' | grep -Pv '^\d' | sort -u

Two caveats. Both commands put the password on the command line, where it shows up in the process list and in the shell history; mysql -p with no value attached prompts for it, and OpenLDAP's ldapsearch can prompt for it with -W or read it from a file with -y. And ldapsearch prints any value that starts or ends with a space, or contains non-ASCII characters, base64-encoded after a double colon (companyDomains:: ...); the s/^companyDomains: // step does not touch those, so they come out still encoded.

February 14, 2008

Filed under: Java — negev @ 7:12 pm

I use command-line ldapsearch a lot and today I've come across a user who had a really weird value of givenName:: S3Vhbmd5YSA=

The weird thing was that his given name was OK in another data source (the self-registration DB), and the entries in both the LDAP and the DB were populated in one go with the same data.

It turns out that is what you get when an LDAP value starts or ends with a space (or contains a character outside printable ASCII): the LDIF format that ldapsearch prints (RFC 2849) requires such values to be base64-encoded and marked with a double colon. That way you cannot miss the leading/trailing space, which would otherwise be invisible in a console window (unless you redirect the output to a file). The value itself looks OK in eDirectory's ConsoleOne (with the trailing space, of course).

My colleague pointed out that in LDAP output the double colon means the following data is Base64-encoded.
Command-line tools like b64decode (or base64 -d) can be used to decode the data. Also try
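As an added example that is not part of this post or the May 13 one, the following Python parses the LDIF that ldapsearch emits, joining folded lines and decoding the double-colon base64 values, and then does what the two one-liners from the May 13 post do (unique companyDomains values, unique mail domains), this time on the decoded values. The sample LDIF is constructed, apart from the givenName value from this post; the rule in needs_base64 is the RFC 2849 one that decides whether ldapsearch encodes a value at all.

```python
import base64


def _b64(text):
    """Base64 of a UTF-8 string, used only to build the constructed sample below."""
    return base64.b64encode(text.encode('utf-8')).decode('ascii')


# Constructed ldapsearch (LDIF) output, not real directory data. It has the
# base64 givenName from this post (a trailing space), a companyDomains value
# folded over two lines the way ldapsearch wraps long lines, one value with
# a leading space (encoded as ldapsearch would print it), and plain values.
SAMPLE_LDIF = (
    "dn: cn=kuangya,ou=users,o=company\n"
    "givenName:: S3Vhbmd5YSA=\n"
    "mail: kuangya@example.com\n"
    "\n"
    "dn: ou=Berlin,ou=DE,ou=Europe,o=company\n"
    "objectClass: organizationalUnit\n"
    "companyDomains: example.de\n"
    "companyDomains: very-long-subdomain-name-for-wrapping-purposes.example-corpor\n"
    " ation.de\n"
    "companyDomains:: " + _b64(" example.at") + "\n"
    "\n"
    "dn: cn=other,ou=users,o=company\n"
    "mail: other@EXAMPLE.ORG\n"
    "givenName: Other\n"
)


def parse_ldif(text):
    """Parse LDIF into a list of {attribute: [values]} dicts (dn included).

    Folded lines (continuations starting with one space) are joined first;
    values written as 'attr:: ...' are base64-decoded, so leading/trailing
    spaces and non-ASCII characters come back exactly as stored.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(' ') and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + ['']:          # the extra '' flushes the last entry
        if not line:
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith('#'):
            continue
        attr, _, rest = line.partition(':')
        if rest.startswith(':'):                      # attr:: base64
            value = base64.b64decode(rest[1:].strip()).decode('utf-8', 'replace')
        elif rest.startswith('<'):                    # attr:< URL, left unresolved
            value = rest
        else:                                         # attr: value
            value = rest[1:] if rest.startswith(' ') else rest
        current.setdefault(attr, []).append(value)
    return entries


def needs_base64(value):
    """RFC 2849's rule for when a value cannot be written as plain text:
    it starts with a space, ':' or '<', ends with a space, or contains NUL,
    CR, LF or any non-ASCII character. This is why 'Kuangya ' was encoded."""
    if not value:
        return False
    if value[0] in ' :<' or value[-1] == ' ':
        return True
    return any(ch in '\x00\r\n' or ord(ch) > 0x7f for ch in value)


def unique_values(entries, attr):
    """Sorted unique values of one attribute across all entries."""
    return sorted({v for e in entries for v in e.get(attr, [])})


def email_domains(entries):
    """Sorted unique, lower-cased domains of all mail values."""
    return sorted({v.rpartition('@')[2].lower()
                   for e in entries for v in e.get('mail', []) if '@' in v})


if __name__ == '__main__':
    parsed = parse_ldif(SAMPLE_LDIF)
    print(repr(parsed[0]['givenName'][0]))        # shows the trailing space
    print(unique_values(parsed, 'companyDomains'))
    print(email_domains(parsed))
```

Note that the leading-space value ' example.at' survives the round trip and sorts first; a grep-based pipeline would either drop it or keep it base64-encoded, which is exactly the kind of difference between two data sources this post is about.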

December 4, 2007

eDirectory LDAP – default rights and allowed values

Filed under: Uncategorized — negev @ 7:12 pm

Due to the default behaviour of LDAP/eDirectory, creating a group/container/object also adds an ACL entry on it for the user who created it, e.g.

ACL: 16#subtree#cn=User Name,ou=User Container,…,o=top-container#[Entry Rights]

The ACL value format is privileges#scope#subject DN#protected attribute; 16 is the Supervisor bit for entry rights, and with subtree scope the creator keeps full control of the new object and everything under it.


eDirectory (Novell's LDAP product) surprisingly allows a lot of special characters in string attribute values (such as the attribute 'description'), but it forbids the plus (+) character.

The following characters are OK, although some are not advisable if you want to compare the values in LDAP queries etc.: =,#()[]"'~\@:.-/!&*^ And some of them are not allowed in CN/OU or other naming attributes. The ones to watch: in a search filter, ( ) * and \ have to be escaped as \28 \29 \2a \5c (RFC 4515), and in a DN the characters , + " \ ; < > (plus a leading # or space and a trailing space) have to be backslash-escaped (RFC 4514); user input pasted unescaped into a filter or DN is a classic LDAP injection.
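As an added example (not from the original post), here is which of those characters need escaping where: escaping functions for filter values (RFC 4515) and DN values (RFC 4514), a report over the post's character list, and a filter builder that shows why it matters, since an unescaped uid such as *)(uid=* would turn a single-user lookup into a match on everyone. The ALLOWED string is the post's list; the function names and the sample inputs are mine.

```python
# Characters the post says eDirectory accepts in string attribute values.
ALLOWED = '=,#()[]"\'~\\@:.-/!&*^'

# Bytes that must be written as \XX inside a filter assertion value (RFC 4515).
FILTER_ESCAPES = b'\\*()\x00'

# Characters that must be backslash-escaped anywhere in a DN value (RFC 4514 2.4);
# a leading '#' or space and a trailing space are handled separately below.
DN_ESCAPES = '"+,;<>\\'


def escape_filter_value(value):
    """Escape an assertion value for an LDAP search filter (RFC 4515).

    Works on the UTF-8 bytes: backslash, '*', '(', ')', NUL and every
    non-ASCII byte become \\XX; everything else is passed through.
    """
    out = []
    for b in value.encode('utf-8'):
        if b in FILTER_ESCAPES or b > 0x7f:
            out.append('\\%02x' % b)
        else:
            out.append(chr(b))
    return ''.join(out)


def escape_dn_value(value):
    """Escape an attribute value for use in a DN or RDN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in DN_ESCAPES:
            out.append('\\' + ch)
        elif ch == '\x00':
            out.append('\\00')
        elif (i == 0 and ch in ' #') or (i == last and ch == ' '):
            out.append('\\' + ch)
        else:
            out.append(ch)
    return ''.join(out)


def build_user_filter(uid):
    """Filter for one user. The uid is escaped, so input such as '*)(uid=*'
    stays a literal string instead of widening the search (LDAP injection)."""
    return '(&(objectClass=person)(uid=%s))' % escape_filter_value(uid)


def where_escaping_needed(chars=ALLOWED):
    """Map each character to (needs escaping in a filter,
    needs escaping in the middle of a DN value)."""
    report = {}
    for ch in chars:
        in_dn = 'x%sx' % ch
        report[ch] = (escape_filter_value(ch) != ch,
                      escape_dn_value(in_dn) != in_dn)
    return report


if __name__ == '__main__':
    for ch, (in_filter, in_dn) in where_escaping_needed().items():
        print('%r  filter:%-5s dn:%s' % (ch, in_filter, in_dn))
    print(build_user_filter('*)(uid=*'))
```

Of the post's list, only ( ) * \ matter inside a filter and only , " \ matter inside a DN value; the + that eDirectory rejects outright is also a DN metacharacter (it separates the parts of a multi-valued RDN), which is a plausible reason for the restriction, though the post does not say so.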

November 18, 2007

Notes on MySQL, Novell eDirectory LDAP ACLs, XSLT, Mailtrap

Filed under: Uncategorized — negev @ 12:12 pm

9 Aug 07
MySQL Select & GROUP records with minimum value of a chosen column
SELECT, disposition, count( num_positions FROM offices, positions WHERE condition-on-office AND GROUP BY ORDER BY num_positions ASC LIMIT 8;

Novell eDirectory
– schema and attribute names
– how to change [ROOT] permissions to more specific permissions:
— When replacing [ROOT] by a specific DN, then remove [] brackets
— so instead of "2#entry#[ROOT]#member" you use "2#entry#o=MyCompanyName#member"

XSLT to concatenate strings
– use concat(first, second, …) rather than the + operator; + works only for numbers
– don't concatenate values/expressions with literal text in the stylesheet, because whitespace from the stylesheet can end up in the output, e.g.:
<xsl:value-of select="$logoName" />.gif

Using jEdit with files that are hard-linked at multiple locations
– in jEdit's options, unset: jEdit > General > Two-stage save (safer but resets file owner on Unix); a two-stage save writes a temporary file and renames it over the original, which replaces the inode and so breaks the hard link

Novell eDirectory weird ACLs – couldn't modify the LDAP 'mail' attribute
– that was because I had set the ACLs in ConsoleOne on 'EMail Address', not on 'Internet EMail Address', and the second one is the NDS attribute that maps to the LDAP attribute 'mail'
– so you need to set the ACLs on 'Internet EMail Address' rather than 'EMail Address'
– see the NDS-to-LDAP attribute mappings in ConsoleOne > tree > Resources > Servers > LDAP Group – my server > Attribute Mappings

23 Oct 2007
Mailtrap – fake SMTP server that traps all emails and saves them to a file
– it uses Ruby

Universal USB Webcam driver for Mac OS X
