Novell’s eDirectory limits the CN length to 64 characters. That is enough for common objects.
However, in my application I auto-generated the CN from a long string. I wanted management groups for user containers of a deep tree (5 levels, e.g. ou=Happy Branch,ou=Berlin,ou=DE,ou=Europe,o=Company). For some practical and user-related reasons I didn’t want to copy the container tree structure, so I created objects at the same level with the CN built in reverse, e.g. Europe-DE-Berlin-Happy Branch. But for some groups the CN went over 64 letters, and that failed. So I created region containers for them and then created the groups under those region containers, with a CN such as DE-Berlin-Happy Branch. Problem solved!
My superb admin showed me two tricks. He invokes perl and passes it the regular expression from the shell. Perl processes standard input and writes to standard output.
The first one collects all user emails and then it gets their unique email domains. The second one collects values of LDAP attribute companyDomains and again gets their unique values.
mysql -h mysql-server -u user -ppassword db-name -e 'SELECT email FROM users' | perl -nle '/.*@(.*)/;print $1;' | sort -u | wc
ldapsearch -x -h ldap-server -D "cn=readonly,o=services" -w password -b o= users "(objectClass=organizationalUnit)" companyDomains | grep -P ^companyDomains: | perl -ple 's/^companyDomains: //;' | grep -Pv '^\d' | sort -u
I use command-line ldapsearch a lot and today I’ve come across a user who had a really weird value of givenName:: S3Vhbmd5YSA=
The weird thing was that his given name was OK in another data source (self-registration DB) and the entries in both the LDAP and DB were populated in one go with the same data.
It turns out that’s what you get when your LDAP value starts/ends with a space. It’s base64 or some other encoding, and this way ldapsearch makes sure you don’t miss the leading/trailing spaces, because otherwise you can’t distinguish them in a console window (unless you redirect the output to a file). The value itself looks OK in eDirectory’s ConsoleOne (with the trailing space, of course).
My colleague pointed out that in LDAP, the double colon means the following data is encoded in Base64.
Command line binaries like b64decode can be used to decode the data. Also try http://www.fourmilab.ch/webtools/base64/
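The double-colon behaviour described above, as an added example (not code from the original post): a small Python parser that unfolds ldapsearch LDIF output, decodes every `attr:: value` line and reports which property of the value forced the Base64 encoding. Apart from the givenName value quoted above, the sample entry and all function names are constructed for illustration.

```python
import base64

# Constructed sample of ldapsearch (LDIF) output. Only the givenName value comes
# from the post; the DN, sn and description lines are made up for the example.
SAMPLE_LDIF = """\
dn: cn=kuser,o=Company
givenName:: S3Vhbmd5YSA=
sn: Example
description:: IEhl
 bGxv
"""

def unfold(ldif_text):
    """Join LDIF continuation lines: a line starting with one space continues the previous line."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def why_encoded(value):
    """Name the properties of a decoded value (bytes) that make LDIF writers Base64-encode it."""
    reasons = []
    if value.startswith(b" "):
        reasons.append("leading space")
    if value.endswith(b" "):
        reasons.append("trailing space")
    if value[:1] in (b":", b"<"):
        reasons.append("leading ':' or '<'")
    if any(b in (0, 10, 13) or b > 127 for b in value):
        reasons.append("NUL, newline or non-ASCII byte")
    return reasons

def base64_values(ldif_text):
    """Return (attribute, decoded text, reasons) for every 'attr:: value' line."""
    found = []
    for line in unfold(ldif_text):
        attr, sep, encoded = line.partition("::")
        if not sep or ":" in attr:  # plain 'attr: value' line, or '::' inside a value
            continue
        raw = base64.b64decode(encoded.strip(), validate=True)
        found.append((attr, raw.decode("utf-8", errors="replace"), why_encoded(raw)))
    return found

if __name__ == "__main__":
    for attr, text, reasons in base64_values(SAMPLE_LDIF):
        # repr() keeps leading/trailing spaces visible on the console
        print(f"{attr}: {text!r} ({', '.join(reasons) or 'no obvious reason'})")
```

Running it over an export is a quick way to find identity attributes that carry stray whitespace and will therefore not match exact-value LDAP filters.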
Due to default behavior of LDAP/eDirectory it also adds an ACL entry for the user who created a group/container/object, e.g. “ACL: 16#subtree#cn=User
eDirectory (Novell’s LDAP product) surprisingly allows a lot of special characters in string attribute values (such as the attribute ‘description’), but it forbids the plus (+) character.
The following characters are OK, although some are not advisable if you want to compare the values in LDAP queries etc.: =,#()"'~\@:.-/!&*^ And some of them are not allowed in CN/OU or other special attributes.
9 Aug 07
MySQL Select & GROUP records with minimum value of a chosen column
SELECT offices.id, disposition, count(positions.id) num_positions FROM offices, positions WHERE condition-on-office AND offices.id=positions.office_id GROUP BY offices.id ORDER BY num_positions ASC LIMIT 8;
– schema and attribute names
– how to change [ROOT] permissions to more specific permissions:
— When replacing [ROOT] with a specific DN, remove the brackets
— so instead of “2#entry#[ROOT]#member” you use “2#entry#o=MyCompanyName#member”
XSLT to concatenate strings
– use concat( first, second…) rather than operator +. + works only for numbers
– don’t concatenate values/expressions with in-XML constants, because it will add spaces etc:
<xsl:value-of select="$logoName" />.gif
Using JEdit with files that are hard-linked at multiple locations
– then in JEdit’s options unset: jEdit > General > Two-stage save (safer but resets file owner on Unix)
Novell eDirectory weird ACLs – couldn’t modify LDAP ‘mail’ attribute
– that was because I had ACLs in ConsoleOne on EMail Address, not on ‘Internet EMail Address’, and the latter is the NDS attribute corresponding to the LDAP attribute ‘mail’
– so you need to set ACLs to ‘Internet EMail Address’ rather than ‘EMail Address’
– see NDS-LDAP attribute mappings in Console One > tree > Resources > Servers > LDAP Group – my server > Attribute Mappings
23 Oct 2007
Mailtrap – fake SMTP server that traps all emails and saves them to a file
– it uses Ruby
Universal USB Webcam driver for Mac OS X