Notes on Java, Solaris, PHP, LDAP…

August 22, 2008

Limitation of CN length in eDirectory

Filed under: Java — negev @ 8:42 am

Novell's eDirectory limits the CN to 64 characters. That is enough for common objects.

However, in my application I auto-generated the CN out of some long string. I wanted management groups for user containers of a deep tree (5 levels, e.g. ou=Happy Branch,ou=Berlin,ou=DE,ou=Europe,o=Company). For some practical and user's reasons I didn't want to copy the container tree structure, so I created objects at the same level with the CN made out of the path in reverse – e.g. Europe-DE-Berlin-Happy Branch. But for some groups the CN got over 64 characters, and that failed. So I created region containers for them and then I created the groups under those region containers, with a CN like DE-Berlin-Happy Branch. Problem solved!


May 13, 2008

Filtering via Perl on commandline to extract values

Filed under: Java — negev @ 3:16 pm

My superb admin showed me two tricks. He invokes perl and passes it the regular expression from the shell. Perl processes standard input and writes to standard output.

The first one collects all user emails and then it gets their unique email domains. The second one collects values of LDAP attribute companyDomains and again gets their unique values.

mysql -h mysql-server -u user -ppassword db-name -e 'SELECT email FROM users' | perl -nle '/.*@(.*)/;print $1;' | sort -u | wc

ldapsearch -x -h ldap-server -D "cn=readonly,o=services" -w password -b o=users "(objectClass=organizationalUnit)" companyDomains | grep -P '^companyDomains:' | perl -ple 's/^companyDomains: //;' | grep -Pv '^\d' | sort -u

Both one-liners put the password on the command line, where it is visible in the process list and in the shell history: mysql -p with no value attached prompts for it instead, and ldapsearch -W prompts (or -y file reads it from a file). Note also that the second pipeline leaves base64-encoded values undecoded – ldapsearch prints those as companyDomains:: and the perl substitution does not strip that prefix (see the February 2008 note below).

February 14, 2008

Filed under: Java — negev @ 7:12 pm

I use commandline ldapsearch a lot and today I've come across a user who had a really weird value of givenName:: S3Vhbmd5YSA=

The weird thing was that his given name was OK in another data source (self-registration DB) and the entries in both the LDAP and DB were populated in one go with the same data.

It turns out that's what you get when your LDAP value starts/ends with a space. ldapsearch prints LDIF (RFC 2849), and a value that is not a "safe string" – one that starts with a space, ':' or '<', ends with a space, or contains a non-ASCII byte, NUL, CR or LF – is written base64-encoded after a double colon. This way ldapsearch makes sure you don't miss the leading/trailing spaces – because otherwise you can't distinguish them in a console window (unless you redirect the output to a file). The value itself looks OK in eDirectory's ConsoleOne (with the trailing space, of course). Decoded, S3Vhbmd5YSA= is "Kuangya " with one trailing space.

My colleague pointed out that in LDAP output the double colon means the following data is encoded in Base64.
Command line binaries like b64decode (or base64 -d from coreutils) can be used to decode the data. Also try
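The decoding rule above, as an added example that is not code from the original post: a small RFC 2849 reader/writer in Python that unfolds ldapsearch's wrapped lines, decodes `::` values, and shows which values have to be base64-encoded on the way out. The SAMPLE_LDIF text is constructed for this example (only the givenName value is the one quoted above) and the function names are this example's own.

```python
from __future__ import annotations

import base64

# Constructed sample of ldapsearch output.  The givenName line is the value
# quoted in the post; the description line is folded the way LDIF folds
# lines longer than 76 characters (continuation lines start with one space).
SAMPLE_LDIF = """\
dn: cn=some user,ou=users,o=Company
givenName:: S3Vhbmd5YSA=
sn: Example
description: a long description that ldapsearch has folded onto two lin
 es because LDIF wraps at 76 characters
"""


def needs_base64(value: str) -> bool:
    """True when RFC 2849 does not allow `attr: value` for this value:
    a non-ASCII byte, NUL/CR/LF anywhere, a leading space, ':' or '<',
    or a trailing space (the case that bit the post above)."""
    if value == "":
        return False
    if any(ord(ch) > 127 or ch in "\x00\r\n" for ch in value):
        return True
    return value[0] in " :<" or value[-1] == " "


def format_ldif_value(attr: str, value: str) -> str:
    """Write one attribute the way ldapsearch does: `::` marks base64."""
    if needs_base64(value):
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def parse_ldif_line(line: str) -> tuple[str, str]:
    """Decode one already-unfolded `attr: value` or `attr:: base64` line."""
    attr, sep, rest = line.partition(":")
    if not sep:
        raise ValueError(f"not an LDIF attribute line: {line!r}")
    if rest.startswith(":"):
        return attr, base64.b64decode(rest[1:].strip()).decode("utf-8")
    if rest.startswith("<"):
        raise ValueError("attr:< URL values are not handled by this example")
    # A safe string never starts with a space, so stripping the FILL is lossless.
    return attr, rest.lstrip(" ")


def unfold(text: str) -> list[str]:
    """Join continuation lines and drop blank lines and '#' comments."""
    lines: list[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    return lines


def decode_ldif(text: str) -> list[tuple[str, str]]:
    """All (attribute, decoded value) pairs of an LDIF fragment, in order."""
    return [parse_ldif_line(line) for line in unfold(text)]


if __name__ == "__main__":
    for attr, value in decode_ldif(SAMPLE_LDIF):
        print(f"{attr}: {value!r}")  # repr() makes the trailing space visible
```

Printing the decoded values with repr() is the console equivalent of the post's "redirect the output to a file" trick: it is the only way the trailing space shows.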

December 4, 2007

eDirectory LDAP – default rights and allowed values

Filed under: Uncategorized — negev @ 7:12 pm

Due to the default behavior of LDAP/eDirectory it also adds an ACL entry for the user who created a group/container/object, e.g.

ACL: 16#subtree#cn=User Name,ou=User Container,…,o=top-container#[Entry Rights]

The value has the form privileges#scope#subjectname#protectedattrname: 16 is the Supervisor privilege, and the subtree scope makes it inheritable by everything later created under the new object. The practical consequence is that whatever account your application binds with to create objects accumulates Supervisor rights over every container it creates, so audit the ACL attribute of those containers and remove the entries you did not intend.
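One way to do that audit, as an added example that is not code from the original post: parse the privileges#scope#subjectname#protectedattrname values of an ACL attribute and list every subject holding inheritable Supervisor entry rights who is not an expected admin. Assumptions: the privilege bit meanings in PRIVILEGE_BITS are the ones the eDirectory ACL documentation lists (1 browse/compare, 2 add-entry/read, 4 delete-entry/write, 8 rename/add-self, 16 supervisor) and should be checked against your server's docs; the SAMPLE_ACLS values are constructed, modelled on the entry quoted above.

```python
from __future__ import annotations

# Assumed privilege bits of an eDirectory ACL value (verify against your docs).
PRIVILEGE_BITS = {
    1: "browse/compare",
    2: "add-entry/read",
    4: "delete-entry/write",
    8: "rename/add-self",
    16: "supervisor",
}
SUPERVISOR = 16

# Constructed sample: what the ACL attribute of a freshly created container
# might hold, including the creator entry described in the post.
SAMPLE_ACLS = [
    "2#entry#[Public]#messageServer",
    "16#subtree#cn=User Name,ou=User Container,o=top-container#[Entry Rights]",
    "16#subtree#cn=admin,o=top-container#[Entry Rights]",
    "6#entry#[Self]#[All Attributes Rights]",
]


def parse_acl(value: str) -> dict:
    """Split one ACL value into its four fields.

    maxsplit=3 keeps a '#' inside the protected attribute name intact; a '#'
    inside the subject DN is not handled by this example."""
    parts = value.split("#", 3)
    if len(parts) != 4:
        raise ValueError(f"malformed ACL value: {value!r}")
    privileges, scope, subject, protected = parts
    if scope not in ("entry", "subtree"):
        raise ValueError(f"unknown ACL scope {scope!r} in {value!r}")
    return {
        "privileges": int(privileges),
        "scope": scope,
        "subject": subject,
        "protected": protected,
    }


def describe_privileges(mask: int) -> list[str]:
    """Names of the bits set in a privileges value, lowest bit first."""
    return [name for bit, name in PRIVILEGE_BITS.items() if mask & bit]


def unexpected_supervisors(acl_values, expected_admins) -> list[str]:
    """Subjects with subtree (inheritable) Supervisor entry rights that are
    not on the allow-list.  A container created by an application's bind
    account typically lists that account here."""
    found = []
    for value in acl_values:
        acl = parse_acl(value)
        if (
            acl["privileges"] & SUPERVISOR
            and acl["scope"] == "subtree"
            and acl["protected"] == "[Entry Rights]"
            and acl["subject"] not in expected_admins
        ):
            found.append(acl["subject"])
    return found


if __name__ == "__main__":
    for value in SAMPLE_ACLS:
        acl = parse_acl(value)
        print(f"{acl['subject']:50} {acl['scope']:8} {describe_privileges(acl['privileges'])}")
    print("unexpected supervisors:", unexpected_supervisors(SAMPLE_ACLS, {"cn=admin,o=top-container"}))
```

Feed it the ACL values of each container your application created (ldapsearch with the ACL attribute requested) and the creator entries stand out immediately.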


eDirectory (Novell's LDAP product) surprisingly allows a lot of special characters for string attribute values (such as the attribute 'description'), but it forbids the plus (+) character.

The following characters are OK, although some are not advisable if you want to compare the values in LDAP queries etc.: =,#()[]"'~\@:.-/!&*^ And some of them are not allowed for CN/OU or other special attributes. When such a value goes into a search filter, the characters * ( ) \ and NUL must be hex-escaped (RFC 4515), and in a DN the characters " + , ; < > \ as well as a leading # or a leading/trailing space must be escaped (RFC 4514).

November 17, 2007

PHP and LDAP, PHP debuggers

Filed under: Uncategorized — negev @ 11:24 pm

26 Sep 07
Delete all values of an LDAP attribute in PHP
ldap_mod_del( $connection, $dn, array( 'attrib-name' => array() ) );

Copy a directory recursively and keep the symlinks – use cp -R, not cp -r

Relative inclusion of files using include/require in PHP
from comments on: When I'm dealing with a package that uses relative includes of its own, rather than modify all of their includes, I found it was easier to change PHP's working directory before and after the include, like so:

$wd_was = getcwd();
chdir( dirname( $package_file ) ); // $package_file: path of the package's entry file (name assumed; the original listing kept only the first line)
include( $package_file );
chdir( $wd_was );

This way neither my includes nor theirs are affected; they all work as expected. Or:
ini_set('include_path', ini_get('include_path') . PATH_SEPARATOR . $SITEROOT_PATH); // PATH_SEPARATOR is ';' on Windows but ':' on Unix, so don't hard-code ';'

PHP ldap_mod_del()
– it requires attribute values to be indexed by consecutive int keys starting at 0!

PHP debuggers
— installs OK on Mac OS X 10.4
— if you activate it in php.ini, then commandline PHP stops working!
— error traces refer to PHP sources with lines starting at 0, not starting at 1!

When updating/creating an LDAP object in PHP and you get a funny attribute value
– if the attribute schema is a DN to (any) object
– and if the attribute value shows up as [Root] in ConsoleOne of Novell eDirectory
– and if the attribute value shows as null/empty string in PHP ldap_search and commandline ldapsearch
– then you saved/created the object passing PHP null as the value of that attribute to PHP ldap_mod_add()
– solution: remove PHP null values when creating a new LDAP object. If updating an existing LDAP object, remove any existing values of that attribute by ldap_mod_del()

PHP and LDAP, regex and sessions

Filed under: Uncategorized — negev @ 9:54 pm

8 Aug 07
PHP ldap_search and its search base parameter:
– If you pass a null (empty) LDAP base to PHP's ldap_search, then it searches the whole tree – that is, all containers. (PHP 8.1 and later deprecate passing null for that string parameter; pass '' instead. Searching from the root is also the most expensive query you can send, so prefer the narrowest base you know.)

PHP and regex – regular expressions
– Perl-like pcre functions (preg_match etc.) are faster than the POSIX ereg functions; ereg was deprecated in PHP 5.3 and removed in PHP 7.0, so new code has to use preg_* anyway
– use str_replace if you don't need regex

Clearing PHP sessions (the listing lost its first lines; the three calls before the echo are reconstructed from the explanation that follows):

session_start();
session_unset();
session_destroy();
echo "Session destroyed OK.";

The following doesn't clear the session – don't use session_id() to test whether there is any out-of-date data in the session. session_id() returns an empty string until session_start() has been called, so the else branch always runs and nothing is destroyed. You need to call session_start() first. Note also that session_destroy() only removes the server-side data; the client keeps its session cookie, which the PHP manual recommends expiring with setcookie() on logout.

if( session_id() ) {
    session_destroy();
    echo "Session destroyed OK.";
} else {
    echo "There was no previous session or it timed out already.";
}

PHP LDAP search by groupMembership or attributes of 'Distinguished Name' syntax
There are situations when you want to have a DN in the search *filter* – e.g. when you search by the groupMembership attribute or by an attribute whose syntax is Distinguished Name. Then you need to escape all occurrences of '=' in that attribute's value by a backslash and its hexadecimal code – i.e. '\3D'. (RFC 4515 allows any byte to be written that way; the characters that must always be escaped in a filter value are '*', '(', ')', '\' and NUL, and if the value comes from user input you must escape those whatever else you do, or the user can rewrite your filter.)

Example: the following works with the unix/Mac OS ldapsearch command – you use apostrophes to quote the DN part of the filter:

ldapsearch -x -h my-server -D 'cn=my-user,ou=my-container,o=users' -w my-password -b ou=my-search-container,o=users groupMembership='cn=my-admin-group,ou=MyApplication,ou=Applications,o=services'

But if you need a similar search in PHP, then you need to pass the following filter to ldap_search() and its alternatives:

'groupMembership=cn\3Dmy-admin-group,ou\3DMyApplication,ou\3DApplications,o\3Dservices'
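The escaping described above, as an added example that is not code from the original post: a Python filter builder that hex-escapes a value per RFC 4515 before interpolating it (the job PHP's ldap_escape($value, "", LDAP_ESCAPE_FILTER) does since PHP 5.6), with an option to escape '=' as well so it reproduces the \3D form shown above. The group DN is the one used in the post; the "attacker" input and the function names are this example's own.

```python
from __future__ import annotations

# Bytes RFC 4515 requires to be written as backslash + two hex digits.
MUST_ESCAPE = frozenset(b"*()\\\x00")


def escape_filter_value(value: str, also: str = "") -> str:
    """Hex-escape *, (, ), backslash and NUL, every non-ASCII byte, and any
    extra ASCII characters passed in `also` (the post escapes '=' as \\3D;
    RFC 4515 allows any byte to be escaped that way, so it is harmless)."""
    extra = frozenset(also.encode("ascii"))
    out = []
    for byte in value.encode("utf-8"):
        if byte in MUST_ESCAPE or byte in extra or byte > 127:
            out.append("\\%02X" % byte)
        else:
            out.append(chr(byte))
    return "".join(out)


def equality_filter(attr: str, value: str, escape_equals: bool = False) -> str:
    """Build (attr=value) with the value escaped.  escape_equals=True yields
    the \\3D form shown above for DN-valued attributes such as groupMembership."""
    return f"({attr}={escape_filter_value(value, '=' if escape_equals else '')})"


def member_of_filter(group_dn: str) -> str:
    """Filter matching entries whose groupMembership holds group_dn."""
    return equality_filter("groupMembership", group_dn, escape_equals=True)


def unsafe_filter(attr: str, value: str) -> str:
    """What plain string concatenation produces: a '*' typed by the user turns
    the equality match into a presence match on every entry, and ')(' lets
    the user append filter terms of their own."""
    return f"({attr}={value})"


if __name__ == "__main__":
    group = "cn=my-admin-group,ou=MyApplication,ou=Applications,o=services"
    print(member_of_filter(group))
    print("unsafe:", unsafe_filter("uid", "*)(uid=*"))
    print("escaped:", equality_filter("uid", "*)(uid=*"))
```

The DN needs the \3D treatment only when it is placed inside a filter; when the same DN is used as the search base or in a bind, it is passed as-is.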


Filed under: Uncategorized — negev @ 9:33 pm

4 July 07

Unix/CRON output redirection
my-command >/my_log_dir/my_file 2>&1

LDAP search expressions
– need parentheses both around the whole expression and around each operand of an operator-based expression, e.g. (&(objectClass=person)(cn=a*)) – the operator and every operand get their own pair:

Subversion on Novell SLES 10
— don’t use David Summer’s – it complained about libraries even when they were up to date (for SVN 1.4.0)
– use CollabNet commandline client

Subversion on Mac OS X
— use DMG from Metissian 1.3.1 or newer

Grep filtering of Java/C multi-line comments
pcregrep -r -M -f ~/comments.regex
– comments.regex is:
– don’t use \w – that doesn’t include new line in pcregrep
– \n doesn’t represent new line
-l = Instead of printing lines from the files, just print the names of the files
-c = Do not print individual lines; instead just print a count of the number of lines
-n = Precede each line by its line number in the file

Backslash problems when connecting via rdesktop from a Linux box to Windows VM:
Set Windows (VM) to use US keyboard

PortableApps – packaging/’virtualization’ of MS Windows applications – it makes a package you can run from USB; open-source
Thinstall – same but commercial

MySQL on Mac OS X 10.4 Intel
– install DMG from Mysql site and also follow

Cross-platform presentational SW:
– generates Flash
– audio+screenshots

JavaOne 2007 – Open Source mobile OS:
Freedom also means that you have to let other people be free to make choices that you might not…

Test Units – abstract of Tapestry testing @JavaOne 2007
– it helps if there is a single class that has responsibility for all tasks of a given process
– test-driven dev = change detection (regression tests) + more
– tests
— isolated, thorough
— easy to debug, frequently run (i.e. fast) => out-of-server, or out-of-container
— test the 'hard stuff'
— tests document design decisions – expectations/requirements


Filed under: Uncategorized — negev @ 9:30 pm

10 July 07

PHP ldap_next_entry(link, res)
— res is a resource result from previous call of ldap_first_entry(..) or ldap_next_entry(..)!


LDAP searches – based on scope:
ldap_read (base object only), ldap_list (one level), ldap_search (whole subtree)
Clarification of the ldap_read syntax:

If you just want to pull certain attributes from an object and you already know its DN, the ldap_read function can do this as illustrated below. It will be less overhead than ldap_search.

$dn = "cn=username,o=My Company,c=US"; // the object itself instead of the top search level as in ldap_search
$filter = "(objectclass=*)"; // this function requires some filter
$justthese = array("ou", "sn", "givenname", "mail"); // the attributes to pull, which is much more efficient than pulling all attributes
$sr = ldap_read($ds, $dn, $filter, $justthese);


Filed under: Uncategorized — negev @ 9:02 pm

15 June 07
Mysterious empty entries (rows) coming from PHP originating from LDAP
– check how the raw LDAP results are handled
– the following causes the above error: when the attribute is missing from the entry, $result['myMultivaluedAttrib'] is null, and array(null) is a one-element array holding an empty value

if( !is_array( $result['myMultivaluedAttrib'] ) ) {
    $result['myMultivaluedAttrib'] = array( $result['myMultivaluedAttrib'] );
}

Fix: add the following code before the above block:

if( !isset( $result['myMultivaluedAttrib'] ) ) {
    $result['myMultivaluedAttrib'] = array();
}

LDAP in PHP: ldap_get_entries(..) returns single-valued attributes the same way as multi-valued ones (an array with a 'count' key and numeric indices, so you read the only value of a single-valued attribute as $entry['givenname'][0], the same way as the first value of a multi-valued attribute) – except for the DN, which is returned at the 'top' level of the entry, and attribute names come back in lower case, so index with 'givenname', not 'givenName'. E.g.:
[count] => 4
[dn] => cn=Peter Kehl,ou=…,o=users
[0] => givenname
[givenname] => Array ( [count] => 1 [0] => Peter )

PHP and SQL notes

Filed under: Uncategorized — negev @ 8:04 pm

Installing PHP on Mac OS X:
./configure --with-ldap --with-apxs
make
sudo make install

Getting unique values from an array – PHP
use: array_keys( array_flip($arr) ) – or simply array_unique($arr); the flip trick only works when the values are integers or strings, because they have to become keys
array_flip() – it switches keys and values
array_reverse() – it returns the array in reverse order, optionally preserving the keys

27 Mar 07
When opening a MySQL/SSH connection to another box takes really long (c.a. 6-7 sec), the server is usually waiting for a reverse DNS lookup of your address to time out
-> for MySQL set skip-name-resolve in my.cnf (grants that name the client by hostname then stop matching, so use IP addresses in them); for sshd the equivalent is UseDNS no in sshd_config

Sun LDAP and related products:

  • OpenDS. A community building an open source directory service.
  • OpenSSO. A community working on an open source implementation of single sign-on.

PHP arrays – items are kept in order they were added in, rather than sorted by values of keys!
