From: Tomas.Heran at Sun.COM
Date: Fri, 4 Apr 2008 05:23:08 -0700 (PDT)
Subject: [Duckwater-discuss] Standalone manual pages.
Message-ID: <20080404122308.5ED141222A3@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: 1152d0e604635dd0aa5ccec0eae1583b8abfee3b
Total changesets: 1

Log message:
Standalone manual pages.

Files:
create: manpages/standalone_manpages/README
create: manpages/standalone_manpages/ldapaddent.1m.diff
create: manpages/standalone_manpages/ldapaddent.1m.txt.standalone
create: manpages/standalone_manpages/ldaplist.1.diff
create: manpages/standalone_manpages/ldaplist.1.txt.standalone


From: Tomas.Heran at Sun.COM
Date: Mon, 7 Apr 2008 05:56:53 -0700 (PDT)
Subject: [Duckwater-discuss] Standalone LDAP tools - FastTrack
Message-ID: <20080407125653.B71C912C2C2@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: bd775b0f7f8ed6ab31528136b94731079fa00d2f
Total changesets: 1

Log message:
Standalone LDAP tools - FastTrack

Files:
create: standalone_tools_fasttrack.txt


From: Tomas.Heran at Sun.COM
Date: Fri, 11 Apr 2008 05:15:54 -0700 (PDT)
Subject: [Duckwater-discuss] Updated Standalone LDAP Tools FastTrack and manual pages.
Message-ID: <20080411121554.BE3F81555A1@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: 6c26b97c00b452b230a91f8b1beb3505f89f97aa
Total changesets: 1

Log message:
Updated Standalone LDAP Tools FastTrack and manual pages.
Files:
create: manpages/standalone_manpages/ldapclient.1m.diff
create: manpages/standalone_manpages/ldapclient.1m.txt.standalone
delete: manpages/standalone_manpages/README
update: manpages/standalone_manpages/ldapaddent.1m.diff
update: manpages/standalone_manpages/ldapaddent.1m.txt.standalone
update: manpages/standalone_manpages/ldaplist.1.diff
update: manpages/standalone_manpages/ldaplist.1.txt.standalone
update: standalone_tools_fasttrack.txt


From: Tomas.Heran at Sun.COM
Date: Fri, 11 Apr 2008 08:51:31 -0700 (PDT)
Subject: [Duckwater-discuss] Changed the format of diffs.
Message-ID: <20080411155131.E4B671523B5@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: cb66cb2e426d4e578b25072767197b0ad5cbddbb
Total changesets: 1

Log message:
Changed the format of diffs.

Files:
update: manpages/standalone_manpages/ldapaddent.1m.diff
update: manpages/standalone_manpages/ldapclient.1m.diff
update: manpages/standalone_manpages/ldaplist.1.diff
update: manpages/standalone_manpages/ldaplist.1.txt.standalone


From: Doug.Leavitt at Sun.COM
Date: Fri, 11 Apr 2008 11:40:38 -0700 (PDT)
Subject: [Duckwater-discuss] This is the April 11 revision of the NativeLDAP2 document, with
Message-ID: <20080411184038.CC08D15C1A3@mail.opensolaris.org>

Author: Doug Leavitt
Repository: /hg/duckwater/duckwater-docs
Latest revision: 3913e89732d107e40fc251eeee94022f77db3205
Total changesets: 1

Log message:
This is the April 11 revision of the NativeLDAP2 document, with Sun Specific
content redacted, and appropriate warnings inserted.
Files:
create: NativeLDAP2Arch.odt


From: Doug.Leavitt at Sun.COM
Date: Fri, 11 Apr 2008 11:48:54 -0700 (PDT)
Subject: [Duckwater-discuss] Committing the April 11, 2008 NativeLDAP2Arch.odt document in pdf format as:
Message-ID: <20080411184854.1DC4B15C496@mail.opensolaris.org>

Author: Doug Leavitt
Repository: /hg/duckwater/duckwater-docs
Latest revision: a0dcc75c37ae5c43562a4c06d938aede4d8dd191
Total changesets: 1

Log message:
Committing the April 11, 2008 NativeLDAP2Arch.odt document in pdf format as:
NativeLDAP2Arch.pdf

Files:
create: NativeLDAP2Arch.pdf


From: Nicolas Williams (nw141292 at sac.sfbay.sun.com)
Date: Fri, 11 Apr 2008 12:04:00 -0700 (PDT)
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
Message-ID: <200804111904.m3BJ405a021313@sac.sfbay.sun.com>

Template Version: @(#)sac_nextcase 1.64 07/13/07 SMI
This information is Copyright 2008 Sun Microsystems

1. Introduction
    1.1. Project/Component Working Name:
         Native LDAP standalone tools (Duckwater)
    1.2. Name of Document Author/Supplier:
         Author: Nicolas Williams
    1.3  Date of This Document:
         11 April, 2008

4. Technical Description

I'm sponsoring this fasttrack for Tomas Heran. The timer is set to expire
on April 18, 2008. The requested release binding is 'patch'.

Duckwater Standalone LDAP naming client utilities

BACKGROUND
==========

The Duckwater project (see PSARC/2007/694 and PSARC/2006/247) intends to
deliver simplified naming services configuration and management by
updating old tools, and introducing new tools and components that
leverage SMF to store naming configurations, and provide consistent
'SMF-like' cfg/adm interfaces for administrative use.
This case provides for separate delivery of a phase 0 sub-component of
the duckwater project that has no dependencies on SMF or other duckwater
enhancements that are planned for subsequent phases. This separate
delivery is needed to address some high call generating CRs and improve
some serious approachability issues in LDAP setup and configuration
immediately.

PROBLEM
=======

There are four highly visible issues with LDAP naming services that are
documented/tracked by the following CRs:

    4880322 TLSv1/SSL support needs to become integrated in all LDAP
            client programs
    4942874 RFE: native ldap client with ssl restricted to ports 636/389
    5035244 Make ldapaddent a standalone tool
    6227396 *ldaplist* should refer to ldapclient(1M) when ldap not
            configured

These issues can be summarized as:

[1] Administrators are unable to upload naming data into directory
    server using ldapaddent(1M) unless the system running ldapaddent
    has first been configured for LDAP naming. This implies that the
    initial state of the network repository must be empty, and the
    client using the repository must be configured to use the empty
    repository before the repository can be loaded with data from an
    existing repository (i.e., existing NIS data).

    ldaplist(1) has the same limitation. You can not query a repository
    to see if it has naming data unless your client is configured to
    use that naming data.

    This is a serious administration design flaw and approachability
    issue in LDAP naming today.

[2] The tool used to initialize the client machine, ldapclient(1M), has
    no provision to specify authentication credentials or credential
    type when initializing a client. This forces all directory servers
    to support open (port 389 with no security) binds to the directory
    server to initialize clients. Customers that want to secure a
    directory server to use only TLS/SSL for all access to the
    directory server are unable to do so.
[3] Related to [2], ldap_cachemgr(1M) currently requires anonymous (open
    port 389) non-TLS access to the RootDSE of any directory server
    even if other access is specified as TLS/SSL.

[4] Users wishing to use TLS/SSL are required to use port 636 (the
    default LDAP TLS/SSL port). Even though LDAP servers typically allow
    other ports to be specified, the current implementation only
    supports port 636.

    [Note: The standard method for using TLS with LDAP ("StartTLS") is
    not supported by Solaris' libldap5.so. More on this below.]

SOLUTION
========

To address problems [1] and [2], ldapclient(1M), ldapaddent(1M) and
ldaplist(1) will be updated to support a common set of command line
options that are both consistent amongst all three programs and also
consistent with the other LDAP tool interfaces delivered by the Solaris
and directory server product lines. [I.e., the ldapsearch(1),
ldapadd(1), ldapdelete(1), ldapmodify(1), ldapmodrdn(1) command line
APIs].

The following command line options to be supported are:

    -h LDAP_server[:serverPort]
        An address (or a name) and a port of the LDAP server in which
        the entries will be stored. The current naming service
        specified in the nsswitch.conf file is used. The default value
        for the port is 389, except when TLS is specified in the
        authentication method. In this case, the default LDAP server
        port number is 636.

    -M domainName
        The name of a domain served by the specified server. If not
        specified, the default domain name will be used. This is used
        to derive a base DN for searches.

    -N profileName
        Specify the DUAProfile name. A profile with such a name is
        supposed to exist on the server specified by -h option.
        Otherwise, a default DUAProfile will be used. The default value
        is default.

    -P certifPath
        The certificate path for the location of the certificate
        database. The value is the path where security database files
        reside.
        This is used for TLS support, which is specified in the
        authenticationMethod and serviceAuthenticationMethod
        attributes. The default is /var/ldap.

    -D bindDN
        Specifies an entry which has read (and write in case of
        ldapaddent(1M)) permission to appropriate part of the DIT.

    -w bind_password
        Password to be used for authenticating the bindDN. If this
        parameter is missing, the command will prompt for a password.
        NULL passwords are not supported in LDAP.

        When you use -w bind_password to specify the password to be
        used for authentication, the password is visible to other users
        of the system by means of the ps command, in script files or in
        shell history.

        If the value of "-" is supplied as a password, the command will
        prompt for a password.

    -j filename
        Specify a file containing the password for the bind DN or the
        password for the SSL client's key database. To protect the
        password, use this option in scripts and place the password in
        a secure file. This option is mutually exclusive of the -w
        option.

Man page diffs listing which of the commands ldaplist(1), ldapaddent(1M)
and ldapclient(1M) will receive which new command line options are
provided in the materials directory.

The interface stability level of ldapaddent(1M), ldaplist(1) and
ldapclient(1M) remains Committed.

In addition to modifying the command line tools, internal enhancements
will be made to the Contracted Consolidation Private private interfaces
in the libsldap library and in ldap_cachemgr(1M) to support the new
command line options of the modified tools and to address the problems
in [3] and [4]. Enhancements to libsldap will not affect existing
contracted interfaces. All new enhancements will be considered
Contracted Consolidation private. All existing contracts with libsldap
will remain in effect. The specific enhancements are provided in the
revised libsldap API document and provided in the case materials for
reference.
Currently libldap.so.5, the default libldap in Solaris, lacks the
necessary ldap TLS APIs that allow a TLS session to be enabled after an
unsecured LDAP connection has been made (START-TLS). These APIs will be
delivered when the current Mozilla libldap, libldap.so.6, currently
delivered by the directory server team (Directory Server 6
[WSARC/2005/285] and later) is integrated into Solaris, replacing
libldap.so.5. A future project will address this limitation once the new
TLS APIs from libldap.so.6 are available.

6. Resources and Schedule
    6.4. Steering Committee requested information
        6.4.1. Consolidation C-team Name:
               ONNV
    6.5. ARC review type: FastTrack
    6.6. ARC Exposure: open


From: Gary Winiger (gww at eng.sun.com)
Date: Tue, 15 Apr 2008 15:06:01 -0700 (PDT)
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
Message-ID: <200804152206.m3FM61av011858@marduk.eng.sun.com>

Nico,

<< off list >>

> The specific enhancements are provided in the revised libsldap API
> document and provided in the case materials for reference.

I've moved the pdf to the SCCS subdirectory so it will not be viewable.
It contains

    Sun Confidential: Internal Only

If you want, put a new copy without confidential information in the
case directory, or close the case and re-expose this.

Gary..
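The option rules the FastTrack above lays out for -h, -w and -j (port defaults to 389, or 636 when the authentication method specifies TLS; -w and -j are mutually exclusive; a missing password or "-w -" prompts; -j reads the password from a file) are modelled in the following added Python example, which is not code from the Duckwater project or from any of the mailing-list authors. The authenticationMethod value syntax (e.g. "tls:simple") follows the Solaris ldapclient attribute format; the check that the -j file is not group- or world-accessible is this example's own addition, not something the FastTrack specifies.

```python
"""Model of the -h / -w / -j option semantics from the Duckwater FastTrack
(added example, not project code)."""
import getpass
import os
import stat
import tempfile
from typing import Optional, Tuple

DEFAULT_PORT = 389       # plain LDAP
DEFAULT_TLS_PORT = 636   # default when TLS is requested


def uses_tls(authentication_method: str) -> bool:
    """True when the authenticationMethod value asks for TLS, e.g.
    'tls:simple' or 'tls:sasl/DIGEST-MD5' (Solaris attribute syntax)."""
    return authentication_method.strip().lower().startswith("tls:")


def resolve_server(h_arg: str, authentication_method: str) -> Tuple[str, int]:
    """Parse '-h LDAP_server[:serverPort]'. An explicit port always wins;
    otherwise 389, or 636 when the authentication method specifies TLS.
    (Bracketed IPv6 literals are not handled in this example.)"""
    host, sep, port = h_arg.rpartition(":")
    if sep:
        if not port.isdigit():
            raise ValueError(f"bad port in -h value: {h_arg!r}")
        return host, int(port)
    default = DEFAULT_TLS_PORT if uses_tls(authentication_method) else DEFAULT_PORT
    return h_arg, default


def resolve_bind_password(w_arg: Optional[str], j_arg: Optional[str],
                          prompt=getpass.getpass) -> str:
    """-w and -j are mutually exclusive; no -w or '-w -' prompts; -j reads
    the first line of a file. Rejecting a loosely-permissioned -j file is
    this example's own hardening, not part of the FastTrack."""
    if w_arg is not None and j_arg is not None:
        raise ValueError("-w and -j are mutually exclusive")
    if j_arg is not None:
        mode = stat.S_IMODE(os.stat(j_arg).st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            raise PermissionError(f"{j_arg}: mode {mode:04o} is not owner-only")
        with open(j_arg, encoding="utf-8") as fh:
            password = fh.readline().rstrip("\r\n")
    elif w_arg is None or w_arg == "-":
        password = prompt("Bind password: ")
    else:
        password = w_arg  # visible via ps(1); the FastTrack recommends -j
    if password == "":
        raise ValueError("NULL passwords are not supported in LDAP")
    return password


def demo() -> dict:
    """Exercise the rules against a constructed (sample) password file."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        pwfile = os.path.join(d, "bind.pw")
        with open(pwfile, "w", encoding="utf-8") as fh:
            fh.write("s3cret-sample\n")  # constructed sample, not a real credential
        os.chmod(pwfile, 0o600)
        results["from_file"] = resolve_bind_password(None, pwfile)
        os.chmod(pwfile, 0o644)
        try:
            resolve_bind_password(None, pwfile)
            results["loose_mode_rejected"] = False
        except PermissionError:
            results["loose_mode_rejected"] = True
        try:
            resolve_bind_password("x", pwfile)
            results["both_rejected"] = False
        except ValueError:
            results["both_rejected"] = True
    results["prompted"] = resolve_bind_password("-", None, prompt=lambda _: "typed")
    results["tls_port"] = resolve_server("ldap.example.com", "tls:simple")
    results["plain_port"] = resolve_server("ldap.example.com", "simple")
    results["explicit_port"] = resolve_server("ldap.example.com:1636", "tls:sasl/DIGEST-MD5")
    return results
```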
From: Doug.Leavitt at Sun.COM
Date: Tue, 15 Apr 2008 15:24:16 -0700 (PDT)
Subject: [Duckwater-discuss] remove Sun confidential line from header page
Message-ID: <20080415222416.06EC014C606@mail.opensolaris.org>

Author: Doug Leavitt
Repository: /hg/duckwater/duckwater-docs
Latest revision: cb783ec790c374578fa4565ef1a2a433f6fc805f
Total changesets: 1

Log message:
remove Sun confidential line from header page

Files:
update: NativeLDAP2Arch.odt
update: NativeLDAP2Arch.pdf


From: Nicolas Williams (Nicolas.Williams at sun.com)
Date: Tue, 15 Apr 2008 17:27:47 -0500
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
In-Reply-To: <200804152206.m3FM61av011858@marduk.eng.sun.com>
References: <200804152206.m3FM61av011858@marduk.eng.sun.com>
Message-ID: <20080415222747.GR8027@Sun.COM>

On Tue, Apr 15, 2008 at 03:06:01PM -0700, Gary Winiger wrote:
> << off list >>

Back on-list.

> > The specific enhancements are provided in the revised libsldap API
> > document and provided in the case materials for reference.
>
> I've moved the pdf to the SCCS subdirectory so it will not
> be viewable. It contains
>     Sun Confidential: Internal Only
>
> If you want, put a new copy without confidential information
> in the case directory, or close the case and re-expose this.

This was an editing error. Doug meant to remove that text from all
pages but accidentally left it in on page 1. I'll add new versions to
the case materials as soon as Doug sends them to me.
From: Gary Winiger (gww at eng.sun.com)
Date: Tue, 15 Apr 2008 15:54:02 -0700 (PDT)
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
Message-ID: <200804152254.m3FMs20H011993@marduk.eng.sun.com>

>     -w bind_password
>         Password to be used for authenticating the bindDN. If this
>         parameter is missing, the command will prompt for a password.
>         NULL passwords are not supported in LDAP.
>
> Man page diffs listing which of the commands ldaplist(1),
> ldapaddent(1M) and ldapclient(1M) will receive which new command
> line options are provided in the materials directory.

Thanks for making this optional. From the man pages it wasn't in the
previous code.

> The interface stability level of ldapaddent(1M), ldaplist(1) and
> ldapclient(1M) remains Committed.

Nit, please update the man pages to say Committed when they are putback
into the man gate. The ones in the case directory say Evolving.

Architectural comment:

IIRC, at one time the iPlanet Directory Server delivered its own copy
of these commands.

If my recollection is correct:
    will the iDS commands be updated as well?
    will this case allow iDS to not deliver its own set of commands?
    how will the differing set of commands relate?
    will there be some future project to harmonize the commands?

Gary..


From: Nicolas Williams (Nicolas.Williams at sun.com)
Date: Tue, 15 Apr 2008 18:18:16 -0500
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
In-Reply-To: <200804152254.m3FMs20H011993@marduk.eng.sun.com>
References: <200804152254.m3FMs20H011993@marduk.eng.sun.com>
Message-ID: <20080415231815.GV8027@Sun.COM>

On Tue, Apr 15, 2008 at 03:54:02PM -0700, Gary Winiger wrote:
> >     -w bind_password
> >         Password to be used for authenticating the bindDN.
> >         If this parameter is missing, the command will prompt for a
> >         password. NULL passwords are not supported in LDAP.
> >
> > Man page diffs listing which of the commands ldaplist(1),
> > ldapaddent(1M) and ldapclient(1M) will receive which new command
> > line options are provided in the materials directory.
>
> Thanks for making this optional. From the man pages it
> wasn't in the previous code.

And there's the -j option too. I'd go so far as to make it so it
prompts or reads it from a file, but never from the command line
arguments. However, I'm happy enough as it is.

> > The interface stability level of ldapaddent(1M), ldaplist(1) and
> > ldapclient(1M) remains Committed.
>
> Nit, please update the man pages to say Committed when they
> are putback into the man gate. The ones in the case directory
> say Evolving.

Good catch. We'll do so.

> Architectural comment:
>
> IIRC, at one time the iPlanet Directory Server delivered its own
> copy of these commands.

I don't know if this is the case. Tomas? Doug?

> If my recollection is correct:
>     will the iDS commands be updated as well?
>     will this case allow iDS to not deliver its own
>     set of commands?
>     how will the differing set of commands relate?
>     will there be some future project to harmonize the
>     commands?

I don't know the answers to these questions either. Tomas? Doug?
Nico


From: Tomas.Heran at Sun.COM
Date: Wed, 16 Apr 2008 01:56:13 -0700 (PDT)
Subject: [Duckwater-discuss] Evolving -> Committed
Message-ID: <20080416085613.BBFCE1624E3@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: 9bf5f37348b0f54518a98edfcb3abc4f041afc3f
Total changesets: 1

Log message:
Evolving -> Committed

Files:
update: manpages/standalone_manpages/ldapaddent.1m.diff
update: manpages/standalone_manpages/ldapaddent.1m.txt.standalone
update: manpages/standalone_manpages/ldapclient.1m.diff
update: manpages/standalone_manpages/ldapclient.1m.txt.standalone
update: manpages/standalone_manpages/ldaplist.1.diff
update: manpages/standalone_manpages/ldaplist.1.txt.standalone


From: Tomas Heran (Tomas.Heran at Sun.COM)
Date: Wed, 16 Apr 2008 12:10:00 +0200
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
In-Reply-To: <20080415231815.GV8027@Sun.COM>
References: <200804152254.m3FMs20H011993@marduk.eng.sun.com> <20080415231815.GV8027@Sun.COM>
Message-ID: <4805D078.7050804@sun.com>

Nicolas Williams wrote:
> On Tue, Apr 15, 2008 at 03:54:02PM -0700, Gary Winiger wrote:
>>> The interface stability level of ldapaddent(1M), ldaplist(1) and
>>> ldapclient(1M) remains Committed.
>> Nit, please update the man pages to say Committed when they
>> are putback into the man gate. The ones in the case directory
>> say Evolving.
>
> Good catch. We'll do so.

Done and copy of updated man pages sent to Nico.

>
>> Architectural comment:
>>
>> IIRC, at one time the iPlanet Directory Server delivered its own
>> copy of these commands.
>
> I don't know if this is the case. Tomas? Doug?
>

I just checked with Serge D. and he confirmed my assumption (though I
didn't know for sure) that only generic LDAP tools - e.g.
ldapsearch(1) - were ever delivered by iPlanet DS. We're not proposing
to modify those. This case proposes to modify only name services
related LDAP tools - ldaplist(1), ldapaddent(1M) and ldapclient(1M).

Tomas


From: Gary Winiger (gww at eng.sun.com)
Date: Wed, 16 Apr 2008 10:44:23 -0700 (PDT)
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
Message-ID: <200804161744.m3GHiN3u013463@marduk.eng.sun.com>

> >> Architectural comment:
> >>
> >> IIRC, at one time the iPlanet Directory Server delivered its own
> >> copy of these commands.
> >
> > I don't know if this is the case. Tomas? Doug?
> >
>
> I just checked with Serge D. and he confirmed my assumption (though I
> didn't know for sure) that only generic LDAP tools - e.g. ldapsearch(1)
> - were ever delivered by iPlanet DS. We're not proposing to modify
> those. This case proposes to modify only name services related LDAP
> tools - ldaplist(1), ldapaddent(1M) and ldapclient(1M).

So, do I parse this correctly: there is no overlap between the tools
delivered from iPlanet DS and those from the Native LDAP project(s)?
If so great ;-) thanks.

Gary..


From: Tomas Heran (Tomas.Heran at Sun.COM)
Date: Wed, 16 Apr 2008 19:50:45 +0200
Subject: [Duckwater-discuss] Native LDAP standalone tools (Duckwater) [PSARC/2008/256 FastTrack timeout 04/18/2008]
In-Reply-To: <200804161744.m3GHiN3u013463@marduk.eng.sun.com>
References: <200804161744.m3GHiN3u013463@marduk.eng.sun.com>
Message-ID: <48063C75.7030009@sun.com>

Gary Winiger wrote:
>>>> Architectural comment:
>>>>
>>>> IIRC, at one time the iPlanet Directory Server delivered its own
>>>> copy of these commands.
>>> I don't know if this is the case. Tomas? Doug?
>>>
>> I just checked with Serge D. and he confirmed my assumption (though I
>> didn't know for sure) that only generic LDAP tools - e.g.
>> ldapsearch(1)
>> - were ever delivered by iPlanet DS. We're not proposing to modify
>> those. This case proposes to modify only name services related LDAP
>> tools - ldaplist(1), ldapaddent(1M) and ldapclient(1M).
>
> So, do I parse this correctly: there is no overlap between the
> tools delivered from iPlanet DS and those from the Native LDAP
> project(s)? If so great ;-) thanks.

You do parse it correctly - there is no overlap.

Tomas


From: Tomas.Heran at Sun.COM
Date: Fri, 25 Apr 2008 06:13:57 -0700 (PDT)
Subject: [Duckwater-discuss] Missed ]
Message-ID: <20080425131357.767F0140B2D@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: fdd9b6e0ebf3e4c76b7dd1083d6f0f24491ab989
Total changesets: 1

Log message:
Missed ]

Files:
update: manpages/standalone_manpages/ldaplist.1.diff
update: manpages/standalone_manpages/ldaplist.1.txt.standalone


From: Tomas.Heran at Sun.COM
Date: Fri, 25 Apr 2008 10:49:58 -0700 (PDT)
Subject: [Duckwater-discuss] bind_password -> bindPassword
Message-ID: <20080425174958.6DFED149AD6@mail.opensolaris.org>

Author: Tomas Heran
Repository: /hg/duckwater/duckwater-docs
Latest revision: 27792e332328efdbac960869127ec002fea29f30
Total changesets: 1

Log message:
bind_password -> bindPassword
-j filename -> -j passwdFile
-y filename -> -y passwdFile

Files:
update: manpages/standalone_manpages/ldapaddent.1m.diff
update: manpages/standalone_manpages/ldapaddent.1m.txt.standalone
update: manpages/standalone_manpages/ldapclient.1m.diff
update: manpages/standalone_manpages/ldapclient.1m.txt.standalone
update: manpages/standalone_manpages/ldaplist.1.diff
update: manpages/standalone_manpages/ldaplist.1.txt.standalone