Discussion:
retrieving information about deleted objects
Matthias Apitz
2015-11-02 11:54:59 UTC
Hello,

We produce for production environments an IDM system which is able to
publish/duplicate changes in OpenLDAP/LDAP directories to other management
databases and vice versa. This works fine in most of the cases of changes in
LDAP. The only problem we see is getting information about deletion of
objects (users) which were done while the IDM system was either down or
network not available.

What is the correct way to search for deleted objects? We have read about
a filter search, based on 'isDeleted=*' or 'isDeleted=TRUE'. But we cannot
get any result with this.

Thanks for some hints about this.

matthias
--
Matthias Apitz, ✉ ***@unixarea.de, 🌐 http://www.unixarea.de/ ☎ +49-176-38902045
Howard Chu
2015-11-02 12:21:27 UTC
Matthias Apitz wrote:
> Hello,
>
> We produce for production environments an IDM system which is able to
> publish/duplicate changes in OpenLDAP/LDAP directories to other management
> databases and vice versa. This works fine in most of the cases of changes in
> LDAP. The only problem we see is getting information about deletion of
> objects (users) which were done while the IDM system was either down or
> network not available.
>
> What is the correct way to search for deleted objects? We have read about
> a filter search, based on 'isDeleted=*' or 'isDeleted=TRUE'. But we cannot
> get any result with this.

There is no isDeleted attribute in OpenLDAP.

Read RFC4533.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Ulrich Windl
2015-11-02 14:55:38 UTC
Post by Howard Chu
Post by Matthias Apitz
>> Hello,
>>
>> We produce for production environments an IDM system which is able to
>> publish/duplicate changes in OpenLDAP/LDAP directories to other management
>> databases and vice versa. This works fine in most of the cases of changes in
>> LDAP. The only problem we see is getting information about deletion of
>> objects (users) which were done while the IDM system was either down or
>> network not available.
>>
>> What is the correct way to search for deleted objects? We have read about
>> a filter search, based on 'isDeleted=*' or 'isDeleted=TRUE'. But we cannot
>> get any result with this.

accesslog also logs delete operations.

Post by Howard Chu
> There is no isDeleted attribute in OpenLDAP.
>
> Read RFC4533.
> --
> -- Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
Dieter Klünter
2015-11-02 13:18:49 UTC
On Mon, 2 Nov 2015 12:54:59 +0100
> Hello,
>
> We produce for production environments an IDM system which is able to
> publish/duplicate changes in OpenLDAP/LDAP directories to other
> management databases and vice versa. This works fine in most of the
> cases of changes in LDAP. The only problem we see is getting information
> about deletion of objects (users) which were done while the IDM system
> was either down or network not available.
>
> What is the correct way to search for deleted objects? We have read
> about a filter search, based on 'isDeleted=*' or 'isDeleted=TRUE'. But
> we cannot get any result with this.
>
> Thanks for some hints about this.

You may set up slapo-accesslog(5) and have your clients check this
database.

-Dieter
--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
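
The catch-up step an IDM consumer could run against the accesslog database suggested in the replies, as an added example that is not part of the original thread. The log suffix `cn=accesslog`, the DNs and the function names are assumptions, and the LDIF is constructed.

```python
import base64
import re

# Constructed sample, not real data. The log suffix "cn=accesslog" and every DN
# are assumptions. It mimics the LDIF that ldapsearch prints for a query such as
#   ldapsearch -b cn=accesslog '(&(objectClass=auditDelete)(reqStart>=<checkpoint>))'
def _rec(start, cls, dn_line, result):
    return (f"dn: reqStart={start},cn=accesslog\nobjectClass: {cls}\n"
            f"reqStart: {start}\n{dn_line}\nreqResult: {result}\n")

_B64 = base64.b64encode("uid=jörg,ou=people,dc=example,dc=com".encode()).decode()
SAMPLE_LDIF = "\n".join([
    _rec("20151101093000.000001Z", "auditDelete", "reqDN: uid=alice,ou=people,dc=example,dc=com", 0),
    _rec("20151102101500.000002Z", "auditDelete", "reqDN: uid=bob,ou=people,dc=example,dc=com", 50),
    _rec("20151102103000.000003Z", "auditDelete", f"reqDN:: {_B64}", 0),
    _rec("20151102104500.000004Z", "auditModify", "reqDN: uid=carol,ou=people,dc=example,dc=com", 0),
    _rec("20151102110000.000005Z", "auditDelete", "reqDN: uid=dave,ou=people,\n dc=example,dc=com", 0),
])

def parse_ldif(text):
    """Yield one dict (attribute -> list of values) per LDIF record."""
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, rest = line.partition(":")
            if rest.startswith(":"):  # "attr:: value" carries base64 (e.g. non-ASCII DNs)
                value = base64.b64decode(rest[1:].strip()).decode("utf-8")
            else:
                value = rest.strip()
            entry.setdefault(attr, []).append(value)
        yield entry

def deleted_since(ldif_text, checkpoint):
    """Return (sorted [(reqStart, reqDN)], new checkpoint) for successful deletes.

    checkpoint must use the same fixed-width form as reqStart so that plain
    string comparison orders the timestamps correctly.
    """
    deletions, newest = [], checkpoint
    for e in parse_ldif(ldif_text):
        if "auditDelete" not in e.get("objectClass", []):
            continue  # not a delete operation
        start = e["reqStart"][0]
        if start <= checkpoint or e.get("reqResult", [""])[0] != "0":
            continue  # already processed, or the delete was refused
        deletions.append((start, e["reqDN"][0]))
        newest = max(newest, start)
    return sorted(deletions), newest
```

Persisting the returned checkpoint only after the deletions have been applied downstream means a crash causes a replay rather than a missed delete.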