[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
back-ldap proxying group membership lookups result in "No such attribute"
Hi
I'm connecting to an openldap2.1.17 running on solaris which has been
configured to proxy off to three NDS servers, at first this would only
return values defined in the openldap schema's when I did an
'ldapsearch cn=username' ie. it didn't have any of the NDS values like
'lockedByIntruder' 'passwordExpirationTime' etc.. but when I did an
'ldapsearch cn=username "*"' the values were displayed but were listed
in uppercase 'LOCKEDBYINTRUDER PASSWORDEXPIRATIONTIME' etc.. but wouldn't
show up when I did 'ldapsearch cn=username LOCKEDBYINTRUDER'
so I built an NDS schema for openldap by hand by referring to developer.novell.com
(guessed mainly) and added a reference in slapd.conf (nds500.schema)
#--------------------------------
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/misc.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nds500.schema
defaultsearchbase "o=NDS"
idletimeout 600
database ldap
uri "ldap://nds1/o=NDS ldap://nds2/o=NDS ldap://nds3/o=NDS";
suffix "o=NDS"
rootdn "cn=admin,o=NDS"
rootpw "passwd"
lastmod off
rebind-as-user
#--------------------------------
and now I get all the attributes that are in NDS (at least the ones we are
interested in) but when I try to check the group membership of a user it
doesn't work ... ie..
spinner:~ # ldapcompare -h localhost cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
ldap_compare: No such attribute (16)
spinner:~ # ldapcompare -h nds1 cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
TRUE
any ideas?
regards
mike
ps. here's the NDS schema which is probably wrong on some level
(built by hand to conform to openldap schema syntax)
spinner:/usr/local/etc/openldap/schema 20401 # cat nds500.schema
attributetype ( 2.16.840.1.113719.1.1.4.1.25
NAME 'groupMembership'
DESC 'groupMembership'
SUP distinguishedName )
attributetype ( 2.16.840.1.113719.1.1.4.1.39
NAME 'loginAllowedTimeMap'
DESC 'loginAllowedTimeMap'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
attributetype ( 2.16.840.1.113719.1.1.4.1.40
NAME 'loginDisabled'
DESC 'loginDisabled'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.41
NAME 'loginExpirationTime'
DESC 'loginExpirationTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 2.16.840.1.113719.1.1.4.1.42
NAME 'loginGraceLimit'
DESC 'loginGraceLimit'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.113719.1.1.4.1.43
NAME 'loginGraceRemaining'
DESC 'loginGraceRemaining'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.113719.1.1.4.1.44
NAME 'loginIntruderAddress'
DESC 'loginIntruderAddress'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.45
NAME 'loginIntruderAttempts'
DESC 'loginIntruderAttempts'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.47
NAME 'loginIntruderResetTime'
DESC 'loginIntruderResetTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 2.16.840.1.113719.1.1.4.1.48
NAME 'loginMaximumSimultaneous'
DESC 'loginMaximumSimultaneous'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.49
NAME 'loginScript'
DESC 'loginScript'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
attributetype ( 2.16.840.1.113719.1.1.4.1.50
NAME 'loginTime'
DESC 'loginTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 2.16.840.1.113719.1.1.4.1.56
NAME 'networkAddressRestriction'
DESC 'networkAddressRestriction'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.55
NAME 'networkAddress'
DESC 'networkAddress'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.65
NAME 'passwordsUsed'
DESC 'passwordsUsed'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.66
NAME 'passwordAllowChange'
DESC 'passwordAllowChange'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.67
NAME 'passwordExpirationInterval'
DESC 'passwordExpirationInterval'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.113719.1.1.4.1.68
NAME 'passwordExpirationTime'
DESC 'passwordExpirationTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 2.16.840.1.113719.1.1.4.1.69
NAME 'passwordMinimumLength'
DESC 'passwordMinimumLength'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
attributetype ( 2.16.840.1.113719.1.1.4.1.70
NAME 'passwordRequired'
DESC 'passwordRequired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.71
NAME 'passwordUniqueRequired'
DESC 'passwordUniqueRequired'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.82
NAME 'privateKey'
DESC 'privateKey'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.83
NAME 'profile'
DESC 'profile'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.84
NAME 'publicKey'
DESC 'publicKey'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.92
NAME 'securityEquals'
DESC 'securityEquals'
EQUALITY distinguishedNameMatch
SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
attributetype ( 2.16.840.1.113719.1.1.4.1.1
NAME 'accountBalance'
DESC 'accountBalance'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.4
NAME 'allowUnlimitedCredit'
DESC 'allowUnlimitedCredit'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.54
NAME 'minimumAccountBalance'
DESC 'minimumAccountBalance'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.34
NAME 'language'
DESC 'language'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.37
NAME 'lockedByIntruder'
DESC 'lockedByIntruder'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.96
NAME 'serverHolds'
DESC 'serverHolds'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.35
NAME 'lastLoginTime'
DESC 'lastLoginTime'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
attributetype ( 2.16.840.1.113719.1.1.4.1.116
NAME 'higherPrivileges'
DESC 'higherPrivileges'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.165
NAME 'securityFlags'
DESC 'securityFlags'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.171
NAME 'profileMembership'
DESC 'profileMembership'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
attributetype ( 2.16.840.1.113719.1.1.4.1.178
NAME 'timezone'
DESC 'timezone'
SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
objectclass ( 2.16.840.1.113719.1.1.6.1.33
NAME 'ndsLoginProperties'
DESC 'ndsLoginProperties'
SUP Top
MAY ( groupMembership $ loginAllowedTimeMap $
loginDisabled $ loginExpirationTime $
loginGraceLimit $ loginGraceRemaining $
loginIntruderAddress $ loginIntruderAttempts $
loginIntruderResetTime $ loginMaximumSimultaneous $
loginScript $ loginTime $ networkAddressRestriction $
networkAddress $ passwordsUsed $ passwordAllowChange $
passwordExpirationInterval $ passwordExpirationTime $
passwordMinimumLength $ passwordRequired $
passwordUniqueRequired $ privateKey $ profile $
publicKey $ securityEquals $ accountBalance $
allowUnlimitedCredit $ minimumAccountBalance $
language $ lockedByIntruder $ serverHolds $
lastLoginTime $ higherPrivileges $ securityFlags $
profileMembership $ timezone ) )