
Re: Transparent proxy, (objectClass=user) not being relayed. Schema issue?



2.3.43 included with CentOS. I'll try the latest package. Thanks!

On Mon, Jan 31, 2011 at 11:16 AM, Pierangelo Masarati <masarati@aero.polimi.it> wrote:
Christopher Cprek wrote:
Thank you!

Unfortunately, I'm seeing the same issue with back-meta.

What version? I checked with HEAD, so my test might not be representative. In any case, this issue should now be fixed in back-ldap.

p.


The simple configuration:

database meta
suffix  "dc=ad,dc=mydomain,dc=edu"
uri  "ldap://ldapadlb.mydomain.edu/dc=ad,dc=mydomain,dc=edu"

When using this configuration I still have to use my hacked AD schema for
correct relaying. Example case of a filter without including the custom
schema "(&(objectClass=user)(sAMAccountName=user01))"... Still results in
this:

conn=0 op=1: meta_back_getconn[0]
conn=0 op=1 meta_back_getconn: candidates=1 conn=0 fetched
conn=0 op=1 >>> meta_back_search_start[0]
conn=0 op=1 >>> meta_search_dobind_init[0]
conn=0 op=1 <<< meta_search_dobind_init[0]=1
ldap_search_ext
put_filter: "(&(!(objectClass=*))(!(objectClass=*)))"
put_filter: AND
put_filter_list "(!(objectClass=*))(!(objectClass=*))"
put_filter: "(!(objectClass=*))"
put_filter: NOT
put_filter_list "(objectClass=*)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
put_filter: "(!(objectClass=*))"
put_filter: NOT
put_filter_list "(objectClass=*)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
ber_scanf fmt ({it) ber:
ber_scanf fmt ({) ber:
ber_flush: 111 bytes to sd 10
conn=0 op=1 <<< meta_back_search_start[0]=1
conn=0 op=1 meta_back_search: ncandidates=1 cnd="*"
ldap_result ld 0x2b5e683de880 msgid 2
wait4msg ld 0x2b5e683de880 msgid 2 (timeout 0 usec)
wait4msg continue ld 0x2b5e683de880 msgid 2 all 2

Including the hacked schema corrects the problem, but it is only a subset of
possible search filters that could fail.

Am I missing something in the back-meta configuration?

Thanks again!

/Chris

On Sat, Jan 29, 2011 at 4:34 AM, <masarati@aero.polimi.it> wrote:

I would appreciate any guidance to help resolve my problem. All I want is
the filter (objectClass=user) to be relayed correctly from the slapd
service
to the LDAP proxy backend.
back-ldap/search.c 1.273 -> 1.274, related to ITS#6814, should fix your
problem.  Back-meta does not suffer from this problem, as it correctly
relays undefined objectClasses in search filters.

p.
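
Added example (not part of the original thread and not OpenLDAP code): a small Python check that reads a slapd debug trace like the one above, pulls out the filter each proxied search actually sends upstream, and flags searches whose clauses were replaced by `(!(objectClass=*))`. It assumes the first quoted `put_filter:` line after `ldap_search_ext` is the complete outbound filter, as in the trace in this thread; the function names and the second and third sample searches are constructed for illustration.

```python
import re

# Term seen in the trace above in place of each clause of the client's filter.
FALSE_TERM = "(!(objectClass=*))"
TOP_FILTER = re.compile(r'^put_filter: "(.*)"$')

def outbound_filters(trace):
    """Return the outermost filter of every ldap_search_ext call in the trace."""
    found, want_top = [], False
    for raw in trace.splitlines():
        line = raw.strip()
        if line == "ldap_search_ext":
            want_top = True          # next quoted put_filter is the full filter
            continue
        m = TOP_FILTER.match(line)
        if want_top and m:
            found.append(m.group(1))
            want_top = False         # nested put_filter lines are sub-filters
    return found

def classify(flt):
    """'collapsed' if only FALSE_TERM clauses remain, 'partial' if some, else 'intact'."""
    hits = flt.count(FALSE_TERM)
    if hits == 0:
        return "intact"
    rest = flt.replace(FALSE_TERM, "")
    # After removing the substituted clauses only (&...), (|...) shells may remain.
    return "collapsed" if rest.strip("(&|)") == "" else "partial"

def report(trace):
    return [(f, classify(f)) for f in outbound_filters(trace)]

# Constructed sample: the first search is copied from the trace in the message,
# the other two are made-up lines in the same format.
SAMPLE = '''\
ldap_search_ext
put_filter: "(&(!(objectClass=*))(!(objectClass=*)))"
put_filter: AND
put_filter_list "(!(objectClass=*))(!(objectClass=*))"
put_filter: "(!(objectClass=*))"
ldap_send_initial_request
ldap_search_ext
put_filter: "(&(objectClass=person)(!(objectClass=*)))"
ldap_search_ext
put_filter: "(uid=user01)"
'''

if __name__ == "__main__":
    for flt, verdict in report(SAMPLE):
        print(f"{verdict:9} {flt}")
```

A "collapsed" or "partial" verdict only means the term is present in the outbound filter; compare it with the filter the client sent before concluding that the proxy rewrote it.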