Full_Name: Steffen Krahl
Version: 2.4-2
OS: Ubuntu 16.04.3 LTS
URL: ftp://ftp.openldap.org/incoming/
Submission from: (NULL) (84.168.136.108)

I'm using OpenLDAP with LDAP-backend as proxy for ActiveDirectory.
It's working well so far, only LDAP-queries which should exclude deactivated users don't work. It seems slapd does not accept queries like (attribute:OID:=value)

in particular
(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
fails due to the part ":1.2.840.113556.1.4.803:". The query itself works fine for ActiveDirectory itself.

to make blind test:
(userAccountControl:1.2.840.113556.1.4.803:=2)
will not get any object back (but should)

I'm quite new to OpenLDAP, but it seems an issue.

performing upper query gets:
Oct 1 00:45:33 nxld01 slapd[3002]: str2filter "(&(sAMAccountType= 805306368)(?=error))"
Oct 1 00:45:33 nxld01 kernel: [49436.933735] slapd[3005]: segfault at 18 ip 00007ff4f783d512 sp 00007ff4f1afc810 error 4 in libc-2.23.so[7ff4f77b9000+1c0000]

performing the following query
(&(objectClass=*)(userAccountControl:1.2.840.113556.1.4.803:=2))
will get following log entry:
Oct 1 00:49:07 nxld01 slapd[3033]: str2filter "(&(objectClass=*)(!(objectClass=*)))"
seems a little bit strange

BR
Steffen
steffen.krahl@nexio.de wrote:
> I'm using OpenLDAP with LDAP-backend as proxy for ActiveDirectory
> It's working well so far, only LDAP-queries which should exclude
> deactivated users don't work. It seems slapd does not accept queries
> like (attribute:OID:=value)

OpenLDAP does support extended filters with a matching rule. But only with matching rules implemented in OpenLDAP.

> in particular
> (!(userAccountControl:1.2.840.113556.1.4.803:=2)))

The matching rule defined by 1.2.840.113556.1.4.803 is a proprietary matching rule defined by Microsoft for bit-wise matching. AFAICS they never wrote a public formal spec for it. So this particular matching rule is not implemented in OpenLDAP.

> performing upper query gets: Oct 1 00:45:33 nxld01 slapd[3002]:
> str2filter "(&(sAMAccountType= 805306368)(?=error))" Oct 1 00:45:33
> nxld01 kernel: [49436.933735] slapd[3005]: segfault at 18 ip
> 00007ff4f783d512 sp 00007ff4f1afc810 error 4 in
> libc-2.23.so[7ff4f77b9000+1c0000]

Does that mean slapd seg faults? It shouldn't.

> performing the following query
> (&(objectClass=*)(userAccountControl:1.2.840.113556.1.4.803:=2))
> will get following log entry:
> Oct 1 00:49:07 nxld01 slapd[3033]: str2filter
> "(&(objectClass=*)(!(objectClass=*)))"

IMO it makes perfect sense to treat extended filter part with a non-supported matching rule as a filter which always evaluates to False.

Ciao, Michael.
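Added example (not part of the thread and not OpenLDAP's code): the filter from the report evaluated with RFC 4511 three-valued logic, where an unrecognized matching rule is Undefined and negating it stays Undefined, next to a client-side bit test that gives the intended result through the proxy. Entries and function names are constructed; the bit-AND semantics (every mask bit set in the value) are an assumption.

```python
# Added example: models RFC 4511 filter evaluation, not slapd's code.
BIT_AND = "1.2.840.113556.1.4.803"   # matching rule OID from the thread
ACCOUNTDISABLE = 0x2                 # mask used in the thread's filter
USER = "805306368"                   # sAMAccountType value from the thread
TRUE, FALSE, UNDEFINED = "TRUE", "FALSE", "UNDEFINED"

# Constructed sample entries (names and flag values are made up).
ENTRIES = [
    {"sAMAccountName": "alice", "sAMAccountType": USER, "userAccountControl": "512"},
    {"sAMAccountName": "bob", "sAMAccountType": USER, "userAccountControl": "514"},
    {"sAMAccountName": "svc", "sAMAccountType": USER, "userAccountControl": "66048"},
    {"sAMAccountName": "pc01$", "sAMAccountType": "805306369", "userAccountControl": "4096"},
]

def ext_match(entry, attr, rule, mask, supported_rules):
    """Evaluate (attr:rule:=mask) on a server that implements supported_rules."""
    if rule not in supported_rules:
        return UNDEFINED  # unrecognized matching rule
    if attr not in entry:
        return FALSE
    # Assumed bit-AND semantics: every bit of the mask is set in the value.
    return TRUE if int(entry[attr]) & mask == mask else FALSE

def f_not(v):
    return {TRUE: FALSE, FALSE: TRUE, UNDEFINED: UNDEFINED}[v]

def f_and(*vals):
    if FALSE in vals:
        return FALSE
    return UNDEFINED if UNDEFINED in vals else TRUE

def enabled_users_server_side(entries, supported_rules):
    """(&(sAMAccountType=805306368)(!(userAccountControl:<BIT_AND>:=2)))"""
    names = []
    for e in entries:
        is_user = TRUE if e.get("sAMAccountType") == USER else FALSE
        disabled = ext_match(e, "userAccountControl", BIT_AND, ACCOUNTDISABLE, supported_rules)
        if f_and(is_user, f_not(disabled)) == TRUE:  # only TRUE returns the entry
            names.append(e["sAMAccountName"])
    return names

def enabled_users_client_side(entries):
    """Search with (sAMAccountType=805306368) only; test the bit locally."""
    return [e["sAMAccountName"] for e in entries
            if e.get("sAMAccountType") == USER
            and int(e["userAccountControl"]) & ACCOUNTDISABLE == 0]
```

With the rule unsupported, the server-side filter returns no entries at all, so an application that relies on it to exclude disabled accounts gets an empty result; the client-side test returns the enabled users.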
Dear Michael,

many thanks for your explanation.
Regarding segmentation fault: that's true, but I have to investigate further

BR
Steffen
steffen.krahl@nexio.de wrote:
> Regarding segmentation fault: that's true, but I have to investigate
> further

Please make sure to install with debug symbols and read how to use gdb to obtain a stack back trace:

https://www.openldap.org/faq/data/cache/59.html

Ciao, Michael.
No further information on the crash provided, suspending.