
Re: Help with a referral



> Hi:
>
> I'm trying to migrate an old LDAP server (that holds an LDAP tree for
> Open-Xchange) to a new installation of OpenLDAP 2.3.43.
>
> A lot of users have configured their Outlook so that it makes a
> base search for ou=Users,ou=OxObjects,dc=domain,dc=com in their LDAP
> address book. But my new LDAP tree won't have an
> ou=OxObjects,dc=domain,dc=com entry; I'm creating a new LDAP structure
> to be used with GOSA.
>
> So I decided to create a referral like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com
>
> This works fine; now Outlook users can find their contacts using the
> same base search (ou=Users,ou=OxObjects,dc=domain,dc=com), but now GOSA
> has run into problems because it finds two administrator users (cn=System
> administrator,ou=people,dc=domain,dc=com) because of the referral.
> I would just like GOSA not to follow referrals, or to search
> for users under ou=people,dc=domain,dc=com instead of the root
> dc=domain,dc=com, but it seems that GOSA isn't good enough to customize
> this yet.
>
> So I think I could modify my referral to return not all attributes,
> but just some of them (the attributes commonly used by an address book
> search), like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail
>
> After updating my referral, I ran an ldapsearch:
>
> # ldapsearch -xLLL "(uid=admin)"
>
> I still get two entries (two administrators), and both of them return
> all their attributes. Then I tried to modify my referral like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com??sub?(!(uid=admin))
>
> And I still get two entries (two administrators). So I suspect that my
> referral URI isn't working. Am I using a wrong referral? Or maybe
> OpenLDAP always returns all entries, ignoring attributes and filters in
> a URI referral
> (ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail)?
>
> I hope someone can help me because I've been stuck with this for two
> days. I just want to limit the entries returned by my referral.

Referrals don't work like that.  Read RFC4511: the <attrs> field is not
mentioned.  It mentions, indeed, the <filter> field, but OpenLDAP does not
handle this.  The behavior you possibly expect is not strictly specified,
AFAIK.

I think you have a couple of options:

1) use ACLs to hide that entry from some specific clients

2) use a dummy proxy instead of a referral; the dummy proxy could massage
the request/response DNs, and the original server could use ACLs to hide
that entry from the results returned to the proxy.

p.
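The two options in the reply above, written out as slapd.conf fragments. This is an added example, not configuration from the poster, the reply's author or the OpenLDAP project. It assumes slapd.conf-style configuration (not cn=config), a bdb backend with an example rootdn and directory, that the proxy runs on a separate host with the constructed address 192.0.2.10 so the real server can recognise it by peername, and that slapd was built with dynamic modules for back_ldap and rwm. DNs, HOSTNAME and the address-book attribute list are taken from the thread.

```conf
# ---- slapd.conf on HOSTNAME (the real server) ----
# The tree built for GOsa lives here. No ou=OxObjects entry exists in it,
# so GOsa's search from dc=domain,dc=com sees exactly one administrator.
database        bdb
suffix          "dc=domain,dc=com"
rootdn          "cn=admin,dc=domain,dc=com"      # ASSUMPTION: example rootdn
directory       /var/lib/ldap                    # ASSUMPTION: example path

# ACLs: the first "access to" clause that matches an (entry, attribute)
# pair wins, so order matters.
# ASSUMPTION: the proxy runs on 192.0.2.10 (constructed address).

# 1) The proxy never sees the administrator entry at all. "none" on every
#    attribute, including the "entry" pseudo-attribute, keeps the entry
#    out of search results returned to the proxy.
access to dn.exact="cn=System administrator,ou=people,dc=domain,dc=com"
        by peername.ip=192.0.2.10 none
        by * read

# 2) Of the remaining people, the proxy may read only the address-book
#    attributes the poster listed. "entry" must be readable or the entry
#    is not returned at all.
access to dn.subtree="ou=people,dc=domain,dc=com"
        attrs=entry,objectClass,cn,sn,givenName,telephoneNumber,mail
        by peername.ip=192.0.2.10 read
        by * read

# 3) Every other attribute of those entries is invisible to the proxy.
access to dn.subtree="ou=people,dc=domain,dc=com"
        by peername.ip=192.0.2.10 none
        by * read

# "by * read" in the clauses above stands in for the site's existing
# policy (ASSUMPTION); keep whatever rules the real server already has.
access to *
        by * read

# ---- slapd.conf on the proxy host (192.0.2.10) ----
# Stands in for the old server that Outlook clients still point at and
# replaces the referral entry entirely.
# ASSUMPTION: dynamic modules; drop these lines for a static build.
modulepath      /usr/lib/ldap
moduleload      back_ldap.la
moduleload      rwm.la

database        ldap
suffix          "ou=Users,ou=OxObjects,dc=domain,dc=com"
uri             "ldap://HOSTNAME/"

# Rewrite the virtual base the clients use into the real one on HOSTNAME
# for outgoing requests, and back again for results, so an entry comes
# back as cn=...,ou=Users,ou=OxObjects,dc=domain,dc=com.
overlay         rwm
rwm-suffixmassage "ou=Users,ou=OxObjects,dc=domain,dc=com" "ou=people,dc=domain,dc=com"
```

To check the result, repeat the poster's search against both servers: `ldapsearch -xLLL -H ldap://192.0.2.10/ -b ou=Users,ou=OxObjects,dc=domain,dc=com "(uid=admin)"` should return nothing, a search for `(objectClass=*)` there should return only the listed attributes, and the same search against HOSTNAME with base dc=domain,dc=com should return the single real administrator. If the proxy has to run on the same host as the real server, a peername-based ACL cannot tell the two apart; in that case bind the proxy to HOSTNAME with a dedicated identity via back-ldap's idassert-bind directive (see slapd-ldap(5) for the exact options in the installed version) and key the `by` clauses on `dn.exact=` of that identity instead of `peername.ip=`.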