
Using a bitwise filter

Hello,
 
I've implemented an OpenLDAP meta directory that proxies 2 Microsoft AD targets.
Some attributes on Active Directory objects are composed of bitwise flags. Using a bitwise operator is necessary to return only objects that match a particular bit being set.
To query Active Directory for user class objects that are disabled: (UserAccountControl:1.2.840.113556.1.4.803:=2)
 
I'm trying to create a filter that selects entries for which the object class is a user but not a computer, and for which the account is not flagged as disabled:
 
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
 
If I connect to the AD server directly, all is OK; I get a search result. But sending this search to the meta backend does not work.
 
Log:
slapd[22461]: conn=1004 op=3 SRCH base="dc=meta,dc=pov" scope=2 deref=2 filter="(&(?objectClass=user)(!(?objectClass=Computer))(?=error))"
slapd[22461]: conn=1004 op=3 meta_back_search: base="dc=meta,dc=pov" scope=2: no candidate could be selected
slapd[22461]: conn=1004 op=3 SEARCH RESULT tag=101 err=32 nentries=0 text=
slapd[22461]: conn=1004 op=4 UNBIND
 
 
My OpenLDAP version: 2.4.26
 
My config:
 
database           meta
lastmod            off
suffix             "dc=meta,dc=pov"
rootdn             "cn=metaguru,dc=meta,dc=pov"
rootpw             xxxxxxxx

uri                "ldap://w3kvm.adwal.corporate.net:389/dc=meta,dc=pov"
suffixmassage      "dc=meta,dc=pov" "dc=adwal,dc=corporate,dc=net"

idassert-authzFrom "dn:*"
idassert-bind      bindmethod=simple
                   binddn="cn=radiator,cn=Users,dc=adwal,dc=corporate,dc=net"
                   credentials="xxxxx"
                   mode=none

uri                "ldap://w3kvm02.adwal.corporate.net:389/dc=meta,dc=pov"
suffixmassage      "dc=meta,dc=pov" "dc=second,dc=crocus,dc=com"

idassert-authzFrom "dn:*"
idassert-bind      bindmethod=simple
                   binddn="cn=predator,cn=Users,dc=second,dc=crocus,dc=com"
                   credentials="xxxxxxxx"
                   mode=none
 
Where is my mistake? Can you help me, please?
 
Kind regards
Waldemar
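
The filter in the post combines plain equality terms with an Active Directory extensible-match term, `UserAccountControl:1.2.840.113556.1.4.803:=2`, which is the term slapd's log shows as `(?=error)`: the proxy logged the two objectClass terms and replaced the bit test with an unparsed placeholder. The example below is added here and is not code from the post or from OpenLDAP. It is a stdlib-only Python evaluator for such filters run against constructed AD-style entries (the DNs, the `objectClass` and `userAccountControl` values are made up for the example; the two matching-rule OIDs and the `UF_*` bit values are the ones Microsoft documents). It shows what the filter selects when the bit test is honoured, and what a proxy would return if it "handled" the unsupported term by dropping it: the disabled account comes back, which is the one outcome a filter like this is written to prevent when the directory backs an authentication service.

```python
"""Evaluate RFC 4515 search filters, including Active Directory's bitwise
extensible-match rules, against in-memory entries.

Added example, not code from the original post. The entries are constructed;
the matching-rule OIDs and userAccountControl bits are the values Microsoft
documents for Active Directory.
"""
import re

LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # all bits of the mask set
LDAP_MATCHING_RULE_BIT_OR = "1.2.840.113556.1.4.804"   # any bit of the mask set

UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
UF_WORKSTATION_TRUST_ACCOUNT = 0x1000
UF_DONT_EXPIRE_PASSWD = 0x10000

def entry(dn, uac, *extra_classes):
    """Constructed AD-style entry: lower-cased attribute names, string values
    (the on-the-wire form), one list per attribute."""
    classes = ["top", "person", "organizationalPerson", "user", *extra_classes]
    return dn, {"objectclass": classes, "useraccountcontrol": [str(uac)]}

ENTRIES = dict([
    entry("CN=alice,CN=Users,DC=adwal,DC=corporate,DC=net", UF_NORMAL_ACCOUNT),
    entry("CN=bob,CN=Users,DC=adwal,DC=corporate,DC=net",
          UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE),
    entry("CN=carol,CN=Users,DC=second,DC=crocus,DC=com",
          UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
    entry("CN=WS01,CN=Computers,DC=second,DC=crocus,DC=com",
          UF_WORKSTATION_TRUST_ACCOUNT, "computer"),
])

# attr:ruleOID:=value, the extensible-match form AD uses for bit tests
_EXT_ITEM = re.compile(r"([A-Za-z][\w-]*):(\d+(?:\.\d+)+):=(.*)")

def parse_filter(text):
    """Parse (&...), (|...), (!...), attr=value and attr:rule:=value into a
    tuple AST. Values in this example must not contain ')'."""
    pos = 0

    def expect(ch):
        nonlocal pos
        if pos >= len(text) or text[pos] != ch:
            raise ValueError(f"expected {ch!r} at offset {pos} in {text!r}")
        pos += 1

    def parse():
        nonlocal pos
        expect("(")
        op = text[pos]
        if op in ("&", "|"):
            pos += 1
            children = []
            while text[pos] == "(":
                children.append(parse())
            expect(")")
            return (op, children)
        if op == "!":
            pos += 1
            child = parse()
            expect(")")
            return ("!", child)
        end = text.index(")", pos)
        item, pos = text[pos:end], end + 1
        m = _EXT_ITEM.fullmatch(item)
        if m:
            return ("ext", m.group(1).lower(), m.group(2), m.group(3))
        attr, sep, value = item.partition("=")
        if not sep:
            raise ValueError(f"unsupported filter item {item!r}")
        return ("eq", attr.lower(), value)

    node = parse()
    if pos != len(text):
        raise ValueError("trailing data after filter")
    return node

def matches(node, attrs):
    """Evaluate a parsed filter against one entry's attributes."""
    kind = node[0]
    if kind == "&":
        return all(matches(c, attrs) for c in node[1])
    if kind == "|":
        return any(matches(c, attrs) for c in node[1])
    if kind == "!":
        return not matches(node[1], attrs)
    values = attrs.get(node[1], [])
    if kind == "eq":  # objectClass values compare case-insensitively
        return any(v.lower() == node[2].lower() for v in values)
    rule, mask = node[2], int(node[3])
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        return any(int(v) & mask == mask for v in values)
    if rule == LDAP_MATCHING_RULE_BIT_OR:
        return any(int(v) & mask for v in values)
    # A server or proxy that lacks AD's matching rules cannot evaluate the term.
    raise ValueError(f"unknown matching rule {rule}")

def search(filter_text, entries=ENTRIES):
    """Return the DNs of the entries the filter selects, in entry order."""
    node = parse_filter(filter_text)
    return [dn for dn, attrs in entries.items() if matches(node, attrs)]

def drop_bit_tests(node):
    """Copy of the filter with every extensible-match term removed: what a proxy
    would evaluate if it coped with an unsupported term by discarding it."""
    if node[0] in ("&", "|"):
        kept = [c for c in map(drop_bit_tests, node[1]) if c is not None]
        return (node[0], kept) if kept else None
    if node[0] == "!":
        inner = drop_bit_tests(node[1])
        return None if inner is None else ("!", inner)
    return None if node[0] == "ext" else node

ENABLED_USERS = ("(&(objectclass=user)(!(objectclass=Computer))"
                 "(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))")

def enabled_users():
    return search(ENABLED_USERS)

def enabled_users_without_bit_test():
    node = drop_bit_tests(parse_filter(ENABLED_USERS))
    return [dn for dn, attrs in ENTRIES.items() if matches(node, attrs)]

if __name__ == "__main__":
    print("with bit test:   ", enabled_users())
    print("bit test dropped:", enabled_users_without_bit_test())
```

Running it lists alice and carol for the post's filter (bob is disabled, WS01 is a computer) and alice, bob and carol once the bit test is dropped. The `ValueError` raised for an unknown rule OID is the local analogue of the `(?=error)` in the slapd log: a filter term the evaluating side cannot interpret should fail the search rather than be ignored.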