
Strange slapd-meta search problem



Hi,

I have a meta DB pointing to an Active Directory backend. This is used by SASL for authentication.

The meta DB does not contain a schema definition for the AD.

I've configured SASL to lookup sAMAccountName in AD, but this always fails until a lookup against the meta DB has first been performed against an attribute that the meta DB does understand (e.g. cn). Once that's been done, the system is rock solid and can be searched on any attribute.

Looking at the debug output it seems that any initial search does not honour the specified filter unless the attribute being searched for is defined in the schema, but after one successful search, the LDAP server is happy to search for these attributes.

I can work around this by doing a dummy search when the LDAP server starts, but I'd like to understand the cause of the problem properly.

Any suggestions as to the cause of this? I'm using 2.4.20 on SLES 11.

Here's how to reproduce the problem. Meta LDAP server is listening on a socket /var/run/slapd/slapd (configuration at end), providing dc=meta. AD is dc=ad,dc=org,dc=uk.

After startup:

ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta -x -D "cn=administrator,dc=meta" -b dc=meta -w secret sAMAccountName=user1

<nothing returned>

Try again with cn:

ldapsearch -H ldapi://%2Fvar%2Frun%2Fslapd%2Fldapi-meta -x -D "cn=administrator,dc=meta" -b dc=meta -w secret cn=user1

<AD record returned successfully>

After this, the original search on sAMAccountName or any other attribute will also be successful.

Debug output from slapd shows an incorrect filter on objectClass with the original failed search:

==> rewrite_context_apply [depth=1] string='ou=ad.org.uk,dc=meta'
==> rewrite_rule_apply rule='((.+),)?ou=ad.org.uk,[ ]?dc=meta$' string='ou=ad.org.uk,dc=meta' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'dc=ad,dc=org,dc=uk'}
==> rewrite_context_apply [depth=1] string='(!(objectClass=*))'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
ldap_search_ext
put_filter: "(!(objectClass=*))"
put_filter: NOT
put_filter_list "(objectClass=*)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request

A successful search with cn shows the following:

==> rewrite_context_apply [depth=1] string='ou=ad.org.uk,dc=meta'
==> rewrite_rule_apply rule='((.+),)?ou=ad.org.uk,[ ]?dc=meta$' string='ou=ad.org.uk,dc=meta' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'dc=ad,dc=org,dc=uk'}
==> rewrite_context_apply [depth=1] string='(cn=user1)'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
ldap_search_ext
put_filter: "(cn=user1)"
put_filter: simple
put_simple_filter: "cn=user1"
ldap_send_initial_request
ldap_send_server_request


Here's the minimal slapd.conf file:

include             /etc/openldap/schema/core.schema

modulepath          /usr/lib/openldap/modules
moduleload          back_meta.so

argsfile            /var/run/slapd/slapd.args
pidfile             /var/run/slapd/slapd.pid

#################################################################
#
# Meta DB config
#
# dc=meta
#
#################################################################

database            meta
suffix              dc=meta
rootdn              cn=administrator,dc=meta
rootpw              secret

uri                 ldap://ad.org.uk:3268/ou=ad.org.uk,dc=meta
suffixmassage       "ou=ad.org.uk,dc=meta" "dc=ad,dc=org,dc=uk"
lastmod             off

idassert-bind       bindmethod=simple
                    binddn="cn=adldap,dc=ad,dc=org,dc=uk"
                    credentials="password"
                    flags=non-prescriptive

idassert-authzFrom  "dn.exact:cn=administrator,dc=meta"


Thanks for any help offered.

-- 
Liam Gretton                                    liam.gretton@le.ac.uk
HPC Architect                                 http://www.le.ac.uk/its
IT Services                                   Tel: +44 (0)116 2522254
University of Leicester, University Road
Leicestershire LE1 7RH, United Kingdom
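
An added example, not part of Liam's post and not OpenLDAP code: a small Python script that walks slapd -d debug output of the shape quoted above and reports, for every search forwarded to a remote target, the base DN after suffixmassage and the filter actually serialised for the remote server. OpenLDAP's proxy back-ends (back-ldap and back-meta) send "(!(objectClass=*))" in place of a filter term slapd could not evaluate against its own schema, and that filter can never match, so spotting it in the log turns "nothing returned" into a definite diagnosis instead of a guess. The sample log embedded in the script is constructed from the two traces in the post; the function and variable names are the editor's own.

```python
"""Find searches that back-meta forwarded with the never-matching
'(!(objectClass=*))' filter in slapd -d debug output (added example)."""
import re

# What OpenLDAP's proxy back-ends substitute for a filter term slapd
# could not evaluate against its own schema; no entry matches it.
UNDEFINED_FILTER = "(!(objectClass=*))"

_RE_STRING = re.compile(r"^rewrite_context_apply \[depth=\d+\] string='(.*)'$")
_RE_RES = re.compile(r"^rewrite_context_apply \[depth=\d+\] res=\{\d+,'(.*)'\}$")
_RE_FILTER = re.compile(r'^put_filter: "(.*)"$')


def parse_forwarded_searches(debug_text):
    """Return one record per search sent to a remote target, in log order.

    Each record holds the local base DN, the base after suffixmassage,
    and the outermost filter serialised for the remote server."""
    searches = []
    pending = None            # last rewrite input awaiting its result
    local_base = remote_base = None
    current = None
    for raw in debug_text.splitlines():
        line = raw.strip()
        if line.startswith("==>"):
            line = line[3:].strip()
        m = _RE_STRING.match(line)
        if m:
            pending = m.group(1)
            continue
        m = _RE_RES.match(line)
        if m:
            if pending is not None and not pending.startswith("("):
                # A DN went through the rewrite engine: record the massage.
                local_base = pending
                remote_base = pending if m.group(1) == "NULL" else m.group(1)
            pending = None
            continue
        if line == "ldap_search_ext":
            current = {"local_base": local_base,
                       "remote_base": remote_base,
                       "filter": None}
            continue
        m = _RE_FILTER.match(line)
        if m and current is not None and current["filter"] is None:
            current["filter"] = m.group(1)   # keep only the outermost filter
            continue
        if line == "ldap_send_server_request" and current is not None:
            searches.append(current)
            current = None
    return searches


def undefined_searches(searches):
    """Subset of records whose forwarded filter can never match."""
    return [s for s in searches if s["filter"] == UNDEFINED_FILTER]


# Constructed sample: the two traces from the post, back to back.
SAMPLE_DEBUG = """\
==> rewrite_context_apply [depth=1] string='ou=ad.org.uk,dc=meta'
==> rewrite_rule_apply rule='((.+),)?ou=ad.org.uk,[ ]?dc=meta$' string='ou=ad.org.uk,dc=meta' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'dc=ad,dc=org,dc=uk'}
==> rewrite_context_apply [depth=1] string='(!(objectClass=*))'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
ldap_search_ext
put_filter: "(!(objectClass=*))"
put_filter: NOT
put_filter_list "(objectClass=*)"
put_filter: "(objectClass=*)"
put_filter: simple
put_simple_filter: "objectClass=*"
ldap_send_initial_request
ldap_send_server_request
==> rewrite_context_apply [depth=1] string='ou=ad.org.uk,dc=meta'
==> rewrite_rule_apply rule='((.+),)?ou=ad.org.uk,[ ]?dc=meta$' string='ou=ad.org.uk,dc=meta' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'dc=ad,dc=org,dc=uk'}
==> rewrite_context_apply [depth=1] string='(cn=user1)'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
ldap_search_ext
put_filter: "(cn=user1)"
put_filter: simple
put_simple_filter: "cn=user1"
ldap_send_initial_request
ldap_send_server_request
"""

if __name__ == "__main__":
    found = parse_forwarded_searches(SAMPLE_DEBUG)
    bad = undefined_searches(found)
    for s in found:
        tag = "NEVER MATCHES" if s in bad else "ok"
        print(f"{s['local_base']} -> {s['remote_base']}  {s['filter']}  [{tag}]")
```

Run it against a real capture with something like "slapd -d 1 ... 2>&1 | tee slapd.log" and pass the file contents to parse_forwarded_searches(); a search that turns up in undefined_searches() was rewritten before it ever reached AD, so the remote side is not the place to look for the problem.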