
Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter



On 06/03/2014 04:23 PM, Charles Bueche wrote:
Hi,

I'm running the latest openldap stable 2.4.39 on Ubuntu.
My openldap server is configured as a LDAP proxy to MS-AD using
back-meta. It works nicely, as long as I don't use OID in filters.

Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN
(http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to
search recursive groups in MS-AD.

If I use that special filter directly against AD, I get my group list.
filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'

Or if I use a "normal" filter across my proxy, I get my group list as well.
filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)'

BROKEN: If I use the special filter across my LDAP proxy's back-meta, I
get no results and filter="(?=undefined)" in my debug log.
filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'

So my guess is that my filter syntax with OID is not accepted by back-meta.

When using -d -1, I see this:

...
538dd110 begin get_filter
538dd110 EXTENSIBLE
...
538dd110 end get_filter 0
538dd110     filter: (?=undefined)
...

I have looked at the code of openldap-2.4.39/servers/slapd/filter.c but
I don't really see what's wrong.

Without looking at the code, I think OpenLDAP's slapd doesn't like filters with unknown OIDs, that's it. The request doesn't even get to back-meta.

On a side note, since the filter is supposed to be passed through to the remote server, slapd should not worry about it; however, AFAIK there's no way, so far, to disable such check. The easiest way is to define a module that registers a dummy matching rule with that OID, although it won't likely be that straightforward.

p.

--
Pierangelo Masarati
Associate Professor
Dipartimento di Scienze e Tecnologie Aerospaziali
Politecnico di Milano
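Added example, not code from the thread or from OpenLDAP's slapd/filter.c: a small Python model of RFC 4515 extensible-match filter parsing that reproduces the two behaviours discussed above. A filter whose matching-rule OID is not in the server's registered table is normalised to `(?=undefined)` and matches nothing, which is the empty result and debug line Charles saw; once the OID is present in the table (the equivalent of Pierangelo's dummy matching rule), the filter is accepted and the chain rule can be evaluated as a transitive walk over `memberOf`. The matching-rule table, the three directory entries and the rule name `inChainMatch` are constructed for illustration; the DNs reuse the ones from the quoted filters, and the evaluator stands in for what AD would do on the far side of the proxy.

```python
"""Toy model of slapd-style extensible-match filter handling (constructed
illustration, not OpenLDAP's implementation)."""
import re
from typing import Dict, List, Optional

# Matching rules this toy server "knows" (OID -> name). Stock OpenLDAP registers
# many standard rules but not Active Directory's LDAP_MATCHING_RULE_IN_CHAIN.
DEFAULT_RULES: Dict[str, str] = {
    "2.5.13.1": "distinguishedNameMatch",
    "2.5.13.2": "caseIgnoreMatch",
}
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# (attr=value) and (attr[:dn][:rule]:=value). Values are taken literally since
# the sample filters contain no RFC 4515 escapes.
_SIMPLE = re.compile(r"^\((?P<attr>[A-Za-z][\w-]*)=(?P<value>[^)]*)\)$")
_EXTENSIBLE = re.compile(
    r"^\((?P<attr>[A-Za-z][\w-]*)?(?P<dn>:dn)?"
    r"(?::(?P<rule>\d+(?:\.\d+)+|[A-Za-z][\w-]*))?:=(?P<value>[^)]*)\)$"
)


def parse_filter(text: str, rules: Dict[str, str] = DEFAULT_RULES) -> dict:
    """Parse one filter. An unregistered matching rule (by OID or by name)
    yields {"undefined": True}, which slapd's debug output prints as
    (?=undefined)."""
    m = _SIMPLE.match(text)
    if m:
        return {"attr": m["attr"], "rule": None, "value": m["value"], "dn": False}
    m = _EXTENSIBLE.match(text)
    if not m or (m["attr"] is None and m["rule"] is None):
        raise ValueError(f"bad filter syntax: {text}")
    oid: Optional[str] = m["rule"]
    if oid is not None:
        by_name = {name: o for o, name in rules.items()}
        oid = oid if oid in rules else by_name.get(oid)
        if oid is None:                      # not registered -> undefined
            return {"undefined": True}
    return {"attr": m["attr"], "rule": oid, "value": m["value"], "dn": bool(m["dn"])}


def filter_to_string(f: dict) -> str:
    """Render a parsed filter the way the debug log shows it."""
    if f.get("undefined"):
        return "(?=undefined)"
    if f["rule"] is None:
        return f"({f['attr']}={f['value']})"
    dn = ":dn" if f["dn"] else ""
    return f"({f['attr'] or ''}{dn}:{f['rule']}:={f['value']})"


# Constructed directory: gs-msp-report is nested inside ls-msp-app1, and alice
# belongs to ls-msp-app1 only through that nesting.
APP1 = "cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch"
REPORT = "cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch"
ALICE = "cn=alice,OU=Users,DC=ad,DC=stuff,DC=ch"
DIRECTORY: Dict[str, List[str]] = {APP1: [], REPORT: [APP1], ALICE: [REPORT]}


def _same_dn(a: str, b: str) -> bool:
    return a.lower() == b.lower()


def _member_of_transitively(dn: str, target: str, directory, seen=None) -> bool:
    """Follow memberOf links until target is reached; 'seen' guards cycles."""
    if seen is None:
        seen = set()
    for group in directory.get(dn, []):
        if _same_dn(group, target):
            return True
        if group not in seen:
            seen.add(group)
            if _member_of_transitively(group, target, directory, seen):
                return True
    return False


def search(filter_text: str, directory=DIRECTORY, rules=DEFAULT_RULES) -> List[str]:
    """Return the DNs matching a memberOf filter. An undefined filter matches
    nothing, which is the 'no results' from the original post."""
    f = parse_filter(filter_text, rules)
    if f.get("undefined") or (f.get("attr") or "").lower() != "memberof":
        return []
    if f["rule"] is None:                    # plain equality: direct members only
        return [dn for dn, groups in directory.items()
                if any(_same_dn(g, f["value"]) for g in groups)]
    if f["rule"] == IN_CHAIN_OID:            # chain rule: transitive membership
        return [dn for dn in directory
                if _member_of_transitively(dn, f["value"], directory)]
    return []


if __name__ == "__main__":
    chain = f"(memberOf:{IN_CHAIN_OID}:={APP1})"
    print(filter_to_string(parse_filter(chain)))             # (?=undefined)
    print(search(chain))                                     # []
    patched = {**DEFAULT_RULES, IN_CHAIN_OID: "inChainMatch"}  # dummy rule registered
    print(search(chain, rules=patched))                      # [REPORT, ALICE]
```

Running the block shows the proxy-side failure first (the chain filter collapses to `(?=undefined)` and returns nothing) and then, with the OID added to the rule table, the filter passing through and the transitive lookup returning both the nested group and the indirectly nested user, whereas the plain `memberOf=` form only ever returns direct members.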