[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter

To: openldap-technical@openldap.org, pierangelo.masarati@polimi.it
Subject: Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
From: Charles Bueche <cblists@bueche.ch>
Date: Wed, 04 Jun 2014 15:14:38 +0200
In-reply-to: <538DE129.1070203@polimi.it>
References: <538DDA7C.1060305@bueche.ch> <538DE129.1070203@polimi.it>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

On 03.06.14 16:52, Pierangelo Masarati wrote:
> On 06/03/2014 04:23 PM, Charles Bueche wrote:
>> Hi,
>>
>> I'm running the latest openldap stable 2.4.39 on Ubuntu.
>> My openldap server is configured as a LDAP proxy to MS-AD using
>> back-meta. It works nicely, as long as I don't use OID in filters.
>>
>> Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN
>> (http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to
>> search recursive groups in MS-AD.
>>
>> If I use that special filter directly against AD, I get my group list.
>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>
>>
>> Or if I use a "normal" filter across my proxy, I get my group list as
>> well.
>> filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)'
>>
>> BROKEN: If I use the special filter across my LDAP proxy's back-meta, I
>> get no results and filter="(?=undefined)" in my debug log.
>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>
>>
>> So my guess is that my filter syntax with OID is not accepted by
>> back-meta.
>>
>> When using -d -1, I see this:
>>
>> ...
>> 538dd110 begin get_filter
>> 538dd110 EXTENSIBLE
>> ...
>> 538dd110 end get_filter 0
>> 538dd110     filter: (?=undefined)
>> ...
>>
>> I have looked at the code of openldap-2.4.39/servers/slapd/filter.c but
>> I don't really see what's wrong.
>
> Without looking at the code, I think OpenLDAP's slapd doesn't like
> filters with unknown OIDs, that's it.  The request doesn't even get to
> back-meta.
>
> On a side note, since the filter is supposed to be passed through to
> the remote server, slapd should not worry about it; however, AFAIK
> there's no way, so far, to disable such check.  The easiest way is to
> define a module that registers a dummy matching rule with that OID,
> although it won't likely be that straightforward.
>
> p.
>

Hi Pierangelo and list,

thanks for your answer, I'm very unsure now how to continue. I studied
the code of get_filter() and get_mra() without really understanding at
what time my filter is classified as invalid.

The ideas is to implement a workaround in form of a list of white-listed
OID's (only 4 are needed from
http://msdn.microsoft.com/en-us/library/cc223367.aspx), where should I
put this in the code ?

I do compile my own openldap package anyway, so I can well put some
#ifdef around this, at least to be able to continue my project. I'm now
stopped by this problem and as usual I do have to deliver rsn.

On the other side, what do you mean with "define a module that registers
a dummy matching rule with that OID" ?
Is this a module like back_meta, rwn and friends ? Do you have any
pointer like a dummy module to show where to begin ?

As you see, I'm pretty much at the beginning of the learning curve and I
am very happy to get your help.

Regards,
Charles

Follow-Ups:
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>

References:
- back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Pierangelo Masarati <pierangelo.masarati@polimi.it>

Prev by Date: RE: LDAP Proxy Timeout Values
Next by Date: Re: ACL inconsistency
Index(es):
- Chronological
- Thread