
Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter



On 05.06.14 15:22, Howard Chu wrote:
> Charles Bueche wrote:
>>> On the other side, what do you mean by "define a module that
>>> registers
>>> a dummy matching rule with that OID"?
>>> Is this a module like back_meta, rwm and friends? Do you have any
>>> pointer, like a dummy module, to show where to begin?
>>>
>>> As you see, I'm pretty much at the beginning of the learning curve
>>> and I
>>> am very happy to get your help.
>>>
>>> Regards,
>>> Charles
>>
>> OK, it did cost me a lot of brain power, but I do have a workaround. I
>> mention it here because I'm quite sure someone else will hit the same
>> problem one day.
>>
>> 1. the recursive search filter passed to the proxy should use a filter
>> supported by the proxy, eg
>>
>> filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'
>>
>>
>> 2. the proxy grasps it, accepts it, and passes it to the rewrite module
>>
>> 3. use a rewrite rule to massage the filter:
>>
>> rewriteRule
>>      "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
>>      "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
>>      ":"
>>
>> back_meta then passes the rewritten filter to the back-end AD.
>
> Nice work.
>
>> To the developers: as mentioned by Pierangelo above, it should be
>> possible to disable the filter sanity check when it is passed to a LDAP
>> back-end. If the filter is insane, the back-end will complain soon
>> enough.
>
> That will never be done. The docs clearly state that when operating as
> a proxy, slapd must have schema definitions for anything passing
> through it. 

After all the musings through doc, code and debug log, this is now
clearer. What I still don't understand is why including a schema with the
desired OIDs is not enough to make them OK for filtering.

> Many sites use OpenLDAP as a frontend proxy specifically because these
> sanity checks protect their backend servers (that are from other
> vendors and more fragile).
I can well understand your position.
>
> Pierangelo already gave the right answer here - write a piece of C
> code that registers OIDs for the matching rules you want and load it
> as a dynamic module. There are many modules in contrib/slapd-modules
> in the source tree.

thanks for the pointer. The last time I wrote C code was probably around
1992 or so... I will check what I can do, but as said, the learning
curve (especially understanding the openldap code, libs and layers) is
steep, even with the examples. Anyway, as soon as I get some time to do
something, I will have a go. As I understand, slapd-modules/dsaschema
is probably close to what I need.

Anyway, it's great to have your support within this list, thanks again!
Charles
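
The three steps of the workaround above, assembled into one slapd.conf fragment. This is an added example, not configuration posted in the thread or shipped by OpenLDAP: the two suffixes and the rewriteRule are the ones Charles posted, while the AD host name, the module path, the schema include and the attributetype definition for RecursiveMemberOf (including its placeholder OID and its equality rule) are assumptions that have to be adapted.

```conf
# Added example: back_meta configuration for the filter-rewrite workaround.
# Assumed, not from the thread: ad.stuff.ch, the module path, the schema
# include, and the whole RecursiveMemberOf attributetype below.
include         /etc/openldap/schema/core.schema

# Step 1: the proxy has to know every attribute that appears in a filter it
# forwards, so the client-facing name gets a schema entry. "RecursiveMemberOf-oid"
# is OpenLDAP's name-based placeholder form and should be replaced with a numeric
# OID from your own private arc. Using DN syntax here is an assumption; whatever
# equality rule you pick decides how slapd normalises the value before the
# rewrite rule sees it.
attributetype ( RecursiveMemberOf-oid
    NAME 'RecursiveMemberOf'
    DESC 'client-side name for an AD memberOf in-chain search'
    EQUALITY distinguishedNameMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )

modulepath      /usr/lib/openldap
moduleload      back_meta.la

database        meta
suffix          "dc=extra,dc=proxy,dc=stuff,dc=ch"
uri             "ldap://ad.stuff.ch/dc=ad,dc=stuff,dc=ch"
suffixmassage   "dc=extra,dc=proxy,dc=stuff,dc=ch" "dc=ad,dc=stuff,dc=ch"

# Steps 2 and 3: the frontend has already accepted the filter against the schema
# above by the time the rewrite engine runs, so the extensible-match OID in the
# substitution (1.2.840.113556.1.4.1941, LDAP_MATCHING_RULE_IN_CHAIN) only has
# to be understood by the AD behind the proxy, not by slapd itself.
# The pattern matches the filter as slapd serialises it after parsing, not the
# raw client string, so compare it against the filter shown in the debug log
# (e.g. "loglevel filter") before tuning the regex.
rewriteEngine   on
rewriteContext  searchFilter
rewriteRule
    "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
    "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
    ":"
```

Note that with this setup the schema check the proxy performs still applies to the client-facing attribute: a client that sends a filter on an attribute the proxy does not define is rejected before the rewrite ever runs, which is exactly the behaviour Howard describes above as the reason the check stays.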