[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter

To: openldap-technical@openldap.org
Subject: Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
From: Charles Bueche <cblists@bueche.ch>
Date: Fri, 06 Jun 2014 15:59:02 +0200
In-reply-to: <53919BB9.1080508@polimi.it>
References: <538DDA7C.1060305@bueche.ch> <538DE129.1070203@polimi.it> <538F1BBE.8060902@bueche.ch> <53905A65.9020906@bueche.ch> <5390BAA0.5060604@polimi.it> <539195EF.6050607@bueche.ch> <53919BB9.1080508@polimi.it>
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:24.0) Gecko/20100101 Thunderbird/24.5.0

On 06.06.14 12:45, Pierangelo Masarati wrote:
> On 06/06/2014 12:20 PM, Charles Bueche wrote:
>>
>> On 05.06.14 20:44, Pierangelo Masarati wrote:
>>> On 06/05/2014 01:54 PM, Charles Bueche wrote:
>>>>
>>>> On 04.06.14 15:14, Charles Bueche wrote:
>>>>> On 03.06.14 16:52, Pierangelo Masarati wrote:
>>>>>> On 06/03/2014 04:23 PM, Charles Bueche wrote:
>>>>>>> Hi,
>>>>>>>
>>>>>>> I'm running the latest openldap stable 2.4.39 on Ubuntu.
>>>>>>> My openldap server is configured as a LDAP proxy to MS-AD using
>>>>>>> back-meta. It works nicely, as long as I don't use OID in filters.
>>>>>>>
>>>>>>> Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN
>>>>>>> (http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to
>>>>>>> search recursive groups in MS-AD.
>>>>>>>
>>>>>>> If I use that special filter directly against AD, I get my group
>>>>>>> list.
>>>>>>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> Or if I use a "normal" filter across my proxy, I get my group
>>>>>>> list as
>>>>>>> well.
>>>>>>> filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)'
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> BROKEN: If I use the special filter across my LDAP proxy's
>>>>>>> back-meta, I
>>>>>>> get no results and filter="(?=undefined)" in my debug log.
>>>>>>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>> So my guess is that my filter syntax with OID is not accepted by
>>>>>>> back-meta.
>>>>>>>
>>>>>>> When using -d -1, I see this:
>>>>>>>
>>>>>>> ...
>>>>>>> 538dd110 begin get_filter
>>>>>>> 538dd110 EXTENSIBLE
>>>>>>> ...
>>>>>>> 538dd110 end get_filter 0
>>>>>>> 538dd110     filter: (?=undefined)
>>>>>>> ...
>>>>>>>
>>>>>>> I have looked at the code of
>>>>>>> openldap-2.4.39/servers/slapd/filter.c but
>>>>>>> I don't really see what's wrong.
>>>>>> Without looking at the code, I think OpenLDAP's slapd doesn't like
>>>>>> filters with unknown OIDs, that's it.  The request doesn't even
>>>>>> get to
>>>>>> back-meta.
>>>>>>
>>>>>> On a side note, since the filter is supposed to be passed through to
>>>>>> the remote server, slapd should not worry about it; however, AFAIK
>>>>>> there's no way, so far, to disable such check.  The easiest way
>>>>>> is to
>>>>>> define a module that registers a dummy matching rule with that OID,
>>>>>> although it won't likely be that straightforward.
>>>>>>
>>>>>> p.
>>>>>>
>>>>> Hi Pierangelo and list,
>>>>>
>>>>> thanks for your answer, I'm very unsure now how to continue. I
>>>>> studied
>>>>> the code of get_filter() and get_mra() without really
>>>>> understanding at
>>>>> what time my filter is classified as invalid.
>>>>>
>>>>> The ideas is to implement a workaround in form of a list of
>>>>> white-listed
>>>>> OID's (only 4 are needed from
>>>>> http://msdn.microsoft.com/en-us/library/cc223367.aspx), where
>>>>> should I
>>>>> put this in the code ?
>>>>>
>>>>> I do compile my own openldap package anyway, so I can well put some
>>>>> #ifdef around this, at least to be able to continue my project.
>>>>> I'm now
>>>>> stopped by this problem and as usual I do have to deliver rsn.
>>>>>
>>>>> On the other side, what do you mean with "define a module that
>>>>> registers
>>>>> a dummy matching rule with that OID" ?
>>>>> Is this a module like back_meta, rwn and friends ? Do you have any
>>>>> pointer like a dummy module to show where to begin ?
>>>>>
>>>>> As you see, I'm pretty much at the beginning of the learning curve
>>>>> and I
>>>>> am very happy to get your help.
>>>>>
>>>>> Regards,
>>>>> Charles
>>>>
>>>> ok, it did cost me a lot of brain power, but I do have a workaround. I
>>>> mention it here because I'm quite sure someone else will hit the same
>>>> problem one day.
>>>>
>>>> 1. the recursive search filter passed to the proxy should use a filter
>>>> supported by the proxy, eg
>>>>
>>>> filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'
>>>>
>>>>
>>>>
>>>> 2. the proxy gasp it, accept it, and pass it to the rewrite module
>>>>
>>>> 3. use a rewrite rule to massage the filter:
>>>>
>>>> rewriteRule
>>>>       "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
>>>>       "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
>>>>       ":"
>>>>
>>>> back_meta then pass the rewritten filter to the back-end AD.
>>>>
>>>>
>>>> To the developers: as mentioned by Pierangelo above, it should be
>>>> possible to disable the filter sanity check when it is passed to a
>>>> LDAP
>>>> back-end. If the filter is insane, the back-end will complain soon
>>>> enough.
>>>
>>> This does the trick in your specific case; you should be able to
>>> modify it to add more matching rule definitions.
>> Hi Pierangelo,
>>
>> Thanks for the code. I have been able to compile and install it, and
>> load it in my slapd.conf. I see as well it's loaded in the debug output.
>>
>> 5391911a line 36 (moduleload    mr_passthru.so)
>> 5391911a loaded module mr_passthru.so
>> 5391911a register_matching_rule: passthru : 0 (that's from a new DEBUG
>> call I added)
>> 5391911a module mr_passthru.so: null module registered
>>
>> However, my recursive filter search still fail, I still get "filter:
>> (?=undefined" and the filter is still recognized as EXTENSIBLE.
>> My filter is
>> "(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)"
>>
>
> Is slapo-memberof loaded?  It declares the "memberOf" attribute
> (otherwise unknown to OpenLDAP's slapd).
>
>>
>> Looking at the code, I somewhat understand mr_passthru_initialize(), but
>> then what is the role of okMatch(), never used ?
>
> Not needed.

Pierangelo you are my angel :-)

I have a working setup without the rewrite "kludge", with all my
recursive group search working. I have allowed myself to create some
documentation for it in form of a README, plus a Makefile copied over
from another contrib module. The whole stuff is located in

    https://github.com/cbueche/openldap-passthru

Feel free to fix correct my documentation. It would probably be nice to
copy all this stuff in contrib/slapd-modules/mr_passthru/ so the next
release will have it as well.

Thanks again !
Charles

References:
- back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Pierangelo Masarati <pierangelo.masarati@polimi.it>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Pierangelo Masarati <pierangelo.masarati@polimi.it>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Charles Bueche <cblists@bueche.ch>
- Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
  - From: Pierangelo Masarati <pierangelo.masarati@polimi.it>

Prev by Date: Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter
Next by Date: AD pass through to Openladp?
Index(es):
- Chronological
- Thread