
Re: allow to pass on "undefined" filters in meta



Markus.Storm@t-systems.com wrote:
Hi
I've run into a problem trying to deploy back-meta in front of an Active
Directory target.

What is the exact filter you are trying to use?

I believe that to resolve it, I need to get a new option implemented.
I need to issue a request through a back-meta proxy. That query happens to
contain a matching rule which is not implemented in OpenLDAP so slapd does not
know how to evaluate the query. The target that the query will ultimately be
passed on to (an Active Directory) does know how to process the query, though.
OpenLDAP, however, considers the filter to be "undefined" and thus on relaying
the request to the AD target, back-meta replaces a portion of the original
query with a “(?=undefined)” filter as documented in e.g. slapd-meta manpage
"noundeffilter" option.
But I need the original query to be passed on. It's in fact a _valid_ LDAP
request, just OpenLDAP happens to be unable to parse it.
But at least in my setup, slapd does not have to do _anything_ about the
query other than to pass it on, so I find it unacceptable that it replaces the
query just because it doesn’t understand it.
Please, can you add an option switch to the code to allow for passing on
original queries *without* replacing undefined portions?
I have not found any other solution to my problem. I tried to make OpenLDAP
aware of the undefined portion by adding the matching rule to the schema but I
failed. Seems that would need to be planted into the code, and not being a
programmer, that’s not as easy as it is with expanding the schema by some new
attributes.
Also, while of course any parser/feature enhancement will always be
appreciated, I would think that to implement the matching rule is not the
best way of fixing things: I believe there will always be situations where
OpenLDAP cannot parse the input while another LDAP server can.
For a proof of concept, I hacked servers/slapd/back-meta/map.c (around line
581 as of 2.4.39) and  but  - again, I’m not a programmer – I feel incapable of
turning this into a full-blown patch free of side effects, also I want the
modification to become available to anyone.
So I'm hoping for you to implement the switch mentioned above, maybe as a
third possible setting for the "noundeffilter" option.
Thanks a lot in advance,
best regards
Markus Storm


--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/