
Re: allow to pass on "undefined" filters in meta



> -----Original Message-----
> From: Howard Chu [mailto:hyc@symas.com]
> Sent: Wednesday, 17 September 2014 18:17
> To: Storm, Markus; openldap-technical@openldap.org
> Subject: Re: allow to pass on "undefined" filters in meta
> 
> Markus.Storm@t-systems.com wrote:
> > Hi
> > I've run into a problem trying to deploy back-meta in front of an
> > Active Directory target.
> 
> What is the exact filter you are trying to use?

A filter such as

(&(objectclass=user)
(|(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_AAA_ADM,OU=Groups,OU=AAA,OU=Servers,DC=lab,DC=net)
(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_BBB_ADM,OU=Groups,OU=AAA,OU=Servers,DC=lab,DC=net)))

The problem is with the matching rule to be used, :1.2.840.113556.1.4.1941:.
That translates into LDAP_MATCHING_RULE_IN_CHAIN, which tells the server to
recursively check for nested group membership. That's a feature in AD but not
supported in OpenLDAP (or at least not by specifying that matching rule).

> 
> > I believe that to resolve it, I need to get a new option implemented.
> > I need to issue a request through a back-meta proxy. That query
> > happens to contain a matching rule which is not implemented in
> > OpenLDAP, so slapd does not know how to evaluate the query. The target
> > that the query will ultimately be passed on to (an Active Directory)
> > does know how to process the query, though.
> > OpenLDAP, however, considers the filter to be "undefined" and thus, on
> > relaying the request to the AD target, back-meta replaces a portion of
> > the original query with a "(?=undefined)" filter as documented in
> > e.g. the slapd-meta manpage, "noundeffilter" option.
> > But I need the original query to be passed on. It's in fact a _valid_
> > LDAP request; just OpenLDAP happens to be unable to parse it.
> > But at least in my setup, slapd does not have to do _/anything/_
> > about the query other than to pass it on, so I find it unacceptable
> > that it replaces the query just because it doesn't understand it.
> > Please, can you add an option switch to the code to allow for passing
> > on original queries *without* replacing undefined portions?
> > I have not found any other solution to my problem. I tried to make
> > OpenLDAP aware of the undefined portion by adding the matching rule to
> > the schema, but I failed. It seems that would need to be planted into
> > the code, and, not being a programmer, that's not as easy as it is with
> > expanding the schema by some new attributes.
> > Also, while of course any parser/feature enhancement will always be
> > appreciated, I would think that implementing the matching rule is not
> > the best way of fixing things: I believe there will always be
> > situations where OpenLDAP cannot parse the input while another LDAP
> > server can.
> > For a proof of concept, I hacked servers/slapd/back-meta/map.c (around
> > line 581 as of 2.4.39), but - again, I'm not a programmer - I feel
> > incapable of turning this into a full-blown patch free of side
> > effects; also I want the modification to become available to anyone.
> > So I'm hoping for you to implement the switch mentioned above, maybe
> > as a third possible setting for the "noundeffilter" option.
> > Thanks a lot in advance,
> > best regards
> > Markus Storm
> 
> 
> --
>    -- Howard Chu
>    CTO, Symas Corp.           http://www.symas.com
>    Director, Highland Sun     http://highlandsun.com/hyc/
>    Chief Architect, OpenLDAP  http://www.openldap.org/project/
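
As an added illustration of the behaviour discussed in this thread (this is example code, not OpenLDAP's map.c and not the poster's hack of it), here is a small RFC 4515 filter parser for a hypothetical proxy. It recognises extensible-match components (attr:rule:=value), and on re-emitting the filter either substitutes "(?=undefined)" for any component whose matching-rule OID the proxy does not implement, as the post says back-meta does, or relays the component text unchanged, which is the pass-through behaviour the post asks for. The set KNOWN_RULES, the function names and the "passthrough" flag are assumptions of this example; the sample filter is the one from the post, joined onto one line.

```python
"""Toy RFC 4515 filter parser: what a proxy does with an extensible match
whose matching-rule OID it does not know.

Added example only; not OpenLDAP / back-meta code.  "replace" mode mirrors
the "(?=undefined)" substitution described in the post, "passthrough" mode
is the behaviour the post requests.
"""
import re

# Matching rules this hypothetical proxy implements.  The AD rule
# 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN) is deliberately
# absent, as it is in OpenLDAP according to the post.
KNOWN_RULES = {"2.5.13.0", "2.5.13.2", "2.5.13.5"}  # objectIdentifier/caseIgnore/caseExact

# Extensible-match item (simplified): attr [":dn"] [":" rule] ":=" value
EXT_RE = re.compile(
    r"^(?P<attr>[A-Za-z0-9.;-]*)(?P<dn>:dn)?(?::(?P<rule>[A-Za-z0-9.-]+))?:=(?P<value>.*)$",
    re.S,
)


def parse(s, pos=0):
    """Parse one filter starting at s[pos]; return (node, offset after it)."""
    if s[pos] != "(":
        raise ValueError("expected '(' at offset %d" % pos)
    pos += 1
    op = s[pos]
    if op in "&|":
        pos += 1
        kids = []
        while s[pos] == "(":
            kid, pos = parse(s, pos)
            kids.append(kid)
        return (op, kids), _close(s, pos)
    if op == "!":
        kid, pos = parse(s, pos + 1)
        return ("!", [kid]), _close(s, pos)
    # Leaf item runs to the next ')'.  A literal ')' inside a value must be
    # escaped as \29 per RFC 4515, so it cannot appear raw here.
    end = s.index(")", pos)
    item = s[pos:end]
    m = EXT_RE.match(item)
    if m:
        return ("ext", m.group("attr"), bool(m.group("dn")),
                m.group("rule"), m.group("value")), end + 1
    return ("item", item), end + 1


def _close(s, pos):
    if s[pos] != ")":
        raise ValueError("expected ')' at offset %d" % pos)
    return pos + 1


def serialize(node, known_rules=KNOWN_RULES, passthrough=False):
    """Re-emit the filter.  An extensible match with an unknown rule becomes
    "(?=undefined)" unless passthrough=True, which keeps the original text."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        inner = "".join(serialize(k, known_rules, passthrough) for k in node[1])
        return "(" + kind + inner + ")"
    if kind == "item":
        return "(" + node[1] + ")"
    _, attr, dn, rule, value = node
    if rule and rule not in known_rules and not passthrough:
        return "(?=undefined)"
    return "(%s%s%s:=%s)" % (attr, ":dn" if dn else "", ":" + rule if rule else "", value)


def unknown_rules(node, known_rules=KNOWN_RULES):
    """Matching-rule OIDs used in the filter that this proxy cannot evaluate."""
    kind = node[0]
    if kind in ("&", "|", "!"):
        out = []
        for k in node[1]:
            out.extend(unknown_rules(k, known_rules))
        return out
    if kind == "ext" and node[3] and node[3] not in known_rules:
        return [node[3]]
    return []


def relay(filter_text, passthrough=False):
    """The filter the proxy would send to its target in the given mode."""
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing data after filter")
    return serialize(node, passthrough=passthrough)


# The filter from the post, constructed here as a single line.
AD_FILTER = (
    "(&(objectclass=user)"
    "(|(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_AAA_ADM,OU=Groups,OU=AAA,OU=Servers,DC=lab,DC=net)"
    "(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_BBB_ADM,OU=Groups,OU=AAA,OU=Servers,DC=lab,DC=net)))"
)

if __name__ == "__main__":
    print("unknown rules:", sorted(set(unknown_rules(parse(AD_FILTER)[0]))))
    print("replace      :", relay(AD_FILTER))
    print("passthrough  :", relay(AD_FILTER, passthrough=True))
```

Running it shows the two outcomes side by side: in replace mode both memberOf assertions collapse to "(?=undefined)", so the AD target never sees the nested-group rule, while in passthrough mode the filter reaches the target byte-for-byte. Note that the pass-through mode only works here because this toy keeps the original assertion text in the parse tree; a proxy that normalises a filter into an internal "undefined" node at parse time has already lost the text it would need to relay.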