[Date Prev][Date Next] [Chronological] [Thread] [Top]

Allow to pass on "undefined" filters in back-perl

Hi all,
I have now the same problem, but with back-perl. We have so one kind of LDAP broker implemented. Reason is to split authentication and authorization by sending the LDAP-bind to one server(Authentication) and LDAP-search for group membership to another (Authorization).
Unfortunately  one of 6 authorization server is a Microsoft Active Directory, expects LDAP_MATCHING_RULE_IN_CHAIN, and so I get “Bad filter, "(?=undefined)".
It is possible to implement a similar workaround as in the back-meta bellow?
I think a generally config option to deactivate the filters sanity check were very useful, not for me only.
Kind regards
Hi all,
I had exactly the same problem last June. Pierangelo Masarati helped me
understanding the problem. He even provided the code for a contrib
module to solve this issue. You can search the list for the subject
"back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter".
I have "packed" all of it into a github repo at
https://github.com/cbueche/openldap-passthru and announced it to the
list on 6.6.2014. It would be nice if the maintainer take it over to the
official openldap tarball within contrib/slapd-modules/mr_passthru/ so
future needs are "officially" covered. I think the
LDAP_MATCHING_RULE_IN_CHAIN filters will find their use for many other
Markus: I can help you for the implementation if needed. Feel free to
provide for more functionality.
On 23.10.14 08:17, Markus.Storm@t-systems.com wrote:
> Hi Howard,
> have you had a chance to look into this?
> We're a bit desperate over here, short of alternative solutions.
> Regards
> Markus
>> -----Original Message-----
>> From: Storm, Markus
>> Sent: Thursday, September 18, 2014 8:44 AM
>> To: 'Howard Chu'; openldap-technical@openldap.org
>> Subject: AW: allow to pass on "undefined" filters in meta
>>> -----Ursprüngliche Nachricht-----
>>> Von: Howard Chu [mailto:hyc@symas.com]
>>> Gesendet: Mittwoch, 17. September 2014 18:17
>>> An: Storm, Markus; openldap-technical@openldap.org
>>> Betreff: Re: allow to pass on "undefined" filters in meta
>>> Markus.Storm@t-systems.com wrote:
>>>> Hi
>>>> I've run into a problem trying to deploy back-meta in front of an
>>>> Active Directory target.
>>> What is the exact filter you are trying to use?
>> a filter such as
>> (&(objectclass=user)
>> (|(memberOf:1.2.840.113556.1.4.1941:=CN=GRP_AAA_ADM,OU=Groups,OU=AAA,OU=Se
>> rvers,DC=lab,DC=net)
>> (memberOf:1.2.840.113556.1.4.1941:=CN=GRP_BBB_ADM,OU=Groups,OU=AAA,OU=Serv
>> ers,DC=lab,DC=net)))
>> The problem is with the matching rule to be used :1.2.840.113556.1.4.1941:
>> That translates into LDAP_MATCHING_RULE_IN_CHAIN which makes the server
>> recursively check for nested group membership. That's a feature in AD but
>> not supported in OpenLDAP (or at least not by simply specifying that matching
>> rule, and to rework the query is no option).
>>>> I believe that to resolve it, I need to get a new option implemented.
>>>> I need to issue a request through a back-meta proxy . That query
>>>> happens to contain a matching rule which is not implemented in
>>>> OpenLDAP so slapd does not know to evaluate the query. The target
>>> that
>>>> the query will ultimately be passed on to (an Active Directory) does
>>> know to process the query, though.
>>>> OpenLDAP, however, considers the filter to be "undefined" and thus
>>>> on relaying the request to the AD target, back-meta replaces a
>>>> portion
>>> of
>>>> the original query with a "(?=undefined)" filter as documented in
>>> e.g.
>>>> slapd-meta manpage "noundeffilter" option.
>>>> But I need the original query to be passed on. It's in fact a
>>>> _valid_ LDAP request, just OpenLDAP happens to be unable to parse it.
>>>> But at least in my setup,  slapd does not have to do _/anything/_
>>>> about the query other than to pass it on, so I find it inacceptable
>>>> that it replaces the query just because it doesn't understand it.
>>>> Please, can you add an option switch to the code to allow for
>>>> passing on original queries *without* replacing undefined portions ?
>>>> I have not found any other solution to my problem. I tried to make
>>>> OpenLDAP aware of the undefined portion by adding the matching rule
>>> to
>>>> the schema but I failed. Seems that would need to be planted into
>>>> the code, and not being a programmer, that's not as easy as it is
>>>> with expanding the schema by some new attributes.
>>>> Also, while of course any parser/feature enhancement will always be
>>>> appreciated,  I would think that to implement the matching rule is
>>> not
>>>> the best way of fixing things: I believe there will always be
>>>> situations where OpenLDAP cannot parse the input while another LDAP
>>> server can.
>>>> For a proof of concept, I hacked servers/slapd/back-meta/map.c
>>> (around
>>>> line 581as of 2.4.39) and  but  - again, I'm not a programmer - I
>>> feel
>>>> incapable of turning this into a full-blown patch free of side
>>>> effects, also I want the modification to become available to anyone.
>>>> So I'm hoping for you to implement the switch mentioned above, maybe
>>>> as a third possible setting for the "noundeffilter" option.
>>>> Thanks a lot in advance,
>>>> best regards
>>>> Markus Storm