[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unknown objectClass in search filter alters the filter?

To: "Marius Flage" <marius@flage.org>
Subject: Re: Unknown objectClass in search filter alters the filter?
From: masarati@aero.polimi.it
Date: Tue, 24 Aug 2010 16:35:01 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <4C73C73B.3090306@flage.org>
References: <4C73C73B.3090306@flage.org>
User-agent: SquirrelMail/1.4.15

> Hi!
>
> How does OpenLDAP behave when it encounters a search filter with an
> unknown objectClass? From what I've been able to gather, it translates
> the search filter into (?objectClass=value), thus yielding the rest of
> the search invalid. What can I do about this? Either just pass the
> search as it is, or remove it altogether?
>
> The reason I'm asking about this is that I'm setting up OpenLDAP as a
> proxy for Active Directory. After months of researching I've discovered
> that the problem lays exactly here - OpenLDAP alters the search filter
> for object classes it knows nothing about.
>
> Example:
>
> (|
>   (&
>     (objectClass=group)
>     (member=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=groupOfNames)
>     (member=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=groupOfUniqueNames)
>     (uniqueMember=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=accessGroup)
>     (member=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=univentionGroup)
>     (uniqueMember=cn=username,ou=test,dc=example,dc=com)
>   )
> )
>
> Yields no entries. I've looked at the syslog (loglevel = 256) and I see
> that the last two clauses have been "translated" into
> "?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I
> then remove the last two clauses, like so...
>
> (|
>   (&
>     (objectClass=group)
>     (member=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=groupOfNames)
>     (member=cn=username,ou=test,dc=example,dc=com)
>   )
>   (&
>     (objectClass=groupOfUniqueNames)
>     (uniqueMember=cn=username,ou=test,dc=example,dc=com)
>   )
> )
>
> ... then I get the entries I want back. Problem here is that I'm unable
> to alter the search filter, since this is generated by a 3rd-party app
> that I can't change, so I need to fix my OpenLDAP to let this stuff pass
> through.
>
> Any idea?

Define those objectclasses in slapd's schema, that's the wisest thing to
do.  I'd note that in recent releases the filter is passed thru as is even
when unknown.  Unfortunately, you don't state what version you're using.

p.

Follow-Ups:
- Re: Unknown objectClass in search filter alters the filter?
  - From: Marius Flage <marius@flage.org>

References:
- Unknown objectClass in search filter alters the filter?
  - From: Marius Flage <marius@flage.org>

Prev by Date: openldap-2.4.23 Segfault with Error number: 0xffffffffffffffff ()
Next by Date: Re: Unknown objectClass in search filter alters the filter?
Index(es):
- Chronological
- Thread