[Date Prev][Date Next] [Chronological] [Thread] [Top]

using the deref control

Hi list,

First off, best wishes for 2014.

I've been looking into the deref control that was pointed out here (in
the Oracle OpenLDAP PPolicy ppolicy and the hierarchy thread).

With some trail and error I got things working so I thought to document
what I did in the hopes that it may be useful for other people wanting
to use this control.

First of all, get a slapd instance running with the deref overlay. With
older versions (at least 2.4.31) it was sufficient to load the module to
have the relevant control being shown in the root DSE. However, due to
ITS#7436 this didn't actually do anything.

With later slapd versions (at least 2.4.38) loading the overlay
apparently isn't sufficient but you have to also configure it for each

dn: olcOverlay={1}deref,olcDatabase={1}bdb,cn=config
objectClass: olcOverlayConfig
olcOverlay: {1}deref

In terms of using the API you have to first create a control with
ldap_create_deref_control() and pass it along with ldap_search_ext().
After the call to search, free the control again with

The control is built up of an array of LDAPDerefSpec structs that
contains the attribute name that contains the link and a list of
attributes to retrieve from the linked entry (just like you would pass
to ldap_search()).

A bump in the road here was that ldap_create_deref_control() was broken
(reported earlier and already fixed in Git) but
ldap_create_deref_control_value() seems to work.

Any response entries will have a control available that can be extracted
with ldap_get_entry_controls() and parsed with
ldap_parse_derefresponse_control() (and freed with

The returned control data is a linked list of LDAPDerefRes structs, one
per link attribute value. Each struct contains the attribute name, the
original value and a linked list of LDAPDerefVal structs. The DerefVal
structs contain per requested attribute from the linked entry (if the
entry has the attribute) the attribute name and a list of values.

This has been implemented in the development branch of nss-pam-ldapd and
will probably land in the next 0.9 release.
- adding the request control:
- parsing the response control information:
- complete functionality (merge commit):

Hope this is helpful for someone.

-- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --

Attachment: signature.asc
Description: This is a digitally signed message part