
Re: back_meta does not like my LDAP_MATCHING_RULE_IN_CHAIN filter



Charles Bueche wrote:
On the other side, what do you mean with "define a module that registers
a dummy matching rule with that OID" ?
Is this a module like back_meta, rwn and friends ? Do you have any
pointer like a dummy module to show where to begin ?

As you see, I'm pretty much at the beginning of the learning curve and I
am very happy to get your help.

Regards,
Charles

OK, it did cost me a lot of brain power, but I do have a workaround. I
mention it here because I'm quite sure someone else will hit the same
problem one day.

1. the recursive search filter passed to the proxy should use a filter
supported by the proxy, e.g.

filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'

2. the proxy grasps it, accepts it, and passes it to the rewrite module

3. use a rewrite rule to massage the filter:

rewriteRule
     "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
     "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
     ":"

back_meta then passes the rewritten filter to the back-end AD.

Nice work.

To the developers: as mentioned by Pierangelo above, it should be
possible to disable the filter sanity check when it is passed to an LDAP
back-end. If the filter is insane, the back-end will complain soon enough.

That will never be done. The docs clearly state that when operating as a proxy, slapd must have schema definitions for anything passing through it. Many sites use OpenLDAP as a frontend proxy specifically because these sanity checks protect their backend servers (that are from other vendors and more fragile).

Pierangelo already gave the right answer here - write a piece of C code that registers OIDs for the matching rules you want and load it as a dynamic module. There are many modules in contrib/slapd-modules in the source tree.

Thanks for writing this great software !
Charles




--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
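As an added illustration (not code from the post, from OpenLDAP, or from slapd's rewrite engine), the following Python models the three steps of Charles's workaround and the point Howard makes about schema checks: the regex rewrite from the post's rewriteRule, parsing of the resulting RFC 4515 extensible-match filter, and a stand-in for the proxy's matching-rule sanity check, which only lets the filter through once the OID is "registered". The OID and DN suffixes are taken from the post; the rule table, the helper names and the sample filter are constructed for the example.

```python
import re

# OID of LDAP_MATCHING_RULE_IN_CHAIN, as it appears in the post's rewriteRule.
MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"

# Model of the post's rewriteRule. slapd's rewrite engine takes a POSIX regex
# and substitutes %1..%9 with the captured groups; the same rule written for
# Python's re module uses \1. The DN suffixes are those of the post.
RULE_PATTERN = re.compile(
    r"RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
)
RULE_TEMPLATE = (
    r"memberOf:" + MATCHING_RULE_IN_CHAIN + r":=cn=\1,dc=ad,dc=stuff,dc=ch"
)


def rewrite_filter(filter_str: str) -> str:
    """Apply the rule to a whole filter string (parentheses included).

    A filter the pattern does not match is returned unchanged. Note that the
    Python regex is case-sensitive as compiled here, so "DC=extra" would not
    be rewritten; slapd's own case handling depends on the rule's flags."""
    return RULE_PATTERN.sub(RULE_TEMPLATE, filter_str, count=1)


# RFC 4515 extensible-match item: attr[:dn][:matchingrule]:=value, where the
# matching rule is either a descriptor or a numeric OID.
_EXTENSIBLE = re.compile(
    r"^\("
    r"(?P<attr>[A-Za-z][A-Za-z0-9-]*)?"
    r"(?P<dn>:dn)?"
    r"(?::(?P<rule>[A-Za-z][A-Za-z0-9-]*|\d+(?:\.\d+)+))?"
    r":=(?P<value>[^)]*)\)$"
)


def parse_extensible(filter_str: str):
    """Split one extensible-match filter into its parts.

    Returns None when the string is not a single extensible-match item
    (equality, presence and compound filters are out of scope here)."""
    m = _EXTENSIBLE.match(filter_str)
    if not m:
        return None
    return {
        "attr": m.group("attr"),
        "dn_attrs": m.group("dn") is not None,
        "rule": m.group("rule"),
        "value": m.group("value"),
    }


# Constructed stand-in for the proxy's matching-rule schema. Real slapd has a
# built-in table of rules plus whatever loaded modules register; this set is
# deliberately tiny and exists only to make the check visible.
BUILTIN_RULES = {
    "2.5.13.0", "objectIdentifierMatch",
    "2.5.13.1", "distinguishedNameMatch",
    "2.5.13.2", "caseIgnoreMatch",
}


def matching_rule_check(filter_str: str, known_rules=BUILTIN_RULES):
    """Stand-in for the proxy's sanity check on an extensible filter's
    matching rule. Returns (True, None) or (False, reason)."""
    parsed = parse_extensible(filter_str)
    if parsed is None:
        return False, "not a single extensible-match filter"
    rule = parsed["rule"]
    if rule is None:
        # No explicit rule: the attribute type's own equality rule applies,
        # which a real schema check resolves from the attribute instead.
        return True, None
    if rule not in known_rules:
        return False, "unknown matching rule " + rule
    return True, None


def register_rule(known_rules, oid: str):
    """Model of the suggested fix: a module that makes the OID known to the
    proxy, after which filters using it pass the check."""
    return set(known_rules) | {oid}


if __name__ == "__main__":
    # Constructed client filter in the form of step 1 of the post, with the
    # DN in lower case so the case-sensitive pattern above matches it.
    client = "(RecursiveMemberOf=cn=ls-msp-app2,ou=App,dc=extra,dc=proxy,dc=stuff,dc=ch)"
    out = rewrite_filter(client)
    print(out)
    print(matching_rule_check(out))
    print(matching_rule_check(out, register_rule(BUILTIN_RULES, MATCHING_RULE_IN_CHAIN)))
```

The greedy `(.*)` keeps every RDN between `cn=` and the proxy suffix, so an intermediate `ou=` survives into the value sent to AD; tighten the capture if only the leaf RDN should be carried across. When porting the pattern back into slapd, check the rule flags in slapo-rwm(5) for how case is matched, since the post's filter and its rule spell the `dc=` components with different case.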