Full_Name: Ihar Harbuz
Version: 2.4.44
OS: RHEL 7.6
URL: http://ftp.openldap.org/incoming/
Submission from: (NULL) (128.140.241.193)
Good day. I have the following configuration:

#########################################################################
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/duaconf.schema
include /etc/openldap/schema/dyngroup.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

modulepath /usr/lib64/openldap
moduleload back_ldap.la
moduleload back_meta.la
moduleload dynlist.la
moduleload memberof.la
moduleload deref.la

overlay dynlist
dynlist-attrset posixGroup labeledURI

database meta
suffix "dc=main,dc=company,dc=by"
uri "ldap://dc1-cont.main.company.by/dc=main,dc=company,dc=by" "ldap://dc2-cont.main.company.by/"
idassert-bind bindmethod=simple
    binddn="CN=ldapproxy,OU=ServiceAccounts,DC=MAIN,DC=company,DC=BY"
    credentials="XXXXXXXXXXXXXXX"
    mode=none
idassert-authzFrom *
rebind-as-user yes
subordinate

rewriteEngine on
rewriteContext searchFilter
rewriteRule "RecursiveMemberOf=(.*),dc=by" "memberOf:1.2.840.113556.1.4.1941:=%1,dc=by" ":"

database meta
suffix "dc=external,dc=company,dc=by"
uri "ldap://edc1-cont.main.company.by/dc=external,dc=company,dc=by" "ldap://edc2-cont.main.company.by/"
idassert-bind bindmethod=simple
    binddn="CN=ldapproxy,DC=external,DC=company,DC=by"
    credentials="XXXXXXXXXXXXXXXXXXXX"
    mode=none
idassert-authzFrom *
rebind-as-user yes
subordinate

rewriteEngine on
rewriteContext searchFilter
rewriteRule "RecursiveMemberOf=(.*),dc=by" "memberOf:1.2.840.113556.1.4.1941:=%1,dc=by" ":"

database hdb
suffix "dc=company,dc=by"
directory /var/lib/ldap
rootdn cn=ldapadm,dc=company,dc=by
rootpw "XXXXXXXXXX"
index objectClass eq,pres
index ou,cn,mail,surname,givenname eq,pres,sub

database monitor
#####################################################################################
Any ldapsearch command works fine if the request doesn't hit dynlist. If the request hits dynlist, it outputs the information and then hangs.

slapd -d -1 writes:
ber_flush2: 1441 bytes to sd 15
0000: 30 82 05 9d 02 01 02 64 82 05 96 04 4c 63 6e 3d  0......d....Lcn=
0010: 53 47 5f 4f 53 5f 53 4f 4c 41 52 49 53 2c 6f 75  SG_OS_SOLARIS,ou
0020: 3d 53 65 63 75 72 69 74 79 20 47 72 6f 75 70 73  =Security Groups
.................
ldap_write: want=1441, written=1441
0000: 30 82 05 9d 02 01 02 64 82 05 96 04 4c 63 6e 3d  0......d....Lcn=
0010: 53 47 5f 4f 53 5f 53 4f 4c 41 52 49 53 2c 6f 75  SG_OS_SOLARIS,ou
0020: 3d 53 65 63 75 72 69 74 79 20 47 72 6f 75 70 73  =Security Groups
.................
5ccac7d7 <= send_search_entry: conn 1000 exit.
ldap_msgfree
And then waits until I interrupt the request on the client. After that:

5ccac856 daemon: activity on 1 descriptor
5ccac856 daemon: activity on: 15r
5ccac856 daemon: read active on 15
5ccac856 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ccac856 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ccac856 connection_get(15)
5ccac856 connection_get(15): got connid=1000
5ccac856 connection_read(15): checking for input on id=1000
ber_get_next
ldap_read: want=8, got=0
5ccac856 ber_get_next on fd 15 failed errno=0 (Success)
5ccac856 connection_read(15): input error=-2 id=1000, closing.
5ccac856 connection_closing: readying conn=1000 sd=15 for close
5ccac856 connection_close: deferring conn=1000 sd=15
5ccac856 daemon: activity on 1 descriptor
5ccac856 daemon: activity on:
5ccac856 daemon: epoll: listen=7 active_threads=0 tvp=NULL
5ccac856 daemon: epoll: listen=8 active_threads=0 tvp=NULL
5ccac856 connection_resched: attempting closing conn=1000 sd=15
5ccac856 connection_close: conn=1000 sd=15
5ccac856 =>meta_back_conn_destroy: fetching conn=1000 DN="cn=solaris,dc=company,dc=by"
5ccac856 =>meta_back_conn_destroy: destroying conn 1000 refcnt=0 flags=0x00000100
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 18
0000: 30 05 02 01 04 42 00  0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00  0....B.
ldap_free_connection: actually freed
ldap_msgfree
ldap_free_connection 1 1
ldap_send_unbind
ber_flush2: 7 bytes to sd 17
0000: 30 05 02 01 04 42 00  0....B.
ldap_write: want=7, written=7
0000: 30 05 02 01 04 42 00  0....B.
ldap_free_connection: actually freed
ldap_msgfree
5ccac856 =>meta_back_conn_destroy: fetching conn=1000 DN="cn=solaris,dc=company,dc=by"
5ccac856 daemon: removing 15
5ccac856 conn=1000 fd=15 closed (connection lost)
On the client side it looks like this:

ldapsearch -b .... ...
USERPRINCIPALNAME: test1@MAIN.COMPANY.BY
USERPRINCIPALNAME: test2@MAIN.COMPANY.BY
^C
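The ber_flush2 hex rows in a -d -1 trace can be decoded to see exactly which LDAP messages left each socket, which is how one confirms the symptom above: a SearchResultEntry went to the client and the only later writes are UnbindRequests to the back-meta targets, with no SearchResultDone in between. The decoder below is an added example, not part of this report or of OpenLDAP; the dump text is copied from the report, the tag and length rules are from RFC 4511 / X.690, and the function names are mine.

```python
import re

# Protocol-op tags from RFC 4511 (APPLICATION class) that appear in this kind of trace
LDAP_OPS = {0x42: "UnbindRequest", 0x63: "SearchRequest", 0x64: "SearchResultEntry",
            0x65: "SearchResultDone", 0x73: "SearchResultReference"}
HEX_PAIR = re.compile(r"^[0-9a-f]{2}$")

# Constructed input: the three dump rows of the 1441-byte write and the 7-byte unbind from the report
ENTRY_DUMP = """\
0000: 30 82 05 9d 02 01 02 64 82 05 96 04 4c 63 6e 3d  0......d....Lcn=
0010: 53 47 5f 4f 53 5f 53 4f 4c 41 52 49 53 2c 6f 75  SG_OS_SOLARIS,ou
0020: 3d 53 65 63 75 72 69 74 79 20 47 72 6f 75 70 73  =Security Groups
"""
UNBIND_DUMP = "0000: 30 05 02 01 04 42 00  0....B.\n"

def hexdump_to_bytes(dump):
    """Collect the hex columns of slapd's ber dump rows, skipping the ASCII gutter."""
    out = bytearray()
    for line in dump.splitlines():
        for tok in line.split(":", 1)[-1].split()[:16]:
            if not HEX_PAIR.match(tok):
                break
            out.append(int(tok, 16))
    return bytes(out)

def ber_tlv(buf, pos=0):
    """(tag, length, value offset) of the TLV at buf[pos]; handles short and long-form lengths."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        return tag, first, pos + 2
    n = first & 0x7F  # long form: n length bytes follow
    return tag, int.from_bytes(buf[pos + 2:pos + 2 + n], "big"), pos + 2 + n

def decode_ldap_message(buf):
    """Decode the LDAPMessage envelope; a dump truncated after the header still decodes."""
    tag, length, off = ber_tlv(buf)
    if tag != 0x30:
        raise ValueError("LDAPMessage must start with SEQUENCE (0x30)")
    _, idlen, idoff = ber_tlv(buf, off)
    optag, _, opoff = ber_tlv(buf, idoff + idlen)
    msg = {"message_id": int.from_bytes(buf[idoff:idoff + idlen], "big"),
           "op": LDAP_OPS.get(optag, hex(optag)),
           "total_len": off + length, "truncated": len(buf) < off + length}
    if optag == 0x64:  # SearchResultEntry: first field is the entry DN
        _, dnlen, dnoff = ber_tlv(buf, opoff)
        msg["dn"] = buf[dnoff:dnoff + dnlen].decode("utf-8", "replace")
    return msg

def unfinished_searches(msgs):
    """Message IDs that produced entries but never a SearchResultDone: the hang symptom."""
    entries = {m["message_id"] for m in msgs if m["op"] == "SearchResultEntry"}
    return entries - {m["message_id"] for m in msgs if m["op"] == "SearchResultDone"}
```

For the report's dumps this yields a SearchResultEntry for message ID 2 whose BER length matches the 1441 bytes slapd wrote, and UnbindRequests for message ID 4 on the two backend sockets.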