Hi,
I'm a bit in a dead end.
Scenario: Active Directory & openldap (2.4.33) proxy. Paged search
through the proxy is not working.
I'm not sure about this OID "1.2.840.113556.1.4.1339". OpenLdap ldap.h
tells that this oid is LDAP_CONTROL_X_DOMAIN_SCOPE. According to
O'Reilly AD cookbook: "No referrals generated" with longer description
"Informs the server not to generate any referrals in a search
response".
May this be the reason for paged search to fail?
The same query runs without any problems directly within the Active Directory
domain controllers.
As I read from Google, it should be possible to make paged search
work, but I can't figure out how.
eimar@box: /tmp > ldapsearch -LLL -H ldaps://olp-test.example.ee -P 3
-E pr=500/noprompt -D "CN=ldap-auth,CN=Users,DC=example,DC=ee" -W -b
"ou=workers,dc=example,dc=ee" "(objectClass=person)" samaccountname -s
sub > results.txt
Enter LDAP Password:
Size limit exceeded (4)
eimar@box: /tmp > grep dn\: results.txt | wc -l
1000
which is the default search limit in AD.
Openldap proxy log:
Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=0 matched="" text=""
Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
Feb 20 12:45:27 olp-test slapd[1788]: SRCH "ou=workers,dc=example,dc=ee" 2 0
Feb 20 12:45:27 olp-test slapd[1788]: 0 0 0
Feb 20 12:45:27 olp-test slapd[1788]: filter: (objectClass=person)
Feb 20 12:45:27 olp-test slapd[1788]: attrs:
Feb 20 12:45:27 olp-test slapd[1788]: samaccountname
Feb 20 12:45:27 olp-test slapd[1788]: 1.1
Feb 20 12:45:27 olp-test slapd[1788]: sub
Feb 20 12:45:27 olp-test slapd[1788]:
Feb 20 12:45:27 olp-test slapd[1788]: conn=1007 op=1: non-critical
control "1.2.840.113556.1.4.1339" not supported; stripped.
Feb 20 12:45:27 olp-test slapd[1788]: => ldap_back_munge_filter
"(objectClass=person)"
Feb 20 12:45:27 olp-test slapd[1788]: <= ldap_back_munge_filter
"(objectClass=person)" (0)
Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=4 matched="" text=""
Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
And here is my slapd.conf:
olp-test /usr/local/etc/openldap # cat slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
sizelimit unlimited
#limits * size.pr=unlimited size.prtotal=unlimited
modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_ldap
loglevel 4
TLSCipherSuite ALL:!ADH:@STRENGTH
TLSCACertificateFile /usr/local/etc/openldap/certs/cert.crt
TLSCertificateFile /usr/local/etc/openldap/certs/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/cert.pem
TLSVerifyClient try
database ldap
suffix "dc=example,dc=ee"
rootdn "dc=example,dc=ee"
uri "ldaps://dc1.example.ee:636/"
idassert-bind bindmethod=simple
        binddn="CN=LDAP-Auth,CN=Users,DC=example,DC=ee"
        credentials="somepw"
        mode=anonymous
        flags=override
idassert-authzFrom "dn.regex:.*"
overlay pcache
readonly on
proxycache bdb 3500 1 50 1200
directory /var/db/openldap-data
index cn,sn,uid eq,sub
index objectclass eq
proxycachequeries 400
proxyattrset 0 uid mail cn sn givenName
proxytemplate (uid=) 0 600
proxytemplate (mail=) 0 600
proxytemplate (&(uid=)(mail=)) 0 600
Regards
--
Eimar Koort
( eimar.koort(a)gmail.com )
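Added worked example (editor's addition, not code from the post above or from the OpenLDAP project): a stdlib-only Python model of the RFC 2696 simple paged results control that "ldapsearch -E pr=500/noprompt" asks for. It encodes and decodes the control value (SEQUENCE { size INTEGER, cookie OCTET STRING }), then runs the client-side paging loop against a toy directory with an AD-like 1000-entry limit, once with a proxy that forwards the control and once with a proxy that drops every control it does not support. The OID constants are the real ones; the ToyDirectory, proxy_forward and paged_search names, the cookie format and the 2500 constructed entries are assumptions made for this illustration only, and nothing here talks to a real server.

```python
# Added example (not from the original mailing-list post). Models the RFC 2696
# simple paged results control end to end: BER value encoding, a toy server
# that pages only when the control arrives, a toy proxy that may strip it,
# and the ldapsearch-style client loop. All data below is constructed.

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"   # RFC 2696 pagedResultsControl
DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"   # LDAP_CONTROL_X_DOMAIN_SCOPE (AD)
SIZE_LIMIT_EXCEEDED = 4                        # LDAP resultCode sizeLimitExceeded


def _ber_length(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_read_length(data: bytes, pos: int) -> tuple[int, int]:
    """Return (length, position just after the length octets)."""
    first = data[pos]
    if first < 0x80:
        return first, pos + 1
    count = first & 0x7F
    return int.from_bytes(data[pos + 1:pos + 1 + count], "big"), pos + 1 + count


def encode_paged_control_value(size: int, cookie: bytes = b"") -> bytes:
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    # Non-negative INTEGER in minimal two's complement: pad so the top bit is 0.
    size_body = size.to_bytes((size.bit_length() + 8) // 8, "big")
    integer = b"\x02" + _ber_length(len(size_body)) + size_body
    octets = b"\x04" + _ber_length(len(cookie)) + cookie
    inner = integer + octets
    return b"\x30" + _ber_length(len(inner)) + inner


def decode_paged_control_value(data: bytes) -> tuple[int, bytes]:
    """Inverse of encode_paged_control_value; ValueError on a malformed value."""
    if data[0] != 0x30:
        raise ValueError("expected SEQUENCE")
    _, pos = _ber_read_length(data, 1)
    if data[pos] != 0x02:
        raise ValueError("expected INTEGER size")
    ilen, pos = _ber_read_length(data, pos + 1)
    size = int.from_bytes(data[pos:pos + ilen], "big")
    pos += ilen
    if data[pos] != 0x04:
        raise ValueError("expected OCTET STRING cookie")
    clen, pos = _ber_read_length(data, pos + 1)
    return size, data[pos:pos + clen]


class ToyDirectory:
    """Constructed stand-in for a DC: pages when the control is present,
    otherwise stops at its server-side size limit (1000, like AD's default)."""

    def __init__(self, entries: list[str], size_limit: int = 1000):
        self.entries = entries
        self.size_limit = size_limit

    def search(self, controls: dict[str, bytes]) -> tuple[list[str], int, dict[str, bytes]]:
        if PAGED_RESULTS_OID not in controls:
            if len(self.entries) > self.size_limit:
                return self.entries[:self.size_limit], SIZE_LIMIT_EXCEEDED, {}
            return list(self.entries), 0, {}
        page_size, cookie = decode_paged_control_value(controls[PAGED_RESULTS_OID])
        offset = int.from_bytes(cookie, "big") if cookie else 0  # cookie is opaque to clients
        page = self.entries[offset:offset + page_size]
        nxt = offset + page_size
        next_cookie = nxt.to_bytes(4, "big") if nxt < len(self.entries) else b""
        return page, 0, {PAGED_RESULTS_OID: encode_paged_control_value(0, next_cookie)}


def proxy_forward(controls: dict[str, bytes], supported: set[str]) -> dict[str, bytes]:
    """Model of a proxy dropping non-critical controls it does not support
    (the "not supported; stripped" behaviour visible in the slapd log)."""
    return {oid: v for oid, v in controls.items() if oid in supported}


def paged_search(server: ToyDirectory, page_size: int, proxy_supported: set[str]) -> tuple[int, int]:
    """Client loop as ldapsearch -E pr=<n>/noprompt runs it.
    Returns (entries received, final resultCode)."""
    cookie = b""
    received = 0
    while True:
        wanted = {
            PAGED_RESULTS_OID: encode_paged_control_value(page_size, cookie),
            DOMAIN_SCOPE_OID: b"",  # no value; only its presence matters
        }
        entries, rc, resp = server.search(proxy_forward(wanted, proxy_supported))
        received += len(entries)
        if rc != 0 or PAGED_RESULTS_OID not in resp:
            return received, rc
        _, cookie = decode_paged_control_value(resp[PAGED_RESULTS_OID])
        if not cookie:  # empty cookie means the last page was delivered
            return received, 0


if __name__ == "__main__":
    dc = ToyDirectory([f"uid=worker{i}" for i in range(2500)])
    print(paged_search(dc, 500, {PAGED_RESULTS_OID, DOMAIN_SCOPE_OID}))
    print(paged_search(dc, 500, set()))
```

Running the block prints (2500, 0) for the forwarding proxy and (1000, 4) for the stripping one, which is the same shape as the result above: resultCode 4 with exactly the server's 1000-entry limit worth of entries. The practical check this suggests is to confirm in the proxy's log whether the paged results OID 1.2.840.113556.1.4.319 reaches the back-end intact, separately from the domain scope control, since only the former is needed for paging to continue.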