On 06/03/2014 04:23 PM, Charles Bueche wrote:
Hi,
I'm running the latest openldap stable 2.4.39 on Ubuntu. My openldap server is configured as a LDAP proxy to MS-AD using back-meta. It works nicely, as long as I don't use OID in filters.
Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN (http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to search recursive groups in MS-AD.
If I use that special filter directly against AD, I get my group list. filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
Or if I use a "normal" filter across my proxy, I get my group list as well. filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)'
BROKEN: If I use the special filter across my LDAP proxy's back-meta, I get no results and filter="(?=undefined)" in my debug log. filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
So my guess is that my filter syntax with OID is not accepted by back-meta.
When using -d -1, I see this:
... 538dd110 begin get_filter 538dd110 EXTENSIBLE ... 538dd110 end get_filter 0 538dd110 filter: (?=undefined) ...
I have looked at the code of openldap-2.4.39/servers/slapd/filter.c but I don't really see what's wrong.
Without looking at the code, I think OpenLDAP's slapd doesn't like filters with unknown OIDs, that's it. The request doesn't even get to back-meta.
On a side note, since the filter is supposed to be passed through to the remote server, slapd should not worry about it; however, AFAIK there's no way, so far, to disable such check. The easiest way is to define a module that registers a dummy matching rule with that OID, although it won't likely be that straightforward.
p.