Hi!
How does OpenLDAP behave when it encounters a search filter with an unknown objectClass? From what I've been able to gather, it translates the search filter into (?objectClass=value), thus yielding the rest of the search invalid. What can I do about this? Either just pass the search as it is, or remove it altogether?
The reason I'm asking about this is that I'm setting up OpenLDAP as a proxy for Active Directory. After months of researching I've discovered that the problem lies exactly here - OpenLDAP alters the search filter for object classes it knows nothing about.
Example:
(|
  (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=accessGroup) (member=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=univentionGroup) (uniqueMember=cn=username,ou=test,dc=example,dc=com) )
)
Yields no entries. I've looked at the syslog (loglevel = 256) and I see that the last two clauses have been "translated" into "?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I then remove the last two clauses, like so...
(|
  (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) )
  (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) )
)
... then I get the entries I want back. Problem here is that I'm unable to alter the search filter, since this is generated by a 3rd-party app that I can't change, so I need to fix my OpenLDAP to let this stuff pass through.
Any idea?
- Marius
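
Added example, not part of the original post and not OpenLDAP code: a small filter parser that lists the objectClass values a proxy would not recognise and renders the filter the way the post says it appears in the syslog, with `(?objectClass=value)` in place of each unknown class. The `KNOWN` set is an assumption standing in for the object classes the proxy's schema defines, and the parser handles only the simple items used in the post's filter.

```python
# Assumption: object classes defined in the proxy's loaded schema (constructed set).
KNOWN = {"group", "groupofnames", "groupofuniquenames"}

def _skip(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i

def parse(s, i=0):
    """Parse one parenthesised filter at s[i:]; return (node, next index)."""
    i = _skip(s, i)
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i = _skip(s, i + 1)
    if s[i:i + 1] in ("&", "|", "!"):
        op, kids = s[i], []
        i = _skip(s, i + 1)
        while s[i:i + 1] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
            i = _skip(s, i)
        node = (op, kids)
    else:
        j = s.index(")", i)  # leaf item such as attr=value
        attr, _, value = s[i:j].partition("=")
        node = ("item", attr.strip(), value.strip())
        i = j
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def is_unknown(node, known=KNOWN):
    return (node[0] == "item" and node[1].lower() == "objectclass"
            and node[2] != "*" and node[2].lower() not in known)

def unknown_classes(node, known=KNOWN):
    """Object class values in the filter that are missing from `known`."""
    if node[0] == "item":
        return [node[2]] if is_unknown(node, known) else []
    return [c for kid in node[1] for c in unknown_classes(kid, known)]

def as_logged(node, known=KNOWN):
    """Render the filter with unknown classes shown as (?objectClass=value)."""
    if node[0] == "item":
        mark = "?" if is_unknown(node, known) else ""
        return f"({mark}{node[1]}={node[2]})"
    return f"({node[0]}{''.join(as_logged(k, known) for k in node[1])})"

# Constructed sample, shortened from the filter in the post.
SAMPLE = ("(| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) )"
          " (& (objectClass=accessGroup) (member=cn=username,ou=test,dc=example,dc=com) ) )")
```

Calling `unknown_classes(parse(SAMPLE)[0])` returns the classes that would need attention, and `as_logged(parse(SAMPLE)[0])` gives the rewritten filter string to compare against the syslog line.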