Hi,
I'm a bit in a dead end. Scenario: Active Directory & openldap (2.4.33) proxy. Paged search through the proxy is not working.
I'm not sure about this OID "1.2.840.113556.1.4.1339". OpenLDAP's ldap.h tells that this OID is LDAP_CONTROL_X_DOMAIN_SCOPE. According to the O'Reilly AD cookbook: "No referrals generated", with the longer description "Informs the server not to generate any referrals in a search response". May this be the reason for the paged search to fail? The same query runs without any problems directly within the Active Directory domain controllers. As I read from Google, it should be possible to make paged search work, but I can't figure out how.
eimar@box: /tmp > ldapsearch -LLL -H ldaps://olp-test.example.ee -P 3 -E pr=500/noprompt -D "CN=ldap-auth,CN=Users,DC=example,DC=ee" -W -b "ou=workers,dc=example,dc=ee" "(objectClass=person)" samaccountname -s sub > results.txt
Enter LDAP Password:
Size limit exceeded (4)

eimar@box: /tmp > grep dn: results.txt | wc -l
1000
which is the default search limit in AD.
Openldap proxy log:

Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=0 matched="" text=""
Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
Feb 20 12:45:27 olp-test slapd[1788]: SRCH "ou=workers,dc=example,dc=ee" 2 0
Feb 20 12:45:27 olp-test slapd[1788]: 0 0 0
Feb 20 12:45:27 olp-test slapd[1788]: filter: (objectClass=person)
Feb 20 12:45:27 olp-test slapd[1788]: attrs:
Feb 20 12:45:27 olp-test slapd[1788]: samaccountname
Feb 20 12:45:27 olp-test slapd[1788]: 1.1
Feb 20 12:45:27 olp-test slapd[1788]: sub
Feb 20 12:45:27 olp-test slapd[1788]:
Feb 20 12:45:27 olp-test slapd[1788]: conn=1007 op=1: non-critical control "1.2.840.113556.1.4.1339" not supported; stripped.
Feb 20 12:45:27 olp-test slapd[1788]: => ldap_back_munge_filter "(objectClass=person)"
Feb 20 12:45:27 olp-test slapd[1788]: <= ldap_back_munge_filter "(objectClass=person)" (0)
Feb 20 12:45:27 olp-test slapd[1788]: send_ldap_result: err=4 matched="" text=""
Feb 20 12:45:27 olp-test slapd[1788]: connection_get(10)
And here is my slapd.conf:

olp-test /usr/local/etc/openldap # cat slapd.conf
include /usr/local/etc/openldap/schema/core.schema
include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
include /usr/local/etc/openldap/schema/nis.schema

pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args

sizelimit unlimited
#limits * size.pr=unlimited size.prtotal=unlimited

modulepath /usr/local/libexec/openldap
moduleload back_bdb
moduleload back_ldap

loglevel 4

TLSCipherSuite ALL:!ADH:@STRENGTH
TLSCACertificateFile /usr/local/etc/openldap/certs/cert.crt
TLSCertificateFile /usr/local/etc/openldap/certs/cert.crt
TLSCertificateKeyFile /usr/local/etc/openldap/certs/cert.pem
TLSVerifyClient try

database ldap
suffix "dc=example,dc=ee"
rootdn "dc=example,dc=ee"
uri "ldaps://dc1.example.ee:636/"
idassert-bind bindmethod=simple binddn="CN=LDAP-Auth,CN=Users,DC=example,DC=ee" credentials="somepw" mode=anonymous flags=override
idassert-authzFrom "dn.regex:.*"

overlay pcache
readonly on
proxycache bdb 3500 1 50 1200
directory /var/db/openldap-data
index cn,sn,uid eq,sub
index objectclass eq
proxycachequeries 400
proxyattrset 0 uid mail cn sn givenName
proxytemplate (uid=) 0 600
proxytemplate (mail=) 0 600
proxytemplate (&(uid=)(mail=)) 0 600
Regards
--
Eimar Koort ( eimar.koort@gmail.com )
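As an added example (not part of the original post and not OpenLDAP's or Active Directory's own code), the following Python program shows what the paged search the post relies on actually exchanges: it encodes and decodes the pagedResultsControl value from RFC 2696 (OID 1.2.840.113556.1.4.319, SEQUENCE of a page size and an opaque cookie) and drives the client-side paging loop against a simulated server with a hard size limit of 1000 entries. When the paging control reaches the server the full result set comes back page by page; when the control is absent, the server returns only the first 1000 entries with result code 4 (sizeLimitExceeded), which is the symptom in the post. The control OIDs and the result code are the registered values; the entry list, the simulated server and the numeric cookie format are constructed for the demonstration (a real server's cookie is opaque to the client).

```python
"""RFC 2696 pagedResultsControl: BER encode/decode plus a simulated paging loop.

Added example; OIDs are the registered values, everything else is constructed."""

PAGED_RESULTS_OID = "1.2.840.113556.1.4.319"    # pagedResultsControl (RFC 2696)
DOMAIN_SCOPE_OID = "1.2.840.113556.1.4.1339"    # LDAP_CONTROL_X_DOMAIN_SCOPE (AD-specific)
SIZE_LIMIT_EXCEEDED = 4                          # LDAP resultCode sizeLimitExceeded


def _ber_length(n):
    """BER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _ber_integer(value):
    """Minimal two's-complement INTEGER; an extra leading zero keeps the sign bit clear."""
    if value < 0:
        raise ValueError("pageSize must be non-negative")
    body = value.to_bytes(value.bit_length() // 8 + 1, "big")
    return b"\x02" + _ber_length(len(body)) + body


def encode_paged_control(size, cookie=b""):
    """realSearchControlValue ::= SEQUENCE { size INTEGER, cookie OCTET STRING }"""
    body = _ber_integer(size) + b"\x04" + _ber_length(len(cookie)) + cookie
    return b"\x30" + _ber_length(len(body)) + body


def _read_tlv(buf, pos, tag):
    """Return (contents, next_pos) of the TLV at pos, checking tag and bounds."""
    if pos + 1 >= len(buf) or buf[pos] != tag:
        raise ValueError("unexpected tag or truncated TLV at offset %d" % pos)
    first, pos = buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nlen = first & 0x7F
        if nlen == 0 or nlen > 4 or pos + nlen > len(buf):
            raise ValueError("unsupported or truncated length encoding")
        length = int.from_bytes(buf[pos:pos + nlen], "big")
        pos += nlen
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated control value")
    return buf[pos:end], end


def decode_paged_control(value):
    """Inverse of encode_paged_control; rejects trailing, missing or negative data."""
    body, end = _read_tlv(value, 0, 0x30)
    if end != len(value):
        raise ValueError("trailing bytes after SEQUENCE")
    size_bytes, pos = _read_tlv(body, 0, 0x02)
    cookie, pos = _read_tlv(body, pos, 0x04)
    if pos != len(body):
        raise ValueError("extra elements in SEQUENCE")
    size = int.from_bytes(size_bytes, "big", signed=True)
    if size < 0:
        raise ValueError("negative pageSize")
    return size, cookie


def simulated_search(entries, size_limit, controls):
    """Constructed stand-in for a directory server with a hard sizelimit.

    `controls` maps OID -> BER value, exactly what a proxy forwarding the
    client's controls would hand on.  Returns (result_code, page, response_controls)."""
    if PAGED_RESULTS_OID not in controls:
        # No paging control present: at most size_limit entries, then err=4.
        page = entries[:size_limit]
        return (SIZE_LIMIT_EXCEEDED if len(entries) > size_limit else 0), page, {}
    page_size, cookie = decode_paged_control(controls[PAGED_RESULTS_OID])
    if page_size == 0:                       # RFC 2696: size 0 abandons the paged search
        return 0, [], {PAGED_RESULTS_OID: encode_paged_control(0, b"")}
    start = int.from_bytes(cookie, "big") if cookie else 0   # constructed cookie format
    end = start + min(page_size, size_limit)
    next_cookie = end.to_bytes(4, "big") if end < len(entries) else b""  # empty = done
    return 0, entries[start:end], {PAGED_RESULTS_OID: encode_paged_control(0, next_cookie)}


def paged_search(entries, size_limit, page_size, forward_paging=True):
    """RFC 2696 client loop: resend the search with the returned cookie until it is empty.

    forward_paging=False models the control never reaching the server."""
    collected, cookie = [], b""
    while True:
        controls = {PAGED_RESULTS_OID: encode_paged_control(page_size, cookie)} if forward_paging else {}
        code, page, resp = simulated_search(entries, size_limit, controls)
        collected.extend(page)
        if code != 0 or PAGED_RESULTS_OID not in resp:
            return code, collected
        _, cookie = decode_paged_control(resp[PAGED_RESULTS_OID])
        if not cookie:
            return 0, collected


if __name__ == "__main__":
    people = ["uid=user%04d" % i for i in range(2500)]   # constructed sample entries
    print(paged_search(people, 1000, 500)[0], len(paged_search(people, 1000, 500)[1]))
    print(paged_search(people, 1000, 500, forward_paging=False)[0],
          len(paged_search(people, 1000, 500, forward_paging=False)[1]))
```

The decoder is deliberately strict (tag, length and trailing-byte checks) because control values arrive from the network; the grep-and-count check in the post (1000 DNs) corresponds to the `forward_paging=False` branch, whereas a proxy that hands the control through and returns the server's cookie corresponds to the default branch.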