On 05/11/2014 10:39, Howard Chu wrote:
Nicolas RENAULT wrote:
Hello,
I already posted some questions about this but without success, perhaps because I made a mistake and replied in another question thread. So I am restarting here.
This is a testing env, so I can make all that I want.
OpenLDAP 2.4.40 built on openSUSE 13.1. I am trying to make an LDAP proxy, using meta to relay information from one AD, one EDir and one OpenLDAP (just using OpenLDAP for now).
I created a database to get locally the root "dc=example,dc=fr" and the first-level OUs "ou=TOUT,dc=example,dc=fr" and "ou=TEST,dc=example,dc=fr". I bind the OpenLDAP on "ou=LDAP,ou=TOUT,dc=example,dc=fr". I added users in the local OU "TEST".
Simple requests are working without problem (on "TEST" and on "TOUT").
I activated sssvlv in slapd.conf (because of meta)
back-meta supports dynamic config, this is not a reason to use slapd.conf.
globally (i.e. before the statement for the meta database)
overlay sssvlv
just this line.
When I try this search:
ldapsearch -E 'sss=displayName' -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=TEST,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
I got the user list sorted by display name (they are local users).
When I try this:
ldapsearch -E 'sss=displayName' -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=LDAP,ou=TOUT,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
I got this:
# extended LDIF
#
# LDAPv3
# base <ou=LDAP,ou=TOUT,dc=example,dc=fr> with scope subtree
# filter: (&(objectClass=user)(displayName=ag*))
# requesting: displayName
# with server side sorting control
#

# search result
search: 2
result: 0 Success
control: 1.2.840.113556.1.4.474 false MAMKAQA=
sortResult: (0) Success

# numResponses: 1
I understand that the request has been successful, but without any results?
Any idea?
I'm thinking of a problem with:
- bad place for "overlay sssvlv" in slapd.conf (actually it is placed just after the moduleload section and just before the ACL statements)
Then test with the overlay moved somewhere else.
Tried a lot of places with no luck.
- problem with remap attribute when asking the distant LDAP
Then test without remapping.
Test with this slapd.conf:
include /etc/openldap/schema/contrib/MySchema.schema
defaultsearchbase dc=example,dc=fr
pidfile /usr/local/var/openldap-run/slapd.pid
argsfile /usr/local/var/openldap-run/slapd.args
loglevel 256
access to *
    by self write
    by * read
# The rootdn is not subject to any limits.
limits * size=10000
sizelimit 40000
###################
# Open LDAP #
###################
database meta
suffix "dc=example,dc=fr"
rootdn "cn=Manager,dc=example,dc=fr"
rootpw "123"
network-timeout 5
timeout 10
bind-timeout 100000
sizelimit 40000
overlay sssvlv
uri "ldaps://<IP>:636/dc=example,dc=fr"
lastmod off
idassert-bind bindmethod=simple binddn="cn=adm,dc=example,dc=fr" credentials="xxxxxxxx" mode=none
idassert-authzFrom "dn.regex:.*"
------------------------------------------------------------
ldapsearch -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -w 123 -b "dc=example,dc=fr" "(&(objectClass=*)(cn=test*))" displayName
Without sort: OK, I see 4 users.
ldapsearch -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -w 123 -b "dc=example,dc=fr" -E "sss=displayName" "(&(objectClass=*)(cn=test*))" displayName
I just get the success output.
Just a question: I started in debug mode (-d 255) and saw that if I request all objects from the distant database, they are printed to the standard output immediately (directly?) when they are received by the proxy. So after that I did my ldapsearch with sorting again (in debug mode); I see that the server gets the 4 answers from the distant LDAP, but I think that they have to be stored somewhere to be sorted after the end of the distant requests. I can see nothing happening after reception. Could some part of the debug messages be helpful?
- overlay sssvlv not working with meta ?
Then test without sssvlv.
As you can see above in the slapd.conf I provided, if I remove the "overlay sssvlv" line, it works (but without any server-side sorting).
But I need some clues to find where the problem is.
Regards
-- Nicolas
I can do more tests if you want.
Regards
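
Added example (not part of the original message, and not OpenLDAP code): a small Python decoder for the sort response control value shown in the search result above. It shows that the proxy returned an RFC 2891 SortResult of success with no attributeType, even though no entries came back. The function names read_tlv and decode_sort_response are this example's own.

```python
import base64

SORT_RESPONSE_OID = "1.2.840.113556.1.4.474"  # RFC 2891 sort response control
# sortResult values from the SortResult definition in RFC 2891
SORT_RESULT = {
    0: "success", 1: "operationsError", 3: "timeLimitExceeded",
    8: "strongAuthRequired", 11: "adminLimitExceeded", 16: "noSuchAttribute",
    18: "inappropriateMatching", 50: "insufficientAccessRights", 51: "busy",
    53: "unwillingToPerform", 80: "other",
}

def read_tlv(buf, pos):
    """Read one BER element (definite length); return (tag, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated BER header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("unsupported or truncated BER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("BER value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_sort_response(line):
    """Decode an ldapsearch 'control: <oid> <criticality> <base64>' line."""
    fields = line.split()
    if len(fields) != 4 or fields[:2] != ["control:", SORT_RESPONSE_OID]:
        raise ValueError("not a sort response control line")
    raw = base64.b64decode(fields[3], validate=True)
    tag, body, end = read_tlv(raw, 0)
    if tag != 0x30 or end != len(raw):
        raise ValueError("expected a single SEQUENCE")
    tag, value, pos = read_tlv(body, 0)
    if tag != 0x0A or not value:
        raise ValueError("expected ENUMERATED sortResult")
    code = int.from_bytes(value, "big")
    attr = None
    if pos < len(body):  # optional attributeType [0], sent when sorting failed
        tag, value, pos = read_tlv(body, pos)
        if tag != 0x80:
            raise ValueError("expected [0] attributeType")
        attr = value.decode("utf-8")
    return {"critical": fields[2] == "true", "code": code,
            "result": SORT_RESULT.get(code, "unknown"), "attribute": attr}
```

Calling decode_sort_response on the line "control: 1.2.840.113556.1.4.474 false MAMKAQA=" from the output above returns code 0 ("success") with attribute None.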