Correction: -w <passwd> or -w - instead of -W
On Thu, Oct 28, 2010 at 15:02, Benjamin Griese der.darude@gmail.com wrote:
Hello Günther,
sorry for my late reply, I hate sun cluster panics after patching those beasts. :(
Here is the content of solaris_profile:
dn: cn=solaris_profile,ou=profile,dc=example,dc=de
objectClass: DUAConfigProfile
objectClass: top
cn: solaris_profile
authenticationMethod: simple
bindTimeLimit: 10
credentialLevel: proxy
defaultSearchBase: dc=example,dc=de
defaultSearchScope: sub
defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured to mirrormode)
followReferrals: FALSE
profileTTL: 3600
searchTimeLimit: 30
serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub

Regarding the sorting I found this in man ldapsearch:
"-F sep
Use sep as the field separator between attribute names and values. If this option has been specified, the -L option is ignored.
-S [-]attribute
Specify an attribute for sorting the entries returned by the search. The sort criteria is alphabetical on the attribute's value or reverse alphabetical with the form -attribute. You can give multiple -S options to refine the sorting, For example:
-S sn -S givenname
By default, the entries are not sorted. Use the -x option to perform server-side sorting."
If I use -x for server side sorting, I get the complete list of uid-Objects, but not sorted in any obvious way:

# ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:16:49 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
version: 1

If I use this string I get the complete list of uid-objects sorted by uidNumber:

# ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:37:11 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
version: 1

If I try to search with -x and -S uidnumber I get the same message that appears in the OpenLDAP logfile:

# ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01 -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
ldapsearch: started Thu Oct 28 12:25:50 2010
ldap_init( exampleldap01, 389 )
filter pattern: (uid=*)
returning: ALL
filter is: (uid=*)
ldap_search: Inappropriate matching
ldap_search: additional info: serverSort control: No ordering rule
ldap_parse_sort_control: Requested LDAP control not found

Finally I still have no clue how to prevent the client from doing these kinds of searches. And I couldn't find any templates regarding the ldapclient on my test machine.
Any other clues or ideas?
Bye, Benjamin.
On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter dieter@dkluenter.de wrote:
Benjamin Griese der.darude@gmail.com writes:
Hey thanks for quick reply,
I put the config of the ldapclient on the ML some days ago, but I can't figure out how I may have set such a rule on client side. Probably it is something hardcoded.
ldapclient config:
NS_LDAP_FILE_VERSION= 2.0
NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
NS_LDAP_BINDPASSWD= secret
NS_LDAP_SERVERS= ldap01
NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
NS_LDAP_AUTH= simple
NS_LDAP_SEARCH_REF= FALSE
NS_LDAP_SEARCH_SCOPE= sub
NS_LDAP_SEARCH_TIME= 30
NS_LDAP_CACHETTL= 60
NS_LDAP_PROFILE= solaris_profile
NS_LDAP_CREDENTIAL_LEVEL= proxy
NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub

That's all I set up, it's like the defaultest of the defaultest I guess :)
And thanks for describing EQUALITY.
I must admit I am not that familiar with old Netscape tools, but the OpenLDAP log is quite clear, there is a request for a Server Side Sorting extended operation, which in fact is quite unusual. You really should check Solaris 10 setup for appropriate templates, i.e. what is the content of solaris_profile? By the way, AFAIR the flag for sss is -F so you may check any templates, Redhat provides these in /usr/share/dirsrv, Solaris might be different.
-Dieter
-- Dieter Klünter | Systemberatung sip: 7770535@sipgate.de http://www.dpunkt.de/buecher/2104.html GPG Key ID:8EF7B6C6
-- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra