Hi!
How does OpenLDAP behave when it encounters a search filter with an unknown objectClass? From what I've been able to gather, it translates the search filter into (?objectClass=value), thus rendering the rest of the search invalid. What can I do about this? Either just pass the search as it is, or remove it altogether?
The reason I'm asking about this is that I'm setting up OpenLDAP as a proxy for Active Directory. After months of researching I've discovered that the problem lies exactly here: OpenLDAP alters the search filter for object classes it knows nothing about.
Example:
(| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=accessGroup) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=univentionGroup) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) )
Yields no entries. I've looked at the syslog (loglevel = 256) and I see that the last two clauses have been "translated" into "?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I then remove the last two clauses, like so...
(| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) ) (& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) )
... then I get the entries I want back. The problem here is that I'm unable to alter the search filter, since it is generated by a 3rd-party app that I can't change, so I need to fix my OpenLDAP to let this stuff pass through.
Any idea?
Define those objectClasses in slapd's schema; that's the wisest thing to do. I'd note that in recent releases the filter is passed through as is even when unknown. Unfortunately, you don't state what version you're using.
p.
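As an added example, not part of this thread and not OpenLDAP code, here is a small Python script that parses an RFC 4515 search filter into a tree and reports which objectClass values are not defined in a local schema, i.e. the clauses that, according to the poster's log, slapd rendered as "?objectClass=...". It is meant as a quick way to find out which classes need to be added to slapd's schema before a third-party filter is proxied. The KNOWN_OBJECT_CLASSES set is a constructed stand-in for the schema a slapd actually loads, the sample filter is the one from the question, and the leading "?" in render() only mirrors the log output the poster described.

```python
import re

# Constructed illustration of what the local slapd schema "knows". A real
# slapd loads many more classes from its schema files; this set is only
# large enough to make the point and is NOT a dump of any real configuration.
KNOWN_OBJECT_CLASSES = {
    "top", "person", "inetOrgPerson", "group",
    "groupOfNames", "groupOfUniqueNames",
}

# The filter from the question, copied as written (whitespace included).
QUESTION_FILTER = (
    "(| (& (objectClass=group) (member=cn=username,ou=test,dc=example,dc=com) ) "
    "(& (objectClass=groupOfNames) (member=cn=username,ou=test,dc=example,dc=com) ) "
    "(& (objectClass=groupOfUniqueNames) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) "
    "(& (objectClass=accessGroup) (member=cn=username,ou=test,dc=example,dc=com) ) "
    "(& (objectClass=univentionGroup) (uniqueMember=cn=username,ou=test,dc=example,dc=com) ) )"
)

# attribute description, then one of the RFC 4515 filter operators, then value
_ITEM = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(=|>=|<=|~=)(.*)$", re.S)


def parse_filter(text):
    """Parse an RFC 4515 search filter into a small tree.

    Nodes are ('&'|'|'|'!', [children]) or ('item', attr, op, value).
    Parentheses inside values must be escaped (\\28, \\29) as RFC 4515 requires.
    """
    s = text.strip()
    pos, node = _parse(s, 0)
    if pos != len(s):
        raise ValueError(f"trailing data at offset {pos}")
    return node


def _skip_ws(s, i):
    while i < len(s) and s[i].isspace():
        i += 1
    return i


def _parse(s, i):
    i = _skip_ws(s, i)
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op = s[i]
        i = _skip_ws(s, i + 1)
        children = []
        while i < len(s) and s[i] != ")":
            i, child = _parse(s, i)
            children.append(child)
            i = _skip_ws(s, i)
        if i >= len(s):
            raise ValueError("unterminated compound filter")
        return i + 1, (op, children)
    end = s.find(")", i)
    if end < 0:
        raise ValueError(f"unterminated filter item at offset {i}")
    m = _ITEM.match(s[i:end])
    if not m:
        raise ValueError(f"malformed filter item: {s[i:end]!r}")
    return end + 1, ("item", m.group(1), m.group(2), m.group(3))


def _is_unknown_class(node, known_lower):
    # Only equality matches on objectClass are schema-checked; a presence
    # test (objectClass=*) needs no class definition. Names are compared
    # case-insensitively, as LDAP schema names are.
    if node[0] != "item":
        return False
    _, attr, op, value = node
    return (attr.lower() == "objectclass" and op == "="
            and value != "*" and value.lower() not in known_lower)


def unknown_object_classes(node, known=KNOWN_OBJECT_CLASSES):
    """Return the objectClass values in the filter that the schema does not define."""
    known_lower = {k.lower() for k in known}
    found = []

    def walk(n):
        if n[0] == "item":
            if _is_unknown_class(n, known_lower):
                found.append(n[3])
        else:
            for c in n[1]:
                walk(c)

    walk(node)
    return found


def render(node, known=KNOWN_OBJECT_CLASSES):
    """Re-serialise the filter, marking unknown objectClass clauses with a
    leading '?' the way the poster saw them in the slapd log (assumed form)."""
    known_lower = {k.lower() for k in known}
    if node[0] != "item":
        return "(" + node[0] + "".join(render(c, known) for c in node[1]) + ")"
    _, attr, op, value = node
    mark = "?" if _is_unknown_class(node, known_lower) else ""
    return f"({mark}{attr}{op}{value})"


if __name__ == "__main__":
    tree = parse_filter(QUESTION_FILTER)
    print("objectClasses missing from schema:", unknown_object_classes(tree))
    print(render(tree))
```

Run against the question's filter it lists accessGroup and univentionGroup as the classes the schema lacks, which is exactly the set the poster had to drop to get results back; once those classes are defined in slapd's schema (with their real OIDs and attribute lists, which this script does not know), the list comes back empty.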