Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Kind regards Kevin
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
Hi!
Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute. I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it.
Is this what you mean? Otherwise I might need a hint :-(
Kind regards Kevin
Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
Kevin Olbrich wrote:
Hi!
Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute.
Exactly.
I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it.
If you want the attribute to stop being passed in upper case, fix your schema. Period, end of story.
Is this what you mean? Otherwise I might need a hint :-(
Kind regards Kevin
Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute.
Exactly.
I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it.
If you want the attribute to stop being passed in upper case, fix your schema. Period, end of story.
That means I need to define everything again? Both in AD and Slapd? Either I missed something or this is very laborious.
And there is realy no setting to disable this behaviour? The setup where I need this is a simple DMZ (tls enforcing) proxy.
Is this what you mean? Otherwise I might need a hint :-(
Kind regards Kevin
Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
-- -- Howard Chu CTO, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc/ Chief Architect, OpenLDAP http://www.openldap.org/project/
There is apparently an schema file that you can include in your OpenLDAP configuration to define the AD schema. From an old thread on the subject:
[...] slapd requires part of AD schemas in order to operate back-ldap properly. Thus write a private schema, providing required attribute types and object classes.
The MSUser schema in OpenLDAP master may be useful for this.
--Quanah
-----Original Message----- From: Kevin Olbrich ko@sv01.de Sent: Monday, March 30, 2020 1:46 PM To: openldap-technical@openldap.org Subject: Re: AD proxy / CAPITAL letters in attributes
Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute.
Exactly.
I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it.
If you want the attribute to stop being passed in upper case, fix your schema. Period, end of story.
That means I need to define everything again? Both in AD and Slapd? Either I missed something or this is very laborious.
And there is realy no setting to disable this behaviour? The setup where I need this is a simple DMZ (tls enforcing) proxy.
Is this what you mean? Otherwise I might need a hint :-(
Kind regards Kevin
Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
-- -- Howard Chu CTO, Symas Corp. https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%... Director, Highland Sun https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%... Chief Architect, OpenLDAP https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http% 3a%2f%2fwww.openldap.org%2fproject%2f&umid=8E0ADA3C-A221-9905-BC8C-5F2 773CA2777&auth=19120be9529b25014b618505cb01789c5433dae7-62363daa58ac2c 8dfb02409d8f32b817d1a5b870
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
Awesome! That works! :-)
Thank you so much!
Kind regards Kevin
Am Di., 31. März 2020 um 18:27 Uhr schrieb Vandenburgh, Steve Y Steve.Vandenburgh@centurylink.com:
There is apparently an schema file that you can include in your OpenLDAP configuration to define the AD schema. From an old thread on the subject:
[...] slapd requires part of AD schemas in order to operate back-ldap properly. Thus write a private schema, providing required attribute types and object classes.
The MSUser schema in OpenLDAP master may be useful for this.
--Quanah
-----Original Message----- From: Kevin Olbrich ko@sv01.de Sent: Monday, March 30, 2020 1:46 PM To: openldap-technical@openldap.org Subject: Re: AD proxy / CAPITAL letters in attributes
Am Mo., 30. März 2020 um 18:40 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
Thanks for your reply. I don't know what you are referring to on the man page but as far as I know, this indicates, that OpenLDAP doesn't know about the attribute.
Exactly.
I know that but I don't care, as OpenLDAP is just a read-only proxy, it does not need to know anything about the schema as it does not need to validate it.
If you want the attribute to stop being passed in upper case, fix your schema. Period, end of story.
That means I need to define everything again? Both in AD and Slapd? Either I missed something or this is very laborious.
And there is realy no setting to disable this behaviour? The setup where I need this is a simple DMZ (tls enforcing) proxy.
Is this what you mean? Otherwise I might need a hint :-(
Kind regards Kevin
Am Sa., 28. März 2020 um 18:06 Uhr schrieb Howard Chu hyc@symas.com:
Kevin Olbrich wrote:
Hi!
How can I disable the behavior of CAPITAL letters when OpenLDAP proxies an AD? I know they should be case insensitive but I had to debug Rocketchat for two hours to find, they use sAMAccountName (case sensitive) and the app crashed because mine was named SAMACCOUNTNAME. (I will open a bug there but I bet there is a lot of broken SW).
Read the slapd-ldap(5) manpage. These attributes are shown in all capital letters to make you aware that you have a broken configuration. Fix it and they will return to normal.
-- -- Howard Chu CTO, Symas Corp. https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%... Director, Highland Sun https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http%3a%2f%... Chief Architect, OpenLDAP https://imss91-ctp.trendmicro.com:443/wis/clicktime/v1/query?url=http% 3a%2f%2fwww.openldap.org%2fproject%2f&umid=8E0ADA3C-A221-9905-BC8C-5F2 773CA2777&auth=19120be9529b25014b618505cb01789c5433dae7-62363daa58ac2c 8dfb02409d8f32b817d1a5b870
This communication is the property of CenturyLink and may contain confidential or privileged information. Unauthorized use of this communication is strictly prohibited and may be unlawful. If you have received this communication in error, please immediately notify the sender by reply e-mail and destroy all copies of the communication and any attachments.
openldap-technical@openldap.org
-
Howard Chu -
Kevin Olbrich -
Vandenburgh, Steve Y