Using slapd 2.5 with dynlist to generate memberof.
We use the sssd ldap provider with the ldap_user_search_filter parameter and a memberof filter, and only the users which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5.
We use ldapsearch with a memberof filter and it works as expected, since slapd 2.5.
I am trying out some webapps, configuring the ldap filter, and I am wondering because the filter with the memberof attribute is transmitted to slapd but there is no search result in the slapd.log. If I copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server, I get search results.
Could somebody clarify this for me?
andreas.ladanyi@kit.edu wrote:
> Using slapd 2.5 with dynlist to generate memberof.
> We use the sssd ldap provider with the ldap_user_search_filter parameter and a memberof filter, and only the users which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5.
> We use ldapsearch with a memberof filter and it works as expected, since slapd 2.5.
> I am trying out some webapps, configuring the ldap filter, and I am wondering because the filter with the memberof attribute is transmitted to slapd but there is no search result in the slapd.log. If I copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server, I get search results.
> Could somebody clarify this for me?
Read the slapo-dynlist(5) manpage, especially the note about the manageDSAit control. Then check the slapd packet trace and see what controls the webapp is sending with the search request.
On 24.11.22 at 02:14, Howard Chu wrote:
> andreas.ladanyi@kit.edu wrote:
>> Using slapd 2.5 with dynlist to generate memberof.
>> We use the sssd ldap provider with the ldap_user_search_filter parameter and a memberof filter, and only the users which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5.
>> We use ldapsearch with a memberof filter and it works as expected, since slapd 2.5.
>> I am trying out some webapps, configuring the ldap filter, and I am wondering because the filter with the memberof attribute is transmitted to slapd but there is no search result in the slapd.log. If I copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server, I get search results.
>> Could somebody clarify this for me?
> Read the slapo-dynlist(5) manpage, especially the note about the manageDSAit control. Then check the slapd packet trace and see what controls the webapp is sending with the search request.
About the controls:
Wireshark told me the manageDSAit control is not sent by the webapp ldap client and not by ldapsearch (without -M). I never used -M.
The webapp sends the control "pageresultcontrol", size 500, to slapd. The slapd response back to the client is "pageresultcontrol", size 0.
Andreas Ladanyi wrote:
> On 24.11.22 at 02:14, Howard Chu wrote:
>> andreas.ladanyi@kit.edu wrote:
>>> Using slapd 2.5 with dynlist to generate memberof.
>>> We use the sssd ldap provider with the ldap_user_search_filter parameter and a memberof filter, and only the users which are memberof=XY are in the sssd cache. So it works as expected, since slapd 2.5.
>>> We use ldapsearch with a memberof filter and it works as expected, since slapd 2.5.
>>> I am trying out some webapps, configuring the ldap filter, and I am wondering because the filter with the memberof attribute is transmitted to slapd but there is no search result in the slapd.log. If I copy the webapp ldap filter from the slapd log and try it out with ldapsearch on the webapp server, I get search results.
>>> Could somebody clarify this for me?
>> Read the slapo-dynlist(5) manpage, especially the note about the manageDSAit control. Then check the slapd packet trace and see what controls the webapp is sending with the search request.
> About the controls:
> Wireshark told me the manageDSAit control is not sent by the webapp ldap client and not by ldapsearch (without -M). I never used -M.
> The webapp sends the control "pageresultcontrol", size 500, to slapd. The slapd response back to the client is "pageresultcontrol", size 0.
The slapo-dynlist(5) manpage already documents that pagedresults doesn't work with dynlist.
>>> Read the slapo-dynlist(5) manpage, especially the note about the manageDSAit control. Then check the slapd packet trace and see what controls the webapp is sending with the search request.
>> About the controls:
>> Wireshark told me the manageDSAit control is not sent by the webapp ldap client and not by ldapsearch (without -M). I never used -M.
>> The webapp sends the control "pageresultcontrol", size 500, to slapd. The slapd response back to the client is "pageresultcontrol", size 0.
> The slapo-dynlist(5) manpage already documents that pagedresults doesn't work with dynlist.
I switched off the pagedresults control in slapd and get resultcode "adminLimitExceeded" and also 0 search results for the client. So this makes no difference for the client webapp.
Do I have to switch off pagedresults on all clients which send the pagedresult control? Or could I solve this on slapd?
openldap-technical@openldap.org
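Added example, not part of the thread and not OpenLDAP code: a minimal BER walk in Python that lists the controls attached to a captured LDAP search request, which is the packet-trace check suggested in the thread. Both messages are constructed samples (base DN, group DN and message ID are assumptions); the page size of 500 matches what was reported for the webapp.

```python
PAGED_RESULTS = "1.2.840.113556.1.4.319"    # pagedResults control (RFC 2696)
MANAGE_DSA_IT = "2.16.840.1.113730.3.4.2"   # manageDSAit control (RFC 3296)

def tlv(tag, body):
    """Encode one short-form BER TLV; only used to build the samples below."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def children(body):
    """Split a constructed BER value into its (tag, value) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, length, pos = body[pos], body[pos + 1], pos + 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, pos = int.from_bytes(body[pos:pos + n], "big"), pos + n
        out.append((tag, body[pos:pos + length]))
        pos += length
    return out

def request_controls(message):
    """Return {oid: (critical, value)} for the controls of one LDAPMessage."""
    (_, envelope), = children(message)        # outer SEQUENCE
    found = {}
    for tag, value in children(envelope)[2:]: # skip messageID and protocolOp
        for _, control in (children(value) if tag == 0xA0 else []):  # [0] Controls
            parts = children(control)
            critical = any(t == 0x01 and v != b"\x00" for t, v in parts[1:])
            ctl_value = next((v for t, v in parts[1:] if t == 0x04), None)
            found[parts[0][1].decode()] = (critical, ctl_value)
    return found

def page_size(ctl_value):
    """Decode the requested page size from a pagedResults control value."""
    (_, seq), = children(ctl_value)
    return int.from_bytes(children(seq)[0][1], "big", signed=True)

def sample_search(controls=b""):
    """Constructed SearchRequest (messageID 2) with a memberOf equality filter."""
    flt = tlv(0xA3, tlv(0x04, b"memberOf") + tlv(0x04, b"cn=XY,dc=example,dc=org"))
    op = tlv(0x63, tlv(0x04, b"dc=example,dc=org") + tlv(0x0A, b"\x02") +
             tlv(0x0A, b"\x00") + tlv(0x02, b"\x00") + tlv(0x02, b"\x00") +
             tlv(0x01, b"\x00") + flt + tlv(0x30, b""))
    return tlv(0x30, tlv(0x02, b"\x02") + op + controls)

paged = tlv(0x30, tlv(0x04, PAGED_RESULTS.encode()) +   # constructed control, size 500
            tlv(0x04, tlv(0x30, tlv(0x02, b"\x01\xf4") + tlv(0x04, b""))))
WEBAPP_LIKE = sample_search(tlv(0xA0, paged))  # search carrying paged results
PLAIN = sample_search()                        # search with no controls at all
```

Calling `request_controls()` on the LDAPMessage bytes of each client's search request shows which controls differ between the webapp and ldapsearch.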