Hi all!
I am trying to set up the simplest possible LDAP proxy with OpenLDAP. Actually, I do have a machine with one interface on a public IP address and the other one on the private network. So all I want is a pass-through of any LDAP query 1:1 from the proxy which sits on the public IP to an LDAP server which can be reached only through a private IP on our internal network.
Here is my config:
database ldap
suffix "o=top"
uri "ldap://192.168.12.34/"
My problem is: The query sent to the backend server always contains a (?=undefined) condition, which leads to no objects found.
In other words, the query I send to the proxy is for example:
(&(?objectClass=mailalias)(dc=xxxx.yy))
The back_ldap will send to the backend server:
(&(&(?objectClass=mailalias)(dc=xxxx.yy))(?=undefined))
Any idea?
Regards, Torsten
--On Monday, September 12, 2011 6:37 PM +0000 "Torsten Schlabach (Tascel eG)" tschlabach@tascel.net wrote:
> Any idea?
Your schemas have to match. ?=undefined means that you are sending in attributes that the server knows nothing about.
--Quanah
--
Quanah Gibson-Mount
Sr. Member of Technical Staff
Zimbra, Inc
A Division of VMware, Inc.
--------------------
Zimbra :: the leader in open source messaging and collaboration
Torsten Schlabach (Tascel eG) wrote:
> Hi all!
> I am trying to set up the simplest possible LDAP proxy with OpenLDAP. Actually, I do have a machine with one interface on a public IP address and the other one on the private network. So all I want is a pass-through of any LDAP query 1:1 from the proxy which sits on the public IP to an LDAP server which can be reached only through a private IP on our internal network.
> Here is my config:
> database ldap
> suffix "o=top"
> uri "ldap://192.168.12.34/"
> My problem is: The query sent to the backend server always contains a (?=undefined) condition, which leads to no objects found.
> In other words, the query I send to the proxy is for example:
> (&(?objectClass=mailalias)(dc=xxxx.yy))
> The back_ldap will send to the backend server:
> (&(&(?objectClass=mailalias)(dc=xxxx.yy))(?=undefined))
> Any idea?
Turn up debug on slapd and see what filter it actually received. Also, what version of OpenLDAP is this?
Quanah Gibson-Mount wrote:
> --On Monday, September 12, 2011 6:37 PM +0000 "Torsten Schlabach (Tascel eG)" tschlabach@tascel.net wrote:
>> Any idea?
> Your schemas have to match. ?=undefined means that you are sending in attributes that the server knows nothing about.
On recent versions of OpenLDAP it's more specific than that, this only shows up for unknown filter operators (which usually means a broken client). Which is why I asked what version he's running.
Hi!
> Which is why I asked what version he's running.
It's 2.4.23; both on the proxy as well as on the backend.
Regards, Torsten
On Mon, 12 Sep 2011 12:19:38 -0700, Howard Chu hyc@symas.com wrote:
> Quanah Gibson-Mount wrote:
>> --On Monday, September 12, 2011 6:37 PM +0000 "Torsten Schlabach (Tascel eG)" tschlabach@tascel.net wrote:
>>> Any idea?
>> Your schemas have to match. ?=undefined means that you are sending in attributes that the server knows nothing about.
> On recent versions of OpenLDAP it's more specific than that, this only shows up for unknown filter operators (which usually means a broken client). Which is why I asked what version he's running.
> --
> Howard Chu
> CTO, Symas Corp. http://www.symas.com
> Director, Highland Sun http://highlandsun.com/hyc/
> Chief Architect, OpenLDAP http://www.openldap.org/project/
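An added example, not code from any poster in this thread or from the OpenLDAP project: a small parser that walks a filter string as it is quoted above and lists the assertions marked with a leading "?", which the replies attribute to schema elements or filter operators the server does not recognise. The function names are hypothetical, and the two sample filters are the ones quoted in the thread.

```python
# Added example: report the "?"-marked assertions in an LDAP filter string
# as slapd prints it. Function names are hypothetical, not an OpenLDAP API.

SAMPLES = {  # filter strings copied from the thread
    "proxy_received": "(&(?objectClass=mailalias)(dc=xxxx.yy))",
    "sent_to_backend": "(&(&(?objectClass=mailalias)(dc=xxxx.yy))(?=undefined))",
}

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; return (node, next_index)."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        # Composite filter: operator followed by one or more sub-filters.
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        # Simple item: parentheses inside values are hex-escaped in LDAP
        # filters, so the next ')' always closes the item.
        end = s.find(")", i)
        if end < 0:
            raise ValueError("unterminated filter item")
        node, i = ("item", s[i:end]), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def undefined_items(filter_str):
    """Return the '?'-marked assertions, marker stripped, in document order."""
    tree, end = parse(filter_str)
    if end != len(filter_str):
        raise ValueError("trailing data after filter")
    found, stack = [], [tree]
    while stack:
        kind, body = stack.pop()
        if kind == "item":
            if body.startswith("?"):
                found.append(body[1:])
        else:
            stack.extend(reversed(body))
    return found

if __name__ == "__main__":
    for name, flt in SAMPLES.items():
        print(name, undefined_items(flt))
```

Run against the filter that slapd logs at a higher debug level, this shows whether the marker is already present on what the proxy received or only appears on what it forwards.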