Hi
We have set up an LDAP proxy (slapd-ldap) in front of a NetIQ eDirectory.
The LDAP-client which connects to the proxy uses an extended operation, but the request fails because the proxy is not aware of this extension:
do_extended: unsupported operation "2.16.840.1.113719.1.39.42.100....
RESULT tag=120 err=2 text=unsupported extended operation

# ldapsearch -H ldaps://proxy:port -b '' -s base -D <snip> -W -LLL supportedExtension
Enter LDAP Password:
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
Whereas the NetIQ eDirectory back-end supports lots of custom NetIQ extensions:
# ldapsearch -H ldaps://backend:port -b '' -s base -D <snip> -W -LLL supportedExtension
Enter LDAP Password:
dn:
supportedExtension: 2.16.840.1.113719.1.39.42.100.1
supportedExtension: 2.16.840.1.113719.1.39.42.100.3
supportedExtension: 2.16.840.1.113719.1.39.42.100.5
supportedExtension: 2.16.840.1.113719.1.39.42.100.7
supportedExtension: 2.16.840.1.113719.1.39.42.100.9
supportedExtension: 2.16.840.1.113719.1.39.42.100.11
supportedExtension: 2.16.840.1.113719.1.39.42.100.13
supportedExtension: 2.16.840.1.113719.1.39.42.100.15
supportedExtension: 2.16.840.1.113719.1.39.42.100.17
supportedExtension: 2.16.840.1.113719.1.39.42.100.19
supportedExtension: 2.16.840.1.113719.1.39.42.100.21
supportedExtension: 2.16.840.1.113719.1.39.42.100.23
supportedExtension: 2.16.840.1.113719.1.39.42.100.25
supportedExtension: 2.16.840.1.113719.1.39.42.100.27
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113719.1.39.42.100.29
supportedExtension: 2.16.840.1.113719.1.14.100.1
supportedExtension: 2.16.840.1.113719.1.14.100.3
supportedExtension: 2.16.840.1.113719.1.14.100.5
supportedExtension: 2.16.840.1.113719.1.14.100.7
supportedExtension: 2.16.840.1.113719.1.14.100.9
supportedExtension: 2.16.840.1.113719.1.14.100.11
supportedExtension: 2.16.840.1.113719.1.14.100.13
supportedExtension: 2.16.840.1.113719.1.14.100.15
supportedExtension: 2.16.840.1.113719.1.14.100.17
supportedExtension: 2.16.840.1.113719.1.14.100.21
supportedExtension: 2.16.840.1.113719.1.14.100.23
supportedExtension: 2.16.840.1.113719.1.14.100.25
supportedExtension: 2.16.840.1.113719.1.14.100.27
supportedExtension: 2.16.840.1.113719.1.14.100.29
supportedExtension: 2.16.840.1.113719.1.14.100.31
supportedExtension: 2.16.840.1.113719.1.14.100.33
supportedExtension: 2.16.840.1.113719.1.14.100.35
supportedExtension: 2.16.840.1.113719.1.14.100.37
supportedExtension: 2.16.840.1.113719.1.14.100.39
supportedExtension: 2.16.840.1.113719.1.14.100.41
supportedExtension: 2.16.840.1.113719.1.14.100.43
supportedExtension: 2.16.840.1.113719.1.14.100.45
supportedExtension: 2.16.840.1.113719.1.14.100.47
supportedExtension: 2.16.840.1.113719.1.14.100.49
supportedExtension: 2.16.840.1.113719.1.14.100.51
supportedExtension: 2.16.840.1.113719.1.14.100.53
supportedExtension: 2.16.840.1.113719.1.14.100.55
supportedExtension: 2.16.840.1.113719.1.14.100.57
supportedExtension: 2.16.840.1.113719.1.14.100.59
supportedExtension: 2.16.840.1.113719.1.14.100.61
supportedExtension: 2.16.840.1.113719.1.14.100.63
supportedExtension: 2.16.840.1.113719.1.14.100.65
supportedExtension: 2.16.840.1.113719.1.14.100.67
supportedExtension: 2.16.840.1.113719.1.14.100.69
supportedExtension: 2.16.840.1.113719.1.14.100.71
supportedExtension: 2.16.840.1.113719.1.14.100.73
supportedExtension: 2.16.840.1.113719.1.14.100.75
supportedExtension: 2.16.840.1.113719.1.14.100.77
supportedExtension: 2.16.840.1.113719.1.14.100.79
supportedExtension: 2.16.840.1.113719.1.14.100.81
supportedExtension: 2.16.840.1.113719.1.14.100.19
supportedExtension: 2.16.840.1.113719.1.14.100.83
supportedExtension: 2.16.840.1.113719.1.14.100.85
supportedExtension: 2.16.840.1.113719.1.14.100.87
supportedExtension: 2.16.840.1.113719.1.14.100.89
supportedExtension: 2.16.840.1.113719.1.14.100.91
supportedExtension: 2.16.840.1.113719.1.14.100.93
supportedExtension: 2.16.840.1.113719.1.148.100.1
supportedExtension: 2.16.840.1.113719.1.148.100.3
supportedExtension: 2.16.840.1.113719.1.148.100.5
supportedExtension: 2.16.840.1.113719.1.148.100.7
supportedExtension: 2.16.840.1.113719.1.148.100.9
supportedExtension: 2.16.840.1.113719.1.148.100.11
supportedExtension: 2.16.840.1.113719.1.148.100.13
supportedExtension: 2.16.840.1.113719.1.148.100.15
supportedExtension: 2.16.840.1.113719.1.148.100.17
supportedExtension: 2.16.840.1.113719.1.27.100.1
supportedExtension: 2.16.840.1.113719.1.27.100.3
supportedExtension: 2.16.840.1.113719.1.27.100.5
supportedExtension: 2.16.840.1.113719.1.27.100.7
supportedExtension: 2.16.840.1.113719.1.27.100.11
supportedExtension: 2.16.840.1.113719.1.27.100.13
supportedExtension: 2.16.840.1.113719.1.27.100.15
supportedExtension: 2.16.840.1.113719.1.27.100.17
supportedExtension: 2.16.840.1.113719.1.27.100.19
supportedExtension: 2.16.840.1.113719.1.27.100.21
supportedExtension: 2.16.840.1.113719.1.27.100.23
supportedExtension: 2.16.840.1.113719.1.27.100.25
supportedExtension: 2.16.840.1.113719.1.27.100.27
supportedExtension: 2.16.840.1.113719.1.27.100.29
supportedExtension: 2.16.840.1.113719.1.27.100.31
supportedExtension: 2.16.840.1.113719.1.27.100.33
supportedExtension: 2.16.840.1.113719.1.27.100.35
supportedExtension: 2.16.840.1.113719.1.27.100.37
supportedExtension: 2.16.840.1.113719.1.27.100.39
supportedExtension: 2.16.840.1.113719.1.27.100.41
supportedExtension: 2.16.840.1.113719.1.27.100.96
supportedExtension: 2.16.840.1.113719.1.27.100.98
supportedExtension: 2.16.840.1.113719.1.27.100.101
supportedExtension: 2.16.840.1.113719.1.27.100.103
supportedExtension: 2.16.840.1.113719.1.142.100.1
supportedExtension: 2.16.840.1.113719.1.142.100.4
supportedExtension: 2.16.840.1.113719.1.142.100.6
supportedExtension: 2.16.840.1.113719.1.27.100.9
supportedExtension: 2.16.840.1.113719.1.27.100.43
supportedExtension: 2.16.840.1.113719.1.27.100.45
supportedExtension: 2.16.840.1.113719.1.27.100.47
supportedExtension: 2.16.840.1.113719.1.27.100.49
supportedExtension: 2.16.840.1.113719.1.27.100.51
supportedExtension: 2.16.840.1.113719.1.27.100.53
supportedExtension: 2.16.840.1.113719.1.27.100.55
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 2.16.840.1.113719.1.27.100.79
supportedExtension: 2.16.840.1.113719.1.27.100.84
supportedExtension: 2.16.840.1.113719.1.27.103.1
supportedExtension: 2.16.840.1.113719.1.27.103.2
Is there a way to allow these extensions on the proxy?
Thx,
Philip
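The check Philip does by hand above (read supportedExtension from the rootDSE of the proxy and of the back-end, then eyeball the difference) as a script. This is an added example, not code from the thread, from OpenLDAP or from NetIQ. The sample LDIF is constructed: the proxy list is the one posted above, the back-end list is a small subset of the eDirectory output with one value folded across two lines to exercise the parser. `parse_ldif_values`, `fetch_root_dse_ldif`, `exop_gap` and `describe` are names chosen for the example; the ldapsearch flags used (`-H`, `-x`, `-b`, `-s`, `-LLL`, `-D`, `-y`) are real OpenLDAP client flags.

```python
"""Diff the extended operations advertised in the rootDSE of an LDAP proxy
against those of its back-end. Anything the back-end advertises that the proxy
does not is what a client going through the proxy will get
'unsupported extended operation' (err=2, protocolError) for.
Added example, not OpenLDAP code; function names are the example's own."""
import base64
import subprocess
from typing import Dict, List, Optional, Set

# Standard exops, named for readable output (OIDs from the RFCs cited).
KNOWN_EXOPS = {
    "1.3.6.1.4.1.1466.20037": "StartTLS (RFC 4511)",
    "1.3.6.1.4.1.4203.1.11.1": "Password Modify (RFC 3062)",
    "1.3.6.1.4.1.4203.1.11.3": "Who am I? (RFC 4532)",
    "1.3.6.1.1.8": "Cancel (RFC 3909)",
}


def parse_ldif_values(ldif: str, attr: str) -> Set[str]:
    """Values of `attr` in an LDIF blob. Unfolds continuation lines (leading
    space, RFC 2849) and decodes base64 ('::') values; URL (':<') values are
    skipped because they cannot occur for supportedExtension."""
    lines: List[str] = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # folding: drop exactly one space
        else:
            lines.append(raw)
    values: Set[str] = set()
    for line in lines:
        if line.startswith("#") or ":" not in line:
            continue
        name, _, rest = line.partition(":")
        if name.strip().lower() != attr.lower():
            continue
        if rest.startswith("<"):
            continue
        if rest.startswith(":"):
            value = base64.b64decode(rest[1:].strip()).decode()
        else:
            value = rest.strip()
        if value:
            values.add(value)
    return values


def fetch_root_dse_ldif(uri: str, bind_dn: Optional[str] = None,
                        passfile: Optional[str] = None) -> str:
    """Read supportedExtension from the rootDSE with ldapsearch, like the
    command in the thread, but with -x (simple bind) and -y (password file,
    so the password is not on the command line). Not run in the offline demo."""
    argv = ["ldapsearch", "-H", uri, "-x", "-b", "", "-s", "base", "-LLL"]
    if bind_dn:
        argv += ["-D", bind_dn]
    if passfile:
        argv += ["-y", passfile]
    argv.append("supportedExtension")
    return subprocess.run(argv, check=True, capture_output=True, text=True).stdout


def exop_gap(proxy_ldif: str, backend_ldif: str) -> Dict[str, Set[str]]:
    """Partition the advertised exop OIDs of proxy and back-end."""
    proxy = parse_ldif_values(proxy_ldif, "supportedExtension")
    backend = parse_ldif_values(backend_ldif, "supportedExtension")
    return {
        "backend_only": backend - proxy,   # rejected by the proxy with err=2
        "proxy_only": proxy - backend,     # implemented by the proxy itself
        "both": proxy & backend,
    }


def describe(oid: str) -> str:
    return f"{oid}  {KNOWN_EXOPS[oid]}" if oid in KNOWN_EXOPS else oid


# Constructed sample output: the proxy list from the thread and a subset of the
# eDirectory list, with one value folded across two lines to test unfolding.
PROXY_LDIF = """dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
"""
BACKEND_LDIF = """dn:
supportedExtension: 2.16.840.1.113719.1.39.42.100.1
supportedExtension: 2.16.840.1.113719.1.39.42.100.3
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 2.16.840.1.113719.1.14.10
 0.1
supportedExtension: 2.16.840.1.113719.1.27.100.1
supportedExtension: 1.3.6.1.4.1.1466.20037
"""

if __name__ == "__main__":
    # Against live servers: exop_gap(fetch_root_dse_ldif("ldaps://proxy:port"),
    #                                fetch_root_dse_ldif("ldaps://backend:port"))
    for bucket, oids in exop_gap(PROXY_LDIF, BACKEND_LDIF).items():
        print(bucket)
        for oid in sorted(oids):
            print("   ", describe(oid))
```

The "backend_only" bucket is the list of OIDs a client will be refused when it talks to the proxy; the "proxy_only" bucket (Who am I? and Cancel here) are operations slapd answers from its own code, which is why they are advertised by the proxy even though eDirectory does not list them.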
--On Thursday, January 03, 2019 3:15 PM +0100 Philip Brusten philip.brusten@kuleuven.be wrote:
Hi
We have set up an LDAP proxy (slapd-ldap) in front of a NetIQ eDirectory.
The LDAP-client which connects to the proxy uses an extended operation, but the request fails because the proxy is not aware of this extension:
Is there a way to allow these extensions on the proxy?
Hi Philip,
Is this perhaps ITS#8845? It might be worth seeing if c29542c41885b56066c66046ca1f690251265c09 resolves the issue.
Regards, Quanah
--
Quanah Gibson-Mount Product Architect Symas Corporation Packaged, certified, and supported LDAP solutions powered by OpenLDAP: http://www.symas.com
Philip Brusten wrote:
Hi
We have set up an LDAP proxy (slapd-ldap) in front of a NetIQ eDirectory.
The LDAP-client which connects to the proxy uses an extended operation, but the request fails because the proxy is not aware of this extension:
do_extended: unsupported operation "2.16.840.1.113719.1.39.42.100....
RESULT tag=120 err=2 text=unsupported extended operation

# ldapsearch -H ldaps://proxy:port -b '' -s base -D <snip> -W -LLL supportedExtension
Enter LDAP Password:
dn:
supportedExtension: 1.3.6.1.4.1.1466.20037
supportedExtension: 1.3.6.1.4.1.4203.1.11.1
supportedExtension: 1.3.6.1.4.1.4203.1.11.3
supportedExtension: 1.3.6.1.1.8
Whereas the NetIQ eDirectory back-end supports lots of custom NetIQ extensions:
# ldapsearch -H ldaps://backend:port -b '' -s base -D <snip> -W -LLL supportedExtension
Enter LDAP Password:
dn:
supportedExtension: 2.16.840.1.113719.1.39.42.100.1
Is there a way to allow these extensions on the proxy?
Write yourself a dynamic module to register those extension OIDs in back-ldap.
On 3/01/2019 18:09, Howard Chu wrote:
Philip Brusten wrote:
Is there a way to allow these extensions on the proxy?
Write yourself a dynamic module to register those extension OIDs in back-ldap.
So there is no current way to support these extensions via configuration?
Philip Brusten wrote:
On 3/01/2019 18:09, Howard Chu wrote:
Philip Brusten wrote:
Is there a way to allow these extensions on the proxy?
Write yourself a dynamic module to register those extension OIDs in back-ldap.
So there is no current way to support these extensions via configuration?
Extensions, by their very nature, require code to implement them. So no, you cannot configure new functionality into existence without writing your own module.
On 7/01/2019 17:59, Howard Chu wrote:
Philip Brusten wrote:
On 3/01/2019 18:09, Howard Chu wrote:
Philip Brusten wrote:
Is there a way to allow these extensions on the proxy?
Write yourself a dynamic module to register those extension OIDs in back-ldap.
So there is no current way to support these extensions via configuration?
Extensions, by their very nature, require code to implement them. So no, you cannot configure new functionality into existence without writing your own module.
In the context of a proxy this is a big overhead. IMHO this should be possible via configuration in case of an LDAP-proxy. It just needs to allow the extension to pass through, not to implement the logic behind it, or is this too short-sighted?
Philip Brusten wrote:
On 7/01/2019 17:59, Howard Chu wrote:
Philip Brusten wrote:
On 3/01/2019 18:09, Howard Chu wrote:
Philip Brusten wrote:
Is there a way to allow these extensions on the proxy?
Write yourself a dynamic module to register those extension OIDs in back-ldap.
So there is no current way to support these extensions via configuration?
Extensions, by their very nature, require code to implement them. So no, you cannot configure new functionality into existence without writing your own module.
In the context of a proxy this is a big overhead. IMHO this should be possible via configuration in case of an LDAP-proxy. It just needs to allow the extension to pass through, not to implement the logic behind it, or is this too short-sighted?
It's not that simple. Advertising a supportedExtension in the rootDSE implies that the entire server supports them. slapd allows multiple backends to operate at once, and what you're talking about would only be valid for a single specific back-ldap instance.
The standard format for extended ops doesn't include a DN, and slapd uses the DN to determine which backend should process an incoming op. So there's no generic way for slapd to correctly forward an incoming exop to the correct backend, or the proxy backend. Every op must be handled explicitly and must be at least parsed in order for slapd to be able to route it.
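Howard's routing argument, shown at the wire level. This is an added example, not code from the thread or from slapd, and it does not use slapd's module API: it is a minimal BER encoder/decoder for two RFC 4511 request types plus a router that extracts whatever a DN-keyed dispatcher could use from each. A SearchRequest (like every DN-bearing request) carries its DN as the first field; an ExtendedRequest carries only requestName (an OID) and an opaque requestValue, so there is nothing to select a backend on unless code has been registered for that OID. Two facts it also makes concrete: the `RESULT tag=120` in Philip's log is 0x78, the [APPLICATION 24] ExtendedResponse tag, and `err=2` is the LDAP result code protocolError. Function names are the example's own; no controls are encoded.

```python
"""Why an extended operation cannot be routed the way slapd routes other ops.
Added example, not slapd code: a minimal BER encoder/decoder for RFC 4511
requests and a router that pulls out what a DN-keyed dispatcher could use."""
from typing import Dict, Iterator, Optional, Tuple

# protocolOp tags (class APPLICATION | constructed | number), RFC 4511 sec. 4.
SEARCH_REQUEST, MODIFY_REQUEST, ADD_REQUEST = 0x63, 0x66, 0x68   # [APP 3], [6], [8]
DEL_REQUEST = 0x4A          # [APPLICATION 10], primitive: contents ARE the DN
MODDN_REQUEST, COMPARE_REQUEST = 0x6C, 0x6E                      # [12], [14]
EXTENDED_REQUEST = 0x77     # [APPLICATION 23]
EXTENDED_RESPONSE = 0x78    # [APPLICATION 24] = 120, the "RESULT tag=120" in slapd's log
NAMES: Dict[int, str] = {
    SEARCH_REQUEST: "SearchRequest", MODIFY_REQUEST: "ModifyRequest",
    ADD_REQUEST: "AddRequest", DEL_REQUEST: "DelRequest",
    MODDN_REQUEST: "ModifyDNRequest", COMPARE_REQUEST: "CompareRequest",
    EXTENDED_REQUEST: "ExtendedRequest",
}


def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, contents: bytes) -> bytes:
    return bytes([tag]) + _length(len(contents)) + contents


def ber_int(v: int) -> bytes:
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))


def ber_str(s: str, tag: int = 0x04) -> bytes:
    return tlv(tag, s.encode())


def ldap_message(msgid: int, protocol_op: bytes) -> bytes:
    return tlv(0x30, ber_int(msgid) + protocol_op)


def extended_request(msgid: int, oid: str, value: Optional[bytes] = None) -> bytes:
    """ExtendedRequest ::= [APPLICATION 23] SEQUENCE {
         requestName [0] LDAPOID, requestValue [1] OCTET STRING OPTIONAL }
    Note what is absent: there is no DN field at all."""
    body = ber_str(oid, 0x80)
    if value is not None:
        body += tlv(0x81, value)
    return ldap_message(msgid, tlv(EXTENDED_REQUEST, body))


def search_request(msgid: int, base_dn: str) -> bytes:
    """SearchRequest, scope baseObject, filter (objectClass=*). The first
    field is baseObject, an LDAPDN: the key slapd picks a backend with."""
    body = (ber_str(base_dn)                   # baseObject LDAPDN
            + tlv(0x0A, b"\x00")               # scope: baseObject
            + tlv(0x0A, b"\x00")               # derefAliases: never
            + ber_int(0) + ber_int(0)          # sizeLimit, timeLimit
            + tlv(0x01, b"\x00")               # typesOnly FALSE
            + ber_str("objectClass", 0x87)     # filter: present [7]
            + tlv(0x30, ber_str("supportedExtension")))   # attributes
    return ldap_message(msgid, tlv(SEARCH_REQUEST, body))


def decode(buf: bytes, pos: int = 0) -> Tuple[int, bytes, int]:
    """One TLV at pos -> (tag, contents, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                           # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(contents: bytes) -> Iterator[Tuple[int, bytes]]:
    pos = 0
    while pos < len(contents):
        tag, value, pos = decode(contents, pos)
        yield tag, value


def routing_key(msg: bytes) -> Tuple[str, Optional[str], Optional[str]]:
    """(operation, DN a backend could be chosen by, exop OID). Every DN-bearing
    request has the DN first; an ExtendedRequest yields only its OID."""
    tag, contents, _ = decode(msg)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _msgid, (op_tag, op_contents) = list(children(contents))[:2]
    if op_tag == DEL_REQUEST:
        return NAMES[op_tag], op_contents.decode(), None
    if op_tag == EXTENDED_REQUEST:
        fields = dict(children(op_contents))
        return NAMES[op_tag], None, fields[0x80].decode()
    if op_tag in NAMES:
        _, dn = next(children(op_contents))
        return NAMES[op_tag], dn.decode(), None
    return f"protocolOp 0x{op_tag:02x}", None, None


if __name__ == "__main__":
    for m in (search_request(1, ""), search_request(2, "ou=people,o=example"),
              extended_request(3, "1.3.6.1.4.1.4203.1.11.3"),
              extended_request(4, "2.16.840.1.113719.1.39.42.100.1")):
        print(m.hex(), "->", routing_key(m))
```

Running it prints the two searches with their base DNs and both extended requests with `None` in the DN slot. That empty slot is the whole problem: a generic "pass this OID through to back-ldap" option would have to decide, from the OID alone, which of possibly several databases the request belongs to, and advertising the OID in the rootDSE would claim it for all of them.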
On 9/01/2019 15:28, Howard Chu wrote:
It's not that simple. Advertising a supportedExtension in the rootDSE implies that the entire server supports them. slapd allows multiple backends to operate at once, and what you're talking about would only be valid for a single specific back-ldap instance.
The standard format for extended ops doesn't include a DN, and slapd uses the DN to determine which backend should process an incoming op. So there's no generic way for slapd to correctly forward an incoming exop to the correct backend, or the proxy backend. Every op must be handled explicitly and must be at least parsed in order for slapd to be able to route it.
Okay, that makes sense. Thank you for the explanation.
Philip
openldap-technical@openldap.org