> Hi:
>
> I'm trying to migrate an old LDAP server (that holds an LDAP tree for
> Open-Xchange) to a new installation of OpenLDAP 2.3.43.
>
> A lot of users had configured their Outlook in a way that they make a
> base search for ou=Users,ou=OxObjects,dc=domain,dc=com in their LDAP
> address book. But my new LDAP tree won't have the
> ou=OxObjects,dc=domain,dc=com entry; I'm creating a new LDAP structure
> to be used with GOSA.
>
> So I decided to create a referral like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com
>
> This works fine; now Outlook users can find their contacts using the
> same base search (ou=Users,ou=OxObjects,dc=domain,dc=com), but now GOSA
> got into problems because it finds two administrator users (cn=System
> administrator,ou=people,dc=domain,dc=com) because of the referral.
> I would just like GOSA not to follow referrals, or to search
> for users under ou=people,dc=domain,dc=com instead of the root
> dc=domain,dc=com, but it seems that GOSA isn't good enough to customize
> this yet.
>
> So I thought I could modify my referral to return not all attributes,
> just some of them (the attributes commonly used by an address book
> search), like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail
>
> After updating my referral, I make an ldapsearch:
>
> # ldapsearch -xLLL "(uid=admin)"
>
> I still get two entries (two administrators), and both of them return
> all their attributes. Then I tried to modify my referral like this:
>
> dn: ou=Users,ou=OxObjects,dc=domain,dc=com
> ou: Users
> objectclass: referral
> objectclass: extensibleObject
> ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com??sub?(!(uid=admin))
>
> And I still get two entries (two administrators). So I suspect that my
> referral URI isn't working. Am I using a wrong referral? Or maybe
> OpenLDAP always returns all entries, ignoring attributes and filters in
> a URI referral
> (ldap://HOSTNAME/ou=people,dc=domain,dc=com?cn,sn,givenName,telephoneNumber,mail)?
>
> I hope someone can help me, because I've been stuck with this for two
> days. I just want to limit the entries returned by my referral.
Referrals don't work like that. Read RFC4511: the <attrs> field is not mentioned. It mentions, indeed, the <filter> field, but OpenLDAP does not handle this. The behavior you possibly expect is not strictly specified, AFAIK.

I think you have a couple of options:

1) use ACLs to hide that entry from some specific clients

2) use a dummy proxy instead of a referral; the dummy proxy could massage the request/response DNs, and the original server could use ACLs to hide that entry from the results returned to the proxy.

p.
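Option 1 above, written out as an added slapd.conf fragment (example added here, not from the thread or the OpenLDAP project): the referral entry is hidden from the GOSA service account only, so GOSA's subtree searches never receive the search reference, while anonymous address-book clients still get it. The GOSA bind DN cn=gosa,dc=domain,dc=com and the trailing catch-all rule are assumptions.

```conf
# Added example (slapd.conf, OpenLDAP 2.3 syntax), not the poster's config.
# The referral entry itself stays exactly as in the thread; the <attrs> and
# <filter> parts of the LDAP URL are ignored when slapd emits the reference,
# so the plain URL is kept:
#
#   dn: ou=Users,ou=OxObjects,dc=domain,dc=com
#   objectClass: referral
#   objectClass: extensibleObject
#   ou: Users
#   ref: ldap://HOSTNAME/ou=people,dc=domain,dc=com
#
# slapd only returns a search reference for an entry the requester may read,
# so denying the GOSA identity all access to that one entry removes the
# second "administrator" hit from GOSA's results without touching anyone else.
# cn=gosa,dc=domain,dc=com is an assumed bind DN; substitute the real one.
# This rule must come before any broader "access to" rule, because slapd
# uses the first <what> clause that matches the entry.
access to dn.exact="ou=Users,ou=OxObjects,dc=domain,dc=com"
    by dn.exact="cn=gosa,dc=domain,dc=com" none
    by * read

# Illustrative catch-all for the rest of the tree (assumed; keep your own
# existing rules here instead).
access to *
    by * read

# Check (assumed DNs): bound as cn=gosa, a subtree search of dc=domain,dc=com
# for (uid=admin) returns one entry and no referral; the same search done
# anonymously returns the entry plus the search reference as before.
#
#   ldapsearch -x -D cn=gosa,dc=domain,dc=com -W -b dc=domain,dc=com "(uid=admin)"
#   ldapsearch -x -b dc=domain,dc=com "(uid=admin)"
```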
