Correction: -w <passwd> or -w - instead of -W

On Thu, Oct 28, 2010 at 15:02, Benjamin Griese <[email protected]> wrote:
> Hello Günther,
>
> sorry for my late reply, I hate sun cluster panics after patching
> those beasts. :(
>
> Here is the content of solaris_profile:
>
> dn: cn=solaris_profile,ou=profile,dc=example,dc=de
> objectClass: DUAConfigProfile
> objectClass: top
> cn: solaris_profile
> authenticationMethod: simple
> bindTimeLimit: 10
> credentialLevel: proxy
> defaultSearchBase: dc=example,dc=de
> defaultSearchScope: sub
> defaultServerList: exampleldap01 exampleldap02 (syncrepl, configured
> to mirrormode)
> followReferrals: FALSE
> profileTTL: 3600
> searchTimeLimit: 30
> serviceSearchDescriptor: sudoers:ou=SUDOers,dc=example,dc=de?sub
> serviceSearchDescriptor: group:ou=groups,dc=example,dc=de?sub
> serviceSearchDescriptor: passwd:ou=people,dc=example,dc=de?sub
>
>
> Regarding the sorting, I found this in man ldapsearch:
>
> "-F sep
>
>     Use sep as the field separator between attribute names
>     and values. If this option has been specified, the -L
>     option is ignored.
>
>
> -S [-]attribute
>
>     Specify an attribute for sorting the entries returned by
>     the search. The sort criteria is alphabetical on the
>     attribute's value or reverse alphabetical with the form
>     -attribute. You can give multiple -S options to refine
>     the sorting, For example:
>
>     -S sn -S givenname
>
>     By default, the entries are not sorted. Use the -x
>     option to perform server-side sorting."
>
> If I use -x for server side sorting, I get the complete list of
> uid-Objects, but not sorted in any obvious way:
> # ldapsearch -v -x -b dc=example,dc=de -h exampleldap01 -D
> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:16:49 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> version: 1
>
> If I use this string I get the complete list of uid-objects sorted by
> uidNumber
> # ldapsearch -v -S uidnumber -b dc=example,dc=de -h exampleldap01 -D
> cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:37:11 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> version: 1
>
> If I try to search with -x and -S uidnumber I get the same message
> that appears in the OpenLDAP logfile:
> # ldapsearch -v -x -S uidNumber -b dc=example,dc=de -h exampleldap01
> -D cn=proxyuser,ou=system,ou=people,dc=example,dc=de -W '(uid=*)'
>
> ldapsearch: started Thu Oct 28 12:25:50 2010
> ldap_init( exampleldap01, 389 )
> filter pattern: (uid=*)
> returning: ALL
> filter is: (uid=*)
> ldap_search: Inappropriate matching
> ldap_search: additional info: serverSort control: No ordering rule
> ldap_parse_sort_control: Requested LDAP control not found
>
> Finally I still have no clue how to prevent the client from doing
> these kinds of searches.
> And I couldn't find any templates regarding the ldapclient on my test machine.
>
> Any other clues or ideas?
>
> Bye, Benjamin.
>
> On Sat, Oct 23, 2010 at 19:17, Dieter Kluenter <[email protected]> wrote:
>> Benjamin Griese <[email protected]> writes:
>>
>>> Hey thanks for quick reply,
>>>
>>> I put the config of the ldapclient on the ML some days ago,
>>> but I can't figure out how I may have set such a rule on client side.
>>> Probably it is something hardcoded.
>>>
>>> ldapclient config:
>>> NS_LDAP_FILE_VERSION= 2.0
>>> NS_LDAP_BINDDN= cn=proxyuser,ou=system,ou=people,dc=example,dc=de
>>> NS_LDAP_BINDPASSWD= secret
>>> NS_LDAP_SERVERS= ldap01
>>> NS_LDAP_SEARCH_BASEDN= dc=example,dc=de
>>> NS_LDAP_AUTH= simple
>>> NS_LDAP_SEARCH_REF= FALSE
>>> NS_LDAP_SEARCH_SCOPE= sub
>>> NS_LDAP_SEARCH_TIME= 30
>>> NS_LDAP_CACHETTL= 60
>>> NS_LDAP_PROFILE= solaris_profile
>>> NS_LDAP_CREDENTIAL_LEVEL= proxy
>>> NS_LDAP_SERVICE_SEARCH_DESC= passwd: ou=people,dc=example,dc=de?sub
>>> NS_LDAP_SERVICE_SEARCH_DESC= group: ou=groups,dc=example,dc=de?sub
>>> NS_LDAP_SERVICE_SEARCH_DESC= sudoers: ou=SUDOers,dc=example,dc=de?sub
>>>
>>> That's all I set up, it's like defaultest of the defaultest I guess :)
>>>
>>> And thanks for describing EQUALITY.
>>
>> I must admit I am not that familiar with old netscape tools, but the
>> openldap log is quite clear, there is a request for a Server Side
>> Sorting extended operation, which in fact is quite unusual. You really
>> should check Solaris 10 setup for appropriate templates, i.e. what is
>> the content of solaris_profile? By the way, AFAIR the flag for sss is
>> -F so you may check any templates, Redhat provides these in
>> /usr/share/dirsrv, Solaris might be different.
>>
>> -Dieter
>>
>> --
>> Dieter Klünter | Systemberatung
>> sip: [email protected]
>> http://www.dpunkt.de/buecher/2104.html
>> GPG Key ID:8EF7B6C6
>>
>
>
>
> --
> To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To
> be is to do -- Sartre | Do be do be do -- Sinatra
>
-- To be or not to be -- Shakespeare | To do is to be -- Nietzsche | To be is to do -- Sartre | Do be do be do -- Sinatra
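
The "serverSort control: No ordering rule" reply quoted above can be anticipated from the schema. The following is an added example, not part of the original messages and not code from OpenLDAP or Solaris: it reads attributeTypes definitions and reports, for each ldapsearch -S sort key, whether the attribute has an ORDERING matching rule of its own or through SUP. The schema lines are constructed samples, the function names are hypothetical, and it assumes the server refuses a sort key without an ORDERING rule, as the quoted error reports.

```python
import re

# Constructed sample: attributeTypes values in RFC 4512 syntax, trimmed for
# brevity. They are not read from the directory servers in this thread.
SCHEMA = [
    "( 1.3.6.1.1.1.1.0 NAME 'uidNumber' DESC 'no ORDERING rule here' "
    "EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )",
    "( 2.5.4.41 NAME 'name' EQUALITY caseIgnoreMatch "
    "SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )",
    "( 2.5.4.4 NAME ( 'sn' 'surname' ) SUP name )",
    "( 2.5.18.1 NAME 'createTimestamp' EQUALITY generalizedTimeMatch "
    "ORDERING generalizedTimeOrderingMatch "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 SINGLE-VALUE )",
]

def parse_attribute_type(definition):
    """Return (names, ordering_rule_or_None, supertype_or_None)."""
    # Drop the free-text DESC so keywords inside it are not mistaken for fields.
    body = re.sub(r"\bDESC\s+'[^']*'", "", definition)
    m = re.search(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", body)
    if not m:
        raise ValueError("attribute type without NAME: " + definition)
    names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
    ordering = re.search(r"\bORDERING\s+([\w.;-]+)", body)
    sup = re.search(r"\bSUP\s+([\w.;-]+)", body)
    return names, ordering and ordering.group(1), sup and sup.group(1)

def build_index(definitions):
    """Map every lower-cased attribute name to (ordering, supertype)."""
    index = {}
    for definition in definitions:
        names, ordering, sup = parse_attribute_type(definition)
        for name in names:
            index[name.lower()] = (ordering, sup)
    return index

def effective_ordering(index, attr):
    """Follow SUP inheritance until an ORDERING rule is found, else None."""
    seen, key = set(), attr.lower()
    while key in index and key not in seen:  # 'seen' guards against SUP loops
        seen.add(key)
        ordering, sup = index[key]
        if ordering or not sup:
            return ordering
        key = sup.lower()
    return None

def check_sort_keys(index, sort_keys):
    """For each ldapsearch -S key ('-attr' means reverse) give its ORDERING rule."""
    return {key: effective_ordering(index, key.lstrip("-")) for key in sort_keys}
```

A key that maps to None is one for which a server-side sort request would be expected to fail in the way shown for uidNumber in the thread.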
