Charles Bueche wrote:
On the other side, what do you mean with "define a module that registers
a dummy matching rule with that OID" ?
Is this a module like back_meta, rwn and friends ? Do you have any
pointer like a dummy module to show where to begin ?
As you see, I'm pretty much at the beginning of the learning curve and I
am very happy to get your help.
Regards,
Charles
ok, it did cost me a lot of brain power, but I do have a workaround. I
mention it here because I'm quite sure someone else will hit the same
problem one day.
1. the recursive search filter passed to the proxy should use a filter
supported by the proxy, eg
filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'
2. the proxy gasp it, accept it, and pass it to the rewrite module
3. use a rewrite rule to massage the filter:
rewriteRule
"RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
"memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
":"
back_meta then pass the rewritten filter to the back-end AD.
Nice work.
To the developers: as mentioned by Pierangelo above, it should be
possible to disable the filter sanity check when it is passed to a LDAP
back-end. If the filter is insane, the back-end will complain soon enough.
That will never be done. The docs clearly state that when operating as a
proxy, slapd must have schema definitions for anything passing through it.
Many sites use OpenLDAP as a frontend proxy specifically because these sanity
checks protect their backend servers (that are from other vendors and more
fragile).
Pierangelo already gave the right answer here - write a piece of C code that
registers OIDs for the matching rules you want and load it as a dynamic
module. There are many modules in contrib/slapd-modules in the source tree.
Thanks for writing this great software !
Charles
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
