On 05.06.14 15:22, Howard Chu wrote: > Charles Bueche wrote: >>> On the other side, what do you mean with "define a module that >>> registers >>> a dummy matching rule with that OID" ? >>> Is this a module like back_meta, rwn and friends ? Do you have any >>> pointer like a dummy module to show where to begin ? >>> >>> As you see, I'm pretty much at the beginning of the learning curve >>> and I >>> am very happy to get your help. >>> >>> Regards, >>> Charles >> >> ok, it did cost me a lot of brain power, but I do have a workaround. I >> mention it here because I'm quite sure someone else will hit the same >> problem one day. >> >> 1. the recursive search filter passed to the proxy should use a filter >> supported by the proxy, eg >> >> filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)' >> >> >> 2. the proxy gasp it, accept it, and pass it to the rewrite module >> >> 3. use a rewrite rule to massage the filter: >> >> rewriteRule >> "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch" >> "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch" >> ":" >> >> back_meta then pass the rewritten filter to the back-end AD. > > Nice work. > >> To the developers: as mentioned by Pierangelo above, it should be >> possible to disable the filter sanity check when it is passed to a LDAP >> back-end. If the filter is insane, the back-end will complain soon >> enough. > > That will never be done. The docs clearly state that when operating as > a proxy, slapd must have schema definitions for anything passing > through it.
After all the musings into doc, code and debug log, this is now more clear. What I still don't understand is why including a schema with the desired OIDs is not enough to make them ok for filtering. > Many sites use OpenLDAP as a frontend proxy specifically because these > sanity checks protect their backend servers (that are from other > vendors and more fragile). I can well understand your position. > > Pierangelo already gave the right answer here - write a piece of C > code that registers OIDs for the matching rules you want and load it > as a dynamic module. There are many modules in contrib/slapd-modules > in the source tree. thanks for the pointer. The last time I wrote C code was probably around 1992 or so... I will check what I can do, but as said, the learning curve (especially understanding the openldap code, libs and layers) is steep, even with the examples. Anyway, as soon as I get some time to do something, I will have a go. As I undertand, the slapd-modules/dsaschema is probably close to what I need. Anyway it's great to have your support within this list, thx again ! Charles
