On 05.06.14 20:44, Pierangelo Masarati wrote:
> On 06/05/2014 01:54 PM, Charles Bueche wrote:
>>
>> On 04.06.14 15:14, Charles Bueche wrote:
>>> On 03.06.14 16:52, Pierangelo Masarati wrote:
>>>> On 06/03/2014 04:23 PM, Charles Bueche wrote:
>>>>> Hi,
>>>>>
>>>>> I'm running the latest openldap stable 2.4.39 on Ubuntu.
>>>>> My openldap server is configured as an LDAP proxy to MS-AD using
>>>>> back-meta. It works nicely, as long as I don't use OIDs in filters.
>>>>>
>>>>> Specifically, I need LDAP_MATCHING_RULE_IN_CHAIN
>>>>> (http://msdn.microsoft.com/en-us/library/aa746475(v=vs.85).aspx) to
>>>>> search recursive groups in MS-AD.
>>>>>
>>>>> If I use that special filter directly against AD, I get my group list.
>>>>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>>>>
>>>>> Or if I use a "normal" filter across my proxy, I get my group list as
>>>>> well.
>>>>> filter='(memberOf=cn=gs-msp-report,OU=Customers,DC=ad,DC=stuff,DC=ch)'
>>>>>
>>>>> BROKEN: If I use the special filter across my LDAP proxy's back-meta, I
>>>>> get no results and filter="(?=undefined)" in my debug log.
>>>>> filter='(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)'
>>>>>
>>>>> So my guess is that my filter syntax with OID is not accepted by
>>>>> back-meta.
>>>>>
>>>>> When using -d -1, I see this:
>>>>>
>>>>> ...
>>>>> 538dd110 begin get_filter
>>>>> 538dd110 EXTENSIBLE
>>>>> ...
>>>>> 538dd110 end get_filter 0
>>>>> 538dd110 filter: (?=undefined)
>>>>> ...
>>>>>
>>>>> I have looked at the code of openldap-2.4.39/servers/slapd/filter.c but
>>>>> I don't really see what's wrong.
>>>> Without looking at the code, I think OpenLDAP's slapd doesn't like
>>>> filters with unknown OIDs, that's it. The request doesn't even get to
>>>> back-meta.
>>>>
>>>> On a side note, since the filter is supposed to be passed through to
>>>> the remote server, slapd should not worry about it; however, AFAIK
>>>> there's no way, so far, to disable such a check. The easiest way is to
>>>> define a module that registers a dummy matching rule with that OID,
>>>> although it won't likely be that straightforward.
>>>>
>>>> p.
>>>>
>>> Hi Pierangelo and list,
>>>
>>> thanks for your answer, I'm very unsure now how to continue. I studied
>>> the code of get_filter() and get_mra() without really understanding at
>>> what point my filter is classified as invalid.
>>>
>>> The idea is to implement a workaround in the form of a list of
>>> white-listed OIDs (only 4 are needed from
>>> http://msdn.microsoft.com/en-us/library/cc223367.aspx); where should I
>>> put this in the code?
>>>
>>> I do compile my own openldap package anyway, so I can well put some
>>> #ifdef around this, at least to be able to continue my project. I'm now
>>> stopped by this problem and as usual I do have to deliver rsn.
>>>
>>> On the other side, what do you mean with "define a module that registers
>>> a dummy matching rule with that OID"?
>>> Is this a module like back_meta, rwm and friends? Do you have any
>>> pointer like a dummy module to show where to begin?
>>>
>>> As you see, I'm pretty much at the beginning of the learning curve and I
>>> am very happy to get your help.
>>>
>>> Regards,
>>> Charles
>>
>> OK, it did cost me a lot of brain power, but I do have a workaround. I
>> mention it here because I'm quite sure someone else will hit the same
>> problem one day.
>>
>> 1. the recursive search filter passed to the proxy should use a filter
>> supported by the proxy, e.g.
>>
>> filter='(RecursiveMemberOf=cn=ls-msp-app2,OU=App,DC=extra,DC=proxy,DC=stuff,DC=ch)'
>>
>> 2. the proxy grasps it, accepts it, and passes it to the rewrite module
>>
>> 3. use a rewrite rule to massage the filter:
>>
>> rewriteRule
>> "RecursiveMemberOf=cn=(.*),dc=extra,dc=proxy,dc=stuff,dc=ch"
>> "memberOf:1.2.840.113556.1.4.1941:=cn=%1,dc=ad,dc=stuff,dc=ch"
>> ":"
>>
>> back_meta then passes the rewritten filter to the back-end AD.
>>
>> To the developers: as mentioned by Pierangelo above, it should be
>> possible to disable the filter sanity check when it is passed to an LDAP
>> back-end. If the filter is insane, the back-end will complain soon
>> enough.
>
> This does the trick in your specific case; you should be able to
> modify it to add more matching rule definitions.

Hi Pierangelo,

Thanks for the code. I have been able to compile and install it, and load it in my slapd.conf. I see as well it's loaded in the debug output.

5391911a line 36 (moduleload mr_passthru.so)
5391911a loaded module mr_passthru.so
5391911a register_matching_rule: passthru : 0 (that's from a new DEBUG call I added)
5391911a module mr_passthru.so: null module registered

However, my recursive filter search still fails, I still get "filter: (?=undefined" and the filter is still recognized as EXTENSIBLE. My filter is
"(memberOf:1.2.840.113556.1.4.1941:=cn=ls-msp-app1,OU=App,DC=ad,DC=stuff,DC=ch)"

Looking at the code, I somewhat understand mr_passthru_initialize(), but then what is the role of okMatch(), which is never used? I think I do miss something important, but not sure what.

Thanks again for your help!
Charles
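To make the two behaviours discussed in this thread testable offline, here is an added Python sketch (not code from the thread, from Pierangelo's module, or from OpenLDAP): the front-end check that turns a filter using an unknown matching-rule OID into "(?=undefined)", and Charles's rwm rewriteRule as a regex substitution. The OIDs ending in .803 and .804, the case-insensitive matching, and the function names are this example's assumptions.

```python
import re

# AD matching-rule OIDs (msdn cc223367). Only 1.2.840.113556.1.4.1941
# (LDAP_MATCHING_RULE_IN_CHAIN) is quoted in the thread; 803 and 804 are
# assumed from the same Microsoft list.
KNOWN_MATCHING_RULES = {
    "1.2.840.113556.1.4.803": "LDAP_MATCHING_RULE_BIT_AND",
    "1.2.840.113556.1.4.804": "LDAP_MATCHING_RULE_BIT_OR",
    "1.2.840.113556.1.4.1941": "LDAP_MATCHING_RULE_IN_CHAIN",
}

# One RFC 4515 extensible-match item of the form (attr:ruleOID:=value).
_EXTENSIBLE = re.compile(
    r"\((?P<attr>[A-Za-z][\w;-]*):(?P<rule>[\w.]+):=(?P<value>[^()]*)\)")


def undefined_rules(filt, known=KNOWN_MATCHING_RULES):
    """Matching-rule OIDs in `filt` that the proxy has no definition for.

    slapd's get_filter() replaces such an item with '(?=undefined)', the
    string seen in the thread's -d -1 output, so a non-empty result means
    the search returns nothing before back-meta ever sees it."""
    return sorted({m.group("rule") for m in _EXTENSIBLE.finditer(filt)
                   if m.group("rule") not in known})


# The thread's rwm rewriteRule as a Python regex. [^()]* instead of .*
# keeps the capture inside one filter item when several appear in one
# (&...) or (|...). Case-insensitive matching is an assumption of this
# example so that 'DC=' and 'dc=' are both rewritten.
_RECURSIVE_MEMBEROF = re.compile(
    r"RecursiveMemberOf=cn=([^()]*),dc=extra,dc=proxy,dc=stuff,dc=ch",
    re.IGNORECASE)
_AD_CHAIN_MATCH = r"memberOf:1.2.840.113556.1.4.1941:=cn=\1,dc=ad,dc=stuff,dc=ch"


def rewrite_filter(filt):
    """Turn the proxy-only RecursiveMemberOf item into AD's chain match."""
    return _RECURSIVE_MEMBEROF.sub(_AD_CHAIN_MATCH, filt)


def proxy_filter(filt, known=KNOWN_MATCHING_RULES):
    """Filter the AD back-end receives: the front-end check first, then
    the rewrite, which is the order the thread describes."""
    if undefined_rules(filt, known):
        return "(?=undefined)"
    return rewrite_filter(filt)
```

Run the BROKEN filter from the thread through proxy_filter with known={} to reproduce the "(?=undefined)" result, and with the default table to see it pass unchanged.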
