
back-ldap proxying group membership lookups result in "No such attribute"




Hi

I'm connecting to an OpenLDAP 2.1.17 server running on Solaris which has been
configured to proxy off to three NDS servers. At first this would only
return values defined in the OpenLDAP schemas when I did an
'ldapsearch cn=username', i.e. it didn't have any of the NDS values like
'lockedByIntruder', 'passwordExpirationTime' etc. But when I did an
'ldapsearch cn=username "*"' the values were displayed, though listed
in uppercase ('LOCKEDBYINTRUDER', 'PASSWORDEXPIRATIONTIME' etc.), and they
still wouldn't show up when I did 'ldapsearch cn=username LOCKEDBYINTRUDER'.

so I built an NDS schema for OpenLDAP by hand, referring to developer.novell.com
(mostly guessed), and added an include for it (nds500.schema) in slapd.conf:

#--------------------------------
# slapd.conf excerpt: OpenLDAP 2.1.17 on Solaris acting as a back-ldap proxy
# in front of three NDS servers under o=NDS.
include         /usr/local/etc/openldap/schema/core.schema
include         /usr/local/etc/openldap/schema/misc.schema
include         /usr/local/etc/openldap/schema/cosine.schema
include         /usr/local/etc/openldap/schema/inetorgperson.schema
# Hand-built NDS attribute types and objectclass (listed later in the mail).
# 'member', which the failing ldapcompare below tests, is not defined in that
# file -- it comes from core.schema (groupOfNames).
include         /usr/local/etc/openldap/schema/nds500.schema

defaultsearchbase "o=NDS"
idletimeout       600

database          ldap
# Plain ldap:// to all three NDS servers: every bind the proxy forwards (and,
# with rebind-as-user, the client's own credentials) crosses the network
# unencrypted -- presumably ldaps:// or StartTLS should be used if the path to
# the NDS servers is not trusted; confirm what this NDS version supports.
# NOTE(review): the trailing ';' is not slapd.conf syntax -- presumably either
# ignored or taken as a stray extra argument; worth removing.
uri               "ldap://nds1/o=NDS ldap://nds2/o=NDS ldap://nds3/o=NDS";
suffix            "o=NDS"
rootdn            "cn=admin,o=NDS"
# Cleartext password in the config file (and now in a public list archive).
# rootpw also accepts a hashed value (e.g. the {SSHA} output of slappasswd);
# keep slapd.conf readable only by the slapd user and rotate this password.
rootpw            "passwd"
lastmod           off
# The proxy keeps the client's bind credentials so it can re-bind with them
# (per slapd-ldap(5) for 2.1, when chasing referrals) -- i.e. client passwords
# are held by the proxy for the session; confirm this is intended.
rebind-as-user
# No 'access' directives: slapd's default policy is read access for everyone.
# The NDS servers' own rights still apply to whatever identity the proxy binds
# with on the back end, so the effective policy is decided there.
#--------------------------------

and now I get all the attributes that are in NDS (at least the ones we are
interested in), but when I try to check the group membership of a user through
the proxy it doesn't work, i.e.:

spinner:~ # ldapcompare -h localhost cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
ldap_compare: No such attribute (16)
spinner:~ # ldapcompare -h nds1 cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
TRUE


any ideas?


regards
mike


PS. here's the NDS schema, which is probably wrong on some level
(built by hand to conform to OpenLDAP schema syntax):

spinner:/usr/local/etc/openldap/schema 20401 # cat nds500.schema

# nds500.schema -- hand-built OpenLDAP definitions for a subset of NDS
# attributes (OIDs under 2.16.840.1.113719.1.1.4.1.*) so that back-ldap can
# return them under their NDS names instead of dropping them.
#
# NOTE(review): apart from securityEquals, none of the attribute types below
# carry an EQUALITY (or ORDERING/SUBSTR) matching rule. slapd needs a matching
# rule to evaluate filters and compare requests on an attribute, so equality
# filters and ldapcompare against these attributes are expected to be rejected
# or evaluated as Undefined even though search returns the values -- confirm
# against the 2.1.17 build in use. 'member' (the attribute the ldapcompare in
# the mail uses) is not defined here; it comes from core.schema.
#
# Syntax OIDs used below (RFC 2252): .5 Binary, .7 Boolean, .12 DN,
# .24 GeneralizedTime, .26 IA5 String, .27 INTEGER, .40 Octet String.

# Inherits DN syntax and matching rules from distinguishedName (core.schema)
# via SUP.
attributetype   ( 2.16.840.1.113719.1.1.4.1.25
        NAME    'groupMembership'
        DESC    'groupMembership'
        SUP  distinguishedName )


# .40 = Octet String (opaque bytes).
attributetype   ( 2.16.840.1.113719.1.1.4.1.39
        NAME    'loginAllowedTimeMap'
        DESC    'loginAllowedTimeMap'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.40 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.40
        NAME    'loginDisabled'
        DESC    'loginDisabled'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.41
        NAME    'loginExpirationTime'
        DESC    'loginExpirationTime'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.42
        NAME    'loginGraceLimit'
        DESC    'loginGraceLimit'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.43
        NAME    'loginGraceRemaining'
        DESC    'loginGraceRemaining'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.44
        NAME    'loginIntruderAddress'
        DESC    'loginIntruderAddress'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.45
        NAME    'loginIntruderAttempts'
        DESC    'loginIntruderAttempts'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.47
        NAME    'loginIntruderResetTime'
        DESC    'loginIntruderResetTime'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.48
        NAME    'loginMaximumSimultaneous'
        DESC    'loginMaximumSimultaneous'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

# .5 = Binary.
attributetype   ( 2.16.840.1.113719.1.1.4.1.49
        NAME    'loginScript'
        DESC    'loginScript'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.5  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.50
        NAME    'loginTime'
        DESC    'loginTime'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.56
        NAME    'networkAddressRestriction'
        DESC    'networkAddressRestriction'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.55
        NAME    'networkAddress'
        DESC    'networkAddress'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

# Password-policy attributes: history, change/expiry settings, flags.
attributetype   ( 2.16.840.1.113719.1.1.4.1.65
        NAME    'passwordsUsed'
        DESC    'passwordsUsed'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.66
        NAME    'passwordAllowChange'
        DESC    'passwordAllowChange'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.67
        NAME    'passwordExpirationInterval'
        DESC    'passwordExpirationInterval'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.68
        NAME    'passwordExpirationTime'
        DESC    'passwordExpirationTime'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.69
        NAME    'passwordMinimumLength'
        DESC    'passwordMinimumLength'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.70
        NAME    'passwordRequired'
        DESC    'passwordRequired'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.71
        NAME    'passwordUniqueRequired'
        DESC    'passwordUniqueRequired'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

# NOTE(review): privateKey/publicKey are declared IA5 String (.26); key
# material in NDS is presumably binary -- confirm, .5 (Binary) or .40 (Octet
# String) may be the safer declaration. Also decide whether the proxy should
# expose privateKey at all, since the slapd.conf shown has no 'access' rules.
attributetype   ( 2.16.840.1.113719.1.1.4.1.82
        NAME    'privateKey'
        DESC    'privateKey'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.83
        NAME    'profile'
        DESC    'profile'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.84
        NAME    'publicKey'
        DESC    'publicKey'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

# The only attribute type in this file with an EQUALITY rule; DN syntax (.12),
# so it can be used in equality filters and compare requests.
attributetype   ( 2.16.840.1.113719.1.1.4.1.92
        NAME    'securityEquals'
        DESC    'securityEquals'
        EQUALITY distinguishedNameMatch
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.12 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.1
        NAME    'accountBalance'
        DESC    'accountBalance'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.4
        NAME    'allowUnlimitedCredit'
        DESC    'allowUnlimitedCredit'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.54
        NAME    'minimumAccountBalance'
        DESC    'minimumAccountBalance'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.34
        NAME    'language'
        DESC    'language'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

# Intruder-lockout flag (Boolean); one of the attributes the mail mentions as
# missing from plain searches before this schema was added.
attributetype   ( 2.16.840.1.113719.1.1.4.1.37
        NAME    'lockedByIntruder'
        DESC    'lockedByIntruder'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.96
        NAME    'serverHolds'
        DESC    'serverHolds'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.35
        NAME    'lastLoginTime'
        DESC    'lastLoginTime'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.116
        NAME    'higherPrivileges'
        DESC    'higherPrivileges'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.165
        NAME    'securityFlags'
        DESC    'securityFlags'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.171
        NAME    'profileMembership'
        DESC    'profileMembership'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

attributetype   ( 2.16.840.1.113719.1.1.4.1.178
        NAME    'timezone'
        DESC    'timezone'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )

# Objectclass that allows (MAY) every attribute type defined above. No KIND is
# given, so it defaults to STRUCTURAL; no MUST attributes.
objectclass     ( 2.16.840.1.113719.1.1.6.1.33
   NAME 'ndsLoginProperties'
   DESC 'ndsLoginProperties'
   SUP Top
   MAY ( groupMembership $ loginAllowedTimeMap $
         loginDisabled $ loginExpirationTime $
         loginGraceLimit $ loginGraceRemaining $
         loginIntruderAddress $ loginIntruderAttempts $
         loginIntruderResetTime $ loginMaximumSimultaneous $
         loginScript $ loginTime $ networkAddressRestriction $
         networkAddress $ passwordsUsed $ passwordAllowChange $
         passwordExpirationInterval $ passwordExpirationTime $
         passwordMinimumLength $ passwordRequired $
         passwordUniqueRequired  $ privateKey $ profile $
         publicKey $ securityEquals $ accountBalance $
         allowUnlimitedCredit $ minimumAccountBalance $
         language $ lockedByIntruder $ serverHolds $
         lastLoginTime $ higherPrivileges $ securityFlags $
         profileMembership $ timezone ) )