RE: back-ldap proxying group membership lookups result in "No such attribute"
Looks like the back-ldap compare code has gotten broken somewhere along the
line. A fix is now in CVS. You should get back-ldap/compare.c from the
OPENLDAP_REL_ENG_2_1 branch to get the patch.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
http://www.symas.com http://highlandsun.com/hyc
Symas: Premier OpenSource Development and Support
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Dean
> Sent: Sunday, April 06, 2003 7:27 PM
> To: openldap-software@OpenLDAP.org
> Subject: back-ldap proxying group membership lookups result in "No such attribute"
>
> Hi
>
> I'm connecting to an OpenLDAP 2.1.17 running on Solaris which has been
> configured to proxy off to three NDS servers. At first this would only
> return values defined in the OpenLDAP schemas when I did an
> 'ldapsearch cn=username', i.e. it didn't have any of the NDS values like
> 'lockedByIntruder', 'passwordExpirationTime' etc., but when I did an
> 'ldapsearch cn=username "*"' the values were displayed but were listed
> in uppercase ('LOCKEDBYINTRUDER', 'PASSWORDEXPIRATIONTIME' etc.) and wouldn't
> show up when I did 'ldapsearch cn=username LOCKEDBYINTRUDER'.
>
> so I built an NDS schema for OpenLDAP by hand by referring to
> developer.novell.com (guessed mainly) and added a reference in slapd.conf
> (nds500.schema):
>
> #--------------------------------
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/misc.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
> include /usr/local/etc/openldap/schema/nds500.schema
>
> defaultsearchbase "o=NDS"
> idletimeout 600
>
> database ldap
> uri "ldap://nds1/o=NDS ldap://nds2/o=NDS ldap://nds3/o=NDS"
> suffix "o=NDS"
> rootdn "cn=admin,o=NDS"
> rootpw "passwd"
> lastmod off
> rebind-as-user
> #--------------------------------
>
> and now I get all the attributes that are in NDS (at least the ones we are
> interested in) but when I try to check the group membership of a user it
> doesn't work, i.e.:
>
> spinner:~ # ldapcompare -h localhost cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
> ldap_compare: No such attribute (16)
> spinner:~ # ldapcompare -h nds1 cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
> TRUE
>
> any ideas?
>
> regards
> mike
>
> ps. here's the NDS schema which is probably wrong on some level
> (built by hand to conform to openldap schema syntax)
>
> spinner:/usr/local/etc/openldap/schema 20401 # cat nds500.schema
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.25
> NAME 'groupMembership'
> DESC 'groupMembership'
> SUP distinguishedName )
>
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.39
> NAME 'loginAllowedTimeMap'
> DESC 'loginAllowedTimeMap'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.40
> NAME 'loginDisabled'
> DESC 'loginDisabled'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.41
> NAME 'loginExpirationTime'
> DESC 'loginExpirationTime'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.42
> NAME 'loginGraceLimit'
> DESC 'loginGraceLimit'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.43
> NAME 'loginGraceRemaining'
> DESC 'loginGraceRemaining'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.44
> NAME 'loginIntruderAddress'
> DESC 'loginIntruderAddress'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.45
> NAME 'loginIntruderAttempts'
> DESC 'loginIntruderAttempts'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.47
> NAME 'loginIntruderResetTime'
> DESC 'loginIntruderResetTime'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.48
> NAME 'loginMaximumSimultaneous'
> DESC 'loginMaximumSimultaneous'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.49
> NAME 'loginScript'
> DESC 'loginScript'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.5 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.50
> NAME 'loginTime'
> DESC 'loginTime'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.56
> NAME 'networkAddressRestriction'
> DESC 'networkAddressRestriction'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.55
> NAME 'networkAddress'
> DESC 'networkAddress'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.65
> NAME 'passwordsUsed'
> DESC 'passwordsUsed'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.66
> NAME 'passwordAllowChange'
> DESC 'passwordAllowChange'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.67
> NAME 'passwordExpirationInterval'
> DESC 'passwordExpirationInterval'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.68
> NAME 'passwordExpirationTime'
> DESC 'passwordExpirationTime'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.69
> NAME 'passwordMinimumLength'
> DESC 'passwordMinimumLength'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.70
> NAME 'passwordRequired'
> DESC 'passwordRequired'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.71
> NAME 'passwordUniqueRequired'
> DESC 'passwordUniqueRequired'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.82
> NAME 'privateKey'
> DESC 'privateKey'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.83
> NAME 'profile'
> DESC 'profile'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.84
> NAME 'publicKey'
> DESC 'publicKey'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.92
> NAME 'securityEquals'
> DESC 'securityEquals'
> EQUALITY distinguishedNameMatch
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.1
> NAME 'accountBalance'
> DESC 'accountBalance'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.4
> NAME 'allowUnlimitedCredit'
> DESC 'allowUnlimitedCredit'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.54
> NAME 'minimumAccountBalance'
> DESC 'minimumAccountBalance'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.34
> NAME 'language'
> DESC 'language'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.37
> NAME 'lockedByIntruder'
> DESC 'lockedByIntruder'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.96
> NAME 'serverHolds'
> DESC 'serverHolds'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.35
> NAME 'lastLoginTime'
> DESC 'lastLoginTime'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.116
> NAME 'higherPrivileges'
> DESC 'higherPrivileges'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.165
> NAME 'securityFlags'
> DESC 'securityFlags'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.171
> NAME 'profileMembership'
> DESC 'profileMembership'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype ( 2.16.840.1.113719.1.1.4.1.178
> NAME 'timezone'
> DESC 'timezone'
> SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )
>
> objectclass ( 2.16.840.1.113719.1.1.6.1.33
> NAME 'ndsLoginProperties'
> DESC 'ndsLoginProperties'
> SUP Top
> MAY ( groupMembership $ loginAllowedTimeMap $
> loginDisabled $ loginExpirationTime $
> loginGraceLimit $ loginGraceRemaining $
> loginIntruderAddress $ loginIntruderAttempts $
> loginIntruderResetTime $ loginMaximumSimultaneous $
> loginScript $ loginTime $ networkAddressRestriction $
> networkAddress $ passwordsUsed $ passwordAllowChange $
> passwordExpirationInterval $ passwordExpirationTime $
> passwordMinimumLength $ passwordRequired $
> passwordUniqueRequired $ privateKey $ profile $
> publicKey $ securityEquals $ accountBalance $
> allowUnlimitedCredit $ minimumAccountBalance $
> language $ lockedByIntruder $ serverHolds $
> lastLoginTime $ higherPrivileges $ securityFlags $
> profileMembership $ timezone ) )
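The thread's answer was a bug in back-ldap's compare code, but a hand-built schema like the one quoted above is still worth a lint pass before suspecting the server. The following Python is an added example, not code from the thread or from OpenLDAP: it parses a constructed excerpt written in the same style as nds500.schema and flags two things a practitioner would check first, attribute types that inherit no EQUALITY matching rule (slapd cannot evaluate equality filters or compares on those) and MAY references to attributes the file never defines. The BUILTIN table of core.schema rules and the regex-based parsing are assumptions of this example.

```python
import re
# Constructed excerpt in the style of the thread's hand-written nds500.schema
# (not the original file), reduced to four definitions that exercise the checks.
SCHEMA = """
attributetype ( 2.16.840.1.113719.1.1.4.1.25 NAME 'groupMembership'
    SUP distinguishedName )
attributetype ( 2.16.840.1.113719.1.1.4.1.37 NAME 'lockedByIntruder'
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.7 )
attributetype ( 2.16.840.1.113719.1.1.4.1.92 NAME 'securityEquals'
    EQUALITY distinguishedNameMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.12 )
objectclass ( 2.16.840.1.113719.1.1.6.1.33 NAME 'ndsLoginProperties'
    SUP Top MAY ( groupMembership $ lockedByIntruder $ loginDisabled ) )
"""
# EQUALITY rules of types core.schema already defines (assumed table).
BUILTIN = {"distinguishedName": "distinguishedNameMatch"}

def _field(chunk, key):
    m = re.search(rf"\b{key}\s+(\S+)", chunk)
    return m.group(1) if m else None

def parse_schema(text):
    """Split on definition keywords; return (attrs, {objectclass: MAY list})."""
    attrs, classes = {}, {}
    for chunk in filter(str.strip, re.split(r"(?m)^(?=attributetype|objectclass)", text)):
        name = re.search(r"NAME\s+'([^']+)'", chunk).group(1)
        if chunk.startswith("attributetype"):
            attrs[name] = {"sup": _field(chunk, "SUP"),
                           "equality": _field(chunk, "EQUALITY")}
        else:
            may = re.search(r"MAY\s*\((.*?)\)", chunk, re.S)
            classes[name] = [a.strip() for a in may.group(1).split("$")] if may else []
    return attrs, classes

def equality_rule(name, attrs, seen=()):
    """Resolve EQUALITY through the SUP chain; None means no rule anywhere."""
    if name is None or name in seen:
        return None
    a = attrs.get(name)
    if a is None:
        return BUILTIN.get(name)
    return a["equality"] or equality_rule(a["sup"], attrs, seen + (name,))

def lint(text):
    """Findings that make equality filters or ldapcompare fail on the proxy."""
    attrs, classes = parse_schema(text)
    out = [f"{n}: no EQUALITY rule, slapd cannot evaluate equality filters/compares"
           for n in attrs if equality_rule(n, attrs) is None]
    for oc, may in classes.items():
        out += [f"{oc}: MAY lists undefined attribute {a}"
                for a in may if a not in attrs and a not in BUILTIN]
    return out
```

Running lint over the real nds500.schema would flag most of its attribute types, since only groupMembership (via SUP) and securityEquals carry an EQUALITY rule.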