
RE: back-ldap proxying group membership lookups result in "No such attribute"



Looks like the back-ldap compare code has gotten broken somewhere along the
line. A fix is now in CVS. You should get back-ldap/compare.c from the
OPENLDAP_REL_ENG_2_1 branch to get the patch.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support

> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Michael Dean
> Sent: Sunday, April 06, 2003 7:27 PM
> To: openldap-software@OpenLDAP.org
> Subject: back-ldap proxying group membership lookups result in "No such attribute"
>
>
>
>
> Hi
>
> I'm connecting to an OpenLDAP 2.1.17 server running on Solaris which has
> been configured to proxy off to three NDS servers. At first this would only
> return values defined in the OpenLDAP schemas when I did an
> 'ldapsearch cn=username', i.e. it didn't have any of the NDS values like
> 'lockedByIntruder', 'passwordExpirationTime' etc., but when I did an
> 'ldapsearch cn=username "*"' the values were displayed but were listed
> in uppercase ('LOCKEDBYINTRUDER', 'PASSWORDEXPIRATIONTIME' etc.) and
> wouldn't show up when I did 'ldapsearch cn=username LOCKEDBYINTRUDER'.
>
> So I built an NDS schema for OpenLDAP by hand by referring to
> developer.novell.com (guessed mainly) and added a reference in slapd.conf
> (nds500.schema):
>
> #--------------------------------
> include         /usr/local/etc/openldap/schema/core.schema
> include         /usr/local/etc/openldap/schema/misc.schema
> include         /usr/local/etc/openldap/schema/cosine.schema
> include         /usr/local/etc/openldap/schema/inetorgperson.schema
> include         /usr/local/etc/openldap/schema/nds500.schema
>
> defaultsearchbase "o=NDS"
> idletimeout       600
>
> database          ldap
> uri               "ldap://nds1/o=NDS ldap://nds2/o=NDS ldap://nds3/o=NDS"
> suffix            "o=NDS"
> rootdn            "cn=admin,o=NDS"
> rootpw            "passwd"
> lastmod           off
> rebind-as-user
> #--------------------------------
>
> and now I get all the attributes that are in NDS (at least the ones we are
> interested in), but when I try to check the group membership of a user it
> doesn't work, i.e.:
>
> spinner:~ # ldapcompare -h localhost cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
> ldap_compare: No such attribute (16)
> spinner:~ # ldapcompare -h nds1 cn=thisgroup,o=NDS member:cn=DeanMW,o=NDS
> TRUE
>
>
> Any ideas?
>
>
> regards
> mike
>
>
> PS: here's the NDS schema, which is probably wrong on some level
> (built by hand to conform to OpenLDAP schema syntax):
>
> spinner:/usr/local/etc/openldap/schema 20401 # cat nds500.schema
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.25
>         NAME    'groupMembership'
>         DESC    'groupMembership'
>         SUP  distinguishedName )
>
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.39
>         NAME    'loginAllowedTimeMap'
>         DESC    'loginAllowedTimeMap'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.40 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.40
>         NAME    'loginDisabled'
>         DESC    'loginDisabled'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.41
>         NAME    'loginExpirationTime'
>         DESC    'loginExpirationTime'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.42
>         NAME    'loginGraceLimit'
>         DESC    'loginGraceLimit'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.43
>         NAME    'loginGraceRemaining'
>         DESC    'loginGraceRemaining'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.44
>         NAME    'loginIntruderAddress'
>         DESC    'loginIntruderAddress'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.45
>         NAME    'loginIntruderAttempts'
>         DESC    'loginIntruderAttempts'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.47
>         NAME    'loginIntruderResetTime'
>         DESC    'loginIntruderResetTime'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.48
>         NAME    'loginMaximumSimultaneous'
>         DESC    'loginMaximumSimultaneous'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.49
>         NAME    'loginScript'
>         DESC    'loginScript'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.5  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.50
>         NAME    'loginTime'
>         DESC    'loginTime'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.56
>         NAME    'networkAddressRestriction'
>         DESC    'networkAddressRestriction'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.55
>         NAME    'networkAddress'
>         DESC    'networkAddress'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.65
>         NAME    'passwordsUsed'
>         DESC    'passwordsUsed'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.66
>         NAME    'passwordAllowChange'
>         DESC    'passwordAllowChange'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.67
>         NAME    'passwordExpirationInterval'
>         DESC    'passwordExpirationInterval'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.68
>         NAME    'passwordExpirationTime'
>         DESC    'passwordExpirationTime'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.69
>         NAME    'passwordMinimumLength'
>         DESC    'passwordMinimumLength'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.27 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.70
>         NAME    'passwordRequired'
>         DESC    'passwordRequired'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.71
>         NAME    'passwordUniqueRequired'
>         DESC    'passwordUniqueRequired'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.82
>         NAME    'privateKey'
>         DESC    'privateKey'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.83
>         NAME    'profile'
>         DESC    'profile'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.84
>         NAME    'publicKey'
>         DESC    'publicKey'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.92
>         NAME    'securityEquals'
>         DESC    'securityEquals'
>         EQUALITY distinguishedNameMatch
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.12 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.1
>         NAME    'accountBalance'
>         DESC    'accountBalance'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.4
>         NAME    'allowUnlimitedCredit'
>         DESC    'allowUnlimitedCredit'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.54
>         NAME    'minimumAccountBalance'
>         DESC    'minimumAccountBalance'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.34
>         NAME    'language'
>         DESC    'language'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.37
>         NAME    'lockedByIntruder'
>         DESC    'lockedByIntruder'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.96
>         NAME    'serverHolds'
>         DESC    'serverHolds'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.35
>         NAME    'lastLoginTime'
>         DESC    'lastLoginTime'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.24 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.116
>         NAME    'higherPrivileges'
>         DESC    'higherPrivileges'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.165
>         NAME    'securityFlags'
>         DESC    'securityFlags'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.171
>         NAME    'profileMembership'
>         DESC    'profileMembership'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> attributetype   ( 2.16.840.1.113719.1.1.4.1.178
>         NAME    'timezone'
>         DESC    'timezone'
>         SYNTAX  1.3.6.1.4.1.1466.115.121.1.26 )
>
> objectclass     ( 2.16.840.1.113719.1.1.6.1.33
>    NAME 'ndsLoginProperties'
>    DESC 'ndsLoginProperties'
>    SUP Top
>    MAY ( groupMembership $ loginAllowedTimeMap $
>          loginDisabled $ loginExpirationTime $
>          loginGraceLimit $ loginGraceRemaining $
>          loginIntruderAddress $ loginIntruderAttempts $
>          loginIntruderResetTime $ loginMaximumSimultaneous $
>          loginScript $ loginTime $ networkAddressRestriction $
>          networkAddress $ passwordsUsed $ passwordAllowChange $
>          passwordExpirationInterval $ passwordExpirationTime $
>          passwordMinimumLength $ passwordRequired $
>          passwordUniqueRequired  $ privateKey $ profile $
>          publicKey $ securityEquals $ accountBalance $
>          allowUnlimitedCredit $ minimumAccountBalance $
>          language $ lockedByIntruder $ serverHolds $
>          lastLoginTime $ higherPrivileges $ securityFlags $
>          profileMembership $ timezone ) )
>
>
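The hand-built nds500.schema above is the kind of file a practitioner would want to lint before loading it into slapd: most of its attributetypes carry a SYNTAX but no EQUALITY rule, and in OpenLDAP an attribute with no equality matching rule (own or inherited via SUP) cannot be used in an equality filter or in ldapcompare. The following schema linter is an added example written for this page; it is not OpenLDAP code and does not diagnose the back-ldap compare bug Howard fixed (the `member` attribute in the ldapcompare above comes from core.schema, not from this file). It assumes a hand-copied subset of core.schema (`CORE_ATTRS`, here only `distinguishedName`) for SUP resolution, and its sample input is an excerpt of the posted schema plus a constructed objectclass whose MAY list names `timezone`, which the excerpt deliberately leaves undefined.

```python
"""Lint a hand-written OpenLDAP schema file.

Added example (not OpenLDAP code): parses RFC 2252-style `attributetype`
and `objectclass` definitions such as those in nds500.schema and reports
attributes that lack an effective EQUALITY rule or use an unknown SYNTAX,
duplicate OIDs, and dangling references from objectclass MUST/MAY lists.
"""
import re

# Syntax OIDs (RFC 2252) used by the schema on the page.
KNOWN_SYNTAXES = {
    "1.3.6.1.4.1.1466.115.121.1.5": "Binary",
    "1.3.6.1.4.1.1466.115.121.1.7": "Boolean",
    "1.3.6.1.4.1.1466.115.121.1.12": "DN",
    "1.3.6.1.4.1.1466.115.121.1.24": "GeneralizedTime",
    "1.3.6.1.4.1.1466.115.121.1.26": "IA5String",
    "1.3.6.1.4.1.1466.115.121.1.27": "Integer",
    "1.3.6.1.4.1.1466.115.121.1.40": "OctetString",
}

# Hand-copied subset of core.schema that a custom schema may name as SUP
# (assumption for this example; extend with whatever your site inherits from).
CORE_ATTRS = {
    "distinguishedName": {"sup": None, "equality": "distinguishedNameMatch",
                          "syntax": "1.3.6.1.4.1.1466.115.121.1.12"},
}

DEF_START = re.compile(r"\b(attributetype|objectclass)\s*\(", re.IGNORECASE)


def split_definitions(text):
    """Return [(kind, body)] for each top-level `kind ( body )` block.

    Parentheses are counted so a nested `MAY ( a $ b )` list does not end the
    enclosing objectclass early; an unbalanced file raises ValueError.
    """
    defs, pos = [], 0
    while True:
        m = DEF_START.search(text, pos)
        if not m:
            return defs
        start = m.end()
        depth, j = 1, start
        while depth and j < len(text):
            depth += {"(": 1, ")": -1}.get(text[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced parentheses in %s at offset %d"
                             % (m.group(1), m.start()))
        defs.append((m.group(1).lower(), text[start:j - 1]))
        pos = j


def _field(body, key):
    """Value of a single-token keyword field such as NAME 'x' or SYNTAX 1.2.3."""
    m = re.search(r"\b%s\s+'?([\w.-]+)'?" % key, body)
    return m.group(1) if m else None


def parse_attribute(body):
    """Pull the fields this lint cares about from an attributetype body."""
    return {"oid": body.split()[0], "name": _field(body, "NAME"),
            "sup": _field(body, "SUP"), "equality": _field(body, "EQUALITY"),
            "syntax": _field(body, "SYNTAX")}


def parse_objectclass(body):
    """Return the class name and every attribute named under MUST/MAY."""
    refs = []
    for key in ("MUST", "MAY"):
        m = re.search(r"\b%s\s*(?:\(([^)]*)\)|([\w.-]+))" % key, body)
        if m:
            refs += [t.strip() for t in (m.group(1) or m.group(2)).split("$")]
    return {"name": _field(body, "NAME"), "refs": refs}


def resolve(attr, attrs):
    """Walk the SUP chain to find the effective EQUALITY rule and SYNTAX."""
    eq, syn, cur, seen = attr["equality"], attr["syntax"], attr, set()
    while (eq is None or syn is None) and cur and cur.get("sup"):
        sup = cur["sup"]
        if sup in seen:          # inheritance loop: stop, report as unresolved
            break
        seen.add(sup)
        cur = attrs.get(sup) or CORE_ATTRS.get(sup)
        if cur is None:          # SUP names an attribute nobody defines
            break
        eq = eq or cur.get("equality")
        syn = syn or cur.get("syntax")
    return eq, syn


def lint_schema(text):
    """Return a list of findings (strings) for the schema text; [] means clean."""
    findings, attrs, classes, oids = [], {}, [], {}
    for kind, body in split_definitions(text):
        if kind == "attributetype":
            a = parse_attribute(body)
            if a["oid"] in oids:
                findings.append("%s: OID %s already used by %s"
                                % (a["name"], a["oid"], oids[a["oid"]]))
            oids[a["oid"]] = a["name"]
            attrs[a["name"]] = a
        else:
            classes.append(parse_objectclass(body))
    for name, a in attrs.items():
        eq, syn = resolve(a, attrs)
        if syn is None:
            findings.append("%s: no SYNTAX (own or inherited)" % name)
        elif syn not in KNOWN_SYNTAXES:
            findings.append("%s: unknown SYNTAX OID %s" % (name, syn))
        if eq is None:
            findings.append("%s: no EQUALITY rule (own or inherited); equality "
                            "filters and ldapcompare on it are undefined" % name)
    for oc in classes:
        for ref in oc["refs"]:
            if ref not in attrs and ref not in CORE_ATTRS:
                findings.append("%s: MUST/MAY references undefined attribute '%s'"
                                % (oc["name"], ref))
    return findings


# Excerpt of the schema posted on the page, plus a constructed objectclass
# whose MAY list names 'timezone', which this excerpt deliberately omits.
SAMPLE_SCHEMA = """
attributetype   ( 2.16.840.1.113719.1.1.4.1.25
        NAME    'groupMembership'
        DESC    'groupMembership'
        SUP  distinguishedName )

attributetype   ( 2.16.840.1.113719.1.1.4.1.40
        NAME    'loginDisabled'
        DESC    'loginDisabled'
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.7  )

attributetype   ( 2.16.840.1.113719.1.1.4.1.92
        NAME    'securityEquals'
        DESC    'securityEquals'
        EQUALITY distinguishedNameMatch
        SYNTAX  1.3.6.1.4.1.1466.115.121.1.12 )

objectclass     ( 2.16.840.1.113719.1.1.6.1.33
   NAME 'ndsLoginProperties'
   DESC 'ndsLoginProperties'
   SUP Top
   MAY ( groupMembership $ loginDisabled $ securityEquals $ timezone ) )
"""

if __name__ == "__main__":
    for line in lint_schema(SAMPLE_SCHEMA):
        print(line)
```

On the sample, `groupMembership` passes because it inherits `distinguishedNameMatch` through `SUP distinguishedName`, `securityEquals` passes on its own EQUALITY, while `loginDisabled` is reported for having no matching rule and `ndsLoginProperties` for referencing the undefined `timezone`. Run against the full nds500.schema above, every attributetype except `groupMembership` and `securityEquals` would get the EQUALITY finding.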