Unknown objectClass in search filter alters the filter?
- To: openldap-technical@openldap.org
- Subject: Unknown objectClass in search filter alters the filter?
- From: Marius Flage <marius@flage.org>
- Date: Tue, 24 Aug 2010 15:20:59 +0200
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; nb-NO; rv:1.9.2.8) Gecko/20100802 Lightning/1.0b2 Thunderbird/3.1.2
Hi!
How does OpenLDAP behave when it encounters a search filter with an
unknown objectClass? From what I've been able to gather, it translates
the search filter into (?objectClass=value), thus yielding the rest of
the search invalid. What can I do about this? Either just pass the
search as it is, or remove it altogether?
The reason I'm asking about this is that I'm setting up OpenLDAP as a
proxy for Active Directory. After months of researching I've discovered
that the problem lies exactly here - OpenLDAP alters the search filter
for object classes it knows nothing about.
Example:
  (|
    (&
      (objectClass=group)
      (member=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=groupOfNames)
      (member=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=groupOfUniqueNames)
      (uniqueMember=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=accessGroup)
      (member=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=univentionGroup)
      (uniqueMember=cn=username,ou=test,dc=example,dc=com)
    )
  )
Yields no entries. I've looked at the syslog (loglevel = 256) and I see
that the last two clauses have been "translated" into
"?objectClass=accessGroup" and "?objectClass=univentionGroup". But if I
then remove the last two clauses, like so...
  (|
    (&
      (objectClass=group)
      (member=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=groupOfNames)
      (member=cn=username,ou=test,dc=example,dc=com)
    )
    (&
      (objectClass=groupOfUniqueNames)
      (uniqueMember=cn=username,ou=test,dc=example,dc=com)
    )
  )
... then I get the entries I want back. Problem here is that I'm unable
to alter the search filter, since this is generated by a 3rd-party app
that I can't change, so I need to fix my OpenLDAP to let this stuff pass
through.
Any idea?
- Marius
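
A way to spot the affected clauses before a search reaches the proxy, as an added example that is not part of the original post: a small Python parser that walks an LDAP filter and lists the objectClass assertions naming classes absent from a given schema list, i.e. the clauses the poster saw logged as "?objectClass=...". The KNOWN_CLASSES set, the function names and the FILTER_FROM_POST constant are assumptions made for illustration; in practice the class list would come from the proxy's loaded schema.

```python
import re

# Assumed for illustration: object classes defined in the proxy's schema.
KNOWN_CLASSES = {"group", "groupofnames", "groupofuniquenames"}

def _parse(s, i):
    """Parse one parenthesised filter component starting at offset i."""
    if i >= len(s) or s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if i < len(s) and s[i] in "&|!":
        op, i, kids = s[i], i + 1, []
        while i < len(s) and s[i] == "(":
            kid, i = _parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = s.find(")", i)
        attr, sep, value = s[i:end].partition("=")
        if end == -1 or not sep:
            raise ValueError(f"malformed item at offset {i}")
        node, i = ("item", attr.strip(), value.strip()), end
    if i >= len(s) or s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def parse_filter(text):
    """Parse a filter into nested tuples; whitespace around parens is dropped."""
    s = re.sub(r"\s*([()])\s*", r"\1", text.strip())
    node, pos = _parse(s, 0)
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return node

def unknown_object_classes(text, known=KNOWN_CLASSES):
    """Return objectClass values in the filter that are not in `known`."""
    found = []
    def walk(node):
        if node[0] != "item":
            for kid in node[1]:
                walk(kid)
        elif node[1].lower() == "objectclass" and node[2] != "*":
            if node[2].lower() not in known:
                found.append(node[2])
    walk(parse_filter(text))
    return found

# The five-clause filter from the message, condensed onto two lines.
FILTER_FROM_POST = """(|(&(objectClass=group)(member=cn=username,ou=test,dc=example,dc=com))(&(objectClass=groupOfNames)(member=cn=username,ou=test,dc=example,dc=com))(&(objectClass=groupOfUniqueNames)(uniqueMember=cn=username,ou=test,dc=example,dc=com))
  (&(objectClass=accessGroup)(member=cn=username,ou=test,dc=example,dc=com))(&(objectClass=univentionGroup)(uniqueMember=cn=username,ou=test,dc=example,dc=com)))"""
```

Calling `unknown_object_classes(FILTER_FROM_POST)` returns the two class names from the last two clauses of the message's filter.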