Hi list, First off, best wishes for 2014. I've been looking into the deref control that was pointed out here (in the Oracle OpenLDAP PPolicy ppolicy and the hierarchy thread). With some trail and error I got things working so I thought to document what I did in the hopes that it may be useful for other people wanting to use this control. First of all, get a slapd instance running with the deref overlay. With older versions (at least 2.4.31) it was sufficient to load the module to have the relevant control being shown in the root DSE. However, due to ITS#7436 this didn't actually do anything. With later slapd versions (at least 2.4.38) loading the overlay apparently isn't sufficient but you have to also configure it for each database: dn: olcOverlay={1}deref,olcDatabase={1}bdb,cn=config objectClass: olcOverlayConfig olcOverlay: {1}deref In terms of using the API you have to first create a control with ldap_create_deref_control() and pass it along with ldap_search_ext(). After the call to search, free the control again with ldap_control_free(). The control is built up of an array of LDAPDerefSpec structs that contains the attribute name that contains the link and a list of attributes to retrieve from the linked entry (just like you would pass to ldap_search()). A bump in the road here was that ldap_create_deref_control() was broken (reported earlier and already fixed in Git) but ldap_create_deref_control_value() seems to work. Any response entries will have a control available that can be extracted with ldap_get_entry_controls() and parsed with ldap_parse_derefresponse_control() (and freed with ldap_derefresponse_free()). The returned control data is a linked list of LDAPDerefRes structs, one per link attribute value. Each struct contains the attribute name, the original value and a linked list of LDAPDerefVal structs. The DerefVal structs contain per requested attribute from the linked entry (if the entry has the attribute) the attribute name and a list of values. This has been implemented in the development branch of nss-pam-ldapd and will probably land in the next 0.9 release. - adding the request control: http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=547e4792c580b67ec14595e23a08836825424171 - parsing the response control information: http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=c973834328baa69dbd3352182431421b2b9a2319 - complete functionality (merge commit): http://arthurdejong.org/git/nss-pam-ldapd/commit/?id=c6c317ec9efb8190bdc1834091c4761b60637e7f Hope this is helpful for someone. -- -- arthur - arthur@arthurdejong.org - http://arthurdejong.org/ --
Attachment:
signature.asc
Description: This is a digitally signed message part