Hi
I've run into a problem trying to deploy back-meta in front of an Active Directory target.
I believe that to resolve it, I need to get a new option implemented.
I need to issue a request through a back-meta proxy. That query happens to contain a matching rule which is not implemented in OpenLDAP, so slapd does not know how to evaluate the query. The target that the query will ultimately be passed on to (an Active Directory) does know how to process the query, though. OpenLDAP, however, considers the filter to be "undefined" and thus, on relaying the request to the AD target, back-meta replaces a portion of the original query with a "(?=undefined)" filter, as documented in e.g. the slapd-meta manpage, "noundeffilter" option.
But I need the original query to be passed on. It's in fact a _valid_ LDAP request, just OpenLDAP happens to be unable to parse it.
But at least in my setup, slapd does not have to do _anything_ about the query other than to pass it on, so I find it unacceptable that it replaces the query just because it doesn't understand it.
Please, can you add an option switch to the code to allow for passing on original queries *without* replacing undefined portions?
I have not found any other solution to my problem. I tried to make OpenLDAP aware of the undefined portion by adding the matching rule to the schema, but I failed. Seems that would need to be planted into the code, and not being a programmer, that's not as easy as it is with expanding the schema by some new attributes.
Also, while of course any parser/feature enhancement will always be appreciated, I would think that to implement the matching rule is not the best way of fixing things: I believe there will always be situations where OpenLDAP cannot parse the input while another LDAP server can.
For a proof of concept, I hacked servers/slapd/back-meta/map.c (around line 581 as of 2.4.39), but - again, I'm not a programmer - I feel incapable of turning this into a full-blown patch free of side effects; also, I want the modification to become available to anyone.
So I'm hoping for you to implement the switch mentioned above, maybe as a third possible setting for the "noundeffilter" option.
Thanks a lot in advance,
best regards
Markus Storm