Re: questions on overlay sssvlv
- To: openldap-technical@openldap.org
- Subject: Re: questions on overlay sssvlv
- From: Nicolas RENAULT <nicolas_renault@yahoo.fr>
- Date: Thu, 13 Nov 2014 10:15:07 +0100
- In-reply-to: <5459F06A.2070906@symas.com>
- References: <5459ED48.4090202@yahoo.fr> <5459F06A.2070906@symas.com>
- User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:31.0) Gecko/20100101 Thunderbird/31.2.0
On 05/11/2014 10:39, Howard Chu wrote:
> Nicolas RENAULT wrote:
>> Hello,
>> I already posted some questions about this but without success, perhaps
>> because I made a mistake and replied in another question thread.
>> So I am restarting here.
>> Testing environment, so I can do whatever I want.
>> OpenLDAP 2.4.40 built on openSUSE 13.1.
>> I am trying to make an LDAP proxy, using meta to relay information from
>> one AD, one eDirectory and one OpenLDAP (just using OpenLDAP for now).
>> I created a database to hold locally the root "dc=example,dc=fr" and the
>> first-level OUs: "ou=TOUT,dc=example,dc=fr", "ou=TEST,dc=example,dc=fr"
>> I bind the OpenLDAP to "ou=LDAP,ou=TOUT,dc=example,dc=fr"
>> I added users in the local OU "TEST".
>> Simple requests work without problem (on "TEST" and on "TOUT").
>> I activated sssvlv in slapd.conf (because of meta)
>
> back-meta supports dynamic config; this is not a reason to use
> slapd.conf.
>
>> globally (i.e. before the statement for the meta database)
>> overlay sssvlv
>> just this line.
>> When I try this search:
>> ldapsearch -E 'sss=displayName' -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=TEST,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
>> I get the user list sorted by display name (they are local users).
>> When I try this:
>> ldapsearch -E 'sss=displayName' -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -b "ou=LDAP,ou=TOUT,dc=example,dc=fr" -w xxxx -s sub "(&(objectClass=user)(displayName=ag*))" displayName
>> I get this:
>> # extended LDIF
>> #
>> # LDAPv3
>> # base <ou=LDAP,ou=TOUT,dc=example,dc=fr> with scope subtree
>> # filter: (&(objectClass=user)(displayName=ag*))
>> # requesting: displayName
>> # with server side sorting control
>> #
>> # search result
>> search: 2
>> result: 0 Success
>> control: 1.2.840.113556.1.4.474 false MAMKAQA=
>> sortResult: (0) Success
>> # numResponses: 1
>> I understand that the request has been successful but without any
>> results?
>> Any idea?
>> I'm thinking of a problem with:
>> * bad place for "overlay sssvlv" in slapd.conf (actually it is placed
>> just after the moduleload section and just before the ACL statements)
>
> Then test with the overlay moved somewhere else.

Tried lots of places with no luck.

>> * problem with attribute remapping when querying the remote LDAP
>
> Then test without remapping.

Tested with this slapd.conf:

include /etc/openldap/schema/contrib/MySchema.schema
defaultsearchbase dc=example,dc=fr
pidfile /usr/local/var/openldap-run/slapd.pid
argsfile /usr/local/var/openldap-run/slapd.args
loglevel 256
access to *
        by self write
        by * read
# The rootdn is not subject to any limits.
limits * size=10000
sizelimit 40000
###################
# Open LDAP #
###################
database meta
suffix "dc=example,dc=fr"
rootdn "cn=Manager,dc=example,dc=fr"
rootpw "123"
network-timeout 5
timeout 10
bind-timeout 100000
sizelimit 40000
overlay sssvlv
uri "ldaps://<IP>:636/dc=example,dc=fr"
lastmod off
idassert-bind bindmethod=simple
        binddn="cn=adm,dc=example,dc=fr" credentials="xxxxxxxx" mode=none
idassert-authzFrom "dn.regex:.*"

-----------------------------------------------------------------------

ldapsearch -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -w 123 -b "dc=example,dc=fr" "(&(objectClass=*)(cn=test*))" displayName

Without sort: OK, I see 4 users.

ldapsearch -H ldap://localhost -x -D "cn=Manager,dc=example,dc=fr" -w 123 -b "dc=example,dc=fr" -E "sss=displayName" "(&(objectClass=*)(cn=test*))" displayName

I just get the success output.

Just a question: I started in debug mode (-d 255) and saw that if I
request all objects from the remote database, they are printed to
standard output immediately (directly?) when they are received by the proxy.
So after that I ran my ldapsearch with sorting again (in debug mode); I
see that the server gets the 4 answers from the remote LDAP, but I think
they have to be stored somewhere to be sorted after the end of the
remote requests. I can see nothing happening after reception. Could some
part of the debug messages be helpful?

>> * overlay sssvlv not working with meta?
>
> Then test without sssvlv.

As you can see above in the slapd.conf I provided, if I remove the "overlay
sssvlv" line, it works (but without any server-side sorting).
But I need some clues to find where the problem is.

>> Regards
>> --
>> Nicolas

I can do more tests if you want.
Regards
--
Nicolas
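The control exchange behind the searches in this thread, as an added example that is not part of the thread and not OpenLDAP's own code: `ldapsearch -E sss=displayName` attaches a Server Side Sorting request control (OID 1.2.840.113556.1.4.473, RFC 2891) whose value is a BER SortKeyList, and the server answers with a SortResult control (OID 1.2.840.113556.1.4.474), which is the `control: 1.2.840.113556.1.4.474 false MAMKAQA=` line printed above. The pure-Python encoder/decoder below builds the request value and decodes the response value from that exact line; all function names are my own, and the second sample response (a `noSuchAttribute` result carrying an attributeType) is constructed for illustration.

```python
"""Encode/decode the RFC 2891 Server Side Sorting controls without external libraries."""
import base64

SSS_REQUEST_OID = "1.2.840.113556.1.4.473"   # SortKeyList (client -> server)
SSS_RESPONSE_OID = "1.2.840.113556.1.4.474"  # SortResult  (server -> client)

# sortResult enumeration values defined in RFC 2891 section 1.2
SORT_RESULT_NAMES = {
    0: "success", 1: "operationsError", 3: "timeLimitExceeded",
    8: "strongAuthRequired", 11: "adminLimitExceeded", 16: "noSuchAttribute",
    18: "inappropriateMatching", 50: "insufficientAccessRights", 51: "busy",
    53: "unwillingToPerform", 80: "other",
}


def _ber_len(n: int) -> bytes:
    """Definite-form BER length (short form below 128, long form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(value)) + value


def encode_sort_key_list(keys):
    """keys: iterable of (attributeType, orderingRule or None, reverseOrder).

    SortKeyList ::= SEQUENCE OF SEQUENCE {
        attributeType  AttributeDescription,
        orderingRule   [0] MatchingRuleId OPTIONAL,
        reverseOrder   [1] BOOLEAN DEFAULT FALSE }
    """
    seqs = []
    for attr, rule, reverse in keys:
        body = _tlv(0x04, attr.encode("ascii"))       # OCTET STRING attributeType
        if rule is not None:
            body += _tlv(0x80, rule.encode("ascii"))  # [0] orderingRule
        if reverse:
            body += _tlv(0x81, b"\xff")               # [1] reverseOrder TRUE (DEFAULT FALSE is omitted)
        seqs.append(_tlv(0x30, body))
    return _tlv(0x30, b"".join(seqs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                                 # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def decode_sort_result(raw: bytes):
    """Decode SortResult ::= SEQUENCE { sortResult ENUMERATED, attributeType [0] OPTIONAL }.

    Returns (code, name, attributeType or None). The attributeType is only
    present when the server reports which sort key it could not honour.
    """
    tag, body, _ = _read_tlv(raw, 0)
    if tag != 0x30:
        raise ValueError("SortResult must be a SEQUENCE")
    tag, val, pos = _read_tlv(body, 0)
    if tag != 0x0A:
        raise ValueError("first element must be ENUMERATED sortResult")
    code = int.from_bytes(val, "big")
    attr = None
    if pos < len(body):
        tag, val, _ = _read_tlv(body, pos)
        if tag == 0x80:                               # [0] attributeType
            attr = val.decode("ascii")
    return code, SORT_RESULT_NAMES.get(code, "unknown"), attr


def decode_ldapsearch_control(line: str):
    """Parse an ldapsearch 'control: <oid> <criticality> <base64>' output line."""
    _, oid, _crit, b64 = line.split()
    if oid != SSS_RESPONSE_OID:
        raise ValueError(f"not a SortResult control: {oid}")
    return decode_sort_result(base64.b64decode(b64))


if __name__ == "__main__":
    # The response control value as printed by ldapsearch in the thread above.
    print(decode_ldapsearch_control("control: 1.2.840.113556.1.4.474 false MAMKAQA="))
    # The request value that -E sss=displayName puts on the wire.
    print(encode_sort_key_list([("displayName", None, False)]).hex())
```

Decoding `MAMKAQA=` yields `(0, "success", None)`: the proxy did process the sort control and reported success, so the sort request itself was accepted; the missing entries are a separate matter from the control result. The optional attributeType only appears in failing results, which is why the decoder treats it as absent unless the `[0]` tag follows the enumeration.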