LDAP_MATCHING_RULE_IN_CHAIN control
Andrew Bartlett
abartlet at samba.org
Fri Sep 28 21:19:03 MDT 2012
On Sat, 2012-09-29 at 04:10 +0400, Dmitry Khromov wrote:
> Hello.
>
> We have a couple of questions regarding Samba 4.1.0pre1-GIT-aad669b running on Gentoo GNU/Linux
>
> 1) Is MS 1.2.840.113556.1.4.1941 operator support implemented (planned to be implemented) in Samba 4 internal LDAP server? Please compare:
>
> $ ldapsearch -h 192.168.1.32 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Windows 2003 R2 DC
> Enter LDAP Password:
> # numResponses: 2
> # numEntries: 1
> $ ldapsearch -h 192.168.1.31 -x -D 'CN=someadminuser,OU=Administrators,DC=klin,DC=kifato-mk,DC=com' -b 'OU=VLANs,OU=Organizational,DC=klin,DC=kifato-mk,DC=com' -W '(&(info=*)(member:1.2.840.113556.1.4.1941:=CN=dummyuser,OU=IT,OU=Departments,DC=klin,DC=kifato-mk,DC=com))' | tail -n2 # Samba DC
> Enter LDAP Password:
>
> # numResponses: 1
>
> The first command returns the correct membership check result. The second just silently returns nothing. Although not that widely used, this operator is quite useful in some cases, when you just can't implement any loop-based logic. For example, for us it breaks IEEE 802.1X VLAN assignment with FreeRADIUS.
>
> Replication is working and this account's membership is correct on both DCs.
No, this operator is not supported, but patches (with tests) to
implement it would be most welcome. It looks rather tricky to implement
however, as it does not just match on a single record, but on multiple
possible records. We would essentially need to implement the chasing of
the chain in an ldb module in the same way that a client would.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
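The chain chasing Andrew describes, as an added example that is not Samba or ldb code: a client-side evaluation of the 1.2.840.113556.1.4.1941 rule over a constructed in-memory directory (the DNs under DC=example,DC=com are made up), including the visited set needed because nested groups can form cycles.

```python
from collections import deque

RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def _norm(dn):
    # DNs compare case-insensitively; this is a simplification of RFC 4517
    # DN matching (no escaping or attribute-type aliasing is handled).
    return ",".join(part.strip().lower() for part in dn.split(","))

def entries_in_chain(entries, attr, value_dn):
    """DNs of all entries whose `attr` reaches `value_dn` through any chain of
    nested links, i.e. what (attr:1.2.840.113556.1.4.1941:=value_dn) matches.
    `entries` maps dn -> {attribute: [values]} (constructed sample format)."""
    original = {_norm(dn): dn for dn in entries}
    # Reverse index: linked dn -> set of entries that link to it directly.
    parents = {}
    for dn, attrs in entries.items():
        for linked in attrs.get(attr, []):
            parents.setdefault(_norm(linked), set()).add(_norm(dn))
    # Breadth-first walk up the chain; `seen` stops loops on cyclic nesting,
    # which real group data contains and a naive recursion would spin on.
    seen, queue = set(), deque([_norm(value_dn)])
    while queue:
        current = queue.popleft()
        for parent in parents.get(current, ()):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return {original[n] for n in seen}

def vlan_groups_for_user(entries, user_dn):
    """The filter from the thread, (&(info=*)(member:<rule>:=user_dn)):
    in-chain groups restricted to those carrying an `info` value."""
    return {dn for dn in entries_in_chain(entries, "member", user_dn)
            if entries[dn].get("info")}

# Constructed sample directory with nested and cyclic group membership.
SAMPLE = {
    "CN=dummyuser,OU=IT,DC=example,DC=com": {},
    "CN=it-staff,OU=Groups,DC=example,DC=com": {
        "member": ["CN=dummyuser,OU=IT,DC=example,DC=com"]},
    "CN=vlan-10,OU=VLANs,DC=example,DC=com": {
        "info": ["10"],
        "member": ["CN=it-staff,OU=Groups,DC=example,DC=com"]},
    "CN=all-staff,OU=Groups,DC=example,DC=com": {
        "member": ["CN=vlan-10,OU=VLANs,DC=example,DC=com",
                   "CN=all-staff,OU=Groups,DC=example,DC=com"]},  # self-loop
    "CN=vlan-20,OU=VLANs,DC=example,DC=com": {"info": ["20"], "member": []},
}

if __name__ == "__main__":
    print(sorted(vlan_groups_for_user(SAMPLE, "cn=dummyuser,ou=it,dc=example,dc=com")))
```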