Bug 476778

Summary: Need support for draft-masarati-ldap-deref-00
Product: [Retired] 389 Reporter: Andrew Bartlett <abartlet>
Component: Database - GeneralAssignee: Rich Megginson <rmeggins>
Status: CLOSED CURRENTRELEASE QA Contact: Viktor Ashirov <vashirov>
Severity: medium Docs Contact:
Priority: low    
Version: 7.1CC: nhosoi, nkinder, rmeggins
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
URL: http://tools.ietf.org/html/draft-masarati-ldap-deref-00
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-12-07 16:32:16 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 517385, 639035    

Description Andrew Bartlett 2008-12-17 02:43:56 UTC 
Description of problem:
Samba4 now uses the draft-masarati-ldap-deref-00 control (implemented by OpenLDAP) to implement 'extended DNs'. 

See the discussion on fedora-directory-devel in Nov 08: How to implement Extended DNs for Samba4?

Version-Release number of selected component (if applicable):
all

How reproducible:
Every time - no implementation yet present.

Steps to Reproduce:
1.  (fix Samba4 make test with Fedora DS backend, currenetly broken by unrelated changes)
2.  run 'TEST_LDAP=yes FEDORA_DS_ROOT=/path/to/fedora-ds make testenv'
3.  in the xterm, run 'bin/ldbsearch -H ldap://localdc1 cn=administrator --controls=extended_dn:1:1'
  
Actual results:
Samba4 cannot dereference DN values in the result, causing extended DNs not to be presented to the client.

Expected results:
Samba4 can dereference DN values in the result, causing extended DNs not to be presented to the client.  

Additional info:

OpenLDAP has a client and server implementation, which may aid development and testing. 

Samba4 has other issues (both in Samba and Fedora DS) that prevent Samba4's Fedora DS backend working, but this is one of the more major pieces of development required.
Comment 1 Noriko Hosoi 2009-08-06 21:47:01 UTC 
I think this task is done by Rich.

commit 7c52ad591180095b747f08c92a1550d76c9e9532
Author: Rich Megginson <rmeggins>
Date:   Wed Jul 29 11:15:50 2009 -0600

    Dereference support
    This adds support for the newly proposed LDAP Dereference feature (not to
    be confused with alias dereferencing).  The details of the proposed feature
    can be found here:
    http://www.openldap.org/devel/cvsweb.cgi/~checkout~/doc/drafts/draft-masarat
    This adds a new deref plugin to the directory server.  This is a pre op sear
    plugin.  In order to allow the plugin to rewrite the controls sent back with
    each entry, I changed the way pre-search and pre-entry plugins work.  They n
    have the ability to alter the entry and controls just before being sent back
    to the client.
    This plugin does not currently support internal operations.  It should be ea
    to add a call to register the plugin for internal ops if we need to do that.
    The code supports real, computed (e.g. memberOf), and virtual attributes
    both as the attibute to dereference and in the list of attributes to return
    from each dereferenced entry.  This will allow us to use attributes such as
    nsRole as the derefattr.
    Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients.
    valgrind output is clean