Bug 476778 - Need support for draft-masarati-ldap-deref-00
Product: 389
Classification: Community
Component: Database - General
Hardware: All Linux
Priority: low, Severity: medium
Assigned To: Rich Megginson
Viktor Ashirov
Blocks: 389_1.2.1 639035
Reported: 2008-12-16 21:43 EST by Andrew Bartlett
Modified: 2015-12-07 11:32 EST
Doc Type: Bug Fix
Last Closed: 2015-12-07 11:32:16 EST
Description Andrew Bartlett 2008-12-16 21:43:56 EST
Description of problem:
Samba4 now uses the draft-masarati-ldap-deref-00 control (implemented by OpenLDAP) to implement 'extended DNs'. 

See the discussion on fedora-directory-devel in Nov 08: How to implement Extended DNs for Samba4?

Version-Release number of selected component (if applicable):

How reproducible:
Every time - no implementation yet present.

Steps to Reproduce:
1.  (fix Samba4 make test with Fedora DS backend, currently broken by unrelated changes)
2.  run 'TEST_LDAP=yes FEDORA_DS_ROOT=/path/to/fedora-ds make testenv'
3.  in the xterm, run 'bin/ldbsearch -H ldap://localdc1 cn=administrator --controls=extended_dn:1:1'
Actual results:
Samba4 cannot dereference DN values in the result, causing extended DNs not to be presented to the client.

Expected results:
Samba4 can dereference DN values in the result, causing extended DNs not to be presented to the client.  

Additional info:

OpenLDAP has a client and server implementation, which may aid development and testing. 

Samba4 has other issues (both in Samba and Fedora DS) that prevent Samba4's Fedora DS backend working, but this is one of the more major pieces of development required.
Comment 1 Noriko Hosoi 2009-08-06 17:47:01 EDT
I think this task is done by Rich.

commit 7c52ad591180095b747f08c92a1550d76c9e9532
Author: Rich Megginson <rmeggins@redhat.com>
Date:   Wed Jul 29 11:15:50 2009 -0600

    Dereference support
    This adds support for the newly proposed LDAP Dereference feature (not to
    be confused with alias dereferencing).  The details of the proposed feature
    can be found here:
    This adds a new deref plugin to the directory server.  This is a pre op sear
    plugin.  In order to allow the plugin to rewrite the controls sent back with
    each entry, I changed the way pre-search and pre-entry plugins work.  They n
    have the ability to alter the entry and controls just before being sent back
    to the client.
    This plugin does not currently support internal operations.  It should be ea
    to add a call to register the plugin for internal ops if we need to do that.
    The code supports real, computed (e.g. memberOf), and virtual attributes
    both as the attribute to dereference and in the list of attributes to return
    from each dereferenced entry.  This will allow us to use attributes such as
    nsRole as the derefattr.
    Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients.
    valgrind output is clean
