Red Hat Bugzilla – Bug 476778
Need support for draft-masarati-ldap-deref-00
Last modified: 2015-12-07 11:32:16 EST
Description of problem:
Samba4 now uses the draft-masarati-ldap-deref-00 control (implemented by OpenLDAP) to implement 'extended DNs'.
See the discussion on fedora-directory-devel in Nov 08: How to implement Extended DNs for Samba4?
Version-Release number of selected component (if applicable):
Every time - no implementation yet present.
Steps to Reproduce:
1. (fix Samba4 make test with Fedora DS backend, currently broken by unrelated changes)
2. run 'TEST_LDAP=yes FEDORA_DS_ROOT=/path/to/fedora-ds make testenv'
3. in the xterm, run 'bin/ldbsearch -H ldap://localdc1 cn=administrator --controls=extended_dn:1:1'
Samba4 cannot dereference DN values in the result, causing extended DNs not to be presented to the client.
Samba4 can dereference DN values in the result, causing extended DNs not to be presented to the client.
OpenLDAP has a client and server implementation, which may aid development and testing.
Samba4 has other issues (both in Samba and Fedora DS) that prevent Samba4's Fedora DS backend working, but this is one of the more major pieces of development required.
I think this task is done by Rich.
Author: Rich Megginson <firstname.lastname@example.org>
Date: Wed Jul 29 11:15:50 2009 -0600
This adds support for the newly proposed LDAP Dereference feature (not to
be confused with alias dereferencing). The details of the proposed feature
can be found here:
This adds a new deref plugin to the directory server. This is a pre op sear
plugin. In order to allow the plugin to rewrite the controls sent back with
each entry, I changed the way pre-search and pre-entry plugins work. They n
have the ability to alter the entry and controls just before being sent back
to the client.
This plugin does not currently support internal operations. It should be ea
to add a call to register the plugin for internal ops if we need to do that.
The code supports real, computed (e.g. memberOf), and virtual attributes
both as the attribute to dereference and in the list of attributes to return
from each dereferenced entry. This will allow us to use attributes such as
nsRole as the derefattr.
Tested on RHEL5 x86_64 with various openldap 2.4.15+ and Net::LDAP clients.
valgrind output is clean
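
To exercise a server that implements this control, a client has to build the request value (a SEQUENCE OF DerefSpec) and parse the per-entry response value (a SEQUENCE OF DerefRes) defined in draft-masarati-ldap-deref-00. The BER helpers below are an added example, not code from this bug, Samba4 or the directory server; the OID is the one OpenLDAP uses for the control, and the function names are hypothetical.

```python
DEREF_OID = "1.3.6.1.4.1.4203.666.5.16"  # added example; OID as used by OpenLDAP

def tlv(tag, content):
    """Encode one definite-length BER TLV (short or long length form)."""
    n = len(content)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    head = bytes([n]) if n < 0x80 else bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + head + content
def octets(s):
    return tlv(0x04, s.encode("utf-8"))

def encode_deref_request(specs):
    """[(derefAttr, [attrs]), ...] -> SEQUENCE OF DerefSpec (request value)."""
    return tlv(0x30, b"".join(
        tlv(0x30, octets(d) + tlv(0x30, b"".join(octets(a) for a in attrs)))
        for d, attrs in specs))

def read_tlv(buf, pos=0):
    """Return (tag, content, next_pos); reject truncated/indefinite lengths."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n >= 0x80:
        k = n & 0x7F
        if k == 0 or pos + k > len(buf):
            raise ValueError("unsupported or truncated length")
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("content overruns buffer")
    return tag, buf[pos:pos + n], pos + n
def children(content, pos=0):
    while pos < len(content):
        tag, val, pos = read_tlv(content, pos)
        yield tag, val

def decode_deref_response(value):
    """Response value -> [(derefAttr, derefVal DN, {attr: [raw values]})]."""
    tag, seq, end = read_tlv(value)
    if tag != 0x30 or end != len(value):
        raise ValueError("expected exactly one SEQUENCE")
    results = []
    for _, res in children(seq):
        (_, attr), (_, dn), *rest = children(res)
        attrs = {}
        if rest and rest[0][0] == 0xA0:  # optional attrVals [0]
            for _, pa in children(rest[0][1]):
                (_, name), (_, vals) = children(pa)
                attrs[name.decode()] = [v for _, v in children(vals)]
        results.append((attr.decode(), dn.decode(), attrs))
    return results
```

Attribute values are returned as raw bytes because dereferenced attributes may be binary; malformed or truncated input raises `ValueError` rather than being partially parsed.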