10990 Get UNIX group info. from AD/LDAP with partial RFC2307 schema

Review Request #1862 — Created May 28, 2019 and submitted

gwr
illumos-gate
10990
general


As described in the issue.

cjr
  2. I'm trying to understand how the UIDDNFILTER* strings are being used.

    This jumped out at me because LDAP does not have an attribute called "distinguishedname". RFC 5020 defines "entryDN" if you need to use an entry's DN in a search filter.

    However if you do have a DN, and you want to check its objectclass etc, then the much simpler way to do this is to do an LDAP base object search. This uses the DN as the search base, so is a simple "read" inside the LDAP database.

    You then don't need (distinguishedname=...) or (entrydn=...) in the filter, so UIDDNFILTER* can just be "(objectclass=posixaccount)" or "(%%s)".

    1. As described in the issue, this code needs to work in an environment with only parts of the Unix schema (basically straight MS AD schema plus uidNumber and gidNumber attributes on what are otherwise normal AD user and group account objects).
      There is usually no "posixaccount" object class in this environment.

      That string is used for the query run by __ns_ldap_dn2uid, which needs to find an account record even when the object class is the normal user type for AD (sorry, I forget what that class is called just now). This query worked in the environments where we needed it to work. It's designed to work in either a "normal" (unix RFC2307) environment or an AD environment, which is why you see the "or" logic to query for either one.

    2. I'm not sure the environment we were using had an "entryDN" attribute. That would take some work to check into (and would require re-testing all of this).
      I'm sure the "distinguishedname" attribute query worked in our testing.

    3. I checked with one of the AD setups we use for testing this stuff. A query like this works OK:

      ldapsearch -h $server -b "cn=users,$dom"  "(&(objectClass=user)(distinguishedname=cn=testuser,cn=users,$dom))"
      

      This one does not work:

      ldapsearch -h $server -b "cn=users,$dom"  "(&(objectClass=user)(entryDN=cn=testuser,cn=users,$dom))"
      

      While "entryDN" is what RFC 5020 recommends, it does not appear to work with AD.

    4. Did you want any additional investigation on this? If not, I'll "drop" this review issue. Thanks.
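A toy, offline illustration of the two lookup strategies discussed in this thread: the "either schema" disjunction (posixAccount or an AD user object carrying uidNumber) that the UIDDNFILTER* query relies on, and the base-object read suggested above as an alternative to putting the DN into the filter. This is an added example, not code from illumos-gate or from the change under review; the directory entries, DNs, the ACCOUNT_FILTER string and the function names are constructed for the example, and the filter grammar is a simplified subset of RFC 4515.

```python
"""Toy evaluation of the LDAP filters discussed in this review (added example,
not illumos code).  Entries are constructed stand-ins; DN handling and the
filter grammar are simplified (equality/presence assertions only, no escapes)."""

# The "either schema" disjunction: a plain RFC2307 posixAccount, or an AD
# "user" object that has been given a uidNumber.  The name is ours, not the
# UIDDNFILTER* string from the change under review.
ACCOUNT_FILTER = "(|(objectClass=posixAccount)(&(objectClass=user)(uidNumber=*)))"

# Constructed sample directory (DNs and values invented).  AD-style objects
# carry distinguishedName, matching the thread's observation that
# (distinguishedname=...) filters work against AD.
AD_USER = ["top", "person", "organizationalPerson", "user"]
ENTRIES = {
    "uid=alice,ou=people,dc=example,dc=com": {
        "objectClass": ["top", "person", "posixAccount"], "uid": ["alice"],
        "uidNumber": ["1001"], "gidNumber": ["100"]},
    "CN=testuser,CN=Users,DC=ad,DC=example,DC=com": {
        "objectClass": AD_USER, "sAMAccountName": ["testuser"],
        "distinguishedName": ["CN=testuser,CN=Users,DC=ad,DC=example,DC=com"],
        "uidNumber": ["2001"], "gidNumber": ["2000"]},
    "CN=plainuser,CN=Users,DC=ad,DC=example,DC=com": {   # no uidNumber
        "objectClass": AD_USER, "sAMAccountName": ["plainuser"],
        "distinguishedName": ["CN=plainuser,CN=Users,DC=ad,DC=example,DC=com"]},
}


def _dn_norm(dn):
    """Case-fold a DN and drop whitespace around RDN separators (simplified)."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def parse_filter(text):
    """Parse an RFC 4515 filter: (&..), (|..), (!..), (attr=value), (attr=*).
    Malformed input raises ValueError rather than silently matching."""
    pos = 0

    def node():
        nonlocal pos
        if text[pos] != "(":
            raise ValueError("expected '(' at offset %d" % pos)
        pos += 1
        op = text[pos]
        if op in "&|!":
            pos += 1
            kids = []
            while text[pos] == "(":
                kids.append(node())
            if text[pos] != ")" or not kids:
                raise ValueError("bad compound filter at offset %d" % pos)
            pos += 1
            return (op, kids)
        end = text.index(")", pos)            # ValueError if unterminated
        attr, eq, value = text[pos:end].partition("=")
        if not (attr and eq and value):
            raise ValueError("bad assertion %r" % text[pos:end])
        pos = end + 1
        return ("=", attr.lower(), value.lower())

    try:
        tree = node()
    except IndexError:
        raise ValueError("truncated filter") from None
    if pos != len(text):
        raise ValueError("trailing text after filter")
    return tree


def matches(tree, attrs):
    """Evaluate a parsed filter; attribute names and values are case-folded."""
    op = tree[0]
    if op in "&|":
        fn = all if op == "&" else any
        return fn(matches(k, attrs) for k in tree[1])
    if op == "!":
        return not matches(tree[1][0], attrs)
    _, attr, value = tree
    vals = [v.lower() for k, vs in attrs.items() if k.lower() == attr for v in vs]
    return bool(vals) if value == "*" else value in vals


def search(filter_text, base=None, scope="sub", entries=ENTRIES):
    """DNs under `base` (or anywhere) satisfying `filter_text`.  scope="base" is
    the base-object read suggested in the review: the DN is the search base, so
    the filter needs no (distinguishedName=..) or (entryDN=..) clause."""
    tree = parse_filter(filter_text)
    nbase = _dn_norm(base) if base is not None else None
    hits = []
    for dn, attrs in entries.items():
        ndn = _dn_norm(dn)
        if nbase is not None and not (ndn == nbase or
                                      scope == "sub" and ndn.endswith("," + nbase)):
            continue
        if matches(tree, attrs):
            hits.append(dn)
    return hits


def dn2uid(dn, entries=ENTRIES):
    """Resolve a DN to its uidNumber with a base-object read, either schema."""
    hits = search(ACCOUNT_FILTER, base=dn, scope="base", entries=entries)
    return int(entries[hits[0]]["uidNumber"][0]) if hits else None
```

Running `dn2uid` over the three constructed entries maps the RFC2307 account and the AD user with a uidNumber, and returns None for the AD user without one; a subtree search with the `(distinguishedname=...)` filter from the thread finds the AD object, while the same filter written with `entryDN` finds nothing because the constructed AD objects expose no such attribute.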

Review request changed

Status: Closed (submitted)
