
Re: Question regarding LDAP_SCOPE_ONELEVEL

Guus LEEUW wrote:

>I am doing an OpenLDAP 2.2.18/Cyrus/Heimdal setup according to http://www.opentechnet.com/auth-howto/ar01s06.html.
>At the point in chapter 6.2 where Jose advises to raise the scope of the ldap KDC database, all works fine.
>(He starts out having ldap:ou=kerberos,dc=example,dc=com, and changes it to ldap:dc=example,dc=com because he stores Kerberos-only accounts (kadmin/admin, ldapmaster and the like) in a different subtree than real people with real names (they go in ou=people,dc=example,dc=com). I like this approach, because it keeps the public tree clean.)
>Anyways, after doing that, and starting
>$ kadmin -l
>>list *
>I get nothing back.
>My slapd server tells me that uidnumber=0+gidnumer=0,ou=kerberos,cn=peercred,cn=auth is looking with scope == 1.
>Now, after digging in the heimdal code, I found that hdb-ldap.c indeed looks with LDAP_SCOPE_ONELEVEL inside LDAP__lookup_princ() and LDAP_firstkey().
>Is there any reason for this, or might it be changed to LDAP_SCOPE_SUBTREE without breaking existing functionality?
>(LDAP_SCOPE_SUBTREE according to www.openldap.org: search the object and all its descendants, LDAP_SCOPE_ONELEVEL: search the object's immediate children. So, as far as I can see, the change to LDAP_SCOPE_SUBTREE cannot do any harm.)
>Are there other spots in the code that I might have missed (find . -type f | xargs grep ldap_search only yields hdb-ldap.c)?
    When writing this HOWTO I found the subtree search functionality 
missing in the current version of Heimdal. I asked for it in the list 
and somebody (don't remember, sorry) told me that this functionality 
would be present in the 0.7 version. I needed the functionality, so in 
the meantime I created a bug report in Gentoo to add the LDAP support, 
including this functionality, to the current version (>0.6.2). You may 
find the patches in http://bugs.gentoo.org/show_bug.cgi?id=58799. I did 
this some time ago, so I don't remember exactly the places that I 
changed, but I think LDAP_SCOPE_ONELEVEL was only present in two places 
in the file you mention (hdb-ldap.c). I changed them, and haven't 
experienced any functionality breakage. I'm able to list and modify all 
the principals using kadmin, and authentication works as expected.

    Best regards
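The scope semantics behind the empty `list *` result, as an added example that is not part of the thread or of Heimdal: a small model of an LDAP search over a constructed directory tree laid out like the HOWTO's (ou=kerberos and ou=people under dc=example,dc=com). The object class and attribute names (krb5Principal, krb5PrincipalName) are assumed for illustration; DN parsing is simplified and ignores escaped commas.

```python
# Added example: models LDAP search scope to show why a ONELEVEL search
# from dc=example,dc=com cannot see principals stored one level deeper
# under ou=kerberos,dc=example,dc=com, while SUBTREE finds them.
LDAP_SCOPE_BASE = 0
LDAP_SCOPE_ONELEVEL = 1
LDAP_SCOPE_SUBTREE = 2


def split_dn(dn):
    """Split a DN into normalised RDN components (leaf first).
    Simplified: does not handle escaped commas inside attribute values."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def in_scope(entry_dn, base_dn, scope):
    """Return True if entry_dn would be returned by a search with the
    given base and scope (ignoring the filter)."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    # The entry lies under the base only if the base is a suffix of its RDNs.
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)  # 0 means the base entry itself
    if scope == LDAP_SCOPE_BASE:
        return depth == 0
    if scope == LDAP_SCOPE_ONELEVEL:
        return depth == 1  # immediate children only
    if scope == LDAP_SCOPE_SUBTREE:
        return True  # base and all descendants
    raise ValueError("unknown scope %r" % scope)


# Constructed directory tree mirroring the HOWTO layout (sample data).
DIT = {
    "dc=example,dc=com": ["dcObject"],
    "ou=kerberos,dc=example,dc=com": ["organizationalUnit"],
    "ou=people,dc=example,dc=com": ["organizationalUnit"],
    "krb5PrincipalName=kadmin/admin@EXAMPLE.COM,ou=kerberos,dc=example,dc=com":
        ["krb5Principal"],
    "krb5PrincipalName=ldapmaster@EXAMPLE.COM,ou=kerberos,dc=example,dc=com":
        ["krb5Principal"],
    "uid=jdoe,ou=people,dc=example,dc=com": ["inetOrgPerson", "krb5Principal"],
}


def search(base_dn, scope, object_class):
    """Emulate ldap_search with filter (objectClass=<object_class>)."""
    return sorted(dn for dn, classes in DIT.items()
                  if in_scope(dn, base_dn, scope) and object_class in classes)
```

With the KDC database base raised to dc=example,dc=com, a ONELEVEL search returns no principals at all (only the two ou entries are children of the base), whereas a SUBTREE search returns the ones under ou=kerberos and ou=people.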