Re: Question regarding LDAP_SCOPE_ONELEVEL
- To: email@example.com
- Subject: Re: Question regarding LDAP_SCOPE_ONELEVEL
- From: Jose Gonzalez Gomez <firstname.lastname@example.org>
- Date: Fri, 29 Oct 2004 11:48:38 +0200
- In-Reply-To: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAf4ZA+/nf/kGYhooScpLKE8KAAAAQAAAAbWkT1IfXrUuiR3GhkSiohQEAAAAA@st.com>
- References: <!~!UENERkVCMDkAAQACAAAAAAAAAAAAAAAAABgAAAAAAAAAf4ZA+/nf/kGYhooScpLKE8KAAAAQAAAAbWkT1IfXrUuiR3GhkSiohQEAAAAA@st.com>
- Sender: email@example.com
- User-Agent: Mozilla Thunderbird 0.8 (X11/20041004)
Guus LEEUW wrote:
>I am doing an OpenLDAP 2.2.18/Cyrus/Heimdal setup according to http://www.opentechnet.com/auth-howto/ar01s06.html.
>At the point in chapter 6.2 where Jose advises to raise the scope of the ldap KDC database, all works fine.
>(He starts out having ldap:ou=kerberos,dc=example,dc=com, and changes it to ldap:dc=example,dc=com because he stores kerberos-only accounts (kadmin/admin, ldapmaster and the like) in a different subtree than real people with real names (they go in ou=people,dc=example,dc=com). I like this approach, because it keeps the public tree clean.)
>Anyways, after doing that, and starting
>$ kadmin -l
>I get nothing back.
>My slapd server tells me that uidnumber=0+gidnumer=0,ou=kerberos,cn=peercred,cn=auth is looking with scope == 1.
>Now, after digging in the heimdal code, I found that hdb-ldap.c indeed looks with LDAP_SCOPE_ONELEVEL inside LDAP__lookup_princ() and LDAP_firstkey().
>Is there any reason for this, or might it be changed to LDAP_SCOPE_SUBTREE without breaking existing functionality?
>(LDAP_SCOPE_SUBTREE according to www.openldap.org: search the object and all its descendants, LDAP_SCOPE_ONELEVEL: search the object's immediate children. So, as far as I can see, the change to LDAP_SCOPE_SUBTREE cannot do any harm.)
>Are there other spots in the code that I might have missed (find . -type f | xargs grep ldap_search only yields hdb-ldap.c)?
When writing this HOWTO I found the subtree search functionality
missing in the current version of Heimdal. I asked for it in the list
and somebody (don't remember, sorry) told me that this functionality
would be present in the 0.7 version. I needed the functionality, so in
the meantime I created a bug report in Gentoo to add the LDAP support,
including this functionality, to the current version (>0.6.2). You may
find the patches in http://bugs.gentoo.org/show_bug.cgi?id=58799. I did
this some time ago, so I don't remember exactly the places that I
changed, but I think LDAP_SCOPE_ONELEVEL was only present in two places
in the file you mention (hdb-ldap.c). I changed them, and haven't
experienced any functionality breakage. I'm able to list and modify all
the principals using kadmin, and authentication works as expected.
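The scope semantics Guus quotes from www.openldap.org, as an added example that is not code from this thread, the HOWTO or Heimdal's hdb-ldap.c: a Python model of a directory laid out like the HOWTO's, showing why a ONELEVEL search from dc=example,dc=com finds no principals while SUBTREE finds them all. The krb5Principal object class, the krb5PrincipalName attribute and the uid=alice entry are assumptions.

```python
# Added example (not code from the thread or from Heimdal): a small model of
# the LDAP search scopes discussed above, run over a constructed directory
# laid out like the HOWTO's (kerberos-only accounts under ou=kerberos,
# people under ou=people). Object class and attribute names are assumed.
LDAP_SCOPE_BASE, LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE = 0, 1, 2

# Constructed sample DIT: DN -> attributes.
DIT = {
    "dc=example,dc=com":
        {"objectClass": ["domain"]},
    "ou=kerberos,dc=example,dc=com":
        {"objectClass": ["organizationalUnit"]},
    "krb5PrincipalName=kadmin/admin@EXAMPLE.COM,ou=kerberos,dc=example,dc=com":
        {"objectClass": ["krb5Principal"]},
    "ou=people,dc=example,dc=com":
        {"objectClass": ["organizationalUnit"]},
    "uid=alice,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson", "krb5Principal"]},
}

def rdns(dn):
    """Split a DN into its RDNs, most specific first (no escaped commas assumed)."""
    return [part.strip().lower() for part in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """Scope semantics: BASE = the base entry only, ONELEVEL = immediate
    children only, SUBTREE = the base entry and all of its descendants."""
    entry, base = rdns(entry_dn), rdns(base_dn)
    if len(entry) < len(base) or entry[len(entry) - len(base):] != base:
        return False            # entry is not at or below the base DN
    depth = len(entry) - len(base)
    if scope == LDAP_SCOPE_BASE:
        return depth == 0
    if scope == LDAP_SCOPE_ONELEVEL:
        return depth == 1
    return True                 # LDAP_SCOPE_SUBTREE

def find_principals(base_dn, scope):
    """The principal entries a KDC backend would see with this base and scope."""
    return sorted(dn for dn, attrs in DIT.items()
                  if in_scope(dn, base_dn, scope)
                  and "krb5Principal" in attrs["objectClass"])

if __name__ == "__main__":
    # Base raised to dc=example,dc=com as in chapter 6.2: ONELEVEL sees no
    # principal at all (the "kadmin -l returns nothing" symptom), SUBTREE
    # sees the kerberos-only account and the person entry alike.
    for scope in (LDAP_SCOPE_ONELEVEL, LDAP_SCOPE_SUBTREE):
        print(scope, find_principals("dc=example,dc=com", scope))
```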