> Date: Fri, 10 Feb 2006 12:05:52 -0700
> From: Richard Megginson <rmeggins@redhat.com>
>
> Glenn W. Bach wrote:
>
>>>> I'm replacing an ldap server with Fedora Directory. The old one
>>>> allows searches with
>>>> the base dn empty. Is there a way to allow searches with a blank
>>>> base dn in Fedora
>>>> Directory?
>>>>
>>> I'm assuming you mean the ability to perform a subtree search with a
>>> base dn of "". No,
>>> you cannot do this with Fedora DS. What is your old directory server?
>>> Does it do this
>>> by default or do you have to configure it to do so?
>>>
>> Yes, -b ''
>>
>> We are actually replacing an Exchange 5.5 system that is pretending to
>> be an ldap server.
>> The unfortunate thing is that hundreds of users have their base dn
>> blank, which is
>> something Exchange can apparently deal with. I am not sure if it had
>> to be specifically configured to allow this.
>>
>
> No, that explains it.
>
>> So the bottom line sounds like we need to touch several hundred
>> desktops if we want to transition away from Exchange. Sigh...
>>
>
> Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and
> rewrite the base DN. I'm not sure how to do this, but probably someone
> on the openldap lists would know.
>

OpenLDAP has a more relevant solution here: you can set a defaultsearchbase on slapd that is used when a search request comes in with an empty baseDN and non-base scope. This feature exists in OpenLDAP precisely because of all those misconfigured clients in the world.

> Alternately, you could write a plug-in (datainterop) that maps incoming
> requests for base "" and sub scope to your real suffix.
>

--
  -- Howard Chu
  Chief Architect, Symas Corp.  http://www.symas.com
  Director, Highland Sun        http://highlandsun.com/hyc
  OpenLDAP Core Team            http://www.openldap.org/project/

Richard Megginson
2006-Feb-13 02:04 UTC
Re: [Fedora-directory-users] Search w/ empty base dn
Howard Chu wrote:

>> Date: Fri, 10 Feb 2006 12:05:52 -0700
>> From: Richard Megginson <rmeggins@redhat.com>
>>
>> Glenn W. Bach wrote:
>>
>>>>> I'm replacing an ldap server with Fedora Directory. The old one
>>>>> allows searches with
>>>>> the base dn empty. Is there a way to allow searches with a blank
>>>>> base dn in Fedora
>>>>> Directory?
>>>>>
>>>> I'm assuming you mean the ability to perform a subtree search with
>>>> a base dn of "". No,
>>>> you cannot do this with Fedora DS. What is your old directory
>>>> server? Does it do this
>>>> by default or do you have to configure it to do so?
>>>>
>>> Yes, -b ''
>>>
>>> We are actually replacing an Exchange 5.5 system that is pretending
>>> to be an ldap server.
>>> The unfortunate thing is that hundreds of users have their base dn
>>> blank, which is
>>> something Exchange can apparently deal with. I am not sure if it had
>>> to be specifically configured to allow this.
>>>
>>
>> No, that explains it.
>>
>>> So the bottom line sounds like we need to touch several hundred
>>> desktops if we want to transition away from Exchange. Sigh...
>>>
>>
>> Perhaps not. OpenLDAP has the ability to act as an LDAP proxy and
>> rewrite the base DN. I'm not sure how to do this, but probably
>> someone on the openldap lists would know.
>>
>
> OpenLDAP has a more relevant solution here: you can set a
> defaultsearchbase on slapd that is used when a search request comes in
> with an empty baseDN and non-base scope. This feature exists in
> OpenLDAP precisely because of all those misconfigured clients in the
> world.

Oh, well you can do that with Fedora DS as well:
1) stop-slapd
2) edit config/dse.ldif - in the first entry, the one with dn: (the empty dn), just add
objectclass: extensibleObject
defaultsearchbase: yoursuffix
3) start-slapd

>> Alternately, you could write a plug-in (datainterop) that maps
>> incoming requests for base "" and sub scope to your real suffix.
>>
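
Step 2 of the procedure in the reply above, as an added example that is not part of the original thread or of Fedora DS: a Python helper that adds the two lines to the empty-dn entry of a dse.ldif text, handling folded LDIF lines and leaving an already patched file unchanged. The sample LDIF and the suffix `dc=example,dc=com` are constructed placeholders; the edit is meant to be applied between stop-slapd and start-slapd, as in the message.

```python
import re

# Constructed sample of a dse.ldif: root entry (empty dn) first, then cn=config.
SAMPLE = "dn:\nobjectClass: top\n\ndn: cn=config\nobjectClass: top\ncn: config\n"

def unfold(entry):
    """Join LDIF continuation lines (a line starting with one space continues the previous one)."""
    lines = []
    for raw in entry.split("\n"):
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def is_root_entry(lines):
    """True when the first non-comment line is a dn: with an empty value."""
    for line in lines:
        if not line.startswith("#"):
            return re.fullmatch(r"dn:\s*", line, re.I) is not None
    return False

def add_default_search_base(ldif_text, suffix):
    """Return the LDIF text with the two lines from step 2 added to the root entry.

    Idempotent: values that are already present are not added again.
    """
    entries = re.split(r"\n\s*\n", ldif_text.strip("\n"))
    patched = False
    for i, entry in enumerate(entries):
        lines = unfold(entry)
        if patched or not is_root_entry(lines):
            continue
        pairs = [(k.strip().lower(), v.strip().lower())
                 for k, _, v in (line.partition(":") for line in lines)]
        if ("objectclass", "extensibleobject") not in pairs:
            entry += "\nobjectclass: extensibleObject"
        if not any(k == "defaultsearchbase" for k, _ in pairs):
            entry += "\ndefaultsearchbase: " + suffix
        entries[i] = entry
        patched = True
    if not patched:
        raise ValueError("no entry with an empty dn found")
    return "\n\n".join(entries) + "\n"

if __name__ == "__main__":
    # dc=example,dc=com is a placeholder suffix, not a value from the thread.
    print(add_default_search_base(SAMPLE, "dc=example,dc=com"), end="")
```

Work on a copy of dse.ldif and keep the original as a backup, so the server can be started from the unmodified file if the edited one is rejected.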