
I am having some issues with OpenLDAP and Spring Security, where the latter does a search with the whole path in the dn (filter) and an empty base. OpenLDAP does not like this, and the query fails. The problem is that I have no control over the query, so I am wondering if it is possible to configure OpenLDAP to allow such queries.

Some details on how this works:

Spring first does a search for a user, with something like this:

base: ou=something,ou=something,dc=oh,dc=my,dc=god
filter: cn=someUsername

Then, it gets back a result, where the whole dn is put in, and base is an empty String, like this:

base: (empty)
filter: cn=someUsername,ou=something,ou=something,dc=oh,dc=my,dc=god

Then, it uses this result for a new search against the LDAP, which then fails.

Tobb

1 Answer


OpenLDAP needs to know the base DN so that it can choose which database to read from. I couldn't find any support for "global" searching across all databases.

However, you can add a new database with an empty base DN. With the relay backend it can forward all queries to your main database. See slapd-relay(5) for more elaborate examples (including even rewriting), but the general usage is:

# slapd.conf form: a second database with the empty suffix that relays
# every request to the real database
database  relay
suffix    ""
relay     "dc=example,dc=org"

# equivalent cn=config (LDIF) form; the relay backend's objectClass is
# olcRelayConfig (olcHdbConfig would be rejected, since it requires olcDbDirectory)
dn: olcDatabase=relay,cn=config
objectClass: olcDatabaseConfig
objectClass: olcRelayConfig
olcSuffix:
olcRelay: dc=example,dc=org

(Also, I wonder if Spring really uses the empty base for all searches? Some programs obtain the Root DSE this way (located at base "", scope 'base'), in order to auto-discover the real base DNs and/or server capabilities.)


After the update, it seems that the real problem is Spring using a bad filter. It does not make sense to just send a DN as a filter, because you will actually end up searching for a cn that contains someUsername,ou=something,dc=something.

Instead, Spring should have used the DN as base:

base: cn=someUsername,ou=something,ou=something,dc=oh,dc=my,dc=god
scope: base
filter: (objectClass=*)

If it ever becomes necessary to filter by DN, I think a working way would be (entryDN=dn), e.g. (entryDN=cn=foo,ou=bar,ou=baz), though it varies between servers (entryDN is OpenLDAP-specific, while AD has distinguishedName, and so on).

grawity
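The two remedies in the answer (search with the DN as base and scope base, or filter on entryDN/distinguishedName) as an added, runnable example. This is not code from either post, Spring Security or OpenLDAP; it is a small standalone Python helper that takes the (base, filter) pair Spring sends, detects when the "filter" is really a DN pasted into the filter slot, and rewrites it into a valid base-scoped search. It also builds a DN-equality filter with RFC 4515 escaping, which matters when DNs contain parentheses, asterisks or backslashes (otherwise the DN would corrupt or inject into the filter). The function names, the DN-detection heuristic and the sample inputs are my own assumptions.

```python
"""Rewrite a 'DN sent as filter' LDAP lookup into valid search parameters.

Added example (not from the original page). Helper names, the DN-detection
heuristic and all sample values are assumptions made for illustration.
"""
import re
from dataclasses import dataclass

# RFC 4515 section 3: characters that must be hex-escaped inside a filter
# assertion value. Applied per character, so backslash is never double-escaped.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


@dataclass(frozen=True)
class SearchRequest:
    base: str
    scope: str      # 'base', 'one' or 'sub'
    filter: str     # RFC 4515 filter string, always parenthesised


# Heuristic (assumption): a bare 'attr=value' filter whose value continues with
# ',attr=value' components is a DN that was pasted into the filter slot.
# Real filters such as (cn=foo) or (&(cn=foo)(objectClass=person)) never match.
# DNs with escaped commas ('\,') are deliberately not recognised.
_RDN = r"[A-Za-z][A-Za-z0-9-]*=[^,()]+"
_DN_LIKE = re.compile(rf"^\(?{_RDN}(?:\s*,\s*{_RDN})+\)?$")


def looks_like_dn(filt: str) -> bool:
    """True when the filter string is really a DN (per the heuristic above)."""
    return _DN_LIKE.match(filt.strip()) is not None


def fix_dn_lookup(base: str, filt: str, scope: str = "sub") -> SearchRequest:
    """Turn Spring's (base='', filter='<DN>') lookup into the form the answer
    recommends: base=<DN>, scope=base, filter=(objectClass=*).

    Any other request is passed through, only normalised so the filter is
    parenthesised as RFC 4515 requires.
    """
    f = filt.strip()
    if base == "" and looks_like_dn(f):
        dn = f[1:-1] if f.startswith("(") and f.endswith(")") else f
        return SearchRequest(base=dn, scope="base", filter="(objectClass=*)")
    if not f.startswith("("):
        f = f"({f})"
    return SearchRequest(base=base, scope=scope, filter=f)


def dn_equality_filter(dn: str, attribute: str = "entryDN") -> str:
    """Filter that matches an entry by its DN, for servers that expose the DN
    as a searchable attribute: entryDN on OpenLDAP, distinguishedName on AD.
    The DN is escaped so parentheses etc. cannot alter the filter structure."""
    return f"({attribute}={escape_filter_value(dn)})"


def as_ldapsearch_args(req: SearchRequest) -> list:
    """The same request as an ldapsearch(1) argument list, for manual checking."""
    return ["ldapsearch", "-x", "-s", req.scope, "-b", req.base, req.filter]


if __name__ == "__main__":
    # Constructed sample: exactly the second search described in the question.
    broken = fix_dn_lookup(
        "", "cn=someUsername,ou=something,ou=something,dc=oh,dc=my,dc=god"
    )
    print(" ".join(as_ldapsearch_args(broken)))
    print(dn_equality_filter("cn=O'Brien (admin),ou=people,dc=example,dc=org"))
```

Note that `fix_dn_lookup` only changes a request when the base is empty and the filter is DN-shaped; the first, legitimate search Spring performs (a real base plus `cn=someUsername`) passes through untouched.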