This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Never dereference

Hello Community,

there is a product, that has a strange behaviour. Although I set the "never follow" option for aliases, it keeps following them, and this results in multiple hits for the same user object. I try to workaround this problem by modifying the ldap query on the LDAP Proxy side. I would like to force the dereference=never option to every ldap query. This is a simple policy that I wrote for this purpose:

<policy-search-request id-policy="derefalias-never">
        <rule>
                <comment>
                Set deref alias to never
                </comment>
                <conditions>
                <if-srch-scope op="equal">sub-tree</if-srch-scope>
                </conditions>
                <actions>
                <do-modify-search>
                <derefalias-reset>0</derefalias-reset>
                </do-modify-search>
                </actions>
                <actions-default>
                <do-allow/>
                </actions-default>
        </rule>
</policy-search-request>

In a nutshell: if the search scope is sub-tree, then modify the derefalias to 0 which means never dereference. xml validation is fine, ldaproxy starts up. There is an ou=ASDF,o=TOP and an alias for ASDF: ou=QWER,o=TOP. When I do an ldapsearch for a user with "-b o=TOP -a always -s sub" then it returns two results for the same user. This means, that ldapproxy is not modifying the query. I tried many different conditions, none of them works, so I think that I am missing something. Maybe I misplace the policy in the xml? Is it even possible to do what i need?

Thanks,

Gellert

Tags:

  • Suggested Answer

    0

    Hello Community,

    I've found my mistake. I forgot to tell ldap proxy to actually use the new policy in the connection route policy :)

    It works now like a charm.

    Regards,

    Gellert