6423241 Respected Contributor.

LDAP query fails in loopback driver

I have a rule configured in a loopback driver whose purpose is to search for all users whose access expires on a given day, but I can't get it to work. I'm targeting the local server's LDAP interface. NDStrace shows the query and returns "0:0".  The same query against the same LDAP works fine in Apache Directory Studio.

Here is the query:

[CODE]

<do-set-local-variable name="ldap-filter" scope="policy">
<arg-string>
<token-text xml:space="preserve">(&amp;(OSUrelationshipExpires>=</token-text>
<token-convert-time dest-format="YYYYMMdd000000'Z'" offset-unit="day" src-format="!CTIME" src-tz="UTC">
<token-time format="!CTIME" tz="UTC"/>
</token-convert-time>
<token-text xml:space="preserve">)(OSUrelationshipExpires&lt;=</token-text>
<token-convert-time dest-format="YYYYMMdd235959'Z'" offset-unit="hour" src-format="!CTIME" src-tz="UTC">
<token-time format="!CTIME" tz="UTC"/>
</token-convert-time>
<token-text xml:space="preserve">)(!(OSUmedcenterPrimaryOrg=*)</token-text>
<token-text xml:space="preserve">))</token-text>
</arg-string>
</do-set-local-variable>

[/CODE]

Is there anything obviously wrong with this?  I can upload the entire driver export to pastebin if that would help.

Thanks
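As an added example (not part of the original post and not IDM's own code), here is the same filter built in Python. It computes the GeneralizedTime bounds of one UTC day the way the two token-convert-time calls in the policy do, escapes the values per RFC 4515 before inserting them into the filter, and converts a bound back to Unix seconds, which is the form ndstrace's RECM lines show the comparison in (for example the `>=1573516800` later in this thread). The attribute names are the ones in the policy; the function names and the ISO-date input form are my own choices.

```python
from datetime import date, datetime, timedelta, timezone
from typing import Tuple

# Attribute names as used in the policy above; the function names are mine.
EXPIRES_ATTR = "OSUrelationshipExpires"
PRIMARY_ORG_ATTR = "OSUmedcenterPrimaryOrg"


def escape_filter_value(value: str) -> str:
    """Escape an assertion value for an LDAP filter (RFC 4515 section 3).

    Only the characters that would change the filter's structure are escaped,
    each as a backslash followed by two hex digits.
    """
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def day_bounds_generalized_time(day_iso: str) -> Tuple[str, str]:
    """Return the first and last second of the given day (ISO form, e.g. 2019-11-12)
    in UTC as YYYYMMDDhhmmssZ, as the policy's dest-formats YYYYMMdd000000'Z'
    and YYYYMMdd235959'Z' produce."""
    day = date.fromisoformat(day_iso)
    start = datetime(day.year, day.month, day.day, tzinfo=timezone.utc)
    end = start + timedelta(days=1) - timedelta(seconds=1)
    fmt = "%Y%m%d%H%M%SZ"
    return start.strftime(fmt), end.strftime(fmt)


def expiring_guests_filter(day_iso: str) -> str:
    """Build the policy's filter: access expires within the day, and no primary org set.

    The presence test (attr=*) is filter syntax, so its asterisk is deliberately
    not escaped; only the assertion values are."""
    start, end = day_bounds_generalized_time(day_iso)
    return (
        f"(&({EXPIRES_ATTR}>={escape_filter_value(start)})"
        f"({EXPIRES_ATTR}<={escape_filter_value(end)})"
        f"(!({PRIMARY_ORG_ATTR}=*)))"
    )


def generalized_time_to_epoch(value: str) -> int:
    """Unix seconds for a YYYYMMDDhhmmssZ value; ndstrace's RECM lines show the
    filter's time comparisons in this form, so a traced bound can be checked
    against the day that was intended."""
    parsed = datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    return int(parsed.timestamp())


if __name__ == "__main__":
    day = "2019-11-12"
    print(expiring_guests_filter(day))
    for bound in day_bounds_generalized_time(day):
        print(bound, "->", generalized_time_to_epoch(bound))
```

Running it for 2019-11-12 reproduces the filter string exactly as it appears in the trace, and converts the lower bound to 1573516800, the value the RECM line compares against.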

11 Replies

Knowledge Partner

Re: LDAP query fails in loopback driver

eDirectory provides the best option on the market to troubleshoot LDAP.

I can recommend enabling LDAP trace, making a query from Apache, making the query from your policy and comparing the trace results.

Knowledge Partner

Re: LDAP query fails in loopback driver

And if you enable +RECM you will see the indexes it uses in each case, which can sometimes be helpful.

So run the test in the engine and in an LDAP browser and compare the Dstrace output.

Post some of it here.

Knowledge Partner

Re: LDAP query fails in loopback driver

Do you use the same credentials in Directory Studio and the driver?
______________________________________________
https://www.is4it.de/identity-access-management
6423241 Respected Contributor.

Re: LDAP query fails in loopback driver

Yes, the creds are the same.  Here is some ndstrace output.

Failed query via IDM loopback connection was at 11:40, successful query via Apache Directory Studio was at 11:48.

[CODE]
904021760 LDAP: [2019/11/12 11:40:11.750] New cleartext connection 0x12dc49c0 from 10.127.0.174:55192, monitor = 0xfb26700, index = 14
262297344 LDAP: [2019/11/12 11:40:11.755] DoBind on connection 0x12dc49c0
262297344 LDAP: [2019/11/12 11:40:11.755] Bind name:cn=loopbackproxy,o=osumc, version:3, authentication:simple
262297344 LDAP: [2019/11/12 11:40:11.768] Sending operation result 0:"":"" to connection 0x12dc49c0
880862976 LDAP: [2019/11/12 11:40:11.769] DoSearch on connection 0x12dc49c0
880862976 LDAP: [2019/11/12 11:40:11.769] Search request:
               base: "o=osumc"
               scope:1  dereference:0  sizelimit:1000  timelimit:0  attrsonly:0
               filter: "(&(OSUrelationshipExpires>=20191112000000Z)(OSUrelationshipExpires<=20191112235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
               attribute: "cn"
880862976 RECM: [2019/11/12 11:40:11.769] Iter #1120db90 query ((Flags&1)==1) && (ParentID==32781) && (((OSUrelationshipExpires$3911A$.Flags&8>=1573516800) &&  <++
880862976 RECM: [2019/11/12 11:40:11.769] Iter #1120db90 query ++> (OSUrelationshipExpires$3911A$.Flags&8<=1573603199) && (!((((( <++
880862976 RECM: [2019/11/12 11:40:11.769] Iter #1120db90 query ++> OSUmedcenterPrimaryOrg$3926A$.Flags&8)==8) && OSUmedcenterPrimaryOrg$3926A$.Flags&8))))))
880862976 RECM: [2019/11/12 11:40:11.770] Iter #1120db90 index = ParentID+CTS_IX
880862976 RECM: [2019/11/12 11:40:11.770] Iter #1120db90 first( ID_INVALID)
880862976 LDAP: [2019/11/12 11:40:11.770] Sending operation result 0:"":"" to connection 0x12dc49c0
881915648 LDAP: [2019/11/12 11:40:11.771] DoUnbind on connection 0x12dc49c0
881915648 LDAP: [2019/11/12 11:40:11.771] Connection 0x12dc49c0 closed

897705728 LDAP: [2019/11/12 11:48:12.023] DoSearch on connection 0x1121e080
897705728 LDAP: [2019/11/12 11:48:12.023] Search request:
               base: "o=OSUMC"
               scope:2  dereference:3  sizelimit:10000  timelimit:0  attrsonly:0
               filter: "(&(OSUrelationshipExpires>=20191111000000Z)(OSUrelationshipExpires<=20191111235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
               attribute: "objectClass"
897705728 RECM: [2019/11/12 11:48:12.024] Iter #14c7e010 query ((Flags&1)==1) && (((OSUrelationshipExpires$3911A$.Flags&8>=1573430400) && ( <++
897705728 RECM: [2019/11/12 11:48:12.024] Iter #14c7e010 query ++> OSUrelationshipExpires$3911A$.Flags&8<=1573516799) && (!(((((OSUmedcenterPrimaryOrg$3926A$.Flags <++
897705728 RECM: [2019/11/12 11:48:12.024] Iter #3581af00 query (Aliased_Object_Name$209A$>0)
897705728 RECM: [2019/11/12 11:48:12.024] Iter #3581af00 index = Aliased Object Name$IX$210
897705728 RECM: [2019/11/12 11:48:12.024] Iter #3581af00 first( eid=58162)
897705728 RECM: [2019/11/12 11:48:12.024] Iter #14c7e010 query ++> &8)==8) && OSUmedcenterPrimaryOrg$3926A$.Flags&8))))) && (AncestorID==32781))
897705728 RECM: [2019/11/12 11:48:12.026] Iter #14c7e010 index = #4864
897705728 RECM: [2019/11/12 11:48:12.026] Iter #14c7e010 first( eid=183525)
880862976 RECM: [2019/11/12 11:48:13.214] Iter #3480d710 setIndex( 261)
880862976 RECM: [2019/11/12 11:48:13.214] Iter #3480d710 query PartID==5 && Obituary$257A$
880862976 RECM: [2019/11/12 11:48:13.214] Iter #3480d710 index = Obituary$IX$261
880862976 RECM: [2019/11/12 11:48:13.214] Iter #3480d710 first( ID_INVALID)
897705728 LDAP: [2019/11/12 11:48:13.248] Sending search result entry "cn=USER_REDACTED,ou=users,o=OSUMC" to connection 0x1121e080
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ((Flags&1)==1) && (32171==34254) && (((OSUrelationshipExpires$3911A$.Flags&8>=1573430400) && ( <++
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ++> OSUrelationshipExpires$3911A$.Flags&8<=1573516799) && (!(((((OSUmedcenterPrimaryOrg$3926A$.Flags <++
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ++> &8)==8) && OSUmedcenterPrimaryOrg$3926A$.Flags&8))))))
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 NO INDEX USED
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 first( ID_INVALID)
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ((Flags&1)==1) && (32171==36227) && (((OSUrelationshipExpires$3911A$.Flags&8>=1573430400) && ( <++
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ++> OSUrelationshipExpires$3911A$.Flags&8<=1573516799) && (!(((((OSUmedcenterPrimaryOrg$3926A$.Flags <++
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 query ++> &8)==8) && OSUmedcenterPrimaryOrg$3926A$.Flags&8))))))
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 NO INDEX USED
897705728 RECM: [2019/11/12 11:48:13.249] Iter #14c7e010 first( ID_INVALID)
897705728 LDAP: [2019/11/12 11:48:13.249] Sending operation result 0:"":"" to connection 0x1121e080
880862976 RECM: [2019/11/12 11:48:14.086] Iter #3480d710 setIndex( 261)
880862976 RECM: [2019/11/12 11:48:14.086] Iter #3480d710 query PartID==5 && Obituary$257A$
880862976 RECM: [2019/11/12 11:48:14.086] Iter #3480d710 index = Obituary$IX$261
880862976 RECM: [2019/11/12 11:48:14.086] Iter #3480d710 first( ID_INVALID)
879810304 RECM: [2019/11/12 11:48:14.157] Iter #3470c710 setIndex( 261)
879810304 RECM: [2019/11/12 11:48:14.157] Iter #3470c710 query PartID==5 && Obituary$257A$
879810304 RECM: [2019/11/12 11:48:14.157] Iter #3470c710 index = Obituary$IX$261
879810304 RECM: [2019/11/12 11:48:14.157] Iter #3470c710 first( ID_INVALID)
[/CODE]

6423241 Respected Contributor.

Re: LDAP query fails in loopback driver

I ran two queries, one with IDM and the other with Apache Directory Studio. NDSTRACE output is here: https://pastebin.com/FCVt1FMp

Thanks

Knowledge Partner

Re: LDAP query fails in loopback driver

Scope is different:

Working query:

897705728 LDAP: [2019/11/12 11:48:12.023] Search request:
               base: "o=OSUMC"
               scope:2  dereference:3  sizelimit:10000  timelimit:0  attrsonly:0

               filter: "(&(OSUrelationshipExpires>=20191111000000Z)(OSUrelationshipExpires<=20191111235959Z)(!(OSUmedcenterPrimaryOrg=*)))"

Failing query:

880862976 LDAP: [2019/11/12 11:40:11.769] Search request:
               base: "o=osumc"
               scope:1  dereference:0  sizelimit:1000  timelimit:0  attrsonly:0
               filter: "(&(OSUrelationshipExpires>=20191112000000Z)(OSUrelationshipExpires<=20191112235959Z)(!(OSUmedcenterPrimaryOrg=*)))"

               attribute: "cn"

I forget what scope of 1 vs 2 is but 2 is probably subtree, and 1 is probably container and 0 is probably entry.

Also, what objectclass are you searching?  Is CN actually a value there? ObjectClass in the working query must be there, of course. CN usually is, not always though.

Knowledge Partner

Re: LDAP query fails in loopback driver

I can see differences in your Apache query and Driver query, and definitely different queries will generate different results.

The queries use a different scope, dereference, sizelimit and return attribute.

Apache:

base: "o=osumc"
scope:1 dereference:0 sizelimit:1000 timelimit:0 attrsonly:0
filter: "(&(OSUrelationshipExpires>=20191112000000Z)(OSUrelationshipExpires<=20191112235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
attribute: "cn" 

Driver:

base: "o=OSUMC"
scope:2 dereference:3 sizelimit:10000 timelimit:0 attrsonly:0
filter: "(&(OSUrelationshipExpires>=20191111000000Z)(OSUrelationshipExpires<=20191111235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
attribute: "objectClass"

Scope definitions (IESG; RFC 4516, RFC 4511):

baseObject (base) = 0
singleLevel (one) = 1
wholeSubtree (sub) = 2

dereference definitions:
neverDerefAliases (0) - Do not dereference aliases in searching or in locating the base object of the Search.
derefInSearching (1) -
While searching subordinates of the base object, dereference any alias within the search scope.
Dereferenced objects become the vertices of further search scopes where the Search operation is also applied.
If the search scope is wholeSubtree, the Search continues in the subtree(s) of any dereferenced object.
If the search scope is singleLevel, the search is applied to any dereferenced objects and is not applied to their subordinates.
Servers SHOULD eliminate duplicate entries that arise due to alias dereferencing while searching.
derefFindingBaseObj (2) - Dereference aliases in locating the base object of the Search, but not when searching subordinates of the base object.
derefAlways (3) - Dereference aliases both in searching and in locating the base object of the Search.


Info from the great site https://ldapwiki.com maintained by Jim Willeke
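To compare two traced searches mechanically rather than by eye, here is an added Python example; it is not code from this thread, from eDirectory or from IDM. It parses the "Search request:" blocks out of ndstrace LDAP output (the constructed sample below is the two requests posted earlier in this thread, with the RECM lines left out), attributes each "Sending search result entry" line to the search on that connection, and reports only the parameters that genuinely differ, comparing base DNs and attribute names case-insensitively so that "o=osumc" versus "o=OSUMC" is not flagged. Scope and dereference numbers are labelled with the RFC 4511 names quoted above. The function names and regular expressions are my own.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the two "Search request:" blocks from the thread's ndstrace
# output (loopback driver at 11:40, Apache Directory Studio at 11:48) plus the
# DoSearch / result lines around them; the RECM lines are omitted.
SAMPLE_TRACE = """\
880862976 LDAP: [2019/11/12 11:40:11.769] DoSearch on connection 0x12dc49c0
880862976 LDAP: [2019/11/12 11:40:11.769] Search request:
               base: "o=osumc"
               scope:1  dereference:0  sizelimit:1000  timelimit:0  attrsonly:0
               filter: "(&(OSUrelationshipExpires>=20191112000000Z)(OSUrelationshipExpires<=20191112235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
               attribute: "cn"
880862976 LDAP: [2019/11/12 11:40:11.770] Sending operation result 0:"":"" to connection 0x12dc49c0
897705728 LDAP: [2019/11/12 11:48:12.023] DoSearch on connection 0x1121e080
897705728 LDAP: [2019/11/12 11:48:12.023] Search request:
               base: "o=OSUMC"
               scope:2  dereference:3  sizelimit:10000  timelimit:0  attrsonly:0
               filter: "(&(OSUrelationshipExpires>=20191111000000Z)(OSUrelationshipExpires<=20191111235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
               attribute: "objectClass"
897705728 LDAP: [2019/11/12 11:48:13.248] Sending search result entry "cn=USER_REDACTED,ou=users,o=OSUMC" to connection 0x1121e080
897705728 LDAP: [2019/11/12 11:48:13.249] Sending operation result 0:"":"" to connection 0x1121e080
"""

# Names from RFC 4511 section 4.5.1.
SCOPE_NAMES = {0: "baseObject", 1: "singleLevel", 2: "wholeSubtree"}
DEREF_NAMES = {0: "neverDerefAliases", 1: "derefInSearching",
               2: "derefFindingBaseObj", 3: "derefAlways"}

DOSEARCH_RE = re.compile(r'^(?P<thread>\d+) LDAP: \[[^\]]+\] DoSearch on connection (?P<conn>0x[0-9a-f]+)$')
HEADER_RE = re.compile(r'^(?P<thread>\d+) LDAP: \[(?P<ts>[^\]]+)\] Search request:$')
ENTRY_RE = re.compile(r'^\d+ LDAP: \[[^\]]+\] Sending search result entry "(?P<dn>[^"]*)" to connection (?P<conn>0x[0-9a-f]+)$')
KV_RE = re.compile(r'(\w+):\s*("(?:[^"\\]|\\.)*"|\S+)')   # key: "quoted" or key:bare
INT_FIELDS = ("scope", "dereference", "sizelimit", "timelimit", "attrsonly")


def parse_search_requests(trace: str) -> List[Dict[str, object]]:
    """One dict per 'Search request:' block, plus the entries returned on that connection."""
    requests: List[Dict[str, object]] = []
    pending_conn: Dict[str, str] = {}   # thread id -> connection of its last DoSearch
    current = None
    for line in trace.splitlines():
        m = DOSEARCH_RE.match(line)
        if m:
            pending_conn[m.group("thread")] = m.group("conn")
            current = None
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"timestamp": m.group("ts"),
                       "connection": pending_conn.get(m.group("thread")),
                       "attributes": [], "entries": []}
            requests.append(current)
            continue
        m = ENTRY_RE.match(line)
        if m:
            # Credit the returned entry to the latest request on that connection.
            for req in reversed(requests):
                if req["connection"] == m.group("conn"):
                    req["entries"].append(m.group("dn"))
                    break
            current = None
            continue
        if current is None or not line.startswith(" "):
            current = None      # any other non-indented line ends the block
            continue
        for key, raw in KV_RE.findall(line):
            value = raw[1:-1] if raw.startswith('"') else raw
            if key == "attribute":
                current["attributes"].append(value)
            elif key in INT_FIELDS:
                current[key] = int(value)
            else:
                current[key] = value
    return requests


COMPARE_FIELDS = ("base", "scope", "dereference", "sizelimit", "timelimit",
                  "attrsonly", "filter", "attributes")


def _normalise(field: str, value):
    # DNs and attribute names are case-insensitive in LDAP, so "o=osumc" and
    # "o=OSUMC" are the same base; only real differences should be reported.
    if value is None:
        return None
    if field == "base":
        return value.lower()
    if field == "attributes":
        return tuple(a.lower() for a in value)
    return value


def diff_requests(a: Dict[str, object], b: Dict[str, object]) -> Dict[str, Tuple[object, object]]:
    """Return {field: (value_in_a, value_in_b)} for every search parameter that really differs."""
    return {f: (a.get(f), b.get(f)) for f in COMPARE_FIELDS
            if _normalise(f, a.get(f)) != _normalise(f, b.get(f))}


def explain(field: str, value) -> str:
    """Render scope and dereference numbers with their RFC 4511 names."""
    if field == "scope":
        return f"{value} ({SCOPE_NAMES.get(value, 'unknown')})"
    if field == "dereference":
        return f"{value} ({DEREF_NAMES.get(value, 'unknown')})"
    return repr(value)


if __name__ == "__main__":
    reqs = parse_search_requests(SAMPLE_TRACE)
    for r in reqs:
        print(f"{r['timestamp']} conn={r['connection']} scope={explain('scope', r['scope'])} "
              f"deref={explain('dereference', r['dereference'])} entries returned={len(r['entries'])}")
    print("differences (first vs second):")
    for field, (x, y) in diff_requests(reqs[0], reqs[1]).items():
        print(f"  {field}: {explain(field, x)} -> {explain(field, y)}")
```

Run on the sample it reports scope, dereference, sizelimit, filter and attributes as the differences, with zero entries returned to the 11:40 connection against one for 11:48. The scope difference is also visible in the posted RECM lines as the driver's `(ParentID==32781)` predicate versus `(AncestorID==32781)` for the Studio search, and the filters ask about different days (20191112 versus 20191111), so the two searches were not the same question.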

Knowledge Partner

Re: LDAP query fails in loopback driver

Nice, while I was looking for a good explanation, Geoffrey had already replied to the post. 🙂

Knowledge Partner

Re: LDAP query fails in loopback driver

Alex, but you found the real meanings, I guessed from memory.  Value to both. Thanks for looking it up for us.

6423241 Respected Contributor.

Re: LDAP query fails in loopback driver

The base for both queries is (or should be) o=osumc.  The scope for both is subtree.  I did not specify object class in either case (well, not intentionally) so I don’t know where that’s coming from.

I posted the query language earlier. Here’s the XPath expression:

<do-clone-xpath dest-expression="ExpiredGuests" src-expression="es:ldapSearch('~NOVLLIBLDAP.host~','~NOVLLIBLDAP.port~','~NOVLLIBLDAP.user~','~NOVLLIBLDAP.password~','~NOVLLIBLDAP.base~','~NOVLLIBLDAP.scope~',$ldap-filter,'cn')"/>

And here are the GCVs referenced:

LDAP Host: 10.127.0.174

LDAP Port: 389

LDAP User: cn=loopbackproxy,o=osumc

LDAP password: <redacted>

LDAP Base: o=osumc

LDAP Scope: subtree

Where do I specify the dereferencing behavior in IDM? 

Thanks

Knowledge Partner

Re: LDAP query fails in loopback driver

LDAP Scope: subtree is defined in your GCV ~NOVLLIBLDAP.scope~, but it looks different from your Apache query (where you use scope: single-level (1)).

I can see that you are passing the attribute name 'cn' to the ECMAScript function, but it doesn't look like the function used it.

base: "o=OSUMC"
scope:2 dereference:3 sizelimit:10000 timelimit:0 attrsonly:0
filter: "(&(OSUrelationshipExpires>=20191111000000Z)(OSUrelationshipExpires<=20191111235959Z)(!(OSUmedcenterPrimaryOrg=*)))"
attribute: "objectClass"

In my code I use Lothar's version of the ECMA ldapSearch (included in the Password Notification driver).
