ejabberd - Comments for "How can I make eJabberd correctly use the ldap_filter attribute ?"

Well, in the meantime I

Gemini — Fri, 14 Aug 2009 06:50:29 +0000

Well, in the meantime I explored other tracks that could lead to explain the problem, and I think I have found the real cause which is not related to eJabberd, but to LDAP itself.

The thing is in fact quite simple : what I want to do is just not possible. That is because in the schema file (nis.schema) that defines the uidNumber, this attribute has no ORDERING instruction, thus it is not possible to do a search based on ordering comparisons.

And since this is defined in an RFC, it is not possible to make it change unless the RFC itself is updated, which is quite a heavy process. Finally, this attribute is part of the standard since the X.501 time and it seems like the community is very reluctant in changing any such attributes.

http://www.openldap.org/lists/openldap-software/200203/msg00181.html
http://www.openldap.org/lists/openldap-bugs/200607/msg00081.html

I guess I will have to find another way to do what I wanted to.

1. Here is what I get within

Gemini — Fri, 14 Aug 2009 06:32:20 +0000

1. Here is what I get within the erl interpreter:

# erl
Erlang (BEAM) emulator version 5.6.5 [source] [async-threads:0] [hipe] [kernel-poll:false]
Eshell V5.6.5  (abort with ^G)
1> eldap_filter:parse("(uidNumber>=500)").
{ok,{greaterOrEqual,{'AttributeValueAssertion',"uidNumber",
                                               "500"}}}
2>eldap_filter:parse("(&(uid=gemini)(uidNumber>=500))").
{ok,{'and',[{equalityMatch,{'AttributeValueAssertion',"uid",
                                                      "gemini"}},
            {greaterOrEqual,{'AttributeValueAssertion',"uidNumber",
                                                       "500"}}]}}

2. After setting the log level to 5, I have this as output in the log concerning my login attempt:

=INFO REPORT==== 2009-08-14 06:34:09 ===
D(<0.268.0>:eldap:593) : {searchRequest,
                          {'SearchRequest',
                           "ou=personnes,dc=sanctuaire,dc=fr,dc=eu,dc=org",
                           wholeSubtree,neverDerefAliases,0,0,false,
                           {'and',
                            [{equalityMatch,
                              {'AttributeValueAssertion',"uid","gemini"}},
                             {greaterOrEqual,
                              {'AttributeValueAssertion',"uidNumber","500"}}]},
                           []}}
=INFO REPORT==== 2009-08-14 06:34:09 ===
D(<0.268.0>:eldap:654) : {searchResDone,
                             {'LDAPResult',success,[],[],asn1_NOVALUE}}
=INFO REPORT==== 2009-08-14 06:34:09 ===
I(<0.430.0>:ejabberd_c2s:576) : ({socket_state,tls,{tlssock,#Port<0.1502>,#Port<0.1518>},<0.429.0>}) Failed authentication for gemini@blabla

As for wireshark, I'm really not good at using it ^^

Re: How can I make eJabberd correctly use the ldap_filter

zinid — Fri, 14 Aug 2009 03:46:59 +0000

Seems like a bug, but I can't reproduce it. Could you please run the following tests?

1. Find ejabberd directory with BEAM files. Make sure there is eldap_filter.beam in that directory. cd there and type:

$ erl
1> eldap_filter:parse("(uidNumber>=500)").
2> eldap_filter:parse("(&(uid=gemini)(uidNumber>=500))").

2. Set log level to 5 (debug). Try to authenticate. Show an output of resulting log with LDAP messages.
3. Run "wireshark" and look into LDAP messages. Do you see an incorrect filter there?

If we find a bug we can fix it before 2.1.0 release.