How can I make eJabberd correctly use the ldap_filter attribute ?

I wish to allow login only to user accounts on my system, through an LDAP base. I expected I could do it with:

{ldap_filter, "(uidNumber>=500)"}.

However, it doesn't work and I have this in the ldap log:

slapd[32127]: conn=9 op=1 SRCH base="ou=personnes,dc=sanctuaire,dc=fr,dc=eu,dc=org" scope=2 deref=0 filter="(&(uid=gemini)(?uidNumber>=500))"

If I change the filter to {ldap_filter, "(uidNumber=500)"}., then it works (for user 500 of course ;) ), and I have slapd[32127]: conn=13 op=1 SRCH base="ou=personnes,dc=sanctuaire,dc=fr,dc=eu,dc=org" scope=2 deref=0 filter="(&(uid=gemini)(uidNumber=500))", without that weird ? added by eJabberd this time.

How can I do?

Re: How can I make eJabberd correctly use the ldap_filter

Seems like a bug, but I can't reproduce it. Could you please run the following tests?

1. Find ejabberd directory with BEAM files. Make sure there is eldap_filter.beam in that directory. cd there and type:

$ erl
1> eldap_filter:parse("(uidNumber>=500)").
2> eldap_filter:parse("(&(uid=gemini)(uidNumber>=500))").

2. Set log level to 5 (debug). Try to authenticate. Show an output of resulting log with LDAP messages.
3. Run "wireshark" and look into LDAP messages. Do you see an incorrect filter there?

If we find a bug we can fix it before 2.1.0 release.

1. Here is what I get within the erl interpreter:

# erl
Erlang (BEAM) emulator version 5.6.5 [source] [async-threads:0] [hipe] [kernel-poll:false]

Eshell V5.6.5  (abort with ^G)
1> eldap_filter:parse("(uidNumber>=500)").
{ok,{greaterOrEqual,{'AttributeValueAssertion',"uidNumber",
                                               "500"}}}
2>eldap_filter:parse("(&(uid=gemini)(uidNumber>=500))").
{ok,{'and',[{equalityMatch,{'AttributeValueAssertion',"uid",
                                                      "gemini"}},
            {greaterOrEqual,{'AttributeValueAssertion',"uidNumber",
                                                       "500"}}]}}

2. After setting the log level to 5, I have this as output in the log concerning my login attempt:

=INFO REPORT==== 2009-08-14 06:34:09 ===
D(<0.268.0>:eldap:593) : {searchRequest,
                          {'SearchRequest',
                           "ou=personnes,dc=sanctuaire,dc=fr,dc=eu,dc=org",
                           wholeSubtree,neverDerefAliases,0,0,false,
                           {'and',
                            [{equalityMatch,
                              {'AttributeValueAssertion',"uid","gemini"}},
                             {greaterOrEqual,
                              {'AttributeValueAssertion',"uidNumber","500"}}]},
                           []}}

=INFO REPORT==== 2009-08-14 06:34:09 ===
D(<0.268.0>:eldap:654) : {searchResDone,
                             {'LDAPResult',success,[],[],asn1_NOVALUE}}

=INFO REPORT==== 2009-08-14 06:34:09 ===
I(<0.430.0>:ejabberd_c2s:576) : ({socket_state,tls,{tlssock,#Port<0.1502>,#Port<0.1518>},<0.429.0>}) Failed authentication for gemini@blabla

As for wireshark, I'm really not good at using it ^^

Well, in the meantime I explored other tracks that could lead to explain the problem, and I think I have found the real cause which is not related to eJabberd, but to LDAP itself.

The thing is in fact quite simple: what I want to do is just not possible. That is because in the schema file (nis.schema) that defines uidNumber, this attribute has no ORDERING instruction, thus it is not possible to do a search based on ordering comparisons.

And since this is defined in an RFC, it is not possible to change it unless the RFC itself is updated, which is quite a heavy process. Finally, this attribute has been part of the standard since the X.501 days and it seems like the community is very reluctant to change any such attributes.

http://www.openldap.org/lists/openldap-software/200203/msg00181.html
http://www.openldap.org/lists/openldap-bugs/200607/msg00081.html

I guess I will have to find another way to do what I wanted to.
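Following up on the ORDERING explanation above, here is an added example (not from this thread, ejabberd or OpenLDAP): a Python check that reads attribute definitions in OpenLDAP schema syntax and reports which items of an ldap_filter the directory cannot evaluate, so the problem is caught before it shows up as a failed login. The schema excerpt is constructed, and `exampleOrderedNumber` is a hypothetical attribute used only to show the contrast.

```python
import re
# Constructed schema excerpt (not from the page): uid as in OpenLDAP core.schema,
# uidNumber as in the RFC 2307 nis.schema (EQUALITY only, no ORDERING), and a
# hypothetical attribute that does declare an ORDERING rule.
SAMPLE_SCHEMA = """
attributetype ( 0.9.2342.19200300.100.1.1 NAME ( 'uid' 'userid' )
    EQUALITY caseIgnoreMatch SUBSTR caseIgnoreSubstringsMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{256} )
attributetype ( 1.3.6.1.1.1.1.0 NAME 'uidNumber'
    EQUALITY integerMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1 NAME 'exampleOrderedNumber'
    EQUALITY integerMatch ORDERING integerOrderingMatch SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
"""

_DEF_RE = re.compile(r"attributetype\s*\((.*?)\)\s*(?=attributetype|\Z)", re.S | re.I)
_NAME_RE = re.compile(r"\bNAME\s+(?:'([^']+)'|\(([^)]*)\))", re.I)
_ITEM_RE = re.compile(r"\(\s*([A-Za-z][\w.;-]*)\s*(>=|<=|~=|=)\s*([^()]*)\)")


def parse_matching_rules(schema_text):
    """Map each attribute name (lower-cased) to its EQUALITY/ORDERING/SUBSTR rules."""
    rules = {}
    for body in _DEF_RE.findall(schema_text):
        m = _NAME_RE.search(body)
        if not m:
            continue
        names = [m.group(1)] if m.group(1) else re.findall(r"'([^']+)'", m.group(2))
        entry = {}
        for kw in ("EQUALITY", "ORDERING", "SUBSTR"):
            r = re.search(r"\b%s\s+(\S+)" % kw, body, re.I)
            if r:
                entry[kw] = r.group(1)
        for name in names:
            rules[name.lower()] = entry
    return rules


def unsupported_filter_items(ldap_filter, rules):
    """(attribute, operator, reason) for each simple filter item the schema cannot evaluate."""
    problems = []
    for attr, op, value in _ITEM_RE.findall(ldap_filter):
        if op in (">=", "<="):
            needed = "ORDERING"          # the uidNumber>=500 case from the thread
        elif op == "=":
            needed = "SUBSTR" if "*" in value else "EQUALITY"
        else:
            continue                     # '~=' (approximate match) is not modelled here
        entry = rules.get(attr.lower())
        if entry is None:
            problems.append((attr, op, "attribute not in schema"))
        elif needed not in entry:
            problems.append((attr, op, "no %s matching rule" % needed))
    return problems
```

Run it against the real schema files of your server (core.schema, nis.schema, and any site-specific ones) rather than the constructed excerpt to check a filter before putting it in ejabberd's config.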
