RSS feed

disable masarati deref at run time?

[Date Prev][Date Next] [Thread Prev][Thread Next]

disable masarati deref at run time?

Regarding commit c6c317e[0], can I tell nslcd
"don't bother asking for deref, the server doesn't have it"?

I want to avoid the mildly irritating logs:
    slapd: slap_global_control: unrecognized control:

I get around 3000 per day.

I *can* just enable deref in slapd (I'm not using RFC2307bis anyway),
or just whitelist that log message in logcheck;
I'm just exploring alternatives.

I looked at compat/derefctl.c &c as at 0.9.4-3;
it looks like deref is always on iff available at ./configure time.

(Please don't add a nslcd.conf knob just for me --
 I'm quite happy to solve this on the server side :-)

[0] [c6c317e] : Implement deref control handling

    This uses the LDAP_CONTROL_X_DEREF control as described in
    draft-masarati-ldap-deref-00 to request the LDAP server to
    dereference group member attribute values to uid attribute values.

    This should reduce the number of searches that are required for
    expanding group members that use the member attribute.

    This mechanism could also be used to extract information on
    nested groups but the gains are less clear there.

    Not all LDAP servers support this control. In OpenLDAP, load the
    (currently undocumented) deref overlay and enable it for the
    database to take advantage of this improvement.

    There is a functional difference when using this control. Any
    returned deferred uid value returned by the LDAP server is accepted
    as a member.  No checks are performed to see if the user matches
    the search base and search filters set for passwd entries.
To unsubscribe send an email to or see