Univention Bugzilla – Bug 48196
Enable more LDAP filters for listener modules
Last modified: 2021-05-03 21:54:54 CEST
Currently only LDAP filters using equal matches are allowed for listener modules. See https://docs.software-univention.de/developer-reference.html#listener:handler filter (required) Defines a LDAP filter which is used to match the objects the listener is interested in. This filter is similar to the LDAP search filter as defined in RFC 2254, but more restricted: it is case sensitive it only supports equal matches It would be nice to be able to use more filters as described in the RFC: https://tools.ietf.org/html/rfc2254#section-4 I recently wanted to use an extensible filter for example.
This is probably not really possible due to the architecture of Listener/Notifier replication. Here the catch: The "LDAP-like" filters in listener modules are not really evaluated by an actual LDAP server (or library). The filtering is only "simulated". To implement an actual LDAP filtering of the objects, the code would have to know the LDAP schema and be capable to actually use the correct per attribute matching rules. In an ideal world we would change the Listener to use an (additional) LDAP server as caching backend (preferably embedded as a library, but nobody implemented such a thing until now). If we would have that, the Listener could offload the LDAP filtering process to his LDAP server backend. I would love to see this implemented, but I'm afraid the benefit/cost ratio is not good enough, as yet.