back-meta
Hi!
I've got a question concerning the Meta-backend. But first I have to
explain my current configuration:
I've got an OpenLDAP running on Linux which was compiled with the option
"--with-kpasswd". It holds the user-data used by Linux and other OSs and
has got the following structure:
dc=saarstahl,dc=de
|
+--ou=test
   |
   +--ou=users
   |  |
   |  +--uid=cju
   |  |
   |  *
   |
   +--ou=racf
      |
      *
The other LDAP server runs on an IBM mainframe (OS/390) and serves as a
nice interface to the security system of the mainframe (RACF). With the
current version of OS/390 it can only authenticate users with simple
authentication, but it supports SSL. I'll call this server RACF-LDAP in
the following.
The RACF-LDAP has got very restricted ACLs. Only a super-user can
view/modify all accounts and the other users may only view their own
account. It has got the following structure:
ou=test,dc=saarstahl,dc=de
|
+--ou=racf
   |
   +--profileType=USER
   |  |
   |  +--racfid=cju
   |  |
   |  *
   *
A Kerberos server also runs on the mainframe and uses RACF as its backend
too. Currently I don't use it. Instead I've created the same user on my
OpenLDAP with the same password (saved in plaintext in the
userPassword attribute).
Now I want to fit the RACF-LDAP tree into the tree of my OpenLDAP with the
help of back-meta. I configured my OpenLDAP and defined a rewriting rule
for the BindDN. Looking at /var/log/messages shows that the rewriting
works very well (e.g.
"uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
is rewritten to
"racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de").
A search only works if I bind as
"racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"
and search on that same DN. But if I try to bind as
"uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
and make a search on
"racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"
it fails.
When I took a look at /var/log/messages, I saw that back-meta only
makes anonymous binds when I bind to e.g. dc=saarstahl,dc=de and make
a search underneath ou=racf,ou=test,dc=saarstahl,dc=de.
Is there any possibility to get this stuff working without using referrals?
I'm sorry that I can't provide you with my configuration files, but I'm
currently at home. It seems that the guys at work have some problems
with our provider regarding their mail server. It was impossible to
register for this mailing list from work.
regards
Christian Jung
PS: The configuration should look like this:

# back-meta: proxies the ou=racf subtree to the RACF-LDAP on the mainframe
database meta
suffix "ou=racf,ou=test,dc=saarstahl,dc=de"
subordinate
uri ldap://mvstest.saarstahl.de/ou=racf,ou=test,dc=saarstahl,dc=de
rebind-as-user
lastmod off
rewriteEngine on
rewriteContext binddn
# slapd.conf continuation: a line beginning with whitespace belongs to the previous directive
rewriteRule "uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de" \
    "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"

# local ldbm database holding the rest of dc=saarstahl,dc=de
database ldbm
suffix "dc=saarstahl,dc=de"
rootdn "cn=Manager,dc=saarstahl,dc=de"
rootpw ****
directory /var/lib/ldap
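The following is an added illustration, not code from the post or from OpenLDAP: a small model of how slapd dispatches an operation to a database (the database whose suffix is the longest match for the operation's DN) and of what the posted binddn rewriteRule produces. It uses only the two suffixes and the rewrite rule from the configuration above; the DN normalization is a simplified stand-in for slapd's (it does not handle escaped commas), and it models dispatch by the operation's own DN only, not glued searches that span both databases. The rewrite is applied only when back-meta is the selected database, because that is where the rewriteContext runs.

```python
import re

# Database suffixes as given in the posted slapd.conf.
DATABASES = {
    "ldbm": "dc=saarstahl,dc=de",
    "meta": "ou=racf,ou=test,dc=saarstahl,dc=de",
}

# The posted binddn rewriteRule; slapd's %1 back-reference becomes \1 here.
BINDDN_PATTERN = re.compile(r"uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de")
BINDDN_SUBST = r"racfid=\1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"


def split_dn(dn):
    """Split a DN into RDNs, lower-cased, whitespace around commas dropped.
    Simplified stand-in for slapd's DN normalization (no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",")]


def is_under(dn, suffix):
    """True when dn equals suffix or lies somewhere below it."""
    d, s = split_dn(dn), split_dn(suffix)
    return len(d) >= len(s) and d[-len(s):] == s


def select_database(dn):
    """slapd hands an operation to the database whose suffix is the longest
    match for the operation's DN. Returns None for DNs outside every suffix."""
    best_name, best_depth = None, -1
    for name, suffix in DATABASES.items():
        depth = len(split_dn(suffix))
        if is_under(dn, suffix) and depth > best_depth:
            best_name, best_depth = name, depth
    return best_name


def rewrite_binddn(dn):
    """Apply the posted rewriteRule; DNs the pattern does not match come back unchanged."""
    return BINDDN_PATTERN.sub(BINDDN_SUBST, dn)


def trace(op, dn):
    """Report which local database handles the operation and, when that is
    back-meta, which DN the binddn rewrite would send on to the RACF-LDAP."""
    db = select_database(dn)
    outbound = rewrite_binddn(dn) if db == "meta" else None
    return {"op": op, "dn": dn, "database": db, "dn_sent_to_racf_ldap": outbound}


if __name__ == "__main__":
    # The DNs used in the post, run through the model.
    for op, dn in [
        ("bind", "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"),
        ("bind", "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"),
        ("search", "ou=racf,ou=test,dc=saarstahl,dc=de"),
    ]:
        print(trace(op, dn))
```

Running it shows which of the two databases each DN from the post lands in, and that the rewritten bind DN does fall under the back-meta suffix; that makes it easy to see, per operation, whether the credentials a client presents ever reach back-meta's rewrite context at all.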