Re: back-meta: BindRequest to flat name space
> HI!
>
> Some really weird software assumes a flat name space and does
> authentication by doing a BindRequest against
>
> uid=<user id>,<search root>
>
> instead of searching for (uid=<user id>) under <search root> and using
> the DN in the result as Bind-DN.
>
> Is it possible to use back-meta in OpenLDAP 2.1.x to fix this situation?
> Or do I have to implement my own LDAP proxy back-end?
Yes, you can. If you can map <user id> to the DN,
you can use the rewriteEngine to do the mapping
for you before binding. Note that you can use
back-ldap, which has the same rewriting features
as back-meta with reduced overhead.
You need to do something like
database ldap
suffix <search root>
rewriteEngine on
rewriteContext default
# only if the real naming context is different from search root
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
rewriteContext searchResult
rewriteRule "<real naming context>$" "<search root>" ":"
rewriteRule "(.*),<real naming context>$" "%1,<search root>" ":"
rewriteContext matchedDN alias searchResult
# this is to have safe defaults
rewriteContext searchFilter
# this is the real rule ...
rewriteContext bindDN
rewriteRule "^uid=([^,]+),<search root>$" "<rule with %1 as the uid>" ":"
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
# and that's it. In slapd-meta(5) there is an example that
# does something similar to what you're looking for:
# it defines an LDAP map (e.g. an LDAP search that maps
# a matched portion of a pattern to the search result);
# note that match 1 (%1) becomes the filter of the search;
# the last two rules are caught as a safe fallthru in case
# the search fails; they simply massage the DN, you don't
# need them if <search root> and <real naming context> are
# the same. The search should be calling the REAL database,
# e.g. the same server back-ldap is targeting.
rewriteContext bindDN
rewriteMap ldap attr2dn "ldap:///<real naming context>?dn?sub"
rewriteRule "^(uid=[^,]+),<search root>$" "%{attr2dn(%1)}" "@I"
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
Note: I haven't used these features in a while,
so I'm not sure they still work correctly, so
feedback would be appreciated. In case of success,
you may want to turn it into a FAQ...
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
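A small model of how the bindDN context in the message above behaves, written here as an added example (it is not OpenLDAP code and not the author's): the %{attr2dn(%1)} lookup with "@I" stops at the first hit and, on a miss, falls through to the suffix-massaging rules. The placeholders are filled with constructed values (o=flat as <search root>, ou=people,dc=example,dc=com as <real naming context>), a dict stands in for the directory the ldap map would search, and since librewrite's substitution replaces the whole matched string, the bare-base rule is anchored with ^ in this model.

```python
import re

# Constructed placeholder values standing in for the post's <...> markers.
SEARCH_ROOT = "o=flat"                    # <search root> the flat client binds under
REAL_NC = "ou=people,dc=example,dc=com"   # <real naming context> on the real server

# Constructed stand-in for the directory the attr2dn ldap map searches:
# filter -> DN, as "ldap:///<real nc>?dn?sub" with %1 as the filter would return.
DIRECTORY = {"(uid=alice)": "cn=Alice Smith,ou=eng," + REAL_NC,
             "(uid=bob)": "cn=Bob Jones,ou=ops," + REAL_NC}

def attr2dn(arg):
    """Model of the attr2dn map: the matched 'uid=xxx' becomes the search
    filter; return the matching DN, or None when the search finds nothing."""
    return DIRECTORY.get("(%s)" % arg)

MAPS = {"attr2dn": attr2dn}

# The three bindDN rules from the post (pattern, substitution, flags).
# Substitution replaces the whole string, so the bare-base rule is anchored.
BIND_DN_RULES = [
    (r"^(uid=[^,]+)," + re.escape(SEARCH_ROOT) + r"$", "%{attr2dn(%1)}", "@I"),
    (r"^" + re.escape(SEARCH_ROOT) + r"$", REAL_NC, ":"),
    (r"^(.*)," + re.escape(SEARCH_ROOT) + r"$", "%1," + REAL_NC, ":"),
]

def substitute(repl, m):
    """Expand %1..%9 from the match, then %{map(arg)} calls; None = map failed."""
    out = re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))), repl)
    failed = []
    def call(g):
        val = MAPS[g.group(1)](g.group(2))
        failed.append(val is None)
        return val or ""
    out = re.sub(r"%\{(\w+)\(([^)]*)\)\}", call, out)
    return None if any(failed) else out

def rewrite_bind_dn(dn, rules=BIND_DN_RULES):
    """Apply rules in order: ':' keeps going after a match, '@' stops at the
    first rule that matched and substituted, 'I' turns a failed map into a
    no-op so the following rules act as the safe fallthrough."""
    for pattern, repl, flags in rules:
        m = re.search(pattern, dn)
        if m is None:
            continue
        new = substitute(repl, m)
        if new is None:                 # the ldap search found no entry
            if "I" in flags:
                continue
            raise ValueError("rewrite of %r failed" % dn)
        dn = new
        if "@" in flags:
            break
    return dn
```

An unknown uid is not rejected by the proxy itself: it is passed through as uid=<user id>,<real naming context>, and the bind then fails on the real server because no such entry exists.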