[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: back-meta: BindRequest to flat name space
>
>> HI!
>>
>> Some really weird software assumes a flat name space and does
>> authentication by doing a BindRequest against
>>
>> uid=<user id>,<search root>
>>
>> instead of searching the for (uid=<user id>) under <search root> and
>> use the DN in the result as Bind-DN.
>>
>> Is it possible to use back-meta in OpenLDAP 2.1.x to fix this
>> situation? Or do I have to implement my own LDAP proxy back-end?
>
> Yes, you can. If you can map <user id> to the DN,
> you can use the rewriteEngine to do the mapping
> for you before binding. Note that you can use
> back-ldap, which has the same rewriting features
> of back-meta with reduced overhead.
>
> You need to do something like
>
> database ldap
> suffix <search root>
>
> rewriteEngine on
> rewriteContext default
>
> # only if the real naming context is different from search root
> rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
> rewriteContext searchResult
> rewriteRule "<real naming context>$" "<search root>" ":"
> rewriteRule "(.*),<real naming context>$" "%1,<search root>" ":"
>
> rewriteContext matchedDN alias searchResult
>
> # this is to have safe defaults
> rewriteContext searchFilter
>
> # this is the real rule ...
> rewriteContext bindDN
> rewriteRule "^uid=([^,]+),<search root>$" "<rule with %1 as the uid>"
> ":" rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
> # and that's it. In slapd-meta(5) there is an example that
> # does something similar to what you're lookinhg for:
> # it defines a LDAP map (e.g. a LDAP search that maps
> # a matched portion of a pattern to the search result)
> # note that match 1 (%1) becomes the filter of the search;
> # the last two rules are caught as a safe fallthru in case
> # the search fails; they simply massage the DN, you don't
> # need them if <search root> and <real naming context> are
> # the same. The search should be calling the REAL database,
> # e.g. the same server back-ldap is targeting.
> rewriteContext bindDN
> rewriteMap ldap attr2dn "ldap:///<real naming context>?dn?sub"
> rewriteRule "^(uid=[^,]+),<search root>$" "%{attr2dn(%1)}" "@I"
> rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
>
>
> Note: I haven't used these features in a while,
> so I'm not sure they still work correctly, so
> feedback would be appreciated. In case of success,
> you may want to turn it into a FAQ...
I confirm it works with HEAD code, so it should
also with 2.1.X because the basic functionalities
did not change (despite a lot of API reworking).
All that's missing above is the
uri ldap://<smtg>
directive.
p.
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it