
Re: slapd-meta / SearchFilter rewriting does not work - any hints?

Actually, current filter rewrite
simply addresses those attributes
in filters of type distinguishedName.

This change slipped in a while ago,
but I admit it would be nice to have
the old one back.  I'm happy you
brought the problem to attention.

I think we could allow both, making
the searchFilterDn rewriting a default,
and the searchFilterString rewriting
an option that must be explicitly
required.

I suggest you file an ITS so that
we can easily keep track of this
change.

In your specific case, you could
simply use a rewrite rule that
addresses DN valued attributes, e.g.

rewriteContext  searchFilter
rewriteRule     "([^)]+),dc=foo,[ ]?dc=bar(.*)"
    "%1,dc=foo%2"

p.

> Hello OpenLDAP Gurus,
>
> I worked with openldap some time ago and now came back
> when I heard that openldap supports meta-functionality.
>
> meta setup works rather fine but I don't succeed in
> rewriting the SearchFilter.
>
> My (simplified) setup
> ---------------------
> local BDB database Suffix dc=bar
> Subordinate META database Suffix dc=foo, dc=bar
>     proxying remote suffix which is just dc=foo
>
>   dc=bar
>    +- cn=Manager,dc=bar
>    +- dc=foo,dc=bar => meta to other ldap server
>
>   dc=foo
>    +- uid=test,dc=foo
>    +- cn=testgroup,dc=foo
>
> config
> ------
> # OpenLDAP 2.2.6 on Solaris.
> database        meta
> suffix          "dc=foo,dc=bar"
> subordinate
> uri             "ldap://otherhost/dc=foo,dc=bar"
> binddn          "*******"
> bindpw          "*******"
> rebind-as-user
> rewriteEngine   on
> rewriteContext  default
> rewriteRule     "(.*)dc=foo,[ ]?dc=bar" "%1dc=foo"
> rewriteContext  searchFilter
> rewriteRule     "(.*)member=([^)]+),dc=foo,[ ]?dc=bar(.*)"
> "%1member=%2,dc=foo%3"
> rewriteContext  searchResult
> rewriteRule     "(.*)dc=foo" "%1dc=foo,dc=bar"
>
> database        bdb
> suffix          "dc=bar"
> rootdn          "********"
> rootpw          {MD5}*********
> directory       /data/openldap/bar
> index   objectClass     eq
>
> problem(s)
> ----------
> I can browse everything pretty fine (local and meta).
>
> When I do a simple search for
>    (uid=test)
> the result below is OK (searchResult rewritten)
> Result: dn:uid=test,dc=foo,dc=bar
>         (original dn is just uid=test,dc=foo)
>
> But when I search for the group using:
>    (uniquemember=uid=test,dc=foo,dc=bar)
> I don't get a result.
> Tcpdump showed me that the following search is carried out:
>   BaseDN:  dc=foo (that's correct!)
>   Filter:  (uniquemember=uid=test,dc=foo,dc=bar) (incorrect!)
> No rewriting takes place.
>
> Trace (command line option "-d 1") also shows me that the rewrite
> for searchResult is called but never the one for searchFilter.
>
> ?? Any hints ??
> Has anybody got a similar setup which works? Which version of openldap?
> I searched bug database but didn't find a corresponding entry - so I'm
> asking the mailing list first ...
> Could it be a difference in schema?
> What are the requirements for searchFilter being applied?
>
> rgds,
> michael


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
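As an added illustration (not code from this thread or from OpenLDAP itself), the Python below models the rewrite behaviour the reply describes: the searchFilter context rewrites only the values of DN-syntax attributes, while the default and searchResult rules map the base DN out to the remote naming context and the returned DNs back. It assumes a slapd rewriteRule behaves like an unanchored regex match whose %N placeholders expand to captured groups, and the DN_ATTRS set is an assumed list of distinguishedName-typed attributes.

```python
import re

# Rules taken from the thread: the searchFilter rule suggested in the reply,
# plus the default and searchResult rules from the original config.
RULES = {
    "default":      [(r"(.*)dc=foo,[ ]?dc=bar", "%1dc=foo")],
    "searchFilter": [(r"([^)]+),dc=foo,[ ]?dc=bar(.*)", "%1,dc=foo%2")],
    "searchResult": [(r"(.*)dc=foo", "%1dc=foo,dc=bar")],
}

# Assumed set of attributes with distinguishedName syntax; the searchFilter
# context is applied to their values only, never to the whole filter string.
DN_ATTRS = {"member", "uniquemember", "owner", "manager", "seealso"}


def rewrite(context, value):
    """Apply the first matching rule of a context; %N expands to group N.
    A value matching no rule passes through unchanged."""
    for pattern, repl in RULES.get(context, []):
        m = re.search(pattern, value)
        if m:
            return re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))), repl)
    return value


def rewrite_filter(flt):
    """Rewrite the values of DN-syntax attributes inside a simple filter
    (equality components, possibly nested in & / | / !)."""
    def fix(m):
        attr, value = m.group(1), m.group(2)
        if attr.lower() in DN_ATTRS:
            value = rewrite("searchFilter", value)
        return "(%s=%s)" % (attr, value)
    return re.sub(r"\(([A-Za-z0-9;.-]+)=([^()]*)\)", fix, flt)


def proxy_search(base, flt, remote_dns):
    """Simulate the proxy hop: base and filter go out rewritten, the DNs the
    remote server returns (constructed sample input) come back rewritten."""
    return {
        "base": rewrite("default", base),
        "filter": rewrite_filter(flt),
        "results": [rewrite("searchResult", dn) for dn in remote_dns],
    }
```

Running proxy_search("dc=foo,dc=bar", "(uniquemember=uid=test,dc=foo,dc=bar)", ["cn=testgroup,dc=foo"]) shows the group search from the original post leaving with base dc=foo and filter (uniquemember=uid=test,dc=foo), and the returned DN mapped back under dc=bar.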