Re: sldapd-meta / SearchFilter rewriting does not work - any hints?
Actually, current filter rewrite
simply addresses those attributes
in filters of type distinguishedName.
This change slipped in a while ago,
but I admit it would be nice to have
the old one back. I'm happy you
brought the problem to attention.
I think we could allow both, making
the searchFilterDn rewriting a default,
and the searchFilterString rewriting
an option that must be explicitly
required.
I suggest you file an ITS so that
we can easily keep track of this
change.
In your specific case, you could
simply use a rewrite rule that
addresses DN valued attributes, e.g.

    rewriteContext searchFilter
    rewriteRule "([^)]+),dc=foo,[ ]?dc=bar(.*)" "%1,dc=foo%2"

p.
> Hello OpenLDAP Gurus,
>
> I worked with openldap some time ago and now came back
> when I heard that openldap supports meta-functionality.
>
> meta setup works rather fine but I don't succeed in
> rewriting the SearchFilter.
>
> My (simplified) setup
> ---------------------
> local BDB database Suffix dc=bar
> Subordinate META database Suffix dc=foo, dc=bar
> proxying remote suffix which is just dc=foo
>
> dc=bar
> +- cn=Manager,dc=bar
> +- dc=foo,dc=bar => meta to other ldap server
>
> dc=foo
> +- uid=test,dc=foo
> +- cn=testgroup,dc=foo
>
> config
> ------
> # OpenLDAP 2.2.6 on Solaris.
> database meta
> suffix "dc=foo,dc=bar"
> subordinate
> uri "ldap://otherhost/dc=foo,dc=bar"
> binddn "*******"
> bindpw "*******"
> rebind-as-user
> rewriteEngine on
> rewriteContext default
> rewriteRule "(.*)dc=foo,[ ]?dc=bar" "%1dc=foo"
> rewriteContext searchFilter
> rewriteRule "(.*)member=([^)]+),dc=foo,[ ]?dc=bar(.*)" "%1member=%2,dc=foo%3"
> rewriteContext searchResult
> rewriteRule "(.*)dc=foo" "%1dc=foo,dc=bar"
>
> database bdb
> suffix "dc=bar"
> rootdn "********"
> rootpw {MD5}*********
> directory /data/openldap/bar
> index objectClass eq
>
> problem(s)
> ----------
> I can browse everything pretty fine (local and meta).
>
> When I do a simple search for
> (uid=test)
> the result below is OK (searchResult rewritten)
> Result: dn:uid=test,dc=foo,dc=bar
> (original dn is just uid=test,dc=foo)
>
> But when I search for the group using:
> (uniquemember=uid=test,dc=foo,dc=bar)
> I don't get a result.
> Tcpdump showed me that the following search is carried out:
> BaseDN: dc=foo (that's correct!)
> Filter: (uniquemember=uid=test,dc=foo,dc=bar) (incorrect!)
> No rewriting takes place.
>
> Trace (command line option "-d 1") also shows me that the rewrite
> for searchResult is called but never the one for searchFilter.
>
> ?? Any hints ??
> Has anybody got a similar setup which works ? Which version of openldap?
> I searched bug database but didn't find a corresponding entry - so I'm
> asking the mailing list first ...
> Could it be a difference in schema?
> What are the requirements for searchFilter being applied?
>
> rgds,
> michael
--
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
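
An offline sketch of the difference the reply describes, added here as an example (it is not OpenLDAP code and not from either poster). It applies the two rules from the thread with Python's re in place of slapd's regex engine, and assumes a single pass in which a matching rule's output is the substitution string, and that member and uniquemember are the attributes handed to the rule as DNs.

```python
import re

# Rules copied from the thread; evaluated with Python's re, not by slapd.
ORIGINAL_RULE = (r"(.*)member=([^)]+),dc=foo,[ ]?dc=bar(.*)", "%1member=%2,dc=foo%3")
SUGGESTED_RULE = (r"([^)]+),dc=foo,[ ]?dc=bar(.*)", "%1,dc=foo%2")

# Assumption for this example: attributes whose assertion values are
# passed to the searchFilter context as DNs.
DN_ATTRS = {"member", "uniquemember"}

# Simple "(attr=value)" items inside a possibly compound filter.
SIMPLE_ITEM = re.compile(r"\(([^=()<>~]+)=([^()]*)\)")


def apply_rule(rule, value):
    """Single pass (assumed): on a match, return the substitution string with
    %N replaced by submatch N; on no match, return the input unchanged."""
    pattern, subst = rule
    m = re.search(pattern, value)
    if m is None:
        return value
    return re.sub(r"%(\d)", lambda g: m.group(int(g.group(1))) or "", subst)


def rewrite_filter_string(rule, flt):
    """Whole-filter rewriting: the rule sees the complete filter string."""
    return apply_rule(rule, flt)


def rewrite_filter_dn(rule, flt):
    """DN-only rewriting: the rule sees just the value of DN-valued items."""
    def fix(item):
        attr, value = item.group(1), item.group(2)
        if attr.lower() in DN_ATTRS:
            value = apply_rule(rule, value)
        return f"({attr}={value})"
    return SIMPLE_ITEM.sub(fix, flt)


if __name__ == "__main__":
    # Constructed sample filter built around the search from the thread.
    flt = "(&(objectClass=groupOfUniqueNames)(uniquemember=uid=test,dc=foo,dc=bar))"
    print("original rule, whole filter:", rewrite_filter_string(ORIGINAL_RULE, flt))
    print("original rule, DN value:    ", rewrite_filter_dn(ORIGINAL_RULE, flt))
    print("suggested rule, DN value:   ", rewrite_filter_dn(SUGGESTED_RULE, flt))
```

A rule that anchors on `member=` never matches when only the DN value is passed in, so the filter goes out unrewritten, while the DN-oriented rule strips the local suffix.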