[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: using back-meta to fake group membership an incorrect rootDN
Neuharth, Steven wrote:
I have an LDAP directory here that has a root of dc=olddomain,dc=com
and I'd like to use openldap as a proxy to make this directory appear as if
it was ou=b2b,dc=newdomain,dc=com. I have the rewrite rules mostly working
in that I can search ou=b2b,dc=newdomain,dc=com and get results but when I
pull up a group, it's uniqueMembers still have a root of
dc=olddomain,dc-com.
Is there a way to use rewriteMap to rewrite the uniqueMember
attribute to make it appear as if the root was ou=b2b,dc=newdomain,dc=com?
Not strightforwardly, since uniqueMember has a syntax of
nameAndOptionalUID which is not totally compatible with
distinguishedName (it's essentially a DN plus an optional part
represented by a string representation of a binary number with
limitations, something very odd; that's one of the reasons "member"
should be used instead). However, since most of the users don't add the
trailing binary portion, you should be able to get something by mapping
"uniqueMember" on "member" and "groupOfUniqueNames" on "groupOfNames".
You don't state what version of OpenLDAP you're using; however,
something like
database ldap
suffix "ou=b2b,dc=newdomain,dc=com"
uri ldap://host:port
suffixmassage "ou=b2b,dc=newdomain,dc=com" "dc=olddomain,dc=com"
map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember
should do the trick. This works with 2.2 code; for instance, if you run
test003 and add
database ldap
suffix "dc=test,dc=example,dc=com"
uri "ldap://:9011"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
rwm-map attribute member uniqueMember
rwm-map objectClass groupOfNames groupOfUniqueNames
right before the "database dbd" directive, you get
[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b
'o=university of michigan,c=us' -LLL objectClass=groupOfUniqueNames
dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=US
owner: cn=Manager,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfUniqueNames
uniqueMember: cn=Manager,o=University of Michigan,c=US
uniqueMember: cn=Bjorn Jensen,ou=Information Technology
Division,ou=PEOPLE,o=U
niversity of Michigan,c=US
uniqueMember: cn=James A Jones 2,ou=Information Technology
Division,ou=PEOPLE,
o=University of Michigan,c=US
uniqueMember: cn=John Doe,ou=Information Technology
Division,ou=People,o=Unive
rsity of Michigan,c=US
[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b
'ou=Fake,o=university of michigan,c=us' -LLL objectClass=groupOfNames
dn: cn=ITD Staff,ou=Groups,ou=Fake,o=University of Michigan,c=US
owner: cn=Manager,ou=Fake,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfNames
member: cn=Manager,ou=Fake,o=University of Michigan,c=US
member: cn=Bjorn Jensen,ou=Information Technology
Division,ou=PEOPLE,ou=Fake,o
=University of Michigan,c=US
member: cn=James A Jones 2,ou=Information Technology
Division,ou=PEOPLE,ou=Fak
e,o=University of Michigan,c=US
member: cn=John Doe,ou=Information Technology
Division,ou=People,ou=Fake,o=Uni
versity of Michigan,c=US
A drawback is that you can't any longer access the original
"groupOfNames" and "member" items from the proxy, because all their
occurrences get remapped to "groupOfUniqueNames" and "uniqueMember".
Or, you can hack the code of back-ldap so that when checking for
distinguishedName syntax, nameAndOptionalUID syntaxes are rewritten as well.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497