
Re: using back-meta to fake group membership an incorrect rootDN



Neuharth, Steven wrote:

I have an LDAP directory here that has a root of dc=olddomain,dc=com
and I'd like to use openldap as a proxy to make this directory appear as if
it was ou=b2b,dc=newdomain,dc=com. I have the rewrite rules mostly working
in that I can search ou=b2b,dc=newdomain,dc=com and get results but when I
pull up a group, its uniqueMembers still have a root of
dc=olddomain,dc=com.
Is there a way to use rewriteMap to rewrite the uniqueMember
attribute to make it appear as if the root was ou=b2b,dc=newdomain,dc=com?


Not straightforwardly, since uniqueMember has a syntax of nameAndOptionalUID which is not totally compatible with distinguishedName (it's essentially a DN plus an optional part represented by a string representation of a binary number with limitations, something very odd; that's one of the reasons "member" should be used instead). However, since most of the users don't add the trailing binary portion, you should be able to get something by mapping "uniqueMember" on "member" and "groupOfUniqueNames" on "groupOfNames". You don't state what version of OpenLDAP you're using; however, something like

database        ldap
suffix          "ou=b2b,dc=newdomain,dc=com"
uri             ldap://host:port
suffixmassage   "ou=b2b,dc=newdomain,dc=com" "dc=olddomain,dc=com"
map             objectClass groupOfNames groupOfUniqueNames
map             attribute member uniqueMember

should do the trick. This works with 2.2 code; for instance, if you run test003 and add

database        ldap
suffix          "dc=test,dc=example,dc=com"
uri             "ldap://:9011"
overlay         rwm
rwm-suffixmassage       "dc=example,dc=com"
rwm-map         attribute member uniqueMember
rwm-map         objectClass groupOfNames groupOfUniqueNames

right before the "database bdb" directive, you get

[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'o=university of michigan,c=us' -LLL objectClass=groupOfUniqueNames
dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=US
owner: cn=Manager,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfUniqueNames
uniqueMember: cn=Manager,o=University of Michigan,c=US
uniqueMember: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,o=University of Michigan,c=US
uniqueMember: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,o=University of Michigan,c=US
uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,o=University of Michigan,c=US


[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'ou=Fake,o=university of michigan,c=us' -LLL objectClass=groupOfNames
dn: cn=ITD Staff,ou=Groups,ou=Fake,o=University of Michigan,c=US
owner: cn=Manager,ou=Fake,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfNames
member: cn=Manager,ou=Fake,o=University of Michigan,c=US
member: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,ou=Fake,o=University of Michigan,c=US
member: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,ou=Fake,o=University of Michigan,c=US
member: cn=John Doe,ou=Information Technology Division,ou=People,ou=Fake,o=University of Michigan,c=US


A drawback is that you can no longer access the original "groupOfNames" and "member" items from the proxy, because all their occurrences get remapped to "groupOfUniqueNames" and "uniqueMember". Or, you can hack the code of back-ldap so that when checking for distinguishedName syntax, nameAndOptionalUID syntaxes are rewritten as well.

p.



   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
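The following is an added illustration, not code from this thread and not OpenLDAP's own code: a small Python model of what the reply's "suffixmassage" plus "map" directives do to a group entry on the way back from the remote server. It shows the three states discussed above: the questioner's situation (uniqueMember values left untouched because only distinguishedName-syntax attributes get massaged), the reply's workaround (map uniqueMember onto member and groupOfUniqueNames onto groupOfNames, after which the values are rewritten), and the caveat about the optional "#'0101'B" tail of nameAndOptionalUID, which a plain DN massage does not match. The list of DN-syntax attributes, the sample entry, the case-insensitive suffix comparison and the regex for the UID tail are all simplifying assumptions of this model, not how slapd implements it.

```python
# Added illustration (not from the thread or from OpenLDAP): a toy model of
# back-ldap/rwm "suffixmassage" + "map" applied to a group entry returned by
# the remote server.
import re

REMOTE_SUFFIX = "dc=olddomain,dc=com"            # what the real server holds
VIRTUAL_SUFFIX = "ou=b2b,dc=newdomain,dc=com"    # what the proxy should present

# Attributes with distinguishedName syntax; the proxy massages only these.
# Assumption of this model: a fixed set instead of a schema lookup.
DN_SYNTAX_ATTRS = {"member", "owner", "seeAlso"}

# Constructed sample entry as the remote server returns it.  The second
# uniqueMember carries the optional UID bit string the reply mentions.
REMOTE_GROUP = {
    "dn": "cn=Staff,ou=Groups,dc=olddomain,dc=com",
    "objectClass": ["top", "groupOfUniqueNames"],
    "cn": ["Staff"],
    "owner": ["cn=Manager,dc=olddomain,dc=com"],
    "uniqueMember": [
        "cn=Manager,dc=olddomain,dc=com",
        "cn=Jane Doe,ou=People,dc=olddomain,dc=com#'0101'B",
    ],
}

def massage_dn(value, remote=REMOTE_SUFFIX, virtual=VIRTUAL_SUFFIX):
    """Replace a trailing remote suffix by the virtual one.  Simplified:
    case-insensitive string compare, no DN normalisation.  A value that does
    not end in the suffix (e.g. one with a '#...'B tail) comes back unchanged."""
    if value.lower().endswith(remote.lower()):
        return value[: len(value) - len(remote)] + virtual
    return value

# nameAndOptionalUID: a DN, optionally followed by #'<bits>'B (assumed shape).
_NAME_AND_UID = re.compile(r"^(?P<dn>.*?)(?P<uid>#'[01]*'B)?$")

def massage_name_and_optional_uid(value, remote=REMOTE_SUFFIX, virtual=VIRTUAL_SUFFIX):
    """Split off the optional UID tail, massage the DN part, reattach the tail:
    the extra handling the reply says back-ldap would have to be hacked to do."""
    m = _NAME_AND_UID.match(value)
    return massage_dn(m.group("dn"), remote, virtual) + (m.group("uid") or "")

def rewrite_entry(entry, attr_map=None, oc_map=None, uid_aware=False):
    """Model of the proxy's response path: rename attributes and objectClass
    values first (what "map" does, given here as remote->virtual dicts), then
    massage the entry DN and every value of a DN-syntax attribute."""
    attr_map = attr_map or {}
    oc_map = oc_map or {}
    out = {"dn": massage_dn(entry["dn"])}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        name = attr_map.get(attr, attr)
        if name == "objectClass":
            out[name] = [oc_map.get(v, v) for v in values]
        elif name in DN_SYNTAX_ATTRS:
            fn = massage_name_and_optional_uid if uid_aware else massage_dn
            out[name] = [fn(v) for v in values]
        else:
            out[name] = list(values)
    return out

# The reply's two map directives, expressed as remote-name -> virtual-name.
OC_MAP = {"groupOfUniqueNames": "groupOfNames"}
ATTR_MAP = {"uniqueMember": "member"}

if __name__ == "__main__":
    print("no map (questioner's view):", rewrite_entry(REMOTE_GROUP))
    print("mapped (reply's workaround):", rewrite_entry(REMOTE_GROUP, ATTR_MAP, OC_MAP))
    print("mapped + UID-aware:", rewrite_entry(REMOTE_GROUP, ATTR_MAP, OC_MAP, uid_aware=True))
```

Without the map, only "owner" and the entry DN move under the virtual suffix and the uniqueMember values keep the old root, which is exactly the symptom in the question. With the map, the values are treated as member values and get rewritten, except the one carrying a UID tail, which no longer ends in the remote suffix and falls through untouched; that is the "most users don't add the trailing binary portion" caveat, and the uid_aware path is what a back-ldap patch for nameAndOptionalUID would need to do.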