
RE: using back-meta to fake group membership an incorrect rootDN



Interesting. It does work now that I have added those map directives. Is
there a good book or source for information regarding meta-back or overlays?
It seems as if you can do so much with them but I have not found any good
tutorials or how-tos on these subjects. The examples in the source help but
clearly are a small subset of the capabilities.

I do not seem to be able to search at the dc=moneygram,dc=com level. It
works fine if I search a specific DC beneath that level but, as you can see
in the config, dc=moneygram,dc=com does not really exist. Can searches from
that suffix be relayed down to my more specific suffixes?

The backend directory is actually iPlanet 5.2 not OpenLDAP. My config looks
like this:

database        ldbm
suffix          "ou=corp,dc=moneygram,dc=com"
rootdn          "cn=Manager,ou=corp,dc=moneygram,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          XXX
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 tls=yes
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

database        meta
suffix          "dc=temgweb,dc=com"
suffix          "ou=b2b,dc=moneygram,dc=com"
dncache-ttl     forever
lastmod         off
uri             "ldap://XXX:@PORT@/dc=temgweb,dc=com"
binddn          "cn=Directory Manager"
bindpw          "XXX"
pseudorootdn    "cn=Manager,ou=b2b,dc=moneygram,dc=com"
pseudorootpw    XXX
map             objectClass groupOfNames groupOfUniqueNames
map             attribute member uniqueMember

rewriteEngine   on

rewriteContext  default
rewriteRule     "(.*)ou=b2b,dc=moneygram,dc=com" "%1dc=temgweb,dc=com"
rewriteContext  searchFilter
rewriteRule     "(.*)Member=([^)]+),ou=b2b,dc=moneygram,dc=com(.*)" "%1Member=%2,dc=temgweb,dc=com%3"
rewriteContext  searchBase alias default

rewriteContext  searchResult
rewriteRule     "(.*)dc=temgweb,dc=com" "%1ou=b2b,dc=moneygram,dc=com"
rewriteContext  matchedDN alias searchResult

-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Tuesday, January 18, 2005 3:31 PM
To: Neuharth, Steven
Cc: 'openldap-software@OpenLDAP.org'
Subject: Re: using back-meta to fake group membership an incorrect
rootDN


Neuharth, Steven wrote:

>	I have an LDAP directory here that has a root of dc=olddomain,dc=com
>and I'd like to use openldap as a proxy to make this directory appear as if
>it was ou=b2b,dc=newdomain,dc=com. I have the rewrite rules mostly working
>in that I can search ou=b2b,dc=newdomain,dc=com and get results but when I
>pull up a group, it's uniqueMembers still have a root of
>dc=olddomain,dc=com.
>	Is there a way to use rewriteMap to rewrite the uniqueMember
>attribute to make it appear as if the root was ou=b2b,dc=newdomain,dc=com?
>  
>
Not straightforwardly, since uniqueMember has a syntax of 
nameAndOptionalUID which is not totally compatible with 
distinguishedName (it's essentially a DN plus an optional part 
represented by a string representation of a binary number with 
limitations, something very odd; that's one of the reasons "member" 
should be used instead).  However, since most of the users don't add the 
trailing binary portion, you should be able to get something by mapping 
"uniqueMember" on "member" and "groupOfUniqueNames" on "groupOfNames". 
You don't state what version of OpenLDAP you're using; however, 
something like

database        ldap
suffix          "ou=b2b,dc=newdomain,dc=com"
uri             ldap://host:port
suffixmassage   "ou=b2b,dc=newdomain,dc=com" "dc=olddomain,dc=com"
map             objectClass groupOfNames groupOfUniqueNames
map             attribute member uniqueMember

should do the trick.  This works with 2.2 code; for instance, if you run 
test003 and add

database        ldap
suffix          "dc=test,dc=example,dc=com"
uri             "ldap://:9011"
overlay         rwm
rwm-suffixmassage       "dc=example,dc=com"
rwm-map         attribute member uniqueMember
rwm-map         objectClass groupOfNames groupOfUniqueNames

right before the "database bdb" directive, you get

[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'o=university of michigan,c=us' -LLL objectClass=groupOfUniqueNames
dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=US
owner: cn=Manager,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfUniqueNames
uniqueMember: cn=Manager,o=University of Michigan,c=US
uniqueMember: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,o=U
 niversity of Michigan,c=US
uniqueMember: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,
 o=University of Michigan,c=US
uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,o=Unive
 rsity of Michigan,c=US

[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'ou=Fake,o=university of michigan,c=us' -LLL objectClass=groupOfNames
dn: cn=ITD Staff,ou=Groups,ou=Fake,o=University of Michigan,c=US
owner: cn=Manager,ou=Fake,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfNames
member: cn=Manager,ou=Fake,o=University of Michigan,c=US
member: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,ou=Fake,o
 =University of Michigan,c=US
member: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,ou=Fak
 e,o=University of Michigan,c=US
member: cn=John Doe,ou=Information Technology Division,ou=People,ou=Fake,o=Uni
 versity of Michigan,c=US

A drawback is that you can't any longer access the original 
"groupOfNames" and "member" items from the proxy, because all their 
occurrences get remapped to "groupOfUniqueNames" and "uniqueMember". 
Or, you can hack the code of back-ldap so that when checking for 
distinguishedName syntax, nameAndOptionalUID syntaxes are rewritten as well.

p.



    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
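Added illustration, not code from this thread or from OpenLDAP: a small Python model of what the suffixmassage and map directives in Pierangelo's example do to the test003 group entry when it is returned through the proxy. It goes one step beyond the page by also handling the case his reply says plain DN rewriting misses, a uniqueMember value that carries the optional trailing UID bit string. The sample entry, the ou=Fake suffix values and all function names are constructed for this example.

```python
import re

# Constructed sample values, modelled on the test003 entry quoted in the thread.
REAL_SUFFIX = "o=University of Michigan,c=US"
VIRTUAL_SUFFIX = "ou=Fake,o=University of Michigan,c=US"
OBJECTCLASS_MAP = {"groupOfUniqueNames": "groupOfNames"}   # rwm-map objectClass
ATTRIBUTE_MAP = {"uniqueMember": "member"}                 # rwm-map attribute
DN_VALUED = {"owner", "member", "uniqueMember", "seeAlso"}  # values that get massaged
_UID_TAIL = re.compile(r"#'[01]*'B$")  # optional nameAndOptionalUID tail, e.g. #'0110'B

SAMPLE_ENTRY = {
    "dn": "cn=ITD Staff,ou=Groups,o=University of Michigan,c=US",
    "objectClass": ["groupOfUniqueNames"],
    "owner": ["cn=Manager,o=University of Michigan,c=US"],
    "uniqueMember": [
        "cn=Manager,o=University of Michigan,c=US",
        # constructed: a member value that does use the optional UID part
        "cn=John Doe,ou=People,o=University of Michigan,c=US#'0110'B",
    ],
}

def split_name_and_uid(value):
    """Split a nameAndOptionalUID value into (dn, uid_tail); uid_tail may be ''."""
    m = _UID_TAIL.search(value)
    return (value[:m.start()], value[m.start():]) if m else (value, "")

def massage_dn(dn, real=REAL_SUFFIX, virtual=VIRTUAL_SUFFIX):
    """Replace the trailing real suffix with the virtual one (case-insensitive)."""
    if dn.lower() == real.lower():
        return virtual
    tail = "," + real
    if dn.lower().endswith(tail.lower()):
        return dn[:-len(tail)] + "," + virtual
    return dn  # not under the massaged naming context: left untouched

def rewrite_entry(entry):
    """Return a copy of entry as the proxy would present it to clients."""
    out = {"dn": massage_dn(entry["dn"])}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        new_values = []
        for v in values:
            if attr == "objectClass":
                v = OBJECTCLASS_MAP.get(v, v)
            elif attr in DN_VALUED:
                dn, uid = split_name_and_uid(v)
                v = massage_dn(dn) + uid   # massage the DN part, keep the UID tail
            new_values.append(v)
        out[ATTRIBUTE_MAP.get(attr, attr)] = new_values
    return out
```

Running rewrite_entry(SAMPLE_ENTRY) yields the groupOfNames/member form shown in the second ldapsearch above, with the UID-bearing value massaged as well.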