RE: using back-meta to fake group membership an incorrect rootDN
Interesting. It does work now that I have added those map directives. Is
there a good book or source for information regarding meta-back or overlays?
It seems as if you can do so much with them, but I have not found any good
tutorials or how-tos on these subjects. The examples in the source help but
are clearly a small subset of the capabilities.
I do not seem to be able to search at the dc=moneygram,dc=com level. It
works fine if I search a specific DC beneath that level but, as you can see
in the config, dc=moneygram,dc=com does not really exist. Can searches from
that suffix be relayed down to my more specific suffixes?
The backend directory is actually iPlanet 5.2, not OpenLDAP. My config looks
like this:
database ldbm
suffix "ou=corp,dc=moneygram,dc=com"
rootdn "cn=Manager,ou=corp,dc=moneygram,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided. See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw XXX
# rootpw {crypt}ijFYNcSNctBYg
# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory /var/lib/ldap
# Indices to maintain for this database
index objectClass,uidNumber,gidNumber eq
index cn,sn,uid,displayName pres,sub,eq
index memberUid,mail,givenname eq,subinitial
index sambaSID,sambaPrimaryGroupSID,sambaDomainName eq
# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 tls=yes
# bindmethod=sasl saslmech=GSSAPI
# authcId=host/ldap-master.example.com@EXAMPLE.COM
database meta
suffix "dc=temgweb,dc=com"
suffix "ou=b2b,dc=moneygram,dc=com"
dncache-ttl forever
lastmod off
# Target server (the iPlanet directory); the proxy binds to it
# with the target's own administrative identity.
uri "ldap://XXX:@PORT@/dc=temgweb,dc=com"
binddn "cn=Directory Manager"
bindpw "XXX"
pseudorootdn "cn=Manager,ou=b2b,dc=moneygram,dc=com"
pseudorootpw XXX
# Present the target's groupOfUniqueNames/uniqueMember as
# groupOfNames/member.
map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember
rewriteEngine on
# Virtual suffix -> real suffix for DNs sent to the target.
rewriteContext default
rewriteRule "(.*)ou=b2b,dc=moneygram,dc=com" "%1dc=temgweb,dc=com"
# DN-valued assertions (member=..., uniqueMember=...) in search filters.
rewriteContext searchFilter
rewriteRule "(.*)Member=([^)]+),ou=b2b,dc=moneygram,dc=com(.*)" "%1Member=%2,dc=temgweb,dc=com%3"
rewriteContext searchBase alias default
# Real suffix -> virtual suffix for DNs returned to clients.
rewriteContext searchResult
rewriteRule "(.*)dc=temgweb,dc=com" "%1ou=b2b,dc=moneygram,dc=com"
rewriteContext matchedDN alias searchResult
-----Original Message-----
From: Pierangelo Masarati [mailto:ando@sys-net.it]
Sent: Tuesday, January 18, 2005 3:31 PM
To: Neuharth, Steven
Cc: 'openldap-software@OpenLDAP.org'
Subject: Re: using back-meta to fake group membership an incorrect
rootDN
Neuharth, Steven wrote:
> I have an LDAP directory here that has a root of dc=olddomain,dc=com
> and I'd like to use openldap as a proxy to make this directory appear as if
> it was ou=b2b,dc=newdomain,dc=com. I have the rewrite rules mostly working
> in that I can search ou=b2b,dc=newdomain,dc=com and get results, but when I
> pull up a group, its uniqueMembers still have a root of
> dc=olddomain,dc=com.
> Is there a way to use rewriteMap to rewrite the uniqueMember
> attribute to make it appear as if the root was ou=b2b,dc=newdomain,dc=com?
>
Not straightforwardly, since uniqueMember has a syntax of
nameAndOptionalUID, which is not totally compatible with
distinguishedName (it's essentially a DN plus an optional part
represented by a string representation of a binary number with
limitations, something very odd; that's one of the reasons "member"
should be used instead). However, since most users don't add the
trailing binary portion, you should be able to get something by mapping
"uniqueMember" on "member" and "groupOfUniqueNames" on "groupOfNames".
You don't state what version of OpenLDAP you're using; however,
something like
database ldap
suffix "ou=b2b,dc=newdomain,dc=com"
uri ldap://host:port
suffixmassage "ou=b2b,dc=newdomain,dc=com" "dc=olddomain,dc=com"
map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember
should do the trick. This works with 2.2 code; for instance, if you run
test003 and add
database ldap
suffix "dc=test,dc=example,dc=com"
uri "ldap://:9011"
overlay rwm
rwm-suffixmassage "dc=example,dc=com"
rwm-map attribute member uniqueMember
rwm-map objectClass groupOfNames groupOfUniqueNames
right before the "database bdb" directive, you get
[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'o=university of michigan,c=us' -LLL objectClass=groupOfUniqueNames
dn: cn=ITD Staff,ou=Groups,o=University of Michigan,c=US
owner: cn=Manager,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfUniqueNames
uniqueMember: cn=Manager,o=University of Michigan,c=US
uniqueMember: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,o=University of Michigan,c=US
uniqueMember: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,o=University of Michigan,c=US
uniqueMember: cn=John Doe,ou=Information Technology Division,ou=People,o=University of Michigan,c=US
[masarati@ando tests]$ ../clients/tools/ldapsearch -x -H ldap://:9011 -b 'ou=Fake,o=university of michigan,c=us' -LLL objectClass=groupOfNames
dn: cn=ITD Staff,ou=Groups,ou=Fake,o=University of Michigan,c=US
owner: cn=Manager,ou=Fake,o=University of Michigan,c=US
description: All ITD Staff
cn: ITD Staff
objectClass: groupOfNames
member: cn=Manager,ou=Fake,o=University of Michigan,c=US
member: cn=Bjorn Jensen,ou=Information Technology Division,ou=PEOPLE,ou=Fake,o=University of Michigan,c=US
member: cn=James A Jones 2,ou=Information Technology Division,ou=PEOPLE,ou=Fake,o=University of Michigan,c=US
member: cn=John Doe,ou=Information Technology Division,ou=People,ou=Fake,o=University of Michigan,c=US
A drawback is that you can no longer access the original
"groupOfNames" and "member" items from the proxy, because all their
occurrences get remapped to "groupOfUniqueNames" and "uniqueMember".
Or, you can hack the code of back-ldap so that when checking for
distinguishedName syntax, nameAndOptionalUID syntaxes are rewritten as well.
p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
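The rewriting discussed in this thread (suffix massage of DNs in both directions, the objectClass/attribute mapping, the searchFilter rule Steven wrote by hand, and the nameAndOptionalUID wrinkle Pierangelo points out), modelled in Python as an added example. This is not OpenLDAP's back-ldap/rwm code and not part of the original posts; the suffixes, the sample group entry and its uniqueMember value carrying a #'0101'B UID are constructed for the example.

```python
"""Suffix massage plus attribute/objectClass mapping, as back-ldap's
suffixmassage/map directives (or the rwm overlay) do it, modelled in Python.

Example code added to the thread, not OpenLDAP's own implementation.
Suffixes, the sample entry and the #'0101'B value below are constructed.
"""
import re

VIRTUAL_SUFFIX = "ou=b2b,dc=newdomain,dc=com"  # what clients see
REAL_SUFFIX = "dc=olddomain,dc=com"            # what the backend holds

# Lower-cased virtual -> real and real -> virtual maps, equivalent to
#   map attribute member uniqueMember
#   map objectClass groupOfNames groupOfUniqueNames
_V2R_ATTR = {"member": "uniqueMember"}
_R2V_ATTR = {"uniquemember": "member"}
_V2R_OC = {"groupofnames": "groupOfUniqueNames"}
_R2V_OC = {"groupofuniquenames": "groupOfNames"}

# Attribute types (real and virtual names) whose values carry a DN.
DN_VALUED = {"member", "uniquemember", "owner", "seealso"}

# nameAndOptionalUID: a DN, optionally followed by "#" and a BitString
# such as '0101'B. The second group captures the BitString, if any.
_NAME_UID = re.compile(r"(.*?)(?:#('[01]*'B))?", re.DOTALL)
# One simple assertion inside an RFC 4515 filter string: (attr=value)
_ASSERTION = re.compile(r"\(([A-Za-z][\w;-]*)=([^()]*)\)")


def split_name_and_uid(value):
    """Split a nameAndOptionalUID value into (dn, bitstring_or_None)."""
    m = _NAME_UID.fullmatch(value)
    return m.group(1), m.group(2)


def massage_dn(dn, old_suffix, new_suffix):
    """Replace a trailing old_suffix with new_suffix, case-insensitively
    and only on an RDN boundary; DNs outside old_suffix are left alone,
    which is also what suffixmassage does with them."""
    low, old = dn.lower(), old_suffix.lower()
    if low == old:
        return new_suffix
    if low.endswith("," + old):
        return dn[: len(dn) - len(old_suffix)] + new_suffix
    return dn


def massage_value(value, old_suffix, new_suffix):
    """Massage a DN or nameAndOptionalUID value, keeping the UID part that
    makes uniqueMember awkward to handle as a plain distinguishedName."""
    dn, uid = split_name_and_uid(value)
    dn = massage_dn(dn, old_suffix, new_suffix)
    return dn if uid is None else dn + "#" + uid


def _translate(entry, attr_map, oc_map, old_suffix, new_suffix):
    out = {"dn": massage_dn(entry["dn"], old_suffix, new_suffix)}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        key = attr.lower()
        if key == "objectclass":
            values = [oc_map.get(v.lower(), v) for v in values]
        elif key in DN_VALUED:
            values = [massage_value(v, old_suffix, new_suffix) for v in values]
        out[attr_map.get(key, attr)] = values
    return out


def to_virtual(entry):
    """Backend (real) entry -> the entry as the proxy returns it."""
    return _translate(entry, _R2V_ATTR, _R2V_OC, REAL_SUFFIX, VIRTUAL_SUFFIX)


def to_real(entry):
    """Client-side (virtual) entry -> the entry as sent to the backend."""
    return _translate(entry, _V2R_ATTR, _V2R_OC, VIRTUAL_SUFFIX, REAL_SUFFIX)


def to_real_filter(filt):
    """Rewrite the simple assertions of a client filter for the backend:
    map attribute and objectClass names and massage DN-valued assertion
    values (what the hand-written searchFilter rewriteRule was doing)."""
    def fix(m):
        attr, value = m.group(1), m.group(2)
        key = attr.lower()
        if key == "objectclass":
            value = _V2R_OC.get(value.lower(), value)
        elif key in DN_VALUED:
            value = massage_value(value, VIRTUAL_SUFFIX, REAL_SUFFIX)
        return "(" + _V2R_ATTR.get(key, attr) + "=" + value + ")"
    return _ASSERTION.sub(fix, filt)


def to_real_attrs(requested):
    """Requested attribute list, virtual -> real. The drawback from the
    thread shows here: "member" reaches the backend as "uniqueMember", so a
    genuine backend "member" attribute can no longer be asked for."""
    return [_V2R_ATTR.get(a.lower(), a) for a in requested]


# Constructed backend entry, modelled on the ITD Staff group in the thread.
REAL_GROUP = {
    "dn": "cn=ITD Staff,ou=Groups,dc=olddomain,dc=com",
    "objectClass": ["top", "groupOfUniqueNames"],
    "cn": ["ITD Staff"],
    "owner": ["cn=Manager,dc=olddomain,dc=com"],
    "uniqueMember": [
        "cn=Manager,dc=olddomain,dc=com",
        "cn=John Doe,ou=People,dc=olddomain,dc=com#'0101'B",  # optional UID present
        "cn=Guest,dc=partner,dc=example",  # outside the massaged suffix
    ],
}

if __name__ == "__main__":
    for k, v in to_virtual(REAL_GROUP).items():
        print(k, v)
    print(to_real_filter("(&(objectClass=groupOfNames)"
                         "(member=cn=John Doe,ou=People,ou=b2b,dc=newdomain,dc=com))"))
```

Running it shows the group under the virtual suffix with groupOfNames/member names, the third member (outside dc=olddomain,dc=com) untouched, and the UID-bearing value surviving the round trip; to_real(to_virtual(entry)) returns the original entry. Authorization that compares member DNs against a bound user's DN only works if both sides of the proxy see the same rewriting, which is why the filter and the returned values have to be massaged consistently.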