[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: using back-meta to fake group membership an incorrect rootDN

To: "Neuharth, Steven" <SNeuharth@moneygram.com>
Subject: Re: using back-meta to fake group membership an incorrect rootDN
From: Pierangelo Masarati <ando@sys-net.it>
Date: Wed, 19 Jan 2005 16:44:53 +0100
Cc: "'openldap-software@openldap.org'" <openldap-software@OpenLDAP.org>
References: <288FAF5565A1A74EA5E35C39E7EE1D421696EF53@mail.temgweb.com>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.0.1) Gecko/20021003

Neuharth, Steven wrote:

Interesting. It does work now that I have added thos map directives. Is there a good book or source for information regarding meta-back or overlays. It seems as if you can do so much with them but I have not found any good tutorials or how-tos on these subjects. The examples in the source help but clearly are a small subset of the capabilities.

No, all that I'm aware of is the slapd-meta(5) in 2.2 and slapo-rwm(5) in HEAD/2.3, plus a bunch of emails.

I do not seem to be able to search at the dc=moneygram,dc=com level. It
works fine if I search a specific DC beneath that level but, as you can see
in the config, dc=moneygram,dc=com does not really exist. Can searches from
that suffix be relayed down to my more specific suffixes?

Because in your slapd.conf there's no database serving that suffix. Moreover, I don't know how back-meta works with multiple suffixes, it's something I haven't considered for a long time. I suggest you use back-ldap instead of back-meta, and you split it in two databases each serving a naming context; moreover, you should use a back-ldbm (why aren't you using back-bdb yet?) rooted at "dc=moneygram,dc=com" that glues the two subtrees of "dc=moneygram,dc=com" together (see the "subordinate" directive in slapd.conf(5), which in 2.3 will move into the glue overlay, described in slapo-glue(5)). Something like

database        ldbm
suffix          "ou=corp,dc=moneygram,dc=com"
subordinate
# ...

database        ldap
suffix          "ou=b2b,dc=moneygram,dc=com"
suffixmassage   "ou=b2b,dc=moneygram,dc=com" "dc=temgweb,dc=com"
map             objectClass groupOfNames groupOfUniqueNames
map             attribute member uniqueMember
subordinate
# ...

database        ldbm
suffix          "dc=moneygram,dc=com"
# ...

database        ldap
suffix          "dc=temgweb,dc=com"
# ...

so that direct searches for "dc=temgweb,dc=com" do not even pass thru remapping, while other searches are glued together thru the superior database rooted at "dc=moneygram,dc=com". By means of ACLs you should prevent any writes below the root entry of this database. I note that with your current setup, operations with the "dc=temgweb,dc=com" naming context are rewritten in the "dc=b2b,dc=moneygram,dc=com"; is this the intended behavior? If this is the case, then you should omit the second instance of back-ldap, and add the "dc=temgweb,dc=com" suffix to the first instance.

p.

The backend directory is actually iPlanet 5.2 not OpenLDAP. My config looks
like this:

database        ldbm
suffix          "ou=corp,dc=moneygram,dc=com"
rootdn          "cn=Manager,ou=corp,dc=moneygram,dc=com"
# Cleartext passwords, especially for the rootdn, should
# be avoided.  See slappasswd(8) and slapd.conf(5) for details.
# Use of strong authentication encouraged.
rootpw          XXX
# rootpw                {crypt}ijFYNcSNctBYg

# The database directory MUST exist prior to running slapd AND
# should only be accessible by the slapd and slap tools.
# Mode 700 recommended.
directory       /var/lib/ldap

# Indices to maintain for this database
index      objectClass,uidNumber,gidNumber                  eq
index      cn,sn,uid,displayName                            pres,sub,eq
index      memberUid,mail,givenname                 eq,subinitial
index      sambaSID,sambaPrimaryGroupSID,sambaDomainName    eq

# Replicas of this database
#replogfile /var/lib/ldap/openldap-master-replog
#replica host=ldap-1.example.com:389 tls=yes
#     bindmethod=sasl saslmech=GSSAPI
#     authcId=host/ldap-master.example.com@EXAMPLE.COM

database        meta
suffix          "dc=temgweb,dc=com"
suffix          "ou=b2b,dc=moneygram,dc=com"
dncache-ttl     forever
lastmod         off
uri             "ldap://XXX:@PORT@/dc=temgweb,dc=com";
binddn          "cn=Directory Manager"
bindpw          "XXX"
pseudorootdn    "cn=Manager,ou=b2b,dc=moneygram,dc=com"
pseudorootpw    XXX
map             objectClass groupOfNames groupOfUniqueNames
map             attribute member uniqueMember

rewriteEngine   on

rewriteContext  default
rewriteRule     "(.*)ou=b2b,dc=moneygram,dc=com" "%1dc=temgweb,dc=com"
rewriteContext  searchFilter
rewriteRule     "(.*)Member=([^)]+),ou=b2b,dc=moneygram,dc=com(.*)"
"%1Member=%2,dc=temgweb,dc=com%3"
rewriteContext  searchBase alias default

rewriteContext  searchResult
rewriteRule     "(.*)dc=temgweb,dc=com" "%1ou=b2b,dc=moneygram,dc=com"
rewriteContext  matchedDN alias searchResult

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497

References:
- RE: using back-meta to fake group membership an incorrect rootDN
  - From: "Neuharth, Steven" <SNeuharth@moneygram.com>

Prev by Date: Re: LDAP slurp problem [auf Viren überprüft]
Next by Date: RE: using back-meta to fake group membership an incorrect rootDN
Index(es):
- Chronological
- Thread