[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP's Backend Rewrite Engine

To: Dieter Kluenter <dieter@dkluenter.de>
Subject: Re: OpenLDAP's Backend Rewrite Engine
From: Michael Gale <michaelg@xandros.com>
Date: Thu, 16 Jun 2005 09:19:02 -0400
Cc: openldap-software@OpenLDAP.org
In-reply-to: <871x72u8va.fsf@rubin.l4b.de>
References: <12a001c570d6$41f0f5b0$1702320a@tbsolutions.com> <42AEF03A.4090608@xandros.com> <42B0349D.2090305@xandros.com> <871x72u8va.fsf@rubin.l4b.de>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041124 Debian/1.7.3.x.1-37

Thank you, Dieter.  For reasons outside of my control, I can't place a "rootpw" or a "rootdn" attribute in the configuration file.  Suffix massaging works when the bind is for one user with privileges for both DNs.  I have a situation where the user may be different every time a bind is attempted.  For example, when a user attempts to authenticate his/herself they will submit their credentials to "ldap://public.com";. They will attempt a bind on that server using a DN "cn=user1,cn=Administrators,dc=test,dc=com".  I would like the server "ldap://public.com"; to proxy the bind for "ldap://mixedmaster.mixeddomain.com"; using the same credentials but under a different DN "cn=user1,cn=Users,dc=mixeddomain,dc=com".

The server "ldap://mixedmaster.mixeddomain.com"; would then return success or failure to "ldap://public.com"; who would then return success of failure to the client.

Can this be done?  If yes, do the rules I posted earlier (below) make any sense?  I'm certainly missing something, I'm just not sure where to go from here.

Michael

Dieter Kluenter wrote: 

Michael Gale <michaelg@xandros.com> writes:
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
  

So, I decided to try the proxy approach, and I would like to rewrite a
DN from this:

"cn=<user name>,cn=Administrators,dc=test,dc=com"

to this:

"cn=<user name>,cn=Users,dc=mixeddomain,dc=com"

I would like to perform a simple substitution where the user name from
one DN gets copied to another.  I am using a rewrite context for a
client -> server operation, but I'm pretty sure the following is not
right:

database ldap
rewriteEngine On
rewriteContext bindDn
rewriteRule "cn=(.*),cn=Administrators,dc=test,dc=com"
                     "cn=%1,cn=Users,dc=mixeddomain,dc=com"
rebind-as-user
uri ldap://mixedmaster.mixeddomain.com/

I'm a little lost as to what rules/contexts/uris are required in the
"slapd.conf" file. Any help would be greatly appreciated.
    

You didn't mention which version you are referring to.
I my OpenLDAP-2.X.X which is april HEAD I have following lines
,----[ slapd.conf ]
| modulepath /usr/local/libexec/openldap
| moduleload pcache.la
| moduleload rwm.la
| moduleload back-ldap.la
| ...
| database   ldap
| lastmod off
| overlay rwm
| suffix  "dc=virtual,dc=com"
| rwm-suffixmassage "dc=virtual,dc=com" "dc=real,dc=com"
| rootdn cn=admin,dc=virtual,dc=com
| rootpw secret
| binddn cn=updateManager,dc=real,dc=com
| bindpw secret2
| uri ldap://remote.server:389
| ....
| <some proxycache options>
`----
-Dieter

Follow-Ups:
- Re: OpenLDAP's Backend Rewrite Engine
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

References:
- Proxy support?
  - From: "Pablo J Royo" <royop@tb-solutions.com>
- OpenLDAP and Active Directory
  - From: Michael Gale <michaelg@xandros.com>
- OpenLDAP's Backend Rewrite Engine
  - From: Michael Gale <michaelg@xandros.com>
- Re: OpenLDAP's Backend Rewrite Engine
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: to many established TCP/IP connection to LDAP backend
Next by Date: Re: OpenLDAP's Backend Rewrite Engine
Index(es):
- Chronological
- Thread