
Re: OpenLDAP's Backend Rewrite Engine



Thank you, Dieter.  For reasons outside of my control, I can't place a "rootpw" or a "rootdn" attribute in the configuration file.  Suffix massaging works when the bind is for one user with privileges for both DNs.  I have a situation where the user may be different every time a bind is attempted.  For example, when a user attempts to authenticate his/herself they will submit their credentials to "ldap://public.com". They will attempt a bind on that server using a DN "cn=user1,cn=Administrators,dc=test,dc=com".  I would like the server "ldap://public.com" to proxy the bind for "ldap://mixedmaster.mixeddomain.com" using the same credentials but under a different DN "cn=user1,cn=Users,dc=mixeddomain,dc=com".

The server "ldap://mixedmaster.mixeddomain.com" would then return success or failure to "ldap://public.com", which would then return success or failure to the client.

Can this be done?  If yes, do the rules I posted earlier (below) make any sense?  I'm certainly missing something, I'm just not sure where to go from here.

Michael

Dieter Kluenter wrote: 

Michael Gale <michaelg@xandros.com> writes:

So, I decided to try the proxy approach, and I would like to rewrite a
DN from this:

"cn=<user name>,cn=Administrators,dc=test,dc=com"

to this:

"cn=<user name>,cn=Users,dc=mixeddomain,dc=com"

I would like to perform a simple substitution where the user name from
one DN gets copied to another.  I am using a rewrite context for a
client -> server operation, but I'm pretty sure the following is not
right:

database ldap
rewriteEngine On
rewriteContext bindDn
rewriteRule "cn=(.*),cn=Administrators,dc=test,dc=com"
                     "cn=%1,cn=Users,dc=mixeddomain,dc=com"
rebind-as-user
uri ldap://mixedmaster.mixeddomain.com/

I'm a little lost as to what rules/contexts/uris are required in the
"slapd.conf" file. Any help would be greatly appreciated.

You didn't mention which version you are referring to.
In my OpenLDAP-2.X.X, which is April HEAD, I have the following lines
,----[ slapd.conf ]
| modulepath /usr/local/libexec/openldap
| moduleload pcache.la
| moduleload rwm.la
| moduleload back-ldap.la
| ...
| database   ldap
| lastmod off
| overlay rwm
| suffix  "dc=virtual,dc=com"
| rwm-suffixmassage "dc=virtual,dc=com" "dc=real,dc=com"
| rootdn cn=admin,dc=virtual,dc=com
| rootpw secret
| binddn cn=updateManager,dc=real,dc=com
| bindpw secret2
| uri ldap://remote.server:389
| ....
| <some proxycache options>
`----
-Dieter
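
A worked slapd.conf for the bind-DN rewrite Michael asked about, added here as an illustration; it is not from either poster. It assumes the OpenLDAP 2.3-style slapo-rwm(5) syntax (`overlay rwm` plus `rwm-` prefixed directives, which the unprefixed `rewriteEngine`/`rewriteRule` lines in the original question predate), that the proxy's own suffix is `dc=test,dc=com`, and it reuses the host names from the thread. No `rootdn`/`rootpw` is needed for this case, because back-ldap forwards the client's own password and only the DN is changed.

```conf
# Added example (not from the thread): back-ldap proxy that rewrites the bind DN
#   cn=<user>,cn=Administrators,dc=test,dc=com  ->  cn=<user>,cn=Users,dc=mixeddomain,dc=com
# Assumes OpenLDAP 2.3+ slapo-rwm(5) directives; module path is an assumption.
modulepath  /usr/local/libexec/openldap
moduleload  back_ldap.la
moduleload  rwm.la

database    ldap
suffix      "dc=test,dc=com"
uri         "ldap://mixedmaster.mixeddomain.com/"

overlay     rwm
rwm-rewriteEngine   on

# Only the DN carried in bind requests is rewritten here; the password the
# client supplied is passed through unchanged, so back-ldap binds to the
# remote server as the rewritten user with the client's credentials.
rwm-rewriteContext  bindDN
# [^,]+ captures exactly one RDN value. A cn that contains an escaped comma
# (\,) therefore does not match, the DN is forwarded unrewritten, and the
# bind fails on the remote server rather than landing on the wrong entry.
# Matching is case-insensitive unless the C flag is given; ":" marks this as
# the last rule applied in the context.
rwm-rewriteRule     "^cn=([^,]+),cn=Administrators,dc=test,dc=com$" "cn=%1,cn=Users,dc=mixeddomain,dc=com" ":"

# Operations the client issues after binding still name dc=test,dc=com, so the
# search base and the DNs of returned entries need mapping too, or the remote
# server will report no such object. (rwm-suffixmassage would cover these
# contexts, but not the Administrators -> Users change in the bind DN.)
rwm-rewriteContext  searchDN
rwm-rewriteRule     "^(.*)dc=test,dc=com$" "%1dc=mixeddomain,dc=com" ":"
rwm-rewriteContext  searchEntryDN
rwm-rewriteRule     "^(.*)dc=mixeddomain,dc=com$" "%1dc=test,dc=com" ":"
```

Bind results (success or failure) come straight back from the remote server, as the thread wants. With `loglevel` including the rewrite/overlay categories, slapd logs each rule that fires, which is the quickest way to confirm that a submitted DN actually matched the `bindDN` rule rather than being forwarded untouched.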