Re: RWM and bind using mail address
- To: ando@sys-net.it
- Subject: Re: RWM and bind using mail address
- From: "Mikael M. Hansen" <mhansen@cs.aau.dk>
- Date: Thu, 06 Apr 2006 11:38:44 +0200
- Cc: openldap-software@OpenLDAP.org
- In-reply-to: <42292.131.175.154.56.1143818625.squirrel@131.175.154.56>
- Organization: Department of Computer Science, Aalborg University
- References: <442D27D9.7080800@cs.aau.dk> <42292.131.175.154.56.1143818625.squirrel@131.175.154.56>
- User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8) Gecko/20051201 Thunderbird/1.5 Mnenhy/0.7.3.0
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Hi
Thanks for the reply
Pierangelo Masarati wrote:
>>
>> I need to bind - using an email address - to a backend ldap using a
>> frontend meta/proxy server. So I've used the example from the slapo-rwm
>> man page (the DN made up of single email) example. But I cannot get it
>> to work. When I do a
>>
>> ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
>> "(mail=someone@somewhere.com)"
>>
>> it returns the entry including the mail attribute - from the backend
>> ldap (somehost.somewhere.com) - as expected. But when trying to bind
>> using the mail address (mail=someone@somewhere.com) it (the
>> proxymetaldap server) doesn't contact the backend server
>> (someserver.somewhere.com).
>
> because "mail=someone@somewhere.com", although being a perfectly valid DN,
> does not match the suffix of any database, so no database can be selected.
> Set the suffix of the ldap database to "" and it will work.
>
It doesn't. Let me try to explain what I intend to do:
Take an email as input to the meta LDAP. someone@a.somewhere.com
Based on the suffix (a.somewhere.com) determine the proper backend
database to query (dc=a,dc=somewhere,dc=com) and rewrite the postfix
(someone) to a value specific for the chosen backend. E.g. uid=someone
or cn=someone. Now find the dn for the value (uid=someone) in the
backend and do a bind. Naturally there should be several backends defined:
b.somewhere.com, c.somewhere.com etc.
Is this not possible?
>
>> I expect it to not even use the rewrite rule when binding as anonymous
>> (so it just queries all database that are defined),
>
> nope. anonymous doesn't even get to databases, because the frontend knows
> how to handle it.
So if I have several backends and connect to the meta anonymously I
cannot get the anonymously available data from all backends in one search?
>
>> but that it does
>> match the rule when binding with the email address.
>>
>> In my config below I would expect it to:
>>
>> 1. Match the rule when given mail=someone@somewhere.com
>> 2. Do an anonymous search for the DN in somehost.somewhere.com
>> 3. Bind with the found DN
>>
>> Is this not possible?
>>
>> My config is as follows:
>>
>> ############### Begin config ##############################
>>
>> include /q/disk_0/openldap/etc/openldap/schema/core.schema
>> include /q/disk_0/openldap/etc/openldap/schema/cosine.schema
>> include /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
>> include /q/disk_0/openldap/etc/openldap/schema/nis.schema
>> loglevel 256
>> pidfile /q/disk_0/openldap/var/run/slapd.pid
>> argsfile /q/disk_0/openldap/var/run/slapd.args
>>
>> # Proxy database: only operations whose target DN falls under this
>> # suffix are handed to it and forwarded to the backend server.
>> database ldap
>> suffix "dc=somewhere,dc=com"
>> uri ldap://somehost.somewhere.com/
>>
>> # Rewrite a bind DN of the form "mail=<address>" into the entry's real DN
>> # by searching the backend for that mail value (slapo-rwm man page example).
>> overlay rwm
>> rwm-rewriteEngine on
>> rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
>> rwm-rewriteContext bindDN
>> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"
>>
>> lastmod off
>>
>> ################# End config ########################
>>
>> For some servers an anonymous bind might not be possible, so I just
>> expect it to bind with a given username and password to do the search
>> (pseudorootdn). Is this a suitable option?
>
> not with the pseudorootdn. All you can do in this case is use the
> identity assertion feature so that it binds with a given identity
> regardless of the identity of the client. This requires a bit of work and
> in general it's not recommended.
>
> p.
>
>
>
>
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: pierangelo.masarati@sys-net.it
> ------------------------------------------
>
--
MVH / Best regards
Mikael M. Hansen
IT-administrator
Computer Science Dept.      Email: mhansen@cs.aau.dk
Aalborg University          Phone: +45 9635 8905
Fredrik Bajers Vej 7E       Room: E2-121
DK-9220 Aalborg, Denmark
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org
iD8DBQFENOGk1ZklRSLjnxgRArrfAJ9gQnhqOMYOmhfYCDw0rVJi70jPhwCdECYH
Lsa+T2MGlz+K7tjjrl/JYfk=
=NZ1Y
-----END PGP SIGNATURE-----
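Added example, not part of the thread and not OpenLDAP code: a small Python model of the two mechanisms the exchange turns on. slapd hands an operation to the database whose suffix matches the target DN (longest match wins), so a bind DN of mail=someone@somewhere.com reaches no database unless one is configured with the empty suffix "". Only once inside a database does the slapo-rwm bindDN rewrite run; there the mail= DN can be turned into the entry's real DN either by a regex capture that routes on the mail domain (the multi-backend scheme described above) or by an ldap map lookup (the csattr2dn map in the posted config). The directory entries, domains and rewrite rules below are constructed for the example; the rule flags are modelled on slapo-rwm(5) (":I" ignore case, ":@" stop after this rule).

```python
"""In-memory model of slapd database selection and an slapo-rwm bindDN rewrite.

Hypothetical example written for this thread; it is not OpenLDAP code and
the directory data, domains and rules are constructed.
"""
import re
from typing import Any, Callable, Dict, List, Optional, Tuple


def _normalize(dn: str) -> str:
    """Minimal DN normalization: lower-case, strip whitespace around commas."""
    return ",".join(part.strip() for part in dn.lower().split(","))


def dn_has_suffix(dn: str, suffix: str) -> bool:
    """True if `suffix` ends `dn` on an RDN boundary; the empty suffix matches all."""
    dn, suffix = _normalize(dn), _normalize(suffix)
    if suffix == "":
        return True
    return dn == suffix or dn.endswith("," + suffix)


def select_database(dn: str, suffixes: List[str]) -> Optional[str]:
    """Pick a database the way slapd does: the longest suffix matching the DN.

    Returns None when nothing matches, which is what happens to
    "mail=someone@somewhere.com" with only "dc=somewhere,dc=com" configured.
    """
    matches = [s for s in suffixes if dn_has_suffix(dn, s)]
    return max(matches, key=len) if matches else None


# Constructed backend content: DN -> attributes. In the thread these entries
# live on separate servers; one dict stands in for all of them here.
BACKEND: Dict[str, Dict[str, str]] = {
    "uid=someone,ou=People,dc=a,dc=somewhere,dc=com": {"mail": "someone@a.somewhere.com"},
    "cn=other,ou=Staff,dc=b,dc=somewhere,dc=com": {"mail": "other@b.somewhere.com"},
}


def ldap_map(assertion: str, base: str) -> Optional[str]:
    """Model of an rwm "ldap" rewriteMap returning the "dn" pseudo-attribute.

    `assertion` is the rule's $0 ("mail=<address>"); the real map searches the
    URI's base for (mail=<address>) and yields the DN of the matching entry.
    """
    attr, _, value = assertion.partition("=")
    for dn, attrs in BACKEND.items():
        if dn_has_suffix(dn, base) and attrs.get(attr.lower(), "").lower() == value.lower():
            return dn
    return None


Rule = Tuple[str, Callable[[Any], Optional[str]]]

# Constructed bindDN rules. Rule 1 routes on the mail domain and rewrites the
# local part to a uid= RDN under that domain's backend; rule 2 is the generic
# lookup of the posted config. Both use ":@I": first match wins, ignore case.
RULES: List[Rule] = [
    (r"^mail=([^,@]+)@a\.somewhere\.com$",
     lambda m: f"uid={m.group(1)},ou=People,dc=a,dc=somewhere,dc=com"),
    (r"^mail=[^,]+@[^,]+$",
     lambda m: ldap_map(m.group(0), "dc=somewhere,dc=com")),
]


def rewrite_bind_dn(dn: str, rules: List[Rule]) -> Optional[str]:
    """Apply the rules in order and stop at the first match (the ":@" flag).

    A DN no rule matches passes through unchanged; None means a matching rule
    could not resolve the DN (no such entry), so the bind has nothing to bind as.
    """
    for pattern, action in rules:
        m = re.match(pattern, dn, re.IGNORECASE)  # ":I" flag
        if m:
            return action(m)
    return dn


if __name__ == "__main__":
    cfg = ["dc=somewhere,dc=com"]
    print(select_database("mail=someone@somewhere.com", cfg))        # None
    print(select_database("mail=someone@somewhere.com", cfg + [""]))  # ""
    print(rewrite_bind_dn("mail=someone@a.somewhere.com", RULES))
    print(rewrite_bind_dn("mail=other@b.somewhere.com", RULES))
    print(rewrite_bind_dn("mail=nobody@c.somewhere.com", RULES))     # None
```

Two caveats follow from the model. First, a single slapd can give only one database the empty suffix, so routing mail= binds to several remote servers has to happen in the rewrite target, not in database selection. Second, when the rewrite resolves to no entry the bind should simply fail; falling back to a fixed proxy identity (the identity-assertion route discouraged in the reply above) would authenticate every such client as the same user.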