Re: rewrite rule in slapd.conf
- To: openldap-software@OpenLDAP.org
- Subject: Re: rewrite rule in slapd.conf
- From: Dmitriy Kirhlarov <dkirhlarov@oilspace.com>
- Date: Fri, 5 May 2006 16:24:50 +0400
- Content-disposition: inline
- In-reply-to: <53926.131.175.154.56.1145518492.squirrel@131.175.154.56>
- References: <20060419093016.GH3279@dimma.mow.oilspace.com> <53926.131.175.154.56.1145518492.squirrel@131.175.154.56>
- User-agent: mutt-ng/devel-r581 (FreeBSD)
Hi!
On Thu, Apr 20, 2006 at 09:34:52AM +0200, Pierangelo Masarati wrote:
> > I need a "rewrite rule". For example, when a client tries to authorize as
> > uid=A,ou=all-users,o=org I want to check this uid in two containers:
> > uid=A,ou=local-users,o=org and uid=A,ou=ext-users,o=org. Is it
> > possible?
> >
> > I read about referral and subordinate. But I want to use it on one server
> > and in one database. Is it possible?
>
> Yes, although not trivial. You should try something like
>
> database <any>
> suffix "ou=local-users,o=org"
>
> # ...
>
> database <any>
> suffix "ou=ext-users,o=org"
>
> # ...
>
> database meta
> suffix "ou=all-users,o=org"
>
> uri "ldap:///ou=all-users,o=org"
> suffixmassage "ou=all-users,o=org" "ou=local-users,o=org"
>
> uri "ldap:///ou=all-users,o=org"
> suffixmassage "ou=all-users,o=org" "ou=ext-users,o=org"
I tried to play with the meta backend, but didn't get a result.
My current config:
...
# password attributes: anonymous may bind against them, the entry itself may
# change them, and the sync/admin accounts under the matching o=oil* suffix
# may read them; nobody else sees them (continuation lines are indented)
access to
    dn.regex="^(.+)o=oil([^,]+)$"
    attrs=userPassword,sambaLMPassword,sambaNTPassword
    by anonymous auth
    by self write
    by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
    by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2" read
    by * none
access to * by * read
# first real backend (syncrepl consumer)
database bdb
suffix "o=oilspace"
...
syncrepl rid=001
...
# second real backend (syncrepl provider)
database bdb
suffix "o=oil-space"
overlay ppolicy
overlay accesslog
overlay syncprov
...
# virtual view over both backends: each uri starts a target and the
# suffixmassage that follows it belongs to that target
database meta
suffix "o=oilspace-all"
rebind-as-user yes
lastmod off
uri ldap://fbsd/o=oilspace-all
suffixmassage "o=oilspace-all" "o=oilspace"
uri ldap://fbsd/o=oilspace-all
suffixmassage "o=olspace-all" "o=oil-space"
The config is a little complex -- it's my experimental sandbox, but maybe a
detailed description of the config is important for getting help.
When I try:
$ ldapsearch -ZxD uid=dkirhlarov,ou=users,o=oilspace -H ldap://fbsd -s one -Wb ou=users,o=oilspace-all -vvLLL 'uid=...' 'cn'
I have two scenarios:
1. When the record is present in both backend databases I get:
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
....
It works very slowly (some internal timeouts?) and looks like a loop.
2. The record is present in the second database.
In this case I never get a result.
In both cases the connection to the LDAP server is not closed.
I keep re-reading slapd-meta(5), but it isn't helping yet. :)
My system is:
FreeBSD 6.1-PRERELEASE
openldap-server-2.3.21
Can somebody help me?
WBR
--
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
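Added example (not code from this thread or from OpenLDAP): a small Python model of the slapd-meta behaviour Pierangelo describes, one target per uri with its own suffixmassage rule, applied to a search shaped like the ldapsearch above. It also shows one way a forwarding backend can produce endless identical results like those in scenario 1: a rule whose <virtual naming context> never matches the search base forwards the base unchanged, and a base that still lies under the meta database's own suffix on the same host lands back in the meta database. The model adds a depth guard so that case is reported instead of running forever. Everything in it is an assumption of the model rather than a fact from the thread: plain comma-separated DNs with no escaped commas, case-insensitive RDN-aligned suffix matching, an unmatched rule leaving the DN untouched, all targets on the same host (fbsd) as the meta database, and the constructed sample entries and the second_rule_virtual parameter.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse

# Model assumptions (not facts from the thread): plain comma-separated DNs,
# case-insensitive RDN-aligned suffix matching, a non-matching suffixmassage
# rule leaves the DN untouched, and every target lives on the meta host.


def rdns(dn: str) -> list[str]:
    """Split a DN into lower-cased RDN strings, outermost last."""
    return [c.strip().lower() for c in dn.split(",") if c.strip()]


def dn_is_under(dn: str, suffix: str) -> bool:
    """True when dn is suffix itself or an entry below it (RDN-aligned, so
    o=oilspace-all is not under o=oilspace)."""
    d, s = rdns(dn), rdns(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def massage(dn: str, src: str, dst: str) -> str:
    """Rewrite the trailing naming context src of dn to dst (the suffixmassage
    idea); dn is returned untouched when src is not its suffix."""
    if not dn_is_under(dn, src):
        return dn
    head = [c.strip() for c in dn.split(",")][: len(rdns(dn)) - len(rdns(src))]
    return ",".join(head + [dst])


@dataclass
class Target:
    uri: str        # uri ldap://<host>/<virtual naming context>
    virtual: str    # suffixmassage <virtual naming context> ...
    real: str       # suffixmassage ... <real naming context>


@dataclass
class Server:
    host: str
    databases: dict = field(default_factory=dict)   # suffix -> {dn: attrs}
    meta_suffix: str = ""
    targets: list = field(default_factory=list)
    max_depth: int = 8      # re-entries of the meta database before giving up

    def search_one(self, base: str, uid: str, depth: int = 0) -> list[str]:
        """One-level search for entries with this uid under base, routed to
        the database whose suffix contains base (meta first, then bdb)."""
        if depth > self.max_depth:
            raise RecursionError(
                f"search base {base!r} re-entered the meta database {depth} times")
        if self.meta_suffix and dn_is_under(base, self.meta_suffix):
            return self._meta_search(base, uid, depth)
        for suffix, entries in self.databases.items():
            if dn_is_under(base, suffix):
                return [dn for dn, attrs in entries.items()
                        if dn_is_under(dn, base)
                        and len(rdns(dn)) == len(rdns(base)) + 1
                        and attrs.get("uid") == uid]
        return []   # no naming context matches: noSuchObject in real slapd

    def _meta_search(self, base: str, uid: str, depth: int) -> list[str]:
        """Forward to every target, massaging the base on the way out and
        the result DNs on the way back."""
        results = []
        for t in self.targets:
            if urlparse(t.uri).hostname != self.host:
                continue   # remote hosts are outside this model
            forwarded = massage(base, t.virtual, t.real)
            for dn in self.search_one(forwarded, uid, depth + 1):
                results.append(massage(dn, t.real, t.virtual))
        return results


def build_server(second_rule_virtual: str) -> Server:
    """Constructed sample shaped like the thread's layout: two bdb databases
    and a meta database on host fbsd.  second_rule_virtual is the <virtual
    naming context> of the second suffixmassage rule, so the same server can
    be built with a matching rule and with a mistyped one."""
    srv = Server(host="fbsd", meta_suffix="o=oilspace-all")
    srv.databases["o=oilspace"] = {
        "uid=dkirhlarov,ou=users,o=oilspace": {"uid": "dkirhlarov", "cn": "Dmitriy"},
    }
    srv.databases["o=oil-space"] = {
        "uid=dkirhlarov,ou=users,o=oil-space": {"uid": "dkirhlarov", "cn": "Dmitriy"},
        "uid=onlyhere,ou=users,o=oil-space": {"uid": "onlyhere", "cn": "Second DB only"},
    }
    srv.targets = [
        Target("ldap://fbsd/o=oilspace-all", "o=oilspace-all", "o=oilspace"),
        Target("ldap://fbsd/o=oilspace-all", second_rule_virtual, "o=oil-space"),
    ]
    return srv


def virtual_search(srv: Server, uid: str) -> list[str] | str:
    """The thread's query: one-level search under ou=users,o=oilspace-all.
    Returns virtual DNs, or a 'loop:' message when the meta database keeps
    re-entering itself instead of reaching a backend."""
    try:
        return srv.search_one("ou=users,o=oilspace-all", uid)
    except RecursionError as exc:
        return f"loop: {exc}"


if __name__ == "__main__":
    print(virtual_search(build_server("o=oilspace-all"), "dkirhlarov"))
    print(virtual_search(build_server("o=oilspace-all"), "onlyhere"))
    print(virtual_search(build_server("o=olspace-all"), "onlyhere"))
```

With both rules matching, the entry comes back once per target that holds it and the second-database-only entry comes back once; with a mistyped second rule the search re-enters the meta database until the guard stops it. Real slapd has no such guard, so the same mechanism would look like a slow search that never finishes. The model illustrates the mechanism; it is not a diagnosis of the configuration above.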