
Re: using openldap as a translation layer.



S James S Stapleton wrote:
> Can I use open-ldap as a translation layer for queries with an ldap
> client with minimal configuration potential?
> 
> Right now the client (which cannot be trivially modified) can use LDAP
> authentication, sort-of. What it does is take your user name, assign it
> to the 'uid' attribute, and then tack on whatever string is in the
> config to form a distinguished name. For example, if I used
> 'stapleton' as my username and the config had
> 'ou=People,dc=domain,dc=tld', it would query for
> 'uid=stapleton,ou=People,dc=domain,dc=tld'. Unfortunately, people's
> usernames are everything before the '@' sign in their email, and this is
> not their uid. The uid is a number that is used nowhere else. The
> standard process that we use is to take their user name and perform an
> ldap query to get the uid from the email, and then use the uid to verify
> if the user is correct.
> 
> Example:
> ldap://server:389/uid=441068,ou=People,dc=mydomain,dc=tld
> pulls up my information
> 
> Now, if I want to get my uid, I'd do this:
> ldap://server:389/ou=People,dc=mydomain,dc=tld?uid?sub?(mail=stapleton@mydomain.tld)
> 
> The client, as described, cannot do that; if a user attempts to use what
> they expect their user name to be, it will send:
> uid=stapleton,ou=People,dc=mydomain,dc=tld
> or
> uid=stapleton@mydomain.tld,ou=People,dc=mydomain,dc=tld
> 
> Neither of which will authenticate. Is there a way to make OpenLDAP
> provide a middle layer to handle this?

Yes.  I did not clearly get if OpenLDAP is the database that contains
the information, or if you plan to stack an instance of OpenLDAP in
between your current directory server and the (braindead?) client.

In the first case, I assume you have something like

database	bdb
suffix		"dc=mydomain,dc=tld"
#...

while in the second case you would create an instance of slapd containing

database	ldap
suffix		"dc=mydomain,dc=tld"
uri		"ldap://the.real.server/"

In either case, after all database specific directives you need to add

overlay		rwm
# turn on rewriting (set to "off" to temporarily disable)
rwm-rewriteEngine	on
# LDAP map that looks up the real DN for binds; add options as needed
# (see slapo-rwm(5) for details)
rwm-rewriteMap
	ldap
	"realBindDNLookup"
	"ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub"
# The actual bind DN rewrite rules
rwm-rewriteContext	bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
rwm-rewriteRule
	"^uid=([^,]+),ou=People,dc=mydomain,dc=tld$"
	"${realBindDNLookup(mail=$1@mydomain.tld)}" ":@I"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
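An added emulation, not from the thread or from OpenLDAP, of what the bindDN rewrite above does, written in Python so the behaviour can be checked without a slapd: it applies the same pattern, builds the "(mail=...)" lookup filter, resolves it against a constructed two-entry directory, and keeps the client's DN when the lookup does not yield exactly one entry. It goes beyond the rule as posted in two assumed ways: it accepts the full-address form the question mentions, and it escapes the RDN value per RFC 4515 before placing it in the filter, since that value is chosen by whoever is binding (whether the real rule needs the same is worth checking against slapo-rwm(5)).

```python
"""Emulates the bindDN rewrite in the reply: apply the rule's pattern,
build the "(mail=...)" filter, resolve it against a constructed directory
and keep the client's DN when the lookup fails (the ":I" flag)."""
import re
from typing import Optional

# Constructed stand-in for the real directory: entryDN -> attributes.
DIRECTORY = {
    "uid=441068,ou=People,dc=mydomain,dc=tld": {"mail": "stapleton@mydomain.tld"},
    "uid=441069,ou=People,dc=mydomain,dc=tld": {"mail": "jdoe@mydomain.tld"},
}
DOMAIN = "mydomain.tld"
# Same pattern as the rwm-rewriteRule in the reply.
RULE = re.compile(r"^uid=([^,]+),ou=People,dc=mydomain,dc=tld$")

def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the RDN value is chosen by the binding client,
    so it must not be able to add wildcards or parentheses to the filter."""
    return "".join(f"\\{ord(c):02x}" if c in "\\*()\x00" else c for c in value)

def build_filter(username: str) -> str:
    """The filter handed to the map. The rule in the reply always appends
    @domain; this also accepts the full-address form from the question."""
    mail = username if "@" in username else f"{username}@{DOMAIN}"
    return f"(mail={escape_filter_value(mail)})"

def real_bind_dn_lookup(ldap_filter: str) -> Optional[str]:
    """Stand-in for the "realBindDNLookup" map: evaluate an equality or
    substring filter on mail; succeed only on exactly one matching entry."""
    m = re.fullmatch(r"\(mail=(.*)\)", ldap_filter)
    if not m:
        return None
    parts = re.split(r"(?<!\\)\*", m.group(1))   # unescaped '*' = wildcard
    unescape = lambda s: re.sub(r"\\([0-9a-f]{2})",
                                lambda e: chr(int(e.group(1), 16)), s)
    pat = ".*".join(re.escape(unescape(p)) for p in parts)
    hits = [dn for dn, a in DIRECTORY.items() if re.fullmatch(pat, a["mail"])]
    return hits[0] if len(hits) == 1 else None

def rewrite_bind_dn(bind_dn: str) -> str:
    """Return the DN the bind should actually use."""
    m = RULE.match(bind_dn)
    if not m:
        return bind_dn                  # rule does not apply
    real_dn = real_bind_dn_lookup(build_filter(m.group(1)))
    return real_dn or bind_dn           # ":I": failed lookup keeps original
```

Calling rewrite_bind_dn() with "uid=stapleton,ou=People,dc=mydomain,dc=tld" returns the numeric-uid DN, while "uid=*,ou=People,dc=mydomain,dc=tld" is escaped to a literal asterisk, matches nothing, and comes back unchanged.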