Re: using openldap as a translation layer.
S James S Stapleton wrote:
> overlay rwm
> rwm-rewriteEngine on
> #left here because it might be useful, to simplify things later, but not
> currently used
> rwm-rewriteMap
> ldap
> "realBindDNLookup"
> "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"
I got all of the above lined up in column 1. I hope it's the mailer,
otherwise please read slapd.conf(5) about the syntax, and specifically
about continuation lines.
> # bind DN rewrite rules
> rwm-rewriteContext bindDN
> # extract the username from the incorrect DN, and try to use it
> # as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
> # fetch the corresponding DN
> #original
> # "^uid=([^,]+)?,ou=People,dc=mywork,dc=com$"
> #alt #1
> # "uid=([a-zA-Z-]+\.[\d]+)"
> #alt #2
> # "\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
> rwm-rewriteRule
> "\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
> "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub(mail=$1@osu.edu)"
I see (at least) four errors here:
1) the URI doesn't have to be here; it must be in the ldap map.
Otherwise it's just treated for what it is: a string.
2) in any case, an LDAP URL needs a "?" to separate the scope ("sub")
from the filter.
3) escapes need to appear twice, because "\" is the escape char for
slapd.conf and for the regex. So using a single escape, like
"\(objectClass=person\)", results in passing "(objectClass=person)" to
regcomp(3), and the "(" ")" are treated as special regex chars. This is
illustrated in slapo-rwm(5).
4) a bindDN will never look like an LDAP filter. So this rule shouldn't
be in the "bindDN" rewrite context.
>
> "@"
> # if the lookup fails, the error is ignored, and thus
> # the original DN is used.
> ============================================================
To obtain what you want, but in the "searchFilter" rewrite context,
something like
rwm-rewriteMap ldap "realBindDNLookup"
        "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"
rwm-rewriteContext searchFilter
rwm-rewriteRule
        "^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$"
        "${realBindDNLookup(mail=$1@osu.edu)}" ":@"
should work.
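The escaping point (3) and the corrected searchFilter rule can be checked offline with a small simulation. This is an added example, not code from the thread or from OpenLDAP: it undoes slapd.conf's backslash quoting, compiles what regcomp(3) would see, expands $1, and replaces the "realBindDNLookup" ldap map with a constructed dictionary.

```python
import re

# Constructed stand-in for the "realBindDNLookup" ldap map: the lookup
# argument the rule builds -> the entryDN a real server would return.
FAKE_LDAP_MAP = {
    "mail=john.123@osu.edu": "uid=jdoe,ou=People,dc=osu,dc=edu",
}

# Patterns exactly as slapd would read them between the double quotes.
SINGLE_ESCAPED = r"\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
DOUBLE_ESCAPED = r"^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$"
SUBST = "${realBindDNLookup(mail=$1@osu.edu)}"
INCOMING = "(&(objectClass=person)(uid=john.123))"   # constructed client filter

def slapd_conf_unescape(arg):
    """Undo slapd.conf quoting of one argument: a backslash escapes the next
    character, so "\\\\(" reaches regcomp(3) as "\\(" (literal paren) while a
    single "\\(" reaches it as "(" (a regex group)."""
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)

MAP_CALL = re.compile(r"\$\{(\w+)\((.*?)\)\}")   # ${mapname(argument)}

def rewrite_search_filter(conf_pattern, conf_subst, search_filter):
    """One searchFilter-context rule: match, expand $n, evaluate ${map(arg)}.
    Returns None when the pattern does not match or the map lookup fails
    (simplified: real slapo-rwm behaviour on failure depends on the flags)."""
    m = re.compile(slapd_conf_unescape(conf_pattern)).match(search_filter)
    if m is None:
        return None
    expanded = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), conf_subst)

    def run_map(call):
        name, arg = call.group(1), call.group(2)
        if name != "realBindDNLookup":
            raise ValueError("unknown rewrite map: " + name)
        if arg not in FAKE_LDAP_MAP:
            raise LookupError(arg)       # no entry with that mail attribute
        return FAKE_LDAP_MAP[arg]

    try:
        return MAP_CALL.sub(run_map, expanded)
    except LookupError:
        return None
```

With the single-escaped pattern the parens become regex groups and the literal filter never matches; with the double-escaped one the uid is captured and resolved through the map.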
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------