[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rewriting (invalid) bindDN ?



> Hi list,
>
> I've just set up a ldap proxy on witch I wish users may bind with their cn
> instead of dn.
> Some reading let me say it's possible
>  - slapo-rwm (5)
>  - http://blogs.turmzimmer.net/2008/06/26#ldap-3
>  - http://www.openldap.org/lists/openldap-software/201004/msg00065.html
> and some more
>
> I run slapd 2.4.11 from Debian Lenny. Here is slapd.conf :
>
> slapd.conf>
> ##################################################################
> slapd.conf> # Global Directives:
> slapd.conf> disallow bind_anon
> slapd.conf> require authc
> slapd.conf> include         /etc/ldap/schema/core.schema
> slapd.conf> include         /etc/ldap/schema/cosine.schema
> slapd.conf> include         /etc/ldap/schema/nis.schema
> slapd.conf> include         /etc/ldap/schema/inetorgperson.schema
> slapd.conf> pidfile         /var/run/slapd/slapd.pid
> slapd.conf> argsfile        /var/run/slapd/slapd.args
> slapd.conf> loglevel        -1
> slapd.conf> modulepath      /usr/lib/ldap
> slapd.conf> moduleload      back_ldap
> slapd.conf> moduleload      rwm
> slapd.conf> sizelimit 500
> slapd.conf> tool-threads 1
> slapd.conf>
> ##################################################################
> slapd.conf> # Specific Directives for database #1
> slapd.conf>
> slapd.conf> database        ldap
> slapd.conf> suffix          "o=MyO"
> slapd.conf> uri             "ldap://MyLDAP";
> slapd.conf> readonly        on
> slapd.conf> overlay         rwm
> slapd.conf> rwm-rewriteEngine       on
> slapd.conf> rwm-rewriteContext      bindDN
> slapd.conf> rwm-rewriteRule "(.*)"  "cn=$1,ou=SubOU,ou=OU,o=MyO" ":"
>
> When trying to bind from Thunderbird as client with just "MyCN",
> connection fail
> with "invalid dn". I expected some info about rwm rewriting
>
> syslog> slapd[11027]: conn=5 op=0 do_bind
> syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
> syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)

^^^ The error comes from do_bind(); so the invalid DN is rejected before
slapo-rwm comes into play.  p.

> syslog> slapd[11027]: send_ldap_result: conn=5 op=0 p=3
> syslog> slapd[11027]: send_ldap_result: err=34 matched="" text="invalid
> DN"
> syslog> slapd[11027]: send_ldap_response: msgid=1 tag=97 err=34
> syslog> slapd[11027]: conn=5 op=0 RESULT tag=97 err=34 text=invalid DN
>
> When trying to bind with a valid DN, rwm works as expected. (And of course
> bind
> failed because of unexistent rewritten DN)
>
> syslog> slapd[11135]: >>> dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: <<< dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>,
> <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: conn=1 op=0 BIND dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"
> method=128
> syslog> slapd[11135]: do_bind: version=3 dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"
> method=128
> syslog> slapd[11135]: [rw] bindDN: "cn=MyCN,ou=SubOU,ou=OU,o=MyO" ->
> "cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO"
> syslog> slapd[11135]: >>> dnPrettyNormal:
> <cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: <<< dnPrettyNormal:
> <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>,
> <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
>
> So, why isn't rwm not used when supplying an invalid dn ?
>
> Regards,
>
>  -G.-
>
>
>