Re: rewriting (invalid) bindDN ?
> Hi list,
>
> I've just set up an LDAP proxy on which I wish users may bind with their cn
> instead of dn.
> Some reading let me say it's possible
> - slapo-rwm (5)
> - http://blogs.turmzimmer.net/2008/06/26#ldap-3
> - http://www.openldap.org/lists/openldap-software/201004/msg00065.html
> and some more
>
> I run slapd 2.4.11 from Debian Lenny. Here is slapd.conf:
>
> slapd.conf>
> ##################################################################
> slapd.conf> # Global Directives:
> slapd.conf> disallow bind_anon
> slapd.conf> require authc
> slapd.conf> include /etc/ldap/schema/core.schema
> slapd.conf> include /etc/ldap/schema/cosine.schema
> slapd.conf> include /etc/ldap/schema/nis.schema
> slapd.conf> include /etc/ldap/schema/inetorgperson.schema
> slapd.conf> pidfile /var/run/slapd/slapd.pid
> slapd.conf> argsfile /var/run/slapd/slapd.args
> slapd.conf> loglevel -1
> slapd.conf> modulepath /usr/lib/ldap
> slapd.conf> moduleload back_ldap
> slapd.conf> moduleload rwm
> slapd.conf> sizelimit 500
> slapd.conf> tool-threads 1
> slapd.conf>
> ##################################################################
> slapd.conf> # Specific Directives for database #1
> slapd.conf>
> slapd.conf> database ldap
> slapd.conf> suffix "o=MyO"
> slapd.conf> uri "ldap://MyLDAP"
> slapd.conf> readonly on
> slapd.conf> overlay rwm
> slapd.conf> rwm-rewriteEngine on
> slapd.conf> rwm-rewriteContext bindDN
> slapd.conf> rwm-rewriteRule "(.*)" "cn=$1,ou=SubOU,ou=OU,o=MyO" ":"
>
> When trying to bind from Thunderbird as client with just "MyCN", the
> connection fails
> with "invalid dn". I expected some info about rwm rewriting.
>
> syslog> slapd[11027]: conn=5 op=0 do_bind
> syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
> syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)
^^^ The error comes from do_bind(); so the invalid DN is rejected before
slapo-rwm comes into play. p.
> syslog> slapd[11027]: send_ldap_result: conn=5 op=0 p=3
> syslog> slapd[11027]: send_ldap_result: err=34 matched="" text="invalid
> DN"
> syslog> slapd[11027]: send_ldap_response: msgid=1 tag=97 err=34
> syslog> slapd[11027]: conn=5 op=0 RESULT tag=97 err=34 text=invalid DN
>
> When trying to bind with a valid DN, rwm works as expected. (And of course
> the bind
> failed because of a nonexistent rewritten DN.)
>
> syslog> slapd[11135]: >>> dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: <<< dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>,
> <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: conn=1 op=0 BIND dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"
> method=128
> syslog> slapd[11135]: do_bind: version=3 dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"
> method=128
> syslog> slapd[11135]: [rw] bindDN: "cn=MyCN,ou=SubOU,ou=OU,o=MyO" ->
> "cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO"
> syslog> slapd[11135]: >>> dnPrettyNormal:
> <cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
> syslog> slapd[11135]: <<< dnPrettyNormal:
> <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>,
> <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
>
> So, why isn't rwm used when supplying an invalid DN?
>
> Regards,
>
> -G.-
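An added example (my own code, not from the thread or from OpenLDAP) that models the two behaviours visible in the quoted logs: the DN syntax check that do_bind() runs before any overlay, which rejects a bare "MyCN" with err=34, and the poster's rwm-rewriteRule applied to an already valid DN, which wraps it a second time and gets its inner "=" escaped as \3D by normalization. The attribute-type regex and the escaped-character set are simplifications of RFC 4514, assumed for illustration.

```python
import re

# Rule from the poster's slapd.conf: rwm-rewriteRule "(.*)" "cn=$1,ou=SubOU,ou=OU,o=MyO"
RULE_PATTERN = r"(.*)"
RULE_TEMPLATE = "cn=$1,ou=SubOU,ou=OU,o=MyO"
# Value characters RFC 4514 requires escaping (simplified set, assumed here).
_SPECIAL = ',+"\\<>;='


def split_rdns(dn):
    """Split a DN on commas that are not backslash-escaped."""
    return re.split(r"(?<!\\),", dn)


def is_valid_dn(dn):
    """The syntax check do_bind() applies (via dnPrettyNormal) before any
    overlay runs: each RDN must be 'type=value'. A bare 'MyCN' has no '='."""
    if dn == "":
        return True  # empty DN is legal syntax (anonymous bind)
    for rdn in split_rdns(dn):
        attr, sep, _ = rdn.partition("=")
        if not sep or not re.fullmatch(r"[A-Za-z][A-Za-z0-9-]*", attr.strip()):
            return False
    return True


def apply_rwm_rule(dn, pattern=RULE_PATTERN, template=RULE_TEMPLATE):
    """Match the whole DN against the rule's regex and expand $1.. with the
    captured groups, as rwm does; an unmatched DN passes through unchanged."""
    m = re.fullmatch(pattern, dn)
    if not m:
        return dn
    return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), template)


def normalize_dn(dn):
    """Escape special characters inside values as \\XX, which is why the log
    shows the doubled DN as 'cn=cn\\3DMyCN,...' after dnPrettyNormal."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(attr + "=" + "".join(
            "\\%02X" % ord(c) if c in _SPECIAL else c for c in value))
    return ",".join(out)


def simulate_bind(dn):
    """Order of operations seen in the thread: the syntax check fails first
    (err=34 invalidDNSyntax); only a DN that passes reaches the rwm rewrite."""
    if not is_valid_dn(dn):
        return ("err=34 invalid DN", None)
    return ("rewritten", normalize_dn(apply_rwm_rule(dn)))
```

Because the rewrite is only reached by input that already parses as a DN, changing the rule alone cannot make a bare CN bind succeed.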