
Re: rewriting (invalid) bindDN ?




On 11 May 10 at 09:37, masarati@aero.polimi.it wrote:

Hi list,

I've just set up an LDAP proxy on which I wish users could bind with their cn
instead of their dn.
Some reading lets me think it's possible:
- slapo-rwm (5)
- http://blogs.turmzimmer.net/2008/06/26#ldap-3
- http://www.openldap.org/lists/openldap-software/201004/msg00065.html
and some more

I run slapd 2.4.11 from Debian Lenny. Here is slapd.conf:

slapd.conf> ##################################################################
slapd.conf> # Global Directives:
slapd.conf> disallow bind_anon
slapd.conf> require authc
slapd.conf> include         /etc/ldap/schema/core.schema
slapd.conf> include         /etc/ldap/schema/cosine.schema
slapd.conf> include         /etc/ldap/schema/nis.schema
slapd.conf> include         /etc/ldap/schema/inetorgperson.schema
slapd.conf> pidfile         /var/run/slapd/slapd.pid
slapd.conf> argsfile        /var/run/slapd/slapd.args
slapd.conf> loglevel        -1
slapd.conf> modulepath      /usr/lib/ldap
slapd.conf> moduleload      back_ldap
slapd.conf> moduleload      rwm
slapd.conf> sizelimit 500
slapd.conf> tool-threads 1
slapd.conf> ##################################################################
slapd.conf> # Specific Directives for database #1
slapd.conf>
slapd.conf> database        ldap
slapd.conf> suffix          "o=MyO"
slapd.conf> uri             "ldap://MyLDAP"
slapd.conf> readonly        on
slapd.conf> overlay         rwm
slapd.conf> rwm-rewriteEngine       on
slapd.conf> rwm-rewriteContext      bindDN
slapd.conf> rwm-rewriteRule "(.*)"  "cn=$1,ou=SubOU,ou=OU,o=MyO" ":"

When trying to bind from Thunderbird as client with just "MyCN", the connection
fails with "invalid dn". I expected some info about rwm rewriting:

syslog> slapd[11027]: conn=5 op=0 do_bind
syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)

^^^ The error comes from do_bind(); so the invalid DN is rejected before
slapo-rwm comes into play.  p.

Yes, I didn't object to what the logs say :)
Is there a way to accept this invalid DN, then rewrite it?

Thanks in advance.

Regards,

 -G.-

syslog> slapd[11027]: send_ldap_result: conn=5 op=0 p=3
syslog> slapd[11027]: send_ldap_result: err=34 matched="" text="invalid DN"
syslog> slapd[11027]: send_ldap_response: msgid=1 tag=97 err=34
syslog> slapd[11027]: conn=5 op=0 RESULT tag=97 err=34 text=invalid DN

When trying to bind with a valid DN, rwm works as expected. (And of course the
bind failed because of the nonexistent rewritten DN.)

syslog> slapd[11135]: >>> dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: <<< dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>, <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: conn=1 op=0 BIND dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO" method=128
syslog> slapd[11135]: do_bind: version=3 dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO" method=128
syslog> slapd[11135]: [rw] bindDN: "cn=MyCN,ou=SubOU,ou=OU,o=MyO" -> "cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO"
syslog> slapd[11135]: >>> dnPrettyNormal: <cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: <<< dnPrettyNormal: <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>, <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>

So, why isn't rwm used when supplying an invalid DN?

Regards,

-G.-
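As an added illustration (not code from this thread or from OpenLDAP), the Python below models the ordering the logs show: DN syntax is checked in do_bind() before slapo-rwm runs, so a bare "MyCN" is refused with err=34, while a full DN matches the catch-all "(.*)" rule and gets the ou=SubOU,ou=OU,o=MyO suffix prepended a second time. The simplified dn_is_valid() check, simulate_bind() and the anchored REFINED_RULES pattern are my assumptions, not slapd's implementation.

```python
import re

# Simplified stand-in for slapd's dnPrettyNormal() syntax check (assumption, not
# OpenLDAP code): one or more "attr=value" RDNs separated by commas.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,]+$")

def dn_is_valid(dn):
    """Return True if dn looks like a syntactically valid DN (empty DN = anonymous)."""
    if dn == "":
        return True
    return all(RDN_RE.match(rdn) for rdn in dn.split(","))

def rwm_rewrite(dn, rules):
    """Apply rwm-style rewriteRules: first regex that matches wins, $N = capture N."""
    for pattern, subst in rules:
        m = re.match(pattern, dn)
        if m:
            # The replacement function's return value is inserted literally.
            return re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), subst)
    return dn

def simulate_bind(dn, rules):
    """Return (err, effective_dn): err=34 is LDAP invalidDNSyntax, 0 means the
    bind DN reached the overlay and was rewritten (or passed through)."""
    if not dn_is_valid(dn):
        # Rejected inside do_bind(), before any overlay sees the request,
        # exactly as the first syslog excerpt in the thread shows.
        return 34, None
    return 0, rwm_rewrite(dn, rules)

# The rule exactly as posted in slapd.conf: it matches every valid DN, so an
# already complete DN is prefixed again (compare the "[rw] bindDN:" log line).
POSTED_RULES = [(r"(.*)", "cn=$1,ou=SubOU,ou=OU,o=MyO")]

# Assumed refinement: only a bare single-RDN "cn=<name>" (which IS a valid DN)
# is expanded; a full DN no longer matches and passes through unchanged.
REFINED_RULES = [(r"^cn=([^,]+)$", "cn=$1,ou=SubOU,ou=OU,o=MyO")]

if __name__ == "__main__":
    # Constructed sample bind names from the thread plus the bare-RDN form.
    for name in ("MyCN", "cn=MyCN,ou=SubOU,ou=OU,o=MyO", "cn=MyCN"):
        print(f"{name!r}: posted={simulate_bind(name, POSTED_RULES)} "
              f"refined={simulate_bind(name, REFINED_RULES)}")
```

The bare "MyCN" never reaches any rule set; what the refined rule changes is only how a client-supplied single RDN such as cn=MyCN is expanded.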