Le 11 mai 10 à 09:37, masarati@aero.polimi.it a écrit :
Hi list,I've just set up a ldap proxy on witch I wish users may bind with their cninstead of dn. Some reading let me say it's possible - slapo-rwm (5) - http://blogs.turmzimmer.net/2008/06/26#ldap-3- http://www.openldap.org/lists/openldap-software/201004/ msg00065.htmland some more I run slapd 2.4.11 from Debian Lenny. Here is slapd.conf : slapd.conf> ################################################################## slapd.conf> # Global Directives: slapd.conf> disallow bind_anon slapd.conf> require authc slapd.conf> include /etc/ldap/schema/core.schema slapd.conf> include /etc/ldap/schema/cosine.schema slapd.conf> include /etc/ldap/schema/nis.schema slapd.conf> include /etc/ldap/schema/inetorgperson.schema slapd.conf> pidfile /var/run/slapd/slapd.pid slapd.conf> argsfile /var/run/slapd/slapd.args slapd.conf> loglevel -1 slapd.conf> modulepath /usr/lib/ldap slapd.conf> moduleload back_ldap slapd.conf> moduleload rwm slapd.conf> sizelimit 500 slapd.conf> tool-threads 1 slapd.conf> ################################################################## slapd.conf> # Specific Directives for database #1 slapd.conf> slapd.conf> database ldap slapd.conf> suffix "o=MyO" slapd.conf> uri "ldap://MyLDAP"; slapd.conf> readonly on slapd.conf> overlay rwm slapd.conf> rwm-rewriteEngine on slapd.conf> rwm-rewriteContext bindDN slapd.conf> rwm-rewriteRule "(.*)" "cn=$1,ou=SubOU,ou=OU,o=MyO" ":" When trying to bind from Thunderbird as client with just "MyCN", connection fail with "invalid dn". I expected some info about rwm rewriting syslog> slapd[11027]: conn=5 op=0 do_bind syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN> syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)^^^ The error comes from do_bind(); so the invalid DN is rejected beforeslapo-rwm comes into play. p.
Yes, I didn't object what the logs say :) Is there a way to accept this invalid DN then rewrite it ? Thanks in advance. Regards, -G.-
syslog> slapd[11027]: send_ldap_result: conn=5 op=0 p=3syslog> slapd[11027]: send_ldap_result: err=34 matched="" text="invalidDN" syslog> slapd[11027]: send_ldap_response: msgid=1 tag=97 err=34syslog> slapd[11027]: conn=5 op=0 RESULT tag=97 err=34 text=invalid DNWhen trying to bind with a valid DN, rwm works as expected. (And of coursebind failed because of unexistent rewritten DN)syslog> slapd[11135]: >>> dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO> syslog> slapd[11135]: <<< dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>,<cn=MyCN,ou=SubOU,ou=OU,o=MyO>syslog> slapd[11135]: conn=1 op=0 BIND dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"method=128syslog> slapd[11135]: do_bind: version=3 dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO"method=128 syslog> slapd[11135]: [rw] bindDN: "cn=MyCN,ou=SubOU,ou=OU,o=MyO" -> "cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO" syslog> slapd[11135]: >>> dnPrettyNormal: <cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO> syslog> slapd[11135]: <<< dnPrettyNormal: <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>, <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO> So, why isn't rwm not used when supplying an invalid dn ? Regards, -G.-