
Re: (ITS#4602) rwm-rewriteMap - Parameter "map type": allowed values not documented
christian.epkenhans@telefonica.de wrote:
> I would suggest to enhance the relevant Manpages to give information about
> further maptypes, and maybe to give more information about the "ldap"-maptype,
> if there are features not covered by the example.
>
> Personally I would be thankful if you provide me with this information (or hints
> where to search) directly (maybe by answering by mail), if an update of the
> Manpages fails to appear or has a significant delay.
>   

That feature has a long and troubled history, and it was never 
documented because it had problems and might need some reworking.  I 
happened to rework it recently (but it needs more) and I took that 
chance to add some documentation (to HEAD) in the slapo-rwm(5) man 
page.  There are a few differences between versions up to 2.3 and HEAD, 
which I'll discuss below.

The syntax is

    rewriteMap <map name> <map type> <args> [...]

The only available map right now seems to be the LDAP map.  Its syntax 
in OpenLDAP 2.3 is:

    <URI> [bindwhen=<when>] [binddn=<DN>] [bindpw=<pw>]

so, for example,

    rewriteMap mymap LDAP "ldaps://host/dc=example,dc=com?entryDN?sub"
       bindwhen=later
       binddn="cn=Proxy,ou=Admin,dc=example,dc=com"
       bindpw=secret

would look up the DN of an entry matching the filter passed to the map as 
argument, using the identity indicated above.  Note that OpenLDAP 2.3 up 
to 2.3.27 has a tiny bug that causes a crash if you use the "bindpw" 
parameter; this is now fixed in CVS for both HEAD and re23.

The code in HEAD has been cleaned up a little bit; now more stringent 
checks occur on the values parsed.  The syntax changed a little bit as 
well, but full backwards compatibility has been preserved.  Yet only 
simple bind is possible; I plan to make this fully compatible with, for 
example, all special binds internally performed by slapd, i.e. to allow 
SASL bind and so on, reusing the helpers already available, for example, 
for replication, for the proxies and so on.

The new syntax is

    <URI> [bindwhen=<when>] [binddn=<DN>] [credentials=<pw>] [version={2,3}]

which is basically consistent with what's now parsed by the 
slap_bindconf related stuff.  Note that version defaults to LDAPv3, 
while in OpenLDAP 2.3 no version can be set before binding, so it 
defaults to the library's default, which is LDAPv2+; this requires, for 
example, allowing bind_v2 on the DSA used to map values.

Hope this helps.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
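As an added example (not part of the reply above or of the OpenLDAP man pages), a slapd.conf fragment that defines such an LDAP map on the rwm overlay and invokes it from a rewrite rule. The argument order (map type before map name) is the one slapo-rwm(5) and slapd-ldap(5) document; host names, DNs and the password are placeholders.

```conf
# Constructed slapd.conf fragment (added example, not from the reply or
# from the OpenLDAP sources). Host names, DNs and "secret" are placeholders.
database            ldap
suffix              "dc=example,dc=com"
uri                 "ldap://backend.example.com"

overlay             rwm
rwm-rewriteEngine   on

# Map definition: map type first, then map name, as in slapo-rwm(5).
# The URI returns entryDN of entries matching the filter the map receives,
# so the map turns a filter into a DN. This is the HEAD syntax from the
# reply (credentials=, version=); OpenLDAP 2.3 spells the password bindpw=
# and has no version option, so the library default (LDAPv2+) applies and
# the map DSA must then have "allow bind_v2" set. version=3 is the HEAD
# default and is written out here only to make that explicit.
rwm-rewriteMap ldap uid2dn "ldaps://maps.example.com/dc=example,dc=com?entryDN?sub"
    bindwhen=later
    binddn="cn=Proxy,ou=Admin,dc=example,dc=com"
    credentials=secret
    version=3

# Invoke the map from a rule: a client that binds as "uid=<name>" has that
# name resolved to the entry's real DN before the bind is forwarded.
# "${mapname(arg)}" in the substitution passes "arg" to the map as the
# search filter; "$1" is the first submatch of the pattern.
rwm-rewriteContext  bindDN
rwm-rewriteRule     "^uid=([^,]+)$" "${uid2dn(uid=$1)}" ":"
```

Because the map's bind password sits in cleartext in slapd.conf, keep the file readable only by the user slapd runs as.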