
Re: back-meta: BindRequest to flat name space



>
>> HI!
>>
>> Some really weird software assumes a flat name space and does
>> authentication by doing a BindRequest against
>>
>> uid=<user id>,<search root>
>>
>> instead of searching for (uid=<user id>) under <search root> and
>> using the DN in the result as Bind-DN.
>>
>> Is it possible to use back-meta in OpenLDAP 2.1.x to fix this
>> situation? Or do I have to implement my own LDAP proxy back-end?
>
> Yes, you can.  If you can map <user id> to the DN,
> you can use the rewriteEngine to do the mapping
> for you before binding.  Note that you can use
> back-ldap, which has the same rewriting features
> of back-meta with reduced overhead.
>
> You need to do something like
>
> database ldap
> suffix <search root>
>
> rewriteEngine on
> rewriteContext default
>
> # only if the real naming context is different from search root
> rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
> rewriteContext searchResult
> rewriteRule "<real naming context>$" "<search root>" ":"
> rewriteRule "(.*),<real naming context>$" "%1,<search root>" ":"
>
> rewriteContext matchedDN alias searchResult
>
> # this is to have safe defaults
> rewriteContext searchFilter
>
> # this is the real rule ...
> rewriteContext bindDN
> rewriteRule "^uid=([^,]+),<search root>$" "<rule with %1 as the uid>" ":"
> rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
> # and that's it.  In slapd-meta(5) there is an example that
> # does something similar to what you're looking for:
> # it defines a LDAP map (e.g. a LDAP search that maps
> # a matched portion of a pattern to the search result)
> # note that match 1 (%1) becomes the filter of the search;
> # the last two rules are caught as a safe fallthru in case
> # the search fails; they simply massage the DN, you don't
> # need them if <search root> and <real naming context> are
> # the same.  The search should be calling the REAL database,
> # e.g. the same server back-ldap is targeting.
> rewriteContext bindDN
> rewriteMap ldap attr2dn "ldap:///<real naming context>?dn?sub"
> rewriteRule "^(uid=[^,]+),<search root>$" "%{attr2dn(%1)}" "@I"
> rewriteRule "<search root>$" "<real naming context>" ":"
> rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"
>
>
>
> Note: I haven't used these features in a while,
> so I'm not sure they still work correctly, so
> feedback would be appreciated.  In case of success,
> you may want to turn it into a FAQ...

I confirm it works with HEAD code, so it should
also work with 2.1.X because the basic functionalities
did not change (despite a lot of API reworking).

All that's missing above is the

uri ldap://<smtg>

directive.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
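As an added illustration (not part of this thread and not OpenLDAP code), a small Python model of the bindDN chain in the configuration above, run against a constructed in-memory stand-in for the real backend: the ldap map lookup is tried first, and the two DN-massaging rules act as the fallthrough when that lookup fails. The naming contexts, the directory contents and the choice to treat an ambiguous lookup (several entries with the same uid) as a failed lookup are assumptions of the example.

```python
import re

SEARCH_ROOT = "ou=people,dc=example,dc=com"  # <search root> the flat-namespace client binds under (assumed)
REAL_NC = "dc=real,dc=net"                   # <real naming context> of the backend (assumed)

# Constructed stand-in for the real backend: DN -> attributes.
BACKEND = {
    "cn=Jane Doe,ou=staff,dc=real,dc=net": {"uid": ["jdoe"]},
    "cn=Bob Roe,ou=contractors,dc=real,dc=net": {"uid": ["broe"]},
    "cn=Dup One,ou=staff,dc=real,dc=net": {"uid": ["dup"]},
    "cn=Dup Two,ou=staff,dc=real,dc=net": {"uid": ["dup"]},
}


def attr2dn(assertion):
    """Model of the 'ldap:///<real naming context>?dn?sub' map: the matched
    'uid=<value>' becomes an equality filter over the subtree and the DN of
    the hit is returned.  Zero or several hits count as a failed lookup, so
    the caller falls through to the DN-massaging rules (assumption)."""
    attr, _, value = assertion.partition("=")
    hits = [dn for dn, attrs in BACKEND.items()
            if dn.endswith("," + REAL_NC) and value in attrs.get(attr, [])]
    return hits[0] if len(hits) == 1 else None


def rewrite_bind_dn(dn):
    """bindDN context: the map rule first, then the two fallthrough rules."""
    m = re.match(r"^(uid=[^,]+)," + re.escape(SEARCH_ROOT) + r"$", dn)
    if m:
        mapped = attr2dn(m.group(1))
        if mapped is not None:
            return mapped
    if dn == SEARCH_ROOT:          # "<search root>$" -> "<real naming context>"
        return REAL_NC
    m = re.match(r"^(.*)," + re.escape(SEARCH_ROOT) + r"$", dn)
    if m:                          # "(.*),<search root>$" -> "%1,<real naming context>"
        return m.group(1) + "," + REAL_NC
    return dn                      # outside <search root>: left untouched


def rewrite_search_result(dn):
    """searchResult context: present backend DNs under <search root> again."""
    if dn == REAL_NC:
        return SEARCH_ROOT
    m = re.match(r"^(.*)," + re.escape(REAL_NC) + r"$", dn)
    return m.group(1) + "," + SEARCH_ROOT if m else dn


if __name__ == "__main__":
    for dn in ("uid=jdoe," + SEARCH_ROOT, "uid=nobody," + SEARCH_ROOT, "uid=dup," + SEARCH_ROOT):
        print(dn, "->", rewrite_bind_dn(dn))
```

The unknown and the ambiguous uid both end up as a massaged DN that does not exist on the backend, so the bind fails there rather than being guessed by the proxy.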