
RWM and bind using mail address



Hi

I have some problems with the rwm overlay and an ldap backend on an
OpenLDAP 2.3.20 server that I hope someone can shed some light upon.

I need to bind - using an email address - to a backend ldap using a
frontend meta/proxy server. So I've used the example from the slapo-rwm
man page (the "DN made up of a single email address" example). But I
cannot get it to work. When I do a

ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
"(mail=someone@somewhere.com)"

it returns the entry including the mail attribute - from the backend
ldap (somehost.somewhere.com) - as expected. But when trying to bind
using the mail address (mail=someone@somewhere.com) it (the
proxymetaldap server) doesn't contact the backend server
(someserver.somewhere.com).

I expect it to not even use the rewrite rule when binding as anonymous
(so it just queries all databases that are defined), but that it does
match the rule when binding with the email address.

With my config below I would expect it to:

1. Match the rule when given mail=someone@somewhere.com
2. Do an anonymous search for the DN in somehost.somewhere.com
3. Bind with the found DN

Is this not possible?

My config is as follows:

############### Begin config ##############################

include         /q/disk_0/openldap/etc/openldap/schema/core.schema
include         /q/disk_0/openldap/etc/openldap/schema/cosine.schema
include         /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
include         /q/disk_0/openldap/etc/openldap/schema/nis.schema
loglevel 256
pidfile         /q/disk_0/openldap/var/run/slapd.pid
argsfile        /q/disk_0/openldap/var/run/slapd.args

database        ldap
suffix          "dc=somewhere,dc=com"
uri             ldap://somehost.somewhere.com/

overlay rwm
rwm-rewriteEngine on
# slapd.conf continuation lines must start with whitespace
rwm-rewriteMap ldap csattr2dn
        "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"

lastmod off

################# End config ########################

For some servers an anonymous bind might not be possible, so I just
expect it to bind with a given username and password to do the search
(pseudorootdn). Is this a suitable option?

-- 
MVH / Best regards

Mikael M. Hansen
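To make the expected three-step behaviour concrete, here is an added example (not from the post or from OpenLDAP) that simulates what the bindDN rewrite context above should do: the rule's regex decides whether a bind DN is rewritten, and the "ldap" map resolves the matched string into an entry DN by searching under the base from the map URL. The backend directory is a constructed in-memory dictionary; the treatment of zero or multiple hits as a lookup error is a simplification of slapd's real behaviour.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed stand-in for the backend at somehost.somewhere.com (DN -> attributes).
BACKEND = {
    "uid=someone,ou=People,ou=Accounts,dc=somewhere,dc=com": {"mail": "someone@somewhere.com"},
    "uid=other,ou=People,ou=Accounts,dc=somewhere,dc=com": {"mail": "other@somewhere.com"},
}

# Values taken from the posted slapd.conf.
MAP_URI = "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
RULE = re.compile(r"^mail=[^,]+@[^,]+$")


def parse_map_uri(uri):
    """Split an RFC 4516 LDAP URL into (host, base DN, attribute, scope)."""
    parts = urlsplit(uri)                      # "?dn?sub" ends up in parts.query
    base = unquote(parts.path.lstrip("/"))
    attr, _, scope = parts.query.partition("?")
    return parts.hostname, base, attr or "dn", scope or "base"


def in_scope(dn, base, scope):
    """Does entry dn fall inside the search scope rooted at base?"""
    dn, base = dn.lower(), base.lower()
    if scope == "base":
        return dn == base
    if scope == "one":
        return dn.partition(",")[2] == base
    return dn == base or dn.endswith("," + base)   # sub


def ldap_map_lookup(arg):
    """Simulate the 'ldap' rewriteMap: the argument ($0, e.g. "mail=x@y") is used
    as an equality filter under the URL's base; "?dn?" means return the entry DN."""
    _host, base, attr, scope = parse_map_uri(MAP_URI)
    key, _, value = arg.partition("=")
    hits = [dn for dn, attrs in BACKEND.items()
            if in_scope(dn, base, scope) and attrs.get(key) == value]
    if len(hits) != 1:
        raise LookupError(f"{arg!r}: {len(hits)} entries found, need exactly 1")
    return hits[0] if attr == "dn" else BACKEND[hits[0]].get(attr)


def rewrite_bind_dn(bind_dn):
    """Apply the bindDN context: anonymous ("") and ordinary DNs pass through
    unchanged; a matching mail=... DN is replaced by the DN found in the backend."""
    match = RULE.match(bind_dn)
    if not match:
        return bind_dn
    return ldap_map_lookup(match.group(0))       # $0 is the whole matched string
```

Step 3 of the poster's expectation is then a normal simple bind with the returned DN and the user's original password.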