
Re: RWM and bind using mail address




Hi

Thanks for the reply

Pierangelo Masarati wrote:
>>
>> I need to bind - using an email address - to a backend ldap using a
>> frontend meta/proxy server. So I've used the example from the slapo-rwm
>> man page (the DN made up of single email) example. But I cannot get it
>> to work. When I do a
>>
>> ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
>> "(mail=someone@somewhere.com)"
>>
>> it returns the entry including the mail attribute - from the backend
>> ldap (somehost.somewhere.com) - as expected. But when trying to bind
>> using the mail address (mail=someone@somewhere.com) it (the
>> proxymetaldap server) doesn't contact the backend server
>> (someserver.somewhere.com).
> 
> because "mail=someone@somewhere.com", although being a perfectly valid DN,
> does not match the suffix of any database, so no database can be selected.
>  Set the suffix of the ldap database to "" and it will work.
> 
It doesn't. Let me try to explain what I intend to do:

Take an email as input to the meta LDAP. someone@a.somewhere.com

Based on the suffix (a.somewhere.com) determine the proper backend
database to query (dc=a,dc=somewhere,dc=com) and rewrite the postfix
(someone) to a value specific for the chosen backend. E.g. uid=someone
or cn=someone. Now find the dn for the value (uid=someone) in the
backend and do a bind. Naturally there should be several backends defined:
b.somewhere.com, c.somewhere.com etc.

Is this not possible?

> 
>> I expect it to not even use the rewrite rule when binding as anonymous
>> (so it just queries all database that are defined),
> 
> nope.  anonymous doesn't even get to databases, because the frontend knows
> how to handle it.

So if I have several backends and connect to the meta anonymously I
cannot get the anonymously available data from all backends in one search?

> 
>> but that it does
>> match the rule when binding with the email address.
>>
>> In my config below I would expect it to:
>>
>> 1. Match the rule when given mail=someone@somewhere.com
>> 2. Do an anonymous search for the DN in somehost.somewhere.com
>> 3. Bind with the found DN
>>
>> Is this not possible?
>>
>> My config is as follows:
>>
>> ############### Begin config ##############################
>>
>> include         /q/disk_0/openldap/etc/openldap/schema/core.schema
>> include         /q/disk_0/openldap/etc/openldap/schema/cosine.schema
>> include         /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
>> include         /q/disk_0/openldap/etc/openldap/schema/nis.schema
>> loglevel 256
>> pidfile         /q/disk_0/openldap/var/run/slapd.pid
>> argsfile        /q/disk_0/openldap/var/run/slapd.args
>>
>> database        ldap
>> suffix          "dc=somewhere,dc=com"
>> uri             ldap://somehost.somewhere.com/
>>
>> overlay rwm
>> rwm-rewriteEngine on
>> rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub";
>> rwm-rewriteContext bindDN
>> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"
>>
>> lastmod off
>>
>> ################# End config ########################
>>
>> For some servers an anonymous bind might not be possible so I just
>> expect it to bind with a given username and password to do the search
>> (pseudorootdn). Is this a suitable option?
> 
> not with the pseudorootdn.  All you can do in this case is use the
> identity assertion feature so that it binds with a given identity
> regardless of the identity of the client.  This requires a bit of work and
> in general it's not recommended.
> 
> p.
> 
> 
> 
> 
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
> 
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office:   +39.02.23998309
> Mobile:   +39.333.4963172
> Email:    pierangelo.masarati@sys-net.it
> ------------------------------------------
> 

--
MVH / Best regards

Mikael M. Hansen
IT-administrator
Computer Science Dept.          Email: mhansen@cs.aau.dk
Aalborg University              Phone: +45 9635 8905
Fredrik Bajers Vej 7E           Room: E2-121
DK-9220 Aalborg, Denmark
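The two mechanisms the thread turns on, the bindDN rewrite from a "mail=" DN to a real DN via a map lookup, and the naming-context selection that Pierangelo says fails because "mail=someone@somewhere.com" falls under no database suffix, are modelled below in plain Python against constructed in-memory data. This is an added example, not OpenLDAP or slapo-rwm code: the rule pattern is the one from the posted config with capture groups added, while the per-domain routing table (BACKENDS) and the directory contents (DIRECTORY) are hypothetical stand-ins for what the poster's several backends would hold. It also goes one step beyond the thread by showing why the local part, which comes straight from the client's bind DN, must be escaped before it is placed in the map's search filter, and why only a unique lookup result should be accepted.

```python
import re
from typing import Optional

# Rule pattern from the posted config, with two capture groups added so the
# local part and domain can be used separately.  [^,] in both halves means any
# DN containing a comma (i.e. more than one RDN) never matches; [^,@] on the
# local part keeps "a@b@c" from being split ambiguously.
MAIL_RDN_RULE = re.compile(r"^mail=([^,@]+)@([^,]+)$")

# Hypothetical routing table (assumption, not from the thread): mail domain ->
# (backend suffix, attribute that names accounts in that backend).
BACKENDS = {
    "a.somewhere.com": ("dc=a,dc=somewhere,dc=com", "uid"),
    "b.somewhere.com": ("dc=b,dc=somewhere,dc=com", "cn"),
}

# Constructed stand-in for the backend directories, i.e. what the "ldap"
# rewrite map's "<base>?dn?sub" search would consult.
DIRECTORY = {
    "dc=a,dc=somewhere,dc=com": [
        {"dn": "uid=someone,ou=People,dc=a,dc=somewhere,dc=com", "uid": "someone"},
        {"dn": "uid=dup,ou=People,dc=a,dc=somewhere,dc=com", "uid": "dup"},
        {"dn": "uid=dup,ou=Staff,dc=a,dc=somewhere,dc=com", "uid": "dup"},
    ],
    "dc=b,dc=somewhere,dc=com": [
        {"dn": "cn=other,ou=Users,dc=b,dc=somewhere,dc=com", "cn": "other"},
    ],
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping for an assertion value inside a search filter."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_map_filter(attr: str, value: str) -> str:
    """Filter the map lookup would send; the value came from a client bind
    DN, so it is escaped before being embedded."""
    return "(%s=%s)" % (attr, escape_filter_value(value))


def database_for_dn(dn: str, suffixes) -> Optional[str]:
    """Naming-context selection as the reply describes it: a DN is served by
    the database whose suffix it ends with (longest match wins).  The empty
    suffix "" matches every DN, which is why the reply suggests it."""
    best = None
    d = dn.lower()
    for s in suffixes:
        sl = s.lower()
        if sl == "" or d == sl or d.endswith("," + sl):
            if best is None or len(sl) > len(best):
                best = s
    return best


def lookup_dn(suffix: str, attr: str, value: str) -> Optional[str]:
    """Emulate the map's search under `suffix` for attr=value.  Only a single
    hit is accepted: zero or several hits return None, so an ambiguous lookup
    never binds as an arbitrary entry."""
    hits = [e["dn"] for e in DIRECTORY.get(suffix, []) if e.get(attr) == value]
    return hits[0] if len(hits) == 1 else None


def rewrite_bind_dn(bind_dn: str) -> str:
    """Bind-DN rewrite with per-domain routing as the poster wants.  Any input
    that does not match, routes nowhere, or resolves to no unique entry is
    returned unchanged (this model's choice, not a statement about the
    overlay's ":@I" flag semantics)."""
    m = MAIL_RDN_RULE.match(bind_dn)
    if not m:
        return bind_dn
    local, domain = m.group(1), m.group(2)
    backend = BACKENDS.get(domain.lower())
    if backend is None:
        return bind_dn
    suffix, attr = backend
    found = lookup_dn(suffix, attr, local)
    return found if found is not None else bind_dn


if __name__ == "__main__":
    for dn in ("mail=someone@a.somewhere.com", "mail=other@b.somewhere.com",
               "mail=dup@a.somewhere.com", "mail=someone@somewhere.com"):
        print("%-35s -> %s" % (dn, rewrite_bind_dn(dn)))
    # The reply's point: no suffix matches the raw mail= DN, but "" does.
    print(database_for_dn("mail=someone@somewhere.com", ["dc=somewhere,dc=com"]))
    print(database_for_dn("mail=someone@somewhere.com", [""]))
```

The unique-hit rule in `lookup_dn` is the part worth carrying over to any real deployment of this pattern: a map that returns the first of several matching entries lets whoever controls the matched attribute choose which account a bind lands on. The escaping in `build_map_filter` matters for the same reason; the local part is attacker-supplied input to a search filter, and characters such as `*` or `)` must not reach the backend unescaped.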