Re: Rewriting BindDN?

[Pierangelo Masarati <ando@sys-net.it>]

Allen S. Rout wrote:
> [apologies if this gets duped:  I appear to be having GMANE problems]
>
> Greetings.  I'm trying to duplicate the docs on rewriting BindDN
> before twiddling them to my actual goals.  I'm using 2.3.35 on linux
> (gentoo).
>
> I've tried to strip the twiddling I'm doing down as far as I can:
>
> moduleload rwm
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteMap LDAP attr2dn "ldap://localhost/ou=People,dc=ufl,dc=edu?dn?sub";
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
>
>
> which is, I think, straight out of the docs. 
>
> Jul 19 10:44:12 misc01 slapd[15708]: line 2 (moduleload rwm) 
> Jul 19 10:44:12 misc01 slapd[15708]: loaded module rwm 
> Jul 19 10:44:12 misc01 slapd[15708]: module rwm: null module registered 
> Jul 19 10:44:12 misc01 slapd[15708]: line 3 (overlay rwm) 
> Jul 19 10:44:12 misc01 slapd[15708]: line 5 (rwm-rewriteEngine on) 
> Jul 19 10:44:12 misc01 slapd[15708]: line 7 (rwm-rewriteMap LDAP attr2dn "ldap://localhost/ou=People,dc=ufl,dc=edu?dn?sub";) 
> Jul 19 10:44:12 misc01 slapd[15708]: line 9 (rwm-rewriteContext bindDN) 
> Jul 19 10:44:12 misc01 slapd[15708]: line 10 (rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I") 
>
> I think that the module is getting loaded. The 'null module' confuses
> me.  But if I take out the moduleload, the overlay declaration fails,
> so -something- is getting loaded, and if I take out the overlay
> statement then the directives are undefined.  I can't come up with a
> scenario where the module would be loaded and define all the entry
> points, but not actually do anything. :) 
>
>
> But when I connect, I get invalid credentials, and: 
>
> Jul 19 10:44:33 misc01 slapd[15721]: connection_read(12): checking for input on id=0 
> Jul 19 10:44:33 misc01 slapd[15721]: daemon: epoll: listen=7 active_threads=1 tvp=zero 
> Jul 19 10:44:33 misc01 slapd[15721]: daemon: epoll: listen=8 active_threads=1 tvp=zero 
> Jul 19 10:44:33 misc01 slapd[15721]: do_bind 
> Jul 19 10:44:33 misc01 slapd[15721]: >>> dnPrettyNormal: <mail=asr@ufl.edu> 
> Jul 19 10:44:33 misc01 slapd[15721]: <<< dnPrettyNormal: <mail=asr@ufl.edu>, <mail=asr@ufl.edu> 
> Jul 19 10:44:33 misc01 slapd[15721]: do_bind: version=3 dn="mail=asr@ufl.edu" method=128 
> Jul 19 10:44:33 misc01 slapd[15721]: conn=0 op=0 BIND dn="mail=asr@ufl.edu" method=128 
> Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_result: conn=0 op=0 p=3 
> Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_result: err=49 matched="" text="" 
> Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_response: msgid=1 tag=97 err=49 
> Jul 19 10:44:33 misc01 slapd[15721]: conn=0 op=0 RESULT tag=97 err=49 text= 
> Jul 19 10:44:33 misc01 slapd[15721]: daemon: activity on 1 descriptor 
>
> what I find frustrating about this is that I don't even see an attempt
> to (say) apply the bindDN rewrite rule.  Should I be expecting to see
> that?  What config entries do I need to get some visibility into this
> process?  I'm already doing loglevel -1: is there more? :)

You don't provide enough information (e.g. the rest of your slapd.conf). 
 Apparently, no attempt to rewrite the bind DN ever takes place.  I 
guess there's no database that can handle that request and pass it to 
the rwm overlay.

p.




Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------