
Re: Rewriting BindDN?



Allen S. Rout wrote:

> My apologies: I was trying not to include too much data.  But that may
> be an aspect I just missed: I've been focusing on the rewrite
> mechanics. The examples in slapo-rwm don't seem to specify an
> enclosing database, including the example I'm trying to duplicate. I'm
> not sure how to work out what is required.
> 
>  # Then we need to detect DN made up of a single email,
>  # e.g. `mail=someone@example.com'; note that the rule
>  # in case of match stops rewriting; in case of error,
>  # it is ignored.  In case we are mapping virtual
>  # to real naming contexts, we also need to rewrite
>  # regular DNs, because the definition of a bindDN
>  # rewrite context overrides the default definition.
>  rwm-rewriteContext bindDN
>  rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
> 
> That seems to be talking about a DN without any suffix at all;  i.e. 
> 
> ldapsearch -x -D "mail=someone@example.com" -W 
> 
> bare. 

Exactly.

> I infer from your comment that I need to define a database with
> a blank suffix, and express this rewrite rule within that? 

Either this, or place the rwm overlay __before__ any database, so that
it intercepts bind requests __before__ ever getting to database
selection.  So both

<slapd.conf: database>
database	bdb
suffix		""
# ...
overlay		rwm
rwm-...
# ...
</slapd.conf: database>

and

<slapd.conf: global>
# before any database...
overlay		rwm
rwm-...
# ...

database	bdb
suffix		"dc=example,dc=com"
# ...
</slapd.conf: global>

should give the expected behavior, with the noticeable difference that
the former will only affect requests related to the "" database, while
the latter would affect requests to any database configured within that
instance of slapd.

> I'll set
> about attempting this.
> 
> 
> If there's some better FM which I should be Ring, I'll be more than
> content with a pointer to it. I googled rather a lot before getting to
> this point, and the slapo-rwm man page appears to be the most detailed
> document available.
> 
> 
> If I get it working, would the Lords of LDAP entertain a doc patch?

Well, IMHO the current documentation covers what's required to set up
what you want to accomplish.  However, if you feel it's not clear
enough, please feel free to submit patches (to the man pages, to the
Admin Guide or so) using the Issue Tracking System
<http://www.openldap.org/its/>.

Perhaps, since the use you're trying to set up seems to be very
specialistic, you may want to start with a FAQ entry.  In this case, the
FAQ is interactive, so you are welcome to add contributions.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
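The bindDN rewrite rule quoted above, modelled in Python as an added illustration that is not OpenLDAP code and not part of this thread: the regex only matches a bare, suffix-less `mail=...` DN, and the `@` / `I` flags behave as the quoted comment describes (stop rewriting on match, ignore a lookup error). The `DIRECTORY` dict and the `attr2dn` function are constructed stand-ins for the entries slapd would actually search.

```python
import re

# Constructed stand-in for the directory slapd would search: mail value -> entry DN.
DIRECTORY = {
    "someone@example.com": "uid=someone,ou=people,dc=example,dc=com",
    "other@example.com": "uid=other,ou=people,dc=example,dc=com",
}


def attr2dn(rdn: str) -> str:
    """Stand-in for rwm's ${attr2dn(...)}: resolve a single 'mail=<value>' RDN
    to the DN of the entry carrying that mail value; fail if there is none."""
    attr, value = rdn.split("=", 1)
    if attr.lower() != "mail" or value not in DIRECTORY:
        raise LookupError(f"no entry with {attr}={value}")
    return DIRECTORY[value]


# The bindDN context from the quoted slapo-rwm example: (pattern, substitution, flags).
# [^,]+ on both sides of '@' means a DN carrying any further RDN (a suffix) never matches,
# so only a bare "mail=user@host" bind DN is rewritten.
BINDDN_RULES = [
    (re.compile(r"^mail=[^,]+@[^,]+$"), lambda m: attr2dn(m.group(0)), "@I"),
]


def rewrite_binddn(dn: str) -> str:
    """Apply the bindDN rewrite rules in order, following the flag semantics
    stated in the quoted comment: '@' stops rewriting after a match,
    'I' ignores an error from the substitution and leaves the DN as it was."""
    for pattern, substitute, flags in BINDDN_RULES:
        match = pattern.match(dn)
        if match is None:
            continue  # no match: fall through to the next rule
        try:
            dn = substitute(match)
        except LookupError:
            if "I" not in flags:
                raise  # without 'I' the error would abort the operation
        if "@" in flags:
            break  # matched: stop processing further rules
    return dn


if __name__ == "__main__":
    for test_dn in ("mail=someone@example.com",
                    "mail=nobody@example.com",
                    "mail=someone@example.com,dc=example,dc=com",
                    "uid=someone,ou=people,dc=example,dc=com"):
        print(f"{test_dn!r:55} -> {rewrite_binddn(test_dn)!r}")
```

Only the first input is rewritten; the second matches but the lookup fails and is ignored, and the last two never match because they carry a suffix.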