[Date Prev][Date Next] [Chronological] [Thread] [Top]

Inherit attributes

To: openldap-technical@openldap.org
Subject: Inherit attributes
From: Alexander Sulfrian <alexander@sulfrian.net>
Date: Mon, 03 Sep 2012 17:22:52 +0200

Hi,

I have some special requirements for a ldap installation. I want to use
a central ldap for a group of users having access to different services.
The user should be able to set a different password for each service. I
try to keep the effort low, therefor I particularly do not want to
modify each of the services. (They all authenticate via ldap-bind.)

To archive the desired features I tried to use the following entity
tree.

dn: uid=alex,ou=People,dc=example,dc=com
dn: cn=service1,uid=alex,ou=People,dc=example,dc=com
dn: cn=service2,uid=alex,ou=People,dc=example,dc=com

The uid=alex entity is the real account. Storing the name, uid, the
master password for this account and possibly other attributes. The
"sub"-entities with cn=service* should only store the password, if it is
set to a special value.

Now the problem: It should be find the service entities if matched
against attributes of the "master" account. That means that I want to
search for (uid=alex) and want to find all the three dns mentioned above
(but only the first dn should keep the real data - I do not want to sync
all data on every change into all "sub"-entities).

What I have tried so far:

 - collect-overlay: Apart from the problem, that I have to specify the
   explicit master dn (it is impossible to specify some thing like
   uid=*,ou=People...), the collected attributes could not be matched
   with an filter during ldap search.

 - rwm-overlay: I did not find a context, where I could rewrite the dn, 
   that is matched against a filter and I do not know if it is possible.
   The searchFilterAttrDN context sounds promising, but I did not find 
   any documentation.

So what can I do, to get it working. It seems, that maybe an
ldap-backend or meta-backend proxying the requests to the local server,
could used to archive that, but I wanted to know if there is any easier
way.

If the attributes are inherited the ldap-bind with the password fallback
could be archived in a way with the rwm-overlay:

dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteMap slapd usermap
               "ldap:///ou=People,dc=example,dc=com?dn?sub";
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^(cn=[^,]+),(uid=[^,]+),.*$"
               "${usermap((&(userPassword=*)($1)($2)))}" ":@I"
olcRwmRewrite: rwm-rewriteRule "^cn=[^,]+,(uid=[^,]+),.*$"
               "${usermap((&(userPassword=*)($1)))}" ":@I"
olcRwmTFSupport: no
olcRwmNormalizeMapped: FALSE


Thanks,
Alex

Prev by Date: Fixing a multi-master divergence
Next by Date: LDAP database corrupted
Index(es):
- Chronological
- Thread