[Date Prev][Date Next] [Chronological] [Thread] [Top]



I've got a question concerning the Meta-backend. But first I have to explain my current configuration:

I've got an OpenLDAP running on Linux which was compiled with the option "--with-kpasswd". It holds the user-data used by Linux and other OSs and has got the following structure:

       |    |
       |    +--uid=cju
       |    |
       |    *

The other LDAP-server runs on an IBM Mainframe (OS/390) and serves as an nice interface to the security-system of the mainframe (RACF). With the current version of OS/390 it only can authenticate users with simple authentication but it supports SSL. I'll call this server RACF-LDAP in the following.

The RACF-LDAP has got very restricted ACLs. Only a super-user can view/modify all accounts and the other users may only view their own account. It has got the following structure:

       |     |
       |     +--racfid=cju
       |     |
       |     *

On the Mainframe runs a Kerberos-server, which uses RACF as backend too. Currently I don't use it. Instead I've created the same user on my OpenLDAP with the same password (saved in plaintext in the userPassword-attribute).

Now I want to fit the RACF-LDAP-tree to the tree of my OpenLDAP with the help of back-meta. I configured my OpenLDAP and defined a rewriting-rule for the BindDN. Looking at /var/log/messages shows that the rewriting works very well (e.g.


is rewritten to


A search only works, if I make a bind to


and the same BindDN. But if I try to bind as


and make a search on


it fails.

As I've taken a look at /var/log/messages, I saw that back-meta only makes anonymous-binds when binding to e.g. dc=saarstahl,dc=de and making a search underneath ou=racf,ou=test,dc=saarstahl,dc=de.

Is there any possibility to get this stuff working without using referrals?

I'm sorry, that I can't support you with my configuration-files but I'm currently at home. It seems that the guys at work have some problems with our provider regarding their mail-server. It was impossible to register for this mailing-list from work.

regards Christian Jung

PS The configuration should look like this:

database meta
suffix ou=racf,ou=test,dc=saarstahl,dc=de
uri ldap://mvstest.saarstahl.de/ou=racf,ou=test,dc=saarstahl,dc=de
lastmod off
rewriteEngine on
rewriteContext binddn
rewriteRule "uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de" "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"

database ldbm
suffix "dc=saarstahl,dc=de"
rootdn "cn=Manager,dc=saarstahl,dc=de"
rootpw ****
directory /var/lib/ldap