[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back-meta

To: <Christian.Jung@wanadoo.fr>
Subject: Re: back-meta
From: "Pierangelo Masarati" <ando@sys-net.it>
Date: Tue, 4 Mar 2003 21:59:18 +0100 (CET)
Cc: <openLDAP-software@OpenLDAP.org>
Importance: Normal
In-reply-to: <3E65081F.1080404@wanadoo.fr>
References: <3E65081F.1080404@wanadoo.fr>

> Hi!
>
> I've got a question concerning the Meta-backend. But first I have to
> explain my current configuration:
>
> I've got an OpenLDAP running on Linux which was compiled with the option
>  "--with-kpasswd". It holds the user-data used by Linux and other OSs
> and  has got the following structure:
>
> dc=saarstahl,dc=de
>    |
>    +--ou=test
>         |
>         +--ou=users
>         |    |
>         |    +--uid=cju
>         |    |
>         |    *
>         |
>         +--ou=racf
>         |
>         *
>
> The other LDAP-server runs on an IBM Mainframe (OS/390) and serves as an
>  nice interface to the security-system of the mainframe (RACF). With the
>  current version of OS/390 it only can authenticate users with simple
> authentication but it supports SSL. I'll call this server RACF-LDAP in
> the following.
>
> The RACF-LDAP has got very restricted ACLs. Only a super-user can
> view/modify all accounts and the other users may only view their own
> account. It has got the following structure:
>
> ou=test,dc=saarstahl,dc=de
>    |
>    +--ou=racf
>         |
>         +--profileType=USER
>         |     |
>         |     +--racfid=cju
>         |     |
>         |     *
>         *
>
> On the Mainframe runs a Kerberos-server, which uses RACF as backend too.
>  Currently I don't use it. Instead I've created the same user on my
> OpenLDAP with the same password (saved in plaintext in the
> userPassword-attribute).
>
> Now I want to fit the RACF-LDAP-tree to the tree of my OpenLDAP with the
>  help of back-meta. I configured my OpenLDAP and defined a
> rewriting-rule  for the BindDN. Looking at /var/log/messages shows that
> the rewriting  works very well (e.g.
>
> "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
>
> is rewritten to
>
> "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de").
>
> A search only works, if I make a bind to
>
> "racfid=cju,profileType=USER,ou=racf,ou=testdc=saarstahl,dc=de"
>
> and the same BindDN. But if I try to bind as
>
> "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
>
> and make a search on
>
> "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"
>
> it fails.
>
> As I've taken a look at /var/log/messages, I saw that back-meta only
> makes anonymous-binds when binding to e.g. dc=saarstahl,dc=de and making
>  a search underneath ou=racf,ou=test,dc=saarstahl,dc=de.
>
> Is there any possibility to get this stuff working without using
> referrals?
>
> I'm sorry, that I can't support you with my configuration-files but I'm
> currently at home. It seems that the guys at work have some problems
> with our provider regarding their mail-server. It was impossible to
> register for this mailing-list from work.

I think you config files are mandatory since your setup is really
unusual.  the tentative ones you reported below seem incorrect,
because the suffix of back meta is incompatible with the bindDn
rewrite rule: a suffix "ou=racf,ou=test,dc=saarstahl,dc=de" will
never catch searches for anything under
"ou=users,ou=test,dc=saarstahl,dc=de" as in the left hand side of
your rewrite rule.

As a consequence, if you bind as
"uid=cju,ou=users,ou=test,dc=saarstahl,dc=de", your request will
likely be satisfied by the superior database (the ldbm one at the
bottom with suffix "dc=saarstahl,dc=de").  When you search for
"racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de",
the serch request is satisfied by the meta database, the binddn
is rewritten for back-meta internal purposes (mostly ACLs), but
no binding towards the RACF is done (remember back-meta is
handling a search request here).  You need to bind to the back meta
also, e.g. bind as "uid=cju,ou=racf,ou=test,dc=saarstahl,dc=de",
with bindDN rewrite rule

rewriteRule "uid=([^,]+),ou=racf,ou=test,dc=saarstahl,dc=de"
    "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"

or anything like this to do both bind and search on the RACF
(and you need appropriate default and result rewrite contexts).

By the way, since you're hitting a single target, you can use
back-ldap instead of back-meta; it basically offers the same
functionality with a single target ldap server.

Of course this might not answer your question (which I can hardly
understand).  If what you want to do is to have user entries in ldbm
with bind on RACF then I'm afraid you can't with current back-meta.
In this case you'd need to have back-meta invoke RACF for bind
operations and back-ldbm for other operations.  In this case what
you need is a sasl plugin for RACF (I don't know any, though).

p.

>
>
> regards
> Christian Jung
>
>
> PS The configuration should look like this:
>
> database meta
> suffix ou=racf,ou=test,dc=saarstahl,dc=de
> subordinate
> uri ldap://mvstest.saarstahl.de/ou=racf,ou=test,dc=saarstahl,dc=de
> rebind-as-user
> lastmod off
> rewriteEngine on
> rewriteContext binddn
> rewriteRule "uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de"
> "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"
>
> database ldbm
> suffix "dc=saarstahl,dc=de"
> rootdn "cn=Manager,dc=saarstahl,dc=de"
> rootpw ****
> directory /var/lib/ldap


-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it

Follow-Ups:
- Re: back-meta
  - From: Christian Jung <Christian.Jung@wanadoo.fr>

References:
- back-meta
  - From: Christian Jung <Christian.Jung@wanadoo.fr>

Prev by Date: Re: [LDAP-SOFTWARE] ACLand regex (matching self)
Next by Date: Re: [LDAP-SOFTWARE] ACLand regex (matching self)
Index(es):
- Chronological
- Thread