[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: back-meta

Hi Pierangelo!

Thanks for the answer. Actually I'm trying to build a single point of administration. That's a part of my diploma thesis.

It would be cute, if I could manage it to integrate the RACF-LDAP seemless in my OpenLDAP. I think it's more transparent for the users and application-developers having a tree which contains all necessary data of all OSs.

I'm sorry for my dizzy previous post (was a really ballbraking day today - uh sorry, yesterday) and promise to provide you with more useful information in the next days.

bye Chris

Pierangelo Masarati wrote:

I've got a question concerning the Meta-backend. But first I have to
explain my current configuration:

I've got an OpenLDAP running on Linux which was compiled with the option
"--with-kpasswd". It holds the user-data used by Linux and other OSs
and  has got the following structure:

       |    |
       |    +--uid=cju
       |    |
       |    *

The other LDAP-server runs on an IBM Mainframe (OS/390) and serves as an
nice interface to the security-system of the mainframe (RACF). With the
current version of OS/390 it only can authenticate users with simple
authentication but it supports SSL. I'll call this server RACF-LDAP in
the following.

The RACF-LDAP has got very restricted ACLs. Only a super-user can
view/modify all accounts and the other users may only view their own
account. It has got the following structure:

       |     |
       |     +--racfid=cju
       |     |
       |     *

On the Mainframe runs a Kerberos-server, which uses RACF as backend too.
Currently I don't use it. Instead I've created the same user on my
OpenLDAP with the same password (saved in plaintext in the

Now I want to fit the RACF-LDAP-tree to the tree of my OpenLDAP with the
help of back-meta. I configured my OpenLDAP and defined a
rewriting-rule  for the BindDN. Looking at /var/log/messages shows that
the rewriting  works very well (e.g.


is rewritten to


A search only works, if I make a bind to


and the same BindDN. But if I try to bind as


and make a search on


it fails.

As I've taken a look at /var/log/messages, I saw that back-meta only
makes anonymous-binds when binding to e.g. dc=saarstahl,dc=de and making
a search underneath ou=racf,ou=test,dc=saarstahl,dc=de.

Is there any possibility to get this stuff working without using

I'm sorry, that I can't support you with my configuration-files but I'm
currently at home. It seems that the guys at work have some problems
with our provider regarding their mail-server. It was impossible to
register for this mailing-list from work.

I think you config files are mandatory since your setup is really
unusual.  the tentative ones you reported below seem incorrect,
because the suffix of back meta is incompatible with the bindDn
rewrite rule: a suffix "ou=racf,ou=test,dc=saarstahl,dc=de" will
never catch searches for anything under
"ou=users,ou=test,dc=saarstahl,dc=de" as in the left hand side of
your rewrite rule.

As a consequence, if you bind as
"uid=cju,ou=users,ou=test,dc=saarstahl,dc=de", your request will
likely be satisfied by the superior database (the ldbm one at the
bottom with suffix "dc=saarstahl,dc=de").  When you search for
the serch request is satisfied by the meta database, the binddn
is rewritten for back-meta internal purposes (mostly ACLs), but
no binding towards the RACF is done (remember back-meta is
handling a search request here).  You need to bind to the back meta
also, e.g. bind as "uid=cju,ou=racf,ou=test,dc=saarstahl,dc=de",
with bindDN rewrite rule

rewriteRule "uid=([^,]+),ou=racf,ou=test,dc=saarstahl,dc=de"
    "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"

or anything like this to do both bind and search on the RACF
(and you need appropriate default and result rewrite contexts).

By the way, since you're hitting a single target, you can use
back-ldap instead of back-meta; it basically offers the same
functionality with a single target ldap server.

Of course this might not answer your question (which I can hardly
understand).  If what you want to do is to have user entries in ldbm
with bind on RACF then I'm afraid you can't with current back-meta.
In this case you'd need to have back-meta invoke RACF for bind
operations and back-ldbm for other operations.  In this case what
you need is a sasl plugin for RACF (I don't know any, though).


regards Christian Jung

PS The configuration should look like this:

database meta
suffix ou=racf,ou=test,dc=saarstahl,dc=de
uri ldap://mvstest.saarstahl.de/ou=racf,ou=test,dc=saarstahl,dc=de
lastmod off
rewriteEngine on
rewriteContext binddn
rewriteRule "uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de"
"racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"

database ldbm
suffix "dc=saarstahl,dc=de"
rootdn "cn=Manager,dc=saarstahl,dc=de"
rootpw ****
directory /var/lib/ldap