Re: back-meta

[Christian Jung <Christian.Jung@wanadoo.fr>]

Hi Pierangelo!

Thanks for the answer. Actually I'm trying to build a single point of 
administration. That's a part of my diploma thesis.

It would be cute, if I could manage it to integrate the RACF-LDAP 
seemless in my OpenLDAP. I think it's more transparent for the users and 
application-developers having a tree which contains all necessary data 
of all OSs.

I'm sorry for my dizzy previous post (was a really ballbraking day today 
- uh sorry, yesterday) and promise to provide you with more useful 
information in the next days.


bye
Chris

Pierangelo Masarati wrote:
> > Hi!
> >
> > I've got a question concerning the Meta-backend. But first I have to
> > explain my current configuration:
> >
> > I've got an OpenLDAP running on Linux which was compiled with the option
> > "--with-kpasswd". It holds the user-data used by Linux and other OSs
> > and  has got the following structure:
> >
> > dc=saarstahl,dc=de
> >   |
> >   +--ou=test
> >        |
> >        +--ou=users
> >        |    |
> >        |    +--uid=cju
> >        |    |
> >        |    *
> >        |
> >        +--ou=racf
> >        |
> >        *
> >
> > The other LDAP-server runs on an IBM Mainframe (OS/390) and serves as an
> > nice interface to the security-system of the mainframe (RACF). With the
> > current version of OS/390 it only can authenticate users with simple
> > authentication but it supports SSL. I'll call this server RACF-LDAP in
> > the following.
> >
> > The RACF-LDAP has got very restricted ACLs. Only a super-user can
> > view/modify all accounts and the other users may only view their own
> > account. It has got the following structure:
> >
> > ou=test,dc=saarstahl,dc=de
> >   |
> >   +--ou=racf
> >        |
> >        +--profileType=USER
> >        |     |
> >        |     +--racfid=cju
> >        |     |
> >        |     *
> >        *
> >
> > On the Mainframe runs a Kerberos-server, which uses RACF as backend too.
> > Currently I don't use it. Instead I've created the same user on my
> > OpenLDAP with the same password (saved in plaintext in the
> > userPassword-attribute).
> >
> > Now I want to fit the RACF-LDAP-tree to the tree of my OpenLDAP with the
> > help of back-meta. I configured my OpenLDAP and defined a
> > rewriting-rule  for the BindDN. Looking at /var/log/messages shows that
> > the rewriting  works very well (e.g.
> >
> > "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
> >
> > is rewritten to
> >
> > "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de").
> >
> > A search only works, if I make a bind to
> >
> > "racfid=cju,profileType=USER,ou=racf,ou=testdc=saarstahl,dc=de"
> >
> > and the same BindDN. But if I try to bind as
> >
> > "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de"
> >
> > and make a search on
> >
> > "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de"
> >
> > it fails.
> >
> > As I've taken a look at /var/log/messages, I saw that back-meta only
> > makes anonymous-binds when binding to e.g. dc=saarstahl,dc=de and making
> > a search underneath ou=racf,ou=test,dc=saarstahl,dc=de.
> >
> > Is there any possibility to get this stuff working without using
> > referrals?
> >
> > I'm sorry, that I can't support you with my configuration-files but I'm
> > currently at home. It seems that the guys at work have some problems
> > with our provider regarding their mail-server. It was impossible to
> > register for this mailing-list from work.
>
>
> I think you config files are mandatory since your setup is really
> unusual.  the tentative ones you reported below seem incorrect,
> because the suffix of back meta is incompatible with the bindDn
> rewrite rule: a suffix "ou=racf,ou=test,dc=saarstahl,dc=de" will
> never catch searches for anything under
> "ou=users,ou=test,dc=saarstahl,dc=de" as in the left hand side of
> your rewrite rule.
>
> As a consequence, if you bind as
> "uid=cju,ou=users,ou=test,dc=saarstahl,dc=de", your request will
> likely be satisfied by the superior database (the ldbm one at the
> bottom with suffix "dc=saarstahl,dc=de").  When you search for
> "racfid=cju,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de",
> the serch request is satisfied by the meta database, the binddn
> is rewritten for back-meta internal purposes (mostly ACLs), but
> no binding towards the RACF is done (remember back-meta is
> handling a search request here).  You need to bind to the back meta
> also, e.g. bind as "uid=cju,ou=racf,ou=test,dc=saarstahl,dc=de",
> with bindDN rewrite rule
>
> rewriteRule "uid=([^,]+),ou=racf,ou=test,dc=saarstahl,dc=de"
>     "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"
>
> or anything like this to do both bind and search on the RACF
> (and you need appropriate default and result rewrite contexts).
>
> By the way, since you're hitting a single target, you can use
> back-ldap instead of back-meta; it basically offers the same
> functionality with a single target ldap server.
>
> Of course this might not answer your question (which I can hardly
> understand).  If what you want to do is to have user entries in ldbm
> with bind on RACF then I'm afraid you can't with current back-meta.
> In this case you'd need to have back-meta invoke RACF for bind
> operations and back-ldbm for other operations.  In this case what
> you need is a sasl plugin for RACF (I don't know any, though).
>
> p.
>
>
> > regards
> > Christian Jung
> >
> >
> > PS The configuration should look like this:
> >
> > database meta
> > suffix ou=racf,ou=test,dc=saarstahl,dc=de
> > subordinate
> > uri ldap://mvstest.saarstahl.de/ou=racf,ou=test,dc=saarstahl,dc=de
> > rebind-as-user
> > lastmod off
> > rewriteEngine on
> > rewriteContext binddn
> > rewriteRule "uid=(.+),ou=users,ou=test,dc=saarstahl,dc=de"
> > "racfid=%1,profileType=USER,ou=racf,ou=test,dc=saarstahl,dc=de" ":"
> >
> > database ldbm
> > suffix "dc=saarstahl,dc=de"
> > rootdn "cn=Manager,dc=saarstahl,dc=de"
> > rootpw ****
> > directory /var/lib/ldap