
Re: back-meta: BindRequest to flat name space



> HI!
>
> Some really weird software assumes a flat name space and does
> authentication by doing a BindRequest against
>
> uid=<user id>,<search root>
>
> instead of searching for (uid=<user id>) under <search root> and using
> the DN in the result as Bind-DN.
>
> Is it possible to use back-meta in OpenLDAP 2.1.x to fix this situation?
> Or do I have to implement my own LDAP proxy back-end?

Yes, you can.  If you can map <user id> to the DN,
you can use the rewriteEngine to do the mapping
for you before binding.  Note that you can use
back-ldap, which has the same rewriting features
of back-meta with reduced overhead.

You need to do something like

database ldap
suffix <search root>

rewriteEngine on
rewriteContext default

# only if the real naming context is different from search root
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"

rewriteContext searchResult
rewriteRule "<real naming context>$" "<search root>" ":"
rewriteRule "(.*),<real naming context>$" "%1,<search root>" ":"

rewriteContext matchedDN alias searchResult

# this is to have safe defaults
rewriteContext searchFilter

# this is the real rule ...
rewriteContext bindDN
rewriteRule "^uid=([^,]+),<search root>$" "<rule with %1 as the uid>" ":"
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"

# and that's it.  In slapd-meta(5) there is an example that
# does something similar to what you're looking for:
# it defines an LDAP map (e.g. an LDAP search that maps
# a matched portion of a pattern to the search result)
# note that match 1 (%1) becomes the filter of the search;
# the last two rules are caught as a safe fallthru in case
# the search fails; they simply massage the DN, you don't
# need them if <search root> and <real naming context> are
# the same.  The search should be calling the REAL database,
# e.g. the same server back-ldap is targeting.
rewriteContext bindDN
rewriteMap ldap attr2dn "ldap:///<real naming context>?dn?sub"
rewriteRule "^(uid=[^,]+),<search root>$" "%{attr2dn(%1)}" "@I"
rewriteRule "<search root>$" "<real naming context>" ":"
rewriteRule "(.*),<search root>$" "%1,<real naming context>" ":"



Note: I haven't used these features in a while,
so I'm not sure they still work correctly, so
feedback would be appreciated.  In case of success,
you may want to turn it into a FAQ...

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
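As an added illustration (not part of this reply, and not OpenLDAP code), a Python sketch of what the bindDN context above does to an incoming Bind-DN: the map-backed rule resolves uid=<user id>,<search root> to the real DN and stops, and when the lookup fails the two remaining rules only swap the naming context. The search root, naming context, directory contents and the handling of the "@" and "I" flags are assumptions made for the sketch.

```python
import re

# Constructed values standing in for the placeholders in the message.
SEARCH_ROOT = "o=flat"             # the <search root> the flat-namespace client binds under
REAL_NC = "dc=example,dc=com"      # the <real naming context> of the backing server

# Constructed directory standing in for the real server the ldap map would search.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=staff,dc=example,dc=com": {"uid": "bob"},
}

def attr2dn(term: str):
    """Stand-in for 'rewriteMap ldap attr2dn "ldap:///<real naming context>?dn?sub"':
    the matched 'uid=<value>' becomes the search filter and the DN of the hit comes back.
    A real map places <term> verbatim inside an LDAP filter and needs exactly one entry;
    a missing or ambiguous result is treated as a failed lookup here (assumption)."""
    attr, _, value = term.partition("=")
    hits = [dn for dn, attrs in DIRECTORY.items() if attrs.get(attr) == value]
    return hits[0] if len(hits) == 1 else None

# The bindDN context from the message as (pattern, action, flags) triples.
BIND_DN_RULES = [
    (rf"^(uid=[^,]+),{re.escape(SEARCH_ROOT)}$", attr2dn, "@I"),
    (rf"{re.escape(SEARCH_ROOT)}$", REAL_NC, ":"),
    (rf"(.*),{re.escape(SEARCH_ROOT)}$", rf"\1,{REAL_NC}", ":"),
]

def rewrite_bind_dn(dn: str, rules=BIND_DN_RULES) -> str:
    """Apply the rules in order. Assumed flag semantics: '@' stops after a successful
    rewrite, 'I' ignores a failed map lookup so the DN-massaging rules below still run."""
    for pattern, action, flags in rules:
        match = re.search(pattern, dn)
        if not match:
            continue
        if callable(action):                      # rewriteMap-backed rule
            mapped = action(match.group(1))
            if mapped is None:
                if "I" in flags:                  # ignore the failure, try the next rule
                    continue
                raise ValueError(f"map lookup failed for {dn}")
            dn = mapped
        else:
            dn = re.sub(pattern, action, dn)
        if "@" in flags:                          # stop rewriting here
            return dn
    return dn
```

A DN that does not end in the search root passes through untouched, which is why the message calls the last two rules a safe fallthrough.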