
Re: RWM and bind using mail address



> Hi
>
> I have some problems with the rwm overlay and a ldap backend on an
> OpenLDAP 2.3.20 server that I hope someone can shed some light upon.
>
> I need to bind - using an email address - to a backend ldap using a
> frontend meta/proxy server. So I've used the example from the slapo-rwm
> man page (the DN made up of single email) example. But I cannot get it
> to work. When I do a
>
> ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
> "(mail=someone@somewhere.com)"
>
> it returns the entry including the mail attribute - from the backend
> ldap (somehost.somewhere.com) - as expected. But when trying to bind
> using the mail address (mail=someone@somewhere.com) it (the
> proxymetaldap server) doesn't contact the backend server
> (someserver.somewhere.com).

because "mail=someone@somewhere.com", although being a perfectly valid DN,
does not match the suffix of any database, so no database can be selected.
Set the suffix of the ldap database to "" and it will work.


> I expect it to not even use the rewrite rule when binding as anonymous
> (so it just queries all databases that are defined),

nope.  anonymous doesn't even get to databases, because the frontend knows
how to handle it.

> but that it does
> match the rule when binding with the email address.
>
> In my config below I would expect it to:
>
> 1. Match the rule when given mail=someone@somewhere.com
> 2. Do an anonymous search for the DN in somehost.somewhere.com
> 3. Bind with the found DN
>
> Is this not possible?
>
> My config is as follows:
>
> ############### Begin config ##############################
>
> include         /q/disk_0/openldap/etc/openldap/schema/core.schema
> include         /q/disk_0/openldap/etc/openldap/schema/cosine.schema
> include         /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
> include         /q/disk_0/openldap/etc/openldap/schema/nis.schema
> loglevel 256
> pidfile         /q/disk_0/openldap/var/run/slapd.pid
> argsfile        /q/disk_0/openldap/var/run/slapd.args
>
> database        ldap
> suffix          "dc=somewhere,dc=com"
> uri             ldap://somehost.somewhere.com/
>
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"
>
> lastmod off
>
> ################# End config ########################
>
> For some servers an anonymous bind might not be possible so I just
> expect it to bind with a given username and password to do the search
> (pseudorootdn). Is this a suitable option?

not with the pseudorootdn.  All you can do in this case is use the
identity assertion feature so that it binds with a given identity
regardless of the identity of the client.  This requires a bit of work and
in general it's not recommended.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
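As an added example (not part of this thread and not taken from the OpenLDAP documentation), here is the poster's back-ldap stanza with the one change the reply describes, the database suffix set to "". Host names, DNs and the map name `csattr2dn` are the ones from the quoted config; the comments and the broken/fixed layout are mine.

```conf
# Added example, not the poster's or OpenLDAP's own file.
# Schema includes, loglevel, pidfile and argsfile are unchanged from the
# quoted config and omitted here.

# BROKEN: the bind DN "mail=someone@somewhere.com" is a valid DN, but it
# is not under "dc=somewhere,dc=com". slapd selects a database by suffix
# before any overlay runs, so no database matches, the rwm bindDN
# context is never entered and the backend is never contacted.
#database        ldap
#suffix          "dc=somewhere,dc=com"
#uri             ldap://somehost.somewhere.com/

# FIXED (as the reply suggests): an empty suffix makes this database the
# catch-all for DNs that no other database's suffix covers, so the bind
# with "mail=..." is routed here and the rwm overlay can rewrite it.
database        ldap
suffix          ""
uri             ldap://somehost.somewhere.com/

overlay         rwm
rwm-rewriteEngine on
# Map an attribute value to an entry DN with an anonymous subtree search
# on the backend; the search base and host are the poster's.
rwm-rewriteMap  ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
rwm-rewriteContext bindDN
# Whole DN of the form mail=<local>@<domain> (no commas) is replaced by the
# DN the map returns; ":@I" = stop rewriting on a successful match, ignore
# errors from the map lookup.
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"

lastmod off
```

Because an empty suffix catches every DN not claimed by another database, the proxy will now forward binds for any otherwise unmatched DN to somehost.somewhere.com; the map search itself still runs anonymously against the backend, which is what step 2 of the poster's expected flow relies on.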