
Re: rewrite rule in slapd.conf

Hi!

On Thu, Apr 20, 2006 at 09:34:52AM +0200, Pierangelo Masarati wrote:
> > I need a "rewrite rule". For example, when a client tries to authorize as
> > uid=A,ou=all-users,o=org I want to check this uid in two containers:
> > uid=A,ou=local-users,o=org and uid=A,ou=ext-users,o=org. Is it
> > possible?
> >
> > I read about referral and subordinate. But I want to use it on one server
> > and in one database. Is it possible?
> 
> Yes, although not trivial.  You should try something like
> 
> database <any>
> suffix "ou=local-users,o=org"
> 
> # ...
> 
> database <any>
> suffix "ou=ext-users,o=org"
> 
> # ...
> 
> database meta
> suffix "ou=all-users,o=org"
> 
> uri "ldap:///ou=all-users,o=org";
> suffixmassage "ou=all-users,o=org" "ou=local-users,o=org"
> 
> uri "ldap:///ou=all-users,o=org";
> suffixmassage "ou=all-users,o=org" "ou=ext-users,o=org"

I tried to play with the meta backend, but did not get a result.
My current config:
...
access to
	dn.regex="^(.+)o=oil([^,]+)$"
	attrs=userPassword,sambaLMPassword,sambaNTPassword
	by anonymous auth
	by self write
	by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
	by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2" read
	by * none

access to * by * read

database        bdb
suffix          "o=oilspace"
...
syncrepl        rid=001
...

database        bdb
suffix          "o=oil-space"
overlay		ppolicy
overlay		accesslog
overlay		syncprov
...

database        meta
suffix          "o=oilspace-all"

rebind-as-user	yes
lastmod		off

uri		ldap://fbsd/o=oilspace-all
suffixmassage	"o=oilspace-all" "o=oilspace"

uri		ldap://fbsd/o=oilspace-all
suffixmassage	"o=olspace-all" "o=oil-space"

The config is a little complex -- it's my experimental sandbox, but maybe a
detailed description of the config can be important for help.

When I try:
$ ldapsearch -ZxD uid=dkirhlarov,ou=users,o=oilspace -H ldap://fbsd -s one -Wb ou=users,o=oilspace-all -vvLLL 'uid=...' 'cn'
I have two scenarios:
1. When the record is present in both backend databases I get:
dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy

dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy

dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy

dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy

dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy

dn: uid=dkirhlarov,ou=users,o=oilspace-all
cn: Dmitriy
....

It works very slowly (some internal timeouts?) and looks like a loop.

2. The record is present in the second database.
In this case I never get a result.

In both cases the connection to the LDAP server is not closed.
I continue re-reading slapd-meta(5), but it does not help for now. :)
My system is:
FreeBSD 6.1-PRERELEASE
openldap-server-2.3.21

Can somebody help me?

WBR
-- 
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:DmitriyKirhlarov@oilspace.com
OILspace - The resource enriched - www.oilspace.com
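As an added illustration (not code from the thread, OpenLDAP, or its authors) of what a back-meta `suffixmassage` rule does, the following toy model rewrites a DN from the virtual suffix that the meta database serves onto a target's real suffix, and back again for results. It assumes a simplified DN model: RDNs split on unescaped commas and compared case-insensitively, which is enough for the DNs quoted in the mail but is not OpenLDAP's full DN normalization. The `TARGETS` table is constructed from the two `uri`/`suffixmassage` pairs in the posted config, including the second rule's virtual suffix as written there ("o=olspace-all"), so that the routing function shows which targets a search base such as `ou=users,o=oilspace-all` actually matches under plain suffix comparison; `route_search_base`, `massage` and `unmassage` are names chosen for this example.

```python
# Added example: a toy model of back-meta "suffixmassage" DN rewriting.
# Not OpenLDAP code; DN handling is deliberately simplified (no escaped
# commas, case-insensitive RDN comparison only).

def split_rdns(dn):
    """Split a DN into RDN strings. Assumes no escaped commas (constructed DNs only)."""
    return [rdn.strip() for rdn in dn.split(",")]


def massage(dn, virtual_suffix, real_suffix):
    """Rewrite dn onto real_suffix if it ends with virtual_suffix on an RDN boundary.

    Returns the rewritten DN, or None when the rule does not apply (no match).
    Matching is by RDN list, so "o=oilspace-all" does not match "o=olspace-all".
    """
    dn_rdns = split_rdns(dn)
    v_rdns = split_rdns(virtual_suffix)
    n = len(v_rdns)
    if n > len(dn_rdns):
        return None
    if [r.lower() for r in dn_rdns[-n:]] != [r.lower() for r in v_rdns]:
        return None
    prefix = dn_rdns[:-n]           # everything above the suffix is kept verbatim
    return ",".join(prefix + split_rdns(real_suffix))


def unmassage(dn, virtual_suffix, real_suffix):
    """Reverse direction: map a DN returned by a target back under the virtual suffix."""
    return massage(dn, real_suffix, virtual_suffix)


# Constructed from the two targets in the posted meta database config.
# Each entry: the target URI, the virtual suffix the meta database serves,
# and the real suffix the target database actually holds.
TARGETS = [
    {"uri": "ldap://fbsd/o=oilspace-all", "virtual": "o=oilspace-all", "real": "o=oilspace"},
    {"uri": "ldap://fbsd/o=oilspace-all", "virtual": "o=olspace-all", "real": "o=oil-space"},
]


def route_search_base(base, targets=TARGETS):
    """Return {target_index: massaged_base} for every target whose rule matches base.

    A target whose virtual suffix does not match the base is simply absent,
    which is the practical effect of a misspelt suffixmassage virtual suffix.
    """
    routed = {}
    for i, target in enumerate(targets):
        rewritten = massage(base, target["virtual"], target["real"])
        if rewritten is not None:
            routed[i] = rewritten
    return routed


if __name__ == "__main__":
    base = "ou=users,o=oilspace-all"          # the -b base from the ldapsearch in the mail
    print("as posted:", route_search_base(base))
    corrected = [TARGETS[0], dict(TARGETS[1], virtual="o=oilspace-all")]
    print("with matching virtual suffixes:", route_search_base(base, corrected))
    print("result DN mapped back:",
          unmassage("uid=dkirhlarov,ou=users,o=oilspace", "o=oilspace-all", "o=oilspace"))
```

Run as-is, the first line shows that only target 0 receives the rewritten base, because the second rule's virtual suffix never matches a DN under `o=oilspace-all`; the second line shows both targets being reached once the two virtual suffixes are spelled identically; the last line shows the reverse rewrite that produces the `dn: uid=dkirhlarov,ou=users,o=oilspace-all` lines seen in the search output. Whether that spelling alone explains the behaviour reported in the mail is a question for the thread; the example only demonstrates the matching rule itself.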