
Re: using openldap as a translation layer.



S James S Stapleton wrote:

> overlay rwm
> rwm-rewriteEngine on
> #left here because it might be useful, to simplify things later, but not
> currently used
> rwm-rewriteMap
> ldap
> "realBindDNLookup"
> "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub";

I got all of the above lined up in column 1.  I hope it's the mailer,
otherwise please read slapd.conf(5) about the syntax, and specifically
about continuation lines.

> # bind DN rewrite rules
> rwm-rewriteContext bindDN
> # extract the username from the incorrect DN, and try to use it
> # as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
> # fetch the corresponding DN
> #original
> # "^uid=([^,]+)?,ou=People,dc=mywork,dc=com$"
> #alt #1
> # "uid=([a-zA-Z-]+\.[\d]+)"
> #alt #2
> # "\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
> rwm-rewriteRule
> "\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
> "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub(mail=$1@osu.edu)"

I see (at least) four errors here:

1) the URI doesn't have to be here; it must be in the ldap map.
Otherwise it's just treated for what it is: a string.

2) in any case, an LDAP URL needs a "?" to separate the scope ("sub")
from the filter.

3) escapes need to appear twice, because "\" is the escape char for
slapd.conf and for the regex.  So using a single escape, like
"\(objectClass=person\)", results in passing "(objectClass=person)" to
regcomp(3), and the "(" ")" are treated as special regex chars.  This is
illustrated in slapo-rwm(5).

4) a bindDN will never look like an LDAP filter.  So this rule shouldn't
be in the "bindDN" rewrite context.

> 
> "@"
> # if the lookup fails, the error is ignored, and thus
> # the original DN is used.
> ============================================================

To obtain what you want, but in the "searchFilter" rewrite context,
something like

rwm-rewriteMap ldap "realBindDNLookup"
	"ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub";
rwm-rewriteContext searchFilter
rwm-rewriteRule
    "^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$"
    "${realBindDNLookup(mail=$1@osu.edu)}" ":@"

should work.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
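The following is an added walk-through, not code from this thread, from either poster, or from OpenLDAP: a simplified model of how a rwm-rewriteRule typed into slapd.conf reaches the regex engine and the ldap map, written to make points 2 and 3 of the reply concrete. Python's `re` stands in for POSIX regcomp(3)/regexec(3), `conf_unescape` models the one level of backslash processing slapd.conf applies to quoted strings, `SAMPLE_DIRECTORY` and `real_bind_dn_lookup` are a constructed stand-in for the "realBindDNLookup" map, and the "@" flag is modelled as the quoted comment describes it (lookup failure keeps the original string). All of those names are assumptions of the example, not slapd internals.

```python
"""Model of slapd.conf string unescaping, rwm-rewriteRule application and
RFC 4516 LDAP URL splitting (added illustration, not OpenLDAP code)."""
import re

# slapd.conf removes one level of backslash escaping inside a quoted string,
# so "\\(" reaches regcomp as "\(" while "\(" reaches it as a bare "(".
def conf_unescape(s: str) -> str:
    return re.sub(r"\\(.)", r"\1", s)

# Constructed sample directory: mail attribute -> entryDN (demo assumption).
SAMPLE_DIRECTORY = {"john.123@osu.edu": "cn=John Doe,ou=People,dc=osu,dc=edu"}

def real_bind_dn_lookup(ldap_filter: str):
    """Stand-in for the ldap map "realBindDNLookup": resolve (mail=...) to a DN."""
    m = re.fullmatch(r"\(?mail=([^)]+)\)?", ldap_filter)
    return SAMPLE_DIRECTORY.get(m.group(1)) if m else None

MAPS = {"realBindDNLookup": real_bind_dn_lookup}

def apply_rule(conf_pattern: str, conf_replacement: str, subject: str):
    """Model one rwm-rewriteRule with the '@' flag as the thread describes it.
    conf_pattern / conf_replacement are the strings as typed in slapd.conf,
    subject is what the rewrite context hands in.  Returns (matched, result);
    when the map lookup fails the original subject is kept."""
    pattern = conf_unescape(conf_pattern)
    m = re.search(pattern, subject)          # regexec() is an unanchored search
    if not m:
        return False, subject
    text = conf_unescape(conf_replacement)
    text = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))), text)  # $1, $2 ...
    call = re.fullmatch(r"\$\{(\w+)\((.*)\)\}", text)                 # ${map(args)}
    if call:
        value = MAPS[call.group(1)](call.group(2))
        if value is None:
            return True, subject
        text = value
    return True, text

# A client search filter in the uid form the thread's regex expects (constructed).
FILTER = "(&(objectClass=person)(uid=john.123))"

# As the original poster wrote it: single escapes, so "\(" becomes a regex group.
USER_PATTERN = r"\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)"
# As the reply corrects it: doubled escapes survive slapd.conf parsing.
FIXED_PATTERN = r"^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$"
REPLACEMENT = "${realBindDNLookup(mail=$1@osu.edu)}"

def parse_ldap_url(url: str) -> dict:
    """Split ldap://host[:port]/dn[?attrs[?scope[?filter[?exts]]]] (RFC 4516).
    Sets 'error' when the scope is not base/one/sub, which is exactly what
    happens when the "?" between the scope and the filter is missing."""
    m = re.fullmatch(r"ldaps?://([^/]*)/(.*)", url)
    if not m:
        return {"error": "not an LDAP URL"}
    dn, attrs, scope, flt, _exts = (m.group(2).split("?") + [""] * 4)[:5]
    info = {"host": m.group(1), "dn": dn, "attrs": attrs,
            "scope": scope or "base", "filter": flt or "(objectClass=*)", "error": None}
    if scope and scope not in ("base", "one", "sub"):
        info["error"] = f"invalid scope {scope!r}: missing '?' between scope and filter"
    return info

if __name__ == "__main__":
    print(apply_rule(USER_PATTERN, REPLACEMENT, FILTER))    # no match: parens became groups
    print(apply_rule(FIXED_PATTERN, REPLACEMENT, FILTER))   # match, filter -> looked-up DN
    print(parse_ldap_url("ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub(mail=x@osu.edu)")["error"])
    print(parse_ldap_url("ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub")["scope"])
```

Running it shows the single-escaped pattern compiling fine but never matching a real filter (the literal parentheses were consumed as grouping), the double-escaped pattern matching and handing `$1` to the map, and the poster's URL producing a scope of `sub(mail=...)` rather than `sub`.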