
Re: How to hide namingContext in rootDSE ?

Thomas Chemineau wrote:

My question is relative to "how to hide a namingContext in rootDSE?". But
for information, I will explain why I need to configure this.

Ref : http://www.openldap.org/lists/openldap-software/200501/msg00494.html

I have two distinct OpenLDAP servers :
- V1 : "o=example" ;
- V2 : "dc=example,dc=com"

I would like to delete the first one, and to allow most of V1's actions on
V2 :
- respond to V1 suffix ;
- take care of DN in search result ;
- take care of DN in uniqueMember ;

For the moment, I have :
- 1 back-ldap on "o=example" ;
  rwm-suffixmassage "o=example" "o=example transitional"
  rwm-map attribute uniqueMember tmpUniqueMember
- 1 back-ldap on "o=example transitional"
  rwm-suffixmassage "o=example transitional" "dc=example,dc=com"
  rwm-map attribute tmpUniqueMember uniqueMember
- 1 back-hdb on "dc=example,dc=com"
  data... nothing special
- define tmpUniqueMember inherits from member, and used by an auxiliary
  objectclass in my groups

All works fine. DNs are rewritten in my uniqueMember values. But I think
it is really ugly...

Well now, I have a few questions:
1/ Is there a better way to do this, without rewriting V2 values?

Well, you can use multiple instances of back-relay instead of back-ldap, saving transliterations of requests and responses. I don't see other chances of rewriting the value of uniqueMember attributes.

Probably, a solution here (for a future enhancement) would be to allow specifying when rewriting should take place (before or after mapping?), or simply be as liberal as possible, allowing rewriting when either before or after an attribute will have DN syntax. You can file an ITS for this.

2/ How can I hide my transitional LDAP suffix in the rootDSE ?

Hiding values in namingContexts can be done using ACLs. What makes it tricky is that namingContexts, by (poor?) design, has no EQUALITY rule, so if you write a rule like

access to dn.exact="" attrs=namingContexts val="o=example transitional"
	by * none

it will not work. You need to specify what equality rule to use, something like

access to dn.exact=""
		attrs=namingContexts val/distinguishedNameMatch="o=example transitional"
	by * none

3/ Could it be possible to close all on this transitional LDAP backend and
   allow read access only for a particular user which will be used by the
   first LDAP backend (through acl-bind for example)?

Yes, again by ACL and idassert-bind. But in this case, you would lose any information about who is performing the operation, since any identity would need to be mapped to the idassert-bind identity. I suggest you use this trick:

- make slapd listen on a particular ldapi listener
  (-h 'ldap:// ldapi://path/to/transitional')

- only allow access to the transitional database by requests coming from that listener

access to *
	by sockurl="ldapi://path/to/transitional" write

thus delegating actual access control to the remote server.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
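As an added illustration (not part of the thread, and not Pierangelo's or the OpenLDAP project's own configuration), the following slapd.conf pulls the three answers into one file: the poster's two-stage back-ldap chain with the rwm overlay, the rootDSE ACL from answer 2 with an explicit matching rule, and the ldapi listener plus sockurl rule from answer 3 in place of idassert-bind. The socket path, hostnames, directories, the tmpGroupAux objectclass name and the OIDs are constructed placeholders.

```conf
# Illustrative slapd.conf (OpenLDAP 2.3 style) assembling the setup discussed
# in the thread. Socket path, directories, objectclass name and OIDs are
# constructed placeholders; adjust schema paths and indexes to your site.
#
# Start slapd with a network listener plus a dedicated ldapi listener, e.g.
#   slapd -h 'ldap:/// ldapi://%2Fvar%2Frun%2Fslapd%2Ftransitional.sock'
# Slashes in an ldapi socket path are percent-encoded as %2F, and the same
# string must be used wherever the listener is referenced below (the sockurl
# clause compares exactly by default).

include         /etc/openldap/schema/core.schema   # member, uniqueMember, groupOfUniqueNames

# Transitional attribute and auxiliary class, as the poster described them:
# tmpUniqueMember inherits from member (DN syntax). The OIDs are placeholders
# in the 1.1 example arc; use OIDs from your own private arc.
attributetype ( 1.1.2.1.1 NAME 'tmpUniqueMember'
        DESC 'transitional stand-in for uniqueMember'
        SUP member )
objectclass ( 1.1.2.2.1 NAME 'tmpGroupAux'
        DESC 'auxiliary class carrying tmpUniqueMember'
        SUP top AUXILIARY
        MAY tmpUniqueMember )

# Answer 2: keep the transitional suffix out of rootDSE's namingContexts.
# namingContexts has no EQUALITY rule of its own, so the rule to compare
# values with is named explicitly via val/<matchingRule>=. This hides the
# value only; a client that already knows the suffix can still search it,
# which is why answer 3 restricts who may reach that database at all.
access to dn.exact="" attrs=namingContexts
        val/distinguishedNameMatch="o=example transitional"
        by * none

# Real data: the final target of the chain.
database        hdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap/example
index           objectClass eq
access to *
        by self write
        by * read

# Stage 2: "o=example transitional" -> "dc=example,dc=com".
# Answer 3: rather than idassert-bind, which would replace every client
# identity with one fixed DN, only requests arriving over the dedicated
# ldapi listener are admitted. Every other listener falls through to the
# implicit "by * none". back-ldap delegates most access control to the
# server it talks to, so the real check still happens on the hdb database
# with the client's own identity.
database        ldap
suffix          "o=example transitional"
uri             "ldap://localhost/"
overlay         rwm
rwm-suffixmassage  "dc=example,dc=com"
rwm-map attribute  tmpUniqueMember uniqueMember
access to *
        by sockurl="ldapi://%2Fvar%2Frun%2Fslapd%2Ftransitional.sock" write

# Stage 1: "o=example" -> "o=example transitional", reached over the ldapi
# socket so that stage 2's sockurl rule lets it in. Clients bind here with
# their own credentials and back-ldap forwards that identity onward.
database        ldap
suffix          "o=example"
uri             "ldapi://%2Fvar%2Frun%2Fslapd%2Ftransitional.sock"
overlay         rwm
rwm-suffixmassage  "o=example transitional"
rwm-map attribute  uniqueMember tmpUniqueMember
```

Two points worth checking on a real deployment: the `-h` listener string and the `sockurl` value must match byte for byte, and a client that knows the name "o=example transitional" is stopped only by the sockurl rule, not by the rootDSE ACL, so test both with an `ldapsearch -x -b '' -s base namingContexts` against the network listener and a direct search of the hidden suffix. Answer 1's back-relay suggestion would replace the two `database ldap` sections with `database relay` sections whose `relay` directive names the next suffix, keeping the `overlay rwm` directives as they are; that variant has no separate listener, so the sockurl trick applies only to the back-ldap design shown here.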