[Date Prev][Date Next]
Re: How to hide namingContext in rootDSE ?
Thomas Chemineau wrote:
My question is relative to "how to hide a namingContext in rootDSE?". But
for information, I will explain why I need to configure this.
Ref : http://www.openldap.org/lists/openldap-software/200501/msg00494.html
I have two distinct OpenLDAP servers :
- V1 : "o=example" ;
- V2 : "dc=example,dc=com"
I would like to delete the first one, and to allow most of V1's actions on
- respond to V1 suffix ;
- take care of DN in search result ;
- take care of DN in uniqueMember ;
For the moment, I have :
- 1 back-ldap on "o=example" ;
rwm-suffixmassage "o=example" "o=example transitional"
rwm-map attribute uniqueMember tmpUniqueMember
- 1 back-ldap on "o=example transitional"
rwm-suffixmassage "o=example transitional" "dc=example,dc=com"
rwm-map attribute tmpUniqueMember uniqueMember
- 1 back-hdb on "dc=example,dc=com"
datas... nothing special
- define tmpUniqueMember inherits from member, and used by an auxiliary
objectclass in my groups
All work fine. DN are rewritten on my uniqueMember's values. But, I think
it is really ugly...
Well now, I have few questions :
1/ Is there a better way to do this, without rewrite V2 values ?
Well, you can use multiple instances of back-relay instead of back-ldap,
saving transliterations of requests and responses. I don't see other
chances of rewriting the value of uniqueMember attributes.
Probably, a solution here (for a future enhancement) would be to allow
specifying when rewriting should take place (before or after mapping?),
or simply be as liberal as possible, allowing rewriting when either
before or after an attribute will have DN syntax. You can file an ITS
2/ How can I hide my transitional LDAP suffix in the rootDSE ?
Hiding values in namingContexts can be done using ACLs. What makes it
tricky is that namingContexts, by (poor?) design has no EQUALITY rule,
so if you write a rule like
access to dn.exact="" attrs=namingContext val="o=example transitional"
by * none
will not work. You need to specify what equality rule to use, something
access to dn.exact=""
by * none
3/ Could it be possible to close all on this transitional LDAP backend and
allow read access only for a particular user which will be use by the
first LDAP backend (through acl-bind for example) ?
Yes, again by ACL and idassert-bind. But in this case, you would lose
any information about who is performing the operation, since any
identity would need to be mapped to the idassert-bind identity. I
suggest you use this trick:
- make slapd listen on a particular ldapi listener
(-h 'ldap:// ldapi://path/to/transitional)
- only allow access to the transitional database by requests coming from
access to *
by sockurl="ldapi://path/to/transitional" write
thus delegating actual access control to the remote server.
Ing. Pierangelo Masarati
OpenLDAP Core Team
via Dossi, 8 - 27100 Pavia - ITALIA
Office: +39 02 23998309
Mobile: +39 333 4963172
Fax: +39 0382 476497