
Local rewrite and authz-regexp



Hi everyone,

In this period, a "Happy new year" is most appropriate, isn't it?

I have set up two servers in multimaster replication, using
SASL/EXTERNAL+authz_regexp (I have two authz_regexp - one for cn=config and
one for the replicator dn in the data context) to authenticate the replication
instances with SSL certificates.

I would like to implement a "local" rewrite of incoming requests (mostly
BIND and Search operations) so that queries originating with a dn like
"cn=jdoe,ou=people,dc=local" are transformed into
"uid=jdoe,ou=people,dc=local".

I have two problems and one question:

1. I can't implement any olcRwmRewrite attribute.
Any of the following lines in the olcOverlay={4}rwm.ldif file :
olcRwmRewrite: {0}rwm-rewriteEngine "on"
olcRwmRewrite: {1}rwm-rewriteContext "default"
olcRwmRewrite: {2}rwm-rewriteRule "cn=(.+),ou=people,dc=local$" "uid=$1,ou=people,dc=local" ":"

give the error message (in debug mode):
-------------
[/etc/openldap/slapd.d/:1] unknown command ''
olcRwmRewrite: value #0: <olcRwmRewrite> handler exited with 1!
config error processing olcOverlay={4}rwm,olcDatabase={2}hdb,cn=config:
<olcRwmRewrite> handler exited with 1
send_ldap_result: conn=-1 op=0 p=0
send_ldap_result: err=80 matched="" text=""
slaptest: bad configuration directory!
--------------

Those lines were generated by slaptest from a working slapd.conf file.

2. Segfault at startup (or when pushing the LDIF configuration - maybe at first
sync):
The segfault point varies from one startup to another, always after a TLS
negotiation (it is the syncrepl instance with itself), and sometimes the
following lines appear:
ldap_msgfree
[rw] searchDN: "dc=app,dc=eiffage,dc=loc" -> "dc=app,dc=eiffage,dc=loc"
=> bdb_entry_get: ndn: "(null)"
=> bdb_entry_get: oc: "(null)", at: "contextCSN"
bdb_dn2entry("(null)")
Erreur de segmentation

Even when the overlay configuration LDIF file is reduced to the following:
dn: olcOverlay={4}rwm
objectClass: olcConfig
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {4}rwm
structuralObjectClass: olcRwmConfig

If I remove the overlay configuration LDIF file, the server starts working
immediately.

3. Where can I find documentation about olcRwmTFSupport and
olcRwmNormalizeMapped, which slaptest generated for me?

For documentation, here are the authz_regexp values:
{0}cn=.*_repl_config,ou=AC-LDAP,o=myorg cn=config
{1}cn=.*_replicator,ou=AC-LDAP,o=myorg cn=Replicator,ou=replicators,dc=local

and the olcSyncrepl attributes look like this:

{0}rid=001 provider="ldap://slxp0059.app.local"; bindmethod=sasl
saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist
starttls=critical retry="5 5 60 +" timeout=10
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/repl_config.cert.pem
tls_key=/etc/openldap/repl_config.key.pem
{1}rid=002 provider="ldap://slxp0058.app.local"; bindmethod=sasl
saslmech="EXTERNAL" searchbase="cn=config" type=refreshAndPersist
starttls=critical retry="5 5 60 +" timeout=10
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/repl_config.cert.pem
tls_key=/etc/openldap/repl_config.key.pem

{0}rid=201 provider="ldap://slxp0059.app.local"; bindmethod=sasl
saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly
interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/replicator.cert.pem
tls_key=/etc/openldap/replicator.key.pem 
{1}rid=202 provider="ldap://slxp0058.app.local"; bindmethod=sasl
saslmech="EXTERNAL" searchbase="dc=local" scope=sub type=refreshOnly
interval=00:00:00:30 retry="5 5 300 5" timeout=10 starttls=critical
tls_cacert=/etc/openldap/cacerts/cacert.pem
tls_cert=/etc/openldap/replicator.cert.pem
tls_key=/etc/openldap/replicator.key.pem


Thanks in advance for any answer.
Sincerely yours, Mathieu MILLET.

-- 
Mathieu MILLET
mailto:ldap@htam.net
----
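Added example, not part of the original message and not OpenLDAP code: a small Python model of the two pattern tables quoted above (the olcRwmRewrite rule and the two authz_regexp lines), so that what they accept can be checked offline before the overlay is loaded. It rests on two assumptions about slapd that the message does not confirm: that authz-regexp patterns are applied case-insensitively and without implied anchors, and that the rwm rewrite engine returns the substitution string of the first matching rule (the ":" flag being a no-op), dropping any input text outside the match. All input DNs and certificate subjects are constructed, and a tightened, fully anchored variant of each table is shown beside the posted one. The script says nothing about the handler error or the segfault.

```python
import re

# Added example (not from the original post): models how the two pattern
# tables in the message are applied, so the patterns can be reviewed offline.
#
# Assumptions (not confirmed by the post):
#  - slapd compiles authz-regexp patterns case-insensitively and does not add
#    anchors, so an unanchored pattern matches anywhere in the authcID.
#  - the slapo-rwm rewrite engine replaces the whole input with the
#    substitution string of the first matching rule (':' is a no-op flag).
#    Input text outside the match is therefore dropped, not preserved.

# Rewrite rule as written in the post ("$1" in rwm syntax is "\1" in Python).
RWM_RULES_POSTED = [
    (r"cn=(.+),ou=people,dc=local$", r"uid=\1,ou=people,dc=local"),
]
# Tightened variant: anchored at both ends and limited to a single RDN value.
RWM_RULES_TIGHT = [
    (r"^cn=([^,]+),ou=people,dc=local$", r"uid=\1,ou=people,dc=local"),
]

# authz_regexp table as posted, and a fully anchored single-RDN variant.
AUTHZ_POSTED = [
    (r"cn=.*_repl_config,ou=AC-LDAP,o=myorg", "cn=config"),
    (r"cn=.*_replicator,ou=AC-LDAP,o=myorg", "cn=Replicator,ou=replicators,dc=local"),
]
AUTHZ_TIGHT = [
    (r"^cn=[^,]+_repl_config,ou=AC-LDAP,o=myorg$", "cn=config"),
    (r"^cn=[^,]+_replicator,ou=AC-LDAP,o=myorg$", "cn=Replicator,ou=replicators,dc=local"),
]


def rewrite_dn(dn, rules):
    """Return the rewritten DN, or the input unchanged when no rule matches."""
    for pattern, subst in rules:
        m = re.search(pattern, dn)
        if m:
            return m.expand(subst)  # the whole result comes from the substitution
    return dn


def map_authcid(authcid, rules):
    """Return the authorization DN for a certificate subject, or None if unmapped."""
    for pattern, subst in rules:
        m = re.search(pattern, authcid, re.IGNORECASE)
        if m:
            return m.expand(subst)
    return None


def review(rules_posted, rules_tight, apply, inputs):
    """Per constructed input, what the posted and the tightened table produce."""
    return {s: (apply(s, rules_posted), apply(s, rules_tight)) for s in inputs}


if __name__ == "__main__":
    # Constructed sample DNs: the intended case, an already-rewritten DN, and
    # two multi-RDN values that show where the unanchored pattern is looser
    # than a single-RDN match.
    dns = [
        "cn=jdoe,ou=people,dc=local",
        "uid=jdoe,ou=people,dc=local",
        "ou=x,cn=jdoe,ou=people,dc=local",
        "cn=a,cn=b,ou=people,dc=local",
    ]
    for dn, (posted, tight) in review(RWM_RULES_POSTED, RWM_RULES_TIGHT, rewrite_dn, dns).items():
        print(f"{dn:40} posted -> {posted:35} tight -> {tight}")

    # Constructed certificate subjects as slapd would present them as authcIDs.
    subjects = [
        "cn=slxp0059_repl_config,ou=AC-LDAP,o=myorg",
        "CN=slxp0058_replicator,OU=AC-LDAP,O=myorg",
        "cn=other,ou=lab,cn=x_repl_config,ou=AC-LDAP,o=myorg",
    ]
    for s, (posted, tight) in review(AUTHZ_POSTED, AUTHZ_TIGHT, map_authcid, subjects).items():
        print(f"{s:55} posted -> {posted}  tight -> {tight}")
```

Two things the run makes visible: with the posted rewrite rule, a DN such as "ou=x,cn=jdoe,ou=people,dc=local" is rewritten to "uid=jdoe,ou=people,dc=local" with its leading RDN silently dropped, and the ".*" in the posted authz_regexp lines crosses commas, so it also maps a subject whose "_repl_config" part sits in a later RDN; the anchored "[^,]+" forms reject both.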