
Re: bindDN-rewriting - can't get to grips with overlays rwm+relay



> Hi!
> I'm currently using the rwm overlay to filter the objects from my
> ou=students,dc=uni-bamberg,dc=de directory by their "o" attribute and
> project the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de.
> Therefore I use the following section within my slapd.conf (before the
> "database hdb..." section):
>
> database            relay
> suffix              "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
> overlay             rwm
> #rwm-rewriteEngine  on
> rwm-suffixmassage   "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
>                     "ou=students,dc=uni-bamberg,dc=de"
> rwm-rewriteContext  bindDN
> rwm-rewriteRule     ".*"  "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
> rwm-rewriteContext  searchFilter
> rwm-rewriteRule     "(.*)"  "(&(o=swt)$1)" ":@I"
>
> searchFilter rewriting works perfectly, but I also need to rewrite the
> bindDN, as every operation within ou=students,dc=uni-bamberg,dc=de needs to
> be carried out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de)
> (the reason is that I don't want any user other than ldapadmin to be able
> to write ou=students,dc=uni-bamberg,dc=de, but they should be able to modify
> entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de).
> According to the logs and the error reply messages there seems to be no
> bindDN rewriting done...
> It looks like the rule never matches.
> Is my rule not general enough to match each possible bindDN string? Is
> "cn=ldapadmin,dc=uni-bamberg,dc=de" (replacement string for the bindDN)
> not well formatted (does it expect something else)? Does the overlay "relay"
> prevent the replacement of the bindDN?

The code is working as intended, and the rule is general enough; using
verbatim the configuration you provided, if I run

ldapwhoami -x -H ldap://:9011 \
    -D 'cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' \
    -w password

I get

conn=1000 op=0 BIND dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
do_bind: version=3 dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
==> rewrite_context_apply [depth=1] string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de'
==> rewrite_rule_apply rule='.*' string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'cn=ldapadmin,dc=uni-bamberg,dc=de'}
[rw] bindDN: "cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" -> "cn=ldapadmin,dc=uni-bamberg,dc=de"
>>> dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>
=> ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de,0)
<= ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
<<< dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>, <cn=ldapadmin,dc=uni-bamberg,dc=de>

^^^ the mapping occurred as expected.

The bind fails because no database can handle that DN, which I suspect is
also your case.  What's problematic in your design is that although the DN
is rewritten, the credentials remain those of the user that's actually
binding, so the bind will always fail.  Is this what you expect?

p.


>
> Any help appreciated!
>
> --
> Lehrstuhl für Softwaretechnik und Programmiersprachen
> Fakultät WIAI, Universität Bamberg, 96045 Bamberg
>
> Email: thomas.wunder@swt-bamberg.de
> Web: http://www.swt-bamberg.de/
> Tel.: 0951 863-3852 / Fax: 0951 863-3855
>
>
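The reply's point (the bindDN rule does fire, but the client's password travels unchanged with the rewritten DN) is easy to see in a small model. The following Python is an added example written for this page, not code from the thread or from OpenLDAP: it transcribes the rwm rules from the quoted slapd.conf, applies them the way the rewrite engine does in the simple case (whole string replaced by the substitution, `$N` expanded from regex groups, `@` stops the context), massages the virtual suffix to the real one, and then runs a simple bind against a constructed backend. The backend contents, the two passwords and the status strings are constructed for the example; real slapd error codes are not modelled.

```python
"""Toy model of slapo-rwm rules, rwm-suffixmassage and the resulting simple bind.

Added example for illustration; not OpenLDAP code.  All data is constructed.
"""
import re

# The rwm configuration from the thread, transcribed into Python structures.
VIRTUAL_SUFFIX = "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
REAL_SUFFIX = "ou=students,dc=uni-bamberg,dc=de"
RULES = {
    # context: [(regex, substitution, flags)]
    # flags: ':' exec once, '@' stop the context on match, 'I' ignore errors,
    # 'C' make the regex case-sensitive (the engine is case-insensitive by default)
    "bindDN": [(r".*", "cn=ldapadmin,dc=uni-bamberg,dc=de", ":@")],
    "searchFilter": [(r"(.*)", "(&(o=swt)$1)", ":@I")],
}

# Constructed backend: one database serving dc=uni-bamberg,dc=de, two entries,
# hypothetical userPassword values.
BACKEND = {
    "dc=uni-bamberg,dc=de": {
        "cn=ldapadmin,dc=uni-bamberg,dc=de": "admin-secret",
        "cn=Someone,ou=students,dc=uni-bamberg,dc=de": "someone-secret",
    },
}


def normalize(dn):
    """Case-fold and drop whitespace around RDNs (a crude stand-in for dnNormalize)."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def expand(subst, match):
    """Replace $0..$9 in the substitution with the regex groups of the match."""
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", subst)


def apply_rules(context, value, rules=RULES):
    """Apply a context's rules in order.  A matching rule replaces the whole string
    with its expanded substitution; '@' ends the context.  Simplified: a single
    pass, no goto/max-passes/unwilling handling."""
    for regex, subst, flags in rules.get(context, []):
        match = re.search(regex, value, 0 if "C" in flags else re.IGNORECASE)
        if match is None:
            continue
        value = expand(subst, match)
        if "@" in flags:
            break
    return value


def massage(dn, virtual=VIRTUAL_SUFFIX, real=REAL_SUFFIX):
    """rwm-suffixmassage: swap the virtual suffix for the real one at an RDN boundary."""
    parts = [p.strip() for p in dn.split(",")]
    n = virtual.count(",") + 1  # number of RDNs in the virtual suffix
    if normalize(",".join(parts[-n:])) != normalize(virtual):
        return dn  # not under the virtual naming context: untouched
    return ",".join(parts[:-n] + [real])


def select_database(dn, backends=BACKEND):
    """Return the suffix that is the longest tail of dn, or None if no database owns it."""
    ndn, best = normalize(dn), None
    for suffix in backends:
        ns = normalize(suffix)
        if ndn == ns or ndn.endswith("," + ns):
            if best is None or len(ns) > len(normalize(best)):
                best = suffix
    return best


def simulate_bind(bind_dn, password, backends=BACKEND):
    """What relay+rwm does with a simple bind: rewrite the DN, keep the client's
    password, hand both to whichever database owns the rewritten DN."""
    rewritten = massage(apply_rules("bindDN", bind_dn))
    db = select_database(rewritten, backends)
    if db is None:
        return ("noDatabase", rewritten)  # the situation in the reply's test log
    entries = {normalize(k): v for k, v in backends[db].items()}
    stored = entries.get(normalize(rewritten))
    if stored is None or stored != password:
        # ldapadmin's entry is checked against the password Someone typed
        return ("invalidCredentials", rewritten)
    return ("success", rewritten)


if __name__ == "__main__":
    user = "cn=Someone," + VIRTUAL_SUFFIX
    print(apply_rules("bindDN", user))
    print(apply_rules("searchFilter", "(uid=someone)"))
    print(massage(user))
    print(simulate_bind(user, "someone-secret"))      # invalidCredentials
    print(simulate_bind(user, "admin-secret"))        # success, bound as ldapadmin
    print(simulate_bind(user, "someone-secret", {}))  # noDatabase
```

Running it shows the three outcomes the thread touches on: with no database behind the relay the rewritten DN is unroutable; with the hdb database present, Someone's own password is checked against ldapadmin's entry and the bind fails; and the only bind that does succeed is one that presents ldapadmin's password, from any DN under the relay suffix. That last case is the design problem the reply hints at: rewriting the bind DN does not lend users ldapadmin's privileges, it only changes whose password the server expects.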