
Re: bindDN-rewriting - can't get to grips with overlays rwm+relay



Then it seems that I've misinterpreted the way bindDN rewriting works.

I actually thought that it would be possible that an operation on an object
within the rewritten subtree (ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de)
which is started by a user (cn=smbldapadmin,dc=uni-bamberg,dc=de, who is not
within the subtree which is rewritten) could be internally carried out with the
privileges of a different user (cn=ldapadmin,dc=uni-bamberg,dc=de).

To make it a bit clearer, these are the users/objects involved:
UsrA: cn=smbldapadmin,dc=uni-bamberg,dc=de
Obj : cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
UsrB: cn=ldapadmin,dc=uni-bamberg,dc=de
Obj' : cn=A,ou=students,dc=uni-bamberg,dc=de

...and this is what I want my LDAP server to do:
1. UsrA -> bind to LDAP-Service
2. Add Obj (as UsrA) --- internal rewriting ---> Add Obj' (as UsrB)
3. process "Add Obj' " internally
4. --> if successful "Obj" should be visible to UsrA

Would it be possible to achieve this with the rwm/relay overlay or is there 
another overlay that could do that for me?

On Wednesday 14 April 2010 18:27:32 masarati@aero.polimi.it wrote:
> > Hi!
> > I'm currently using the rwm overlay to filter the objects from my
> > ou=students,dc=uni-bamberg,dc=de directory by their "o"-attribute and
> > project
> > the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
> > Therefore I use the following section within my slapd.conf (before the
> > "database hdb..." section):
> >
> > database relay
> > suffix              "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
> > overlay             rwm
> > #rwm-rewriteEngine  on
> > rwm-suffixmassage   "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
> >                     "ou=students,dc=uni-bamberg,dc=de"
> > rwm-rewriteContext  bindDN
> > rwm-rewriteRule     ".*"  "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
> > rwm-rewriteContext  searchFilter
> > rwm-rewriteRule     "(.*)"  "(&(o=swt)$1)" ":@I"
> >
> > searchFilter rewriting works perfectly but I also need to rewrite the
> > bindDN
> > as every operation within ou=students,dc=uni-bamberg,dc=de needs to be
> > carried
> > out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de)
> > (the reason is that I don't want any user other than ldapadmin to be able
> > to write ou=students,dc=uni-bamberg,dc=de but they should be able to modify
> > entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de)
> > according to the logs and the error reply messages there seems to be no
> > bindDN rewriting done...
> > It looks like the rule never matches.
> > Is my rule not general enough to match each possible bindDN-String? Is
> > "cn=ldapadmin,dc=uni-bamberg,dc=de" (replacement string for the bindDN)
> > not
> > well formatted (does it expect something else)? Does the overlay "relay"
> > prevent the replacement of the bindDN?
> 
> The code is working as intended, and the rule is general enough; using
> verbatim the configuration you provided, if I run
> 
> ldapwhoami -x -H ldap://:9011 \
>     -D 'cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' \
>     -w password
> 
> I get
> 
> conn=1000 op=0 BIND dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
> do_bind: version=3 dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
> ==> rewrite_context_apply [depth=1] string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de'
> ==> rewrite_rule_apply rule='.*' string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' [1 pass(es)]
> ==> rewrite_context_apply [depth=1] res={0,'cn=ldapadmin,dc=uni-bamberg,dc=de'}
> [rw] bindDN: "cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" -> "cn=ldapadmin,dc=uni-bamberg,dc=de"
> 
> >>> dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>
> 
> => ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de,0)
> <= ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> <<< dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>, <cn=ldapadmin,dc=uni-bamberg,dc=de>
> 
> ^^^ the mapping occurred as expected.
> 
> The bind fails because no database can handle that DN, which I suspect is
> also your case.  What's problematic in your design is that although the DN
> is rewritten, the credentials remain those of the user that's actually
> binding, so the bind will always fail.  Is this what you expect?
> 
> p.
> 
> > Any help appreciated!
> >
> > --
> > Lehrstuhl für Softwaretechnik und Programmiersprachen
> > Fakultät WIAI, Universität Bamberg, 96045 Bamberg
> >
> > Email: thomas.wunder@swt-bamberg.de
> > Web: http://www.swt-bamberg.de/
> > Tel.: 0951 863-3852 / Fax: 0951 863-3855
> 

-- 
Lehrstuhl für Softwaretechnik und Programmiersprachen
Fakultät WIAI, Universität Bamberg, 96045 Bamberg

Email: thomas.wunder@swt-bamberg.de
Web: http://www.swt-bamberg.de/
Tel.: 0951 863-3852 / Fax: 0951 863-3855
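Editor's note, with an added configuration example that is not part of the thread and not taken from OpenLDAP's own documentation. The point of the exchange above is that slapo-rwm only rewrites strings: the bindDN rule swaps the DN that gets looked up, but the password the client presents is still the client's own, so the bind can never succeed, and an operation that does come in through the relay is re-dispatched to the backing database with the identity the client really bound as. Authorization therefore has to be granted where the real entries live, with an ACL narrow enough to match the o=swt view. The fragment below keeps the relay/rwm view from the thread (minus the bindDN rule) and adds that ACL to the backing database. It uses the DNs from the thread; the rootpw value and the directory path are placeholders, and treating cn=ldapadmin as the rootdn of the hdb database (which bypasses ACLs) is an assumption.

```conf
# Added example (editor's note): not the configuration from the thread and not
# from OpenLDAP documentation. DNs are the ones used in the thread; rootpw and
# directory are placeholders; ldapadmin being the rootdn is an assumption.

# Virtual view, as in the thread: entries of ou=students,dc=uni-bamberg,dc=de
# that carry o=swt appear under ou=students,ou=people,ou=swt,ou=wiai,...
# The bindDN rewrite rule is left out on purpose: it only changes the DN that
# is looked up, while the client's password stays its own, so the bind fails.
database        relay
suffix          "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
overlay         rwm
rwm-rewriteEngine on
rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
                  "ou=students,dc=uni-bamberg,dc=de"
rwm-rewriteContext searchFilter
rwm-rewriteRule   "(.*)"  "(&(o=swt)$1)"  ":@I"

# Backing database. Requests arriving through the relay are handled here with
# the identity the client actually bound as, so these ACLs decide what
# cn=smbldapadmin may do; the relay itself grants nothing.
database        hdb
suffix          "dc=uni-bamberg,dc=de"
rootdn          "cn=ldapadmin,dc=uni-bamberg,dc=de"
# placeholder: use a hashed value ({SSHA}...) in a real deployment
rootpw          secret
# placeholder
directory       /var/lib/ldap

# Adding an entry needs write access to the parent's "children" pseudo-attribute.
access to dn.exact="ou=students,dc=uni-bamberg,dc=de" attrs=children
    by dn.exact="cn=smbldapadmin,dc=uni-bamberg,dc=de" write
    by users read
# smbldapadmin may write only ou=students entries that carry o=swt. The filter
# is what keeps the rest of the real subtree read-only for it, regardless of
# which suffix (real or virtual) the request came in on.
access to dn.subtree="ou=students,dc=uni-bamberg,dc=de" filter=(o=swt)
    by dn.exact="cn=smbldapadmin,dc=uni-bamberg,dc=de" write
    by users read
access to dn.subtree="ou=students,dc=uni-bamberg,dc=de"
    by users read
access to *
    by users read
```

To check it, bind as cn=smbldapadmin,dc=uni-bamberg,dc=de with its own password (ldapwhoami -x -D ... -w ...) and then add an entry with o=swt under the virtual suffix; the add should succeed, while a modify of an ou=students entry without o=swt should be refused with insufficient access. Note that the searchFilter rule only hides non-o=swt entries from searches through the view; it does not stop a modify or delete addressed by DN, which is why the restriction has to be an ACL filter and not the rewrite rule. If the requirement really is that the operation runs as ldapadmin rather than as the user, that is identity assertion as done by a back-ldap proxy (idassert-bind in slapd-ldap(5)), not something rwm's string rewriting can provide.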