[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rewrite overlay to combine multiple OUs

To: Michael Ströder <michael@stroeder.com>
Subject: Re: rewrite overlay to combine multiple OUs
From: Nick Couchman <nick.couchman@seakr.com>
Date: Sun, 6 Mar 2016 14:17:13 -0700 (MST)
Cc: openldap-technical <openldap-technical@openldap.org>
In-reply-to: <56DC8B1A.70802@stroeder.com>
References: <313247248.1533345.1457242143634.JavaMail.zimbra@seakr.com> <56DC8B1A.70802@stroeder.com>
Thread-index: DFHejXjAw25GceqTFMoE/kjL64qFnQ==
Thread-topic: rewrite overlay to combine multiple OUs

----- On Mar 6, 2016, at 12:55 PM, Michael Ströder michael@stroeder.com wrote:
> 
> Have a closer look at slapo-rwm(5), section REWRITE CONFIGURATION EXAMPLES:
> http://www.openldap.org/software/man.cgi?query=slapo-rwm
> 
> In particular:
> 
>       # Bind with email instead of full DN: we first need
>       # an ldap map that turns attributes into a DN (the
>       # argument used when invoking the map is appended to
>       # the URI and acts as the filter portion)
>       rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub";
> 
>       # Then we need to detect DN made up of a single email,
>       # e.g. `mail=someone@example.com'; note that the rule
>       # in case of match stops rewriting; in case of error,
>       # it is ignored.  In case we are mapping virtual
>       # to real naming contexts, we also need to rewrite
>       # regular DNs, because the definition of a bindDN
>       # rewrite context overrides the default definition.
>       rwm-rewriteContext bindDN
>       rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
> 

Okay, so I'm sure I'm missing something simple, here, but I'm trying out the rewrite using the above examples pretty copied as-is to see if I can just get a bind DN of mail= to turn into the correct full DN.  Here are the relevant portions of my config:

## Meta Database for Fronting Real Directory
database meta
network-timeout 10
nretries 10
suffix "dc=example,dc=com"
uri "ldaps://ldap1.example.com/dc=example,dc=com" "ldaps://ldap2.example.com" "ldaps://ldap3.example.com"
overlay                 rwm
rwm-rewriteEngine       on
rwm-rewriteMap ldap attr2dn "ldaps://ldap1.example.com:3636/dc=example,dc=com?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

I'm not sure how much the order of stuff matters, here - I'll try out a few variations on that - but the above doesn't yield a good result when I try to connect with:
ldapsearch -b dc=example,dc=com -D mail=account.one@example.com -W -x cn=Some\ User

I enter the password for the user associated with the e-mail address account.one@example.com, and just get an Invalid Credentials result.  Also, I've tried various debugging levels and am not seeing any debug messages related to the rwm overlay - nothing indicating that it picked up on the mail= bindDN and tried to search/convert that to a "real" DN.

Thanks,
Nick

==
This e-mail may contain SEAKR Engineering (SEAKR) Confidential and Proprietary Information. If this message is not intended for you, you are strictly prohibited from using this message, its contents or attachments in any way. If you have received this message in error, please delete the message from your mailbox. This e-mail may contain export-controlled material and should be handled accordingly.

Follow-Ups:
- Re: rewrite overlay to combine multiple OUs
  - From: Nick Couchman <nick.couchman@seakr.com>

References:
- rewrite overlay to combine multiple OUs
  - From: Nick Couchman <nick.couchman@seakr.com>
- Re: rewrite overlay to combine multiple OUs
  - From: Michael Ströder <michael@stroeder.com>

Prev by Date: Re: rewrite overlay to combine multiple OUs
Next by Date: Re: rewrite overlay to combine multiple OUs
Index(es):
- Chronological
- Thread