
Re: rewrite overlay to combine multiple OUs



----- On Mar 6, 2016, at 2:17 PM, Nick E Couchman nick.couchman@seakr.com wrote:
> ----- On Mar 6, 2016, at 12:55 PM, Michael Ströder michael@stroeder.com wrote:
>> 
>> Have a closer look at slapo-rwm(5), section REWRITE CONFIGURATION EXAMPLES:
>> http://www.openldap.org/software/man.cgi?query=slapo-rwm
>> 
>> In particular:
>> 
>>       # Bind with email instead of full DN: we first need
>>       # an ldap map that turns attributes into a DN (the
>>       # argument used when invoking the map is appended to
>>       # the URI and acts as the filter portion)
>>       rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub";
>> 
>>       # Then we need to detect DN made up of a single email,
>>       # e.g. `mail=someone@example.com'; note that the rule
>>       # in case of match stops rewriting; in case of error,
>>       # it is ignored.  In case we are mapping virtual
>>       # to real naming contexts, we also need to rewrite
>>       # regular DNs, because the definition of a bindDN
>>       # rewrite context overrides the default definition.
>>       rwm-rewriteContext bindDN
>>       rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
>> 
> 
> Okay, so I'm sure I'm missing something simple, here, but I'm trying out the
> rewrite using the above examples pretty copied as-is to see if I can just get a
> bind DN of mail= to turn into the correct full DN.  Here are the relevant
> portions of my config:
> 
> ## Meta Database for Fronting Real Directory
> database meta
> network-timeout 10
> nretries 10
> suffix "dc=example,dc=com"
> uri "ldaps://ldap1.example.com/dc=example,dc=com" "ldaps://ldap2.example.com" "ldaps://ldap3.example.com"
> overlay                 rwm
> rwm-rewriteEngine       on
> rwm-rewriteMap ldap attr2dn "ldaps://ldap1.example.com:3636/dc=example,dc=com?dn?sub"
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
> 
> I'm not sure how much the order of stuff matters, here - I'll try out a few
> variations on that - but the above doesn't yield a good result when I try to
> connect with:
> ldapsearch -b dc=example,dc=com -D mail=account.one@example.com -W -x cn=Some\ User

Answering my own question here - found another post that indicated rwm stuff needed to be before the database declaration.  Moved it up and this is working perfectly, and I think will make this silly application's LDAP "implementation" actually work with my directory tree.  Thanks very much for the help!

-Nick
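Added example, not part of the thread and not OpenLDAP code: a small Python model of what the quoted bindDN rewrite context does, so the rule, the map and the `:@I` flags can be traced on sample input. The in-memory directory, the function names (`attr2dn`, `build_filter`, `map_url`, `rewrite_bind_dn`) and the entry DNs are all constructed for this illustration. The rule pattern and the map URI are the ones from the thread; the reading of the flags (stop on match, skip the rule on a map error) follows the man-page comment quoted above. The stand-in applies RFC 4515 escaping to the value before it becomes the filter, because the rule pattern only excludes commas and the value comes straight from the client's bind DN; that escaping is this model's own defensive choice and is not a statement about what slapd does internally.

```python
import re
from typing import Dict, List, Optional

# Constructed in-memory stand-in for the directory that the attr2dn map would query.
# Keys are entry DNs; values are the attributes the map's filter is evaluated against.
DIRECTORY: Dict[str, Dict[str, List[str]]] = {
    "uid=account.one,ou=people,dc=example,dc=com": {"mail": ["account.one@example.com"]},
    "uid=account.two,ou=contractors,dc=example,dc=com": {"mail": ["account.two@example.com"]},
    "uid=desk1,ou=people,dc=example,dc=com": {"mail": ["helpdesk@example.com"]},
    "uid=desk2,ou=contractors,dc=example,dc=com": {"mail": ["helpdesk@example.com"]},
}

# The URI from the thread's rwm-rewriteMap line; the map argument becomes the filter part.
ATTR2DN_URI = "ldaps://ldap1.example.com:3636/dc=example,dc=com?dn?sub"

# The pattern from the thread's rwm-rewriteRule: a bind DN consisting of a single mail= RDN.
BIND_DN_RULE = re.compile(r"^mail=[^,]+@[^,]+$")


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a client-supplied value must not change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def build_filter(arg: str) -> str:
    """Turn the map argument ('attr=value', i.e. $0 of the rule) into an LDAP filter."""
    attr, _, value = arg.partition("=")
    return "(%s=%s)" % (attr, escape_filter_value(value))


def map_url(arg: str) -> str:
    """The search URL this stand-in would issue: the map URI with the filter appended."""
    return ATTR2DN_URI + "?" + build_filter(arg)


def _filter_value_regex(value: str) -> "re.Pattern":
    """Compile a filter value the way a server would read it: an unescaped '*' is a
    wildcard, a '\\XX' escape decodes to the literal character (matching is case-insensitive,
    as it is for the mail attribute)."""
    pieces = []
    for piece in re.split(r"(?<!\\)\*", value):
        literal = re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), piece)
        pieces.append(re.escape(literal))
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def attr2dn(arg: str, directory: Dict[str, Dict[str, List[str]]] = DIRECTORY) -> Optional[str]:
    """Stand-in for the 'ldap' rewrite map: the filter must select exactly one entry,
    whose DN is returned; no hit or an ambiguous hit is a map error (None)."""
    m = re.fullmatch(r"\((\w+)=(.*)\)", build_filter(arg))
    attr, rx = m.group(1), _filter_value_regex(m.group(2))
    hits = [dn for dn, entry in directory.items()
            if any(rx.match(v) for v in entry.get(attr, []))]
    return hits[0] if len(hits) == 1 else None


def rewrite_bind_dn(dn: str) -> str:
    """Model of the bindDN rewrite context with the rule's flags ':@I'."""
    if not BIND_DN_RULE.match(dn):
        return dn            # pattern not matched: the DN passes through untouched
    resolved = attr2dn(dn)   # ${attr2dn($0)}
    if resolved is None:
        return dn            # 'I': a map error is ignored, so the rule is skipped
    return resolved          # '@': rewriting stops after a successful match


if __name__ == "__main__":
    for test_dn in ("mail=account.one@example.com",
                    "uid=account.one,ou=people,dc=example,dc=com",
                    "mail=helpdesk@example.com",
                    "mail=*@example.com"):
        print("%-45s -> %s" % (test_dn, rewrite_bind_dn(test_dn)))
```

Two behaviours worth checking before putting such a rule in front of a real directory: a mail value shared by two entries resolves to nothing (the bind then proceeds with the literal `mail=...` DN and fails, which is the safe outcome), and a value that contains filter metacharacters is matched literally rather than as a wildcard.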
