
Re: DefaultSearchBase / ForceSearchBase



> I was searching through the threads about the DefaultSearchBase for LDAP
> clients that do not submit a default search base and set it to a
> particular string.
>
> Unfortunately, there are broken clients out there (specifically,
> Microsoft) that send a default search base, such as "c=US", "c=UK",
> among other things. To make matters complicated, some of our users have
> a search base that is set up incorrectly.
>
> Instead of attempting to fix the users, I am wondering if it would be a
> good idea to add in a 'feature' to OpenLDAP, especially if the directory
> structure is simple.  The new feature I'd like to see would be called
> "ForceSearchBase".
>
> It would be nice if this feature would change the search base to
> something else, for instance, changing any search base to
> "dc=example,dc=com".
>
> I'd appreciate some feedback and opinion on this to see if I should add
> this 'feature' to LDAP.

One solution would be to use a back-ldap gateway with appropriate
dn rewrite rules to access a normal database, e.g.

<slapd.conf snippet>
database bdb
suffix "<your suffix>"
...

database ldap
suffix ""
uri ldap://

rewriteEngine on
# default context
rewriteRule "<regex erroneous naming context>" "<your suffix>" "@"
rewriteRule "<regex erroneous naming context>" "<your suffix>" "@"
...

# disable these contexts
rewriteContext searchFilter
rewriteContext searchResult
rewriteContext matchedDn

</slapd.conf snippet>

in your case:

<slapd.conf snippet>
database bdb
suffix "dc=mitchiner,dc=net"
...

database ldap
suffix ""
uri ldap://

rewriteEngine on

# default context (searchBase, compareDn, bindDn, ...)
# replace a bogus trailing country RDN with the real suffix; the RDN
# must be anchored, otherwise "c=" would also match inside "dc=..."
rewriteRule "^c=[^,]+$" "dc=mitchiner,dc=net" "@"
rewriteRule "^(.*),c=[^,]+$" "%1,dc=mitchiner,dc=net" "@"
# anything else: append the suffix
rewriteRule ".*" "%0,dc=mitchiner,dc=net" "@"

# disable these contexts
rewriteContext searchFilter
rewriteContext searchResult
rewriteContext matchedDn

</slapd.conf snippet>

you need to --enable-rewrite --enable-ldap at configure time;
of course, you pay for ops with a bad naming context with extra ops.

To this end, you may want to enforce limits (e.g. search limits;
see slapd.conf(5)) or disable write operations with an erroneous
base, e.g. by using the "#" flag in the addDn and modifyDn rewrite
contexts to reject such operations.

See slapd-ldap(5) and slapd-meta(5) for further details.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
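Added example, not part of the thread or of OpenLDAP: a small Python simulator of the rewriteRule chain suggested above, so the rules can be checked against sample bases before they go into slapd.conf. It assumes the flag semantics the post relies on ("@" returns the result on the first matching rule, "#" rejects the operation), writes the substitutions with Python backreferences instead of the engine's %1/%0, and adds one rule for an empty base that the post does not have.

```python
import re

# Constructed simulator (not OpenLDAP code) for a back-ldap rewriteRule
# chain. Assumed flag semantics, as used in the post: rules are tried in
# order, "@" returns the result on the first match, "#" rejects the op.
# Python backrefs (\1, \g<0>) stand in for the engine's %1 / %0.
SUFFIX = "dc=mitchiner,dc=net"

# Default context (searchBase, compareDn, bindDn, ...): swap a bogus
# trailing country RDN for the real suffix, otherwise append the suffix.
# The "^$" rule for an empty base is an addition to the post's rules.
DEFAULT_RULES = [
    (r"^c=[^,]+$",      SUFFIX,             "@"),
    (r"^(.*),c=[^,]+$", r"\1," + SUFFIX,    "@"),
    (r"^$",             SUFFIX,             "@"),
    (r".*",             r"\g<0>," + SUFFIX, "@"),
]

# addDn / modifyDn: anything reaching back-ldap has a base outside the
# real suffix, so reject writes outright with the "#" flag.
WRITE_RULES = [(r".*", "", "#")]


class Rejected(Exception):
    """Raised where slapd would refuse the operation (assumed behaviour)."""


def rewrite(dn, rules):
    """Run one DN through an ordered rule chain; first match wins."""
    for pattern, subst, flag in rules:
        m = re.search(pattern, dn)
        if not m:
            continue
        if flag == "#":
            raise Rejected(dn)
        return m.expand(subst)
    return dn


def rewrite_all(bases, rules=DEFAULT_RULES):
    """Map each base through the chain; rejected bases map to None."""
    out = {}
    for base in bases:
        try:
            out[base] = rewrite(base, rules)
        except Rejected:
            out[base] = None
    return out


if __name__ == "__main__":
    for base in ["c=US", "ou=people,c=UK", "dc=example,dc=com", ""]:
        print(f"{base!r:22} -> {rewrite(base, DEFAULT_RULES)!r}")
```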