
RE: uniqueMember attribute is not suffixmassaged if attribute is not mapped and changed



I solved this on our setup with the following rewrite rules, for bases dc=c,dc=b,dc=a to dc=b,dc=a:


rewriteContext searchFilter
rewriteRule "(.*)memberUid=(.*)ou=people,dc=c,dc=b,dc=a(.*)" "%1memberUid=%2ou=people,dc=b,dc=a%3" ":"
rewriteContext searchResult
rewriteRule "(.*)memberUid=(.*)ou=people,dc=b,dc=a(.*)" "%1memberUid=%2ou=people,dc=c,dc=b,dc=a%3" ":"


This intercepts the queries of the group memberships and updates the DN, since the attribute is not of DN type and thus does not get updated by the suffix massage; it then intercepts the response and converts the DN back to what the querier is expecting (basically doing what suffix-massage does).

Change memberUid to whichever membership attr you are using, and edit the base DNs to match your setup as well.
(Yeah, this goes against the attr definition, but it works in our 2307bis schema setup for posixGroup groups.)

-T


> Arvo Jari-Pekka wrote:
> > Hi.
> >
> > My configuration is like this:
> >
> > ---------
> >
> > database meta
> > suffix   "ou=a,dc=c,dc=b"
> >
> > uri           "ldap://host:port/ou=a,dc=c,dc=b";
> > suffixmassage "ou=a,dc=c,dc=b" "dc=a,dc=b"
> >
> > ...
> >
> > ---------
> >
> > This works fine in everything else, but the uniqueMembers of
> > groupOfUniqueNames do not get rewritten (they are still in the dc=a,dc=b
> > domain).
> >
> > If I however add a mapping
> >
> > ---------
> >
> > map             objectClass groupOfNames groupOfUniqueNames
> > map             attribute member uniqueMember
> >
> > ---------
> >
> > then the "member" attributes are correctly rewritten. The problem of
> > course is that I do not want to change the objectclass.
> >
> > Mapping the attribute to itself does not help either. So
> >
> > ---------
> >
> > map objectClass groupOfUniqueNames *
> > map attribute uniqueMember *
> >
> > ---------
> >
> > does not have any effect.
> >
> > I must have missed something crucial in the documentation. Can
> > someone please tell me what it is and how I can get uniqueMembers
> > rewritten without changing the objectclass.
> >
> > OpenLDAP version is 2.4.11 for both the real and the meta server.
> 
> uniqueMember does not have DN syntax; only attributes with DN syntax are
> mapped.  You should have used groupOfNames/member instead of
> groupOfUniqueNames/uniqueMember.
> 
> p.
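Added example, not part of this thread and not OpenLDAP code: a small Python emulation of the two behaviours discussed above, so the idea can be checked offline before touching slapd.conf. `suffixmassage_entry` rewrites a search result the way suffixmassage does (entry DN plus values of DN-syntax attributes only), which reproduces the original symptom: `uniqueMember` and `memberUid` stay in the real naming context unless they are explicitly listed, which is what the hand-written searchResult rule does. `rewrite_filter` is the searchFilter direction for a given attribute, and `apply_slapd_rule` applies one rewriteRule exactly as written in the post (regex plus `%N` substitution) so the greedy `(.*)` pattern can be observed rewriting only the last occurrence per application. The syntax OIDs are the RFC 4517 / RFC 2307 ones; the sample entry, filter and DNs are constructed for the example, and the emulation simplifies what slapd's rewrite engine sees in each context (it is a string-level model, not a reimplementation).

```python
import re

# Suffixes from the original question: the meta server presents
# "ou=a,dc=c,dc=b" for a backend whose real naming context is "dc=a,dc=b".
VIRTUAL = "ou=a,dc=c,dc=b"
REAL = "dc=a,dc=b"

# Attribute syntaxes (RFC 4517 OIDs; memberUid from RFC 2307). suffixmassage
# rewrites only values of attributes with DN syntax, which is why uniqueMember
# and memberUid are left alone while member and owner are rewritten.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"
SYNTAX = {
    "member": DN_SYNTAX,
    "owner": DN_SYNTAX,
    "uniqueMember": "1.3.6.1.4.1.1466.115.121.1.34",  # Name and Optional UID
    "memberUid": "1.3.6.1.4.1.1466.115.121.1.26",     # IA5 String
}


def massage_dn(value, src, dst):
    """Replace the trailing suffix src by dst in one DN-like value.

    Matches case-insensitively on an RDN boundary (",src", or the whole value)
    and preserves a trailing "#'0101'B" uid part that a uniqueMember may carry.
    Values that do not end in src are returned unchanged.
    """
    m = re.fullmatch(r"(.*?)(#'[01]*'B)?", value, flags=re.DOTALL)
    dn, uid = m.group(1), m.group(2) or ""
    n = len(src)
    if len(dn) == n and dn.lower() == src.lower():
        return dst + uid
    if len(dn) > n and dn[-n - 1] == "," and dn[-n:].lower() == src.lower():
        return dn[:-n] + dst + uid
    return value


def suffixmassage_entry(entry, src, dst, extra_attrs=()):
    """Rewrite one search result (real -> virtual) the way suffixmassage does.

    The entry DN and all values of DN-syntax attributes are massaged. Attributes
    listed in extra_attrs are massaged too; that list stands in for the
    hand-written searchResult rewriteRule from the post above.
    """
    out = {"dn": massage_dn(entry["dn"], src, dst)}
    for attr, values in entry.items():
        if attr == "dn":
            continue
        if SYNTAX.get(attr) == DN_SYNTAX or attr in extra_attrs:
            out[attr] = [massage_dn(v, src, dst) for v in values]
        else:
            out[attr] = list(values)
    return out


def rewrite_filter(filt, src, dst, attrs):
    """Rewrite assertion values of the listed attributes in a search filter
    (virtual -> real), i.e. the searchFilter direction of the post's rule.

    "[^)]*" keeps each match inside a single "(attr=value)" item, so every
    occurrence is rewritten in one pass; the pattern is still POSIX ERE, which
    is what slapd's rewrite engine compiles.
    """
    for attr in attrs:
        pattern = r"(\(%s=(?:[^)]*,)?)%s\)" % (re.escape(attr), re.escape(src))
        filt = re.sub(pattern, lambda m: m.group(1) + dst + ")", filt,
                      flags=re.IGNORECASE)
    return filt


def apply_slapd_rule(pattern, subst, value):
    """One application of a rewriteRule as written in slapd.conf: a regex plus
    a substitution that uses %1..%9 for the captured groups."""
    return re.sub(pattern, re.sub(r"%(\d)", r"\\\1", subst), value, count=1)


# Constructed sample result, as the real backend would return it.
REAL_ENTRY = {
    "dn": "cn=admins,ou=groups,dc=a,dc=b",
    "objectClass": ["groupOfUniqueNames"],
    "owner": ["uid=root,ou=people,dc=a,dc=b"],
    "uniqueMember": ["uid=jdoe,ou=people,dc=a,dc=b",
                     "uid=asmith,ou=people,dc=a,dc=b#'0101'B"],
}

# The searchFilter rule from the post, memberUid / dc=c,dc=b,dc=a flavour.
POST_FILTER_RULE = (r"(.*)memberUid=(.*)ou=people,dc=c,dc=b,dc=a(.*)",
                    r"%1memberUid=%2ou=people,dc=b,dc=a%3")

if __name__ == "__main__":
    print(suffixmassage_entry(REAL_ENTRY, REAL, VIRTUAL))  # uniqueMember untouched
    print(suffixmassage_entry(REAL_ENTRY, REAL, VIRTUAL, ("uniqueMember",)))
    print(rewrite_filter("(uniqueMember=uid=jdoe,ou=a,dc=c,dc=b)",
                         VIRTUAL, REAL, ["uniqueMember"]))
    print(apply_slapd_rule(*POST_FILTER_RULE,
                           "(|(memberUid=uid=a,ou=people,dc=c,dc=b,dc=a)"
                           "(memberUid=uid=b,ou=people,dc=c,dc=b,dc=a))"))
```

Two things worth checking with the emulator before deploying a rule of this kind: that the suffix match only fires on an RDN boundary (a value ending in `xdc=a,dc=b` must not be touched), and that a filter with several membership assertions gets all of them rewritten. With the post's `(.*)…(.*)` pattern a single application rewrites only the last occurrence, because both groups are greedy; the `[^)]*` form in `rewrite_filter` avoids that.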