
Re: rewrite overlay to combine multiple OUs



> Nick Couchman wrote:
>> Well, I have a situation (a particular application, actually), that is so
>> arcane in its configuration that it requires that all of the users for the
>> application be in the same OU.  So, the config for the app is something
>> like:
>> CN=%USERNAME%,ou=Users,dc=example,dc=com
> 
> Sounds like you're trying to integrate a Brocade switch. ;-)

No, if it were a network switch I'd just use RADIUS as you suggested below.  It's actually an ERP system that I'll save the name of - and it's built to work more with Active Directory than it is with LDAP.  I'll also spare this list my feelings on how a certain software mogul likes to butcher standards.

> 
>> I'm thinking there's probably a way to do this with the rewriteRule and some
>> regular expressions, but I can't find quite the combination of
>> rules/expressions to accomplish this.  Any ideas?  Or am I stuck making
>> aliases?
> 
> Have a closer look at slapo-rwm(5), section REWRITE CONFIGURATION EXAMPLES:
> http://www.openldap.org/software/man.cgi?query=slapo-rwm
> 
> In particular:
> 
>       # Bind with email instead of full DN: we first need
>       # an ldap map that turns attributes into a DN (the
>       # argument used when invoking the map is appended to
>       # the URI and acts as the filter portion)
>       rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub";
> 
>       # Then we need to detect DN made up of a single email,
>       # e.g. `mail=someone@example.com'; note that the rule
>       # in case of match stops rewriting; in case of error,
>       # it is ignored.  In case we are mapping virtual
>       # to real naming contexts, we also need to rewrite
>       # regular DNs, because the definition of a bindDN
>       # rewrite context overrides the default definition.
>       rwm-rewriteContext bindDN
>       rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
> 
> Note that if your "application" also uses the DN to determine group membership
> for authorization you would have to rewrite that too. Gets cumbersome...

Okay, I figured it was buried in there somewhere, but my RegEx knowledge is sketchy and I was having trouble deciphering the examples and applying them to these situations.  I'll take a closer look at those examples and see if I can work something out.  I don't think it does anything with group memberships - just authenticating existing internal user accounts to an external LDAP server.

> 
> For strange network equipment it's sometimes much better to have another
> protocol frontend using your LDAP server as backend (e.g. RADIUS or TACACS+).
> For one of my customers using Brocade switches we used the existing TACACS+
> server with LDAP backend instead.
> 
> Ciao, Michael.

Yeah, would that I could just use RADIUS or something like that, but it's a stupid application, at least in terms of external authentication.  Thank you very much for taking the time to respond - I appreciate the help!

-Nick
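A slapd.conf fragment for the flat-OU case discussed in this thread, assembled here as an added example (it is not from the thread or from the slapo-rwm(5) man page): the application binds as CN=<user>,ou=Users,dc=example,dc=com while the real entries are spread across several OUs. The host name ldap.example.com, the single suffix dc=example,dc=com and the slapd.conf (not cn=config) syntax are assumptions.

```conf
# Goes in the database section that serves dc=example,dc=com.
overlay            rwm
rwm-rewriteEngine  on

# attr2dn turns a filter fragment into the DN of the entry it
# matches. The map argument is appended to this URI as the filter
# part, so attr2dn(cn=jdoe) searches the whole suffix (scope sub,
# any real OU) for (cn=jdoe) and returns that entry's DN.
# Host and base DN are assumptions for this example.
rwm-rewriteMap ldap attr2dn "ldap://ldap.example.com/dc=example,dc=com?dn?sub"

# The application always binds as CN=<user>,ou=Users,dc=example,dc=com.
# Match the attribute types case-insensitively (the app writes CN=),
# capture the username, and replace the whole DN with the looked-up
# real DN.  Flags: '@' stops rewriting once the rule matches; 'I'
# ignores a failed lookup (no such user), so the DN is left as the
# nonexistent flat DN and the bind simply fails as it would today.
rwm-rewriteContext bindDN
rwm-rewriteRule "^[Cc][Nn]=([^,]+),[Oo][Uu]=Users,dc=example,dc=com$" "${attr2dn(cn=$1)}" ":@I"

# Anything that does not match (a bind with a real DN) is passed
# through unchanged, so existing clients keep working.
```

The lookup runs with the identity the map is configured to use, which therefore needs read access to cn across all the OUs. Because the rule is defined only in the bindDN context, it rewrites the bind; if the application also searches or compares using that flat DN, the same rule has to be added to the searchDN and compareDN contexts as well.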
