
slapo-rwm How to define order that Rewrite Contexts are processed



Hi

I’ve been asked to configure a SLAPD/LDAP proxy with more than one LDAP Back-End. The users log into the LDAP client using their email address and the proxy uses the domain part of their UID to decide which slapd-ldap back-end to authenticate against. I have the proxy working – with two defined slapd-ldap back-ends. It’s tested and works with one back-end at a time.

I need rwm to process a rewrite of both the searchFilter and searchDN using a key piece of information identified in the searchFilter to decide the searchDN.

Original searchDN = "ou=people,ou=my,dc=proxy,dc=com"
Original searchFilter="(&(objectClass=posixAccount)(uid=john@domain.one.com))"

Rewritten searchDN = "ou=people,ou=domain,dc=one,dc=com"
Rewritten searchFilter = "(&(objectClass=posixAccount)(uid=john))"

I have:

dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmNormalizeMapped: FALSE
olcRwmRewrite: {0}rwm-rewriteEngine on
#
#Unix LDAP authentication requests arrive with these three components:
# searchDN:      OU=people,DC=my,DC=proxy,DC=com - as defined on the LDAP client
# searchFilter:  (&(objectClass=posixAccount)(uid=john@domain.one.com))
# attributes:    userPassword cn gidNumber uidNumber
#                loginShell objectClass gecos uid homeDirectory
#
# {1} searchFilter Context:
# {2} rewrite john@domain.one.com:
#     Strip @domain.one.com part and set &&target to OU=people,DC=domain,DC=one,DC=com
# {3} rewrite jane@domain.two.com:
#     Strip @domain.two.com part and set &&target to OU=people,DC=domain,DC=two,DC=com
# {4} searchDN Context:
# {5} rewrite OU=people,DC=my,DC=proxy,DC=com the value already defined in &&target
#
olcRwmRewrite: {1}rwm-rewriteContext SearchFilter
#
olcRwmRewrite: {2}rwm-rewriteRule "^(.+uid=[^,]+)@domain.one.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=one,dc=com\")}$1$2" ":"
#
olcRwmRewrite: {3}rwm-rewriteRule "^(.+uid=[^,]+)@domain.two.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=two,dc=com\")}$1$2" ":"
#
olcRwmRewrite: {4}rwm-rewriteContext searchDN
#
olcRwmRewrite: {5}rwm-rewriteRule "OU=people,[ ]?DC=my,[ ]?DC=proxy,[ ]?DC=com " "${**target}"  ":"

This results in a slapd crash because searchDN wants to use the **target variable, but it's not yet defined because the searchFilter Context hasn’t been run yet.

How do I change the order that the rwm-rewriteContexts are executed so that the context for searchFilter is run first?

Thanks
Paul
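
Added example, not part of the post above and not slapd configuration: a small Python model of the mapping the message describes, showing that the back-end search base can only be chosen after the uid assertion in the filter has been parsed, and that an unknown domain is refused rather than routed. The function names are hypothetical; the DNs and domains are the ones in the post's rewrite rules.

```python
import re

# Values taken from the post's rewrite rules; the table itself is constructed.
PROXY_BASE = "ou=people,dc=my,dc=proxy,dc=com"
DOMAIN_TO_BASE = {
    "domain.one.com": "ou=people,dc=domain,dc=one,dc=com",
    "domain.two.com": "ou=people,dc=domain,dc=two,dc=com",
}

# A uid equality assertion of the form (uid=local@domain). Wildcards,
# parentheses and backslash escapes in the local part are not accepted.
UID_ASSERTION = re.compile(r"\(uid=([^@()*\\]+)@([A-Za-z0-9.-]+)\)")


def normalize_dn(dn):
    """Lower-case and trim each RDN (naive: ignores escaped commas)."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def route_search(search_base, search_filter):
    """Return (backend_base, backend_filter); raise ValueError to fail closed."""
    if normalize_dn(search_base) != PROXY_BASE:
        raise ValueError("search base is not the proxy's people container")
    matches = UID_ASSERTION.findall(search_filter)
    if len(matches) != 1:
        raise ValueError("expected exactly one uid=local@domain assertion")
    _local, domain = matches[0]
    # The base depends on the domain found in the filter, so the filter
    # has to be examined before the base can be rewritten.
    backend_base = DOMAIN_TO_BASE.get(domain.lower())
    if backend_base is None:
        raise ValueError("no back-end configured for domain " + domain)
    backend_filter = UID_ASSERTION.sub(
        lambda m: "(uid=" + m.group(1) + ")", search_filter)
    return backend_base, backend_filter


if __name__ == "__main__":
    print(route_search(
        "OU=people,DC=my,DC=proxy,DC=com",
        "(&(objectClass=posixAccount)(uid=john@domain.one.com))"))
```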