
Re: slapo-rwm How to define order that Rewrite Contexts are processed



On Fri, 17 Feb 2017 14:38:16 +1300,
"Lowrie, Paul, Vodafone NZ" <Paul.Lowrie@vodafone.com> wrote:

> Hi
> 
> I've been asked to configure a SLAPD/LDAP proxy with more than one
> LDAP Back-End.  The users log into the LDAP client using their email
> address and the proxy uses the domain part of their UID to decide
> which slapd-ldap back-end to authenticate against. I have the proxy
> working - with two defined slapd-ldap back-ends.  It's tested and
> works with one back-end at a time.
> 
> I need rwm to process a rewrite of both the searchFilter and searchDN
> using a key piece of information identified the searchFilter to
> decide the searchDN.
> 
> Original searchDN = "ou=people,ou=my,dc=proxy,dc=com"
> Original
> searchFilter="(&(objectClass=posixAccount)(uid=john@domain.one.com))"
> 
> Rewritten searchDN = "ou=people,ou=domain,dc=one,dc=com"
> Rewritten searchFilter = "(&(objectClass=posixAccount)(uid=john))"
> 
> I have:
> 
> dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: {0}rwm
> olcRwmNormalizeMapped: FALSE
> olcRwmRewrite: {0}rwm-rewriteEngine on
> #
> #Unix LDAP authentication requests arrive with these three components:
> # searchDN:      OU=people,DC=my,DC=proxy,DC=com - as defined on the LDAP client
> # searchFilter:  (&(objectClass=posixAccount)(uid=john@domain.one.com))
> # attributes:    userPassword cn gidNumber uidNumber
> #                loginShell objectClass gecos uid homeDirectory
> #
> # {1} searchFilter Context:
> # {2} rewrite john@domain.one.com:
> #     Strip @domain.one.com part and set &&target to OU=people,DC=domain,DC=one,DC=com
> # {3} rewrite jane@domain.two.com:
> #     Strip @domain.two.com part and set &&target to OU=people,DC=domain,DC=two,DC=com
> # {4} searchDN Context:
> # {5} rewrite OU=people,DC=my,DC=proxy,DC=com the value already defined in &&target
> #
> olcRwmRewrite: {1}rwm-rewriteContext SearchFilter
> #
> olcRwmRewrite: {2}rwm-rewriteRule "^(.+uid=[^,]+)@domain.one.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=one,dc=com\")}$1$2" ":"
> #
> olcRwmRewrite: {3}rwm-rewriteRule "^(.+uid=[^,]+)@domain.two.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=two,dc=com\")}$1$2" ":"
> #
> olcRwmRewrite: {4}rwm-rewriteContext searchDN
> #
> olcRwmRewrite: {5}rwm-rewriteRule "OU=people,[ ]?DC=my,[ ]?DC=proxy,[ ]?DC=com " "${**target}"  ":"
> 
> This results in a slapd crash because searchDN wants to use the
> **target variable, but it's not yet defined because the searchFilter
> Context hasn't been run yet. How do I change the order that the
> rwm-rewriteContexts are executed so that the context for searchFilter
> is run first?

You may try old-fashioned slapd.conf instead of using the config
database. There are some ordering problems in config.

-Dieter 

-- 
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N
10°08'02,42"E
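The data dependency behind the crash described in the question, as an added stand-alone model (not the slapo-rwm engine and not anyone's code from this thread): the searchFilter rule strips the domain from `uid=` and records the chosen back-end base in a variable, the searchDN rule then reads that variable, and running the contexts in the other order hits an unset variable. The domain-to-base mapping and the regexes are constructed from the DNs in the thread; the real rwm engine decides for itself when each context runs, so this only illustrates the ordering requirement.

```python
import re

# Constructed mapping of e-mail domain -> back-end search base, built from
# the DNs quoted in the thread.
DOMAIN_TO_BASE = {
    "domain.one.com": "ou=people,dc=domain,dc=one,dc=com",
    "domain.two.com": "ou=people,dc=domain,dc=two,dc=com",
}
# searchFilter context: capture the user part and the domain of uid=.
FILTER_RULE = re.compile(r"^(.*\(uid=[^@,)]+)@([A-Za-z0-9.-]+)(\).*)$")
# searchDN context: the proxy base the LDAP client is configured with.
BASE_RULE = re.compile(r"^ou=people,\s?ou=my,\s?dc=proxy,\s?dc=com$", re.IGNORECASE)


def rewrite_search_filter(search_filter, variables):
    """Strip the domain from uid= and store the target base in variables."""
    m = FILTER_RULE.match(search_filter)
    if m is None:
        return search_filter  # rule does not apply; filter is left unchanged
    domain = m.group(2).lower()
    if domain not in DOMAIN_TO_BASE:
        # Unknown domains must not silently fall through to some back-end.
        raise ValueError(f"no back-end configured for domain {domain!r}")
    variables["target"] = DOMAIN_TO_BASE[domain]
    return m.group(1) + m.group(3)


def rewrite_search_dn(search_dn, variables):
    """Replace the proxy base with the base chosen by the filter rule."""
    if BASE_RULE.match(search_dn) is None:
        return search_dn
    if "target" not in variables:
        raise LookupError("**target read before the searchFilter context set it")
    return variables["target"]


CONTEXTS = {"searchFilter": rewrite_search_filter, "searchDN": rewrite_search_dn}


def rewrite_search(search_dn, search_filter, order=("searchFilter", "searchDN")):
    """Run the contexts in the given order; returns (new_dn, new_filter)."""
    variables, state = {}, {"searchDN": search_dn, "searchFilter": search_filter}
    for ctx in order:
        state[ctx] = CONTEXTS[ctx](state[ctx], variables)
    return state["searchDN"], state["searchFilter"]


def order_is_valid(order):
    """True if this context order never reads a variable before it is set."""
    try:
        rewrite_search("ou=people,ou=my,dc=proxy,dc=com",
                       "(&(objectClass=posixAccount)(uid=jane@domain.two.com))", order)
        return True
    except LookupError:
        return False
```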