Full_Name: Vlado Nespor
Version: 2.4.40
OS: Linux
URL: ftp://ftp.openldap.org/incoming/vlado-nespor-150318.patch
Submission from: (NULL) (129.132.179.222)
In certain situations users may welcome the possibility to authenticate in different applications using the same user uid, but an alternative user password value.
In order to avoid the creation of a new user entry, and repeating the same values for all user attributes, but the attribute userPassword, virtual views (see slapd-relay(5) and slapo-rwm(5)) seem to be a good alternative.
Although the mapping of the userPassword attribute in the relay backend configuration works fine for e.g. the search operation, it does not work for the bind operation. For example, for the following configuration in slapd.conf
-----------------------
database relay
suffix "ou=webUsers,ou=auth,o=example"
relay "ou=users,ou=auth,o=example"

overlay rwm
rwm-suffixmassage "ou=webUsers,ou=auth,o=example" "ou=users,ou=auth,o=example"
rwm-map attribute sn *
rwm-map attribute cn *
rwm-map attribute uid *
rwm-map attribute userPassword webUserPassword
rwm-map attribute *
-----------------------
the search operation in "ou=webUsers,ou=auth,o=example" would present the password value stored in the attribute webUserPassword (from "ou=users,ou=auth,o=example"). But for the bind operation the user has to use the password value stored in the attribute userPassword (and not in the attribute webUserPassword, as one could expect).
The patch, presented in
ftp://ftp.openldap.org/incoming/vlado-nespor-150318.patch
aims to extend the functionality of virtual views. With the patch applied, the mapping of the attribute userPassword in the above example should also work for the user bind operation. (In order to use the alternative password value stored in webUserPassword, the application (LDAP client) just needs to modify the search base.)
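The following is an added simulation, not OpenLDAP code and not the patch itself, of the discrepancy described above: it parses the rwm-map directives from the example configuration, builds the virtual view a search client sees, and then evaluates a simple bind either against the real userPassword (unpatched behaviour, as reported) or against the real attribute that the virtual userPassword maps to (the behaviour the patch is described as adding). The rwm semantics modelled here are an assumption for illustration: an explicit `rwm-map attribute <local> <foreign>` exposes the foreign attribute under the local name, `*` as foreign name preserves the name, and a trailing `rwm-map attribute *` hides every attribute not explicitly mapped. The entry and the {SSHA} hashes are constructed sample data.

```python
"""Added example: simulate slapo-rwm attribute mapping for search vs. bind.

Not OpenLDAP code; the mapping rules below are a simplified model of the
rwm-map directives used in the report (assumption, see lead-in).
"""
import base64
import hashlib
import hmac
import os

# The rwm-map lines from the slapd.conf in the report.
RWM_CONFIG = """
rwm-map attribute sn *
rwm-map attribute cn *
rwm-map attribute uid *
rwm-map attribute userPassword webUserPassword
rwm-map attribute *
"""


def parse_rwm_maps(config):
    """Return (virtual->real name dict, drop_unmapped flag).

    'rwm-map attribute X *' keeps the name X; 'rwm-map attribute X Y' exposes
    real attribute Y as virtual X; a bare 'rwm-map attribute *' means every
    attribute not explicitly mapped is hidden (modelled assumption).
    """
    virt_to_real = {}
    drop_unmapped = False
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "rwm-map" or parts[1] != "attribute":
            continue
        if len(parts) == 3:
            drop_unmapped = drop_unmapped or parts[2] == "*"
            continue
        local, foreign = parts[2].lower(), parts[3].lower()
        virt_to_real[local] = local if foreign == "*" else foreign
    return virt_to_real, drop_unmapped


def virtual_view(real_entry, config):
    """Entry as presented by the relay database on a search operation."""
    virt_to_real, drop_unmapped = parse_rwm_maps(config)
    real_to_virt = {r: v for v, r in virt_to_real.items()}
    view = {}
    for name, values in real_entry.items():
        key = name.lower()
        if key in real_to_virt:
            view[real_to_virt[key]] = list(values)
        elif not drop_unmapped:
            view[key] = list(values)
    return view


def ssha_hash(password, salt=None):
    """Produce an RFC-style {SSHA} value (SHA-1 over password+salt, then salt)."""
    salt = salt if salt is not None else os.urandom(4)
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()


def ssha_verify(password, stored):
    """Constant-time check of a candidate password against an {SSHA} value."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode() + salt).digest()
    return hmac.compare_digest(candidate, digest)


def simulate_bind(real_entry, config, password, patched):
    """Simple bind through the relay.

    Unpatched: the comparison always uses the real entry's userPassword,
    ignoring the rwm mapping (the behaviour the report describes).
    Patched: the virtual userPassword is first mapped to its real attribute.
    """
    entry = {k.lower(): v for k, v in real_entry.items()}
    virt_to_real, _ = parse_rwm_maps(config)
    attr = virt_to_real.get("userpassword", "userpassword") if patched else "userpassword"
    return any(ssha_verify(password, stored) for stored in entry.get(attr, []))


# Constructed sample entry as stored under ou=users,ou=auth,o=example.
REAL_ENTRY = {
    "uid": ["jdoe"],
    "cn": ["John Doe"],
    "sn": ["Doe"],
    "userPassword": [ssha_hash("main-secret")],
    "webUserPassword": [ssha_hash("web-secret")],
    "mail": ["jdoe@example"],  # not mapped, so hidden in the virtual view
}

if __name__ == "__main__":
    print("search via relay sees:", sorted(virtual_view(REAL_ENTRY, RWM_CONFIG)))
    for patched in (False, True):
        for pw in ("main-secret", "web-secret"):
            ok = simulate_bind(REAL_ENTRY, RWM_CONFIG, pw, patched)
            print(f"patched={patched} bind with {pw!r}: {'ok' if ok else 'fail'}")
```

Running it shows the mismatch the report is about: the virtual view exposes the webUserPassword value under the name userPassword (and hides mail and the real userPassword), yet the unpatched bind only succeeds with "main-secret", while the patched bind succeeds only with "web-secret".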
The changes in the patch have been tested for simple authentication, and they should work for the following backends:
back-bdb
back-hdb
back-mdb
back-sql
There are a few examples (configurations and data) in
ftp://ftp.openldap.org/incoming/vlado-nespor-150318-examples.tar
to illustrate the idea and to allow simple tests.
The patch has been tested in our production (back-hdb) for several months, and there were no problems detected.