https://bugs.openldap.org/show_bug.cgi?id=9817
--- Comment #5 from Thierry PUBELLIER thierry.pubellier@paris.fr ---

Hi,
Please accept my apologies for responding so late and for the imprecision of my request.
Basically, I want to route bind operations to different databases based on the result of an LDAP request:
- The initial bind operation is for cn=myuser,ou=users,dc=paris,dc=local
- If there is a match for an LDAP search on a remote server, I want to choose local database A (dc=paris,dc=local), whose suffix is the same as the remote one. Otherwise, I want to choose database B (dc=paris2,dc=local), whose suffix can be obtained with a basic substitution.
Here is my global configuration, with the correct rewriteMap:

rwm-rewriteEngine on    # Line 1
rwm-rewriteContext bindDN    # Line 2
rwm-rewriteMap ldap checkIfPasswordExpiredDN "ldaps://10.2.3.4/ou=users,dc=paris,dc=local?dn?sub" binddn="remote-DN" credentials="remote-cred"    # Line 3
rwm-rewriteRule ".+" "${&binddn($0)}$0" ":"    # Line 4: backup of the initial DN
rwm-rewriteRule ".+" "(&(!(description=TEST))(distinguishedName=$0))" ":"    # Line 5: creating an LDAP filter based on the original DN
rwm-rewriteRule ".+" "${checkIfPasswordExpiredDN($0)}" ":@I"    # Line 6: if there is a match, it will reflect the initial DN and stop rewriting
rwm-rewriteRule ".+" "${*binddn}" ":"    # Line 7: restoring the initial DN
rwm-rewriteRule "(.+,)?ou=users,dc=paris,dc=local$" "$1ou=users,dc=paris2,dc=local" ":@"    # Line 8: basic substitution for A --> B
More generally, as I am working with the "bindDN" rewrite context, the data that will be manipulated is a DN. Using a rewrite map (Line 6 above) requires the construction of an LDAP filter in a way like this: %myDN% --> (&(!(description=TEST))(distinguishedName=$0)), with the help of a rewrite rule (Line 5 above). This works fine for DNs like "cn=myuser,ou=users,dc=paris,dc=local", which have no "," or other special characters in them.
But in my own directory, I have DNs like 'cn=Pubellier, Thierry (TEST),ou=users,dc=paris,dc=local'. In this case, line 5 will generate an incorrect LDAP filter. So I need to simulate an escaping of the special characters (according to RFC 4515, like with 'escape_filter_value' in the Net::LDAP::Util Perl module):
- for ",", I need to insert a line like 'rwm-rewriteRule "(.+).\2C(.+)" "$1\,$2"', as the "," character seems to be replaced internally by '\2C'.
- for the other special characters (')', '*', '(' and '\'), I try to emulate the escape mechanism, in an imperfect way, with the two following lines:

rwm-rewriteRule "(.*)([)*(\])([^#].*|$)" "$1$2#$3"    # Supposing there is no '#' in my DNs, I add a '#' after each special character.
rwm-rewriteRule "(.*)([)*(\])#(.*)" "$1\$2$3"    # I replace each special character + '#' by '\' + special character. This trick avoids an infinite loop when adding a '\' before each special character.
So my request is to have a way to natively escape the DN value, like having a '#' operator in place of the usual '&' for use in Substitution Patterns.
Could you please tell me what the OpenLDAP regression suite is? Is it the test/scripts directory of the OpenLDAP source? In that case, I'll try to make a script to reproduce my issue.
Best regards,
Thierry
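Added example, not code from the bug report or from OpenLDAP: a Python implementation of the RFC 4515 assertion-value escaping that the comment above asks slapo-rwm to perform natively, together with a small filter parser that shows why the unescaped DN from the report yields a filter that does not parse while the escaped one round-trips to the original DN. The escaping follows RFC 4515 section 3 (the same character set as Net::LDAP::Util::escape_filter_value); the parser covers only the and/or/not/equality subset that the Line 5 rewrite rule produces, and the sample DNs are constructed from those in the report, with '\2C' standing for the comma as the report says it appears internally.

```python
"""RFC 4515 escaping of a DN before it is embedded in an LDAP search filter.

Added example, not OpenLDAP or slapo-rwm code. It escapes assertion values as
RFC 4515 section 3 requires and checks the result with a small parser for the
(&(!(a=b))(c=d)) shape produced by the rewrite rule in the bug report.
"""
import re

# RFC 4515 section 3: these characters must be \XX-escaped in an assertion value.
_RFC4515_ESCAPES = {'\\': r'\5c', '*': r'\2a', '(': r'\28', ')': r'\29'}
_HEX_ESCAPE = re.compile(r'\\([0-9a-fA-F]{2})')


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it can be embedded verbatim in a filter.

    Control and non-ASCII characters are emitted as \\XX escapes of their
    UTF-8 bytes, which RFC 4515 permits and which avoids encoding ambiguity.
    """
    out = []
    for ch in value:
        if ch in _RFC4515_ESCAPES:
            out.append(_RFC4515_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) > 0x7e:
            out.append(''.join('\\%02x' % b for b in ch.encode('utf-8')))
        else:
            out.append(ch)
    return ''.join(out)


def build_bind_check_filter(dn: str) -> str:
    """The filter from Line 5 of the report, with the DN escaped properly."""
    return '(&(!(description=TEST))(distinguishedName=%s))' % escape_filter_value(dn)


def naive_bind_check_filter(dn: str) -> str:
    """What Line 5 produces today: the DN is substituted without escaping."""
    return '(&(!(description=TEST))(distinguishedName=%s))' % dn


def unescape_filter_value(raw: str) -> str:
    """Decode \\XX escapes; reject bare '(' or ')' and malformed backslashes."""
    buf = bytearray()
    i = 0
    while i < len(raw):
        ch = raw[i]
        if ch == '\\':
            m = _HEX_ESCAPE.match(raw, i)
            if not m:
                raise ValueError('malformed escape at offset %d in %r' % (i, raw))
            buf.append(int(m.group(1), 16))
            i += 3
        elif ch in '()':
            raise ValueError('unescaped %r inside value %r' % (ch, raw))
        else:
            buf += ch.encode('utf-8')
            i += 1
    return buf.decode('utf-8')


def parse_filter(text: str):
    """Parse the and/or/not/equality subset of RFC 4515 into nested tuples.

    Returns ('&'|'|'|'!', [items]) or ('=', attr, decoded_value) and raises
    ValueError for anything that is not a well-formed filter.
    """
    def parse(pos):
        if pos >= len(text) or text[pos] != '(':
            raise ValueError('expected "(" at offset %d' % pos)
        pos += 1
        if pos < len(text) and text[pos] in '&|!':
            op, pos, items = text[pos], pos + 1, []
            while pos < len(text) and text[pos] == '(':
                node, pos = parse(pos)
                items.append(node)
            if pos >= len(text) or text[pos] != ')':
                raise ValueError('expected ")" at offset %d' % pos)
            return (op, items), pos + 1
        # Equality item: the value ends at the first ')' the parser sees, which
        # is exactly why an unescaped '(' or ')' in a DN breaks the filter.
        end = text.find(')', pos)
        if end < 0:
            raise ValueError('unterminated item at offset %d' % pos)
        attr, sep, raw = text[pos:end].partition('=')
        if not sep or not attr:
            raise ValueError('not an equality item: %r' % text[pos:end])
        return ('=', attr, unescape_filter_value(raw)), end + 1

    node, end = parse(0)
    if end != len(text):
        raise ValueError('trailing data after filter at offset %d' % end)
    return node


def is_well_formed(text: str) -> bool:
    try:
        parse_filter(text)
        return True
    except ValueError:
        return False


if __name__ == '__main__':
    # Constructed sample DNs based on the ones quoted in the report.
    for dn in ('cn=myuser,ou=users,dc=paris,dc=local',
               'cn=Pubellier\\2C Thierry (TEST),ou=users,dc=paris,dc=local'):
        print(dn)
        for label, f in (('naive', naive_bind_check_filter), ('escaped', build_bind_check_filter)):
            print('  %-7s %s -> well-formed: %s' % (label, f(dn), is_well_formed(f(dn))))
```

The escaped form keeps the RFC 4514 '\2C' of the DN intact (its backslash becomes '\5c', so the server decodes it back to a backslash followed by '2C'), while the naive substitution is rejected as soon as the parser meets the '(' of '(TEST)'. A DN containing a bare ')' is the nastier case: it closes the equality item early, and whatever follows is parsed as more filter syntax, which is the usual shape of an LDAP filter injection.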