hyc@OpenLDAP.org wrote:
Update of /repo/OpenLDAP/pkg/ldap/servers/slapd
Modified Files: sasl.c 1.245 -> 1.246 sl_malloc.c 1.40 -> 1.41 connection.c 1.393 -> 1.394 proto-slap.h 1.715 -> 1.716
Log Message: Added "slapd" rewrite map handler, connection_fake_init2 to use existing tmpmemctx without reinitializing
The documentation for this feature presents a bit of a problem, since most of the functionality of librewrite is documented in slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever --enable-rewrite is used) then all of librewrite's capabilities really should be in the main slapd documentation.
In the meantime, here's an example usage:
rwm-rewriteMap slapd cn2dn "ldap:///dc=example,dc=com?dn?sub?(&(objectclass=person)"
rwm-rewriteContext bindDN
rwm-rewriteRule "^(cn=[^,]+),.*" "${cn2dn(($1)))}" ":@I"
This (stupid) example allows a user with a long DN to bind using just their RDN plus any subset of the DB suffix. E.g., a user with DN cn=Joe Bob,ou=Team1,ou=Teams,ou=Divisions,dc=example,dc=com could bind with just cn=Joe Bob,dc=example,dc=com
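Worked example, added here and not part of Howard's message or of OpenLDAP's own code: a small Python model of what those two config lines do to an incoming bind DN. It assumes, as the config itself relies on, that the ldap-style map appends its argument to the filter in the map URI, which is why the URI filter is left unbalanced and the rule passes "($1))" to close it. The directory entries, the cn2dn/build_filter helper names and the escape function are all constructed for the illustration. The thread does not say whether librewrite escapes the captured RDN value before it lands in the search filter, so the model carries an escape switch: with it off, a bind DN such as cn=Jane*,dc=example,dc=com is resolved through a wildcard match, which is the behaviour to verify against a real server before deploying a rule like this on the bindDN context.

```python
import re

# Constructed to mirror the config in the message above (not OpenLDAP code):
# the map URI's filter is deliberately unbalanced and the rule's map argument
# "($1))" closes it once the captured RDN is substituted for $1.
MAP_URI_FILTER = "(&(objectclass=person)"        # from the rwm-rewriteMap line
RULE_PATTERN = re.compile(r"^(cn=[^,]+),.*")      # from the rwm-rewriteRule line
RULE_MAP_ARG = "($1))"                            # argument passed to ${cn2dn(...)}

# Constructed stand-in for the dc=example,dc=com subtree: DN -> cn value.
DIRECTORY = {
    "cn=Joe Bob,ou=Team1,ou=Teams,ou=Divisions,dc=example,dc=com": "Joe Bob",
    "cn=Jane Roe,ou=Team2,ou=Teams,ou=Divisions,dc=example,dc=com": "Jane Roe",
}


def escape_filter_value(value):
    """RFC 4515 escaping of the characters that carry meaning inside a filter."""
    return "".join("\\%02x" % ord(ch) if ch in "*()\\\x00" else ch for ch in value)


def build_filter(bind_dn, escape):
    """Apply the rule's regex to the bind DN and return the filter the cn2dn map
    would search with (URI filter + substituted argument), or None if the rule
    does not match. The ":@I" flags of the real rule are not modelled."""
    m = RULE_PATTERN.match(bind_dn)
    if not m:
        return None
    rdn = m.group(1)                      # e.g. "cn=Joe Bob"
    if escape:
        attr, _, val = rdn.partition("=")
        rdn = attr + "=" + escape_filter_value(val)
    return MAP_URI_FILTER + RULE_MAP_ARG.replace("$1", rdn)


def filter_matches(flt, cn):
    """Tiny evaluator for the single filter shape this config produces:
    (&(objectclass=person)(cn=<assertion>)). An unescaped '*' is a wildcard;
    '\\2a'-style escapes are decoded back to literal characters."""
    prefix = MAP_URI_FILTER + "(cn="
    if not (flt.startswith(prefix) and flt.endswith("))")):
        return False
    assertion = flt[len(prefix):-2]
    parts = [re.sub(r"\\([0-9a-fA-F]{2})", lambda h: chr(int(h.group(1), 16)), p)
             for p in assertion.split("*")]
    return re.match("^" + ".*".join(re.escape(p) for p in parts) + "$", cn) is not None


def cn2dn(bind_dn, escape=True):
    """Resolve the bind DN the way the cn2dn map would: run the (simulated)
    subtree search and return the entry DN when exactly one entry matches."""
    flt = build_filter(bind_dn, escape)
    if flt is None:
        return None
    matches = [dn for dn, cn in DIRECTORY.items() if filter_matches(flt, cn)]
    return matches[0] if len(matches) == 1 else None


if __name__ == "__main__":
    for dn in ("cn=Joe Bob,dc=example,dc=com",
               "cn=Jane*,dc=example,dc=com",
               "uid=joe,dc=example,dc=com"):
        for esc in (False, True):
            print("%-32s escape=%-5s filter=%-42s -> %s"
                  % (dn, esc, build_filter(dn, esc), cn2dn(dn, esc)))
```

Running it shows the short DN from Howard's example resolving to the full entry DN either way, a non-matching bind DN (no leading cn= RDN) passing through untouched, and the wildcard DN resolving to a different user only when the captured value is spliced into the filter unescaped.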
Howard Chu writes:
The documentation for this feature presents a bit of a problem, since most of the functionality of librewrite is documented in slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever --enable-rewrite is used) then all of librewrite's capabilities really should be in the main slapd documentation.
Possibly big enough to move to a slapd.rewrite(5) page.
Hallvard B Furuseth wrote:
Howard Chu writes:
The documentation for this feature presents a bit of a problem, since most of the functionality of librewrite is documented in slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever --enable-rewrite is used) then all of librewrite's capabilities really should be in the main slapd documentation.
Possibly big enough to move to a slapd.rewrite(5) page.
I don't want to add too much burden to this thread, but librewrite is showing the signs of age. It needs some reworking. I think Howard started working on (or at least thought about) adding some callback capabilities. Things like the LDAP map should definitely be reworked that way, so that slapd internals relying on that feature can use direct internal searches rather than resorting to a real LDAP operation. One thing that would improve and streamline much of the code is the use of bervals for the whole API. Unless that library got in use outside of OpenLDAP's suite (I personally used it in a couple of projects, but I can easily rework them), the current API could be preserved replacing char* with BerValue*; otherwise a rewrite_bv_*() API could be designed, and the current one could be wrapped around it.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.n.c. Via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it ------------------------------------------ Office: +39.02.23998309 Mobile: +39.333.4963172 Email: pierangelo.masarati@sys-net.it ------------------------------------------
Pierangelo Masarati wrote:
Hallvard B Furuseth wrote:
Howard Chu writes:
The documentation for this feature presents a bit of a problem, since most of the functionality of librewrite is documented in slapo-rwm(5). When SLAP_AUTH_REWRITE is defined (which it is, whenever --enable-rewrite is used) then all of librewrite's capabilities really should be in the main slapd documentation.
Possibly big enough to move to a slapd.rewrite(5) page.
I don't want to add too much burden to this thread, but librewrite is showing the signs of age. It needs some reworking. I think Howard started working on (or at least thought about) adding some callback capabilities.
Yes, the callback framework went into HEAD a couple weeks ago. This commit was the slapd side of the implementation.
Things like the LDAP map should definitely be reworked
that way, so that slapd internals relying on that feature can use direct internal searches rather than resorting to a real LDAP operation. One thing that would improve and streamline much of the code is the use of bervals for the whole API. Unless that library got in use outside of OpenLDAP's suite (I personally used it in a couple of projects, but I can easily rework them), the current API could be preserved replacing char* with BerValue*; otherwise a rewrite_bv_*() API could be designed, and the current one could be wrapped around it.