Then it seems that I've misinterpreted the way bindDN rewriting works.
I actually thought that it would be possible that an operation on an object within the rewritten subtree (ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de) which is started by a user (cn=smbldapadmin,dc=uni-bamberg,dc=de, who is not within the subtree which is rewritten) could be internally carried out with the privileges of a different user (cn=ldapadmin,dc=uni-bamberg,dc=de).
To make it a bit clearer, these are the users/objects involved:

UsrA: cn=smbldapadmin,dc=uni-bamberg,dc=de
Obj : cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
UsrB: cn=ldapadmin,dc=uni-bamberg,dc=de
Obj': cn=A,ou=students,dc=uni-bamberg,dc=de

...and this is what I want my LDAP server to do:

1. UsrA -> bind to LDAP service
2. Add Obj (as UsrA) --- internal rewriting ---> Add Obj' (as UsrB)
3. process "Add Obj'" internally
4. --> if successful, "Obj" should be visible to UsrA
Would it be possible to achieve this with the rwm/relay overlay or is there another overlay that could do that for me?
On Wednesday 14 April 2010 18:27:32 masarati@aero.polimi.it wrote:
Hi! I'm currently using the rwm overlay to filter the objects from my ou=students,dc=uni-bamberg,dc=de directory by their "o" attribute and project the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de. Therefore I use the following section within my slapd.conf (before the "database hdb..." section):

database relay
suffix "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
overlay rwm
#rwm-rewriteEngine on
rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" "ou=students,dc=uni-bamberg,dc=de"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"
searchFilter rewriting works perfectly, but I also need to rewrite the bindDN, as every operation within ou=students,dc=uni-bamberg,dc=de needs to be carried out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de). (The reason is that I don't want any user other than ldapadmin to be able to write ou=students,dc=uni-bamberg,dc=de, but they should be able to modify entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de.) According to the logs and the error reply messages there seems to be no bindDN rewriting done... It looks like the rule never matches. Is my rule not general enough to match each possible bindDN string? Is "cn=ldapadmin,dc=uni-bamberg,dc=de" (the replacement string for the bindDN) not well formatted (does it expect something else)? Does the overlay "relay" prevent the replacement of the bindDN?
The code is working as intended, and the rule is general enough; using verbatim the configuration you provided, if I run
ldapwhoami -x -H ldap://:9011 \
    -D 'cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' \
    -w password
I get
conn=1000 op=0 BIND dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
do_bind: version=3 dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
==> rewrite_context_apply [depth=1] string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de'
==> rewrite_rule_apply rule='.*' string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'cn=ldapadmin,dc=uni-bamberg,dc=de'}
[rw] bindDN: "cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" -> "cn=ldapadmin,dc=uni-bamberg,dc=de"
>>> dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>
=> ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de,0)
<= ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
<<< dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>, <cn=ldapadmin,dc=uni-bamberg,dc=de>
^^^ the mapping occurred as expected.
The bind fails because no database can handle that DN, which I suspect is also your case. What's problematic in your design is that although the DN is rewritten, the credentials remain those of the user that's actually binding, so the bind will always fail. Is this what you expect?
p.
Any help appreciated!
-- Lehrstuhl für Softwaretechnik und Programmiersprachen Fakultät WIAI, Universität Bamberg, 96045 Bamberg
Email: thomas.wunder@swt-bamberg.de Web: http://www.swt-bamberg.de/ Tel.: 0951 863-3852 / Fax: 0951 863-3855
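The point made in the reply above (the DN is rewritten but the client's password is not) can be seen in a small model of the quoted configuration. The following is an added example, not code from this thread and not OpenLDAP's rwm implementation; it mimics rwm-suffixmassage and the two rwm-rewriteRule lines just closely enough to show the outcome, and the DIRECTORY table with its passwords is a constructed stand-in for the real ou=students backend.

```python
import re

# Added, constructed model of the rwm configuration quoted in this thread.
# Not OpenLDAP code: it only mimics rwm-suffixmassage and the two
# rwm-rewriteRule lines closely enough to show why the rewritten bind fails.

VIRTUAL_SUFFIX = "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
REAL_SUFFIX = "ou=students,dc=uni-bamberg,dc=de"

# rwm-rewriteContext bindDN
# rwm-rewriteRule ".*" "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
BINDDN_RULES = [(r".*", "cn=ldapadmin,dc=uni-bamberg,dc=de")]

# rwm-rewriteContext searchFilter
# rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"
FILTER_RULES = [(r"(.*)", "(&(o=swt)$1)")]

# Constructed backing directory: DN -> password (hypothetical values).
DIRECTORY = {
    "cn=ldapadmin,dc=uni-bamberg,dc=de": "admin-secret",
    "cn=A,ou=students,dc=uni-bamberg,dc=de": "student-secret",
}


def suffix_massage(dn, virtual=VIRTUAL_SUFFIX, real=REAL_SUFFIX):
    """Map a DN under the virtual suffix onto the real suffix (rwm-suffixmassage)."""
    if dn.lower() == virtual.lower():
        return real
    if dn.lower().endswith("," + virtual.lower()):
        return dn[: len(dn) - len(virtual)] + real
    return dn


def apply_rules(rules, value):
    """Apply the first matching rule; '$1'.. stand for capture groups as in rwm.
    The ':@' flag (stop after this rule) is modelled by returning at first match."""
    for pattern, replacement in rules:
        m = re.search(pattern, value)
        if m is None:
            continue
        out = replacement
        for i, group in enumerate(m.groups(), start=1):
            out = out.replace("$%d" % i, group or "")
        return out
    return value


def rewrite_bind_dn(bind_dn):
    """bindDN context: suffix massage first, then the catch-all rule."""
    return apply_rules(BINDDN_RULES, suffix_massage(bind_dn))


def rewrite_filter(ldap_filter):
    """searchFilter context: wrap any filter in (&(o=swt)...)."""
    return apply_rules(FILTER_RULES, ldap_filter)


def simulate_bind(bind_dn, password):
    """The overlay rewrites only the DN; the password stays the client's.
    The backend therefore checks the client's password against the rewritten
    identity, so a bind can only succeed with ldapadmin's own password.
    Returns (rewritten_dn, success)."""
    rewritten = rewrite_bind_dn(bind_dn)
    return rewritten, DIRECTORY.get(rewritten) == password


if __name__ == "__main__":
    dn = "cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
    print(suffix_massage(dn))                    # Obj -> Obj'
    print(rewrite_filter("(cn=A)"))              # (&(o=swt)(cn=A))
    print(simulate_bind(dn, "student-secret"))   # rewritten to ldapadmin, bind fails
    print(simulate_bind(dn, "admin-secret"))     # only ldapadmin's password binds
```

Running it shows the two things the reply describes: the rule does match (every bind DN, including one outside the massaged subtree, becomes cn=ldapadmin), and the bind then fails for anyone who does not present ldapadmin's password, because rewriting an identity does not substitute its credentials.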