On Sat, 2007-04-28 at 10:44 +0200, Pierangelo Masarati wrote:
Jens Grigel wrote:
I'm still not sure if this is actually possible with overlay rwm or if I'm misunderstanding the manpage of slapo-rwm. Rewriting the cn's in searches, search results, bindDN and compareDN works, but the AVA from the compared attribute (here: cn) is not changed from rewriteContext compareAttrDN. "man slapo-rwm" says that the rewriteContext compareAttrDN rewrites compare AVA, but whatever I try it's not changing anything in the ldapcompare.
The compare AVA is rewritten if it is DN-valued. That's the reason for the context name: compareAttrDN. So slapo-rwm(5) does not rewrite an arbitrary AVA's value, only DN-valued ones.
Hi Pierangelo,
thank you for clarifying this, that was what I initially understood from the manpage, but I couldn't make rewriting succeed so I got unsure about the format.
But even if I call ldapcompare with a DN-valued AVA and build a regex for compareAttrDN which should match this DN-valued AVA, nothing is rewritten. Packet tracing still shows the unchanged AVA gets sent to the remote LDAP-Server.
I'm trying:
ldapcompare -x -D "" -H ldap://testproxy.intra.sskm.de cn=99854,o=sskm cn:cn=99854,o=sskm
and have the following slapd.conf:

...
# suffixmassage
overlay rwm
rwm-suffixmassage "o=sskm" "ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"

# ldap proxy
database ldap
suffix "ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
uri "ldap://5.1.35.254/"
network-timeout 3
chase-referrals no
idassert-bind bindmethod=simple binddn="cn=q001ldap,ou=dienstkonten,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" credentials="ldap.Lebt" mode=none
idassert-authzFrom "dn.regex:.*"

# rewriting for ldap proxy
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext compareDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2"
rwm-rewriteContext compareAttrDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2"
Then the packet trace shows the following sent to the remote LDAP-Server:

compareRequest
  entry: cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern
  ava
    attributeDesc: cn
    assertionValue: cn=99854,o=sskm
The CompareDN gets rewritten by suffixmassage and context compareDN as expected, but nothing happens with CompareAttrDN. Any hints what I'm still doing wrong?
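
The "DN-valued" condition quoted at the top of this message, as an added sketch that is not part of the original thread and is not slapo-rwm's code. It is a simplified model in which the compare assertion value is rewritten only when the attribute's schema syntax is distinguishedName. The attribute set, function names and the seeAlso test case are assumptions, and the suffixmassage step from the posted configuration is left out.

```python
import re

# Assumption: a few standard attributes whose schema syntax is distinguishedName.
# cn uses the Directory String syntax, so it is not in this set even when the
# value typed on the command line happens to look like a DN.
DN_SYNTAX_ATTRS = {"member", "seealso", "manager", "owner", "roleoccupant", "secretary"}

# The rwm-rewriteRule from the posted slapd.conf; $1/$2 become \1/\2 for Python's re.
PATTERN = re.compile(r"cn=99([0-9]{3}),(.+)")
SUBST = r"cn=s001x\1,\2"


def rewrite(dn):
    """Apply the posted rule to one DN string; return it unchanged if it does not match."""
    m = PATTERN.search(dn)
    return m.expand(SUBST) if m else dn


def model_compare(entry_dn, attr, value):
    """Model of a compare request passing through the two rewrite contexts.

    compareDN always applies to the entry DN. compareAttrDN applies to the
    assertion value only when the attribute is DN-valued by schema.
    """
    new_entry = rewrite(entry_dn)
    if attr.lower() in DN_SYNTAX_ATTRS:
        value = rewrite(value)
    return new_entry, attr, value


if __name__ == "__main__":
    # Constructed inputs: the first mirrors the ldapcompare call in the message,
    # the second swaps in a DN-syntax attribute for contrast.
    for attr in ("cn", "seeAlso"):
        print(model_compare("cn=99854,o=sskm", attr, "cn=99854,o=sskm"))
```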