Allen S. Rout wrote:
My apologies: I was trying not to include too much data. But that may be an aspect I just missed: I've been focusing on the rewrite mechanics. The examples in slapo-rwm don't seem to specify an enclosing database, including the example I'm trying to duplicate. I'm not sure how to work out what is required.
    # Then we need to detect DN made up of a single email,
    # e.g. `mail=someone@example.com'; note that the rule
    # in case of match stops rewriting; in case of error,
    # it is ignored.  In case we are mapping virtual
    # to real naming contexts, we also need to rewrite
    # regular DNs, because the definition of a bindDN
    # rewrite context overrides the default definition.
    rwm-rewriteContext bindDN
    rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
That seems to be talking about a DN without any suffix at all; i.e.
    ldapsearch -x -D "mail=someone@example.com" -W
bare.
Exactly.
I infer from your comment that I need to define a database with a blank suffix, and express this rewrite rule within that?
Either this, or place the rwm overlay __before__ any database, so that it intercepts bind requests __before__ ever getting to database selection. So both
<slapd.conf: database>
database bdb
suffix ""
# ...
overlay rwm
rwm-...
# ...
</slapd.conf: database>
and
<slapd.conf: global>
# before any database...
overlay rwm
rwm-...
# ...

database bdb
suffix "dc=example,dc=com"
# ...
</slapd.conf: global>
should give the expected behavior, with the noticeable difference that the former will only affect requests related to the "" database, while the latter would affect requests to any database configured within that instance of slapd.
I'll set about attempting this.
If there's some better FM which I should be R'ing, I'll be more than content with a pointer to it. I googled rather a lot before getting to this point, and the slapo-rwm man page appears to be the most detailed document available.
If I get it working, would the Lords of LDAP entertain a doc patch?
Well, IMHO the current documentation covers what's required to set up what you want to accomplish. However, if you feel it's not clear enough, please feel free to submit patches (to the man pages, to the Admin Guide or so) using the Issue Tracking System http://www.openldap.org/its/.
Perhaps, since the use you're trying to set up seems to be very specialistic, you may want to start with a FAQ entry. In this case, the FAQ is interactive, so you are welcome to add contributions.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
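An added example, not taken from this thread or from the OpenLDAP documentation, of the second layout described above (rwm declared globally, before any database) with the man-page rule filled in together with the rewriteMap it relies on. The schema paths, host, naming context, rootdn and directory are assumptions.

```conf
# Added example: slapd.conf with the rwm overlay in the global section, so bind
# requests are rewritten before slapd selects a database.  Paths, host, suffix
# and rootdn are assumed values, not anything stated in the thread.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema
# moduleload    rwm.la        # only if rwm was built as a dynamic module

# Global section: the overlay is declared here, ahead of every database, so it
# applies to requests against any suffix served by this slapd instance.
overlay         rwm

# attr2dn is not a built-in: it has to be declared as a rewriteMap.  The "ldap"
# map type runs a search (assumed URI below) using the rule's argument, i.e. the
# "mail=someone@example.com" RDN, as the filter and returns the matching DN.
rwm-rewriteMap  ldap attr2dn "ldap://localhost/dc=example,dc=com?dn?sub"

# Rewrite only bind DNs that are a single mail= RDN.  Flags: "@" stops rewriting
# once this rule matches; "I" ignores an error from the rule (for instance a
# lookup that finds no entry) instead of failing the bind with a rewrite error.
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

# A DN that does not match the pattern (uid=...,dc=example,dc=com) is passed
# through untouched, so ordinary binds are unaffected by the context.

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# rootpw        {SSHA}...   use a hash produced by slappasswd, never cleartext
directory       /var/lib/ldap

# The map search filters on mail, so index it; without the index every
# mail= bind costs a full scan of the database.
index           mail        eq
index           objectClass eq
```

The map search runs anonymously unless the map URI is given bind credentials, so the entries' mail attribute must be readable by anonymous clients under the access rules, or the lookup fails and, because of the "I" flag, the bind simply proceeds with the unrewritten DN and is rejected.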