I'm trying to select a backend (ldap proxy) according to the content of a search filter. I've configured something like this prior to any backend definitions:
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "${&&bindprefix("")}$0" ":"
rwm-rewriteRule "cn=([shaum])_(.+)" "${&&bindprefix($1)}cn=$2" ":"

rwm-rewriteContext searchFilter
rwm-rewriteRule ".*" "${&&filterprefix("")}$0" ":"
rwm-rewriteRule "(.*)cn=([shaum])_(.+)" "${&&filterprefix($2)}$1cn=$3" ":"

# Using the expression below breaks things. I'm guessing the searchDN
# context gets processed before searchFilter, so ${**filterprefix} is
# undefined.
# "${**bindprefix}${**filterprefix}<>${&prefix($1)}"

rwm-rewriteContext searchDN
# <=== replace the substitution on the next line with the expression above
rwm-rewriteRule "(.*)o=fc" "${**bindprefix}<>${&prefix($1)}" ":I"
rwm-rewriteRule "s{1,2}<>$" "${*prefix}o=backa" ":@I"
rwm-rewriteRule "h{1,2}<>$" "${*prefix}o=backb" ":@I"
# etc...
Does searchDN get processed before searchFilter? Is there a way around that? Is there a better way to do this? The basic concept seems to work fine w/ bindDN, but not searchFilter.
I'm using OpenLDAP 2.4.8
TIA.
2008-03-17_16:40:26-0400 Ron Peterson rpeterso@MtHolyoke.edu:
I'm trying to select a backend (ldap proxy) according to the content of a search filter. I've configured something like this prior to any backend definitions: ...
If I use the 'default' context, this seems to work the way I want. I'd prefer being able to be more specific about exactly what I want in each context, but I think this will do.
########################################################################
rwm-rewriteContext default
# set default 'locationprefix' to empty string
rwm-rewriteRule ".*" "${&&locationprefix("")}$0" ":"

# set 'locationprefix' to letter code used to indicate
# ldap server location ($1 is the letter code, $2 the rest of the value)
rwm-rewriteRule ".*cn=([abcde])_(.+)" "${&&locationprefix($1)}$0" ":"

########################################################################
rwm-rewriteContext searchDN
# replace anything ending with suffix o=pseudobase with ${**locationprefix}<>
# set 'prefix' to string preceding o=pseudobase
rwm-rewriteRule "(.*)o=pseudobase" "${**locationprefix}<>${&prefix($1)}" ":I"

# if locationprefix was 'a', rewrite searchDN to use o=backa suffix
rwm-rewriteRule "a{1,2}<>$" "${*prefix}o=backa" ":@I"

# if locationprefix was 'b', rewrite searchDN to use o=backb suffix
rwm-rewriteRule "b{1,2}<>$" "${*prefix}o=backb" ":@I"
# ...etc...

# default searchDN to use the o=backdefault suffix
rwm-rewriteRule ".*<>$" "${*prefix}o=backdefault" ":"
This seems to capture any bindDN or searchFilter that contains 'cn=[abcde]_', which lets me use a letter code to indicate what ldap server I want to query. I can do any further rewriting I need to do in the specific backend.
If anyone has any other examples of how to do something like this, or suggestions for improvements, I'd love to see them. Of course if I could specify the proper suffix in the first place, that would make this really easy. But I'm trying to handle the case where someone types just their username into a form, and I need to figure out where to look it up, bind, etc. So:
a_username goes to ldaps://backa.domaina/...
and
b_username goes to ldaps://backb.domainb/...
etc.
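As an added illustration, not code from the original posts or from slapo-rwm, here is the routing the posts describe, written out in Python in one place: find the letter code in a `cn=<code>_<user>` value in either the bind DN or the search filter, swap a trailing `o=pseudobase` on the search base for the matching backend suffix, and drop the code from the value so the backend sees a plain `cn=<user>`. The rwm rules try to spread this across the bindDN, searchFilter and searchDN contexts; seeing all three values together is what makes it straightforward here. The `o=backa`/`o=backb` mapping, the `o=backdefault` fallback and the `[abcde]` code set are taken from the posts; the regular expression, the bind-DN-before-filter precedence and the sample requests are assumptions made for this example.

```python
import re

# Constructed mapping of letter code -> backend suffix. Only o=backa and
# o=backb are named in the thread; anything else falls to o=backdefault.
BACKENDS = {
    "a": "o=backa",
    "b": "o=backb",
}
DEFAULT_SUFFIX = "o=backdefault"
PSEUDOBASE = "o=pseudobase"

# Assumed pattern: cn=<code>_<user> inside a DN ("cn=a_jdoe,o=...") or a
# filter ("(cn=a_jdoe)"); the value ends at the next "," or ")".
# Case-insensitive, like the ":I" flag on the posted rules.
CODE_RE = re.compile(r"cn=([abcde])_([^,)]+)", re.IGNORECASE)


def location_code(value):
    """Return the lower-cased letter code found in a DN or filter, or None."""
    m = CODE_RE.search(value)
    return m.group(1).lower() if m else None


def strip_code(value):
    """Drop the letter code from every cn=<code>_<user> (cn=a_jdoe -> cn=jdoe)."""
    return CODE_RE.sub(lambda m: "cn=" + m.group(2), value)


def rewrite_search_dn(base_dn, code):
    """Replace a trailing o=pseudobase with the backend suffix chosen by code.

    A base that does not end in o=pseudobase is passed through untouched,
    which is what happens when the "(.*)o=pseudobase" rule simply does not match.
    """
    if not base_dn.lower().endswith(PSEUDOBASE):
        return base_dn
    prefix = base_dn[: -len(PSEUDOBASE)]
    return prefix + BACKENDS.get(code, DEFAULT_SUFFIX)


def route(bind_dn, base_dn, search_filter):
    """Pick the backend from the bind DN first, then the filter; rewrite all three values."""
    code = location_code(bind_dn) or location_code(search_filter)
    return {
        "code": code,
        "bindDN": strip_code(bind_dn),
        "searchDN": rewrite_search_dn(base_dn, code),
        "searchFilter": strip_code(search_filter),
    }


if __name__ == "__main__":
    # Constructed requests: code in the bind DN, code only in the filter,
    # and no code at all (falls through to the default backend).
    for req in (
        ("cn=a_jdoe,o=pseudobase", "o=pseudobase", "(cn=a_jdoe)"),
        ("", "ou=people,o=pseudobase", "(&(objectClass=person)(cn=b_jdoe))"),
        ("", "o=pseudobase", "(cn=jdoe)"),
    ):
        print(route(*req))
```

The second sample request is the case the thread is stuck on: an anonymous search whose only routing information is in the filter. Here it still lands on `o=backb` because the filter is inspected before the search base is rewritten.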
2008-03-18_09:18:21-0400 Ron Peterson rpeterso@MtHolyoke.edu:
2008-03-17_16:40:26-0400 Ron Peterson rpeterso@MtHolyoke.edu:
I'm trying to select a backend (ldap proxy) according to the content of a search filter. I've configured something like this prior to any backend definitions: ...
If I use the 'default' context, this seems to work the way I want. I'd prefer being able to be more specific about exactly what I want in each context, but I think this will do.
No, I was mistaken; this still doesn't work. My tests were falling through to my default dn, which made them appear to work.
So my question remains: is there a way to process global rewrite rules for the searchFilter context prior to evaluating the searchDN context?
TIA.
2008-03-18_15:36:23-0400 Ron Peterson rpeterso@MtHolyoke.edu:
2008-03-18_09:18:21-0400 Ron Peterson rpeterso@MtHolyoke.edu:
2008-03-17_16:40:26-0400 Ron Peterson rpeterso@MtHolyoke.edu:
I'm trying to select a backend (ldap proxy) according to the content of a search filter. I've configured something like this prior to any backend definitions: ...
If I use the 'default' context, this seems to work the way I want. I'd prefer being able to be more specific about exactly what I want in each context, but I think this will do.
No, I was mistaken; this still doesn't work. My tests were falling through to my default dn, which made them appear to work.
So my question remains: is there a way to process global rewrite rules for the searchFilter context prior to evaluating the searchDN context?
I just had an 'aha' moment and realized I've been misunderstanding how the global -> specific backend rewrite rules are processed. I think I'll have this pinned down shortly. I'll post back when I've got a good handle on it.
2008-03-17_16:40:26-0400 Ron Peterson rpeterso@MtHolyoke.edu:
Does searchDN get processed before searchFilter? Is there a way around that? Is there a better way to do this? The basic concept seems to work fine w/ bindDN, but not searchFilter.
I guess I'm back to my original question. Below, I'm simply hardcoding the value of ${**case}, and otherwise leaving the searchFilter or bindDN string alone. If I uncomment my searchFilter rule as below, I get a 'searchDN massage error'. I don't have any searchDN rules anywhere else. If I comment my searchFilter rule, and uncomment my bindDN rule, it works fine. OpenLDAP 2.4.8.
________________________________________________________________________
# Global rewrite rules, before any backend definitions
overlay rwm
rwm-rewriteEngine on

# This does not work
rwm-rewriteContext searchFilter
rwm-rewriteRule ".*" "${&&case(m)}$0" ":"

# This works
# rwm-rewriteContext bindDN
# rwm-rewriteRule ".*" "${&&case(m)}$0" ":"

rwm-rewriteContext searchDN
rwm-rewriteRule "(.*)o=fc" "${**case}<>${&prefix($1)}" ":"
rwm-rewriteRule "m{1,2}<>$" "${*prefix}o=m" ":@"
rwm-rewriteRule ".*<>$" "${*prefix}o=default" ":"
________________________________________________________________________
1304# ldapsearch -x -W -D "cn=username,o=m" -b "o=fc" '(cn=somebody)'
Enter LDAP Password: xxxxx
# extended LDIF
#
# LDAPv3
# base <o=fc> with scope subtree
# filter: (cn=somebody)
# requesting: ALL
#

# search result
search: 2
result: 80 Other (e.g., implementation specific) error
text: searchDN massage error
Ron Peterson wrote:
I'm trying to select a backend (ldap proxy) according to the content of a search filter. I've configured something like this prior to any backend definitions:
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "${&&bindprefix("")}$0" ":"
rwm-rewriteRule "cn=([shaum])_(.+)" "${&&bindprefix($1)}cn=$2" ":"

rwm-rewriteContext searchFilter
rwm-rewriteRule ".*" "${&&filterprefix("")}$0" ":"
rwm-rewriteRule "(.*)cn=([shaum])_(.+)" "${&&filterprefix($2)}$1cn=$3" ":"

# Using the expression below breaks things. I'm guessing the searchDN
# context gets processed before searchFilter, so ${**filterprefix} is
# undefined.
# "${**bindprefix}${**filterprefix}<>${&prefix($1)}"

rwm-rewriteContext searchDN
# <=== replace the substitution on the next line with the expression above
rwm-rewriteRule "(.*)o=fc" "${**bindprefix}<>${&prefix($1)}" ":I"
rwm-rewriteRule "s{1,2}<>$" "${*prefix}o=backa" ":@I"
rwm-rewriteRule "h{1,2}<>$" "${*prefix}o=backb" ":@I"
# etc...
Does searchDN get processed before searchFilter? Is there a way around that? Is there a better way to do this? The basic concept seems to work fine w/ bindDN, but not searchFilter.
I'm using OpenLDAP 2.4.8
See http://www.openldap.org/lists/openldap-software/200712/msg00127.html. The only way around I see right now is either hack the code.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: pierangelo.masarati@sys-net.it ---------------------------------------
Pierangelo Masarati wrote:
See http://www.openldap.org/lists/openldap-software/200712/msg00127.html. The only way around I see right now is either hack the code.
please forget the "either" above. I realized the "or" is too complicated to be explained in one mail, and would be too cumbersome to be of any use.
p.
openldap-software@openldap.org