[apologies if this gets duped: I appear to be having GMANE problems]
Greetings. I'm trying to duplicate the docs on rewriting BindDN before twiddling them to my actual goals. I'm using 2.3.35 on linux (gentoo).
I've tried to strip the twiddling I'm doing down as far as I can:
moduleload rwm
overlay rwm

rwm-rewriteEngine on

rwm-rewriteMap LDAP attr2dn "ldap://localhost/ou=People,dc=ufl,dc=edu?dn?sub"

rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
which is, I think, straight out of the docs.
Jul 19 10:44:12 misc01 slapd[15708]: line 2 (moduleload rwm)
Jul 19 10:44:12 misc01 slapd[15708]: loaded module rwm
Jul 19 10:44:12 misc01 slapd[15708]: module rwm: null module registered
Jul 19 10:44:12 misc01 slapd[15708]: line 3 (overlay rwm)
Jul 19 10:44:12 misc01 slapd[15708]: line 5 (rwm-rewriteEngine on)
Jul 19 10:44:12 misc01 slapd[15708]: line 7 (rwm-rewriteMap LDAP attr2dn "ldap://localhost/ou=People,dc=ufl,dc=edu?dn?sub")
Jul 19 10:44:12 misc01 slapd[15708]: line 9 (rwm-rewriteContext bindDN)
Jul 19 10:44:12 misc01 slapd[15708]: line 10 (rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I")
I think that the module is getting loaded. The 'null module' confuses me. But if I take out the moduleload, the overlay declaration fails, so -something- is getting loaded, and if I take out the overlay statement then the directives are undefined. I can't come up with a scenario where the module would be loaded and define all the entry points, but not actually do anything. :)
But when I connect, I get invalid credentials, and:
Jul 19 10:44:33 misc01 slapd[15721]: connection_read(12): checking for input on id=0
Jul 19 10:44:33 misc01 slapd[15721]: daemon: epoll: listen=7 active_threads=1 tvp=zero
Jul 19 10:44:33 misc01 slapd[15721]: daemon: epoll: listen=8 active_threads=1 tvp=zero
Jul 19 10:44:33 misc01 slapd[15721]: do_bind
Jul 19 10:44:33 misc01 slapd[15721]: >>> dnPrettyNormal: mail=asr@ufl.edu
Jul 19 10:44:33 misc01 slapd[15721]: <<< dnPrettyNormal: mail=asr@ufl.edu, mail=asr@ufl.edu
Jul 19 10:44:33 misc01 slapd[15721]: do_bind: version=3 dn="mail=asr@ufl.edu" method=128
Jul 19 10:44:33 misc01 slapd[15721]: conn=0 op=0 BIND dn="mail=asr@ufl.edu" method=128
Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_result: conn=0 op=0 p=3
Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_result: err=49 matched="" text=""
Jul 19 10:44:33 misc01 slapd[15721]: send_ldap_response: msgid=1 tag=97 err=49
Jul 19 10:44:33 misc01 slapd[15721]: conn=0 op=0 RESULT tag=97 err=49 text=
Jul 19 10:44:33 misc01 slapd[15721]: daemon: activity on 1 descriptor
what I find frustrating about this is that I don't even see an attempt to (say) apply the bindDN rewrite rule. Should I be expecting to see that? What config entries do I need to get some visibility into this process? I'm already doing loglevel -1: is there more? :)
- Allen S. Rout
Allen S. Rout wrote:
> [...]
> what I find frustrating about this is that I don't even see an attempt to (say) apply the bindDN rewrite rule. Should I be expecting to see that? What config entries do I need to get some visibility into this process? I'm already doing loglevel -1: is there more? :)
You don't provide enough information (e.g. the rest of your slapd.conf). Apparently, no attempt to rewrite the bind DN ever takes place. I guess there's no database that can handle that request and pass it to the rwm overlay.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:   +39 02 23998309
Mobile:   +39 333 4963172
Email:    pierangelo.masarati@sys-net.it
---------------------------------------
On Fri, 27 Jul 2007 09:16:01 +0200, Pierangelo Masarati ando@sys-net.it said:
> You don't provide enough information (e.g. the rest of your slapd.conf). Apparently, no attempt to rewrite the bind DN ever takes place. I guess there's no database that can handle that request and pass it to the rwm overlay.
My apologies: I was trying not to include too much data. But that may be an aspect I just missed: I've been focusing on the rewrite mechanics. The examples in slapo-rwm don't seem to specify an enclosing database, including the example I'm trying to duplicate. I'm not sure how to work out what is required.
  # Then we need to detect DN made up of a single email,
  # e.g. `mail=someone@example.com'; note that the rule
  # in case of match stops rewriting; in case of error,
  # it is ignored. In case we are mapping virtual
  # to real naming contexts, we also need to rewrite
  # regular DNs, because the definition of a bindDN
  # rewrite context overrides the default definition.
  rwm-rewriteContext bindDN
  rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
That seems to be talking about a DN without any suffix at all; i.e.
  ldapsearch -x -D "mail=someone@example.com" -W
bare. I infer from your comment that I need to define a database with a blank suffix, and express this rewrite rule within that? I'll set about attempting this.
If there's some better FM which I should be Ring, I'll be more than content with a pointer to it. I googled rather a lot before getting to this point, and the slapo-rwm man page appears to be the most detailed document available.
If I get it working, would the Lords of LDAP entertain a doc patch?
- Allen S. Rout
Allen S. Rout wrote:
> My apologies: I was trying not to include too much data. But that may be an aspect I just missed: I've been focusing on the rewrite mechanics. The examples in slapo-rwm don't seem to specify an enclosing database, including the example I'm trying to duplicate. I'm not sure how to work out what is required.
>
>   # Then we need to detect DN made up of a single email,
>   # e.g. `mail=someone@example.com'; note that the rule
>   # in case of match stops rewriting; in case of error,
>   # it is ignored. In case we are mapping virtual
>   # to real naming contexts, we also need to rewrite
>   # regular DNs, because the definition of a bindDN
>   # rewrite context overrides the default definition.
>   rwm-rewriteContext bindDN
>   rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
>
> That seems to be talking about a DN without any suffix at all; i.e.
>
>   ldapsearch -x -D "mail=someone@example.com" -W
>
> bare.
Exactly.
> I infer from your comment that I need to define a database with a blank suffix, and express this rewrite rule within that?
Either this, or place the rwm overlay __before__ any database, so that it intercepts bind requests __before__ ever getting to database selection. So both
<slapd.conf: database>
database bdb
suffix ""
# ...
overlay rwm
rwm-...
# ...
</slapd.conf: database>
and
<slapd.conf: global>
# before any database...
overlay rwm
rwm-...
# ...

database bdb
suffix "dc=example,dc=com"
# ...
</slapd.conf: global>
should give the expected behavior, with the noticeable difference that the former will only affect requests related to the "" database, while the latter would affect requests to any database configured within that instance of slapd.
> I'll set about attempting this.
>
> If there's some better FM which I should be Ring, I'll be more than content with a pointer to it. I googled rather a lot before getting to this point, and the slapo-rwm man page appears to be the most detailed document available.
>
> If I get it working, would the Lords of LDAP entertain a doc patch?
Well, IMHO the current documentation covers what's required to set up what you want to accomplish. However, if you feel it's not clear enough, please feel free to submit patches (to the man pages, to the Admin Guide or so) using the Issue Tracking System http://www.openldap.org/its/.
Perhaps, since the use you're trying to set up seems to be very specialistic, you may want to start with a FAQ entry. In this case, the FAQ is interactive, so you are welcome to add contributions.
p.
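A complete slapd.conf for the second layout Pierangelo describes (rwm declared as a global overlay, before any database), as an added example that is not part of this thread or of the OpenLDAP documentation. The rwm directives are the ones from the thread with the suffix changed to dc=example,dc=com; the schema paths, pidfile, directory, suffix, rootdn, ACLs and indexes are assumptions for illustration.

```conf
# Added example (not from the thread): slapd.conf with slapo-rwm as a global
# overlay, so that a bind with the suffix-less DN "mail=someone@example.com"
# is rewritten to the entry's real DN before database selection takes place.
# Paths, suffix, ACLs and indexes below are assumptions for illustration.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/openldap/slapd.pid
argsfile        /var/run/openldap/slapd.args

moduleload      rwm

# The attr2dn map opens its own connection to localhost (anonymous, since the
# map URI carries no bind DN/credentials) and uses the string being rewritten
# as the search filter. Anonymous clients therefore need to be able to search
# ou=People on "mail" and to see the entries that match.
access to dn.subtree="ou=People,dc=example,dc=com" attrs=entry,mail
        by * read
access to *
        by self write
        by * read

# Global overlay: it appears before any "database" line, so it intercepts
# every bind in this slapd instance, whichever database the DN would select.
overlay         rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap attr2dn "ldap://localhost/ou=People,dc=example,dc=com?dn?sub"
rwm-rewriteContext bindDN
# Only a DN made of a single "mail=" RDN matches ([^,] rules out any further
# RDN, so "mail=x@example.com,dc=example,dc=com" is left alone). On a match
# the rewritten value replaces the bind DN and processing stops ("@"); if the
# lookup fails the error is ignored ("I"), the DN stays as typed and the bind
# then fails with err=49, which is what the log excerpt above shows.
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/openldap-data
index           objectClass eq
index           mail        eq
```

Check the file with `slaptest -f /etc/openldap/slapd.conf` before starting slapd, then bind with the bare DN, e.g. `ldapsearch -x -H ldap://localhost -D "mail=someone@example.com" -W -b "dc=example,dc=com" "(mail=someone@example.com)"`. Two caveats worth stating because the rewrite happens before the password is checked: the entry that gets authenticated is whichever one the attr2dn search returns, so `mail` must be unique under ou=People (slapo-unique or an import-time check) and must not be writable by ordinary users, otherwise a user can claim another address and make binds for that address ambiguous; and the map's search is a separate anonymous connection, so the ACL must grant exactly the read access it needs and no more.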
openldap-software@openldap.org