Can I use OpenLDAP as a translation layer for queries with an LDAP client with minimal configuration potential?
Right now the client (which cannot be trivially modified) can use LDAP authentication, sort of. What it does is take your user name, assign it to the 'uid' attribute, and then tack on whatever string is in the config to form a distinguished name. For example, if I used 'stapleton' as my username and the config had 'ou=People,dc=domain,dc=tld', it would query for 'uid=stapleton,ou=People,dc=domain,dc=tld'. Unfortunately, people's usernames are everything before the '@' sign in their email, and this is not their uid. The uid is a number that is used nowhere else. The standard process that we use is to take their user name and perform an LDAP query to get the uid from the email, and then use the uid to verify if the user is correct.
Example: ldap://server:389/uid=441068,ou=People,dc=mydomain,dc=tld pulls up my information
Now, if I want to get my uid, I'd do this: ldap://server:389/ou=People,dc=mydomain,dc=tld?uid?sub?(mail=stapleton@mydomain.tld)
The client, as described, cannot do that; if a user attempts to use what they expect their user name to be, it will send: uid=stapleton,ou=People,dc=mydomain,dc=tld or uid=stapleton@mydomain.tld,ou=People,dc=mydomain,dc=tld
Neither of which will authenticate. Is there a way to make OpenLDAP provide a middle layer to handle this?
Thank you, -Jim Stapleton
Jim,
No answers here yet, just a vote for what you want. I am working hard on exactly the same type of problems - trying to get OpenLDAP to handle these types of middle-man translations/prep-work.
Joe
In RFC2307, an example of 'uid' would be
uid: richton
and there's a separate uidNumber attribute such as
uidNumber: 34764
It looks like your client that expects
uid=stapleton,ou=People,dc=mydomain,dc=tld
is expecting entries in the form of RFC2307. Is there something stopping you from having such entries?
Failing that, I'm sure you can come up with a few regexp's to mangle into the expected form. But there's plenty of software out there that expects standard schema used in standard ways. I'd submit that using an unpublished integer as a naming attribute isn't a "standard way." Not wrong by any means, but not likely to gain widespread support with your vendors nor your users (as you're seeing).
S James S Stapleton wrote:
Neither of which will authenticate. Is there a way to make OpenLDAP provide a middle layer to handle this?
Yes. I did not clearly get if OpenLDAP is the database that contains the information, or if you plan to stack an instance of OpenLDAP in between your current directory server and the (braindead?) client.
In the first case, I assume you have something like

database bdb
suffix "dc=mydomain,dc=tld"
#...

while in the second case you would create an instance of slapd containing

database ldap
suffix "dc=mydomain,dc=tld"
uri "ldap://the.real.server/"

In either case, after all database specific directives you need to add

overlay rwm
# turn on rewriting (set to "off" to temporarily disable)
rwm-rewriteEngine on
# LDAP map that looks up the real DN for binds; add options as needed
# (see slapo-rwm(5) for details)
rwm-rewriteMap ldap "realBindDNLookup" "ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub"
# The actual bind DN rewrite rules
rwm-rewriteContext bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
rwm-rewriteRule "^uid=([^,]+),ou=People,dc=mydomain,dc=tld$" "${realBindDNLookup(mail=$1@mydomain.tld)}" ":@I"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
Mine would definitely be the second method you described (I don't know what the main LDAP server is running, and I can't touch its settings even if I knew)
These given instructions (copied below) go in the slapd.config, and everything else therein is removed?
Thanks, -Jim Stapleton
database ldap
suffix "dc=mydomain,dc=tld"
uri "ldap://the.real.server/"

In either case, after all database specific directives you need to add

overlay rwm
# turn on rewriting (set to "off" to temporarily disable)
rwm-rewriteEngine on
# LDAP map that looks up the real DN for binds; add options as needed
# (see slapo-rwm(5) for details)
rwm-rewriteMap ldap "realBindDNLookup" "ldap://server/ou=People,dc=mydomain,dc=tld?entryDN?sub"
# The actual bind DN rewrite rules
rwm-rewriteContext bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
rwm-rewriteRule "^uid=([^,]+),ou=People,dc=mydomain,dc=tld$" "${realBindDNLookup(mail=$1@mydomain.tld)}" ":@I"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.
S James S Stapleton wrote:
Mine would definitely be the second method you described (I don't know what the main LDAP server is running, and I can't touch its settings even if I knew)
OK.
These given instructions (copied below) go in the slapd.config, and everything else therein is removed?
Not everything. Let's say what's below is the minimal database setup to have a working proxy, but you'll need to load the schema at least, and add a little more configuration before getting to the database section.
If you start from the example slapd.conf provided with OpenLDAP, you'd have to replace everything from "database bdb" on with the suggested directives. Then, you'll probably have to deal with security, e.g. using TLS to protect simple bind and so on. Make sure you read the Admin Guide and the related man pages for those rather generic tasks.
p.
ok, a couple more quick questions, as I'm reading further through the man pages...
(1) do I need to set up a root dn for the server since it's only a passthrough anyway?
(2) I suspect I'm missing something, but I'd like to block any incoming ldap connections not from a specific host (most likely localhost). I couldn't really tell how to do this from the ldap.access page.
(3) I haven't gotten far enough to know for sure, since ldap requires that the scheme be published (at least, according to LDAP Directories Explained, by T Howes), can I have OpenLDAP use the published scheme from the server it's connecting to, and not worry about setting up a local scheme?
Thank you, -Jim Stapleton
S James S Stapleton wrote:
ok, a couple more quick questions, as I'm reading further through the man pages...
(1) do I need to set up a root dn for the server since it's only a passthrough anyway?
No, you don't
(2) I suspect I'm missing something, but I'd like to block any incoming ldap connections not from a specific host (most likely localhost). I couldn't really tell how to do this from the ldap.access page.
start the server so that it only listens on the loopback interface? e.g.
$ slapd -h ldap://localhost
(3) I haven't gotten far enough to know for sure, since ldap requires that the scheme be published (at least, according to LDAP Directories Explained, by T Howes), can I have OpenLDAP use the published scheme from the server it's connecting to, and not worry about setting up a local scheme?
With OpenLDAP code you can't. Sysnet developed a module that allows querying a remote server at startup, and optionally refreshing the query periodically, so that the local schema is sync'ed. This module has never been released as it is experimental; you may write something similar (and simpler) yourself. Something similar was also posted some time ago in the contrib ITS, but I couldn't locate it right now.
p.
OK, I got permission to go ahead with this one (finally), and I'm stuck on configuration.
These lines:
========================================
database bdb

access to * by * read
readonly on
uri ldap://123.45.67.89:389/

overlay rwm
========================================

error:
========================================
line 38 (database bdb)
bdb_db_init: Initializing BDB database
line 42 (access to * by * read)
Backend ACL: access to * by * read(=rscx)
line 43 (readonly on)
line 44 (uri ldap://123.45.67.89:389/)
.\slapd.conf: line 44: unknown directive "uri" inside backend database definition (ignored)
line 49 (overlay rwm)
overlay rwm not found
slapd shutdown: freeing system resources.
slapd stopped.
connections_destroy: nothing to destroy.
========================================
I tried looking for more info on the database directives in the docs, but all I could find was stuff on olcdatabase. Changing database type to ldap (since I want to use that as a backend, and that was originally what was suggested) also failed, giving me an 'unrecognized database type' error.
Any suggestions?
Thanks, -Jim Stapleton
It seems that your build enabled neither the ldap backend nor the rwm overlay. None of them is built by default. See configure --help for options.
p.
Are there any prebuilts with this enabled? I didn't actually build it myself (compiling OpenSSL provided more headache than it's worth in Windows)
Thanks, -Jim Stapleton
Disregard my last message, I must have downloaded the BDB only link by pure-and-utter-blondness last time.
However, I am still getting the "overlay rwm not found" error. Google readings suggest I need to find a module for this. I'll look for a download for that soon (unless anyone knows of a good one off hand).
Thanks, -Jim Stapleton
"S James S Stapleton" stapleton.41@osu.edu writes:
However, I am still getting the "overlay rwm not found" error. Google readings suggests I need to find a module for this. I'll look for a download for that soon (unless anyone knows of a good one off hand).
$ ./configure --help | less
SLAPD Overlay Options:
[...]
  --enable-rwm          Rewrite/Remap overlay no|yes|mod [no]
[...]
-Dieter
System Setup:
Windows XP
OpenLDAP 2.3.32 source
MinGW from the 5.1.3 installer (most recent as of 2 hours ago from the MinGW download section of Source Forge)
Msys from the 1.0.1 installer (most recent as of 2 hours ago from the MinGW download section of Source Forge)
Win32 api headers/runtime extracted to /include and /lib (most recent as of 2 hours ago from the MinGW download section of Source Forge)
OpenSSL headers in /include/openssl from 0.9.8e. 0.9.8e binary distribution installed.
I am getting this error with configuring openldap:
checking for ltdl.h... no
configure: error: could not locate libtool ltdl.h
When I try to compile OpenLDAP (I gave up and just installed a version of OpenSSL compiled for windows, and grabbed the same source version, hoping that ends up working).
I am running config with:
./configure --bindir=/build/bin --sbindir=/build/bin \
 --libexecdir=/build/lib --libdir=/build/lib \
 --datadir=/build/data \
 --sysconfdir=/build/conf --sharedstatedir=/build/conf --localstatedir=/build/conf \
 --includedir=/include --oldincludedir=/include \
 --infodir=/build/doc --mandir=/build/doc \
 --disable-debug --disable-slurpd \
 --enable-dynamic --enable-modules --enable-rewrite --enable-ldap --enable-rwm \
 --with-tls --with-threads
(if anyone has suggestions of other things I can turn off, as this is pretty much going to be a passthrough ldap, please tell me - BDB? I tried --without-odbc, but it gave me a 'bad value no for --with-odbc')
Where/how can I get that source file? I'm assuming it's distributed with some package I don't have installed, but should.
Thank you, -Jim Stapleton
entire ./configure output for the morbidly curious:
OK, I got it working now (rwm/ldap anyway; using cygwin instead of mingw, the process worked).
However, I'm not getting any results yet.
If I see these two lines in the output (-g -1):
==> rewrite_context_apply [depth=1] string='(&(objectClass=person)(uid=stapleton.41))'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
The second line means the regex did not match, correct? I tried this with the original regex that was suggested to me, and the following match attempts, with the same {0,'NULL'} results:
"(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
"(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
"uid=([a-zA-Z]+.[0-9]+)"
Any suggestions on what I am doing wrong? (I figure I am either reading the output wrong, or have botched the regex, possibly both)
Thanks, -Jim Stapleton
S James S Stapleton wrote:
If I see these two lines in the output (-g -1):
==> rewrite_context_apply [depth=1] string='(&(objectClass=person)(uid=stapleton.41))'
==> rewrite_context_apply [depth=1] res={0,'NULL'}
The second line means the regex did not match, correct?
sort of
I tried this with the original regex that was suggested to me, and the following match attempts, with the same {0,'NULL'} results:
"(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
"(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
"uid=([a-zA-Z]+.[0-9]+)"
Any suggestions on what I am doing wrong? (I figure I am either reading the output wrong, or have botched the regex, possibly both)
The above regex'es make little sense to me. It doesn't even look like a rewrite statement, but just rather a bunch of regex'ish lines. What is the rewrite configuration you're actually using? What's your intention? (please excuse my laziness, but the original thread is too long to figure out myself).
p.
I understand the "laziness" completely, because I've only been able to work on this intermittently; it is a long (chronologically especially) thread.
My configuration is:
============================================================
database ldap
suffix "dc=mywork,dc=com"
access to * by * read
readonly on
uri ldap://the-server:389/

overlay rwm
rwm-rewriteEngine on

#left here because it might be useful, to simplify things later, but not currently used
rwm-rewriteMap ldap "realBindDNLookup" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"

# bind DN rewrite rules
rwm-rewriteContext bindDN

# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
#original
# "^uid=([^,]+)?,ou=People,dc=mywork,dc=com$"
#alt #1
# "uid=([a-zA-Z-]+.[\d]+)"
#alt #2
# "(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
rwm-rewriteRule "(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub(mail=$1@osu.edu)" "@"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.
============================================================
what I listed previously wasn't a rule, but 3 regexes I tried for the match parameter of the rule.
Thanks, -Jim Stapleton
S James S Stapleton wrote:
overlay rwm
rwm-rewriteEngine on
#left here because it might be useful, to simplify things later, but not currently used
rwm-rewriteMap ldap "realBindDNLookup" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"
I got all of the above lined up in column 1. I hope it's the mailer, otherwise please read slapd.conf(5) about the syntax, and specifically about continuation lines.
# bind DN rewrite rules
rwm-rewriteContext bindDN
# extract the username from the incorrect DN, and try to use it
# as mailbox in a lookup filter "(mail=<mailbox>@domain)" to
# fetch the corresponding DN
#original
# "^uid=([^,]+)?,ou=People,dc=mywork,dc=com$"
#alt #1
# "uid=([a-zA-Z-]+.[\d]+)"
#alt #2
# "(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))"
rwm-rewriteRule "(&(objectClass=person)(uid=([a-zA-Z]+.[0-9]+)))" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub(mail=$1@osu.edu)"
I see (at least) four errors here:
1) the URI doesn't have to be here; it must be in the ldap map. Otherwise it's just treated for what it is: a string.
2) in any case, an LDAP URL needs a "?" to separate the scope ("sub") from the filter.
3) escapes need to appear twice, because "\" is the escape char for slapd.conf and for the regex. So using a single escape, like "\(objectClass=person\)", results in passing "(objectClass=person)" to regcomp(3), and the "(" ")" are treated as special regex chars. This is illustrated in slapo-rwm(5).
4) a bindDN will never look like an LDAP filter. So this rule shouldn't be in the "bindDN" rewrite context.
"@"
# if the lookup fails, the error is ignored, and thus
# the original DN is used.
To obtain what you want, but in the "searchFilter" rewrite context, something like
rwm-rewriteMap ldap "realBindDNLookup" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"
rwm-rewriteContext searchFilter
rwm-rewriteRule "^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$" "${realBindDNLookup(mail=$1@osu.edu)}" ":@"
should work.
p.
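To see the two rules from this thread behave without a running slapd, here is an added simulation (editor's example; it is neither OpenLDAP code nor anyone's post in this thread): it mimics the slapd.conf backslash handling from point 3 above, the bindDN rule with the ":@I" flags from the first reply, and a searchFilter rule written once with single and once with doubled escapes. The directory entries, the mydomain.tld names, and the map-argument convention ("attr=value" becomes the filter "(attr=value)") are constructed assumptions.

```python
import re

# Constructed sample of the real "ou=People" tree: numeric uid, mailbox stored
# only in 'mail', exactly the situation the thread describes.
DIRECTORY = [
    {"dn": "uid=441068,ou=People,dc=mydomain,dc=tld", "mail": "stapleton.41@mydomain.tld"},
    {"dn": "uid=100200,ou=People,dc=mydomain,dc=tld", "mail": "richton@mydomain.tld"},
]


def slapd_conf_unquote(arg):
    r"""What slapd sees for a double-quoted slapd.conf argument.

    Inside the quotes a backslash only protects the next character, so the
    file text \( reaches the regex engine as ( while \\( reaches it as \(.
    """
    out, i = [], 0
    while i < len(arg):
        if arg[i] == "\\" and i + 1 < len(arg):
            out.append(arg[i + 1])
            i += 2
        else:
            out.append(arg[i])
            i += 1
    return "".join(out)


def ldap_map_lookup(arg):
    """Stand-in for the 'ldap' rewriteMap (simulator assumption: the map
    argument "attr=value" is run as the filter "(attr=value)" under the map's
    base, and the single matching entry's DN comes back).
    Returns None when no entry, or more than one, matches: the map error case.
    """
    m = re.fullmatch(r"(\w+)=(.+)", arg)
    if not m:
        return None
    attr, value = m.groups()
    hits = [e["dn"] for e in DIRECTORY if e.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None


def apply_rule(conf_regex, conf_subst, flags, value):
    """Apply one rwm-rewriteRule, given exactly as written in slapd.conf.

    Returns the rewritten string; the value itself when the regex does not
    match (slapd logs that as res={0,'NULL'}); and None when a map lookup
    fails and the rule has no 'I' flag, i.e. the rewrite errors out.
    Python's re stands in for regcomp(3); for these patterns the syntax agrees.
    """
    pattern = re.compile(slapd_conf_unquote(conf_regex))
    m = pattern.search(value)
    if not m:
        return value
    subst = slapd_conf_unquote(conf_subst)
    # $1 .. $9 are the captured groups
    subst = re.sub(r"\$(\d)", lambda g: m.group(int(g.group(1))) or "", subst)
    # ${mapName(arg)} calls a rewriteMap; only one map is needed here
    map_call = re.fullmatch(r"\$\{(\w+)\((.*)\)\}", subst)
    if map_call is None:
        return subst
    looked_up = ldap_map_lookup(map_call.group(2))
    if looked_up is None:
        # 'I': ignore the error and keep the original (the thread's own comment)
        return value if "I" in flags else None
    return looked_up


# bindDN context: the rule from the first reply, verbatim (raw strings hold
# exactly the characters that would sit between the quotes in slapd.conf)
BIND_REGEX = r"^uid=([^,]+),ou=People,dc=mydomain,dc=tld$"
BIND_SUBST = r"${realBindDNLookup(mail=$1@mydomain.tld)}"


def rewrite_bind_dn(dn, flags=":@I"):
    return apply_rule(BIND_REGEX, BIND_SUBST, flags, dn)


# searchFilter context: the same regex written with single and with doubled
# escapes in slapd.conf. The substitution keeps the result a filter, in the
# shape of the thread's last attempt, so no map is involved.
SINGLE_ESCAPED = r"^\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)$"
DOUBLE_ESCAPED = r"^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$"
FILTER_SUBST = r"(&(objectClass=person)(mail=$1@mydomain.tld))"


def rewrite_search_filter(conf_regex, filt):
    return apply_rule(conf_regex, FILTER_SUBST, ":@", filt)


if __name__ == "__main__":
    people = "ou=People,dc=mydomain,dc=tld"
    for dn in (f"uid=stapleton.41,{people}", f"uid=stapleton.41@mydomain.tld,{people}",
               f"uid=nobody,{people}"):
        print(f"bindDN {dn!r:58} -> {rewrite_bind_dn(dn)!r}")
    filt = "(&(objectClass=person)(uid=stapleton.41))"
    print("single escapes ->", rewrite_search_filter(SINGLE_ESCAPED, filt))
    print("double escapes ->", rewrite_search_filter(DOUBLE_ESCAPED, filt))
```

The single-escaped regex compiles without error but can never match a real filter, which is why slapd reports no rewrite rather than a configuration error.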
I apologize, they were not lined up in one column in the config; the mail client stripped the leading whitespace.
I didn't realize that was specific to filters. So this is a search then?
============================================================
overlay rwm
rwm-rewriteEngine off

#note: I changed the name of the filter since the original name wasn't usefully descriptive
rwm-rewriteMap ldap "realMailSearchLookup" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"

rwm-rewriteContext searchFilter

rwm-rewriteRule "^\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)$" "${RealMailSearchLookup(mail=$1@osu.edu)}" ":@" ":@"

#added because it didn't seem to be matching anything
#rwm-rewriteContext searchDN alias searchFilter
#rwm-rewriteContext searchFilterAttrDN alias searchFilter
============================================================

just for grins, I tried this, but with no luck either:
============================================================
rwm-rewriteRule "^(.*)\\(&\\(objectClass=person\\)\\(uid=([a-zA-Z]+\\.[0-9]+)\\)\\)(.*)$" "$1(&(objectClass=person)(mail=$2@osu.edu))$3" "@"
============================================================
Thank you, -Jim Stapleton
Addendum: Here's the slapd log output from the query (startup portion truncated due to length, but it can be given), in case it can give you an idea of what the server is trying to do.
S James S Stapleton wrote:
I didn't realize that was specific to filters.
It is not specific to filters. It is specific to specific contexts. Did you read slapo-rwm(5)?
So this is a search then?
overlay rwm
rwm-rewriteEngine off
??? "off" ???
#note: I changed the name of the filter since the original name wasn't usefully descriptive
rwm-rewriteMap ldap "realMailSearchLookup" "ldap://the-server:389/ou=People,dc=osu,dc=edu?entryDN?sub"
rwm-rewriteContext searchFilter
Rules that follow will be invoked only during searches, passing the search filter
rwm-rewriteRule "^\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)$"
This pattern is supposed to be filter specific, as it is defined for a "searchFilter" context
"${RealMailSearchLookup(mail=$1@osu.edu)}" ":@"
The result of the map lookup will be used as search filter, replacing the original filter. But your map returns a DN, which is __NOT__ a valid search filter. So the remote server will barf (unless local controls reject the search without even contacting the remote server; I'm not sure about this).
":@"
#added because it didn't seem to be matching anything
#rwm-rewriteContext searchDN alias searchFilter
A "searchDN" context cannot use rules defined for filters, since it is supposed to be passed and to return a DN, and a filter and a DN usually differ radically.
#rwm-rewriteContext searchFilterAttrDN alias searchFilter
Same as above.
just for grins, I tried this, but with no luck either:
rwm-rewriteRule "^(.*)\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)(.*)$" "$1(&(objectClass=person)(mail=$2@osu.edu))$3" "@"
Not sure what you're trying to achieve. But slapo-rwm(5) is not the right tool to just try and see what happens. Unless you follow some rationale, it can give very puzzling results (usually just nothing, which is frustrating).
I'd rather go back and describe what you want to obtain.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
It is not specific to filters. It is specific to specific contexts. Did you read slapo-rwm(5)?
By "it" I was referring to the (&(a=b)(c=d)) syntax. I thought that could be used in different types of request. Sorry, still a noob with LDAP.
Yeah I read the man page, and I've been referencing it a lot while fiddling with this. Unfortunately they are only doing so much to clarify things.
So this is a search then?
overlay rwm
rwm-rewriteEngine off
??? "off" ???
Crud, oops, I missed that. I turned it off so I could see some clean-slate results for comparison. Just turned it on. The result is a stackdump. Given your comments later in the mail, that's not surprising.
just for grins, I tried this, but with no luck either:
rwm-rewriteRule "^(.*)\(&\(objectClass=person\)\(uid=([a-zA-Z]+\.[0-9]+)\)\)(.*)$" "$1(&(objectClass=person)(mail=$2@osu.edu))$3" "@"
Not sure what you're trying to achieve. But slapo-rwm(5) is not the right tool to just try and see what happens. Unless you follow some rationale, it can give very puzzling results (usually just nothing, which is frustrating).
I'm trying to get the queries from a server people are logging into to translate to the form of the authentication server. I did read the man page, but it has not cleared up my confusion in some of these matters.
The login server is sending a query, wherein the uid is set to a person's 'unique name', which is not part of the DN. To get the DN, you need to do a search on the mail address, which is the unique name + '@osu.edu'. The uid is a number and part of the DN, the unique name is not.
Right now it is running a query with: (*(objectClass=people)(uid=name.number))
and it needs to be: (*(objectClass=people)(mail=name.number@osu.edu))
Thanks, -Jim Stapleton
S James S Stapleton wrote:
Crud, oops, I missed that. I turned it off so I could see some clean-slate results for comparison. Just turned it on. The result is a stackdump.
You mean core dump? Please file an ITS for that, it shouldn't happen (you should be using the latest OpenLDAP 2.3 or so, right?). Since you're using Cygwin, you should be able to install gdb and get a decent stack trace out of a non-stripped binary (e.g. the one before installation, servers/slapd/slapd.exe).
I'm trying to get the queries from a server people are logging into to translate to the form of the authentication server. I did read the man page, but it has not cleared up my confusion in some of these matters.
The login server is sending a query, wherein the uid is set to a person's 'unique name', which is not part of the DN. To get the DN, you need to do a search on the mail address, which is the unique name + '@osu.edu'. The uid is a number and part of the DN, the unique name is not.
Right now it is running a query with: (*(objectClass=people)(uid=name.number))
and it needs to be: (*(objectClass=people)(mail=name.number@osu.edu))
Not sure what you mean with "queries". If what you mean is:
"simple binds get in with some DN; the DN is not right, but it can be used to look up the right DN"
that's one business.
Otherwise, if you mean
"plain searches come in with some filter; the filter looks for some value of uid, but they should rather look for a value of mail that can be derived from that of uid"
then what you should do is
rewriteContext searchFilter
rewriteRule "^\(&\(objectClass=person\)\(uid=([^.]+\.[0-9]+)\)\)$" "(&(objectClass=person)(mail=$1@osu.edu))" ":@"
and that's it.
p.
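As an added example, not code from the thread or from OpenLDAP: a small Python emulation of the searchFilter rewrite suggested above, run against a constructed two-entry directory so you can see which client filters the anchored rule rewrites and which it leaves alone (numeric-uid searches pass through untouched, filters with extra terms do not match). Rewrite maps and the other action flags are not emulated; the case-insensitive default and the ':' and '@' flag semantics are my reading of slapo-rwm(5).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class RewriteRule:
    """One rwm-rewriteRule: regex pattern, replacement using $0..$9, action flags."""
    pattern: str
    replacement: str
    flags: str = ""

    def apply_once(self, value: str) -> Optional[str]:
        # Assumption: matching is case-insensitive unless the 'C' flag is given.
        m = re.search(self.pattern, value, 0 if "C" in self.flags else re.IGNORECASE)
        if m is None:
            return None
        # Expand $n with the captured groups; an unknown group expands to "".
        return re.sub(
            r"\$(\d)",
            lambda r: m.group(int(r.group(1))) if int(r.group(1)) <= len(m.groups()) else "",
            self.replacement,
        )


def rewrite(rules: List[RewriteRule], value: str, max_iter: int = 10) -> str:
    """Run one context's rules in order: ':' applies a rule once instead of
    iterating, '@' stops the context after a rule that matched."""
    for rule in rules:
        matched = False
        for _ in range(1 if ":" in rule.flags else max_iter):
            out = rule.apply_once(value)
            if out is None:
                break
            matched, value = True, out
        if matched and "@" in rule.flags:
            break
    return value


# The searchFilter rule from the thread, transcribed verbatim.
SEARCH_FILTER_RULES = [
    RewriteRule(r"^\(&\(objectClass=person\)\(uid=([^.]+\.[0-9]+)\)\)$",
                "(&(objectClass=person)(mail=$1@osu.edu))", ":@"),
]


def rewrite_search_filter(filter_str: str) -> str:
    return rewrite(SEARCH_FILTER_RULES, filter_str)


Entry = Dict[str, List[str]]

# Constructed sample directory in the shape the thread describes: the numeric
# uid forms the DN, the login name appears only in the mail attribute.
DIRECTORY: List[Entry] = [
    {"dn": ["uid=100001,ou=People,dc=osu,dc=edu"], "objectClass": ["top", "person"],
     "uid": ["100001"], "mail": ["stapleton.41@osu.edu"]},
    {"dn": ["uid=100002,ou=People,dc=osu,dc=edu"], "objectClass": ["top", "person"],
     "uid": ["100002"], "mail": ["doe.7@osu.edu"]},
]


def entry_matches(entry: Entry, filter_str: str) -> bool:
    """Toy evaluator: AND of equality assertions only, compared case-insensitively.
    Good enough for the filters in this thread, not a general LDAP filter parser."""
    lowered = {k.lower(): [v.lower() for v in vals] for k, vals in entry.items()}
    for attr, value in re.findall(r"\(([A-Za-z][\w-]*)=([^()]*)\)", filter_str):
        if value.lower() not in lowered.get(attr.lower(), []):
            return False
    return True


def search_dns(filter_str: str) -> List[str]:
    """DNs the emulated backend returns for a (possibly rewritten) filter."""
    return [e["dn"][0] for e in DIRECTORY if entry_matches(e, filter_str)]


def lookup_via_rwm(client_filter: str) -> List[str]:
    """Client filter -> searchFilter rewrite -> backend search."""
    return search_dns(rewrite_search_filter(client_filter))


if __name__ == "__main__":
    for f in ["(&(objectClass=person)(uid=stapleton.41))",
              "(&(objectclass=person)(uid=doe.7))",
              "(&(objectClass=person)(uid=100001))",
              "(&(objectClass=person)(uid=stapleton.41)(cn=Jim))"]:
        print(f, "->", rewrite_search_filter(f), "->", lookup_via_rwm(f))
```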
S James S Stapleton wrote:
The result is a stackdump.
I've spotted a potential cause for this, and fixed it (ITS#5043: http://www.openldap.org/its/?findid=5043); before reporting your problem, please check if the fix to ITS#5043: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/rwmmap.c.diff?r1=1.14.2.14&r2=1.14.2.15&hideattic=1&sortbydate=0 solves it.
p.
Pierangelo Masarati wrote:
S James S Stapleton wrote:
Can I use open-ldap as a translation layer for queries with a ldap client with minimal configuration potential?
Yes. I did not clearly get if OpenLDAP is the database that contains the information, or if you plan to stack an instance of OpenLDAP in between your current directory server and the (braindead?) client.
In the first case, I assume you have some thing like
database bdb
suffix "dc=mydomain,dc=tld"
#...
while in the second case you would create an instance of slapd containing
database ldap
suffix "dc=mydomain,dc=tld"
uri "ldap://the.real.server/"
In either case, after all database specific directives you need to add
Ing. Pierangelo Masarati OpenLDAP Core Team
What an interesting and elegant solution to a real world problem. I love software that doesn't assume to know all the problems or all the answers but simply provides a rich tool-set for the engineer. Very cool!
\Greg