Hi, we're using openldap 2.3.35 as ldap proxy to support anonymous binds and searches to a restricted ldap server. We're now trying to rewrite existing cn's with old suffix to new cn's with new suffix of the restricted ldap server. So far almost everything is working with rwm-suffixmassage and overlay rwm except rewriting AVA's from ldapcompare. I'm still not sure if this is actually possible with overlay rwm or if i'm misunderstanding the manpage of slapo-rwm. Rewriting the cn's in searches, searchresults, bindDN and compareDN works, but the AVA from the compared attribute (here: cn) is not changed from rewriteContext compareAttrDN. "man slapo-rwm" says that the rewriteContext compareAttrDN rewrites compare AVA, but whatever i try it's not changing anything in the ldapcompare. What format of the rwm-rewriteRules for rewriteContext compareAttrDN is expected for rewriting to succeed? Or is this actually impossible what i'm thinking of? Here my shortened (removed a lot of rewriteRules, but still working) slapd.conf: # slapd.conf loglevel -1 include /usr/local/etc/openldap/schema/core.schema pidfile /usr/local/var/run/slapd.pid argsfile /usr/local/var/run/slapd.args modulepath /usr/local/libexec/openldap moduleload rwm.la overlay rwm rwm-suffixmassage "o=sskm" "ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" database ldap suffix "ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" uri "ldap://5.1.35.254/" network-timeout 3 chase-referrals no idassert-bind bindmethod=simple binddn="cn=q001ldap,ou=dienstkonten,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" credentials="secret" mode=none idassert-authzFrom "dn.regex:.*" overlay rwm rwm-rewriteEngine on rwm-rewriteContext searchFilter rwm-rewriteRule "cn=99([0-9]{3})" "cn=s001x$1" ":@" rwm-rewriteContext bindDN rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2" ":@" rwm-rewriteContext searchEntryDN rwm-rewriteRule "cn=s001x([0-9]{3}),(.+)" "cn=99$1,$2" ":@" rwm-rewriteContext compareDN rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2" ":@" rwm-rewriteContext compareAttrDN rwm-rewriteRule "99([0-9]{3})" "s001x$1" # end slapd.conf The basic idea from this simple setup is to rewrite a cn=99854 to cn=s001x854 and back whereever possible. I'm trying with ldapcompare -x -D "" -H ldap://testproxy cn=99854,o=sskm cn:99854 this fails and produces the following logs slapd[9789]: do_compare slapd[9789]: >>> dnPrettyNormal: <cn=99854,o=sskm> slapd[9789]: <<< dnPrettyNormal: <cn=99854,o=sskm>, <cn=99854,o=sskm> slapd[9789]: [rw] compareDN: "cn=99854,o=sskm" -> "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" slapd[9789]: >>> dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: <<< dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: do_compare: dn (cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern) attr (cn) value (99854) slapd[9789]: conn=1 op=1 CMP dn="cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" attr="cn" slapd[9789]: [rw] compareDN: "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" -> "cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" slapd[9789]: >>> dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: <<< dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: send_ldap_result: conn=1 op=1 p=3 slapd[9789]: send_ldap_result: err=5 matched="" text="" packet capturing shows that the value is not rewritten when sent to the ldap server. Using the value which i was trying to rewrite to ldapcompare -x -D "" -H ldap://testproxy cn=99854,o=sskm cn:s001x854 succeeds slapd[9789]: do_compare slapd[9789]: >>> dnPrettyNormal: <cn=99854,o=sskm> slapd[9789]: <<< dnPrettyNormal: <cn=99854,o=sskm>, <cn=99854,o=sskm> slapd[9789]: [rw] compareDN: "cn=99854,o=sskm" -> "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" slapd[9789]: >>> dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: <<< dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: do_compare: dn (cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern) attr (cn) value (s001x854) slapd[9789]: conn=10 op=1 CMP dn="cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" attr="cn" slapd[9789]: [rw] compareDN: "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" -> "cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" slapd[9789]: >>> dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: <<< dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern> slapd[9789]: send_ldap_result: conn=10 op=1 p=3 slapd[9789]: send_ldap_result: err=6 matched="" text="" -- Jens Grigel Citysavingsbank Munich, Germany Dept. of Network/Security