Hi,
We're using OpenLDAP 2.3.35 as an LDAP proxy to support anonymous binds and searches to a restricted LDAP server.
We're now trying to rewrite existing cns with the old suffix to new cns with the new suffix of the restricted LDAP server. So far almost everything is working with rwm-suffixmassage and overlay rwm, except rewriting AVAs from ldapcompare.
I'm still not sure if this is actually possible with overlay rwm or if I'm misunderstanding the manpage of slapo-rwm. Rewriting the cns in searches, search results, bindDN and compareDN works, but the AVA from the compared attribute (here: cn) is not changed by rewriteContext compareAttrDN. "man slapo-rwm" says that the rewriteContext compareAttrDN rewrites the compare AVA, but whatever I try, it's not changing anything in the ldapcompare.
What format of the rwm-rewriteRules for rewriteContext compareAttrDN is expected for rewriting to succeed? Or is what I'm thinking of actually impossible?
Here is my shortened (removed a lot of rewriteRules, but still working) slapd.conf:
# slapd.conf
loglevel -1
include /usr/local/etc/openldap/schema/core.schema
pidfile /usr/local/var/run/slapd.pid
argsfile /usr/local/var/run/slapd.args
modulepath /usr/local/libexec/openldap
moduleload rwm.la

overlay rwm
rwm-suffixmassage "o=sskm" "ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"

database ldap
suffix "ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
uri "ldap://5.1.35.254/"
network-timeout 3
chase-referrals no
idassert-bind bindmethod=simple binddn="cn=q001ldap,ou=dienstkonten,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" credentials="secret" mode=none
idassert-authzFrom "dn.regex:.*"

overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchFilter
rwm-rewriteRule "cn=99([0-9]{3})" "cn=s001x$1" ":@"
rwm-rewriteContext bindDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2" ":@"
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "cn=s001x([0-9]{3}),(.+)" "cn=99$1,$2" ":@"
rwm-rewriteContext compareDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2" ":@"
rwm-rewriteContext compareAttrDN
rwm-rewriteRule "99([0-9]{3})" "s001x$1"
# end slapd.conf
The basic idea of this simple setup is to rewrite a cn=99854 to cn=s001x854 and back wherever possible. I'm trying with

ldapcompare -x -D "" -H ldap://testproxy cn=99854,o=sskm cn:99854

This fails and produces the following logs:
slapd[9789]: do_compare
slapd[9789]: >>> dnPrettyNormal: <cn=99854,o=sskm>
slapd[9789]: <<< dnPrettyNormal: <cn=99854,o=sskm>, <cn=99854,o=sskm>
slapd[9789]: [rw] compareDN: "cn=99854,o=sskm" -> "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
slapd[9789]: >>> dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: <<< dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: do_compare: dn (cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern) attr (cn) value (99854)
slapd[9789]: conn=1 op=1 CMP dn="cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" attr="cn"
slapd[9789]: [rw] compareDN: "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" -> "cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
slapd[9789]: >>> dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: <<< dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: send_ldap_result: conn=1 op=1 p=3
slapd[9789]: send_ldap_result: err=5 matched="" text=""
Packet capturing shows that the value is not rewritten when sent to the LDAP server. Using the value which I was trying to rewrite to,

ldapcompare -x -D "" -H ldap://testproxy cn=99854,o=sskm cn:s001x854

succeeds:
slapd[9789]: do_compare
slapd[9789]: >>> dnPrettyNormal: <cn=99854,o=sskm>
slapd[9789]: <<< dnPrettyNormal: <cn=99854,o=sskm>, <cn=99854,o=sskm>
slapd[9789]: [rw] compareDN: "cn=99854,o=sskm" -> "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
slapd[9789]: >>> dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: <<< dnPrettyNormal: <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: do_compare: dn (cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern) attr (cn) value (s001x854)
slapd[9789]: conn=10 op=1 CMP dn="cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" attr="cn"
slapd[9789]: [rw] compareDN: "cn=99854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" -> "cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
slapd[9789]: >>> dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: <<< dnPrettyNormal: <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>, <cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern>
slapd[9789]: send_ldap_result: conn=10 op=1 p=3
slapd[9789]: send_ldap_result: err=6 matched="" text=""
Jens Grigel wrote:
> I'm still not sure if this is actually possible with overlay rwm or if I'm misunderstanding the manpage of slapo-rwm. Rewriting the cns in searches, search results, bindDN and compareDN works, but the AVA from the compared attribute (here: cn) is not changed by rewriteContext compareAttrDN. "man slapo-rwm" says that the rewriteContext compareAttrDN rewrites the compare AVA, but whatever I try, it's not changing anything in the ldapcompare.

The compare AVA is rewritten if it is DN-valued. That's the reason for the context name: compareAttrDN. So slapo-rwm(5) does not rewrite an arbitrary AVA's value, only DN-valued ones.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
On Sat, 2007-04-28 at 10:44 +0200, Pierangelo Masarati wrote:
> Jens Grigel wrote:
> > I'm still not sure if this is actually possible with overlay rwm or if I'm misunderstanding the manpage of slapo-rwm. Rewriting the cns in searches, search results, bindDN and compareDN works, but the AVA from the compared attribute (here: cn) is not changed by rewriteContext compareAttrDN. "man slapo-rwm" says that the rewriteContext compareAttrDN rewrites the compare AVA, but whatever I try, it's not changing anything in the ldapcompare.
>
> The compare AVA is rewritten if it is DN-valued. That's the reason for the context name: compareAttrDN. So slapo-rwm(5) does not rewrite an arbitrary AVA's value, only DN-valued ones.
Hi Pierangelo,
Thank you for clarifying this; that was what I initially understood from the manpage, but I couldn't make rewriting succeed, so I became unsure about the format.
But even if I call ldapcompare with a DN-valued AVA and build a regex for compareAttrDN which should match this DN-valued AVA, nothing is rewritten. Packet tracing still shows the unchanged AVA gets sent to the remote LDAP server.
I'm trying:
ldapcompare -x -D "" -H ldap://testproxy.intra.sskm.de cn=99854,o=sskm cn:cn=99854,o=sskm
and have the following slapd.conf:

...
# suffixmassage
overlay rwm
rwm-suffixmassage "o=sskm" "ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"

# ldap proxy
database ldap
suffix "ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern"
uri "ldap://5.1.35.254/"
network-timeout 3
chase-referrals no
idassert-bind bindmethod=simple binddn="cn=q001ldap,ou=dienstkonten,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern" credentials="ldap.Lebt" mode=none
idassert-authzFrom "dn.regex:.*"

# rewriting for ldap proxy
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext compareDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2"
rwm-rewriteContext compareAttrDN
rwm-rewriteRule "cn=99([0-9]{3}),(.+)" "cn=s001x$1,$2"

Then the packet trace shows the following sent to the remote LDAP server:

compareRequest
  entry: cn=s001x854,ou=benutzer,ou=konten,ou=institut,dc=e001dpk1,dc=e001,dc=intern
  ava
    attributeDesc: cn
    assertionValue: cn=99854,o=sskm
The CompareDN gets rewritten by suffixmassage and context compareDN as expected, but nothing happens with CompareAttrDN. Any hints what I'm still doing wrong?
Jens Grigel wrote:
> ldapcompare -x -D "" -H ldap://testproxy.intra.sskm.de cn=99854,o=sskm cn:cn=99854,o=sskm
DN-syntax doesn't simply mean it has to look like a DN. The syntax is inferred from the syntax of the attribute that is being asserted. Here the asserted attr is "cn", which, in standard track schema, does not have DN syntax. You can rewrite the asserted value, for example, when asserting "member", "entryDN", ...
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
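The behaviour explained in this thread, modelled as an added Python example (this is not slapo-rwm's own code): a compare request's entry DN always goes through the compareDN rules, but the assertion value only goes through the compareAttrDN rules when the asserted attribute's schema syntax is DN, so cn:cn=99854,o=sskm stays untouched while member:cn=99854,o=sskm is rewritten. The schema table is a constructed excerpt; the rewrite rule is the one from the slapd.conf above, with $1/$2 written as Python back-references.

```python
import re

# Constructed schema excerpt: attribute type -> syntax OID. In slapd the syntax
# comes from the loaded schema; cn is Directory String, member and entryDN are
# DN-valued. Only the DN syntax makes a compare assertion value DN-valued.
DN_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.12"
DIRECTORY_STRING_SYNTAX = "1.3.6.1.4.1.1466.115.121.1.15"
ATTRIBUTE_SYNTAX = {
    "cn": DIRECTORY_STRING_SYNTAX,
    "member": DN_SYNTAX,
    "entryDN": DN_SYNTAX,
}

# The compareDN / compareAttrDN rule from the thread. librewrite builds the
# result from the replacement template alone, which is why the rule captures
# the rest of the DN with (.+) and re-emits it as $2.
COMPARE_RULES = [
    (re.compile(r"cn=99([0-9]{3}),(.+)"), r"cn=s001x\1,\2"),
]


def rewrite_dn(dn):
    """Apply the first matching rule; an unmatched DN passes through unchanged."""
    for pattern, template in COMPARE_RULES:
        match = pattern.search(dn)
        if match:
            return match.expand(template)
    return dn


def rewrite_compare(entry_dn, attr, value):
    """Model a compare request passing through the overlay.

    Returns (entry_dn, attr, value) as they would leave the proxy: the entry DN
    is rewritten by compareDN; the value is rewritten by compareAttrDN only if
    the asserted attribute has DN syntax, whatever the value looks like.
    """
    out_dn = rewrite_dn(entry_dn)
    if ATTRIBUTE_SYNTAX.get(attr) == DN_SYNTAX:
        return out_dn, attr, rewrite_dn(value)
    return out_dn, attr, value


if __name__ == "__main__":
    # The case from the thread: asserting cn leaves the value alone.
    print(rewrite_compare("cn=99854,o=sskm", "cn", "cn=99854,o=sskm"))
    # Asserting a DN-syntax attribute such as member rewrites the value too.
    print(rewrite_compare("cn=99854,o=sskm", "member", "cn=99854,o=sskm"))
```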