Hello,
I'm trying to do a rewrite using the rwm overlay: I'm trying to rewrite uid: user1-branch1 to uid: user1
Some context: We have the following situation:
We have a central OpenLDAP with several OUs. In these OUs we have user sub-OUs, and a user has a uid that is a combination of his cn, a dash, and an abbreviation of the OU he lives in.
For example:
OU=Branch1,DC=Example,DC=ORG
  User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG  cn=User1  uid=User1-Branch1
OU=Branch2,DC=Example,DC=ORG
  User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG  cn=User1  uid=User1-Branch2
The reason this was done in the past (15 or 20 years ago) was that they wanted to have multiple branches, and people could authenticate with the cn within their own branch. All very complicated history, but I have to work with it now.
Someone set up a new Samba server a while back and wanted to normalize this Samba config a little, so he created an LDAP proxy on this server where he proxied only one OU and did a rwm map from cn to uid. Part of this config:
overlay rwm rwm-map attribute uid cn
This works fine to some extent. One of the problems I found just now is that I don't have a cn anymore in the DNs that I get from this LDAP proxy. Besides that, if the proxy has too much access and you search for uid=User1, it will return both User1 from Branch1 and User1 from Branch2, and this could result in some security issues.
For this reason I'm currently doing a little redesign of this setup, and I would like to change the rwm-map to a rewrite of the uid where I simply strip everything from the dash onwards in the uid. Besides that, I'm going to limit the access of this proxy by using a proxy user with access to only the OU that it needs.
The access limitation works just fine. I only need a little help with the rewrite.
Thanks, Jan Hugo Prins
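The following Python is an added illustration, not part of Jan Hugo's message and not slapo-rwm itself. It models the two directions the proxy has to handle: presenting `User1-Branch1` to clients as `User1` (everything from the last dash stripped), and turning a client filter `(uid=User1)` back into `(uid=User1-Branch1)` for one branch, which is what an rwm `searchFilter` rewrite scoped to a single OU does. It also shows the collision that motivates the access restriction: once the branch suffix is stripped, `User1` in Branch1 and `User1` in Branch2 become the same uid, so a proxy that can see both OUs returns both. The entries below are constructed to mirror the post; the function names are my own. One caveat for the rwm side: as far as the slapo-rwm rewrite contexts go, rewrite rules act on DNs, DN-valued attributes and the search filter, so the filter direction maps onto rwm directly, while rewriting the uid values inside returned entries is a separate question this message does not settle.

```python
import re

# Constructed sample directory standing in for the layout described in the post:
# (dn, cn, uid); the uid is the cn plus "-" plus the branch abbreviation.
SAMPLE_ENTRIES = [
    ("cn=User1,OU=Branch1,DC=Example,DC=ORG", "User1", "User1-Branch1"),
    ("cn=User2,OU=Branch1,DC=Example,DC=ORG", "User2", "User2-Branch1"),
    ("cn=User1,OU=Branch2,DC=Example,DC=ORG", "User1", "User1-Branch2"),
]


def branch_of(dn):
    """Return the value of the first OU RDN in a DN (case-insensitive), or None."""
    m = re.search(r"(?i)(?:^|,)OU=([^,]+)", dn)
    return m.group(1) if m else None


def proxied_uid(backend_uid):
    """Client-facing uid: drop the last dash and the branch abbreviation after it.

    rpartition is used because the branch suffix is appended last; a cn that
    itself contains a dash is left intact. A uid without a dash is unchanged.
    """
    head, sep, _tail = backend_uid.rpartition("-")
    return head if sep else backend_uid


def backend_filter(client_filter, branch):
    """Rewrite every (uid=X) assertion into (uid=X-<branch>).

    This is the equivalent of an rwm searchFilter rewrite for a proxy that
    serves exactly one branch; other assertions in the filter are untouched.
    """
    def repl(m):
        return "(uid=%s-%s)" % (m.group(1), branch)
    return re.sub(r"\(uid=([^()]+)\)", repl, client_filter)


def ambiguous_uids(entries):
    """Proxied uids that map back to more than one backend entry.

    This is exactly the collision the post worries about: with the suffix
    stripped, a proxy with access to every OU can no longer tell the users apart.
    """
    seen = {}
    for dn, _cn, uid in entries:
        seen.setdefault(proxied_uid(uid), []).append(dn)
    return {u: dns for u, dns in seen.items() if len(dns) > 1}


def resolve(client_filter, branch, entries):
    """Simulate the restricted proxy: rewrite a single (uid=X) filter for one
    branch and return the DNs of matching entries in that branch only, which
    is what limiting the proxy user's access to one OU achieves."""
    rewritten = backend_filter(client_filter, branch)
    m = re.fullmatch(r"\(uid=([^()]+)\)", rewritten)
    if not m:
        raise ValueError("only a single (uid=...) filter is supported in this demo")
    wanted = m.group(1).lower()
    return [dn for dn, _cn, uid in entries
            if branch_of(dn) == branch and uid.lower() == wanted]


if __name__ == "__main__":
    print(proxied_uid("User1-Branch1"))
    print(backend_filter("(&(objectClass=person)(uid=User1))", "Branch1"))
    print(ambiguous_uids(SAMPLE_ENTRIES))
    print(resolve("(uid=User1)", "Branch1", SAMPLE_ENTRIES))
```

Running it shows `User1` resolving to one DN per branch only because the lookup is scoped to that branch; `ambiguous_uids` lists the same `User1` twice, once per OU, which is the case the proxy user's restricted access has to rule out.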