Hello, you are right, I did misinterpret authz-regexp to be a more general query rewriter. I had actually come to this conclusion about an hour after sending this email. Sorry for the wasted time. I'm taking a look at the rwm overlay now.
Thank you for your time.
On Wed, Feb 2, 2011 at 6:21 AM, Ralf Haferkamp rhafer@suse.de wrote:
On Tuesday 01 February 2011, 18:19:33 Derek Bodner wrote:
Hello, I'm running an ldap 2.3 server, with users setup under cn=<first name> <last name>,ou=People,dc=org,dc=com. I have an application that is trying to access the dn's directly, via uid=<username>,ou=People,dc=org,dc=com
I've setup an authz-regexp rule to try to rewrite the request: authz-regexp uid=([^,]*),ou=People,dc=org,dc=com ldap:///ou=People,dc=org,dc=com??one?(uid=$1)
But my query still seems to be failing
[..]
Any ideas on what I'm doing wrong ?
It seems you heavily misunderstood the purpose of authz-regexp. It is only meant for converting user names as used during SASL authentication to LDAP DNs, e.g. for authorization purposes. E.g. if you authenticate against your slapd as joe@YOUR.KRB.REALM using SASL/GSSAPI, you can use authz-regexp to map that name to an LDAP DN that makes sense in your setup.
For details see: http://www.openldap.org/doc/admin24/sasl.html
authz-regexp is NOT
- able to rewrite DNs in LDAP Simple Bind Request.
- a general purpose tool to rewrite LDAP Search Results.
If you can't fix your application to be more flexible in regards to how your DNs must look, it might be possible to achieve what you want through the rwm overlay, but I don't know the overlay well enough to say for sure. See the slapo-rwm man page for details.
Ralf
-- SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
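For readers who land on this thread: the following slapd.conf fragment shows the intended use of authz-regexp that Ralf describes, mapping a SASL/GSSAPI identity to an entry under ou=People. It is an added illustration, not configuration from the original messages. It reuses the ou=People,dc=org,dc=com tree and the YOUR.KRB.REALM realm mentioned above; the principal name joe in the comments is assumed for the sake of the example.

```conf
# Added example, not from the original thread. Assumes the Kerberos realm
# YOUR.KRB.REALM and the ou=People,dc=org,dc=com tree from the messages above.

# After a successful SASL/GSSAPI authentication slapd forms an internal
# authentication DN of the shape
#   uid=<principal>,cn=<realm>,cn=gssapi,cn=auth
# (e.g. uid=joe,cn=YOUR.KRB.REALM,cn=gssapi,cn=auth for joe@YOUR.KRB.REALM).
# authz-regexp is applied to these cn=auth names only. A DN supplied in a
# simple bind request, such as uid=joe,ou=People,dc=org,dc=com, never goes
# through it, which is why the rule in the original post could not fire.
authz-regexp
  uid=([^,]*),cn=YOUR.KRB.REALM,cn=gssapi,cn=auth
  ldap:///ou=People,dc=org,dc=com??one?(uid=$1)
```

Two things worth checking before relying on this. First, the exact form of the cn=auth name can be seen by running `ldapwhoami -Y GSSAPI` against the server before the rule is in place; it reports `dn:uid=joe,cn=YOUR.KRB.REALM,cn=gssapi,cn=auth`, and after the rule is added the same command should report the mapped entry's DN (for the thread's layout, something of the form cn=<first name> <last name>,ou=People,dc=org,dc=com). Second, the LDAP URL form of the mapping only succeeds when the search returns exactly one entry; zero or several matches leave the identity unmapped, so the uid attribute must be unique under ou=People.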