On Fri, 17 Feb 2017 14:38:16 +1300, "Lowrie, Paul, Vodafone NZ" Paul.Lowrie@vodafone.com wrote:
Hi
I've been asked to configure a SLAPD/LDAP proxy with more than one LDAP Back-End. The users log into the LDAP client using their email address and the proxy uses the domain part of their UID to decide which slapd-ldap back-end to authenticate against. I have the proxy working - with two defined slapd-ldap back-ends. It's tested and works with one back-end at a time.
I need rwm to process a rewrite of both the searchFilter and the searchDN, using a key piece of information identified in the searchFilter to decide the searchDN.
Original searchDN = "ou=people,ou=my,dc=proxy,dc=com"
Original searchFilter = "(&(objectClass=posixAccount)(uid=john@domain.one.com))"

Rewritten searchDN = "ou=people,ou=domain,dc=one,dc=com"
Rewritten searchFilter = "(&(objectClass=posixAccount)(uid=john))"
I have:
dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {0}rwm
olcRwmNormalizeMapped: FALSE
olcRwmRewrite: {0}rwm-rewriteEngine on
#
# Unix LDAP authentication requests arrive with these three components:
#   searchDN:     OU=people,DC=my,DC=proxy,DC=com - as defined on the LDAP client
#   searchFilter: (&(objectClass=posixAccount)(uid=john@domain.one.com))
#   attributes:   userPassword cn gidNumber uidNumber
#                 loginShell objectClass gecos uid homeDirectory
#
# {1} searchFilter Context:
# {2} rewrite john@domain.one.com:
#     Strip @domain.one.com part and set &&target to OU=people,DC=domain,DC=one,DC=com
# {3} rewrite jane@domain.two.com:
#     Strip @domain.two.com part and set &&target to OU=people,DC=domain,DC=two,DC=com
# {4} searchDN Context:
# {5} rewrite OU=people,DC=my,DC=proxy,DC=com to the value already defined in &&target
#
# olcRwmRewrite: {1}rwm-rewriteContext SearchFilter
# olcRwmRewrite: {2}rwm-rewriteRule "^(.+uid=[^,]+)@domain.one.com(,.*)$" "${&&target("ou=people,dc=domain,dc=one,dc=com")}$1$2" ":"
# olcRwmRewrite: {3}rwm-rewriteRule "^(.+uid=[^,]+)@domain.two.com(,.*)$" "${&&target("ou=people,dc=domain,dc=two,dc=com")}$1$2" ":"
# olcRwmRewrite: {4}rwm-rewriteContext searchDN
# olcRwmRewrite: {5}rwm-rewriteRule "OU=people,[ ]?DC=my,[ ]?DC=proxy,[ ]?DC=com " "${**target}" ":"
This results in a slapd crash because the searchDN rule wants to use the **target variable, but it's not yet defined because the searchFilter context hasn't been run yet. How do I change the order in which the rwm-rewriteContexts are executed so that the context for searchFilter is run first?
You may try the old-fashioned slapd.conf instead of using the config database. There are some ordering problems in config.
-Dieter
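The routing the thread describes (strip the domain from the uid assertion, pick the back-end base DN from that domain), together with an offline check of the posted searchFilter rule pattern, as an added Python example that is not part of the thread or of OpenLDAP. The check runs the posted pattern with Python's re module; slapo-rwm compiles its rules as POSIX extended regular expressions, and for patterns this simple the two behave the same (an assumption of this example, not something verified against slapd). What the check shows is visible in the posted rule itself: its tail "(,.*)$" requires a comma right after the domain, but in a search filter the uid value is followed by ")", so the rule cannot fire on the quoted filter. FIXED_FILTER_RULE, route(), rule_applies(), apply_rule() and the sample request are this example's own names and constructed input; the "fixed" pattern is a suggestion, not a rule from the thread.

```python
import re

# Constructed sample request, in the shape quoted in the thread.
ORIG_DN = "ou=people,ou=my,dc=proxy,dc=com"
ORIG_FILTER = "(&(objectClass=posixAccount)(uid=john@domain.one.com))"

# Domain part of the uid -> base DN of the back-end that holds the entry
# (the two targets named in the thread).
TARGETS = {
    "domain.one.com": "ou=people,dc=domain,dc=one,dc=com",
    "domain.two.com": "ou=people,dc=domain,dc=two,dc=com",
}

# The searchFilter rule pattern exactly as posted for domain.one.com.
POSTED_FILTER_RULE = r"^(.+uid=[^,]+)@domain.one.com(,.*)$"

# Assumed replacement (this example's suggestion): the text after the domain
# is the ")" closing the (uid=...) assertion, not a comma, and the dots in the
# domain are escaped so "domain.one.com" cannot match "domainXoneXcom".
FIXED_FILTER_RULE = r"^(.+uid=[^@)]+)@domain\.one\.com(\).*)$"


def rule_applies(pattern, text):
    """True if a rewriteRule pattern would match the given string at all."""
    return re.search(pattern, text) is not None


def apply_rule(pattern, text):
    """Apply a "$1$2"-style rewriteRule; returns text unchanged on no match."""
    return re.sub(pattern, r"\1\2", text, count=1)


def route(filter_str, base_dn, targets=TARGETS):
    """The intended rewrite, done in one place rather than in two contexts:

    pull user@domain out of the (uid=...) assertion, strip the domain from
    the filter, and select the back-end base DN from the domain.
    Returns (rewritten_filter, rewritten_base_dn); base_dn is the client's
    base and is replaced wholesale, as the posted searchDN rule intends.
    """
    m = re.search(r"\(uid=([^@()]+)@([^()]+)\)", filter_str)
    if m is None:
        raise ValueError("filter has no (uid=user@domain) assertion")
    user, domain = m.group(1), m.group(2).lower()
    if domain not in targets:
        # Unknown domains must not fall through to some default back-end.
        raise LookupError(f"no back-end configured for domain {domain!r}")
    new_filter = filter_str[:m.start()] + f"(uid={user})" + filter_str[m.end():]
    return new_filter, targets[domain]


if __name__ == "__main__":
    print("posted rule matches the filter:", rule_applies(POSTED_FILTER_RULE, ORIG_FILTER))
    print("fixed rule matches the filter: ", rule_applies(FIXED_FILTER_RULE, ORIG_FILTER))
    print("fixed rule output:", apply_rule(FIXED_FILTER_RULE, ORIG_FILTER))
    print("route:", route(ORIG_FILTER, ORIG_DN))
```

Running the pattern checks offline before loading rules into slapd is the cheap part; the searchDN rule still has to be exercised against the real proxy, because the rewrite engine's variable handling across contexts (the question in the thread) is not something a regex check can tell you.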