Hello,
I am working on a use case where I want an OpenLDAP meta server to balance requests across multiple backends according to the bindDN of the incoming user.
I succeeded in doing this with a meta + rwm configuration as shown below:
overlay rwm
rwm-rewriteEngine on

# In the context of a BIND operation
rwm-rewriteContext bindDN
# Store the user who is logging in in an internal variable named binddn
# (for use by other LDAP operations); the DN itself is passed on unchanged
rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
# If the LDAP operation is a bind, directly rewrite the bind DN:
# if the uid starts with dir1, rewrite the suffix to directory1 (and stop)
rwm-rewriteRule "^uid=(dir1[^,]+)(.*),dc=domain,dc=com$" "uid=$1$2,dc=directory1,dc=domain,dc=com" ":@I"
# Else, rewrite the suffix to directory2 (and stop)
rwm-rewriteRule "^([^,]+),dc=domain,dc=com$" "$1,dc=directory2,dc=domain,dc=com" ":@I"

# For SEARCH LDAP operations
rwm-rewriteContext searchDN
# Prefix the DN to search with the binddn stored at bind time, separated by "<>"
rwm-rewriteRule "(.*)" "${**binddn}<>$1" ":I"
# If binddn starts with dir1, remove the binddn prefix and rewrite the suffix to directory1
rwm-rewriteRule "^uid=dir1[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory1,dc=domain,dc=com$2" ":@I"
# If binddn was not found or does not start with dir1, remove the binddn prefix
# and rewrite the suffix to directory2
rwm-rewriteRule "^.*<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory2,dc=domain,dc=com$2" ":@I"
# Anything else (DN outside the virtual suffix): just remove the binddn prefix
rwm-rewriteRule "^.*<>(.*)$" "$1" ":@I"

database meta
suffix "dc=domain,dc=com"
uri "ldap://127.0.0.1:3390/dc=directory1,dc=domain,dc=com"
uri "ldap://127.0.0.1:3391/dc=directory2,dc=domain,dc=com"
This works well, but the results of all operations are returned with the real backend suffix, which can be confusing for the client application.
I'd like the bind and search results to be rewritten with the virtual suffix (removing the dc=directory1 or dc=directory2 part).
I have tried using these server->client rewrite contexts: searchEntryDN, searchAttrDN, matchedDN, or referralDN, but they don't seem to be called.
Does anyone know if it is possible to achieve this?
Thanks for any help!
David
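The following is an added example, not part of David's post and not OpenLDAP code: a small Python emulation of the rwm rule chains above, so the regexps can be exercised offline with a bind DN and a search base and the resulting backend DNs inspected. It models only what the posted rules rely on (rules run in order and feed the next rule, the "@" flag stops after a match, "${&&var(...)}" stores its argument in a session variable and expands to nothing, "${**var}" reads it back, "$N" is a regex group); that model is an assumption, as is the RESULT_DN_RULES table, which only expresses the reverse mapping the post asks for and says nothing about which rwm context would apply it.

```python
import re

# Added example (not from the post): emulation of the posted slapo-rwm rules.
# Assumed, simplified librewrite semantics:
#   - rules in a context run in order; a matching rule replaces the string
#     and the next rule sees the new string;
#   - the "@" action flag stops rewriting after a match; "I" is a no-op here;
#   - "${&&var(...)}" stores its expanded argument in a session variable and
#     expands to ""; "${**var}" expands to that variable ("" if unset);
#     "$N" expands to regex group N.
# Maps, goto, max-pass and other librewrite features are not modelled.

# (pattern, substitution, flags) copied from the posted bindDN context
BIND_DN_RULES = [
    (r".+", r"${&&binddn($0)}$0", ":"),
    (r"^uid=(dir1[^,]+)(.*),dc=domain,dc=com$",
     r"uid=$1$2,dc=directory1,dc=domain,dc=com", ":@I"),
    (r"^([^,]+),dc=domain,dc=com$",
     r"$1,dc=directory2,dc=domain,dc=com", ":@I"),
]

# copied from the posted searchDN context
SEARCH_DN_RULES = [
    (r"(.*)", r"${**binddn}<>$1", ":I"),
    (r"^uid=dir1[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$",
     r"$1dc=directory1,dc=domain,dc=com$2", ":@I"),
    (r"^.*<>(.*)dc=domain,dc=com(.*)$",
     r"$1dc=directory2,dc=domain,dc=com$2", ":@I"),
    (r"^.*<>(.*)$", r"$1", ":@I"),
]

# Assumed reverse mapping for DNs coming back from a backend (the post's open
# question is which rwm context, if any, would run something like this).
RESULT_DN_RULES = [
    (r"^(.*),dc=directory[12],dc=domain,dc=com$", r"$1,dc=domain,dc=com", ":@"),
    (r"^dc=directory[12],(dc=domain,dc=com)$", r"$1", ":@"),
]

_TOKEN = re.compile(r"\$\{&&(\w+)\((.*?)\)\}|\$\{\*\*(\w+)\}|\$(\d)")


def expand(subst, match, session):
    """Expand a substitution string against a regex match and the session vars."""
    def repl(tok):
        if tok.group(1):                      # ${&&var(args)}: store, expand to ""
            session[tok.group(1)] = expand(tok.group(2), match, session)
            return ""
        if tok.group(3):                      # ${**var}
            return session.get(tok.group(3), "")
        return match.group(int(tok.group(4))) or ""   # $N
    return _TOKEN.sub(repl, subst)


def rewrite(rules, value, session):
    """Run one rewrite context over value; session carries the binddn variable."""
    for pattern, subst, flags in rules:
        m = re.search(pattern, value)         # regexec-style unanchored search
        if m is None:
            continue
        value = expand(subst, m, session)
        if "@" in flags:
            break
    return value


def simulate(bind_dn, search_base):
    """Return (bind DN sent to the backend, search base sent to the backend)
    for one connection that binds as bind_dn and then searches search_base."""
    session = {}
    real_bind = rewrite(BIND_DN_RULES, bind_dn, session)
    real_base = rewrite(SEARCH_DN_RULES, search_base, session)
    return real_bind, real_base


def virtualize(real_dn):
    """Map a backend DN back to the virtual suffix with RESULT_DN_RULES."""
    return rewrite(RESULT_DN_RULES, real_dn, {})


if __name__ == "__main__":
    # Constructed sample connections (not from the post).
    for bind_dn, base in [
        ("uid=dir1alice,dc=domain,dc=com", "ou=people,dc=domain,dc=com"),
        ("uid=bob,dc=domain,dc=com", "dc=domain,dc=com"),
        ("", "ou=people,dc=domain,dc=com"),   # anonymous: falls through to directory2
        ("", "cn=config"),                     # outside the suffix: only the prefix goes
    ]:
        print(bind_dn or "(anonymous)", base, "->", simulate(bind_dn, base))
    print(virtualize("uid=dir1alice,dc=directory1,dc=domain,dc=com"))
```

Running it shows the routing the post describes: a dir1 user and its searches go to dc=directory1, everyone else (including anonymous searches, for which binddn is unset) goes to dc=directory2, and a base outside dc=domain,dc=com is passed through with only the "<>" prefix removed. The harness is also a cheap way to try odd inputs, for instance a base DN that itself contains the "<>" separator, and see what the greedy "^.*<>" rules do with it before putting such rules in front of real backends.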