Hi Nadya,

Thanks for your answer!

In my first attempts, I configured the rewrite engine inside the meta backend, but without success.

Neither the default rewriteContext nor any specific context was ever triggered in this situation.


As a concrete example, I provide below a full configuration that never triggers any rewrite.


Regards,

David



include         /usr/local/openldap/etc/openldap/schema/core.schema
include         /usr/local/openldap/etc/openldap/schema/cosine.schema
include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema


logLevel 256


pidfile         slapd.pid
argsfile        slapd.args

# Load dynamic backend modules:
# moduleload    back_ldap.la
modulepath      /usr/local/openldap/libexec/openldap
moduleload      argon2.la
moduleload      back_mdb.la
moduleload      back_meta.la
moduleload      back_ldap.la
moduleload      dynlist.la
moduleload      memberof.la
moduleload      ppolicy.la
moduleload      syncprov.la
moduleload      unique.la
moduleload      rwm.la

access to dn.base=""  by * read
access to dn.base="cn=subschema"  by * read
access to * by * write


#######################################################################
# meta database
#######################################################################

database      meta

suffix        "dc=domain,dc=com"

uri           "ldap://127.0.0.1:3390/dc=directory1,dc=domain,dc=com"
uri           "ldap://127.0.0.1:3391/dc=directory2,dc=domain,dc=com"

rewriteEngine on

# In the context of a BIND operation
rewriteContext bindDN
# Store user who has logged in an internal variable named binddn (for other LDAP operations)
rewriteRule ".+" "${&&binddn($0)}$0" ":"
# If the LDAP operation is a bind, directly rewrite the binddn
# If binddn starts by prefix1 or prefix2, rewrite suffix to directory1
rewriteRule "^uid=(prefix1[^,]+|prefix2[^,]+)(.*),dc=domain,dc=com$" "uid=$1$2,dc=directory1,dc=domain,dc=com" ":@I"
# Else, rewrite suffix to directory2
rewriteRule "^([^,]+),dc=domain,dc=com$" "$1,dc=directory2,dc=domain,dc=com" ":@I"

# For SEARCH LDAP operations
rewriteContext searchDN
# Prefix the string to search by the binddn who has connected previously
rewriteRule "(.*)" "${**binddn}<>$1" ":I"
# If binddn starts by prefix1 or prefix2, remove binddn prefix from string and rewrite suffix to directory1
rewriteRule "^uid=prefix1[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory1,dc=domain,dc=com$2" ":@I"
rewriteRule "^uid=prefix2[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory1,dc=domain,dc=com$2" ":@I"
# If binddn not found or does not start by prefix1 or prefix2, remove binddn prefix from string and rewrite suffix to directory2
rewriteRule "^.*<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory2,dc=domain,dc=com$2" ":@I"
rewriteRule "^.*<>(.*)$" "$1" ":@I"

rewriteContext searchResult
rewriteRule "dc=directory1,dc=domain,dc=com" "dc=domain,dc=com" ":@I"
rewriteRule "dc=directory2,dc=domain,dc=com" "dc=domain,dc=com" ":@I"
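
Added example, not part of David's message or Nadya's reply. Two points documented in slapd-meta(5) explain why the configuration above never enters a rewrite context. First, the rewrite*, map and suffixmassage directives are target-specific in back-meta: they attach to the target introduced by the most recent uri line (above, only the second target gets them), and a rewrite directive that appears before any uri is rejected. Second, the rewrite engine runs only after back-meta has chosen the candidate target(s) for an operation, and it chooses them by comparing the request DN with each target's naming context, so rewriting cannot be used to pick a target: a bind DN such as uid=someone,dc=domain,dc=com lies under neither dc=directory1,dc=domain,dc=com nor dc=directory2,dc=domain,dc=com, no target is a candidate, and no rule is evaluated. The fragment below gives both targets the virtual suffix as naming context, routes on the request DN with subtree-include/subtree-exclude, and lets suffixmassage do the dc=domain,dc=com to dc=directoryN,dc=domain,dc=com translation inside each target's own engine. Hosts, ports, the suffix and the prefix1/prefix2 naming convention are taken from the posted configuration; the dn.regex: form of the subtree rules and the choice to route on the request DN (back-meta selects targets from the request DN, not from the bound identity, so the searchDN rules above, which key on the bind DN, have no direct equivalent) are assumptions to be checked against the slapd-meta(5) page shipped with the installed version.

```conf
# Added example, not David's posted configuration: back-meta with the
# rewriting attached to each target. The global part of slapd.conf
# (include, moduleload, access) is assumed to be the one in the message
# above; 127.0.0.1:3390/3391 and the prefix1/prefix2 convention come
# from there, the subtree rule syntax is an assumption (see slapd-meta(5)).

database        meta
suffix          "dc=domain,dc=com"

# Target 1 (directory1). The naming context in the URI is the virtual
# suffix, so DNs under dc=domain,dc=com can be candidates for this
# target at all. The subtree-include rule then narrows it to the bare
# suffix (needed so a search based at dc=domain,dc=com still reaches
# this server) and to entries whose RDN starts with prefix1 or prefix2.
# The pattern is matched against the normalized request DN, hence
# lowercase.
uri             "ldap://127.0.0.1:3390/dc=domain,dc=com"
subtree-include "dn.regex:^(uid=(prefix1|prefix2)[^,]*,)?dc=domain,dc=com$"

# Everything from a "uri" line down to the next "uri" line belongs to
# that target, including its rewrite engine. suffixmassage is the
# slapd-meta(5) shortcut for the rule pair that turns the virtual suffix
# into the real one on requests and back again on results; any further
# rewriteContext/rewriteRule lines for this target go here as well, and
# only in contexts back-meta actually enters (listed in the REWRITING
# section of slapd-meta(5)); a rule in any other context is never run.
rewriteEngine   on
suffixmassage   "dc=domain,dc=com" "dc=directory1,dc=domain,dc=com"

# Target 2 (directory2): every DN under the suffix except the prefix1/
# prefix2 users, which are excluded so that a bind selects exactly one
# target. The exclude pattern deliberately does not match the bare
# suffix, otherwise searches based at dc=domain,dc=com would skip this
# server.
uri             "ldap://127.0.0.1:3391/dc=domain,dc=com"
subtree-exclude "dn.regex:^uid=(prefix1|prefix2)[^,]*,dc=domain,dc=com$"

rewriteEngine   on
suffixmassage   "dc=domain,dc=com" "dc=directory2,dc=domain,dc=com"
```

With this in place, a bind as uid=prefix1bob,dc=domain,dc=com (constructed name) is sent only to 127.0.0.1:3390 as uid=prefix1bob,dc=directory1,dc=domain,dc=com, a bind as any other uid goes only to 3391 with the directory2 suffix, and a subtree search based at dc=domain,dc=com is fanned out to both servers with the returned DNs massaged back under dc=domain,dc=com. Two checks are worth doing before trusting it: run slapd once with -d -1 and look for the [rw] lines, which show each rewrite context entered and the substitution made (the quickest way to see whether a context is dead), and make sure a bind DN can only ever select one target, since back-meta expects a single candidate for a bind and logs a warning when more than one is selected rather than trying the credentials against both directories as a fallback.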





On 24/03/2025 at 14:10, nivanova@symas.com wrote:
Hi David,
I am not proficient in the rwm either, but I know that back-meta can be configured with its own rewrite engine, and it can definitely be configured to rewrite results. You could move this config into the database definition (without "overlay rwm"), and use rewriteContext searchResult to rewrite the search results. I haven't tested this myself in ages, but I hope it works in your case; there are a lot of examples in the slapd-meta man page.

Best Regards,
Nadya