Hi,
I have some special requirements for an LDAP installation. I want to use a central LDAP for a group of users having access to different services. The user should be able to set a different password for each service. I try to keep the effort low, therefore I particularly do not want to modify each of the services. (They all authenticate via LDAP bind.)
To achieve the desired features I tried to use the following entity tree.
dn: uid=alex,ou=People,dc=example,dc=com
dn: cn=service1,uid=alex,ou=People,dc=example,dc=com
dn: cn=service2,uid=alex,ou=People,dc=example,dc=com
The uid=alex entity is the real account. It stores the name, uid, the master password for this account and possibly other attributes. The "sub"-entities with cn=service* should only store the password, if it is set to a special value.
Now the problem: It should be possible to find the service entities if matched against attributes of the "master" account. That means that I want to search for (uid=alex) and want to find all the three DNs mentioned above (but only the first DN should keep the real data - I do not want to sync all data on every change into all "sub"-entities).
What I have tried so far:
- collect-overlay: Apart from the problem that I have to specify the explicit master DN (it is impossible to specify something like uid=*,ou=People...), the collected attributes could not be matched with a filter during an LDAP search.
- rwm-overlay: I did not find a context, where I could rewrite the dn, that is matched against a filter and I do not know if it is possible. The searchFilterAttrDN context sounds promising, but I did not find any documentation.
So what can I do to get it working? It seems that maybe an ldap-backend or meta-backend proxying the requests to the local server could be used to achieve that, but I wanted to know if there is any easier way.
If the attributes are inherited, the LDAP bind with the password fallback could be achieved in a way with the rwm-overlay:
dn: olcOverlay=rwm,olcDatabase={1}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: rwm
olcRwmRewrite: rwm-rewriteEngine "on"
olcRwmRewrite: rwm-rewriteMap slapd usermap "ldap:///ou=People,dc=example,dc=com?dn?sub"
olcRwmRewrite: rwm-rewriteContext "bindDN"
olcRwmRewrite: rwm-rewriteRule "^(cn=[^,]+),(uid=[^,]+),.*$" "${usermap((&(userPassword=*)($1)($2)))}" ":@I"
olcRwmRewrite: rwm-rewriteRule "^cn=[^,]+,(uid=[^,]+),.*$" "${usermap((&(userPassword=*)($1)))}" ":@I"
olcRwmTFSupport: no
olcRwmNormalizeMapped: FALSE
Thanks, Alex
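A worked model of how the bindDN rules in the post resolve, added here as an example and not part of Alex's post or of OpenLDAP: it replays the two rwm-rewriteRule lines against a constructed in-memory copy of the tree, with and without the attribute inheritance the post says the approach depends on. Assumed: sub-entries inherit every parent attribute except userPassword, and a usermap lookup fails unless it returns exactly one entry (check both against slapo-rwm(5) before relying on them).

```python
import re

# Constructed sample tree for the post's scenario (not real data): the master
# account and two per-service sub-entries, only one with its own password.
PEOPLE = "ou=People,dc=example,dc=com"
DIRECTORY = {
    f"uid=alex,{PEOPLE}": {"uid": ["alex"], "cn": ["Alex"], "userPassword": ["{SSHA}master"]},
    f"cn=service1,uid=alex,{PEOPLE}": {"cn": ["service1"], "userPassword": ["{SSHA}svc1"]},
    f"cn=service2,uid=alex,{PEOPLE}": {"cn": ["service2"]},
}
# The post's two bindDN rules: (regex, usermap filter; $1/$2 written as {0}/{1}).
RULES = [
    (r"^(cn=[^,]+),(uid=[^,]+),.*$", "(&(userPassword=*)({0})({1}))"),
    (r"^cn=[^,]+,(uid=[^,]+),.*$", "(&(userPassword=*)({0}))"),
]

def visible_attrs(dn, inherit):
    """Attributes a search sees on an entry. With inherit=True a sub-entry also
    shows parent attributes it lacks (the inheritance the post presupposes);
    userPassword stays entry-local (assumption: that is what sub-entries are for)."""
    attrs = {a: list(v) for a, v in DIRECTORY[dn].items()}
    if inherit:
        for a, v in DIRECTORY.get(dn.split(",", 1)[1], {}).items():
            if a != "userPassword":
                attrs.setdefault(a, list(v))
    return attrs

def usermap(ldap_filter, inherit):
    """Model of the 'usermap' rewriteMap: a subtree search under ou=People for an
    AND of equality/presence assertions. Assumption: the map only succeeds when
    exactly one entry matches; zero or several hits count as a failed lookup."""
    assertions = re.findall(r"\((\w+)=([^()]*)\)", ldap_filter)
    hits = []
    for dn in DIRECTORY:
        attrs = visible_attrs(dn, inherit)
        if all(a in attrs and (v == "*" or v in attrs[a]) for a, v in assertions):
            hits.append(dn)
    return hits[0] if len(hits) == 1 else None

def rewrite_bind_dn(dn, inherit=True):
    """First rule whose lookup succeeds gives the DN the bind is performed
    against; a failed lookup falls through to the next rule, and with no match
    the DN is left as is (the intent of the post's ':@I' flags)."""
    for regex, template in RULES:
        m = re.match(regex, dn)
        if m and (target := usermap(template.format(*m.groups()), inherit)):
            return target
    return dn
```

Under these assumptions cn=service1 resolves to its own entry with inheritance on, while cn=service2 (no own password) gets no unambiguous fallback because the second rule's filter also matches the service1 entry; with inheritance off every service bind resolves to the master entry.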