Nick Couchman wrote:
> Well, I have a situation (a particular application, actually), that is so arcane in its configuration that it requires that all of the users for the application be in the same OU. So, the config for the app is something like: CN=%USERNAME%,ou=Users,dc=example,dc=com
Sounds like you're trying to integrate a Brocade switch. ;-)
> I'm thinking there's probably a way to do this with the rewriteRule and some regular expressions, but I can't find quite the combination of rules/expressions to accomplish this. Any ideas? Or am I stuck making aliases?
Have a closer look at slapo-rwm(5), section REWRITE CONFIGURATION EXAMPLES: http://www.openldap.org/software/man.cgi?query=slapo-rwm
In particular:
# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"

# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
# in case of match stops rewriting; in case of error,
# it is ignored. In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
Note that if your "application" also uses the DN to determine group membership for authorization you would have to rewrite that too. Gets cumbersome...
For strange network equipment it's sometimes much better to have another protocol frontend using your LDAP server as backend (e.g. RADIUS or TACACS+). For one of my customers using Brocade switches we used the existing TACACS+ server with LDAP backend instead.
Ciao, Michael.
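Applying the man page's attr2dn pattern to the fixed-OU bind DN from the original question, here is a slapd.conf fragment as an added example; it is not from the thread or from the slapo-rwm man page. It assumes slapd listens on localhost, that the directory permits an anonymous search on cn under the base, that cn is unique under dc=example,dc=com, and that the application sends the DN with exactly the casing shown in the question (the regex is case-sensitive).

```conf
# Added example (not from the thread): slapd.conf fragment that lets an
# application bind as CN=<user>,ou=Users,dc=example,dc=com although the
# real entries live in other OUs. Assumptions: slapd on localhost, anonymous
# search on cn allowed, cn unique under the base, DN casing as the app sends it.
database        mdb
suffix          "dc=example,dc=com"
# ... rootdn, directory, indexes as usual ...

overlay         rwm
rwm-rewriteEngine on

# Map: search the whole tree with the filter passed as argument and return
# the matching entry's DN (the "?dn?sub" part of the URI).
rwm-rewriteMap ldap cn2dn "ldap://localhost/dc=example,dc=com?dn?sub"

# bindDN context: catch the application's fixed-OU DN and look the user up
# by cn wherever the entry really is. Flags ":@I" = stop rewriting on match,
# ignore lookup errors (the bind then proceeds with the unchanged DN and
# fails normally, so a nonexistent user cannot be mapped onto anything).
rwm-rewriteContext bindDN
rwm-rewriteRule "^CN=([^,]+),ou=Users,dc=example,dc=com$" "${cn2dn(cn=$1)}" ":@I"
```

The ldap map only succeeds when the search returns exactly one entry, and the I flag turns anything else into "leave the DN alone", so cn really must be unique under the base or the rewrite silently does nothing. If anonymous searches are not permitted, add binddn= and credentials= options to the rwm-rewriteMap line so the lookup runs as a dedicated read-only identity. As Michael notes, this only fixes the bind; any place where the application reads DNs back (group membership, search results) would need its own rewrite context.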