To partly answer my own question, I have now done the following, which I think fixes it:
olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext searchFilter
olcRwmRewrite: {2}rwm-rewriteRule "^(.*)\(uid=([a-z]+)\)(.*)$" "$1(uid=$2-branch1)$3" ":"
I have done this in an LDAP proxy that is specific to branch1 and that
is only being used by a Samba server available to users in branch1.
When I go to this LDAP server using an LDAP browser I see the full
objects, and I don't see the double UID anymore that was bothering me
before.
I don't know if there is a way to alter the UID that is visible in the
LDAP browser, but I don't know if that is even needed at this moment.
Jan Hugo Prins
On 6/10/20 2:37 PM, Jan Hugo Prins wrote:
Hello,
I'm trying to do a rewrite using the rwm overlay:
I'm trying to rewrite uid: user1-branch1 to uid: user1
Some context:
We have the following situation:
We have a central OpenLDAP with several OUs. In these OUs we have user
sub-OUs, and a user has a UID that is a combination of his CN with a dash
and an abbreviation for the OU he is living in.
For example:
OU=Branch1,DC=Example,DC=ORG
User 1:
dn=User1,OU=Branch1,DC=Example,DC=ORG
cn=User1
uid=User1-Branch1
OU=Branch2,DC=Example,DC=ORG
User 1:
dn=User1,OU=Branch1,DC=Example,DC=ORG
cn=User1
uid=User1-Branch2
The reason this was done in the past (15 or 20 years ago) was that they
wanted to have multiple branches and people could authenticate with the
cn within their own branch. All very complicated history, but I have to
work with it now.
Someone set up a new Samba server a while back and wanted to normalize
this Samba config a little, so he created an LDAP proxy on this server
where he proxied only one OU and did a rwm map from cn to uid. Part of
this config:
overlay rwm
rwm-map attribute uid cn
This works fine to some extent. One of the problems I found just now is
that I don't have a cn anymore in the DNs that I get from this LDAP
proxy. Besides that, if the proxy has too much access and you search for
uid=User1, it will return both User1 from Branch1 and Branch2, and this
could result in some security issues.
For this reason I'm currently doing a little redesign of this setup, and
I would like to change the rwm-map to a rewrite of the uid where I
simply strip everything including the dash in the uid. Besides that, I'm
going to limit access of this proxy by using a proxy user with limited
access to only the OU that it needs access to.
The access limitation works just fine.
I only need a little help with the rewrite.
Thanks,
Jan Hugo Prins