Hello,
I'm trying to do a rewrite using the rwm overlay: I'm trying to rewrite uid: user1-branch1 to uid: user1
Some context: We have the following situation:
We have a central OpenLDAP with several OU's. In these OU's we have user SubOU's and a user has a UID that is a combination of his CN with a dash and an abbreviation for the OU he is living in.
For example:
OU=Branch1,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch1
OU=Branch2,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch2
The reason this is done in the past (15 or 20 years ago) was that they wanted to have multiple branches and people could authenticate with the cn within there own branch. All very complicated history, but I have to work with it now.
Someone setup a new Samba server a while back and wanted to normalize this Samba config a little so he created a LDAP proxy on this server where he proxied only one OU and did a rwm map from cn to uid. Part of this config:
overlay rwm rwm-map attribute uid cn
This works fine to some extend. One of the problems I found just now is that I don't have a cn anymore in the DN's that I get from this LDAP proxy, besides that, if the proxy has to much access and you search for a uid=User1 it will return both User1 from Branch1 and Branch2, and this could result in some security issues.
For this reason I'm currently doing a little redesign of this setup and I would like to change the rwm-map to a rewrite of the uid where I simply strip everything including the dash in the uid, besides that I'm going to limit access of this proxy by using a proxy user with limited access to only the OU that it needs access to.
The access limitation works just fine. I only need a little help with the rewrite.
Thanks, Jan Hugo Prins
To answer my own question partly, I have now done the following to fix it I think:
olcRwmRewrite: {0}rwm-rewriteEngine on olcRwmRewrite: {1}rwm-rewriteContext searchFilter olcRwmRewrite: {2}rwm-rewriteRule "^(.*)(uid=([a-z]+))(.*)$" "$1(uid=$2-branch1)$3" ":"
I have done this in an LDAP proxy that is specific for branch1 and that is only being used by a samba server available to users in branch1.
When I go to this LDAP server using a ldap browser I see the full objects, and I don't see the dubble UID anymore that was bothering me before.
I don't know if there is a way to alter the UID that is visible in the LDAP browser, but I don't know if that is even needed at this moment.
Jan Hugo Prins
On 6/10/20 2:37 PM, Jan Hugo Prins wrote:
Hello,
I'm trying to do a rewrite using the rwm overlay: I'm trying to rewrite uid: user1-branch1 to uid: user1
Some context: We have the following situation:
We have a central OpenLDAP with several OU's. In these OU's we have user SubOU's and a user has a UID that is a combination of his CN with a dash and an abbreviation for the OU he is living in.
For example:
OU=Branch1,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch1
OU=Branch2,DC=Example,DC=ORG User 1: dn=User1,OU=Branch1,DC=Example,DC=ORG cn=User1 uid=User1-Branch2
The reason this is done in the past (15 or 20 years ago) was that they wanted to have multiple branches and people could authenticate with the cn within there own branch. All very complicated history, but I have to work with it now.
Someone setup a new Samba server a while back and wanted to normalize this Samba config a little so he created a LDAP proxy on this server where he proxied only one OU and did a rwm map from cn to uid. Part of this config:
overlay rwm rwm-map attribute uid cn
This works fine to some extend. One of the problems I found just now is that I don't have a cn anymore in the DN's that I get from this LDAP proxy, besides that, if the proxy has to much access and you search for a uid=User1 it will return both User1 from Branch1 and Branch2, and this could result in some security issues.
For this reason I'm currently doing a little redesign of this setup and I would like to change the rwm-map to a rewrite of the uid where I simply strip everything including the dash in the uid, besides that I'm going to limit access of this proxy by using a proxy user with limited access to only the OU that it needs access to.
The access limitation works just fine. I only need a little help with the rewrite.
Thanks, Jan Hugo Prins
openldap-technical@openldap.org
-
Jan Hugo Prins