Hi, I need some kind of overlay which allows me to rewrite attribute values. I.e. if there's an object "cn=a,ou=src,dc=my,dc=com" which has attributes like memberUid="uid=usrA,ou=rest,ou=of,dc=the,dc=dn" and memberUid="uid=usrB,ou=rest,ou=of,dc=the,dc=dn" I want that overlay to suffixmassage (or whatever) it to an object like "cn=b,ou=dst,dc=my,dc=com" where for example memberUid="usrA" memberUid="usrB" but the rest (i.e. other Attributes like 'gidNumber', 'userPassword', 'description',...) of the object should be identical to the 'source'-object.
The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.
It would be very nice if it was possible to use regular expressions with backreferences for matching/rewriting the values or if there was a chance to 'plug in' an external program which accomplishes that job. (As far as I know slapo-rwm is only capable of rewriting DNs and attribute names etc. but no values, isn't it? So I need something else...)
Thanks in advance! Tom
Thomas Wunder wrote:
> Hi, I need some kind of overlay which allows me to rewrite attribute values. I.e. if there's an object "cn=a,ou=src,dc=my,dc=com" which has attributes like memberUid="uid=usrA,ou=rest,ou=of,dc=the,dc=dn" and memberUid="uid=usrB,ou=rest,ou=of,dc=the,dc=dn" I want that overlay to suffixmassage (or whatever) it to an object like "cn=b,ou=dst,dc=my,dc=com" where for example memberUid="usrA" memberUid="usrB" but the rest (i.e. other Attributes like 'gidNumber', 'userPassword', 'description',...) of the object should be identical to the 'source'-object.
> The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.
You're misusing the schema here. The memberUid attribute is only for simple user IDs, not DNs.
> It would be very nice if it was possible to use regular expressions with backreferences for matching/rewriting the values or if there was a chance to 'plug in' an external program which accomplishes that job. (As far as I know slapo-rwm is only capable of rewriting DNs and attribute names etc. but no values, isn't it? So I need something else...)
slapo-rwm rewrites DNs in DN-valued attributes as well. "DN-valued" meaning that the attribute's syntax is distinguishedName. It does not rewrite any other attributes.
> Thanks in advance! Tom
Howard Chu writes:
> Thomas Wunder wrote:
>> The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.
> You're misusing the schema here. The memberUid attribute is only for simple user IDs, not DNs.
...so you should put DNs in the 'member' attribute like the autogroup doc says. And you could write an overlay which inspects 'member' and creates a 'memberUid' attribute. If you take that route, look at overlay usn in contrib/slapd-modules/ for a "template" if you want memberUid to be maintained when member is updated, or allop or overlays/dynlist if you want the attributes to be generated dynamically for searches. The latter means member and memberUid are guaranteed to be in sync, but some operations won't see memberUid - e.g. like filtering for a memberUid, depending on how thoroughly you implement it.
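The 'member' to 'memberUid' derivation suggested above, sketched as an added example that is not code from this thread or from any OpenLDAP overlay: it parses each DN with RFC 4514 escaping in mind and refuses values that would not be a plain user name. The function names, the name allowlist and the sample list are assumptions; the subtree is the one from the original question.

```python
import re
# RFC 4514 escape: backslash + two hex digits, or backslash + one character.
_ESCAPE = re.compile(r"\\([0-9A-Fa-f]{2}|.)", re.DOTALL)
# Conservative allowlist for names handed to NSS (an assumption of this example).
_PLAIN_NAME = re.compile(r"[A-Za-z_][A-Za-z0-9_.-]*")
SUFFIX = "ou=rest,ou=of,dc=the,dc=dn"  # user subtree from the thread's example
# Constructed sample: two valid members, an escaped comma, a non-uid entry.
SAMPLE = ["uid=usrA," + SUFFIX, "uid=usrB," + SUFFIX,
          r"uid=usr\,C," + SUFFIX, "cn=admins," + SUFFIX]

def _split_unescaped(text, sep):
    """Split on sep, ignoring occurrences that are backslash-escaped."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1  # an escape pair is copied whole
        if step == 1 and text[i] == sep:
            parts.append(cur)
            cur = ""
        else:
            cur += text[i:i + step]
        i += step
    return parts + [cur]

def member_to_uid(dn, suffix=SUFFIX):
    """Return the uid from a 'member' DN, or raise ValueError."""
    rdns = [r.strip() for r in _split_unescaped(dn, ",")]
    if len(_split_unescaped(rdns[0], "+")) != 1:
        raise ValueError("multi-valued leading RDN")
    attr, eq, value = rdns[0].partition("=")
    if not eq or attr.strip().lower() != "uid":
        raise ValueError("leading RDN is not uid")
    if ",".join(rdns[1:]).lower() != suffix.lower():
        raise ValueError("entry is outside the expected subtree")
    uid = _ESCAPE.sub(lambda m: chr(int(m.group(1), 16)) if len(m.group(1)) == 2
                      else m.group(1), value.strip())
    if not _PLAIN_NAME.fullmatch(uid):
        raise ValueError("value is not a plain user name")
    return uid

def derive_member_uids(member_dns, suffix=SUFFIX):
    uids, rejected = [], []
    for dn in member_dns:
        try:
            uid = member_to_uid(dn, suffix)
        except ValueError as exc:
            rejected.append((dn, str(exc)))  # keep the reason for review
            continue
        if uid not in uids:
            uids.append(uid)
    return uids, rejected
```

A plain regular expression such as `uid=([^,]+)` would turn the third sample DN into `usr\`; here it ends up in the rejected list instead of in a group that NSS consumers trust.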
On Tuesday 13 July 2010 18:46:48 you wrote:
> You're misusing the schema here. The memberUid attribute is only for simple user IDs, not DNs.
I know, but the DN is just what came out of the autogroup overlay. However Raphaël Ouazana supplied a patch which should fix this kind of problem. I still didn't have any time to try it out but it sounds pretty much like what I need.
> slapo-rwm rewrites DNs in DN-valued attributes as well. "DN-valued" meaning that the attribute's syntax is distinguishedName. It does not rewrite any other attributes.
I may need attribute-value-rewriting in other situations too but I find it really hard to get it working the way I need it. I don't come to grips with the manpage... (Is there some more detailed documentation?) Can you show me what the config section should look like to rewrite e.g. the memberUid attribute value the way I explained it in my previous post?
Thanks! Best regards Tom
Hi,
On Tue 13 July 2010 14:10, Thomas Wunder wrote:
> The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.
If you need this for autogroup, you should try my patch for the overlay: http://www.openldap.org/its/index.cgi?findid=6536 Its purpose is precisely to get an attribute value instead of the dn to construct the group.
Regards, Raphaël Ouazana.
Hi Raphael, thank you very much, your patch made slapo-autogroup behave exactly the way I need it!
On Thursday 15 July 2010 11:18:29 you wrote:
> Hi,
> On Tue 13 July 2010 14:10, Thomas Wunder wrote:
>> The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.
> If you need this for autogroup, you should try my patch for the overlay: http://www.openldap.org/its/index.cgi?findid=6536 Its purpose is precisely to get an attribute value instead of the dn to construct the group.
> Regards, Raphaël Ouazana.
openldap-technical@openldap.org