Hello,
I'm new to openldap's meta backend and I get a strange issue.
I'm able to proxy active directory via openldap using meta backend. It works well except that in my user's DN, I have a comma character which is translated with the following "\2C".
How can I handle that ?
Thanks.
Emmanuel Lesouef wrote:
I'm new to openldap's meta backend and I get a strange issue.
I'm able to proxy active directory via openldap using meta backend. It works well except that in my user's DN, I have a comma character which is translated with the following "\2C".
It should work. You should provide more details: - relevant excerpts of slapd.conf - which LDAP client is doing what (try to reproduce the issue with OpenLDAP's command-line client) - how does the AD entry look like etc.
Ciao, Michael.
First of all, thanks for your answer and sorry for my late reply...
Le Wed, 01 Jul 2009 16:57:24 +0200, Michael Ströder michael@stroeder.com a écrit :
It should work. You should provide more details:
- relevant excerpts of slapd.conf
Here it is (skipped unrelevant parts) :
moduleload back_ldap moduleload back_meta moduleload rwm
database meta
overlay rwm
suffix "dc=authentification,dc=crbn"
uri "ldap://dc1.crbn.intra/ou=ad,dc=authentification,dc=crbn" "ldap://dc2.crbn.intra" suffixmassage "ou=ad,dc=authentification,dc=crbn" "ou=CRBN,dc=crbn,dc=intra"
rwm-rewriteEngine on rwm-map attribute uid sAMAccountname rwm-map objectclass inetOrgPerson user rwm-rewriteContext bindDN rwm-rewriteRule "(.+)2C(.+)" "$1,$2"
uri "ldap://mail.adl.crbn.fr/ou=adl,dc=authentification,dc=crbn" suffixmassage "ou=adl,dc=authentification,dc=crbn" "dc=adl,dc=crbn,dc=fr"
uri "ldap://mail.adl.crbn.fr/ou=lycees,dc=authentification,dc=crbn" suffixmassage "ou=lycees,dc=authentification,dc=crbn" "dc=lycee"
- which LDAP client is doing what (try to reproduce the issue with
OpenLDAP's command-line client)
The result is the same with ldapsearch and with ldapbrowser (java client v2.8.2).
- how does the AD entry look like
Here is an example of an OpenLDAP entry (skipped some attributes not in openldap schema) :
dn: cn=DUPONT, Harry, ou=DSI, ou=ad, dc=authentification,dc=crbn mail: h.dupont@crbn.fr objectGUID:: YBJCaXTvv73vv71C77+9IO+/ve+/ve+/vXvvv73vv70= uid: dupont_h objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson company: DSI name: DUPONT, Harry sn: DUPONT telephoneNumber: 9042 cn: DUPONT, Harry title: Reprographe homeDirectory: \gamelle\users$\dupont_h givenName: Harry displayName: DUPONT Harry userPrincipalName: dupont_h@crbn.intra distinguishedName: cn=DUPONT\2C Harry,ou=DSI,ou=ad,dc=authentification,dc=crbn
And here is the original AD entry :
dn: CN=DUPONT, Harry, OU=DSI, OU=CRBN, DC=crbn,DC=intra mail: h.dupont@crbn.fr objectGUID:: YBJCaXTvv73vv71C77+9IO+/ve+/ve+/vXvvv73vv70= objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user company: DSI name: DUPONT, Harry sn: DUPONT telephoneNumber: 9042 cn: DUPONT, Harry title: Reprographe homeDirectory: \gamelle\users$\dupont_h givenName: Harry displayName: DUPONT Harry userPrincipalName: dupont_h@crbn.intra distinguishedName: CN=DUPONT, Harry,OU=DSI,OU=CRBN,DC=crbn,DC=intra sAMAccountName: dupont_h
Notice the distinguishedName in the two examples... It is not rewriten, but it's another question...
etc.
Hope you have enough informations :)
Ciao, Michael.
Thanks
Emmanuel Lesouef wrote:
rwm-rewriteRule "(.+)2C(.+)" "$1,$2" [..] dn: cn=DUPONT, Harry, ou=DSI, ou=ad, dc=authentification,dc=crbn
I'm pretty sure you should fix your rwm-rewriteRule directive.
distinguishedName: cn=DUPONT\2C Harry,ou=DSI,ou=ad,dc=authentification,dc=crbn
^^^ This also shows that the hex-escaped form if even needed is also made up by the backslash which is missing in your rwm-rewriteRule. Anyway I'd rather try something like first:
rwm-rewriteRule "(([^,]+),([^,]+)" "$1,$2"
But I don't have the spare time testing it for you.
Ciao, Michael.
Emmanuel Lesouef wrote:
First of all, thanks for your answer and sorry for my late reply...
Le Wed, 01 Jul 2009 16:57:24 +0200, Michael Ströder michael@stroeder.com a écrit :
It should work. You should provide more details:
- relevant excerpts of slapd.conf
Here it is (skipped unrelevant parts) :
moduleload back_ldap moduleload back_meta moduleload rwm
database meta
overlay rwm
back-meta has built-in rwm capabilities, you should not use the rwm overlay with it.
suffix "dc=authentification,dc=crbn"
uri "ldap://dc1.crbn.intra/ou=ad,dc=authentification,dc=crbn" "ldap://dc2.crbn.intra" suffixmassage "ou=ad,dc=authentification,dc=crbn" "ou=CRBN,dc=crbn,dc=intra"
rwm-rewriteEngine on rwm-map attribute uid sAMAccountname rwm-map objectclass inetOrgPerson user rwm-rewriteContext bindDN rwm-rewriteRule "(.+)2C(.+)" "$1,$2"
same as above; use the above commands without the "rwm-" prefix.
In any case, "CN=DUPONT, Harry, OU=DSI, OU=CRBN, DC=crbn,DC=intra" and "CN=DUPONT\2C Harry, OU=DSI, OU=CRBN, DC=crbn,DC=intra" are perfectly equivalent from an LDAP point of view. If AD does not recognize this, then it's broken.
If you want back-meta to map "\2C" into "," you need to use
database meta suffix "dc=virtual" uri "ldap://:9011/dc=virtual" rewriteEngine on
rewriteContext searchResult rewriteRule "^(.+,)?dc=real$" "$1dc=virtual"
rewriteContext searchAttrDN alias searchResult rewriteContext matchedDN alias searchResult rewriteContext referralDN alias searchResult
rewriteContext default rewriteRule "^(.+,)?dc=virtual$" "$1dc=real" rewriteRule "^(.*)\\2C(.*)$" "$1\,$2"
See notes about escaping in slapd.conf(5) and slapd-meta(5) and slapo-rwm(5).
uri "ldap://mail.adl.crbn.fr/ou=adl,dc=authentification,dc=crbn" suffixmassage "ou=adl,dc=authentification,dc=crbn" "dc=adl,dc=crbn,dc=fr"
uri "ldap://mail.adl.crbn.fr/ou=lycees,dc=authentification,dc=crbn" suffixmassage "ou=lycees,dc=authentification,dc=crbn" "dc=lycee"
- which LDAP client is doing what (try to reproduce the issue with
OpenLDAP's command-line client)
The result is the same with ldapsearch and with ldapbrowser (java client v2.8.2).
- how does the AD entry look like
Here is an example of an OpenLDAP entry (skipped some attributes not in openldap schema) :
dn: cn=DUPONT, Harry, ou=DSI, ou=ad, dc=authentification,dc=crbn
^^^ this is a VERY UNFORTUNATE naming convention, as "," is a special char in DN. The real fix would be to change it into something less braindead.
mail: h.dupont@crbn.fr objectGUID:: YBJCaXTvv73vv71C77+9IO+/ve+/ve+/vXvvv73vv70= uid: dupont_h objectClass: top objectClass: person objectClass: organizationalPerson objectClass: inetOrgPerson company: DSI name: DUPONT, Harry sn: DUPONT telephoneNumber: 9042 cn: DUPONT, Harry title: Reprographe homeDirectory: \gamelle\users$\dupont_h givenName: Harry displayName: DUPONT Harry userPrincipalName: dupont_h@crbn.intra distinguishedName: cn=DUPONT\2C Harry,ou=DSI,ou=ad,dc=authentification,dc=crbn
And here is the original AD entry :
dn: CN=DUPONT, Harry, OU=DSI, OU=CRBN, DC=crbn,DC=intra mail: h.dupont@crbn.fr objectGUID:: YBJCaXTvv73vv71C77+9IO+/ve+/ve+/vXvvv73vv70= objectClass: top objectClass: person objectClass: organizationalPerson objectClass: user company: DSI name: DUPONT, Harry sn: DUPONT telephoneNumber: 9042 cn: DUPONT, Harry title: Reprographe homeDirectory: \gamelle\users$\dupont_h givenName: Harry displayName: DUPONT Harry userPrincipalName: dupont_h@crbn.intra distinguishedName: CN=DUPONT, Harry,OU=DSI,OU=CRBN,DC=crbn,DC=intra sAMAccountName: dupont_h
Notice the distinguishedName in the two examples... It is not rewriten, but it's another question...
That's because slapd knows nothing about the "distinguishedName" attribute, as it's not standard track. If you define it as a DN-valued attribute, then back-meta can rewrite it, as soon as you instruct it to do so (e.g. by using the "suffixmassage" directive).
p.
openldap-technical@openldap.org
-
Emmanuel Lesouef -
Michael Ströder -
Pierangelo Masarati