Hi list,
I've just set up an LDAP proxy on which I wish users to be able to bind with their cn instead of their dn. Some reading led me to say it's possible:
- slapo-rwm (5)
- http://blogs.turmzimmer.net/2008/06/26#ldap-3
- http://www.openldap.org/lists/openldap-software/201004/msg00065.html
and some more.
I run slapd 2.4.11 from Debian Lenny. Here is slapd.conf:
slapd.conf> ##################################################################
slapd.conf> # Global Directives:
slapd.conf> disallow bind_anon
slapd.conf> require authc
slapd.conf> include /etc/ldap/schema/core.schema
slapd.conf> include /etc/ldap/schema/cosine.schema
slapd.conf> include /etc/ldap/schema/nis.schema
slapd.conf> include /etc/ldap/schema/inetorgperson.schema
slapd.conf> pidfile /var/run/slapd/slapd.pid
slapd.conf> argsfile /var/run/slapd/slapd.args
slapd.conf> loglevel -1
slapd.conf> modulepath /usr/lib/ldap
slapd.conf> moduleload back_ldap
slapd.conf> moduleload rwm
slapd.conf> sizelimit 500
slapd.conf> tool-threads 1
slapd.conf> ##################################################################
slapd.conf> # Specific Directives for database #1
slapd.conf>
slapd.conf> database ldap
slapd.conf> suffix "o=MyO"
slapd.conf> uri "ldap://MyLDAP"
slapd.conf> readonly on
slapd.conf> overlay rwm
slapd.conf> rwm-rewriteEngine on
slapd.conf> rwm-rewriteContext bindDN
slapd.conf> rwm-rewriteRule "(.*)" "cn=$1,ou=SubOU,ou=OU,o=MyO" ":"
When trying to bind from Thunderbird as the client with just "MyCN", the connection fails with "invalid dn". I expected some info about rwm rewriting:
syslog> slapd[11027]: conn=5 op=0 do_bind
syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)
syslog> slapd[11027]: send_ldap_result: conn=5 op=0 p=3
syslog> slapd[11027]: send_ldap_result: err=34 matched="" text="invalid DN"
syslog> slapd[11027]: send_ldap_response: msgid=1 tag=97 err=34
syslog> slapd[11027]: conn=5 op=0 RESULT tag=97 err=34 text=invalid DN
When trying to bind with a valid DN, rwm works as expected. (And of course the bind fails because the rewritten DN does not exist.)
syslog> slapd[11135]: >>> dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: <<< dnPrettyNormal: <cn=MyCN,ou=SubOU,ou=OU,o=MyO>, <cn=MyCN,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: conn=1 op=0 BIND dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO" method=128
syslog> slapd[11135]: do_bind: version=3 dn="cn=MyCN,ou=SubOU,ou=OU,o=MyO" method=128
syslog> slapd[11135]: [rw] bindDN: "cn=MyCN,ou=SubOU,ou=OU,o=MyO" -> "cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO"
syslog> slapd[11135]: >>> dnPrettyNormal: <cn=cn=MyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
syslog> slapd[11135]: <<< dnPrettyNormal: <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>, <cn=cn\3DMyCN,ou=SubOU,ou=OU,o=MyO,ou=SubOU,ou=OU,o=MyO>
So, why isn't rwm used when supplying an invalid DN?
Regards,
-G.-
syslog> slapd[11027]: conn=5 op=0 do_bind
syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)
^^^ The error comes from do_bind(); so the invalid DN is rejected before slapo-rwm comes into play. p.
On 11 May 10 at 09:37, masarati@aero.polimi.it wrote:
syslog> slapd[11027]: conn=5 op=0 do_bind
syslog> slapd[11027]: >>> dnPrettyNormal: <MyCN>
syslog> slapd[11027]: conn=5 op=0 do_bind: invalid dn (glachenal)
^^^ The error comes from do_bind(); so the invalid DN is rejected before slapo-rwm comes into play. p.
Yes, I didn't object to what the logs say :) Is there a way to accept this invalid DN and then rewrite it?
Thanks in advance.
Regards,
-G.-
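As an added illustration (not code from this thread or from OpenLDAP), here is a small Python model of the order of operations the reply describes: do_bind() checks DN syntax before slapo-rwm sees the bind DN, so a bare "MyCN" is refused with err=34, while a full DN is matched by the posted "(.*)" rule and wrapped into the cn=cn\3DMyCN,... form that appears in the log. The anchored rule at the end is my own assumption of how a bind with a syntactically valid bare RDN such as "cn=MyCN" could be rewritten; it is not something the thread proposes.

```python
import re

# Stand-in for slapd's dnPrettyNormal(): a DN is a comma-separated list of
# attr=value RDNs.  Multi-valued RDNs, quoting, hex escapes and case folding
# are out of scope for this illustration (assumption: simplified syntax).
RDN_RE = re.compile(r'^[A-Za-z][A-Za-z0-9-]*=[^,+]*$')

def is_valid_dn(dn: str) -> bool:
    return all(RDN_RE.match(rdn) for rdn in dn.split(','))

def normalize(dn: str) -> str:
    """Escape '=' inside an RDN value as the posted log shows (\\3D)."""
    out = []
    for rdn in dn.split(','):
        attr, _, val = rdn.partition('=')
        out.append(attr + '=' + val.replace('=', r'\3D'))
    return ','.join(out)

def _rwm_to_python(repl: str) -> str:
    """rwm templates use $1; Python's re.Match.expand() wants \\1."""
    return re.sub(r'\$(\d)', r'\\\1', repl)

def do_bind(dn: str, rules):
    """Model of the order of operations in the thread: syntax check first,
    rewrite second.  A rule with the ':' flag stops after the first match,
    which the early return reproduces.  Returns (ldap_err, effective_dn)."""
    if not is_valid_dn(dn):
        return (34, 'invalid DN')            # err=34, invalidDNSyntax
    for pattern, repl in rules:
        m = re.match(pattern, dn)
        if m:
            return (0, normalize(m.expand(_rwm_to_python(repl))))
    return (0, normalize(dn))

# The rule exactly as posted in slapd.conf.
POSTED_RULE = [(r'(.*)', 'cn=$1,ou=SubOU,ou=OU,o=MyO')]

# Assumption (not from the thread): only rewrite a bare single-RDN cn, and
# leave DNs that already carry a path untouched.
ANCHORED_RULE = [(r'^cn=([^,]+)$', 'cn=$1,ou=SubOU,ou=OU,o=MyO')]

if __name__ == '__main__':
    for dn in ('MyCN', 'cn=MyCN', 'cn=MyCN,ou=SubOU,ou=OU,o=MyO'):
        print(repr(dn), 'posted  ->', do_bind(dn, POSTED_RULE))
        print(repr(dn), 'anchored->', do_bind(dn, ANCHORED_RULE))
```

Whatever the rule, "MyCN" on its own never reaches the rewrite stage, which is the point the reply makes; with the anchored rule the client has to send "cn=MyCN" rather than "MyCN".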
openldap-technical@openldap.org