Hi.
My configuration is like this:
---------
database meta
suffix "ou=a,dc=c,dc=b"
uri "ldap://host:port/ou=a,dc=c,dc=b"
suffixmassage "ou=a,dc=c,dc=b" "dc=a,dc=b"
...
---------
This works fine for everything else, but the uniqueMembers of groupOfUniqueNames do not get rewritten (they are still in the dc=a,dc=b domain).
If I however add a mapping
---------
map objectClass groupOfNames groupOfUniqueNames
map attribute member uniqueMember
---------
then the "member" attributes are correctly rewritten. The problem of course is that I do not want to change the objectclass.
Mapping the attribute to itself does not help either. So
---------
map objectClass groupOfUniqueNames *
map attribute uniqueMember *
---------
does not have any effect.
I must have missed something crucial in the documentation. Can someone please tell me what it is and how I can get uniqueMembers rewritten without changing the objectclass?
OpenLDAP version is 2.4.11 for both the real and the meta server.
BR, Jari-Pekka Arvo
Arvo Jari-Pekka wrote:
> Hi.
> My configuration is like this:
> database meta
> suffix "ou=a,dc=c,dc=b"
> uri "ldap://host:port/ou=a,dc=c,dc=b"
> suffixmassage "ou=a,dc=c,dc=b" "dc=a,dc=b"
> ...
> This works fine for everything else, but the uniqueMembers of groupOfUniqueNames do not get rewritten (they are still in the dc=a,dc=b domain).
> If I however add a mapping
> map objectClass groupOfNames groupOfUniqueNames
> map attribute member uniqueMember
> then the "member" attributes are correctly rewritten. The problem of course is that I do not want to change the objectclass.
> Mapping the attribute to itself does not help either. So
> map objectClass groupOfUniqueNames *
> map attribute uniqueMember *
> does not have any effect.
> I must have missed something crucial in the documentation. Can someone please tell me what it is and how I can get uniqueMembers rewritten without changing the objectclass?
> OpenLDAP version is 2.4.11 for both the real and the meta server.
uniqueMember does not have DN syntax; only attributes with DN syntax are mapped. You should have used groupOfNames/member instead of groupOfUniqueNames/uniqueMember.
p.
I solved this in our setup with the following rewrite rules (for bases dc=c,dc=b,dc=a to dc=b,dc=a):
rewriteContext searchFilter
rewriteRule "(.*)memberUid=(.*)ou=people,dc=c,dc=b,dc=a(.*)" "%1memberUid=%2ou=people,dc=b,dc=a%3" ":"
rewriteContext searchResult
rewriteRule "(.*)memberUid=(.*)ou=people,dc=b,dc=a(.*)" "%1memberUid=%2ou=people,dc=c,dc=b,dc=a%3" ":"
This intercepts the queries of the group memberships and updates the DN, since the attributes are not of the DN type and thus do not get updated by the suffix massage; it then intercepts the response and converts the DN back to what the querier is expecting (basically doing what suffix-massage does).
Change memberUid to whichever membership attribute you are using, and edit the base DNs to match your setup as well. (Yeah, this goes against the attribute definition, but it works in our 2307bis schema setup for posixGroup groups.)
-T
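The two rewrite directions discussed in this thread (the searchFilter and searchResult rules for a membership attribute that suffixmassage skips because its syntax is not DistinguishedName), as an added example that is not part of the thread or of OpenLDAP: a small Python simulation of what such rules have to do, using the virtual and real suffixes from the original post. It goes beyond the posted rules in three ways a practitioner will run into: it anchors the match to the end of the DN so a DN from another naming context is never rewritten, it compares the suffix case-insensitively and ignoring whitespace around commas, and it preserves the optional `#'...'B` part that a uniqueMember value (NameAndOptionalUID) may carry. The attribute list, the sample group entry and the sample filter are constructed for this example.

```python
import re
from typing import Dict, List, Tuple

# Suffixes taken from the thread's back-meta configuration: clients see the
# virtual suffix, the real server holds the data under the real one.
VIRTUAL_SUFFIX = "ou=a,dc=c,dc=b"
REAL_SUFFIX = "dc=a,dc=b"

# Attributes the thread rewrites by regex because their syntax is not
# DistinguishedName (uniqueMember is NameAndOptionalUID, memberUid is a plain
# string), so suffixmassage ignores them.  Hypothetical list for this example.
MEMBER_ATTRS = {"uniquemember", "memberuid"}

# NameAndOptionalUID = DN [ "#" BitString ], e.g. "cn=x,dc=a,dc=b#'0101'B".
_NAME_AND_UID = re.compile(r"^(.*?)(#'[01]*'B)?$", re.S)
# One filter item for a membership attribute; a ')' inside a value is escaped
# as \29 per RFC 4515, so stopping at the first ')' is safe.
_FILTER_ITEM = re.compile(r"\((uniqueMember|memberUid)=([^)]*)\)", re.I)


def _normalize(dn: str) -> str:
    """Drop whitespace around RDN separators so suffix comparison is stable."""
    return re.sub(r"\s*,\s*", ",", dn.strip())


def massage_dn(dn: str, from_suffix: str, to_suffix: str) -> str:
    """Replace the trailing from_suffix of dn with to_suffix, case-insensitively.

    Only a DN that ends with from_suffix (or equals it) is rewritten; a DN
    from another naming context is returned untouched, which an unanchored
    "(.*)suffix(.*)" rule does not guarantee.
    """
    norm, want = _normalize(dn), _normalize(from_suffix)
    if norm.lower() == want.lower():
        return to_suffix
    if norm.lower().endswith("," + want.lower()):
        return norm[: -len(want)] + to_suffix
    return dn


def massage_name_and_uid(value: str, from_suffix: str, to_suffix: str) -> str:
    """Massage a NameAndOptionalUID value, preserving the optional #bitstring."""
    m = _NAME_AND_UID.match(value)
    dn, uid = m.group(1), m.group(2) or ""
    return massage_dn(dn, from_suffix, to_suffix) + uid


def rewrite_entry(entry: Dict[str, List[str]], from_suffix: str,
                  to_suffix: str) -> Dict[str, List[str]]:
    """searchResult direction: massage the entry DN (which slapd's suffixmassage
    does itself) and the membership values of an entry returned by the real
    server, so the client sees the virtual suffix everywhere."""
    out: Dict[str, List[str]] = {}
    for attr, values in entry.items():
        key = attr.lower()
        if key == "dn":
            out[attr] = [massage_dn(v, from_suffix, to_suffix) for v in values]
        elif key in MEMBER_ATTRS:
            out[attr] = [massage_name_and_uid(v, from_suffix, to_suffix) for v in values]
        else:
            out[attr] = list(values)
    return out


def rewrite_filter(filt: str, from_suffix: str, to_suffix: str) -> str:
    """searchFilter direction: massage the assertion values of membership
    attributes in a client filter so the real server can match them."""
    def repl(m):
        return "(%s=%s)" % (m.group(1),
                            massage_name_and_uid(m.group(2), from_suffix, to_suffix))
    return _FILTER_ITEM.sub(repl, filt)


def demo() -> Tuple[Dict[str, List[str]], str]:
    """Constructed sample data: a group as the real server returns it, and a
    membership filter as a client of the meta server would send it."""
    real_entry = {
        "dn": ["cn=admins,ou=groups,dc=a,dc=b"],
        "objectClass": ["groupOfUniqueNames"],
        "uniqueMember": [
            "uid=alice,ou=people,dc=a,dc=b",
            "uid=bob, ou=people, DC=A, DC=B",          # spacing and case differ
            "uid=carol,ou=people,dc=a,dc=b#'0101'B",   # optional uid part
            "uid=dave,ou=people,dc=other,dc=org",      # foreign DN, must not change
        ],
    }
    client_entry = rewrite_entry(real_entry, REAL_SUFFIX, VIRTUAL_SUFFIX)
    client_filter = ("(&(objectClass=groupOfUniqueNames)"
                     "(uniqueMember=uid=alice,ou=people,ou=a,dc=c,dc=b))")
    real_filter = rewrite_filter(client_filter, VIRTUAL_SUFFIX, REAL_SUFFIX)
    return client_entry, real_filter


if __name__ == "__main__":
    entry, filt = demo()
    for v in entry["uniqueMember"]:
        print("uniqueMember:", v)
    print("filter sent to real server:", filt)
```

The failure modes are the same ones to check against a real back-meta setup: a membership value the rule does not match is passed through unchanged, so a client comparing uniqueMember against its own (virtual-suffix) DN silently gets a "not a member" answer, while an unanchored pattern such as the thread's "(.*)ou=people,dc=b,dc=a(.*)" also rewrites any value that merely contains that string.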
openldap-technical@openldap.org