> Hi
>
> I have some problems with the rwm overlay and an ldap backend on an
> OpenLDAP 2.3.20 server that I hope someone can shed some light upon.
>
> I need to bind - using an email address - to a backend ldap using a
> frontend meta/proxy server. So I've used the example from the slapo-rwm
> man page (the DN made up of single email) example. But I cannot get it
> to work. When I do a
>
> ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
> "([EMAIL PROTECTED])"
>
> it returns the entry including the mail attribute - from the backend
> ldap (somehost.somewhere.com) - as expected. But when trying to bind
> using the mail address ([EMAIL PROTECTED]) it (the
> proxymetaldap server) doesn't contact the backend server
> (someserver.somewhere.com).

because "[EMAIL PROTECTED]", although being a perfectly valid DN, does
not match the suffix of any database, so no database can be selected.
Set the suffix of the ldap database to "" and it will work.

> I expect it to not even use the rewrite rule when binding as anonymous
> (so it just queries all databases that are defined),

nope. anonymous doesn't even get to databases, because the frontend
knows how to handle it.

> but that it does
> match the rule when binding with the email address.
>
> In my config below I would expect it to:
>
> 1. Match the rule when given [EMAIL PROTECTED]
> 2. Do an anonymous search for the DN in somehost.somewhere.com
> 3. Bind with the found DN
>
> Is this not possible?
>
> My config is as follows:
>
> ############### Begin config ##############################
>
> include /q/disk_0/openldap/etc/openldap/schema/core.schema
> include /q/disk_0/openldap/etc/openldap/schema/cosine.schema
> include /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
> include /q/disk_0/openldap/etc/openldap/schema/nis.schema
> loglevel 256
> pidfile /q/disk_0/openldap/var/run/slapd.pid
> argsfile /q/disk_0/openldap/var/run/slapd.args
>
> database ldap
> suffix "dc=somewhere,dc=com"
> uri ldap://somehost.somewhere.com/
>
> overlay rwm
> rwm-rewriteEngine on
> rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,[EMAIL PROTECTED],]+$" "${csattr2dn($0)}" ":@I"
>
> lastmod off
>
> ################# End config ########################
>
> For some servers an anonymous bind might not be possible so I just
> expect it to bind with a given username and password to do the search
> (pseudorootdn). Is this a suitable option?

not with the pseudorootdn. All you can do in this case is use the
identity assertion feature so that it binds with a given identity
regardless of the identity of the client. This requires a bit of work
and in general it's not recommended.

p.

Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:  +39.02.23998309
Mobile:  +39.333.4963172
Email:   [EMAIL PROTECTED]
------------------------------------------
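The poster's slapd.conf with the change the reply describes applied, as an added example (not the poster's file and not code from the OpenLDAP project); the hostnames and paths are the poster's placeholders, and the bind-DN regex is assumed to be the general form from slapo-rwm(5), since the poster's exact pattern was masked by the archive.

```conf
# Proxy slapd.conf (assumed example): only the suffix line changes.
include /q/disk_0/openldap/etc/openldap/schema/core.schema
include /q/disk_0/openldap/etc/openldap/schema/cosine.schema
include /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
include /q/disk_0/openldap/etc/openldap/schema/nis.schema
loglevel 256
pidfile  /q/disk_0/openldap/var/run/slapd.pid
argsfile /q/disk_0/openldap/var/run/slapd.args

database ldap
# The frontend chooses a database by matching the bind DN against each
# database's suffix before any overlay runs. "mail=user@somewhere.com"
# is a valid DN but is not under "dc=somewhere,dc=com", so with the
# original suffix no database is selected and the bindDN rewrite never
# executes. The empty suffix matches every DN, so the bind reaches this
# backend and the rwm overlay; searches under dc=somewhere,dc=com still
# land here because that subtree is below "".
suffix ""
uri    ldap://somehost.somewhere.com/

overlay rwm
rwm-rewriteEngine on
# Map: run an anonymous search on the backend with the rule's match as
# the filter and return the matching entry's DN ("?dn?sub").
rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
rwm-rewriteContext bindDN
# A bind DN made of a single mail= RDN is replaced by the DN the map
# returns. ":@I" stops rewriting on match and ignores a map error, so a
# lookup that finds no entry leaves the DN unchanged.
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${csattr2dn($0)}" ":@I"

lastmod off
```

A simple bind through the proxy, for example `ldapwhoami -x -H ldap://proxymetaldap.somewhere.com/ -D "mail=user@somewhere.com" -W`, is now routed to the ldap backend and through the rewrite rule instead of being rejected by the frontend for lacking a matching database.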
