Hi

Thanks for the reply.

Pierangelo Masarati wrote:
>>
>> I need to bind - using an email address - to a backend ldap using a
>> frontend meta/proxy server. So I've used the example from the slapo-rwm
>> man page (the DN made up of single email) example. But I cannot get it
>> to work. When I do a
>>
>> ldapsearch -h proxymetaldap.somewhere.com -x -b "dc=somewhere,dc=com"
>> "([EMAIL PROTECTED])"
>>
>> it returns the entry including the mail attribute - from the backend
>> ldap (somehost.somewhere.com) - as expected. But when trying to bind
>> using the mail address ([EMAIL PROTECTED]) it (the
>> proxymetaldap server) doesn't contact the backend server
>> (someserver.somewhere.com).
>
> because "[EMAIL PROTECTED]", although being a perfectly valid DN,
> does not match the suffix of any database, so no database can be selected.
> Set the suffix of the ldap database to "" and it will work.
>

It doesn't. Let me try to explain what I intend to do:

Take an email as input to the meta LDAP: [EMAIL PROTECTED]

Based on the suffix (a.somewhere.com), determine the proper backend
database to query (dc=a,dc=somewhere,dc=com) and rewrite the postfix
(someone) to a value specific for the chosen backend, e.g. uid=someone
or cn=someone.

Now find the DN for the value (uid=someone) in the backend and do a bind.

Naturally there should be several backends defined: b.somewhere.com,
c.somewhere.com etc.

Is this not possible?

>
>> I expect it to not even use the rewrite rule when binding as anonymous
>> (so it just queries all databases that are defined),
>
> nope. anonymous doesn't even get to databases, because the frontend knows
> how to handle it.

So if I have several backends and connect to the meta anonymously, I
cannot get the anonymously available data from all backends in one
search?

>
>> but that it does
>> match the rule when binding with the email address.
>>
>> In my config below I would expect it to:
>>
>> 1. Match the rule when given [EMAIL PROTECTED]
>> 2. Do an anonymous search for the DN in somehost.somewhere.com
>> 3. Bind with the found DN
>>
>> Is this not possible?
>>
>> My config is as follows:
>>
>> ############### Begin config ##############################
>>
>> include /q/disk_0/openldap/etc/openldap/schema/core.schema
>> include /q/disk_0/openldap/etc/openldap/schema/cosine.schema
>> include /q/disk_0/openldap/etc/openldap/schema/inetorgperson.schema
>> include /q/disk_0/openldap/etc/openldap/schema/nis.schema
>> loglevel 256
>> pidfile /q/disk_0/openldap/var/run/slapd.pid
>> argsfile /q/disk_0/openldap/var/run/slapd.args
>>
>> database ldap
>> suffix "dc=somewhere,dc=com"
>> uri ldap://somehost.somewhere.com/
>>
>> overlay rwm
>> rwm-rewriteEngine on
>> rwm-rewriteMap ldap csattr2dn "ldap://somehost.somewhere.com/ou=People,ou=Accounts,dc=somewhere,dc=com?dn?sub"
>> rwm-rewriteContext bindDN
>> rwm-rewriteRule "^mail=[^,[EMAIL PROTECTED],]+$" "${csattr2dn($0)}" ":@I"
>>
>> lastmod off
>>
>> ################# End config ########################
>>
>> For some servers an anonymous bind might not be possible, so I just
>> expect it to bind with a given username and password to do the search
>> (pseudorootdn). Is this a suitable option?
>
> not with the pseudorootdn. All you can do in this case is use the
> identity assertion feature so that it binds with a given identity
> regardless of the identity of the client. This requires a bit of work and
> in general it's not recommended.
>
> p.
>
>
> Ing. Pierangelo Masarati
> Responsabile Open Solution
> OpenLDAP Core Team
>
> SysNet s.n.c.
> Via Dossi, 8 - 27100 Pavia - ITALIA
> http://www.sys-net.it
> ------------------------------------------
> Office: +39.02.23998309
> Mobile: +39.333.4963172
> Email: [EMAIL PROTECTED]
> ------------------------------------------
>

-- 
MVH / Best regards

Mikael M. Hansen
IT-administrator
Computer Science Dept.
Aalborg University
Fredrik Bajers Vej 7E
DK-9220 Aalborg, Denmark
Email: [EMAIL PROTECTED]
Phone: +45 9635 8905
Room: E2-121
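The following slapd.conf fragment is an added example and is not the configuration posted in the thread. It applies the change suggested in the quoted reply (an empty suffix on the proxy database, so that a bind DN of the form mail=someone@a.somewhere.com is routed to that database at all) and uses the unmangled rewrite rule from the slapo-rwm man page, narrowed to one rule per mail domain. It assumes a single backend host, somehost.somewhere.com, that holds both naming contexts dc=a,dc=somewhere,dc=com and dc=b,dc=somewhere,dc=com; the map names a2dn and b2dn and the ou=People bases are likewise assumptions.

```conf
# Added example (not the poster's config). Assumes one backend host
# serving both naming contexts; map names and bases are made up.

# A DN such as "mail=someone@a.somewhere.com" is syntactically valid but
# matches no ordinary suffix, so slapd never selects a database for it.
# With suffix "" this proxy database receives every DN no other
# database claims, and only then does the rwm overlay get to run.
database        ldap
suffix          ""
uri             "ldap://somehost.somewhere.com/"

overlay         rwm
rwm-rewriteEngine   on

# One ldap map per backend naming context. The map opens its own
# (anonymous) connection to the URI, searches the given base with scope
# "sub", uses the rule's input ("mail=someone@a.somewhere.com") as the
# filter, and returns the matching entry's DN.
rwm-rewriteMap  ldap  a2dn  "ldap://somehost.somewhere.com/ou=People,dc=a,dc=somewhere,dc=com?dn?sub"
rwm-rewriteMap  ldap  b2dn  "ldap://somehost.somewhere.com/ou=People,dc=b,dc=somewhere,dc=com?dn?sub"

rwm-rewriteContext  bindDN
# The man-page rule is "^mail=[^,]+@[^,]+$"; here the domain part selects
# the map. "[.]" rather than "\." because the config parser consumes
# backslashes inside quoted strings. The "@" action flag stops rewriting
# after the first matching rule. No "I" flag: if the lookup fails, the
# rule fails and the bind fails with it instead of being forwarded with
# an unresolved DN.
rwm-rewriteRule "^mail=[^,]+@a[.]somewhere[.]com$"  "${a2dn($0)}"  ":@"
rwm-rewriteRule "^mail=[^,]+@b[.]somewhere[.]com$"  "${b2dn($0)}"  ":@"
# Any other bind DN (e.g. an ordinary uid=...) is passed through unchanged.

lastmod         off
```

Two checks before relying on this. First, the DN lookup is performed by the map on its own connection, not with the client's credentials, so the backend's ACLs must allow that anonymous search to read the mail attribute and return the DN; a backend that forbids anonymous reads is exactly the case the quoted reply says pseudorootdn does not cover. Second, because the client's password is checked against whichever entry the mail filter returns, the mail attribute must be unique in the backend (slapo-unique can enforce that), otherwise a user who can set mail on their own entry can make a bind as someone else's address resolve to their own DN.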
