Then it seems that I've misinterpreted the way bindDN rewriting works. I actually thought that it would be possible that an operation on an object within the rewritten subtree (ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de) which is started by a user (cn=smbldapadmin,dc=uni-bamberg,dc=de, who is not within the subtree which is rewritten) could be internally carried out with the privileges of a different user (cn=ldapadmin,dc=uni-bamberg,dc=de).
To make it a bit clearer, these are the users/objects involved:

UsrA: cn=smbldapadmin,dc=uni-bamberg,dc=de
Obj : cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
UsrB: cn=ldapadmin,dc=uni-bamberg,dc=de
Obj': cn=A,ou=students,dc=uni-bamberg,dc=de

...and this is what I want my LDAP server to do:

1. UsrA -> bind to LDAP service
2. Add Obj (as UsrA) --- internal rewriting ---> Add Obj' (as UsrB)
3. process "Add Obj'" internally
4. --> if successful, "Obj" should be visible to UsrA

Would it be possible to achieve this with the rwm/relay overlay, or is there another overlay that could do that for me?

On Wednesday 14 April 2010 18:27:32 masar...@aero.polimi.it wrote:
> > Hi!
> >
> > I'm currently using the rwm overlay to filter the objects from my
> > ou=students,dc=uni-bamberg,dc=de directory by their "o" attribute and
> > project the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de.
> > Therefore I use the following section within my slapd.conf (before the
> > "database hdb..." section):
> >
> > database relay
> > suffix "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
> > overlay rwm
> > #rwm-rewriteEngine on
> > rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" "ou=students,dc=uni-bamberg,dc=de"
> > rwm-rewriteContext bindDN
> > rwm-rewriteRule ".*" "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
> > rwm-rewriteContext searchFilter
> > rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"
> >
> > searchFilter rewriting works perfectly, but I also need to rewrite the
> > bindDN, as every operation within ou=students,dc=uni-bamberg,dc=de needs
> > to be carried out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de)
> > (the reason is that I don't want any user other than ldapadmin to be able
> > to write ou=students,dc=uni-bamberg,dc=de, but they should be able to
> > modify entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de).
> > According to the logs and the error reply messages there seems to be no
> > bindDN rewriting done... It looks like the rule never matches.
> >
> > Is my rule not general enough to match each possible bindDN string? Is
> > "cn=ldapadmin,dc=uni-bamberg,dc=de" (replacement string for the bindDN)
> > not well formatted (does it expect something else)? Does the overlay
> > "relay" prevent the replacement of the bindDN?
>
> The code is working as intended, and the rule is general enough; using
> verbatim the configuration you provided, if I run
>
> ldapwhoami -x -H ldap://:9011 \
>     -D 'cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' \
>     -w password
>
> I get
>
> conn=1000 op=0 BIND dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
> do_bind: version=3 dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
> ==> rewrite_context_apply [depth=1] string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de'
> ==> rewrite_rule_apply rule='.*' string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' [1 pass(es)]
> ==> rewrite_context_apply [depth=1] res={0,'cn=ldapadmin,dc=uni-bamberg,dc=de'}
> [rw] bindDN: "cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" -> "cn=ldapadmin,dc=uni-bamberg,dc=de"
> >>> dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>
> => ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de,0)
> <= ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> => ldap_dn2bv(272)
> <= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
> <<< dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>, <cn=ldapadmin,dc=uni-bamberg,dc=de>
>
> ^^^ the mapping occurred as expected.
>
> The bind fails because no database can handle that DN, which I suspect is
> also your case. What's problematic in your design is that although the DN
> is rewritten, the credentials remain those of the user that's actually
> binding, so the bind will always fail. Is this what you expect?
>
> p.
>
> > Any help appreciated!

--
Lehrstuhl für Softwaretechnik und Programmiersprachen
Fakultät WIAI, Universität Bamberg, 96045 Bamberg

Email: thomas.wun...@swt-bamberg.de
Web: http://www.swt-bamberg.de/
Tel.: 0951 863-3852 / Fax: 0951 863-3855
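The following is an added example, not part of the thread and not OpenLDAP or slapo-rwm code: a small Python model of the rewrite chain discussed above, written to make the point in the reply concrete. It assumes a constructed directory with two entries and made-up passwords, models rwm-suffixmassage and the two rwm-rewriteRule lines as whole-string regex substitutions with $N back-references, and leaves out the real engine's rule flags (":@", ":@I") and the relay's backend selection. Running it shows the three things the thread turns on: the ".*" rule does match every bindDN, the bind still fails because the password the client sent is checked against the entry of the rewritten DN, and without the rewrite UsrA's add of Obj is massaged to Obj' and then refused by an ACL that limits writes under ou=students to ldapadmin.

```python
import re

# Constructed model of the rwm rewrite chain discussed in the thread.
# It is NOT slapo-rwm code; it only mimics the observable behaviour:
# a suffix massage, per-context regex rules with $N back-references, and
# a bind whose DN is rewritten while the password the client sent is not.

VIRTUAL_SUFFIX = "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
REAL_SUFFIX = "ou=students,dc=uni-bamberg,dc=de"
LDAPADMIN = "cn=ldapadmin,dc=uni-bamberg,dc=de"
USR_A = "cn=smbldapadmin,dc=uni-bamberg,dc=de"

# (pattern, substitution) per rewrite context, taken from the slapd.conf
# fragment in the thread. Rule flags (":@", ":@I") are not modelled.
RULES = {
    "bindDN": [(r".*", LDAPADMIN)],
    "searchFilter": [(r"(.*)", "(&(o=swt)$1)")],
}

# Constructed directory contents (DN -> attributes); passwords are made up.
DIRECTORY = {
    LDAPADMIN: {"userPassword": "admin-secret"},
    USR_A: {"userPassword": "smb-secret"},
}


def rewrite(context, value, rules=RULES):
    """Return value rewritten by the first matching rule of the context.
    The whole string is replaced by the substitution, with $N expanded to
    capture group N; if no rule matches, value is returned unchanged."""
    for pattern, subst in rules.get(context, []):
        match = re.fullmatch(pattern, value)
        if match is None:
            continue
        return re.sub(r"\$(\d+)", lambda g: match.group(int(g.group(1))), subst)
    return value


def massage_suffix(dn):
    """Map a DN under the virtual suffix to the real one (rwm-suffixmassage)."""
    low = dn.lower()
    if low == VIRTUAL_SUFFIX.lower() or low.endswith("," + VIRTUAL_SUFFIX.lower()):
        return dn[: len(dn) - len(VIRTUAL_SUFFIX)] + REAL_SUFFIX
    return dn


def bind(bind_dn, password, rewrite_binddn=True, directory=DIRECTORY):
    """Simple bind through the relay. Only the DN goes through the rewrite
    engine; the password stays whatever the client sent, so it is compared
    against the entry of the rewritten DN. Returns (bound_identity, dn_used);
    bound_identity is None when the bind fails."""
    dn = rewrite("bindDN", bind_dn) if rewrite_binddn else bind_dn
    entry = directory.get(dn)
    if entry is None or entry.get("userPassword") != password:
        return None, dn
    return dn, dn


def add_entry(identity, dn, attrs, directory=DIRECTORY):
    """Add through the relay: the DN is massaged to the real suffix, then a
    minimal ACL is applied: only ldapadmin may write below REAL_SUFFIX.
    Returns (added, real_dn)."""
    real_dn = massage_suffix(dn)
    if not real_dn.lower().endswith("," + REAL_SUFFIX.lower()):
        return False, real_dn
    if identity != LDAPADMIN:
        return False, real_dn
    directory[real_dn] = dict(attrs)
    return True, real_dn


if __name__ == "__main__":
    obj = "cn=A," + VIRTUAL_SUFFIX
    # 1. UsrA binds with the bindDN rule active: the DN becomes ldapadmin,
    #    but UsrA's password does not match ldapadmin's entry.
    print("bind with rewrite:   ", bind(USR_A, "smb-secret"))
    # 2. Same bind without the rule: UsrA authenticates as UsrA ...
    ident, _ = bind(USR_A, "smb-secret", rewrite_binddn=False)
    print("bind without rewrite:", ident)
    # 3. ... and the add of Obj is massaged to Obj' but refused, because the
    #    identity the ACL sees is still UsrA, not UsrB.
    print("add Obj as UsrA:     ", add_entry(ident, obj, {"o": "swt"}, {}))
    # 4. The searchFilter rule wraps whatever the client sent in (&(o=swt)...).
    print("filter:              ", rewrite("searchFilter", "(cn=A)"))
```

The model makes the design problem visible in one place: rewriting the bind DN changes which entry the server compares the password against, not which password it compares, so the only client that can bind through the ".*" rule is one that already knows ldapadmin's password (and such a client could bind as ldapadmin directly). Carrying an ordinary user's add out with another identity is an authorization (identity-assertion) question, not a DN-rewriting one, which is why the rewrite rules alone cannot express steps 2 and 3 above.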