----- On Mar 6, 2016, at 12:55 PM, Michael Ströder [email protected] wrote:
>
> Have a closer look at slapo-rwm(5), section REWRITE CONFIGURATION EXAMPLES:
> http://www.openldap.org/software/man.cgi?query=slapo-rwm
>
> In particular:
>
> # Bind with email instead of full DN: we first need
> # an ldap map that turns attributes into a DN (the
> # argument used when invoking the map is appended to
> # the URI and acts as the filter portion)
> rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
>
> # Then we need to detect DN made up of a single email,
> # e.g. `[email protected]'; note that the rule
> # in case of match stops rewriting; in case of error,
> # it is ignored. In case we are mapping virtual
> # to real naming contexts, we also need to rewrite
> # regular DNs, because the definition of a bindDN
> # rewrite context overrides the default definition.
> rwm-rewriteContext bindDN
> rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
>
Okay, so I'm sure I'm missing something simple here, but I'm trying out the
rewrite using the above examples pretty much copied as-is to see if I can just get a
bind DN of mail= to turn into the correct full DN. Here are the relevant
portions of my config:
## Meta Database for Fronting Real Directory
database meta
network-timeout 10
nretries 10
suffix "dc=example,dc=com"
uri "ldaps://ldap1.example.com/dc=example,dc=com" "ldaps://ldap2.example.com" "ldaps://ldap3.example.com"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteMap ldap attr2dn "ldaps://ldap1.example.com:3636/dc=example,dc=com?dn?sub"
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
I'm not sure how much the order of stuff matters, here - I'll try out a few
variations on that - but the above doesn't yield a good result when I try to
connect with:
ldapsearch -b dc=example,dc=com -D [email protected] -W -x cn=Some\ User
I enter the password for the user associated with the e-mail address
[email protected], and just get an Invalid Credentials result. Also,
I've tried various debugging levels and am not seeing any debug messages
related to the rwm overlay - nothing indicating that it picked up on the mail=
bindDN and tried to search/convert that to a "real" DN.
Thanks,
Nick
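The following is an added illustration, not part of the original post or of OpenLDAP's code: it simulates what the quoted bindDN rewrite rule and the attr2dn "ldap" map do to a bind DN, using a constructed in-memory stand-in for the directory (the DNs and addresses in FAKE_DIRECTORY are made up; the URI follows the poster's config). It shows which bind DNs the regex accepts, the lookup URL the map would request, and how the ":@I" flags behave when the lookup finds nothing.

```python
import re
from urllib.parse import quote

# Rule and map URI as they appear in the thread.
BIND_DN_RULE = re.compile(r"^mail=[^,]+@[^,]+$")
ATTR2DN_URI = "ldaps://ldap1.example.com:3636/dc=example,dc=com?dn?sub"

# Constructed stand-in for the real directory. The real "ldap" map sends the
# filter to the server; here the same filter is evaluated against this dict.
FAKE_DIRECTORY = {
    "uid=jdoe,ou=people,dc=example,dc=com": {"mail": "jdoe@example.com"},
    "uid=asmith,ou=people,dc=example,dc=com": {"mail": "asmith@example.com"},
}


def attr2dn_lookup_url(filter_text):
    """URL the ldap map would request: its argument is appended as the filter."""
    return f"{ATTR2DN_URI}?{quote(filter_text, safe='=@')}"


def attr2dn(filter_text):
    """Simulate the 'ldap' map: DN of the single entry matching an attr=value
    filter, or None when the search finds no (or more than one) entry.
    mail uses a case-ignoring match, so compare case-insensitively."""
    attr, _, value = filter_text.partition("=")
    hits = [dn for dn, entry in FAKE_DIRECTORY.items()
            if entry.get(attr, "").lower() == value.lower()]
    return hits[0] if len(hits) == 1 else None


def rewrite_bind_dn(bind_dn):
    """Apply rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I".
    Returns (resulting_dn, rule_matched).
    '@' stops rewriting after this rule; 'I' means a map error is ignored
    and the original string is used, so a failed lookup leaves the DN as-is."""
    match = BIND_DN_RULE.match(bind_dn)
    if not match:
        # A DN with further RDNs (commas) or without mail= is not touched.
        return bind_dn, False
    mapped = attr2dn(match.group(0))  # $0 is the whole matched string
    if mapped is None:
        return bind_dn, True          # 'I': lookup error ignored, DN unchanged
    return mapped, True


if __name__ == "__main__":
    for dn in ("mail=jdoe@example.com", "mail=nobody@example.com",
               "mail=jdoe@example.com,dc=example,dc=com"):
        print(dn, "->", rewrite_bind_dn(dn))
```

Because the rule only matches a DN that consists of the single mail= component, a bind DN such as "mail=user@example.com,dc=example,dc=com" passes through unchanged and would then be bound against the real directory literally.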