On Fri, 17 Feb 2017 14:38:16 +1300, "Lowrie, Paul, Vodafone NZ" <[email protected]> wrote:
> Hi
>
> I've been asked to configure a SLAPD/LDAP proxy with more than one
> LDAP Back-End. The users log into the LDAP client using their email
> address and the proxy uses the domain part of their UID to decide
> which slapd-ldap back-end to authenticate against. I have the proxy
> working - with two defined slapd-ldap back-ends. It's tested and
> works with one back-end at a time.
>
> I need rwm to process a rewrite of both the searchFilter and searchDN
> using a key piece of information identified in the searchFilter to
> decide the searchDN.
>
> Original searchDN = "ou=people,ou=my,dc=proxy,dc=com"
> Original searchFilter="(&(objectClass=posixAccount)([email protected]))"
>
> Rewritten searchDN = "ou=people,ou=domain,dc=one,dc=com"
> Rewritten searchFilter = "(&(objectClass=posixAccount)(uid=john))"
>
> I have:
>
> dn: olcOverlay={0}rwm,olcDatabase={-1}frontend,cn=config
> objectClass: olcOverlayConfig
> objectClass: olcRwmConfig
> olcOverlay: {0}rwm
> olcRwmNormalizeMapped: FALSE
> olcRwmRewrite: {0}rwm-rewriteEngine on
> #
> #Unix LDAP authentication requests arrive with these three components:
> #   searchDN: OU=people,DC=my,DC=proxy,DC=com - as defined on the LDAP client
> #   searchFilter: (&(objectClass=posixAccount)([email protected]))
> #   attributes: userPassword cn gidNumber uidNumber
> #               loginShell objectClass gecos uid homeDirectory
> #
> # {1} searchFilter Context:
> # {2}   rewrite [email protected]:
> #         Strip @domain.one.com part and set &&target to OU=people,DC=domain,DC=one,DC=com
> # {3}   rewrite [email protected]:
> #         Strip @domain.two.com part and set &&target to OU=people,DC=domain,DC=two,DC=com
> # {4} searchDN Context:
> # {5}   rewrite OU=people,DC=my,DC=proxy,DC=com the value already defined in &&target
> #
> olcRwmRewrite: {1}rwm-rewriteContext SearchFilter
> #
> olcRwmRewrite: {2}rwm-rewriteRule "^(.+uid=[^,]+)@domain.one.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=one,dc=com\")}$1$2" ":"
> #
> olcRwmRewrite: {3}rwm-rewriteRule "^(.+uid=[^,]+)@domain.two.com(,.*)$" "${&&target(\"ou=people,dc=domain,dc=two,dc=com\")}$1$2" ":"
> #
> olcRwmRewrite: {4}rwm-rewriteContext searchDN
> #
> olcRwmRewrite: {5}rwm-rewriteRule "OU=people,[ ]?DC=my,[ ]?DC=proxy,[ ]?DC=com " "${**target}" ":"
>
> This results in a slapd crash because searchDN wants to use the
> **target variable, but it's not yet defined because the searchFilter
> Context hasn't been run yet. How do I change the order that the
> rwm-rewriteContexts are executed so that the context for searchFilter
> is run first ?

You may try old fashioned slapd.conf instead of using config database.
There are some ordering problems in config.

-Dieter

--
Dieter Klünter | Systemberatung
http://sys4.de
GPG Key ID: E9ED159B
53°37'09,95"N 10°08'02,42"E
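
The routing the question describes (take the domain from the uid in the searchFilter, choose the back-end base, strip the domain from the uid), as an added example that is not part of the original thread and is not slapd configuration. The function names and sample filters are constructed for illustration; the domains and bases are the ones named in the post. The domain is looked up by exact match, because the unescaped dots in a pattern fragment such as `@domain.one.com` match any character.

```python
import re

# Routing table: mail domain -> back-end search base (values taken from the post).
BACKENDS = {
    "domain.one.com": "ou=people,dc=domain,dc=one,dc=com",
    "domain.two.com": "ou=people,dc=domain,dc=two,dc=com",
}

# One uid assertion of the form (uid=local@domain). The local part may not
# contain filter metacharacters, so the rewritten filter stays well-formed.
UID_ASSERTION = re.compile(r"\(uid=([^()@*\\]+)@([A-Za-z0-9.-]+)\)")

# Domain fragment as written in the posted rules, dots left unescaped.
LOOSE_DOMAIN = re.compile(r"@domain.one.com")


def route_search(search_filter):
    """Return (backend_base, rewritten_filter); raise ValueError if unroutable."""
    matches = UID_ASSERTION.findall(search_filter)
    if len(matches) != 1:
        raise ValueError("expected exactly one uid=local@domain assertion")
    _local, domain = matches[0]
    base = BACKENDS.get(domain.lower())  # exact lookup, no wildcard matching
    if base is None:
        raise ValueError("no back-end configured for domain %r" % domain)
    rewritten = UID_ASSERTION.sub(lambda m: "(uid=%s)" % m.group(1), search_filter)
    return base, rewritten


def loose_pattern_accepts(value):
    """True if the unescaped-dot fragment matches the given string."""
    return LOOSE_DOMAIN.search(value) is not None


if __name__ == "__main__":
    # Constructed sample filters, shaped like the one in the post.
    good = "(&(objectClass=posixAccount)(uid=john@domain.one.com))"
    lookalike = "(&(objectClass=posixAccount)(uid=john@domainXone-com))"
    print(route_search(good))
    print("loose fragment matches look-alike:", loose_pattern_accepts(lookalike))
    try:
        route_search(lookalike)
    except ValueError as exc:
        print("exact lookup rejects look-alike:", exc)
```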
