To answer my own question partly, I have now done the following to fix
it, I think:

olcRwmRewrite: {0}rwm-rewriteEngine on
olcRwmRewrite: {1}rwm-rewriteContext searchFilter
olcRwmRewrite: {2}rwm-rewriteRule "^(.*)\(uid=([a-z]+)\)(.*)$" "$1(uid=$2-branch1)$3" ":"

I have done this in an LDAP proxy that is specific for branch1 and that
is only being used by a samba server available to users in branch1.

When I go to this LDAP server using an LDAP browser I see the full
objects, and I don't see the double UID anymore that was bothering me
before.

I don't know if there is a way to alter the UID that is visible in the
LDAP browser, but I don't know if that is even needed at this moment.

Jan Hugo Prins
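The rule above, simulated in Python as an added example (this is not code from the mail, from Samba or from OpenLDAP). It applies the searchFilter regex once to a whole filter string, then evaluates the result against a constructed three-entry directory with a minimal RFC 4515 equality/and/or/not evaluator, so the difference between the old rwm-map (the same cn exists in both branch OUs) and the per-branch rewrite becomes visible. The entry names, the objectClass values and the assumption that the engine applies the rule once per pass are mine. Two checks it surfaces that are worth running against the real proxy: a uid with characters outside a-z (a digit, an uppercase letter) does not match the rule and the filter reaches the backend unrewritten, and a filter with two uid assertions gets only the last one rewritten because the greedy (.*) anchors on the rightmost match.

```python
import re

# The searchFilter rule from the mail, transcribed into Python's regex dialect
# (the POSIX ERE that slapo-rwm uses and Python's re agree on this pattern).
RULE = re.compile(r"^(.*)\(uid=([a-z]+)\)(.*)$")

# Constructed sample directory (not real data): the same cn exists in two
# branch OUs, as in the mail, and every stored uid carries its branch suffix.
ENTRIES = [
    {"dn": "cn=jan,ou=Branch1,dc=example,dc=org", "objectclass": "posixAccount",
     "cn": "jan", "uid": "jan-branch1"},
    {"dn": "cn=jan,ou=Branch2,dc=example,dc=org", "objectclass": "posixAccount",
     "cn": "jan", "uid": "jan-branch2"},
    {"dn": "cn=piet,ou=Branch1,dc=example,dc=org", "objectclass": "posixAccount",
     "cn": "piet", "uid": "piet-branch1"},
]


def rewrite_search_filter(filt, branch="branch1"):
    """Apply the rule once to a whole filter string, the way the searchFilter
    context sees it. Assumption: one regex substitution per pass (with the
    ^...$ anchors the match consumes the whole string anyway). A filter the
    regex does not match is returned unchanged, which is what reaches the
    backend."""
    m = RULE.match(filt)
    if m is None:
        return filt
    return f"{m.group(1)}(uid={m.group(2)}-{branch}){m.group(3)}"


def parse_filter(text):
    """Parse a small RFC 4515 subset: (attr=value), (&...), (|...), (!...).
    Values containing ')' or escape sequences are out of scope here."""
    node, rest = _parse(text.strip())
    if rest:
        raise ValueError(f"trailing data after filter: {rest!r}")
    return node


def _parse(s):
    if not s.startswith("(") or len(s) < 3:
        raise ValueError(f"expected '(' at {s!r}")
    s = s[1:]
    if s[0] in "&|":
        op, s, kids = s[0], s[1:], []
        while s.startswith("("):
            kid, s = _parse(s)
            kids.append(kid)
        if not s.startswith(")"):
            raise ValueError("unterminated compound filter")
        return (op, kids), s[1:]
    if s[0] == "!":
        kid, s = _parse(s[1:])
        if not s.startswith(")"):
            raise ValueError("unterminated negation")
        return ("!", [kid]), s[1:]
    end = s.index(")")
    attr, sep, value = s[:end].partition("=")
    if not sep:
        raise ValueError(f"only equality assertions are supported: {s[:end]!r}")
    return ("=", attr.lower(), value), s[end + 1:]


def matches(node, entry):
    """Evaluate a parsed filter against one entry. uid and cn use
    caseIgnoreMatch in the standard schema, so values compare case-insensitively."""
    if node[0] == "=":
        _, attr, value = node
        return entry.get(attr, "").lower() == value.lower()
    op, kids = node
    if op == "&":
        return all(matches(k, entry) for k in kids)
    if op == "|":
        return any(matches(k, entry) for k in kids)
    return not matches(kids[0], entry)


def search(filt, entries=ENTRIES):
    """Return the DNs the backend would hand back for a filter string."""
    node = parse_filter(filt)
    return [e["dn"] for e in entries if matches(node, e)]


if __name__ == "__main__":
    # Old setup (rwm-map attribute uid cn): the client's (uid=jan) becomes
    # (cn=jan) and matches both branches if the proxy's bind can see them.
    print("map    :", search("(cn=jan)"))
    # New setup: the rewrite pins the filter to one branch, but only when the
    # regex actually matches, so watch the cases where the rule does not fire.
    for f in ["(uid=jan)", "(&(objectClass=posixAccount)(uid=jan))",
              "(uid=Jan)", "(uid=user1)", "(|(uid=jan)(uid=piet))"]:
        rewritten = rewrite_search_filter(f)
        note = "" if rewritten != f else "   <- rule did not fire"
        print(f"{f:45} -> {rewritten}{note}")
    print("rewrite:", search(rewrite_search_filter("(uid=jan)")))
```

Run it directly to see the table of filters; the rows marked "rule did not fire" are the ones a client could send that the proxy would forward untouched, so the limited proxy bind, not the rewrite, is what keeps those searches inside Branch1.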




On 6/10/20 2:37 PM, Jan Hugo Prins wrote:
> Hello,
>
> I'm trying to do a rewrite using the rwm overlay:
> I'm trying to rewrite uid: user1-branch1 to uid: user1
>
> Some context:
> We have the following situation:
>
> We have a central OpenLDAP with several OU's. In these OU's we have user
> SubOU's and a user has a UID that is a combination of his CN with a dash
> and an abbreviation for the OU he is living in.
>
> For example:
>
> OU=Branch1,DC=Example,DC=ORG
> User 1:
> dn=User1,OU=Branch1,DC=Example,DC=ORG
> cn=User1
> uid=User1-Branch1
>
> OU=Branch2,DC=Example,DC=ORG
> User 1:
> dn=User1,OU=Branch1,DC=Example,DC=ORG
> cn=User1
> uid=User1-Branch2
>
> The reason this was done in the past (15 or 20 years ago) was that they
> wanted to have multiple branches and people could authenticate with the
> cn within their own branch. All very complicated history, but I have to
> work with it now.
>
> Someone set up a new Samba server a while back and wanted to normalize
> this Samba config a little, so he created an LDAP proxy on this server
> where he proxied only one OU and did a rwm map from cn to uid. Part of
> this config:
>
> overlay       rwm
> rwm-map       attribute   uid  cn
>
> This works fine to some extent. One of the problems I found just now is
> that I don't have a cn anymore in the DNs that I get from this LDAP
> proxy; besides that, if the proxy has too much access and you search for
> a uid=User1 it will return both User1 from Branch1 and Branch2, and this
> could result in some security issues.
>
> For this reason I'm currently doing a little redesign of this setup and
> I would like to change the rwm-map to a rewrite of the uid where I
> simply strip everything including the dash in the uid; besides that, I'm
> going to limit access of this proxy by using a proxy user with limited
> access to only the OU that it needs access to.
>
> The access limitation works just fine.
> I only need a little help with the rewrite.
>
> Thanks,
> Jan Hugo Prins
>
>
>
