Hi Nadya,

Thanks for your explanation about the rewrite engine in back-meta! I now understand why it was never called.

Indeed, the rewrite context you provided below is doing exactly what I needed. Thank you very much!

Your help is very much appreciated :)

Regards

David


On 28/03/2025 at 13:31, Nadezhda Ivanova wrote:
Hi David,
I played a bit with your config, and I found out the following:
Unfortunately it seems that the back-meta rewrite engine works per-target, so in your configuration it is actually only applied to the second target, and therefore would not work as intended. There is currently no way to configure it per database, so your original approach of using the rwm overlay is indeed the best. I was able to make it rewrite search entry DNs by adding the following at the end of the rwm overlay config:

rewriteContext searchEntryDN
rewriteRule "^([^,]+),dc=directory.,dc=domain,dc=com$" "$1,dc=domain,dc=com" ":@I"

I hope that's helpful!

Best Regards,
Nadya


------------------------------------------------------------------------

    From: "David Coutadeur" <david.coutad...@gmail.com>
    To: "nivanova" <nivan...@symas.com>, openldap-technical@openldap.org
    Sent: Wednesday, March 26, 2025 10:59:38 AM
    Subject: Re: can rwm rewrite suffix from backend response?


    Hi Nadya,

    Thanks for your answer !

    In my first attempts, I configured the rewrite engine inside the meta
    backend, but without success.

    Neither rewriteContext default nor any specific context was ever
    triggered in this situation.


    As a concrete example, I provide below a full configuration that
    never triggers any rewrite.


    Regards,

    David



    include         /usr/local/openldap/etc/openldap/schema/core.schema
    include         /usr/local/openldap/etc/openldap/schema/cosine.schema
    include         /usr/local/openldap/etc/openldap/schema/inetorgperson.schema


    logLevel 256


    pidfile         slapd.pid
    argsfile        slapd.args

    # Load dynamic backend modules:
    # moduleload    back_ldap.la
    modulepath      /usr/local/openldap/libexec/openldap
    moduleload      argon2.la
    moduleload      back_mdb.la
    moduleload      back_meta.la
    moduleload      back_ldap.la
    moduleload      dynlist.la
    moduleload      memberof.la
    moduleload      ppolicy.la
    moduleload      syncprov.la
    moduleload      unique.la
    moduleload      rwm.la

    access to dn.base=""  by * read
    access to dn.base="cn=subschema"  by * read
    access to * by * write


    #######################################################################

    # meta database
    #######################################################################


    database      meta

    suffix        "dc=domain,dc=com"

    uri "ldap://127.0.0.1:3390/dc=directory1,dc=domain,dc=com"
    uri "ldap://127.0.0.1:3391/dc=directory2,dc=domain,dc=com"

    rewriteEngine on

    # In the context of a BIND operation
    rewriteContext bindDN
    # Store the user who has logged in, in an internal variable named binddn
    # (for other LDAP operations)
    rewriteRule ".+" "${&&binddn($0)}$0" ":"
    # If the LDAP operation is a bind, directly rewrite the binddn
    # If binddn starts with prefix1 or prefix2, rewrite the suffix to directory1
    rewriteRule "^uid=(prefix1[^,]+|prefix2[^,]+)(.*),dc=domain,dc=com$" "uid=$1$2,dc=directory1,dc=domain,dc=com" ":@I"
    # Else, rewrite the suffix to directory2
    rewriteRule "^([^,]+),dc=domain,dc=com$" "$1,dc=directory2,dc=domain,dc=com" ":@I"

    # For SEARCH LDAP operations
    rewriteContext searchDN
    # Prefix the string to search with the binddn that connected previously
    rewriteRule "(.*)" "${**binddn}<>$1" ":I"
    # If binddn starts with prefix1 or prefix2, remove the binddn prefix
    # from the string and rewrite the suffix to directory1
    rewriteRule "^uid=prefix1[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory1,dc=domain,dc=com$2" ":@I"
    rewriteRule "^uid=prefix2[^,]+,[^<]+<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory1,dc=domain,dc=com$2" ":@I"
    # If binddn is not found or does not start with prefix1 or prefix2,
    # remove the binddn prefix from the string and rewrite the suffix to directory2
    rewriteRule "^.*<>(.*)dc=domain,dc=com(.*)$" "$1dc=directory2,dc=domain,dc=com$2" ":@I"
    rewriteRule "^.*<>(.*)$" "$1" ":@I"

    rewriteContext searchResult
    rewriteRule "dc=directory1,dc=domain,dc=com" "dc=domain,dc=com" ":@I"
    rewriteRule "dc=directory2,dc=domain,dc=com" "dc=domain,dc=com" ":@I"





    On 24/03/2025 at 14:10, nivan...@symas.com wrote:

        Hi David,
        I am not proficient in the rwm either, but I know that back-meta can be
        configured with its own rewrite engine, and it can definitely be configured
        to rewrite results. You could move this config into the database definition
        (without "overlay rwm"), and use rewriteContext searchResult to rewrite the
        search results. I haven't tested this myself in ages, but I hope it works in
        your case; there are a lot of examples in the slapd-meta man page.

        Best Regards,
        Nadya


--
David Coutadeur | IAM integrator

david.coutad...@worteks.com
+33 7 88 46 85 34
16 avenue Hoche, Paris 75008

Worteks |https://www.worteks.com
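The rewrite rules exchanged in this thread are plain regular expressions, so they can be dry-run outside slapd before touching a live proxy. The script below is an added example, not code from the thread or from OpenLDAP: it takes the searchEntryDN rule Nadya posted and the bindDN rules from David's config verbatim (only the back-reference syntax changes, `$1` in slapd versus `\1` in Python's `re`), applies them to constructed sample DNs, and shows which DNs each rule matches. The `SEARCH_ENTRY_DN_RULE_DEEP` variant, the sample DNs and the function names are assumptions introduced here for illustration.

```python
"""Dry-run of the slapd rewriteRule regexes from this thread against sample DNs.

Added example, not code from the thread or from OpenLDAP. The patterns are copied
from the rwm/back-meta rules above; only the back-reference syntax changes
($1 in slapd, \\1 in Python's re). The sample DNs are constructed for this example.
"""
import re

# Nadya's searchEntryDN rule: strip dc=directoryN from an entry DN.
# Note that [^,]+ matches exactly one RDN, so only direct children of the
# target suffix are rewritten.
SEARCH_ENTRY_DN_RULE = (r"^([^,]+),dc=directory.,dc=domain,dc=com$",
                        r"\1,dc=domain,dc=com")

# Assumed variant, not from the thread: also handles entries several RDNs deep.
SEARCH_ENTRY_DN_RULE_DEEP = (r"^(.+),dc=directory.,dc=domain,dc=com$",
                             r"\1,dc=domain,dc=com")

# David's bindDN rules, in the order he listed them: the first match wins.
BIND_DN_RULES = [
    (r"^uid=(prefix1[^,]+|prefix2[^,]+)(.*),dc=domain,dc=com$",
     r"uid=\1\2,dc=directory1,dc=domain,dc=com"),
    (r"^([^,]+),dc=domain,dc=com$",
     r"\1,dc=directory2,dc=domain,dc=com"),
]


def apply_rule(rule, dn):
    """Return the rewritten DN, or None when the anchored pattern does not match."""
    pattern, repl = rule
    if re.match(pattern, dn) is None:
        return None
    return re.sub(pattern, repl, dn)


def rewrite_search_entry_dn(dn, deep=False):
    """Rewrite a DN returned by a target, as the searchEntryDN context would."""
    rule = SEARCH_ENTRY_DN_RULE_DEEP if deep else SEARCH_ENTRY_DN_RULE
    return apply_rule(rule, dn)


def rewrite_bind_dn(dn):
    """Route a client bind DN to a target suffix; None means no rule matched."""
    for rule in BIND_DN_RULES:
        out = apply_rule(rule, dn)
        if out is not None:
            return out
    return None


if __name__ == "__main__":
    # Constructed sample DNs, following the thread's dc=directoryN layout.
    for dn in ("uid=alice,dc=directory1,dc=domain,dc=com",
               "uid=carol,ou=people,dc=directory1,dc=domain,dc=com",
               "dc=directory1,dc=domain,dc=com"):
        print(dn)
        print("  thread rule ->", rewrite_search_entry_dn(dn))
        print("  deep rule   ->", rewrite_search_entry_dn(dn, deep=True))
    for dn in ("uid=prefix1alice,dc=domain,dc=com",
               "uid=bob,dc=domain,dc=com",
               "uid=bob,ou=people,dc=domain,dc=com"):
        print(dn, "->", rewrite_bind_dn(dn))
```

Two things worth checking against your own DIT before deploying rules like these: `[^,]+` matches a single RDN, so `uid=carol,ou=people,dc=directory1,...` passes through both the thread's searchEntryDN rule and the bindDN fallback rule unchanged, while the prefix1/prefix2 bind rule (which uses `(.*)` for the middle part) does handle intermediate RDNs; and neither variant rewrites the target base entry `dc=directory1,dc=domain,dc=com` itself, since both require at least one RDN in front of it. slapd compiles these patterns as POSIX regular expressions; for the constructs used here Python's `re` behaves the same, which is what makes the dry run meaningful.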
