Discussion:
bindDN-rewriting - can't get to grips with overlays rwm+relay
Thomas Wunder
2010-04-14 07:51:47 UTC
Hi!
I'm currently using the rwm overlay to filter the objects from my
ou=students,dc=uni-bamberg,dc=de directory by their "o" attribute and project
the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de.
Therefore I use the following section within my slapd.conf (before the
"database hdb..." section):

database relay
suffix "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
overlay rwm
#rwm-rewriteEngine on
rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" "ou=students,dc=uni-bamberg,dc=de"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"

searchFilter rewriting works perfectly, but I also need to rewrite the bindDN,
as every operation within ou=students,dc=uni-bamberg,dc=de needs to be carried
out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de)
(the reason is that I don't want any user other than ldapadmin to be able to
write ou=students,dc=uni-bamberg,dc=de, but they should be able to modify
entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de).
According to the logs and the error reply messages there seems to be no bindDN
rewriting done...
It looks like the rule never matches.
Is my rule not general enough to match each possible bindDN string? Is
"cn=ldapadmin,dc=uni-bamberg,dc=de" (replacement string for the bindDN) not
well formatted (does it expect something else)? Does the overlay "relay"
prevent the replacement of the bindDN?

Any help appreciated!
--
Lehrstuhl für Softwaretechnik und Programmiersprachen
Fakultät WIAI, Universität Bamberg, 96045 Bamberg

Email: ***@swt-bamberg.de
Web: http://www.swt-bamberg.de/
Tel.: 0951 863-3852 / Fax: 0951 863-3855
m***@aero.polimi.it
2010-04-14 16:27:32 UTC
Post by Thomas Wunder
Hi!
I'm currently using the rwm overlay to filter the objects from my
ou=students,dc=uni-bamberg,dc=de directory by their "o" attribute and project
the result to ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de.
Therefore I use the following section within my slapd.conf (before the
"database hdb..." section):
database relay
suffix "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
overlay rwm
#rwm-rewriteEngine on
rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" "ou=students,dc=uni-bamberg,dc=de"
rwm-rewriteContext bindDN
rwm-rewriteRule ".*" "cn=ldapadmin,dc=uni-bamberg,dc=de" ":@"
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"
searchFilter rewriting works perfectly, but I also need to rewrite the bindDN,
as every operation within ou=students,dc=uni-bamberg,dc=de needs to be carried
out by a particular user (cn=ldapadmin,dc=uni-bamberg,dc=de)
(the reason is that I don't want any user other than ldapadmin to be able to
write ou=students,dc=uni-bamberg,dc=de, but they should be able to modify
entries from ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de).
According to the logs and the error reply messages there seems to be no bindDN
rewriting done...
It looks like the rule never matches.
Is my rule not general enough to match each possible bindDN string? Is
"cn=ldapadmin,dc=uni-bamberg,dc=de" (replacement string for the bindDN) not
well formatted (does it expect something else)? Does the overlay "relay"
prevent the replacement of the bindDN?
The code is working as intended, and the rule is general enough; using
verbatim the configuration you provided, if I run

ldapwhoami -x -H ldap://:9011 \
    -D 'cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' \
    -w password

I get

conn=1000 op=0 BIND dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
do_bind: version=3 dn="cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" method=128
==> rewrite_context_apply [depth=1] string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de'
==> rewrite_rule_apply rule='.*' string='cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de' [1 pass(es)]
==> rewrite_context_apply [depth=1] res={0,'cn=ldapadmin,dc=uni-bamberg,dc=de'}
[rw] bindDN: "cn=Someone,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" -> "cn=ldapadmin,dc=uni-bamberg,dc=de"
dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>
=> ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de,0)
<= ldap_bv2dn(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
=> ldap_dn2bv(272)
<= ldap_dn2bv(cn=ldapadmin,dc=uni-bamberg,dc=de)=0
<<< dnPrettyNormal: <cn=ldapadmin,dc=uni-bamberg,dc=de>, <cn=ldapadmin,dc=uni-bamberg,dc=de>

^^^ the mapping occurred as expected.

The bind fails because no database can handle that DN, which I suspect is
also your case. What's problematic in your design is that although the DN
is rewritten, the credentials remain those of the user that's actually
binding, so the bind will always fail. Is this what you expect?

p.
Post by Thomas Wunder
Any help appreciated!
--
Lehrstuhl für Softwaretechnik und Programmiersprachen
Fakultät WIAI, Universität Bamberg, 96045 Bamberg
Web: http://www.swt-bamberg.de/
Tel.: 0951 863-3852 / Fax: 0951 863-3855
Thomas Wunder
2010-04-15 08:54:32 UTC
Then it seems that I've misinterpreted the way bindDN rewriting works.

I actually thought that it would be possible that an operation on an object
within the rewritten subtree (ou=students,ou=people,ou=swt,ou=wiai,dc=uni-
bamberg,dc=de) which is started by a user (cn=smbldapadmin,dc=uni-
bamberg,dc=de (who is not within the subtree which is rewritten)) could be
internally carried out with the privileges of a different user
(cn=ldapadmin,dc=uni-bamberg,dc=de).

To make it a bit clearer, these are the users/objects involved:
UsrA: cn=smbldapadmin,dc=uni-bamberg,dc=de
Obj : cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
UsrB: cn=ldapadmin,dc=uni-bamberg,dc=de
Obj' : cn=A,ou=students,dc=uni-bamberg,dc=de

...and this is what I want my LDAP server to do:
1. UsrA -> bind to LDAP-Service
2. Add Obj (as UsrA) --- internal rewriting ---> Add Obj' (as UsrB)
3. process "Add Obj' " internally
4. --> if successful "Obj" should be visible to UsrA

Would it be possible to achieve this with the rwm/relay overlay or is there
another overlay that could do that for me?
--
Lehrstuhl für Softwaretechnik und Programmiersprachen
Fakultät WIAI, Universität Bamberg, 96045 Bamberg

Email: ***@swt-bamberg.de
Web: http://www.swt-bamberg.de/
Tel.: 0951 863-3852 / Fax: 0951 863-3855
m***@aero.polimi.it
2010-04-15 15:56:48 UTC
Please reply to the address I'm using. I assume you didn't read my
"vacation" message, then.
Post by Thomas Wunder
Then it seems that I've misinterpreted the way bindDN rewriting works.
I actually thought that it would be possible that an operation on an object
within the rewritten subtree (ou=students,ou=people,ou=swt,ou=wiai,dc=uni-
bamberg,dc=de) which is started by a user (cn=smbldapadmin,dc=uni-
bamberg,dc=de (who is not within the subtree which is rewritten)) could be
internally carried out with the privileges of a different user
(cn=ldapadmin,dc=uni-bamberg,dc=de).
UsrA: cn=smbldapadmin,dc=uni-bamberg,dc=de
Obj : cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
UsrB: cn=ldapadmin,dc=uni-bamberg,dc=de
Obj' : cn=A,ou=students,dc=uni-bamberg,dc=de
1. UsrA -> bind to LDAP-Service
2. Add Obj (as UsrA) --- internal rewriting ---> Add Obj' (as UsrB)
3. process "Add Obj' " internally
4. --> if successful "Obj" should be visible to UsrA
Would it be possible to achieve this with the rwm/relay overlay or is there
another overlay that could do that for me?
What you're looking for is authorization. You want any user
"cn=A,ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" to
authorize as "cn=ldapadmin,dc=uni-bamberg,dc=de". You should then use
proxyAuthz (RFC4370).

You need to add

authz-policy from

then, in "cn=ldapadmin,dc=uni-bamberg,dc=de", you need to add the attribute

authzFrom: dn.onelevel:ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de

and your clients need to use the proxyAuthz control; for example

ldapsearch -e '!authzid=dn:cn=ldapadmin,dc=uni-bamberg,dc=de'

Currently, there's no overlay that can do this for you. You could obtain
something like this using slapd-ldap (possibly with slapo-rwm), by means
of the idassert feature. This would allow authorizing selected users as
the "cn=ldapadmin,dc=uni-bamberg,dc=de" identity, subject to the
authorization privileges granted by the remote DSA.

p.
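Putting the pieces of this reply together, as an added example that is not part of the thread and not the OpenLDAP project's own configuration: the relay/rwm projection from the original post without the bindDN rewriting, the global authz-policy, the authzFrom values on cn=ldapadmin (the dn.exact value for cn=smbldapadmin covers the UsrA case from the previous post, going beyond the reply's onelevel example), an ACL so that only ldapadmin may write the real subtree, and the client invocation. The hdb suffix dc=uni-bamberg,dc=de, the rootdn, the ACL and the file name add-obj-a.ldif are assumptions.

```conf
# --- slapd.conf, global section (before the first "database" line) ---
# Let a bound identity be replaced by an authorization identity when the
# target entry's authzFrom attribute permits it (proxyAuthz, RFC 4370).
# The user still binds with its own password; only the identity the
# operation runs under changes, which is what bindDN rewriting cannot do.
authz-policy from

# --- projection of the students subtree, as in the original post, minus
# the bindDN rewriting context ---
database relay
suffix "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de"
overlay rwm
rwm-suffixmassage "ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de" "ou=students,dc=uni-bamberg,dc=de"
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*)" "(&(o=swt)$1)" ":@I"

# --- backing database; suffix and rootdn are assumed ---
database hdb
suffix "dc=uni-bamberg,dc=de"
rootdn "cn=Manager,dc=uni-bamberg,dc=de"
# Only ldapadmin may write the real subtree. An operation that carries a
# valid proxyAuthz control reaches this ACL with ldapadmin as its identity;
# one without it keeps the caller's identity and gets read access only.
access to dn.subtree="ou=students,dc=uni-bamberg,dc=de"
    by dn.exact="cn=ldapadmin,dc=uni-bamberg,dc=de" write
    by * read
access to *
    by * read

# --- LDIF to apply as rootdn: who may assume cn=ldapadmin. authzFrom is an
# operational attribute, so no additional objectClass is needed. ---
dn: cn=ldapadmin,dc=uni-bamberg,dc=de
changetype: modify
add: authzFrom
authzFrom: dn.onelevel:ou=students,ou=people,ou=swt,ou=wiai,dc=uni-bamberg,dc=de
authzFrom: dn.exact:cn=smbldapadmin,dc=uni-bamberg,dc=de

# --- client side: bind as UsrA, request that the add run as UsrB ---
# ldapmodify -x -D 'cn=smbldapadmin,dc=uni-bamberg,dc=de' -W \
#     -e '!authzid=dn:cn=ldapadmin,dc=uni-bamberg,dc=de' -f add-obj-a.ldif
```

Any identity not listed in authzFrom is refused by the control itself, so the ACL never sees ldapadmin for callers that were not explicitly granted the mapping.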