Guide to the Linux Manual




slapd-meta(5)

metadirectory backend to slapd

Configuration examples:

# set to `off' to disable rewriting
rewriteEngine on

# the rules the "suffixmassage" directive implies
rewriteEngine on
# all dataflow from client to server referring to DNs
rewriteContext default
rewriteRule "(.*)<virtualnamingcontext>$" "%1<realnamingcontext>" ":"
# empty filter rule
rewriteContext searchFilter
# all dataflow from server to client
rewriteContext searchResult
rewriteRule "(.*)<realnamingcontext>$" "%1<virtualnamingcontext>" ":"
rewriteContext searchAttrDN alias searchResult
rewriteContext matchedDN alias searchResult

# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'

rewriteRule "(.*)dc=home,[ ]?dc=net" "%1dc=OpenLDAP, dc=org" ":"

# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:

rewriteRule "(.*)dc=home,dc=net" "%1dc=OpenLDAP,dc=org" ":"

# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
rewriteContext addBlanks
rewriteRule "(.*),([^ ].*)" "%1, %2"

# This one eats blanks
rewriteContext eatBlanks
rewriteRule "(.*),[ ](.*)" "%1,%2"

# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
rewriteContext default
rewriteRule ".*" "%{>addBlanks(%0)}" ":"

# Rewrite the search base according to `default' rules.
rewriteContext searchBase alias default

# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
rewriteContext searchResult
rewriteRule "(.*[^ ]?)[ ]?dc=OpenLDAP,[ ]?dc=org" "%{>eatBlanks(%1)}dc=home,dc=net" ":"

# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"

# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
# in case of match stops rewriting; in case of error,
# it is ignored. In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDn
# rewrite context overrides the default definition.
rewriteContext bindDN
rewriteRule "^mail=[^,]+@[^,]+$" "%{attr2dn(%0)}" ":@I"

# This is a rather sophisticated example. It massages a
# search filter in case whoever performs the search has
# administrative privileges. First we need to keep
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
rewriteContext bindDN
rewriteRule ".+" "%{&&binddn(%0)}%0" ":"

# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
# To do this, in the first rule the bound DN is
# dereferenced, while the filter is decomposed in a
# prefix, in the value of the `uid=<arg>' AVA, and
# in a suffix. A tag `<>' is appended to the DN.
# If the DN refers to an entry in the `ou=admin' subtree,
# the filter is rewritten OR-ing the `uid=<arg>' with
# `cn=<arg>'; otherwise it is left as is. This could be
# useful, for instance, to allow apache's auth_ldap-1.4
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `cn=Web auth,ou=admin,dc=home,dc=net' user.
rewriteContext searchFilter
rewriteRule "(.*\\()uid=([a-z0-9_]+)(\\).*)" "%{**binddn}<>%{&prefix(%1)}%{&arg(%2)}%{&suffix(%3)}" ":I"
rewriteRule "[^,]+,ou=admin,dc=home,dc=net" "%{*prefix}|(uid=%{*arg})(cn=%{*arg})%{*suffix}" ":@I"
rewriteRule ".*<>" "%{*prefix}uid=%{*arg}%{*suffix}" ":"
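The three searchFilter rules above, traced offline in Python as an added example (not part of the manual page or of OpenLDAP). Python's `re` stands in for slapd's regex engine; the function name, the case-insensitive matching, and every sample DN and filter except the `cn=Web auth` DN are assumptions made for illustration.

```python
import re

# Patterns from the searchFilter rules above. Assumptions: the config-file
# escape "\\(" reaches the regex engine as "\(" (a literal parenthesis),
# and rules match case-insensitively.
RULE1 = re.compile(r"(.*\()uid=([a-z0-9_]+)(\).*)", re.I)
RULE2 = re.compile(r"[^,]+,ou=admin,dc=home,dc=net", re.I)
RULE3 = re.compile(r".*<>", re.I)


def rewrite_search_filter(bind_dn, ldap_filter):
    """Model the three searchFilter rules for one bound session."""
    m = RULE1.search(ldap_filter)
    if m is None:
        # Simplification of this model: a filter without a plain
        # uid=<arg> AVA is returned untouched; rules 2 and 3 are skipped.
        return ldap_filter
    # Rule 1: store the pieces and replace the working string with the
    # dereferenced bind DN followed by the "<>" tag.
    prefix, arg, suffix = m.groups()
    work = bind_dn + "<>"
    # Rule 2: the bind DN matches the ou=admin pattern, so OR uid with cn
    # and stop rewriting.
    if RULE2.search(work):
        return f"{prefix}|(uid={arg})(cn={arg}){suffix}"
    # Rule 3: every other bind DN gets the plain uid filter rebuilt.
    if RULE3.search(work):
        return f"{prefix}uid={arg}{suffix}"
    return work


if __name__ == "__main__":
    # Constructed sample sessions; only the admin DN appears on the page.
    admin = "cn=Web auth,ou=admin,dc=home,dc=net"
    user = "uid=jdoe,ou=People,dc=home,dc=net"
    for dn, flt in [
        (admin, "(uid=jdoe)"),
        (admin, "(&(objectClass=person)(uid=jdoe))"),
        (user, "(uid=jdoe)"),
        (admin, "(uid=j*)"),  # "*" is outside [a-z0-9_], so rule 1 skips it
    ]:
        print(f"{dn!r:45} {flt!r:40} -> {rewrite_search_filter(dn, flt)!r}")
```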

# This example shows how to strip unwanted DN-valued
# attribute values from a search result; the first rule
# matches DN values below "ou=People,dc=example,dc=com";
# in case of match the rewriting exits successfully.
# The second rule matches everything else and causes
# the value to be rejected.
rewriteContext searchResult
rewriteRule ".*,ou=People,dc=example,dc=com" "%0" ":@"
rewriteRule ".*" "" "#"