Guide to the Linux Manual

slapo-rwm(5)

slapo-rwm - rewrite/remap overlay to slapd

REWRITE CONFIGURATION EXAMPLES

# set to `off' to disable rewriting
rwm-rewriteEngine on

# the rules the "suffixmassage" directive implies
rwm-rewriteEngine on
# all dataflow from client to server referring to DNs
rwm-rewriteContext default
rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
# empty filter rule
rwm-rewriteContext searchFilter
# all dataflow from server to client
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
# misc empty rules
rwm-rewriteContext referralAttrDN
rwm-rewriteContext referralDN

# Everything defined here goes into the `default' context.
# This rule changes the naming context of anything sent
# to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'

rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$" "$1dc=OpenLDAP, dc=org" ":"

# since a pretty/normalized DN does not include spaces
# after rdn separators, e.g. `,', this rule suffices:

rwm-rewriteRule "(.+,)?dc=home,dc=net$" "$1dc=OpenLDAP,dc=org" ":"

# Start a new context (ends input of the previous one).
# This rule adds blanks between DN parts if not present.
rwm-rewriteContext addBlanks
rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"

# This one eats blanks
rwm-rewriteContext eatBlanks
rwm-rewriteRule "(.*), (.*)" "$1,$2"

# Here control goes back to the default rewrite
# context; rules are appended to the existing ones.
# anything that gets here is piped into rule `addBlanks'
rwm-rewriteContext default
rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"

# Rewrite the search base according to `default' rules.
rwm-rewriteContext searchDN alias default

# Search results with OpenLDAP DN are rewritten back with
# `dc=home,dc=net' naming context, with spaces eaten.
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$" "${>eatBlanks($1)}dc=home,dc=net" ":"

# Bind with email instead of full DN: we first need
# an ldap map that turns attributes into a DN (the
# argument used when invoking the map is appended to
# the URI and acts as the filter portion)
rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"

# Then we need to detect DN made up of a single email,
# e.g. `mail=someone@example.com'; note that the rule
# in case of match stops rewriting; in case of error,
# it is ignored. In case we are mapping virtual
# to real naming contexts, we also need to rewrite
# regular DNs, because the definition of a bindDN
# rewrite context overrides the default definition.
rwm-rewriteContext bindDN
rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

# This is a rather sophisticated example. It massages a
# search filter in case who performs the search has
# administrative privileges. First we need to keep
# track of the bind DN of the incoming request, which is
# stored in a variable called `binddn' with session scope,
# and left in place to allow regular binding:
rwm-rewriteContext bindDN
rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"

# A search filter containing `uid=' is rewritten only
# if an appropriate DN is bound.
# To do this, in the first rule the bound DN is
# dereferenced, while the filter is decomposed in a
# prefix, in the value of the `uid=<arg>' AVA, and
# in a suffix. A tag `<>' is appended to the DN.
# If the DN refers to an entry in the `ou=admin' subtree,
# the filter is rewritten OR-ing the `uid=<arg>' with
# `cn=<arg>'; otherwise it is left as is. This could be
# useful, for instance, to allow apache's auth_ldap-1.4
# module to authenticate users with both `uid' and
# `cn', but only if the request comes from a possible
# `cn=Web auth,ou=admin,dc=home,dc=net' user.
rwm-rewriteContext searchFilter
rwm-rewriteRule "(.*\\()uid=([a-z0-9_]+)(\\).*)" "${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}" ":I"
rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$" "${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"

# This example shows how to strip unwanted DN-valued
# attribute values from a search result; the first rule
# matches DN values below "ou=People,dc=example,dc=com";
# in case of match the rewriting exits successfully.
# The second rule matches everything else and causes
# the value to be rejected.
rwm-rewriteContext searchEntryDN
rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
rwm-rewriteRule ".*" "" "#"
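
Added example (not part of the manual page or of OpenLDAP): a simplified Python model for checking rules like the ones above against sample DNs before they go into slapd.conf. It assumes Python's re is close enough to slapd's regex engine for these patterns and that the substitution replaces the whole value; it models only $N back-references and the flags ":", "@" and "#". The names run_context, expand and filter_dn are hypothetical, and a rejected value is reported as None.

```python
import re

MAX_PASSES = 100  # assumed cap on re-applying a recursive rule in this model

class Rejected(Exception):
    """A rule flagged '#' matched, so the value is refused."""

def expand(template, match):
    # Only $0..$9 back-references are modelled; maps and variables are not.
    return re.sub(r"\$(\d)", lambda m: match.group(int(m.group(1))) or "", template)

def run_context(rules, value):
    """Apply (pattern, substitution, flags) rules in order to one string."""
    for pattern, subst, flags in rules:
        regex = re.compile(pattern, re.IGNORECASE)  # rwm ignores case unless 'C' is set
        passes = 1 if ":" in flags else MAX_PASSES  # ':' = apply the rule once only
        matched = False
        for _ in range(passes):
            m = regex.search(value)
            if m is None:
                break
            if "#" in flags:  # '#' = stop the operation with an error
                raise Rejected(value)
            matched = True
            rewritten = expand(subst, m)
            if rewritten == value:
                break
            value = rewritten
        if matched and "@" in flags:  # '@' = stop applying further rules
            break
    return value

# Rules copied from the examples above.
TO_REAL = [(r"(.+,)?dc=home,dc=net$", "$1dc=OpenLDAP,dc=org", ":")]
ADD_BLANKS = [(r"(.*),([^ ].*)", "$1, $2", "")]
PEOPLE_ONLY = [
    (r".+,ou=People,dc=example,dc=com$", "$0", ":@"),
    (r".*", "", "#"),
]

def filter_dn(value):
    """Return the value if the allow-list context keeps it, else None."""
    try:
        return run_context(PEOPLE_ONLY, value)
    except Rejected:
        return None
```

With these rules the base entry `ou=People,dc=example,dc=com` itself is rejected, because `.+,` requires at least one RDN in front of it, and a DN that merely contains the People suffix followed by further components fails the `$` anchor.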