I've setup OpenLDAP as AD proxy according to:
https://wiki.samba.org/index.php/OpenLDAP_as_proxy_to_AD
Everything's working fine for clients using standard bindDN of full dn: attribute (e.g. cn=jdoe,ou=users,dc=example,dc=com)
Some of the clients are using userPrincipalName as bindDN, which is perfectly ok with AD, but not with the OpenLDAP proxy, which throws an error upon connect:
conn=1002 op=1 do_bind: invalid dn (jdoe@example.com)
send_ldap_result: conn=1002 op=1 p=3
send_ldap_result: err=34 matched="" text="invalid DN"
send_ldap_response: msgid=2 tag=97 err=34
conn=1002 op=1 RESULT tag=97 err=34 text=invalid DN
I tried to rewrite the bindDN of userPrincipalName using rwm-rewriteRule from the rwm overlay. That didn't work, although it works with standard bind dn's (e.g. cn=jdoe,ou=users,dc=example,dc=com)
This doesn't work:
rwm-rewriteRule "(.+,)@example.com$" "cn=$1,ou=users,dc=example,dc=com" ":"
This works:
rewriting ou=users for ou=employees as a test:
rwm-rewriteRule "(.+,)?ou=users,dc=example,dc=com$" "$1ou=employees,dc=example,dc=com" ":"
Is there a way how to rewrite bindDN of jdoe@example.com to bindDN of cn=jdoe,ou=users,dc=example,dc=com?
Here's my current config:
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/inetorgperson.schema
include /etc/openldap/schema/misc.schema
include /etc/openldap/schema/nis.schema
modulepath /usr/lib64/openldap/
moduleload back_ldap
moduleload rwm
pidfile /var/run/openldap/slapd.pid
argsfile /var/run/openldap/slapd.args
database ldap
readonly yes
protocol-version 3
rebind-as-user yes
uri "ldap://X.X.X.X:389"
suffix "dc=example,dc=com"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteRule "(.+,)@example.com$" "cn=$1,ou=users,dc=example,dc=com" ":"
logfile /var/log/slapd/slapd.log
loglevel -1
TLSCACertificatePath /etc/openldap/certs
TLSCertificateFile "OpenLDAP Server"
TLSCertificateKeyFile /etc/openldap/certs/password
Best Answer
It's right that you can rewrite bind-DNs with slapo-rwm but those have to be DNs.
So you could rewrite the short DN uid=user@example.com to uid=user,dc=example,dc=com, even by searching the entry with filter (attr=user@example.com). But the short form to be rewritten must be a valid DN string representation as defined in RFC 4514 and not just a user principal name user@example.com as with MS AD. See examples in slapo-rwm(5).
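To illustrate the answer's point in the question's own slapd.conf layout, here is an added configuration fragment (not from the question, the answer, or the Samba wiki). It assumes clients are changed to send the short but RFC 4514-valid DN uid=jdoe@example.com instead of the bare UPN, that user entries in AD live under ou=users,dc=example,dc=com as in the question, and that the ldap rewrite map described in slapo-rwm(5) may be used as an alternative when the target DN cannot be derived by regex alone.

```conf
# Added example: rewrite a short, RFC 4514-valid bind DN to the full entry DN.
# A bare "jdoe@example.com" is rejected by do_bind (err=34, invalid DN) before
# any overlay runs, so the client must present something that parses as a DN.
overlay rwm
rwm-rewriteEngine on

# Rules below apply only to the DN used in bind requests.
rwm-rewriteContext bindDN

# Variant 1 (assumed layout): derive the DN directly from the UPN's local part.
#   uid=jdoe@example.com  ->  cn=jdoe,ou=users,dc=example,dc=com
rwm-rewriteRule "^uid=([^@,]+)@example\.com$" "cn=$1,ou=users,dc=example,dc=com" ":"

# Variant 2 (assumed; see slapo-rwm(5) "ldap" map): look the entry up on the
# backend AD by attribute and use the DN the search returns. X.X.X.X and the
# attribute name are placeholders for the real AD host and the attribute that
# holds the UPN.
rwm-rewriteMap ldap upn2dn "ldap://X.X.X.X/dc=example,dc=com?dn?sub"
rwm-rewriteRule "^userPrincipalName=[^,]+@example\.com$" "${upn2dn($0)}" ":"
```

Each rule matches a different short DN form, so only the one the client actually sends is applied; the full DN form in the question continues to pass through unchanged.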