Discussion:
need an overlay for rewriting attribute values
Thomas Wunder
2010-07-13 12:10:25 UTC
Hi,
I need some kind of overlay which allows me to rewrite attribute values. I.e. if there's an object
"cn=a,ou=src,dc=my,dc=com" which has attributes like
memberUid="uid=usrA,ou=rest,ou=of,dc=the,dc=dn" and
memberUid="uid=usrB,ou=rest,ou=of,dc=the,dc=dn"
I want that overlay to suffixmassage (or whatever) it to an object like
"cn=b,ou=dst,dc=my,dc=com" where for example
memberUid="usrA"
memberUid="usrB"
but the rest (i.e. other attributes like 'gidNumber', 'userPassword', 'description',...) of the object should be identical to the 'source'-object.

The whole thing is needed because slapo-autogroup puts in full DNs as attribute values but my client programs (e.g. nss-ldapd) expect only a plain username to be there. In practice this means that I need to have that overlay to split the values of a particular type of attribute (like 'memberUid') and extract a particular part of it.

It would be very nice if it was possible to use regular expressions with backreferences for matching/rewriting the values or if there was a chance to 'plug in' an external program which accomplishes that job. (As far as I know slapo-rwm is only capable of rewriting DNs and attribute names etc. but no values, isn't it? So I need something else...)

Thanks in advance!
Tom
Howard Chu
2010-07-13 16:46:48 UTC
Post by Thomas Wunder
Hi,
I need some kind of overlay which allows me to rewrite attribute values. I.e. if there's an object
"cn=a,ou=src,dc=my,dc=com" which has attributes like
memberUid="uid=usrA,ou=rest,ou=of,dc=the,dc=dn" and
memberUid="uid=usrB,ou=rest,ou=of,dc=the,dc=dn"
I want that overlay to suffixmassage (or whatever) it to an object like
"cn=b,ou=dst,dc=my,dc=com" where for example
memberUid="usrA"
memberUid="usrB"
but the rest (i.e. other attributes like 'gidNumber', 'userPassword',
'description',...) of the object should be identical to the 'source'-object.
Post by Thomas Wunder
The whole thing is needed because slapo-autogroup puts in full DNs as
attribute values but my client programs (e.g. nss-ldapd) expect only a plain
username to be there. In practice this means that I need to have that overlay
to split the values of a particular type of attribute (like 'memberUid') and
extract a particular part of it.

You're misusing the schema here. The memberUid attribute is only for simple
user IDs, not DNs.
Post by Thomas Wunder
It would be very nice if it was possible to use regular expressions with
backreferences for matching/rewriting the values or if there was a chance to
'plug in' an external program which accomplishes that job. (As far as I know
slapo-rwm is only capable of rewriting DNs and attribute names etc. but no
values, isn't it? So I need something else...)

slapo-rwm rewrites DNs in DN-valued attributes as well. "DN-valued" meaning
that the attribute's syntax is distinguishedName. It does not rewrite any
other attributes.
Post by Thomas Wunder
Thanks in advance!
Tom
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
Hallvard B Furuseth
2010-07-14 11:20:05 UTC
Post by Howard Chu
Post by Thomas Wunder
The whole thing is needed because slapo-autogroup puts in full DNs as
attribute values but my client programs (e.g. nss-ldapd) expect only
a plain username to be there. In practice this means that I need to
have that overlay to split the values of a particular type of
attribute (like 'memberUid') and extract a particular part of it.
You're misusing the schema here. The memberUid attribute is only for simple
user IDs, not DNs.
...so you should put DNs in the 'member' attribute like the autogroup
doc says. And you could write an overlay which inspects 'member' and
creates a 'memberUid' attribute. If you take that route, look at
overlay usn in contrib/slapd-modules/ for a "template" if you want
memberUid to be maintained when member is updated, or allop or
overlays/dynlist if you want the attributes to be generated dynamically
for searches. The latter means member and memberUid will be guaranteed to be
in sync, but some operations won't see memberUid - e.g. like filtering
for a memberUid, depending on how thoroughly you implement it.
--
Hallvard
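
Added example, not part of the thread and not OpenLDAP code: a standalone Python sketch of the `member` to `memberUid` derivation suggested above, done outside slapd. The helper names are hypothetical; it reads only the leading RDN and honours RFC 4514 backslash escapes, so an escaped comma or a multi-valued RDN does not yield a wrong user name.

```python
import re

# RFC 4514 escape: backslash + two hex digits, or backslash + one character.
_ESC = re.compile(r'\\([0-9A-Fa-f]{2}|.)', re.S)

def _unescape(value):
    """Decode RFC 4514 escapes; hex pairs are bytes of a UTF-8 string."""
    out, pos = bytearray(), 0
    for m in _ESC.finditer(value):
        out += value[pos:m.start()].encode()
        tok = m.group(1)
        out += bytes.fromhex(tok) if len(tok) == 2 else tok.encode()
        pos = m.end()
    return (out + value[pos:].encode()).decode()

def _split(text, sep):
    """Split on sep, treating a backslash and the next character as one unit."""
    parts, cur, i = [], "", 0
    while i < len(text):
        step = 2 if text[i] == "\\" else 1
        if step == 1 and text[i] == sep:
            parts, cur = parts + [cur], ""
        else:
            cur += text[i:i + step]
        i += step
    return parts + [cur]

def uid_from_member(dn, attr="uid"):
    """Return the attr value from the leading RDN of dn, or None if absent."""
    for ava in _split(_split(dn, ",")[0], "+"):   # "+" joins a multi-valued RDN
        name, eq, value = ava.partition("=")
        if eq and name.strip().lower() == attr.lower():
            return _unescape(value)
    return None

def member_uids(members, attr="uid"):
    """Return (sorted unique memberUid values, member DNs with no usable uid)."""
    uids = {dn: uid_from_member(dn, attr) for dn in members}
    return sorted({u for u in uids.values() if u}), [d for d, u in uids.items() if not u]

# Constructed sample values; the first two are the DNs used in the thread.
SAMPLE = [
    "uid=usrA,ou=rest,ou=of,dc=the,dc=dn",
    "uid=usrB,ou=rest,ou=of,dc=the,dc=dn",
    r"uid=smith\, j,ou=rest,dc=the,dc=dn",      # escaped comma inside the value
    r"cn=Jo+UID=usr\43,ou=rest,dc=the,dc=dn",   # multi-valued RDN, hex escape
    "cn=printer1,ou=devices,dc=the,dc=dn",      # no uid in the leading RDN
]
```

Entries returned in the second list are the ones to review by hand rather than silently drop, since a missing `memberUid` changes what group membership NSS clients see.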
Thomas Wunder
2010-07-15 09:56:35 UTC
Post by Howard Chu
You're misusing the schema here. The memberUid attribute is only for simple
user IDs, not DNs.
I know, but the DN is just what came out of the autogroup overlay. However
Raphaël Ouazana supplied a patch which should fix this kind of problem. I still
didn't have any time to try it out but it sounds pretty much like what I need.
Post by Howard Chu
slapo-rwm rewrites DNs in DN-valued attributes as well. "DN-valued" meaning
that the attribute's syntax is distinguishedName. It does not rewrite any
other attributes.
I may need attribute-value-rewriting in other situations too but I find it really
hard to get it working the way I need it. I don't come to grips with the manpage...
(Is there some more detailed documentation?) Can you show me what the config
section should look like to rewrite e.g. the memberUid attribute value the way I
explained it in my previous post?

Thanks!
Best regards
Tom
Raphaël Ouazana-Sustowski
2010-07-15 09:18:29 UTC
Hi,
Post by Thomas Wunder
The whole thing is needed because slapo-autogroup puts in full DNs as
attribute values but my client programs (e.g. nss-ldapd) expect only a
plain username to be there. In practice this means that I need to have
that overlay to split the values of a particular type of attribute (like
'memberUid') and extract a particular part of it.
If you need this for autogroup, you should try my patch for the overlay:
http://www.openldap.org/its/index.cgi?findid=6536
Its purpose is precisely to get an attribute value instead of the dn to
construct the group.

Regards,
Raphaël Ouazana.
Thomas Wunder
2010-07-20 13:57:28 UTC
Hi Raphael,
thank you very much, your patch made slapo-autogroup behave exactly the way I need it!
Post by Raphaël Ouazana-Sustowski
Hi,
Post by Thomas Wunder
The whole thing is needed because slapo-autogroup puts in full DNs as
attribute values but my client programs (e.g. nss-ldapd) expect only a
plain username to be there. In practice this means that I need to have
that overlay to split the values of a particular type of attribute (like
'memberUid') and extract a particular part of it.
http://www.openldap.org/its/index.cgi?findid=6536
Its purpose is precisely to get an attribute value instead of the dn to
construct the group.
Regards,
Raphaël Ouazana.