Posted 07-05-2009, 12:25 AM (post #1)
Debian OpenLDAP 2.4.11 - back_relay Overlay difficulties with 'ldapwhoami' operation


I am quite skilled with OpenLDAP in general, but am having difficulties with one aspect of a popular set of Overlays (modules) used with OpenLDAP: the "back_relay" backend module, and the module (basically mod-rewrite for slapd).

First, let me get the scenario out of the way:

We have configured a nice LDAP server for a set of network hosts to use for authentication, posix accounts, etc. However, these hosts are spread amongst various subdomains of our network. I want "fake" backends to be used for each respective domain. Clients in these zones have LDAP client files that point to an LDAP DIT (database) that does not exist in reality =).

Some generic examples, but you get the idea:

dc=real,dc=example,dc=com <- the REAL HDB backend, an actual DB
dc=corp,dc=example,dc=com <- fake "relay" that rewrites dc=real
dc=eng,dc=example,dc=com <- another fake "relay" that rewrites dc=real
dc=pub,dc=example,dc=com <- another fake "relay" that rewrites dc=real

For those of you unfamiliar with "back_relay" and "", the above is accomplished by doing the following:

1. Build your normal LDAP DIT, get it perfect. Use a name you do not intend the "public" or untrusted clients to see.
2. Load the modules in slapd.conf:
moduleload back_relay
3. Right after your REAL database section in slapd.conf, start another backend (it might look something like this in your config):
########## Relay Instance for "CORP" (NOT a REAL DB)

database relay
suffix dc=corp,dc=example,dc=com
relay dc=real,dc=example,dc=com
overlay rwm
rwm-suffixmassage dc=real,dc=example,dc=com
rwm-rewriteEngine on
rwm-normalize-mapped-attrs yes

access to dn.subtree="dc=corp,dc=example,dc=com"
by users read
4. Restart slapd

Of course, your real DIT has to have ACLs permitting access for this to work.

Now I must stress WE HAVE THIS WORKING. For example, if one of our engineers executes an LDAP search, his results returned have the DNs rewritten according to their zones' configuration.

What DOES NOT work is the 'ldapwhoami' operation. When user Joe executes the ldapwhoami cmd:

joe@host~:/$ ldapwhoami -xw password -D uid=joe,cn=users,dc=corp,dc=example,dc=com

The returned data is NOT what we want:


I have tried the following, before you start making suggestions:

1. Reading the man page for days, trying examples
2. Googling other peoples' configs. Frankly no one does what I do with LDAP ;-)
3. Using authz-regexp in both the global and per-relay config-space to rewrite a returned DN to the desired one.

I KNOW the relay DB IS working with our REAL db because of the following:

1. We can auth to the relay base (dc=corp,dc=example,dc=com)
2. Data returned in normal LDAP searches has every DN rewritten, as desired.

We are using:

HP Proliant DL140 / 4GB RAM on amd64 Kernel
Debian Lenny + OpenLDAP 2.4.11
libpam-ldap and libnss-ldap for client-side auth
ldap-utils on client-side for arbitrary ldap commands

Someone please help =)

Thank you
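As an added example (not part of the original post and not OpenLDAP's own code): a small POSIX shell script that checks the two things the post relies on, that every entry DN coming back through the relay carries the virtual suffix, and that the ldapwhoami result carries it too. The suffixes are the ones from the post; the LDAP URI, the bind DN and the sample LDIF are constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the back_relay/rwm
# setup above. Suffixes follow the post; LDAP_URI and BIND_DN are assumptions.
VIRTUAL_SUFFIX="dc=corp,dc=example,dc=com"   # what clients in the CORP zone see
REAL_SUFFIX="dc=real,dc=example,dc=com"      # the real HDB backend

# dn_has_suffix DN SUFFIX: exit 0 if DN equals SUFFIX or ends in ",SUFFIX".
# Compared case-insensitively with spaces around commas removed, which is
# enough for the caseIgnore dc= values used here (not a full RFC 4514 normaliser).
dn_has_suffix() {
    _dn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    _sfx=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/ *, */,/g')
    case "$_dn" in
        "$_sfx"|*",$_sfx") return 0 ;;
        *) return 1 ;;
    esac
}

# unfold_ldif: join LDIF continuation lines (a leading space) onto the
# previous line, so a DN folded across lines is compared as one string.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         { if (NR > 1) printf "\n"; printf "%s", $0 }
         END { printf "\n" }'
}

# unmassaged_dns SUFFIX: read unfolded LDIF on stdin and print every entry DN
# that is NOT under SUFFIX. No output means the relay rewrote every DN.
unmassaged_dns() {
    while IFS= read -r _line; do
        case "$_line" in
            "dn:: "*) _entry=$(printf '%s' "${_line#dn:: }" | base64 -d) ;;  # base64 DN
            "dn: "*)  _entry=${_line#dn: } ;;
            *) continue ;;
        esac
        dn_has_suffix "$_entry" "$1" || printf '%s\n' "$_entry"
    done
}

# whoami_result_ok RESULT SUFFIX: RESULT is what ldapwhoami prints, i.e.
# "dn:<DN>", "u:<userid>" or "anonymous". Exit 0 only for a dn: form under
# SUFFIX, which is what a client bound through the relay should be told.
whoami_result_ok() {
    case "$1" in
        dn:*) dn_has_suffix "${1#dn:}" "$2" ;;
        *) return 1 ;;
    esac
}

# Constructed sample of a search result as the relay should return it
# (the second DN is folded across two lines, which LDIF allows).
SAMPLE_LDIF='dn: uid=joe,cn=users,dc=corp,dc=example,dc=com
uid: joe

dn: uid=ann,cn=users,dc=corp,
 dc=example,dc=com
uid: ann
'

# self_check: run the checks offline against the constructed sample.
self_check() {
    _left=$(printf '%s' "$SAMPLE_LDIF" | unfold_ldif | unmassaged_dns "$VIRTUAL_SUFFIX")
    if [ -z "$_left" ]; then echo "sample search: every DN under $VIRTUAL_SUFFIX"
    else echo "sample search: DNs not massaged:" "$_left"; fi
    for _r in "dn:uid=joe,cn=users,$VIRTUAL_SUFFIX" "dn:uid=joe,cn=users,$REAL_SUFFIX" anonymous; do
        if whoami_result_ok "$_r" "$VIRTUAL_SUFFIX"; then echo "whoami OK:  $_r"
        else echo "whoami BAD: $_r"; fi
    done
}

if [ "${1:-}" = live ]; then
    # Live run against the relay (assumed URI). -W prompts for the password
    # instead of putting it on the command line where ps can read it; the
    # attribute list 1.1 asks for no attributes, so only DNs come back.
    LDAP_URI="ldap://ldap.corp.example.com"
    BIND_DN="uid=joe,cn=users,$VIRTUAL_SUFFIX"
    ldapsearch -x -LLL -H "$LDAP_URI" -D "$BIND_DN" -W -b "$VIRTUAL_SUFFIX" '(objectClass=*)' 1.1 \
        | unfold_ldif | unmassaged_dns "$VIRTUAL_SUFFIX"
    _who=$(ldapwhoami -x -H "$LDAP_URI" -D "$BIND_DN" -W)
    if whoami_result_ok "$_who" "$VIRTUAL_SUFFIX"; then echo "whoami OK: $_who"
    else echo "whoami not under $VIRTUAL_SUFFIX: $_who"; fi
else
    self_check
fi
```

Run it with no arguments for the offline self-check on the constructed sample, or with `live` to query a server; in the live mode any DN printed by the search step, or a whoami line not under the virtual suffix, is exactly the symptom the post describes. Note that the post's `ldapwhoami -xw password ...` puts the password on the command line, where any local user can read it from the process list; `-W` (prompt) or `-y passfile` avoids that.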
