1 .TH SLAPO-RWM 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2005 The OpenLDAP Foundation, All Rights Reserved.
3 .\" Copying restrictions apply. See the COPYRIGHT file.
4 .\" Copyright 2004, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 .\" Portions of this document should probably be moved to slapd-ldap(5)
8 .\" and maybe manual pages for librewrite.
11 slapo-rwm \- rewrite/remap overlay
19 performs basic DN/data rewrite and objectClass/attributeType mapping.
20 Its usage is mostly intended to provide virtual views of existing data
21 either remotely, in conjunction with the proxy backend described in
23 or locally, in conjunction with the relay backend described in
26 An important feature of the
28 overlay is the capability to map objectClasses and attributeTypes
29 from the local set (or a subset of it) to a foreign set, and vice versa.
30 This is accomplished by means of the
34 .B rwm-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
35 Map attributeTypes and objectClasses from the foreign server to
36 different values on the local slapd.
37 The reason is that some attributes might not be part of the local
38 slapd's schema, some attribute names might be different but serve the
40 If local or foreign name is `*', the name is preserved.
41 If local name is omitted, the foreign name is removed.
42 Unmapped names are preseved if both local and foreign name are `*',
43 and removed if local name is omitted and foreign name is `*'.
49 must be defined in the local schema; the foreign ones do not have to,
50 but users are encouraged to explicitly define the remote attributeTypes
51 and the objectClasses they intend to map. All in all, when remapping
52 a remote server via back-ldap (\fBslapd-ldap\fP(5))
53 or back-meta (\fBslapd-meta\fP(5))
54 their definition can be easily obtained by querying the \fIsubschemaSubentry\fP
55 of the remote server; the problem should not exist when remapping a local
57 Note, however, that the decision whether to rewrite or not attributeTypes
59 .IR "distinguishedName syntax" ,
60 requires the knowledge of the attributeType syntax.
61 See the REWRITING section for details.
63 Note that when mapping DN-valued attributes from local to remote,
64 first the DN is rewritten, and then the attributeType is mapped;
65 while mapping from remote to local, first the attributeType is mapped,
66 and then the DN is rewritten.
67 As such, it is important that the local attributeType is appropriately
68 defined as using the distinguishedName syntax.
69 Also, note that there are DN-related syntaxes (i.e. compound types with
70 a portion that is DN-valued), like nameAndOptionalUID,
71 whose values are currently not rewritten.
73 A basic feature of the
75 overlay is the capability to perform suffix massaging between a virtual
76 and a real naming context by means of the
80 .B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
81 Shortcut to implement naming context rewriting; the trailing part
82 of the DN is rewritten from the virtual to the real naming context
83 in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
84 addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN,
85 deleteDN, exopPasswdDN, and from the real to the virtual naming context
86 in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts.
87 By default no rewriting occurs for the searchFilter
88 and for the referralAttrDN and referralDN rewrite contexts.
89 If no \fI<virtual naming context>\fP is given, the first suffix of the
90 database is used; this requires the
92 directive be defined \fIafter\fP the database
97 directive automatically sets the
102 See the REWRITING section for details.
104 A string is rewritten according to a set of rules, called a `rewrite
106 The rules are based on POSIX (''extended'') regular expressions with
107 substring matching; basic variable substitution and map resolution
108 of substrings is allowed by specific mechanisms detailed in the following.
109 The behavior of pattern matching/substitution can be altered by a set
114 <rewrite context> ::= <rewrite rule> [...]
115 <rewrite rule> ::= <pattern> <action> [<flags>]
119 The underlying concept is to build a lightweight rewrite module
120 for the slapd server (initially dedicated to the LDAP backend):
123 An incoming string is matched agains a set of
126 .IR "regex match pattern" ,
128 .I "substitution pattern"
129 and a set of actions, described by a set of
130 .IR "optional flags" .
131 In case of match, string rewriting is performed according to the
132 substitution pattern that allows to refer to substrings matched in the
134 The actions, if any, are finally performed.
135 Each rule is executed recursively, unless altered by specific action
136 flags; see "Action Flags" for details.
137 A default limit on the recursion level is set, and can be altered
139 .B rwm-rewriteMaxPasses
140 directive, as detailed in the "Additional Configuration Syntax" section.
141 The substitution pattern allows map resolution of substrings.
142 A map is a generic object that maps a substitution pattern to a value.
143 The flags are divided in "Pattern Matching Flags" and "Action Flags";
144 the former alter the regex match pattern behavior, while the latter
145 alter the actions that are taken after substitution.
146 .SH "Pattern Matching Flags"
149 honors case in matching (default is case insensitive)
152 use POSIX ''basic'' regular expressions (default is ''extended'')
157 recursive passes for a specific rule; does not alter the max total count
158 of passes, so it can only enforce a stricter limit for a specific rule.
162 apply the rule once only (default is recursive)
165 stop applying rules in case of match; the current rule is still applied
166 recursively; combine with `:' to apply the current rule only once
170 stop current operation if the rule matches, and issue an `unwilling to
176 rules back and forth (watch for loops!).
177 Note that `G{1}' is implicit in every rule.
180 ignores errors in rule; this means, in case of error, e.g. issued by a
181 map, the error is treated as a missed match.
182 The `unwilling to perform' is not overridden.
188 as return code if the rule matches; the flag does not alter the recursive
189 behavior of the rule, so, to have it performed only once, it must be used
190 in combination with `:', e.g.
192 returns the value `16' after exactly one execution of the rule, if the
194 As a consequence, its behavior is equivalent to `@', with the return
197 or, in other words, `@' is equivalent to `U{0}'.
198 By convention, the freely available codes are above 16 included;
199 the others are reserved.
201 The ordering of the flags can be significant.
202 For instance: `IG{2}' means ignore errors and jump two lines ahead
203 both in case of match and in case of error, while `G{2}I' means ignore
204 errors, but jump two lines ahead only in case of match.
206 More flags (mainly Action Flags) will be added as needed.
207 .SH "Pattern Matching"
212 .SH "Substitution Pattern Syntax"
213 Everything starting with `$' requires substitution;
215 the only obvious exception is `$$', which is turned into a single `$';
217 the basic substitution is `$<d>', where `<d>' is a digit;
218 0 means the whole string, while 1-9 is a submatch, as discussed in
223 a `$' followed by a `{' invokes an advanced substitution.
227 `$' `{' [ <operator> ] <name> `(' <substitution> `)' `}'
230 where <name> must be a legal name for the map, i.e.
234 <name> ::= [a-z][a-z0-9]* (case insensitive)
235 <operator> ::= `>' `|' `&' `&&' `*' `**' `$'
239 and <substitution> must be a legal substitution
240 pattern, with no limits on the nesting level.
245 sub-context invocation; <name> must be a legal, already defined
249 external command invocation; <name> must refer to a legal, already
250 defined command name (NOT IMPLEMENTED YET)
253 variable assignment; <name> defines a variable in the running
254 operation structure which can be dereferenced later; operator
256 assigns a variable in the rewrite context scope; operator
258 assigns a variable that scopes the entire session, e.g. its value
259 can be derefenced later by other rewrite contexts
262 variable dereferencing; <name> must refer to a variable that is
263 defined and assigned for the running operation; operator
265 dereferences a variable scoping the rewrite context; operator
267 dereferences a variable scoping the whole session, e.g. the value
268 is passed across rewrite contexts
271 parameter dereferencing; <name> must refer to an existing parameter;
272 the idea is to make some run-time parameters set by the system
273 available to the rewrite engine, as the client host name, the bind DN
274 if any, constant parameters initialized at config time, and so on;
275 no parameter is currently set by either
279 but constant parameters can be defined in the configuration file
284 Substitution escaping has been delegated to the `$' symbol,
285 which is used instead of `\e' in string substitution patterns
286 because `\e' is already escaped by slapd's low level parsing routines;
287 as a consequence, regex escaping requires
288 two `\e' symbols, e.g. `\fB.*\e.foo\e.bar\fP' must
289 be written as `\fB.*\e\e.foo\e\e.bar\fP'.
291 .\" The symbol can be altered at will by redefining the related macro in
294 .SH "Rewrite Context"
295 A rewrite context is a set of rules which are applied in sequence.
296 The basic idea is to have an application initialize a rewrite
297 engine (think of Apache's mod_rewrite ...) with a set of rewrite
298 contexts; when string rewriting is required, one invokes the
299 appropriate rewrite context with the input string and obtains the
300 newly rewritten one if no errors occur.
302 Each basic server operation is associated to a rewrite context;
303 they are divided in two main groups: client \-> server and
304 server \-> client rewriting.
310 (default) if defined and no specific context
315 searchFilterAttrDN search
317 compareAttrDN compare AVA
319 addAttrDN add AVA (DN portion of "ref" excluded)
321 modifyAttrDN modify AVA (DN portion of "ref" excluded)
322 referralAttrDN add/modify DN portion of referrals
327 exopPasswdDN passwd exop DN
335 searchEntryDN search (only if defined; no default;
336 acts on DN of search entries)
337 searchAttrDN search AVA (only if defined; defaults
338 to searchEntryDN; acts on DN-syntax
339 attributes of search results)
340 matchedDN all ops (only if applicable; defaults
342 referralDN all ops (only if applicable; defaults
347 .SH "Basic Configuration Syntax"
348 All rewrite/remap directives start with the prefix
350 for backwards compatibility with the historical
354 builtin rewrite/remap capabilities, the prefix may be omitted,
355 but this practice is strongly discouraged.
357 .B rwm-rewriteEngine { on | off }
358 If `on', the requested rewriting is performed; if `off', no
359 rewriting takes place (an easy way to stop rewriting without
360 altering too much the configuration file).
362 .B rwm-rewriteContext <context name> "[ alias <aliased context name> ]"
363 <Context name> is the name that identifies the context, i.e. the name
364 used by the application to refer to the set of rules it contains.
365 It is used also to reference sub contexts in string rewriting.
366 A context may aliase another one.
367 In this case the alias context contains no rule, and any reference to
368 it will result in accessing the aliased one.
370 .B rwm-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
371 Determines how a string can be rewritten if a pattern is matched.
372 Examples are reported below.
373 .SH "Additional Configuration Syntax"
375 .B rwm-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
376 Allows to define a map that transforms substring rewriting into
378 The map is referenced inside the substitution pattern of a rule.
380 .B rwm-rewriteParam <param name> <param value>
381 Sets a value with global scope, that can be dereferenced by the
382 command `${$paramName}'.
384 .B rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
385 Sets the maximum number of total rewriting passes that can be
386 performed in a single rewrite operation (to avoid loops).
387 A safe default is set to 100; note that reaching this limit is still
388 treated as a success; recursive invocation of rules is simply
390 The count applies to the rewriting operation as a whole, not
391 to any single rule; an optional per-rule limit can be set.
392 This limit is overridden by setting specific per-rule limits
393 with the `M{n}' flag.
394 .SH "REWRITE CONFIGURATION EXAMPLES"
396 # set to `off' to disable rewriting
399 # the rules the "suffixmassage" directive implies
401 # all dataflow from client to server referring to DNs
402 rwm-rewriteContext default
403 rwm-rewriteRule "(.*)<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
405 rwm-rewriteContext searchFilter
406 # all dataflow from server to client
407 rwm-rewriteContext searchEntryDN
408 rwm-rewriteRule "(.*)<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
409 rwm-rewriteContext searchAttrDN alias searchEntryDN
410 rwm-rewriteContext matchedDN alias searchEntryDN
412 # Everything defined here goes into the `default' context.
413 # This rule changes the naming context of anything sent
414 # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
416 rwm-rewriteRule "(.*)dc=home,[ ]?dc=net$"
417 "$1dc=OpenLDAP, dc=org" ":"
419 # since a pretty/normalized DN does not include spaces
420 # after rdn separators, e.g. `,', this rule suffices:
422 rwm-rewriteRule "(.*)dc=home,dc=net$"
423 "$1dc=OpenLDAP,dc=org" ":"
425 # Start a new context (ends input of the previous one).
426 # This rule adds blanks between DN parts if not present.
427 rwm-rewriteContext addBlanks
428 rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"
430 # This one eats blanks
431 rwm-rewriteContext eatBlanks
432 rwm-rewriteRule "(.*), (.*)" "$1,$2"
434 # Here control goes back to the default rewrite
435 # context; rules are appended to the existing ones.
436 # anything that gets here is piped into rule `addBlanks'
437 rwm-rewriteContext default
438 rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
440 .\" # Anything with `uid=username' is looked up in
441 .\" # /etc/passwd for gecos (I know it's nearly useless,
442 .\" # but it is there just as a guideline to implementing
444 .\" # Note the `I' flag that leaves `uid=username' in place
445 .\" # if `username' does not have a valid account, and the
446 .\" # `:' that forces the rule to be processed exactly once.
447 .\" rwm-rewriteContext uid2Gecos
448 .\" rwm-rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
449 .\" "$1cn=$2{xpasswd},$3" "I:"
451 .\" # Finally, in a bind, if one uses a `uid=username' DN,
452 .\" # it is rewritten in `cn=name surname' if possible.
453 .\" rwm-rewriteContext bindDN
454 .\" rwm-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
456 # Rewrite the search base according to `default' rules.
457 rwm-rewriteContext searchDN alias default
459 # Search results with OpenLDAP DN are rewritten back with
460 # `dc=home,dc=net' naming context, with spaces eaten.
461 rwm-rewriteContext searchEntryDN
462 rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
463 "${>eatBlanks($1)}dc=home,dc=net" ":"
465 # Bind with email instead of full DN: we first need
466 # an ldap map that turns attributes into a DN (the
467 # argument used when invoking the map is appended to
468 # the URI and acts as the filter portion)
469 rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
471 # Then we need to detect DN made up of a single email,
472 # e.g. `mail=someone@example.com'; note that the rule
473 # in case of match stops rewriting; in case of error,
474 # it is ignored. In case we are mapping virtual
475 # to real naming contexts, we also need to rewrite
476 # regular DNs, because the definition of a bindDN
477 # rewrite context overrides the default definition.
478 rwm-rewriteContext bindDN
479 rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
481 # This is a rather sophisticated example. It massages a
482 # search filter in case who performs the search has
483 # administrative privileges. First we need to keep
484 # track of the bind DN of the incoming request, which is
485 # stored in a variable called `binddn' with session scope,
486 # and left in place to allow regular binding:
487 rwm-rewriteContext bindDN
488 rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
490 # A search filter containing `uid=' is rewritten only
491 # if an appropriate DN is bound.
492 # To do this, in the first rule the bound DN is
493 # dereferenced, while the filter is decomposed in a
494 # prefix, in the value of the `uid=<arg>' AVA, and
495 # in a suffix. A tag `<>' is appended to the DN.
496 # If the DN refers to an entry in the `ou=admin' subtree,
497 # the filter is rewritten OR-ing the `uid=<arg>' with
498 # `cn=<arg>'; otherwise it is left as is. This could be
499 # useful, for instance, to allow apache's auth_ldap-1.4
500 # module to authenticate users with both `uid' and
501 # `cn', but only if the request comes from a possible
502 # `cn=Web auth,ou=admin,dc=home,dc=net' user.
503 rwm-rewriteContext searchFilter
504 rwm-rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
505 "${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
507 rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
508 "${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
509 rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
511 # This example shows how to strip unwanted DN-valued
512 # attribute values from a search result; the first rule
513 # matches DN values below "ou=People,dc=example,dc=com";
514 # in case of match the rewriting exits successfully.
515 # The second rule matches everything else and causes
516 # the value to be rejected.
517 rwm-rewriteContext searchEntryDN
518 rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
519 rwm-rewriteRule ".*" "" "#"
521 .SH "MAPPING EXAMPLES"
522 The following directives map the object class `groupOfNames' to
523 the object class `groupOfUniqueNames' and the attribute type
524 `member' to the attribute type `uniqueMember':
528 map objectclass groupOfNames groupOfUniqueNames
529 map attribute uniqueMember member
533 This presents a limited attribute set from the foreign
540 map attribute manager *
541 map attribute description *
546 These lines map cn, sn, manager, and description to themselves, and
547 any other attribute gets "removed" from the object before it is sent
548 to the client (or sent up to the LDAP server). This is obviously a
549 simplistic example, but you get the point.
553 default slapd configuration file
558 .BR slapd\-relay (5),
563 Pierangelo Masarati; based on back-ldap rewrite/remap features
564 by Howard Chu, Pierangelo Masarati.