1 .TH SLAPO-RWM 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2006 The OpenLDAP Foundation, All Rights Reserved.
3 .\" Copying restrictions apply. See the COPYRIGHT file.
4 .\" Copyright 2004, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 .\" Portions of this document should probably be moved to slapd-ldap(5)
8 .\" and maybe manual pages for librewrite.
11 slapo-rwm \- rewrite/remap overlay
19 performs basic DN/data rewrite and objectClass/attributeType mapping.
20 Its usage is mostly intended to provide virtual views of existing data
21 either remotely, in conjunction with the proxy backend described in
23 or locally, in conjunction with the relay backend described in
26 This overlay is experimental.
28 An important feature of the
30 overlay is the capability to map objectClasses and attributeTypes
31 from the local set (or a subset of it) to a foreign set, and vice versa.
32 This is accomplished by means of the
36 .B rwm-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
37 Map attributeTypes and objectClasses from the foreign server to
38 different values on the local slapd.
39 The reason is that some attributes might not be part of the local
40 slapd's schema, some attribute names might be different but serve the
42 If local or foreign name is `*', the name is preserved.
43 If local name is omitted, the foreign name is removed.
44 Unmapped names are preserved if both local and foreign name are `*',
45 and removed if local name is omitted and foreign name is `*'.
51 must be defined in the local schema; the foreign ones do not have to,
52 but users are encouraged to explicitly define the remote attributeTypes
53 and the objectClasses they intend to map. All in all, when remapping
54 a remote server via back-ldap (\fBslapd-ldap\fP(5))
55 or back-meta (\fBslapd-meta\fP(5))
56 their definition can be easily obtained by querying the \fIsubschemaSubentry\fP
57 of the remote server; the problem should not exist when remapping a local
59 Note, however, that the decision whether to rewrite or not attributeTypes
61 .IR "distinguishedName syntax" ,
62 requires the knowledge of the attributeType syntax.
63 See the REWRITING section for details.
65 Note that when mapping DN-valued attributes from local to remote,
66 first the DN is rewritten, and then the attributeType is mapped;
67 while mapping from remote to local, first the attributeType is mapped,
68 and then the DN is rewritten.
69 As such, it is important that the local attributeType is appropriately
70 defined as using the distinguishedName syntax.
71 Also, note that there are DN-related syntaxes (i.e. compound types with
72 a portion that is DN-valued), like nameAndOptionalUID,
73 whose values are currently not rewritten.
75 A basic feature of the
77 overlay is the capability to perform suffix massaging between a virtual
78 and a real naming context by means of the
82 .B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
83 Shortcut to implement naming context rewriting; the trailing part
84 of the DN is rewritten from the virtual to the real naming context
85 in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
86 addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN,
87 deleteDN, exopPasswdDN, and from the real to the virtual naming context
88 in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts.
89 By default no rewriting occurs for the searchFilter
90 and for the referralAttrDN and referralDN rewrite contexts.
91 If no \fI<virtual naming context>\fP is given, the first suffix of the
92 database is used; this requires the
94 directive be defined \fIafter\fP the database
99 directive automatically sets the
104 See the REWRITING section for details.
106 A string is rewritten according to a set of rules, called a `rewrite
108 The rules are based on POSIX (''extended'') regular expressions with
109 substring matching; basic variable substitution and map resolution
110 of substrings is allowed by specific mechanisms detailed in the following.
111 The behavior of pattern matching/substitution can be altered by a set
116 <rewrite context> ::= <rewrite rule> [...]
117 <rewrite rule> ::= <pattern> <action> [<flags>]
121 The underlying concept is to build a lightweight rewrite module
122 for the slapd server (initially dedicated to the LDAP backend):
125 An incoming string is matched against a set of
128 .IR "regex match pattern" ,
130 .I "substitution pattern"
131 and a set of actions, described by a set of
132 .IR "optional flags" .
133 In case of match, string rewriting is performed according to the
134 substitution pattern that allows to refer to substrings matched in the
136 The actions, if any, are finally performed.
137 Each rule is executed recursively, unless altered by specific action
138 flags; see "Action Flags" for details.
139 A default limit on the recursion level is set, and can be altered
141 .B rwm-rewriteMaxPasses
142 directive, as detailed in the "Additional Configuration Syntax" section.
143 The substitution pattern allows map resolution of substrings.
144 A map is a generic object that maps a substitution pattern to a value.
145 The flags are divided in "Pattern Matching Flags" and "Action Flags";
146 the former alter the regex match pattern behavior, while the latter
147 alter the actions that are taken after substitution.
148 .SH "Pattern Matching Flags"
151 honors case in matching (default is case insensitive)
154 use POSIX ''basic'' regular expressions (default is ''extended'')
159 recursive passes for a specific rule; does not alter the max total count
160 of passes, so it can only enforce a stricter limit for a specific rule.
164 apply the rule once only (default is recursive)
167 stop applying rules in case of match; the current rule is still applied
168 recursively; combine with `:' to apply the current rule only once
172 stop current operation if the rule matches, and issue an `unwilling to
178 rules back and forth (watch for loops!).
179 Note that `G{1}' is implicit in every rule.
182 ignores errors in rule; this means, in case of error, e.g. issued by a
183 map, the error is treated as a missed match.
184 The `unwilling to perform' is not overridden.
190 as return code if the rule matches; the flag does not alter the recursive
191 behavior of the rule, so, to have it performed only once, it must be used
192 in combination with `:', e.g.
194 returns the value `32' (indicating noSuchObject) after exactly
195 one execution of the rule, if the pattern matches.
196 As a consequence, its behavior is equivalent to `@', with the return
199 or, in other words, `@' is equivalent to `U{0}'.
200 Positive errors are allowed, indicating the related LDAP error codes
201 as specified in \fIdraft-ietf-ldapbis-protocol\fP.
203 The ordering of the flags can be significant.
204 For instance: `IG{2}' means ignore errors and jump two lines ahead
205 both in case of match and in case of error, while `G{2}I' means ignore
206 errors, but jump two lines ahead only in case of match.
208 More flags (mainly Action Flags) will be added as needed.
209 .SH "Pattern Matching"
214 .SH "Substitution Pattern Syntax"
215 Everything starting with `$' requires substitution;
217 the only obvious exception is `$$', which is turned into a single `$';
219 the basic substitution is `$<d>', where `<d>' is a digit;
220 0 means the whole string, while 1-9 is a submatch, as discussed in
225 a `$' followed by a `{' invokes an advanced substitution.
229 `$' `{' [ <operator> ] <name> `(' <substitution> `)' `}'
232 where <name> must be a legal name for the map, i.e.
236 <name> ::= [a-z][a-z0-9]* (case insensitive)
237 <operator> ::= `>' `|' `&' `&&' `*' `**' `$'
241 and <substitution> must be a legal substitution
242 pattern, with no limits on the nesting level.
247 sub-context invocation; <name> must be a legal, already defined
251 external command invocation; <name> must refer to a legal, already
252 defined command name (NOT IMPLEMENTED YET)
255 variable assignment; <name> defines a variable in the running
256 operation structure which can be dereferenced later; operator
258 assigns a variable in the rewrite context scope; operator
260 assigns a variable that scopes the entire session, e.g. its value
261 can be dereferenced later by other rewrite contexts
264 variable dereferencing; <name> must refer to a variable that is
265 defined and assigned for the running operation; operator
267 dereferences a variable scoping the rewrite context; operator
269 dereferences a variable scoping the whole session, e.g. the value
270 is passed across rewrite contexts
273 parameter dereferencing; <name> must refer to an existing parameter;
274 the idea is to make some run-time parameters set by the system
275 available to the rewrite engine, as the client host name, the bind DN
276 if any, constant parameters initialized at config time, and so on;
277 no parameter is currently set by either
281 but constant parameters can be defined in the configuration file
286 Substitution escaping has been delegated to the `$' symbol,
287 which is used instead of `\e' in string substitution patterns
288 because `\e' is already escaped by slapd's low level parsing routines;
289 as a consequence, regex escaping requires
290 two `\e' symbols, e.g. `\fB.*\e.foo\e.bar\fP' must
291 be written as `\fB.*\e\e.foo\e\e.bar\fP'.
293 .\" The symbol can be altered at will by redefining the related macro in
296 .SH "Rewrite Context"
297 A rewrite context is a set of rules which are applied in sequence.
298 The basic idea is to have an application initialize a rewrite
299 engine (think of Apache's mod_rewrite ...) with a set of rewrite
300 contexts; when string rewriting is required, one invokes the
301 appropriate rewrite context with the input string and obtains the
302 newly rewritten one if no errors occur.
304 Each basic server operation is associated to a rewrite context;
305 they are divided in two main groups: client \-> server and
306 server \-> client rewriting.
312 (default) if defined and no specific context
317 searchFilterAttrDN search
319 compareAttrDN compare AVA
321 addAttrDN add AVA (DN portion of "ref" excluded)
323 modifyAttrDN modify AVA (DN portion of "ref" excluded)
324 referralAttrDN add/modify DN portion of referrals
329 exopPasswdDN password modify extended operation DN
337 searchEntryDN search (only if defined; no default;
338 acts on DN of search entries)
339 searchAttrDN search AVA (only if defined; defaults
340 to searchEntryDN; acts on DN-syntax
341 attributes of search results)
342 matchedDN all ops (only if applicable; defaults
344 referralDN all ops (only if applicable; defaults
349 .SH "Basic Configuration Syntax"
350 All rewrite/remap directives start with the prefix
352 for backwards compatibility with the historical
356 builtin rewrite/remap capabilities, the prefix may be omitted,
357 but this practice is strongly discouraged.
359 .B rwm-rewriteEngine { on | off }
360 If `on', the requested rewriting is performed; if `off', no
361 rewriting takes place (an easy way to stop rewriting without
362 altering too much the configuration file).
364 .B rwm-rewriteContext <context name> "[ alias <aliased context name> ]"
365 <Context name> is the name that identifies the context, i.e. the name
366 used by the application to refer to the set of rules it contains.
367 It is used also to reference sub contexts in string rewriting.
368 A context may alias another one.
369 In this case the alias context contains no rule, and any reference to
370 it will result in accessing the aliased one.
372 .B rwm-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
373 Determines how a string can be rewritten if a pattern is matched.
374 Examples are reported below.
375 .SH "Additional Configuration Syntax"
377 .B rwm-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
378 Allows to define a map that transforms substring rewriting into
380 The map is referenced inside the substitution pattern of a rule.
382 .B rwm-rewriteParam <param name> <param value>
383 Sets a value with global scope, that can be dereferenced by the
384 command `${$paramName}'.
386 .B rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
387 Sets the maximum number of total rewriting passes that can be
388 performed in a single rewrite operation (to avoid loops).
389 A safe default is set to 100; note that reaching this limit is still
390 treated as a success; recursive invocation of rules is simply
392 The count applies to the rewriting operation as a whole, not
393 to any single rule; an optional per-rule limit can be set.
394 This limit is overridden by setting specific per-rule limits
395 with the `M{n}' flag.
398 Currently, few maps are builtin and there are no provisions for developers
399 to register new map types at runtime.
403 .B LDAP <URI> [bindwhen=<when>] [version=<version>] [binddn=<DN>] [credentials=<cred>]
406 map expands a value by performing a simple LDAP search.
407 Its configuration is based on a mandatory URI, whose
409 portion must contain exactly one attribute
412 to fetch the DN of an entry).
413 If a multi-valued attribute is used, only the first value is considered.
417 determines when the connection is established.
418 It can take the values
423 respectively indicating that the connection should be created at startup,
424 when required, or any time it is used.
425 In the former two cases, the connection is cached, while in the latter
426 a fresh new one is used all times. This is the default.
432 represent the DN and the password that is used to perform an authenticated
433 simple bind before performing the search operation; if not given,
434 an anonymous connection is used.
438 can be 2 or 3 to indicate the protocol version that must be used.
441 .SH "REWRITE CONFIGURATION EXAMPLES"
443 # set to `off' to disable rewriting
446 # the rules the "suffixmassage" directive implies
448 # all dataflow from client to server referring to DNs
449 rwm-rewriteContext default
450 rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
452 rwm-rewriteContext searchFilter
453 # all dataflow from server to client
454 rwm-rewriteContext searchEntryDN
455 rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
456 rwm-rewriteContext searchAttrDN alias searchEntryDN
457 rwm-rewriteContext matchedDN alias searchEntryDN
459 rwm-rewriteContext referralAttrDN
460 rwm-rewriteContext referralDN
462 # Everything defined here goes into the `default' context.
463 # This rule changes the naming context of anything sent
464 # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
466 rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
467 "$1dc=OpenLDAP, dc=org" ":"
469 # since a pretty/normalized DN does not include spaces
470 # after rdn separators, e.g. `,', this rule suffices:
472 rwm-rewriteRule "(.+,)?dc=home,dc=net$"
473 "$1dc=OpenLDAP,dc=org" ":"
475 # Start a new context (ends input of the previous one).
476 # This rule adds blanks between DN parts if not present.
477 rwm-rewriteContext addBlanks
478 rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"
480 # This one eats blanks
481 rwm-rewriteContext eatBlanks
482 rwm-rewriteRule "(.*), (.*)" "$1,$2"
484 # Here control goes back to the default rewrite
485 # context; rules are appended to the existing ones.
486 # anything that gets here is piped into rule `addBlanks'
487 rwm-rewriteContext default
488 rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
490 .\" # Anything with `uid=username' is looked up in
491 .\" # /etc/passwd for gecos (I know it's nearly useless,
492 .\" # but it is there just as a guideline to implementing
494 .\" # Note the `I' flag that leaves `uid=username' in place
495 .\" # if `username' does not have a valid account, and the
496 .\" # `:' that forces the rule to be processed exactly once.
497 .\" rwm-rewriteContext uid2Gecos
498 .\" rwm-rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
499 .\" "$1cn=$2{xpasswd},$3" "I:"
501 .\" # Finally, in a bind, if one uses a `uid=username' DN,
502 .\" # it is rewritten in `cn=name surname' if possible.
503 .\" rwm-rewriteContext bindDN
504 .\" rwm-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
506 # Rewrite the search base according to `default' rules.
507 rwm-rewriteContext searchDN alias default
509 # Search results with OpenLDAP DN are rewritten back with
510 # `dc=home,dc=net' naming context, with spaces eaten.
511 rwm-rewriteContext searchEntryDN
512 rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
513 "${>eatBlanks($1)}dc=home,dc=net" ":"
515 # Bind with email instead of full DN: we first need
516 # an ldap map that turns attributes into a DN (the
517 # argument used when invoking the map is appended to
518 # the URI and acts as the filter portion)
519 rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
521 # Then we need to detect DN made up of a single email,
522 # e.g. `mail=someone@example.com'; note that the rule
523 # in case of match stops rewriting; in case of error,
524 # it is ignored. In case we are mapping virtual
525 # to real naming contexts, we also need to rewrite
526 # regular DNs, because the definition of a bindDN
527 # rewrite context overrides the default definition.
528 rwm-rewriteContext bindDN
529 rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
531 # This is a rather sophisticated example. It massages a
532 # search filter in case who performs the search has
533 # administrative privileges. First we need to keep
534 # track of the bind DN of the incoming request, which is
535 # stored in a variable called `binddn' with session scope,
536 # and left in place to allow regular binding:
537 rwm-rewriteContext bindDN
538 rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
540 # A search filter containing `uid=' is rewritten only
541 # if an appropriate DN is bound.
542 # To do this, in the first rule the bound DN is
543 # dereferenced, while the filter is decomposed in a
544 # prefix, in the value of the `uid=<arg>' AVA, and
545 # in a suffix. A tag `<>' is appended to the DN.
546 # If the DN refers to an entry in the `ou=admin' subtree,
547 # the filter is rewritten OR-ing the `uid=<arg>' with
548 # `cn=<arg>'; otherwise it is left as is. This could be
549 # useful, for instance, to allow apache's auth_ldap-1.4
550 # module to authenticate users with both `uid' and
551 # `cn', but only if the request comes from a possible
552 # `cn=Web auth,ou=admin,dc=home,dc=net' user.
553 rwm-rewriteContext searchFilter
554 rwm-rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
555 "${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
557 rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
558 "${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
559 rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
561 # This example shows how to strip unwanted DN-valued
562 # attribute values from a search result; the first rule
563 # matches DN values below "ou=People,dc=example,dc=com";
564 # in case of match the rewriting exits successfully.
565 # The second rule matches everything else and causes
566 # the value to be rejected.
567 rwm-rewriteContext searchEntryDN
568 rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
569 rwm-rewriteRule ".*" "" "#"
571 .SH "MAPPING EXAMPLES"
572 The following directives map the object class `groupOfNames' to
573 the object class `groupOfUniqueNames' and the attribute type
574 `member' to the attribute type `uniqueMember':
578 map objectclass groupOfNames groupOfUniqueNames
579 map attribute uniqueMember member
583 This presents a limited attribute set from the foreign
590 map attribute manager *
591 map attribute description *
596 These lines map cn, sn, manager, and description to themselves, and
597 any other attribute gets "removed" from the object before it is sent
598 to the client (or sent up to the LDAP server). This is obviously a
599 simplistic example, but you get the point.
603 default slapd configuration file
608 .BR slapd\-relay (5),
613 Pierangelo Masarati; based on back-ldap rewrite/remap features
614 by Howard Chu, Pierangelo Masarati.