1 .TH SLAPO-RWM 5 "RELEASEDATE" "OpenLDAP LDVERSION"
2 .\" Copyright 1998-2005 The OpenLDAP Foundation, All Rights Reserved.
3 .\" Copying restrictions apply. See the COPYRIGHT file.
4 .\" Copyright 2004, Pierangelo Masarati, All rights reserved. <ando@sys-net.it>
7 .\" Portions of this document should probably be moved to slapd-ldap(5)
8 .\" and maybe manual pages for librewrite.
11 slapo-rwm \- rewrite/remap overlay
19 performs basic DN/data rewrite and objectClass/attributeType mapping.
20 Its usage is mostly intended to provide virtual views of existing data
21 either remotely, in conjunction with the proxy backend described in
23 or locally, in conjunction with the relay backend described in
26 This overlay is experimental.
28 An important feature of the
30 overlay is the capability to map objectClasses and attributeTypes
31 from the local set (or a subset of it) to a foreign set, and vice versa.
32 This is accomplished by means of the
36 .B rwm-map "{attribute | objectclass} [<local name> | *] {<foreign name> | *}"
37 Map attributeTypes and objectClasses from the foreign server to
38 different values on the local slapd.
39 The reason is that some attributes might not be part of the local
40 slapd's schema, some attribute names might be different but serve the
42 If local or foreign name is `*', the name is preserved.
43 If local name is omitted, the foreign name is removed.
44 Unmapped names are preserved if both local and foreign name are `*',
45 and removed if local name is omitted and foreign name is `*'.
51 must be defined in the local schema; the foreign ones do not have to,
52 but users are encouraged to explicitly define the remote attributeTypes
53 and the objectClasses they intend to map. All in all, when remapping
54 a remote server via back-ldap (\fBslapd-ldap\fP(5))
55 or back-meta (\fBslapd-meta\fP(5))
56 their definition can be easily obtained by querying the \fIsubschemaSubentry\fP
57 of the remote server; the problem should not exist when remapping a local
59 Note, however, that the decision whether to rewrite or not attributeTypes
61 .IR "distinguishedName syntax" ,
62 requires the knowledge of the attributeType syntax.
63 See the REWRITING section for details.
65 Note that when mapping DN-valued attributes from local to remote,
66 first the DN is rewritten, and then the attributeType is mapped;
67 while mapping from remote to local, first the attributeType is mapped,
68 and then the DN is rewritten.
69 As such, it is important that the local attributeType is appropriately
70 defined as using the distinguishedName syntax.
71 Also, note that there are DN-related syntaxes (i.e. compound types with
72 a portion that is DN-valued), like nameAndOptionalUID,
73 whose values are currently not rewritten.
75 A basic feature of the
77 overlay is the capability to perform suffix massaging between a virtual
78 and a real naming context by means of the
82 .B rwm-suffixmassage "[<virtual naming context>]" "<real naming context>"
83 Shortcut to implement naming context rewriting; the trailing part
84 of the DN is rewritten from the virtual to the real naming context
85 in the bindDN, searchDN, searchFilterAttrDN, compareDN, compareAttrDN,
86 addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN, newSuperiorDN,
87 deleteDN, exopPasswdDN, and from the real to the virtual naming context
88 in the searchEntryDN, searchAttrDN and matchedDN rewrite contexts.
89 By default no rewriting occurs for the searchFilter
90 and for the referralAttrDN and referralDN rewrite contexts.
91 If no \fI<virtual naming context>\fP is given, the first suffix of the
92 database is used; this requires the
94 directive be defined \fIafter\fP the database
99 directive automatically sets the
104 See the REWRITING section for details.
106 A string is rewritten according to a set of rules, called a `rewrite
108 The rules are based on POSIX (''extended'') regular expressions with
109 substring matching; basic variable substitution and map resolution
110 of substrings is allowed by specific mechanisms detailed in the following.
111 The behavior of pattern matching/substitution can be altered by a set
116 <rewrite context> ::= <rewrite rule> [...]
117 <rewrite rule> ::= <pattern> <action> [<flags>]
121 The underlying concept is to build a lightweight rewrite module
122 for the slapd server (initially dedicated to the LDAP backend):
125 An incoming string is matched against a set of
128 .IR "regex match pattern" ,
130 .I "substitution pattern"
131 and a set of actions, described by a set of
132 .IR "optional flags" .
133 In case of match, string rewriting is performed according to the
134 substitution pattern that allows to refer to substrings matched in the
136 The actions, if any, are finally performed.
137 Each rule is executed recursively, unless altered by specific action
138 flags; see "Action Flags" for details.
139 A default limit on the recursion level is set, and can be altered
141 .B rwm-rewriteMaxPasses
142 directive, as detailed in the "Additional Configuration Syntax" section.
143 The substitution pattern allows map resolution of substrings.
144 A map is a generic object that maps a substitution pattern to a value.
145 The flags are divided in "Pattern Matching Flags" and "Action Flags";
146 the former alter the regex match pattern behavior, while the latter
147 alter the actions that are taken after substitution.
148 .SH "Pattern Matching Flags"
151 honors case in matching (default is case insensitive)
154 use POSIX ''basic'' regular expressions (default is ''extended'')
159 recursive passes for a specific rule; does not alter the max total count
160 of passes, so it can only enforce a stricter limit for a specific rule.
164 apply the rule once only (default is recursive)
167 stop applying rules in case of match; the current rule is still applied
168 recursively; combine with `:' to apply the current rule only once
172 stop current operation if the rule matches, and issue an `unwilling to
178 rules back and forth (watch for loops!).
179 Note that `G{1}' is implicit in every rule.
182 ignores errors in rule; this means, in case of error, e.g. issued by a
183 map, the error is treated as a missed match.
184 The `unwilling to perform' is not overridden.
190 as return code if the rule matches; the flag does not alter the recursive
191 behavior of the rule, so, to have it performed only once, it must be used
192 in combination with `:', e.g.
194 returns the value `32' (indicating noSuchObject) after exactly
195 one execution of the rule, if the pattern matches.
196 As a consequence, its behavior is equivalent to `@', with the return
199 or, in other words, `@' is equivalent to `U{0}'.
200 Positive errors are allowed, indicating the related LDAP error codes
201 as specified in \fIdraft-ietf-ldapbis-protocol\fP.
203 The ordering of the flags can be significant.
204 For instance: `IG{2}' means ignore errors and jump two lines ahead
205 both in case of match and in case of error, while `G{2}I' means ignore
206 errors, but jump two lines ahead only in case of match.
208 More flags (mainly Action Flags) will be added as needed.
209 .SH "Pattern Matching"
214 .SH "Substitution Pattern Syntax"
215 Everything starting with `$' requires substitution;
217 the only obvious exception is `$$', which is turned into a single `$';
219 the basic substitution is `$<d>', where `<d>' is a digit;
220 0 means the whole string, while 1-9 is a submatch, as discussed in
225 a `$' followed by a `{' invokes an advanced substitution.
229 `$' `{' [ <operator> ] <name> `(' <substitution> `)' `}'
232 where <name> must be a legal name for the map, i.e.
236 <name> ::= [a-z][a-z0-9]* (case insensitive)
237 <operator> ::= `>' `|' `&' `&&' `*' `**' `$'
241 and <substitution> must be a legal substitution
242 pattern, with no limits on the nesting level.
247 sub-context invocation; <name> must be a legal, already defined
251 external command invocation; <name> must refer to a legal, already
252 defined command name (NOT IMPLEMENTED YET)
255 variable assignment; <name> defines a variable in the running
256 operation structure which can be dereferenced later; operator
258 assigns a variable in the rewrite context scope; operator
260 assigns a variable that scopes the entire session, e.g. its value
261 can be dereferenced later by other rewrite contexts
264 variable dereferencing; <name> must refer to a variable that is
265 defined and assigned for the running operation; operator
267 dereferences a variable scoping the rewrite context; operator
269 dereferences a variable scoping the whole session, e.g. the value
270 is passed across rewrite contexts
273 parameter dereferencing; <name> must refer to an existing parameter;
274 the idea is to make some run-time parameters set by the system
275 available to the rewrite engine, as the client host name, the bind DN
276 if any, constant parameters initialized at config time, and so on;
277 no parameter is currently set by either
281 but constant parameters can be defined in the configuration file
286 Substitution escaping has been delegated to the `$' symbol,
287 which is used instead of `\e' in string substitution patterns
288 because `\e' is already escaped by slapd's low level parsing routines;
289 as a consequence, regex escaping requires
290 two `\e' symbols, e.g. `\fB.*\e.foo\e.bar\fP' must
291 be written as `\fB.*\e\e.foo\e\e.bar\fP'.
293 .\" The symbol can be altered at will by redefining the related macro in
296 .SH "Rewrite Context"
297 A rewrite context is a set of rules which are applied in sequence.
298 The basic idea is to have an application initialize a rewrite
299 engine (think of Apache's mod_rewrite ...) with a set of rewrite
300 contexts; when string rewriting is required, one invokes the
301 appropriate rewrite context with the input string and obtains the
302 newly rewritten one if no errors occur.
304 Each basic server operation is associated to a rewrite context;
305 they are divided in two main groups: client \-> server and
306 server \-> client rewriting.
312 (default) if defined and no specific context
317 searchFilterAttrDN search
319 compareAttrDN compare AVA
321 addAttrDN add AVA (DN portion of "ref" excluded)
323 modifyAttrDN modify AVA (DN portion of "ref" excluded)
324 referralAttrDN add/modify DN portion of referrals
329 exopPasswdDN passwd exop DN
337 searchEntryDN search (only if defined; no default;
338 acts on DN of search entries)
339 searchAttrDN search AVA (only if defined; defaults
340 to searchEntryDN; acts on DN-syntax
341 attributes of search results)
342 matchedDN all ops (only if applicable; defaults
344 referralDN all ops (only if applicable; defaults
349 .SH "Basic Configuration Syntax"
350 All rewrite/remap directives start with the prefix
352 for backwards compatibility with the historical
356 builtin rewrite/remap capabilities, the prefix may be omitted,
357 but this practice is strongly discouraged.
359 .B rwm-rewriteEngine { on | off }
360 If `on', the requested rewriting is performed; if `off', no
361 rewriting takes place (an easy way to stop rewriting without
362 altering too much the configuration file).
364 .B rwm-rewriteContext <context name> "[ alias <aliased context name> ]"
365 <Context name> is the name that identifies the context, i.e. the name
366 used by the application to refer to the set of rules it contains.
367 It is used also to reference sub contexts in string rewriting.
368 A context may alias another one.
369 In this case the alias context contains no rule, and any reference to
370 it will result in accessing the aliased one.
372 .B rwm-rewriteRule "<regex match pattern>" "<substitution pattern>" "[ <flags> ]"
373 Determines how a string can be rewritten if a pattern is matched.
374 Examples are reported below.
375 .SH "Additional Configuration Syntax"
377 .B rwm-rewriteMap "<map type>" "<map name>" "[ <map attrs> ]"
378 Allows to define a map that transforms substring rewriting into
380 The map is referenced inside the substitution pattern of a rule.
382 .B rwm-rewriteParam <param name> <param value>
383 Sets a value with global scope, that can be dereferenced by the
384 command `${$paramName}'.
386 .B rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
387 Sets the maximum number of total rewriting passes that can be
388 performed in a single rewrite operation (to avoid loops).
389 A safe default is set to 100; note that reaching this limit is still
390 treated as a success; recursive invocation of rules is simply
392 The count applies to the rewriting operation as a whole, not
393 to any single rule; an optional per-rule limit can be set.
394 This limit is overridden by setting specific per-rule limits
395 with the `M{n}' flag.
396 .SH "REWRITE CONFIGURATION EXAMPLES"
398 # set to `off' to disable rewriting
401 # the rules the "suffixmassage" directive implies
403 # all dataflow from client to server referring to DNs
404 rwm-rewriteContext default
405 rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
407 rwm-rewriteContext searchFilter
408 # all dataflow from server to client
409 rwm-rewriteContext searchEntryDN
410 rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
411 rwm-rewriteContext searchAttrDN alias searchEntryDN
412 rwm-rewriteContext matchedDN alias searchEntryDN
414 rwm-rewriteContext referralAttrDN
415 rwm-rewriteContext referralDN
417 # Everything defined here goes into the `default' context.
418 # This rule changes the naming context of anything sent
419 # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'
421 rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
422 "$1dc=OpenLDAP, dc=org" ":"
424 # since a pretty/normalized DN does not include spaces
425 # after rdn separators, e.g. `,', this rule suffices:
427 rwm-rewriteRule "(.+,)?dc=home,dc=net$"
428 "$1dc=OpenLDAP,dc=org" ":"
430 # Start a new context (ends input of the previous one).
431 # This rule adds blanks between DN parts if not present.
432 rwm-rewriteContext addBlanks
433 rwm-rewriteRule "(.*),([^ ].*)" "$1, $2"
435 # This one eats blanks
436 rwm-rewriteContext eatBlanks
437 rwm-rewriteRule "(.*), (.*)" "$1,$2"
439 # Here control goes back to the default rewrite
440 # context; rules are appended to the existing ones.
441 # anything that gets here is piped into rule `addBlanks'
442 rwm-rewriteContext default
443 rwm-rewriteRule ".*" "${>addBlanks($0)}" ":"
445 .\" # Anything with `uid=username' is looked up in
446 .\" # /etc/passwd for gecos (I know it's nearly useless,
447 .\" # but it is there just as a guideline to implementing
449 .\" # Note the `I' flag that leaves `uid=username' in place
450 .\" # if `username' does not have a valid account, and the
451 .\" # `:' that forces the rule to be processed exactly once.
452 .\" rwm-rewriteContext uid2Gecos
453 .\" rwm-rewriteRule "(.*)uid=([a-z0-9]+),(.+)"
454 .\" "$1cn=$2{xpasswd},$3" "I:"
456 .\" # Finally, in a bind, if one uses a `uid=username' DN,
457 .\" # it is rewritten in `cn=name surname' if possible.
458 .\" rwm-rewriteContext bindDN
459 .\" rwm-rewriteRule ".*" "${>addBlanks(${>uid2Gecos($0)})}" ":"
461 # Rewrite the search base according to `default' rules.
462 rwm-rewriteContext searchDN alias default
464 # Search results with OpenLDAP DN are rewritten back with
465 # `dc=home,dc=net' naming context, with spaces eaten.
466 rwm-rewriteContext searchEntryDN
467 rwm-rewriteRule "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
468 "${>eatBlanks($1)}dc=home,dc=net" ":"
470 # Bind with email instead of full DN: we first need
471 # an ldap map that turns attributes into a DN (the
472 # argument used when invoking the map is appended to
473 # the URI and acts as the filter portion)
474 rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"
476 # Then we need to detect DN made up of a single email,
477 # e.g. `mail=someone@example.com'; note that the rule
478 # in case of match stops rewriting; in case of error,
479 # it is ignored. In case we are mapping virtual
480 # to real naming contexts, we also need to rewrite
481 # regular DNs, because the definition of a bindDN
482 # rewrite context overrides the default definition.
483 rwm-rewriteContext bindDN
484 rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"
486 # This is a rather sophisticated example. It massages a
487 # search filter in case who performs the search has
488 # administrative privileges. First we need to keep
489 # track of the bind DN of the incoming request, which is
490 # stored in a variable called `binddn' with session scope,
491 # and left in place to allow regular binding:
492 rwm-rewriteContext bindDN
493 rwm-rewriteRule ".+" "${&&binddn($0)}$0" ":"
495 # A search filter containing `uid=' is rewritten only
496 # if an appropriate DN is bound.
497 # To do this, in the first rule the bound DN is
498 # dereferenced, while the filter is decomposed in a
499 # prefix, in the value of the `uid=<arg>' AVA, and
500 # in a suffix. A tag `<>' is appended to the DN.
501 # If the DN refers to an entry in the `ou=admin' subtree,
502 # the filter is rewritten OR-ing the `uid=<arg>' with
503 # `cn=<arg>'; otherwise it is left as is. This could be
504 # useful, for instance, to allow apache's auth_ldap-1.4
505 # module to authenticate users with both `uid' and
506 # `cn', but only if the request comes from a possible
507 # `cn=Web auth,ou=admin,dc=home,dc=net' user.
508 rwm-rewriteContext searchFilter
509 rwm-rewriteRule "(.*\e\e()uid=([a-z0-9_]+)(\e\e).*)"
510 "${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
512 rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
513 "${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
514 rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"
516 # This example shows how to strip unwanted DN-valued
517 # attribute values from a search result; the first rule
518 # matches DN values below "ou=People,dc=example,dc=com";
519 # in case of match the rewriting exits successfully.
520 # The second rule matches everything else and causes
521 # the value to be rejected.
522 rwm-rewriteContext searchEntryDN
523 rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
524 rwm-rewriteRule ".*" "" "#"
526 .SH "MAPPING EXAMPLES"
527 The following directives map the object class `groupOfNames' to
528 the object class `groupOfUniqueNames' and the attribute type
529 `member' to the attribute type `uniqueMember':
533 map objectclass groupOfNames groupOfUniqueNames
534 map attribute uniqueMember member
538 This presents a limited attribute set from the foreign
545 map attribute manager *
546 map attribute description *
551 These lines map cn, sn, manager, and description to themselves, and
552 any other attribute gets "removed" from the object before it is sent
553 to the client (or sent up to the LDAP server). This is obviously a
554 simplistic example, but you get the point.
558 default slapd configuration file
563 .BR slapd\-relay (5),
568 Pierangelo Masarati; based on back-ldap rewrite/remap features
569 by Howard Chu, Pierangelo Masarati.