Provided by: slapd_2.4.21-0ubuntu5_i386 bug

NAME

       slapo-rwm - rewrite/remap overlay to slapd

SYNOPSIS

       /etc/ldap/slapd.conf

DESCRIPTION

       The  rwm  overlay  to  slapd(8)  performs  basic  DN/data  rewrite  and
       objectClass/attributeType mapping.  Its usage  is  mostly  intended  to
       provide  virtual views of existing data either remotely, in conjunction
       with the proxy backend  described  in  slapd-ldap(5),  or  locally,  in
       conjunction with the relay backend described in slapd-relay(5).

       This overlay is experimental.

MAPPING

       An  important  feature  of  the  rwm  overlay  is the capability to map
       objectClasses and attributeTypes from the local set (or a subset of it)
       to a foreign set, and vice versa.  This is accomplished by means of the
       rwm-map directive.

       rwm-map {attribute | objectclass} [<local name> | *] {<foreign name>  |
       *}
              Map attributeTypes and objectClasses from the foreign server  to
              different  values  on  the local slapd.  The reason is that some
              attributes might not be part of the local slapd's  schema,  some
              attribute  names  might be different but serve the same purpose,
              etc.  If local or foreign name is `*', the  name  is  preserved.
              If local name is omitted, the foreign name is removed.  Unmapped
              names are preserved if both local and foreign name are `*',  and
              removed if local name is omitted and foreign name is `*'.

       The local objectClasses and attributeTypes must be defined in the local
       schema; the foreign ones do not have to, but users  are  encouraged  to
       explicitly  define the remote attributeTypes and the objectClasses they
       intend to map.  All in all, when remapping a remote  server  via  back-
       ldap  (slapd-ldap(5)) or back-meta (slapd-meta(5)) their definition can
       be easily obtained by querying  the  subschemaSubentry  of  the  remote
       server;  the  problem should not exist when remapping a local database.
       Note,  however,  that  the  decision  whether   to   rewrite   or   not
       attributeTypes with distinguishedName syntax, requires the knowledge of
       the attributeType syntax.  See the REWRITING section for details.

       Note that when mapping DN-valued attributes from local to remote, first
       the  DN  is  rewritten,  and  then  the  attributeType is mapped; while
       mapping from remote to local, first the attributeType  is  mapped,  and
       then  the  DN  is  rewritten.   As such, it is important that the local
       attributeType is appropriately defined as using  the  distinguishedName
       syntax.   Also,  note that there are DN-related syntaxes (i.e. compound
       types with a portion that is DN-valued), like nameAndOptionalUID, whose
       values are currently not rewritten.

       If the foreign type of an attribute mapping is not defined on the local
       server, it might be desirable to have the attribute  values  normalized
       after the mapping process. Not normalizing the values can lead to wrong
       results, when the rwm overlay is used together  with  e.g.  the  pcache
       overlay.   This   normalization   can   be  enabled  by  means  of  the
       rwm-normalize-mapped-attrs directive.

       rwm-normalize-mapped-attrs {yes|no}
              Set this to "yes", if the rwm overlay should  try  to  normalize
              the  values of attributes that are mapped from an attribute type
              that is unknown to the local server. The default value  of  this
              setting is "no".

       rwm-drop-unrequested-attrs {yes|no}
              Set  this  to  "yes",  if the rwm overlay should drop attributes
              that are not explicitly requested by a search  operation.   When
              this  is  set to "no", the rwm overlay will leave all attributes
              in place, so that  subsequent  modules  can  further  manipulate
              them.   In any case, unrequested attributes will be omitted from
              search results by the frontend, when the search  entry  response
              package is encoded.  The default value of this setting is "yes".

SUFFIX MASSAGING

       A basic feature of the rwm overlay is the capability to perform  suffix
       massaging  between  a virtual and a real naming context by means of the
       rwm-suffixmassage directive.  This, in conjunction with proxy backends,
       slapd-ldap(5)   and   slapd-meta(5),   or   with   the  relay  backend,
       slapd-relay(5),  allows  to  create  virtual  views  of  databases.   A
       distinguishing  feature  of  this  overlay  is  that, when instantiated
       before any database, it can modify the DN of requests  before  database
       selection.   For  this  reason, rules that rewrite the empty DN ("") or
       the  subschemaSubentry  DN  (usually  "cn=subschema"),  would   prevent
       clients from reading the root DSE or the DSA's schema.

       rwm-suffixmassage [<virtual naming context>] <real naming context>
              Shortcut  to  implement  naming  context rewriting; the trailing
              part of the DN is rewritten from the virtual to the real  naming
              context  in the bindDN, searchDN, searchFilterAttrDN, compareDN,
              compareAttrDN, addDN, addAttrDN, modifyDN, modifyAttrDN, modrDN,
              newSuperiorDN,  deleteDN, exopPasswdDN, and from the real to the
              virtual naming context in the  searchEntryDN,  searchAttrDN  and
              matchedDN  rewrite contexts.  By default no rewriting occurs for
              the searchFilter  and  for  the  referralAttrDN  and  referralDN
              rewrite  contexts.  If no <virtual naming context> is given, the
              first  suffix  of  the  database  is  used;  this  requires  the
              rwm-suffixmassage directive be defined after the database suffix
              directive.  The rwm-suffixmassage directive  automatically  sets
              the rwm-rewriteEngine to ON.

       See the REWRITING section for details.

REWRITING

       A  string  is  rewritten according to a set of rules, called a `rewrite
       context'.   The  rules  are  based  on  POSIX  (''extended'')   regular
       expressions  with  substring  matching; basic variable substitution and
       map resolution of substrings is allowed by specific mechanisms detailed
       in the following.  The behavior of pattern matching/substitution can be
       altered by a set of flags.

              <rewrite context> ::= <rewrite rule> [...]
              <rewrite rule> ::= <pattern> <action> [<flags>]

       The underlying concept is to build a lightweight rewrite module for the
       slapd server (initially dedicated to the LDAP backend):

Passes

       An incoming string is matched against a set of rewriteRules.  Rules are
       made of a regex match pattern, a substitution  pattern  and  a  set  of
       actions,  described  by  a  set  of  optional flags.  In case of match,
       string rewriting is performed according  to  the  substitution  pattern
       that allows to refer to substrings matched in the incoming string.  The
       actions,  if  any,  are  finally  performed.   Each  rule  is  executed
       recursively,  unless  altered  by  specific  action  flags; see "Action
       Flags" for details.  A default limit on the recursion level is set, and
       can  be  altered  by the rwm-rewriteMaxPasses directive, as detailed in
       the  "Additional  Configuration  Syntax"  section.   The   substitution
       pattern allows map resolution of substrings.  A map is a generic object
       that maps a substitution pattern to a value.  The flags are divided  in
       "Pattern Matching Flags" and "Action Flags"; the former alter the regex
       match pattern behavior, while the latter alter  the  actions  that  are
       taken after substitution.

Pattern Matching Flags

       `C'    honors case in matching (default is case insensitive)

       `R'    use    POSIX   ''basic''   regular   expressions   (default   is
              ''extended'')

       `M{n}' allow no more than n recursive passes for a specific rule;  does
              not  alter the max total count of passes, so it can only enforce
              a stricter limit for a specific rule.

Action Flags

       `:'    apply the rule once only (default is recursive)

       `@'    stop applying rules in case of match; the current rule is  still
              applied  recursively; combine with `:' to apply the current rule
              only once and then stop.

       `#'    stop current  operation  if  the  rule  matches,  and  issue  an
              `unwilling to perform' error.

       `G{n}' jump  n  rules  back  and  forth  (watch for loops!).  Note that
              `G{1}' is implicit in every rule.

       `I'    ignores errors in rule; this  means,  in  case  of  error,  e.g.
              issued  by  a  map, the error is treated as a missed match.  The
              `unwilling to perform' is not overridden.

       `U{n}' uses n as return code if the rule matches;  the  flag  does  not
              alter  the  recursive  behavior  of  the  rule,  so,  to have it
              performed only once, it must be used in  combination  with  `:',
              e.g.   `:U{32}' returns the value `32' (indicating noSuchObject)
              after exactly one execution of the rule, if the pattern matches.
              As  a  consequence,  its behavior is equivalent to `@', with the
              return code set to n; or, in other words, `@' is  equivalent  to
              `U{0}'.   Positive  errors  are  allowed, indicating the related
              LDAP error codes as specified in draft-ietf-ldapbis-protocol.

       The ordering of the flags can be significant.   For  instance:  `IG{2}'
       means  ignore errors and jump two lines ahead both in case of match and
       in case of error, while `G{2}I' means ignore errors, but jump two lines
       ahead only in case of match.

       More flags (mainly Action Flags) will be added as needed.

Pattern Matching

       See regex(7) and/or re_format(7).

Substitution Pattern Syntax

       Everything starting with `$' requires substitution;

       the only obvious exception is `$$', which is turned into a single `$';

       the  basic  substitution is `$<d>', where `<d>' is a digit; 0 means the
       whole string, while 1-9 is a submatch, as discussed in regex(7)  and/or
       re_format(7).

       a  `$' followed by a `{' invokes an advanced substitution.  The pattern
       is:

              `$' `{' [ <operator> ] <name> `(' <substitution> `)' `}'

       where <name> must be a legal name for the map, i.e.

              <name> ::= [a-z][a-z0-9]* (case insensitive)
              <operator> ::= `>' `|' `&' `&&' `*' `**' `$'

       and <substitution> must be a legal substitution pattern, with no limits
       on the nesting level.

       The operators are:

       >      sub-context  invocation; <name> must be a legal, already defined
              rewrite context name

       |      external command invocation;  <name>  must  refer  to  a  legal,
              already defined command name (NOT IMPLEMENTED YET)

       &      variable  assignment;  <name>  defines a variable in the running
              operation structure which can be dereferenced later; operator  &
              assigns  a  variable  in  the rewrite context scope; operator &&
              assigns a variable that scopes  the  entire  session,  e.g.  its
              value can be dereferenced later by other rewrite contexts

       *      variable  dereferencing; <name> must refer to a variable that is
              defined and assigned  for  the  running  operation;  operator  *
              dereferences a variable scoping the rewrite context; operator **
              dereferences a variable scoping  the  whole  session,  e.g.  the
              value is passed across rewrite contexts

       $      parameter  dereferencing;  <name>  must  refer  to  an  existing
              parameter; the idea is to make some run-time parameters  set  by
              the  system  available to the rewrite engine, as the client host
              name, the bind DN if any,  constant  parameters  initialized  at
              config  time, and so on; no parameter is currently set by either
              back-ldap or back-meta, but constant parameters can  be  defined
              in the configuration file by using the rewriteParam directive.

       Substitution  escaping  has  been delegated to the `$' symbol, which is
       used instead of `\' in string  substitution  patterns  because  `\'  is
       already   escaped   by   slapd's  low  level  parsing  routines;  as  a
       consequence,  regex   escaping   requires   two   `\'   symbols,   e.g.
       `.*\.foo\.bar' must be written as `.*\\.foo\\.bar'.

Rewrite Context

       A rewrite context is a set of rules which are applied in sequence.  The
       basic idea is to have an application initialize a rewrite engine (think
       of  Apache's  mod_rewrite  ...)  with  a  set of rewrite contexts; when
       string rewriting is  required,  one  invokes  the  appropriate  rewrite
       context with the input string and obtains the newly rewritten one if no
       errors occur.

       Each basic server operation is associated to a  rewrite  context;  they
       are  divided  in two main groups: client -> server and server -> client
       rewriting.

       client -> server:

              (default)            if defined and no specific context
                                   is available
              bindDN               bind
              searchDN             search
              searchFilter         search
              searchFilterAttrDN   search
              compareDN            compare
              compareAttrDN        compare AVA
              addDN                add
              addAttrDN            add AVA (DN portion of "ref" excluded)
              modifyDN             modify
              modifyAttrDN         modify AVA (DN portion of "ref" excluded)
              referralAttrDN       add/modify DN portion of referrals
                                   (default to none)
              renameDN             modrdn (the old DN)
              newSuperiorDN        modrdn (the new parent DN, if any)
              newRDN               modrdn (the new relative DN)
              deleteDN             delete
              exopPasswdDN         password modify extended operation DN

       server -> client:

              searchEntryDN        search (only if defined; no default;
                                   acts on DN of search entries)
              searchAttrDN         search AVA (only if defined; defaults
                                   to searchEntryDN; acts on DN-syntax
                                   attributes of search results)
              matchedDN            all ops (only if applicable; defaults
                                   to searchEntryDN)
              referralDN           all ops (only if applicable; defaults
                                   to none)

Basic Configuration Syntax

       All rewrite/remap directives start with the prefix rwm-; for  backwards
       compatibility  with  the  historical  slapd-ldap(5)  and  slapd-meta(5)
       builtin rewrite/remap capabilities, the prefix may be omitted, but this
       practice is strongly discouraged.

       rwm-rewriteEngine { on | off }
              If  `on',  the  requested  rewriting  is performed; if `off', no
              rewriting takes place (an easy way  to  stop  rewriting  without
              altering too much the configuration file).

       rwm-rewriteContext <context name> [ alias <aliased context name> ]
              <Context name> is the name that identifies the context, i.e. the
              name used by the application to refer to the  set  of  rules  it
              contains.   It  is used also to reference sub contexts in string
              rewriting.  A context may alias another one.  In this  case  the
              alias  context  contains  no  rule, and any reference to it will
              result in accessing the aliased one.

       rwm-rewriteRule <regex match pattern> <substitution pattern> [  <flags>
       ]
              Determines how a  string  can  be  rewritten  if  a  pattern  is
              matched.  Examples are reported below.

Additional Configuration Syntax

       rwm-rewriteMap <map type> <map name> [ <map attrs> ]
              Allows  to define a map that transforms substring rewriting into
              something else.  The map is referenced inside  the  substitution
              pattern of a rule.

       rwm-rewriteParam <param name> <param value>
              Sets  a value with global scope, that can be dereferenced by the
              command `${$paramName}'.

       rwm-rewriteMaxPasses <number of passes> [<number of passes per rule>]
              Sets the maximum number of total rewriting passes  that  can  be
              performed  in  a  single  rewrite operation (to avoid loops).  A
              safe default is set to 100; note that  reaching  this  limit  is
              still  treated  as  a  success; recursive invocation of rules is
              simply  interrupted.   The  count  applies  to   the   rewriting
              operation  as  a whole, not to any single rule; an optional per-
              rule limit can be set.  This  limit  is  overridden  by  setting
              specific per-rule limits with the `M{n}' flag.

MAPS

       Currently,  few  maps  are  builtin  but  additional  map  types may be
       registered at runtime.

       Supported maps are:

       LDAP   <URI>   [bindwhen=<when>]   [version=<version>]    [binddn=<DN>]
       [credentials=<cred>]
              The LDAP map expands a value by performing a simple LDAP search.
              Its  configuration  is  based  on  a  mandatory URI, whose attrs
              portion must contain exactly one attribute (use entryDN to fetch
              the  DN of an entry).  If a multi-valued attribute is used, only
              the first value is considered.

              The  parameter  bindwhen  determines  when  the  connection   is
              established.   It can take the values now, later, and everytime,
              respectively indicating that the connection should be created at
              startup,  when  required, or any time it is used.  In the former
              two cases, the connection is cached, while in the latter a fresh
              new one is used all times.  This is the default.

              The  parameters  binddn and credentials represent the DN and the
              password that is used to perform an  authenticated  simple  bind
              before  performing  the  search  operation;  if  not  given,  an
              anonymous connection is used.

              The parameter version can be 2 or 3  to  indicate  the  protocol
              version that must be used.  The default is 3.

       slapd <URI>
              The  slapd  map  expands  a value by performing an internal LDAP
              search.  Its configuration is based on a  mandatory  URI,  which
              must  begin  with  ldap:/// (i.e., it must be an LDAP URI and it
              must not specify a host).  As  with  the  LDAP  map,  the  attrs
              portion  must  contain  exactly  one  attribute, and if a multi-
              valued attribute is used, only the first value is considered.

REWRITE CONFIGURATION EXAMPLES

       # set to `off' to disable rewriting
       rwm-rewriteEngine on

       # the rules the "suffixmassage" directive implies
       rwm-rewriteEngine on
       # all dataflow from client to server referring to DNs
       rwm-rewriteContext default
       rwm-rewriteRule "(.+,)?<virtualnamingcontext>$" "$1<realnamingcontext>" ":"
       # empty filter rule
       rwm-rewriteContext searchFilter
       # all dataflow from server to client
       rwm-rewriteContext searchEntryDN
       rwm-rewriteRule "(.+,)?<realnamingcontext>$" "$1<virtualnamingcontext>" ":"
       rwm-rewriteContext searchAttrDN alias searchEntryDN
       rwm-rewriteContext matchedDN alias searchEntryDN
       # misc empty rules
       rwm-rewriteContext referralAttrDN
       rwm-rewriteContext referralDN

       # Everything defined here goes into the `default' context.
       # This rule changes the naming context of anything sent
       # to `dc=home,dc=net' to `dc=OpenLDAP, dc=org'

       rwm-rewriteRule "(.+,)?dc=home,[ ]?dc=net$"
                   "$1dc=OpenLDAP, dc=org"  ":"

       # since a pretty/normalized DN does not include spaces
       # after rdn separators, e.g. `,', this rule suffices:

       rwm-rewriteRule "(.+,)?dc=home,dc=net$"
                   "$1dc=OpenLDAP,dc=org"  ":"

       # Start a new context (ends input of the previous one).
       # This rule adds blanks between DN parts if not present.
       rwm-rewriteContext  addBlanks
       rwm-rewriteRule     "(.*),([^ ].*)" "$1, $2"

       # This one eats blanks
       rwm-rewriteContext  eatBlanks
       rwm-rewriteRule     "(.*), (.*)" "$1,$2"

       # Here control goes back to the default rewrite
       # context; rules are appended to the existing ones.
       # anything that gets here is piped into rule `addBlanks'
       rwm-rewriteContext  default
       rwm-rewriteRule     ".*" "${>addBlanks($0)}" ":"

       # Rewrite the search base according to `default' rules.
       rwm-rewriteContext  searchDN alias default

       # Search results with OpenLDAP DN are rewritten back with
       # `dc=home,dc=net' naming context, with spaces eaten.
       rwm-rewriteContext  searchEntryDN
       rwm-rewriteRule     "(.*[^ ],)?[ ]?dc=OpenLDAP,[ ]?dc=org$"
                       "${>eatBlanks($1)}dc=home,dc=net"    ":"

       # Bind with email instead of full DN: we first need
       # an ldap map that turns attributes into a DN (the
       # argument used when invoking the map is appended to
       # the URI and acts as the filter portion)
       rwm-rewriteMap ldap attr2dn "ldap://host/dc=my,dc=org?dn?sub"

       # Then we need to detect DN made up of a single email,
       # e.g. `mail=someone@example.com'; note that the rule
       # in case of match stops rewriting; in case of error,
       # it is ignored.  In case we are mapping virtual
       # to real naming contexts, we also need to rewrite
       # regular DNs, because the definition of a bindDN
       # rewrite context overrides the default definition.
       rwm-rewriteContext bindDN
       rwm-rewriteRule "^mail=[^,]+@[^,]+$" "${attr2dn($0)}" ":@I"

       # This is a rather sophisticated example. It massages a
       # search filter in case who performs the search has
       # administrative privileges.  First we need to keep
       # track of the bind DN of the incoming request, which is
       # stored in a variable called `binddn' with session scope,
       # and left in place to allow regular binding:
       rwm-rewriteContext  bindDN
       rwm-rewriteRule     ".+" "${&&binddn($0)}$0" ":"

       # A search filter containing `uid=' is rewritten only
       # if an appropriate DN is bound.
       # To do this, in the first rule the bound DN is
       # dereferenced, while the filter is decomposed in a
       # prefix, in the value of the `uid=<arg>' AVA, and
       # in a suffix. A tag `<>' is appended to the DN.
       # If the DN refers to an entry in the `ou=admin' subtree,
       # the filter is rewritten OR-ing the `uid=<arg>' with
       # `cn=<arg>'; otherwise it is left as is. This could be
       # useful, for instance, to allow apache's auth_ldap-1.4
       # module to authenticate users with both `uid' and
       # `cn', but only if the request comes from a possible
       # `cn=Web auth,ou=admin,dc=home,dc=net' user.
       rwm-rewriteContext searchFilter
       rwm-rewriteRule "(.*\\()uid=([a-z0-9_]+)(\\).*)"
         "${**binddn}<>${&prefix($1)}${&arg($2)}${&suffix($3)}"
         ":I"
       rwm-rewriteRule "^[^,]+,ou=admin,dc=home,dc=net$"
         "${*prefix}|(uid=${*arg})(cn=${*arg})${*suffix}" ":@I"
       rwm-rewriteRule ".*<>$" "${*prefix}uid=${*arg}${*suffix}" ":"

       # This example shows how to strip unwanted DN-valued
       # attribute values from a search result; the first rule
       # matches DN values below "ou=People,dc=example,dc=com";
       # in case of match the rewriting exits successfully.
       # The second rule matches everything else and causes
       # the value to be rejected.
       rwm-rewriteContext searchEntryDN
       rwm-rewriteRule ".+,ou=People,dc=example,dc=com$" "$0" ":@"
       rwm-rewriteRule ".*" "" "#"

MAPPING EXAMPLES

       The following directives map the object  class  `groupOfNames'  to  the
       object  class  `groupOfUniqueNames'  and the attribute type `member' to
       the attribute type `uniqueMember':

              map objectclass groupOfNames groupOfUniqueNames
              map attribute uniqueMember member

       This presents a limited attribute set from the foreign server:

              map attribute cn *
              map attribute sn *
              map attribute manager *
              map attribute description *
              map attribute *

       These lines map cn, sn, manager, and description to themselves, and any
       other attribute gets "removed" from the object before it is sent to the
       client (or sent up to the LDAP server).  This is obviously a simplistic
       example, but you get the point.

FILES

       /etc/ldap/slapd.conf
              default slapd configuration file

SEE ALSO

       slapd.conf(5),     slapd-config(5),    slapd-ldap(5),    slapd-meta(5),
       slapd-relay(5), slapd(8), regex(7), re_format(7).

AUTHOR

       Pierangelo Masarati;  based  on  back-ldap  rewrite/remap  features  by
       Howard Chu, Pierangelo Masarati.