path: root/contrib/slapd-modules/adremap/slapo-adremap.5
blob: 8b1fa458651801311d716f451371e61891cb220a (plain)
.TH SLAPO-ADREMAP 5 "RELEASEDATE" "OpenLDAP LDVERSION"
.\" Copyright 2015 Howard Chu, All Rights Reserved.
.\" $OpenLDAP$
.SH NAME
slapo-adremap \- AD Remap overlay to slapd
.SH SYNOPSIS
ETCDIR/slapd.conf
.SH DESCRIPTION
The
.B adremap
overlay to
.BR slapd (8)
remaps some attribute values for compatibility between Microsoft AD
and older POSIX systems' PAM/NSS clients. It can be configured to
convert values of given attributes to lower case, and it can be
configured to generate RFC2307-compliant group memberships based
on RFC2307bis groups. All mapping is only performed on entries
returned as search responses.

.SH CONFIGURATION
The config directives that are specific to the
.B adremap
overlay must be prefixed by
.BR adremap\- ,
to avoid potential conflicts with directives specific to the underlying 
database or to other stacked overlays.

.TP
.B overlay adremap
This directive adds the
.B adremap
overlay to the current database, see
.BR slapd.conf (5)
for details.

.LP
These
.B slapd.conf
configuration options are defined for the adremap overlay. They must
appear after the
.B overlay
directive. They can each be specified multiple times:
.TP
.B adremap-downcase <attr>
Specify an attributeType whose values will all be mapped to lowercase
when returned in search responses.
.TP
.B adremap-dnmap <dnattr> <targetattr> <newattr> <remoteOC> <localOC> <targetOC> <baseDN>
Specify a DN-valued attributeType whose values will be dereferenced. The
.B <targetattr>
of the target entry will be retrieved and its value will be added to the
.B <newattr>
in the entry. In addition, searches using a filter of the form
.B (&(objectClass=<localOC>)(<newattr>=xxx))
will be rewritten into the form
.BR (&(objectClass=<remoteOC>)(<dnattr>=xxx-DN)) .
This rewrite will be accomplished by performing an additional internal search,
with subtree scope, using the specified baseDN and a filter of the form
.BR (&(objectClass=<targetOC>)(<targetattr>=xxx)) .


.SH EXAMPLE
This example configures the
.B adremap
overlay to map all
.B uid
attributes to lowercase, and create
.B memberUid
values for group entries. The mapping will turn requests for posixGroup
entries into requests for groupOfNames entries, and the internal search
will use inetOrgPerson entries under the ou=People,dc=example,dc=com subtree.

Add the following to
.BR slapd.conf (5):

.LP
.nf
    database <database>
    # ...

    overlay adremap
    adremap-downcase uid
    adremap-dnmap member uid memberUid groupOfNames posixGroup inetOrgPerson ou=people,dc=example,dc=com
.fi
.LP
.B slapd
must also load
.B adremap.la
if compiled as a run-time module.
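.LP
The following Python model is an added illustration, not part of the overlay's
source: it applies the response-side mappings and the filter rewrite from the
configuration above to a constructed in-memory directory. The function names,
the sample entries, the simplified DN comparison and the handling of a failed
internal search are assumptions.
.nf
```python
# Added model of the adremap mappings described above; not the overlay's C code.
import re

# Values from the EXAMPLE: adremap-downcase uid, and adremap-dnmap
# member uid memberUid groupOfNames posixGroup inetOrgPerson <baseDN>
DOWNCASE = {"uid"}
DNATTR, TARGETATTR, NEWATTR = "member", "uid", "memberUid"
REMOTE_OC, LOCAL_OC, TARGET_OC = "groupOfNames", "posixGroup", "inetOrgPerson"
BASE_DN = "ou=people,dc=example,dc=com"

# Constructed sample directory (DN -> attributes); not real data.
DIRECTORY = {
    "CN=John Doe,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["JDoe"]},
    "CN=Ann Roe,ou=people,dc=example,dc=com":
        {"objectClass": ["inetOrgPerson"], "uid": ["ARoe"]},
    "cn=admins,ou=groups,dc=example,dc=com":
        {"objectClass": ["groupOfNames"],
         "member": ["CN=John Doe,ou=people,dc=example,dc=com",
                    "CN=Ann Roe,ou=people,dc=example,dc=com"]},
}

def remap_entry(entry):
    """Response side: derive <newattr> from <dnattr>, then lowercase."""
    out = {attr: list(vals) for attr, vals in entry.items()}
    for dn in entry.get(DNATTR, []):
        target = DIRECTORY.get(dn, {})          # dereference the DN value
        out.setdefault(NEWATTR, []).extend(target.get(TARGETATTR, []))
    # Assumption: only attributes named by adremap-downcase are lowercased, so
    # derived memberUid values keep their stored case unless also listed.
    return {a: [v.lower() for v in vals] if a in DOWNCASE else vals
            for a, vals in out.items()}

def rewrite_filter(flt):
    """Request side: (&(objectClass=<localOC>)(<newattr>=x)) to remote form."""
    pattern = "[(]&[(]objectClass=%s[)][(]%s=([^()*]+)[)][)]" % (LOCAL_OC, NEWATTR)
    m = re.fullmatch(pattern, flt)
    if not m:
        return flt                              # other filters pass through
    # Internal subtree search under baseDN with the filter
    # (&(objectClass=<targetOC>)(<targetattr>=x)); DN comparison is simplified.
    for dn, attrs in DIRECTORY.items():
        names = [v.lower() for v in attrs.get(TARGETATTR, [])]
        if (dn.lower().endswith("," + BASE_DN.lower())
                and TARGET_OC in attrs.get("objectClass", [])
                and m.group(1).lower() in names):
            return "(&(objectClass=%s)(%s=%s))" % (REMOTE_OC, DNATTR, dn)
    return flt                                  # assumption: no match, unchanged
```
.fi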

.SH FILES
.TP
ETCDIR/slapd.conf
default slapd configuration file
.SH SEE ALSO
.BR slapd.conf (5),
.BR slapd (8).
The
.BR slapo-adremap (5)
overlay supports dynamic configuration via
.BR back-config.
.SH ACKNOWLEDGEMENTS
.P
This module was written in 2015 by Howard Chu.