I'm currently setting up slapd as a proxy and facing a challenge with rewriting LDAP attributes. I'm aware of the rewrite module (rwm) capability for DNs, but I need to apply similar functionality to LDAP attributes.
Context: Our user IDs are structured with a prefix of one or two non-essential letters followed by 8-9 important digits. My goal is to strip these letters and utilize the remaining digits to assign POSIX user/group IDs through nslcd/sssd. Unfortunately, modifications on the original LDAP server are not an option as the admins are not open to changes.
Problem: Despite several days of research and trials, including consulting resources and using ChatGPT, I've only succeeded in rewriting the DNs. I am looking to understand whether it's possible to use the rewrite functionality for attributes other than DNs and, if so, how to achieve this.
Attempts:
I have tried using both database map and ldap with the rwm overlay to manipulate attributes. My configurations have only successfully rewritten DNs but not other attributes.
Example of last try:
...
moduleload back_ldap
moduleload back_meta
database meta
...
rebind-as-user true
rewriteEngine on
rewriteContext searchResult
rewriteRule "^(uid=[a-zA-Z]*)([0-9]*)(,.*)$" "$1$2$3,posixUID=$2" ":@"
Questions:
- Is it possible to rewrite LDAP attributes using the rwm in slapd?
- If yes, how can I configure this to strip specific characters from the user ID attributes and retain the digits?
Any guidance or examples would be greatly appreciated. Thank you!
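Added example (not from the question or from OpenLDAP): the transformation the question describes, done in Python, together with the check a practitioner would want before assigning POSIX IDs this way. Because the letter prefix is discarded, two distinct directory accounts can map to the same uidNumber, so the mapping should be checked for collisions over the whole directory first. It assumes the uid shape exactly as described (one or two letters, then 8 or 9 digits); the sample entries are constructed.

```python
import re
from collections import defaultdict

# User ID shape as described in the question: one or two letters that carry
# no meaning, followed by 8 or 9 significant digits (assumption: nothing else).
UID_PATTERN = re.compile(r"^([A-Za-z]{1,2})([0-9]{8,9})$")


def posix_id_from_uid(uid: str) -> int:
    """Strip the letter prefix and return the digits as a POSIX uid/gid number.

    Anything that does not match the expected shape raises ValueError, so an
    unexpected account name is rejected instead of silently getting some number.
    """
    m = UID_PATTERN.match(uid)
    if m is None:
        raise ValueError(f"uid {uid!r} does not match <1-2 letters><8-9 digits>")
    number = int(m.group(2))
    # uidNumber/gidNumber are 32-bit on Linux; nine digits always fit, but the
    # range check stays explicit in case the ID format ever changes.
    if not 1 <= number <= 0xFFFFFFFE:
        raise ValueError(f"derived id {number} is outside the usable uid range")
    return number


def find_collisions(uids):
    """Return {posix_id: [uid, ...]} for every number that more than one uid maps to.

    'ab123456789' and 'c123456789' differ only in the discarded prefix, so they
    would receive the same POSIX identity (and therefore the same file ownership
    and group membership) unless caught here.
    """
    groups = defaultdict(list)
    for uid in uids:
        groups[posix_id_from_uid(uid)].append(uid)
    return {n: names for n, names in groups.items() if len(names) > 1}


# Constructed sample directory entries (not real accounts).
SAMPLE_UIDS = ["ab123456789", "c123456789", "x98765432", "zz10000001"]

if __name__ == "__main__":
    for uid in SAMPLE_UIDS:
        print(uid, "->", posix_id_from_uid(uid))
    print("collisions:", find_collisions(SAMPLE_UIDS))
```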
From Howard Chu, one of the OpenLDAP developers, in a message back in 2014:
It seems pretty clear that the rwm module won't do what you want.