
RE: OpenLDAP in Production



>> -----Original Message-----
>> From: Voglmaier, Reinhard Erich [mailto:rv33100@GlaxoWellcome.co.uk]
>
>> sounds interesting,
>> is there documentation about the usage around ?
>
> See the man page slapd-ldap(5).
>>
>> what I am looking for is:
>>
>> *	filter attributes out. Example: I don't want that the mobile phone number
>> from server A will be proxied ( just to make an example )
>
> back-ldap attribute mapping handles this. It is documented in the
> manpage. (Though I think it could use some clarification. Suggestions
> welcome.)

You can make it simpler by using ACLs at the proxy side:

access to attrs=mobile
    by * none

access to *
    by * write

Attribute mapping is rather intended for schema consistency purposes,
e.g. to change an attribute name into another of analogous syntax that
is known by the proxy (or to trim unknown schema attrs off).

>
>> *	the client makes a query against the proxy the proxy decides which
>> server to contact, depending for example on the searchbase
>
> Set up multiple back-ldap instances, one for each
> destination/searchbase.

You may also use a proxy with empty suffix "" calling another
server with back-dnssrv for service location purposes based
on RFC2782 DNS SRV with referral chase enabled (we should
definitely integrate these two enabling referral chase in
back-dnssrv).

Ando.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it
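
An added example, not part of the original message: a proxy slapd.conf that combines the two suggestions in this thread, one back-ldap database per search base plus the ACL that hides mobile. The host names, suffixes and schema paths are assumptions made for illustration.

```conf
# Proxy slapd.conf (added example; hosts, suffixes and schema paths are assumed).
# cosine.schema defines the "mobile" attribute named in the ACL below.
include   /etc/openldap/schema/core.schema
include   /etc/openldap/schema/cosine.schema

# Database 1: searches under this base are forwarded to server A.
# Without rewriting, the remote server must hold the same naming context.
database  ldap
suffix    "ou=people,dc=example,dc=com"
uri       "ldap://server-a.example.com/"

# Clauses are evaluated in order and the first matching "access to" wins,
# so the rule hiding mobile has to come before the catch-all.
access to attrs=mobile
    by * none

# Catch-all as given in the message. The remote server still applies
# its own ACLs to whatever the proxy forwards.
access to *
    by * write

# Database 2: a different search base, forwarded to server B.
# ACLs are per database, so mobile is hidden only for server A's data.
database  ldap
suffix    "ou=groups,dc=example,dc=com"
uri       "ldap://server-b.example.com/"

access to *
    by * write
```

The ACL only takes effect for clients that go through the proxy; a client that can reach server A directly still sees whatever server A's own ACLs allow.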