[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: modify dn while replication

Pierangelo Masarati wrote:

what do you mean by <uid>, what should I put in <uid> ? I blindly copied
the example and obviously had an error while starting the proxy

line 154 (updatedn "cn=replicator-<uid>,ou=people,dc=int-evry,dc=fr")
/etc/openldap/slapd_proxy.conf: line 154: updatedn DN is invalid
slapd stopped.



I mean: updatedn as it would appear AFTER
it is rewritten by the rule you wrote
in the rewrite section, e.g.

rewriteMap  ldap uidMap "ldap:///ou=People,dc=int-evry,dc=fr?uid?one";
rewriteRule "^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"



OK, I definitly need to understand the rewrite rules ! beacause actually I don't really understand the one you sent me :-( , I've just notice from my first test that dn: uid=maisel,ou=people,dc=int-evry,dc=fr was rewritten (seen from logs !) to dn: uid=maisel-maisel,ou=people,dc=int-evry,dc=fr, which isn't really what I wanted:

I would like to replicate to a slave, but I need to change the dn.
Here's a typical dn from the master:
dn: uid=test,ou=People,dc=int-evry,dc=fr

The slave should receive dn like this:
dn: uid=test-ei0205,ou=People,dc=int-evry,dc=fr

the "ei0205" appended here comming from the test user entry attribute:
IntEPersUserPTM: ei0205

Anyway, I'am far from this now ... , I just want to succeed in rewriting "something" a least :-)
So again I blindly set my updatedn to:

updatedn  "cn=replicator-replicator,ou=people,dc=int-evry,dc=fr"

Now while adding my new entry , logs on on proxy says:

Feb 19 16:22:50 corbeau slapd[9136]: conn=0 op=2 ADD dn="uid=maisel,ou=People,dc=int-evry,dc=fr"
Feb 19 16:22:50 corbeau slapd[9136]: conn=0 op=2 RESULT tag=105 err=53 text=referral missing

either my upadtedn is wrong, or I'am facing a new pb ? just let me know which way to go , change the rewrite rule, understand rewrite rules ! by the way, is there a way to test rules directly ( shell script or ...) for debug purpose ?, or thing are OK now for rewrite rules, I 'am just facing a new problem ?

Thank again, a lot ! I promise I'll write somthing,  when it'll work ....

what is done to avoid stripping the operational
attributes from the entry is to check if
the bound DN is equal to the updatedn; but
the bound DN definitely passes thru the rewrite
rules, because they're the default rules so they
apply to any operation including bind, so, at
least for this very purpose, you need to provide
the updatedn in the slapd.conf as it would appear
after passing thru bind and thus rewriting.

p.



If this is not the case, I'll dig further.

p.






OK, i've move to the rewrite stuff ! unfortunatly I get new problems .
Here I test with  adding a new entry (user maisel)
$ ldapadd -f maisel.ldif -h localhost -D "cn=admin,dc=int-evry,dc=fr"
-x  -W -p
389
Enter LDAP Password:
adding new entry "uid=maisel,ou=People,dc=int-evry,dc=fr"

Logs on the proxy server

Feb 19 13:27:21 corbeau slapd[7260]: conn=0 op=0 BIND
dn="cn=replicator,ou=people,dc=int-evry,dc=fr" mech=simple ssf=0 Feb
19 13:27:21 corbeau slapd[7260]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 19 13:27:21 corbeau slapd[7260]: conn=0 op=1 ADD
dn="uid=maisel,ou=People,dc=int-evry,dc=fr"
Feb 19 13:27:22 corbeau slapd[7260]: conn=0 op=1 RESULT tag=105 err=80
text=no structuralObjectClass operational attribute

Logs on the slave:
Feb 19 13:27:21 corbeau slapd[7278]: conn=0 op=0 BIND
dn="cn=replicator,ou=people,dc=int-evry,dc=fr" mech=simple ssf=0 Feb
19 13:27:21 corbeau slapd[7278]: conn=0 op=0 RESULT tag=97 err=0 text=
Feb 19 13:27:22 corbeau slapd[7278]: conn=0 op=1 ADD
dn="uid=maisel-maisel,ou=People,dc=int-evry,dc=fr"
Feb 19 13:27:22 corbeau slapd[7278]: No structuralObjectClass for
entry (uid=maisel-maisel,ou=People,dc=int-evry,dc=fr)
Feb 19 13:27:22 corbeau slapd[7278]: conn=0 op=1 RESULT tag=105 err=80
text=no structuralObjectClass operational attribute

However on the master it does have a structuralObjectClass opreational
attribute; proof :
$ ldapsearch -x uid=maisel -D"cn=admin,dc=int-evry,dc=fr"
-b'ou=people,dc=int-evry,dc=fr' -W -h localhost -p 389 + | grep
structuralObjectClass
Enter LDAP Password:
structuralObjectClass: inetOrgPerson

is this a pb of dn not beeing normalized ? uid=maisel-maisel is
normalized ? should'nt it be also the same value in the dn and in the
attribute uid itself in the entry:
dn: uid=maisel-maisel,ou=People,dc=int-evry,dc=fr
uid: maisel-maisel
so there should be a rewrite rule for the uid atribute itself and not
only for the dn ?

Configurations; slave and proxy replicate only the subtree:
ou=people,dc=int-evry,dc=fr, master suffix is dc=int-evry,dc=fr . I
tested before rewrite stuff , replication worked fine.

Master slapd.conf
replica         host=127.0.0.1:8006
              suffix="ou=people,dc=int-evry,dc=fr"
              binddn="cn=replicator,ou=people,dc=int-evry,dc=fr"
bindmethod=simple   credentials=secret
replogfile      /var/lib/ldap/replica/replogfile

Proxy slapd_proxy.conf
database ldap
suffix          "ou=people,dc=int-evry,dc=fr"
uri             "ldap://127.0.0.1:9006";;
updatedn  "cn=replicator,ou=people,dc=int-evry,dc=fr"
lastmod on
rewriteEngine on
rewriteContext default
binddn cn=admin,ou=people,dc=int-evry,dc=fr
bindpw {crypt}secret
rewriteMap      ldap uidMap
"ldap:///ou=People,dc=int-evry,dc=fr?uid?one"; rewriteRule
"^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"

Slave slapd_slave.conf

database        bdb
suffix          "ou=people,dc=int-evry,dc=fr"
rootdn          "cn=admin,ou=people,dc=int-evry,dc=fr"
rootpw          {crypt}secret
directory       /var/lib/ldap/int_slave
#lastmod off
updatedn        "cn=replicator,ou=people,dc=int-evry,dc=fr"
updateref       "ldap://127.0.0.1:389";

Thanks.





:-(

here's the error message on the proxy server logs:
Feb 16 16:27:23 corbeau slapd[15683]: conn=0 op=1 MOD
dn="uid=test,ou=People,dc=int-evry,dc=fr"
Feb 16 16:27:23 corbeau slapd[15683]: conn=0 op=1 MOD
attr=userPassword homePostalAddress entryCSN modifiersName
modifyTimestamp
Feb 16 16:27:23 corbeau slapd[15683]: conn=0 op=1 RESULT tag=103
err=19 text=entryCSN: no user modification allowed


slapd.conf: (running on localhost port 389)
database        bdb
suffix          "dc=int-evry, dc=fr"
rootdn          "cn=admin, dc=int-evry, dc=fr"
rootpw          secret
directory       /var/lib/ldap/int
replica         host=127.0.0.1:8006
             binddn="cn=replicator,ou=System,dc=int-evry,dc=fr"
bindmethod=simple   credentials=secret
replogfile      /var/lib/ldap/replica/replogfile


slapd_proxy.conf: (running on localhost port 8006)
database ldap
suffix          "dc=int-evry,dc=fr"
uri             "ldap://127.0.0.1:9006";;
lastmod on
binddn cn=admin,dc=int-evry,dc=fr
bindpw secret

slapd_slave.conf: (running on localhost port 9006)

database        bdb
suffix          "dc=int-evry,dc=fr"
rootdn          "cn=admin,dc=int-evry,dc=fr"
rootpw          secret
directory       /var/lib/ldap/int_slave
updatedn        "cn=replicator,ou=System,dc=int-evry,dc=fr"
updateref       "ldap://127.0.0.1:389";

What a I doing wrong ?,

thanks .


Pierangelo Masarati wrote:







Pierangelo Masarati wrote:









It could be possible, but it's going to be rather clumsy;
it depends on whether there's a clear way you can extract
a filtering attribute from the DN, e.g. the "uid=<smtg>"
part, to do:

rewriteMap      ldap uidMap "ldap:///<naming context>?uid?sub"
rewriteRule     "^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"











OK thanks a lot for the example :-), I'll try out, but before one
question, where should I put
these rewrite rules, in the replica section of the master ? this
way :

replica         host=127.0.0.1:9006
            suffix="ou=people,dc=int-evry,dc=fr"

attr!="posixAccount,shadowAccount,loginShell,homeDirectory,uidNumber,gidNumber,gecos"
            binddn="cn=replicator,ou=people,dc=int-evry,dc=fr"
bindmethod=simple   credentials=secret
            rewriteMap      ldap uidMap
"ldap:///ou=People,dc=int-evry,dc=fr?uid?one";
            rewriteRule     "^(uid=[^,]+)(,.*)$$"
"%1-%{uidMap(%1)}%2" ":@I"
replogfile /var/lib/ldap/replica/replogfile

or on a dediceted ldap or meta backend ? sorry for beeing so
ignorant, but it's the first time I play with the rewrite engine !
by the way, I suspect I need a " rewriteEngine on" somewhere, in
slapd.conf ?








Sorry, my answer was incomplete.  Yes, you need to replicate
thru a proxy server, e.g. a server in between the master and
the slave so that

master --> m2s-proxy: uid=test,... ==> uid=test-number,... -->
slave

you need to figure out what you intend to do with referrals






from slave to master; if you need to rewrite as well, then 






you need another proxy to revert the massaging.

slave --> s2m-proxy: uid=test-number,... ==> uid=test,... -->
master

the proxy needs to be a back-ldap compiled with --enable-rewrite,
and needs to be configured with

database ldap
uri ldap://<slave>
lastmod on
rewriteEngine on
rewriteContext default
<rules as in example>

Note:

if the proxy is used also for normal operations,
you'll need to deal with other rewrite contexts,
e.g. searchBase, searchFilter, compareDN,
compareAttrDN if you want any rewriting to occur
in these cases.

you'll also need to deal with searchResults and more,
otherwise they'll be treated with the default rules.
see slapd-meta(5) in the REWRITE section for what
rewrite contexts are active.  otherwise you can add

rewriteContext searchBase
rewriteContext searchFilter
rewriteContext compareDN
rewriteContext compareAttrDN

rewriteContext searchResult
rewriteContext searchAttrDN
rewriteContext matchedDN

if you don't want any rewrite to occur for these
rewrite contexts.

On the contrary, the default rewriting should occur
for any write operation; the default naming context
is picked if you don't specify any.

Note: the "lastmod on" should work since the target
is a replica; it is important wince you want the
replica to be in sync with the master also in terms
of timestamps.

p.