
Re: LDAP proxy with features



> Hello. A few months ago I tried setting up an OpenLDAP server to:
>
> 1. Act as a proxy to several other LDAP servers.
> 2. Accept LDAP requests and convert them to LDAPS requests before going
> to backend servers.
> 3. Allow attribute mapping for specific attributes to certain backend
> directories.
>
> I was running OpenLDAP 2.2 and had points 2 and 3 working great but
> point 1 was a problem because many of the other LDAP attributes didn't
> pass through the proxy.
>
> This week I started looking into this again and saw a posting to the
> list from a user who said that OpenLDAP 2.3 resolves this issue. I
> upgraded and yes, the proxying of attributes to the backend server issue
> was resolved. Unfortunately points 2 and 3 were broken.

I'd restate this as "I was unable to make them work"; the code, as far as
my intensive recent testing is concerned, is fully functional.  In fact, your
configuration looks broken in a few points.

>
> I installed the FreeBSD port using the command:
>
> make CONFIGURE_ARGS="--enable-ldap=yes --enable-meta=yes
> --enable-rewrite=yes --enable-rwm=yes --with-tls=openssl" install clean
>
> My slapd.conf file contains:
>
> database        ldap
> lastmod         off
> suffix          "DC=university,DC=edu"
> directory       /var/db/openldap-data
> rwm-map attribute displayName cn
> uri             "ldap://193.18.49.200 ldap://193.18.49.201 ldap://193.18.49.202";
>
> When I change the uri to point to protocols ldaps (e.g.
> ldaps://193.18.49.200) the proxy breaks. Also, I used to have "map
> attribute displayName cn" working but now the configuration appears to
> be rwm-map but that is not working.
>
> Are my install options correct for LDAPS? Is a proxy conversion from
> LDAP to LDAPS still possible?

Yes, as per the documentation in slapd.conf(5), ldap.conf(5) and
slapd-ldap(5).  In detail, the proxy (back-ldap) uses the libldap
client library as a client, and thus its configuration, specifically with
respect to TLS, should follow the directives in ldap.conf(5).  I suspect
you took the malfunction as broken code and didn't investigate
the real reason for the misbehaviour, which is 99% likely to be related to
misconfiguration.

>
> Am I using the map attribute options correctly?

No.

> If not, what is the
> correct way?

The slapo-rwm(5) overlay requires explicit instantiation by "overlay rwm";
otherwise, the rwm-map directive is likely to result in a warning.

>
> I appreciate any help that the community has to offer. If I need to
> provide any more info please let me know. Thanks.

In general, moving between minor version numbers requires re-reading
the documentation, because things happen to change, and most of the time they
improve.  Otherwise there would be no reason to have 2.3; we'd still be
playing with 2.0.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it



Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
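To put the two corrections from the reply side by side (the rwm overlay must be instantiated before rwm-map does anything, and back-ldap's TLS client settings come from ldap.conf(5), not from slapd.conf server directives), here is a configuration fragment written for this page as an added example. It is not the poster's file and not OpenLDAP's own documentation. The backend hostnames, the CA file path and the FreeBSD-port ldap.conf location are assumptions; substitute your own.

```conf
# --- slapd.conf (the proxy) ---
# Added example, not the poster's or the OpenLDAP project's own config.
# "overlay rwm" is the line the quoted config was missing: rwm-map is a
# slapo-rwm(5) directive and is only a warning without the overlay.

database        ldap
suffix          "dc=university,dc=edu"
lastmod         off
# ldaps:// instead of ldap://: back-ldap opens TLS to each backend.
# Hostnames are assumed; with TLS_REQCERT demand (below) they must
# match the names in the backends' certificates, which IP literals
# usually will not.
uri             "ldaps://ldap1.university.edu ldaps://ldap2.university.edu ldaps://ldap3.university.edu"
# No "directory" line: back-ldap keeps no local database.

overlay         rwm
# rwm-map attribute <local name> <foreign name>:
# clients use displayName, the backends see cn.
rwm-map         attribute displayName cn

# --- ldap.conf (libldap client defaults, read by the slapd process) ---
# Path assumed for the FreeBSD port: /usr/local/etc/openldap/ldap.conf
# slapd's outbound TLS trust comes from these ldap.conf(5) settings,
# not from the TLSCACertificateFile server-side directive in slapd.conf.
TLS_CACERT      /usr/local/etc/openldap/cacerts/backend-ca.pem
TLS_REQCERT     demand
```

Check the syntax with `slaptest -f <path to slapd.conf>`, then query the proxy over plain LDAP, e.g. `ldapsearch -x -H ldap://proxyhost -b "dc=university,dc=edu" displayName`, and confirm on a backend (tcpdump on port 636, or its access log) that the connection arrived as LDAPS. If the proxy refuses to talk to a backend, the first suspects are a CA file that does not sign the backend certificate and a URI hostname that does not match it; relaxing TLS_REQCERT to `allow` or `never` makes the error go away by turning off server authentication, which defeats the purpose of converting LDAP to LDAPS in the first place.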