
Re: proxy + backend meta + rewrite



Johann Heymes wrote:
Hello,

Context:

We have 2 directories, 1 Microsoft for domain domain1.fr, 1 Notes for
domain domain2.fr. In reality, we have more domains and 3 directories
but the problem remains the same.


We have an application which can produce only one type of request, like the following: ldapsearch -x -y /tmp/pwdfile -h 127.0.0.1 -D "cn=robot,dc=foo,dc=com" -b "dc=foo,dc=com" "(attributMail=jhe@domain1.fr)"

We planned to use an intelligent LDAP proxy with rewriting
functionality (OpenLDAP with the meta backend and rewrite rules) to be
able to "adapt" the LDAP query to the context (the domain): select the
right directory and use the right attribute name. Moreover, to be able
to query 2 LDAP servers (in a cluster) instead of one for high availability
needs.

But we don't know how to do this, nor even whether it's possible.


We have thought of a slapd.conf configuration like this:
---------------------- backend meta
database meta
suffix "dc=foo,dc=com"
lastmod off
rootdn "cn=robot,dc=foo,dc=com"
rootpw "*****"


uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com"; uri "ldap://ldap2_domain1:389/dc=ad,dc=foo,dc=com";
rewriteEngine on
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw "*****"

uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com"; "ldap://ldap2_domain2:389/dc=notes,dc=foo,dc=com";
rewriteEngine on
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw "*****"
----------------------


So how is it possible to rewrite the search request -b "dc=foo,dc=com"
"(attributMail=jhe@domain1.fr)" to -b "dc=ad,ou=users,dc=foo,dc=com"
"(userPrincipalName=jhe@domain1.fr)"

or the search request -b "dc=foo,dc=com"
"(attributMail=jhe@domain2.fr)" to -b
"dc=notes,ou=Utilisateurs,dc=foo,dc=com" "(mail=jhe@domain2.fr)"

You're not too far from optimal; try

database meta
suffix "dc=foo,dc=com"
rootdn "cn=robot,dc=foo,dc=com"
rootpw "*****"

uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com ldap://ldap2_domain1:389/";
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw "*****"
map attribute attributMail userPrincipalName

uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com ldap://ldap2_domain2:389/";
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw "*****"
map attribute attributMail mail



Note: I have already noticed a problem with the use of unknown attributes,
such as userPrincipalName, by the OpenLDAP proxy.

All you need to do is define that attribute in the local schema. You can grab it from AD by inspecting the schema via LDAP. As far as I remember, schema in AD does not report matching rules; this would prevent slapd from allowing those attrs, for example, in filters. You'll need to invent some appropriate matching rule (at least for EQUALITY) in case you cannot find any specific reference.
Note: Currently I use an openldap package from Ubuntu dapper and
another build from Red Hat EL 4, but if it is necessary to rebuild
from CVS, it's not a problem.

I hope you don't need to rebuild from the CVS! A decent, recent 2.3 version should suffice. Note that, for heavy duty operation, nothing earlier than the latest 2.3 should be used, because 2.3 was specifically strengthened both in the proxy and in the libldap bits.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
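Added example, not part of the thread and not OpenLDAP code: a small Python model of the request and response rewriting that slapd-meta performs with the configuration given in the reply. It uses the suffixes and `map attribute` rules from the thread, and constructed sample entries in place of the real AD and Notes directories (the entry DNs, the `ou=users` / `ou=Utilisateurs` containers and the values are assumptions). It makes explicit two points the reply leaves implicit: a subtree search with base dc=foo,dc=com is fanned out to every target whose naming context lies under that base, each with its own massaged base and mapped filter attribute (the mail domain in the filter plays no part in choosing the target; the directory that holds no matching entry simply returns nothing), and each target's results are mapped back, DN suffix and attribute name, so the application always sees attributMail under dc=foo,dc=com. The filter handling covers only the simple equality form used in the thread.

```python
"""Model of the request/response rewriting slapd-meta performs for the two
targets discussed in the thread.  Illustrative only, not OpenLDAP code."""
import re

# Targets mirroring the slapd.conf in the reply: local naming context,
# suffixmassage destination and the `map attribute` rule for each.
TARGETS = [
    {"name": "ad",                      # Active Directory, domain1.fr
     "local_suffix": "dc=ad,dc=foo,dc=com",
     "remote_suffix": "dc=domain1,dc=fr",
     "attr_map": {"attributMail": "userPrincipalName"}},
    {"name": "notes",                   # Notes directory, domain2.fr
     "local_suffix": "dc=notes,dc=foo,dc=com",
     "remote_suffix": "dc=domain2,dc=fr",
     "attr_map": {"attributMail": "mail"}},
]

# Constructed sample entries standing in for the remote directories
# (assumed containers and values, not real directory contents).
REMOTE_ENTRIES = {
    "ad": [{"dn": "cn=jhe,ou=users,dc=domain1,dc=fr",
            "cn": ["jhe"], "userPrincipalName": ["jhe@domain1.fr"]}],
    "notes": [{"dn": "cn=jhe,ou=Utilisateurs,dc=domain2,dc=fr",
               "cn": ["jhe"], "mail": ["jhe@domain2.fr"]}],
}


def dn_under(dn, suffix):
    """True if dn equals suffix or lies below it (case-insensitive)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def massage(dn, src, dst):
    """suffixmassage: swap the trailing src for dst, keeping the leading RDNs."""
    if not dn_under(dn, src):
        return dn
    return dn[:len(dn) - len(src)] + dst


def rewrite_filter(flt, attr_map):
    """map attribute on a filter: rename each '(attr=' it contains."""
    return re.sub(r"\(([A-Za-z][\w;-]*)=",
                  lambda m: "(" + attr_map.get(m.group(1), m.group(1)) + "=",
                  flt)


def candidate_targets(base):
    """Subtree search: a target is queried when the base is above or below
    its naming context; the filter plays no part in the selection."""
    return [t for t in TARGETS
            if dn_under(t["local_suffix"], base) or dn_under(base, t["local_suffix"])]


def forward(base, flt):
    """Requests the proxy sends: {target name: (remote base, remote filter)}."""
    reqs = {}
    for t in candidate_targets(base):
        if dn_under(base, t["local_suffix"]):
            rbase = massage(base, t["local_suffix"], t["remote_suffix"])
        else:                       # base is above the target: search its root
            rbase = t["remote_suffix"]
        reqs[t["name"]] = (rbase, rewrite_filter(flt, t["attr_map"]))
    return reqs


def backward(target, entry):
    """Map one remote entry back into the proxy's namespace: DN suffix and
    attribute names are reversed so the client sees attributMail again."""
    reverse = {v: k for k, v in target["attr_map"].items()}
    out = {"dn": massage(entry["dn"], target["remote_suffix"], target["local_suffix"])}
    for name, values in entry.items():
        if name != "dn":
            out[reverse.get(name, name)] = values
    return out


def _matches(entry, flt):
    """Evaluate the single equality filter used in the thread."""
    m = re.fullmatch(r"\(([\w;-]+)=([^)]*)\)", flt)
    if m is None:
        return False
    return m.group(2).lower() in [v.lower() for v in entry.get(m.group(1), [])]


def proxy_search(base, flt):
    """Fan the search out, run it against the sample data, merge the results."""
    by_name = {t["name"]: t for t in TARGETS}
    results = []
    for name, (rbase, rflt) in forward(base, flt).items():
        for e in REMOTE_ENTRIES[name]:
            if dn_under(e["dn"], rbase) and _matches(e, rflt):
                results.append(backward(by_name[name], e))
    return results


if __name__ == "__main__":
    for domain in ("domain1.fr", "domain2.fr"):
        flt = "(attributMail=jhe@%s)" % domain
        print(forward("dc=foo,dc=com", flt))
        print(proxy_search("dc=foo,dc=com", flt))
```

Running it shows both targets receiving the domain1.fr search (the Notes side as `(mail=jhe@domain1.fr)`, which matches nothing there) and a single merged result whose DN ends in dc=ad,dc=foo,dc=com and whose attribute is named attributMail again. The real proxy also applies the attribute map to the requested attribute list and to returned entries, which is why the remote attribute must be known to the local schema, as the reply says.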