
Re: rewrite searchDN based on filter



Finn Blucher wrote:
> I know this was discussed recently but there didn't seem to be a real
> answer so I'd like to kick it off again.
> 
> I would like to be able to redirect user searches to two different LDAP
> servers depending on UID, so:
> 
> if a process searches for userA with a base of o=container, then the
> request is sent to ldap://10.0.0.1/ou=subA,o=container; if a process
> searches for userB with a base of o=container, then the request is
> sent to ldap://10.0.0.2/ou=subB,o=container
> 
> I'd appreciate any information relating to whether I should be using
> the ldap or meta backend to achieve this. Mostly I'm having trouble
> understanding the best way to rewrite the searchDN based on the
> contents of the searchFilter.

Yes, this was already answered, and no, the searchDN can't be rewritten
based on the contents of the searchFilter, unless you use multiple
instances of slapo-rwm (don't know if it's allowed nor if it works,
though; it shouldn't with OpenLDAP 2.3, but it might with OpenLDAP 2.4).

In any case, apart from some special cases, I don't believe it's a good
idea: assuming you have some easy means to group UIDs (e.g. name@domain,
distinguishing them by domain) and a rule like

	uid := name@domain1 => ask database 1
	uid := name@domain2 => ask database 2

or even

	uid := name@domain(.+) => ask database $1

how would you distinguish between filters like

	"(uid=name@domain)"

and

	"(&(filter)(!(uid=name@domain)))"

?

My point is that you will quickly end up with the need of something much
smarter than a regex-based pattern/action tool.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------
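As an added illustration of the point made in this reply (example code written here, not part of the thread or of OpenLDAP), the following compares a regex-only pattern/action rule with a structural parse of the search filter. The regex sees the two filters quoted above as equivalent and routes both to database 1; the parse shows that the negated form guarantees nothing about uid and so cannot be routed. The parser goes a little beyond the two quoted filters and handles and/or/not nesting generally. The RFC 4515 subset supported, the `name@domainN` naming convention and the sample filters are assumptions for the example.

```python
import re

# Constructed sample filters: the thread's two examples, with the "(filter)"
# placeholder replaced by a concrete assertion so the strings parse.
POSITIVE_FILTER = "(uid=name@domain1)"
NEGATED_FILTER = "(&(objectClass=person)(!(uid=name@domain1)))"

# Hypothetical pattern/action rule in the spirit of "uid := name@domain(.+)":
# the captured group names which database to ask.
UID_DOMAIN_RE = re.compile(r"uid=[^@()]+@domain(\d+)")


def route_by_regex(filter_str):
    """Regex-only routing: the first uid=name@domainN found picks database N.
    It cannot tell whether the assertion is negated."""
    m = UID_DOMAIN_RE.search(filter_str)
    return m.group(1) if m else None


def parse_filter(s):
    """Parse a small subset of RFC 4515 string filters into a tree of
    ('and', [children]), ('or', [children]), ('not', child), ('eq', attr, value).
    Substrings, extensible matches and escapes are not handled (assumption)."""
    pos = 0

    def node():
        nonlocal pos
        if pos >= len(s) or s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = s[pos]
        if op in "&|":
            pos += 1
            children = []
            while pos < len(s) and s[pos] == "(":
                children.append(node())
            result = ("and" if op == "&" else "or", children)
        elif op == "!":
            pos += 1
            result = ("not", node())
        else:
            end = s.index(")", pos)
            attr, _, value = s[pos:end].partition("=")
            pos = end
            result = ("eq", attr.lower(), value)
        if pos >= len(s) or s[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return result

    tree = node()
    if pos != len(s):
        raise ValueError("trailing data after filter")
    return tree


def required_domain(tree):
    """Return the domain number N that every entry matching this filter must
    carry in its uid, or None when the filter does not guarantee one.
    Only positive (non-negated) uid assertions count."""
    kind = tree[0]
    if kind == "eq":
        attr, value = tree[1], tree[2]
        m = re.fullmatch(r"[^@]+@domain(\d+)", value) if attr == "uid" else None
        return m.group(1) if m else None
    if kind == "not":
        return None  # a negated constraint requires nothing of the uid
    if kind == "and":
        # a conjunction inherits any single domain its terms require;
        # two different domains would be contradictory, so route nowhere
        found = {d for d in map(required_domain, tree[1]) if d is not None}
        return found.pop() if len(found) == 1 else None
    if kind == "or":
        # a disjunction only pins the domain if every branch pins the same one
        found = {required_domain(child) for child in tree[1]}
        return found.pop() if len(found) == 1 and None not in found else None
    raise ValueError(f"unknown node kind {kind}")


def route_by_parse(filter_str):
    """Structural routing: route only when the filter really pins the uid domain."""
    return required_domain(parse_filter(filter_str))


if __name__ == "__main__":
    for f in (POSITIVE_FILTER, NEGATED_FILTER):
        print(f"{f}: regex -> {route_by_regex(f)}, parsed -> {route_by_parse(f)}")
```

Even this structural version only decides the cases where a single database can satisfy the whole filter; a filter that pins no domain, or mixes two, still has to go to both backends (or be rejected), which is what the reply means by needing something smarter than a pattern/action tool.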