
Re: Rewriting entry dns



PHILIP LEMBO wrote:
> We have a Sun Directory 5.x whose DIT has entry dn's in the format
>
> "uid=xxxxxxx,ou=people,l=region,dc=example,dc=com"
>
> with "region" being the name of each of 4 continents (north america,
> south america, asia, europe).
>
> What I'd like to do is use the OpenLDAP meta backend to rewrite those
> dns so that searches against the OpenLDAP server return these dns in the
> format
>
> "uid=xxxxxxx,ou=people,dc=example,dc=com"
>
> The OpenLDAP server was built with --enable-overlays, as well as
> --enable-meta and --enable-ldap, in addition to the defaults.
>
> I've looked over the doc for slapd-meta, slapd-ldap, slapo-rwm and
> slapo-glue, as well as the configs in the distribution test scripts,
> without coming up with a working slapd.conf to accomplish this.
>
> Questions: (1) is this possible with any released version of OpenLDAP?;
> (2) If so, does anyone have a working example of a config that they
> could post here?

It is possible if your Sun Directory allows you to search for "dc=example,dc=com". In that case, you should use something like:


database ldap
suffix "dc=example,dc=com"
uri "ldap://remote/"

overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext default
# Strip the "l=<region>" RDN from the DN of every entry returned by a search;
# "$1" carries whatever preceded it (e.g. "uid=xxxxxxx,ou=people,").
rwm-rewriteContext searchEntryDN
rwm-rewriteRule "(.+,)?l=[^,]+,dc=example,dc=com"
		"$1dc=example,dc=com" ":@"
# Apply the same rewrite to DN-valued attributes, matchedDN and referrals.
rwm-rewriteContext searchAttrDN alias searchEntryDN
rwm-rewriteContext matchedDN alias searchEntryDN
rwm-rewriteContext referralDN alias searchEntryDN

This configuration suffers from a number of problems:

1) you'll get 5 entries whose dn is "dc=example,dc=com", since those with dn "l=something,dc=example,dc=com" will have the "l=something" part stripped.

2) you'll get 4 entries whose dn is "ou=People,dc=example,dc=com" for the same reason above

3) you'll get other duplicate entries if entries with the same dn, except for the "l=something" part, exist

4) you won't be able to access entries directly, because any entry whose dn looks like "<whatever>,dc=example,dc=com" would need to be expanded to "<whatever>,l=something,dc=example,dc=com", which is obviously impossible.

p.


Ing. Pierangelo Masarati OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
-----------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Fax:     +39 0382 476497
Email:   ando@sys-net.it
-----------------------------------
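The four problems listed above can be made concrete by applying the same pattern and substitution as the rwm-rewriteRule to a small set of DNs. The following is an added example, not part of the original message and not OpenLDAP code: it simulates the searchEntryDN rewrite in Python over a constructed miniature of the DIT described in the question (the base, four "l=<region>" entries, an "ou=people" under each, and a few "uid=" entries, including one uid that exists in two regions). Entry names are made up. It counts which rewritten DNs collide (problems 1 to 3) and shows why a client-side DN cannot be expanded back to a single remote DN (problem 4).

```python
import re
from collections import defaultdict

BASE = "dc=example,dc=com"
REGIONS = ["north america", "south america", "asia", "europe"]

# Constructed sample of the remote DIT (made-up entries, not real data):
# the base, one l=<region> per continent, ou=people under each region,
# and a handful of users. "carol" deliberately exists in two regions.
REMOTE_DIT = [BASE]
for _region in REGIONS:
    REMOTE_DIT.append(f"l={_region},{BASE}")
    REMOTE_DIT.append(f"ou=people,l={_region},{BASE}")
REMOTE_DIT += [
    f"uid=alice,ou=people,l=europe,{BASE}",
    f"uid=bob,ou=people,l=asia,{BASE}",
    f"uid=carol,ou=people,l=europe,{BASE}",
    f"uid=carol,ou=people,l=north america,{BASE}",
]

# Same pattern as the rwm-rewriteRule in the config above; the substitution
# "$1dc=example,dc=com" becomes group(1) + BASE (group(1) may be absent).
RULE = re.compile(r"(.+,)?l=[^,]+,dc=example,dc=com")


def rewrite_entry_dn(dn):
    """Strip the l=<region> RDN the way the searchEntryDN rule does."""
    return RULE.sub(lambda m: (m.group(1) or "") + BASE, dn)


def rewritten_view(dit=REMOTE_DIT):
    """Map each rewritten (client-visible) DN to the real DNs producing it."""
    view = defaultdict(list)
    for dn in dit:
        view[rewrite_entry_dn(dn)].append(dn)
    return dict(view)


def collisions(dit=REMOTE_DIT):
    """Client-visible DNs that more than one remote entry maps to.

    With the sample DIT this exposes problems 1-3 from the message:
    5 x "dc=example,dc=com", 4 x "ou=people,dc=example,dc=com" and
    2 x "uid=carol,ou=people,dc=example,dc=com".
    """
    return {dn: real for dn, real in rewritten_view(dit).items() if len(real) > 1}


def expand_request_dn(client_dn, dit=REMOTE_DIT, regions=REGIONS):
    """Problem 4: try to invert the rewrite for a DN a client sends us.

    The only thing a reverse rule could do is guess a region, so we list
    every "<prefix>l=<region>,dc=example,dc=com" candidate that exists.
    Zero or several hits means the DN cannot be resolved unambiguously.
    """
    suffix = "," + BASE
    if not client_dn.endswith(suffix):
        return []
    prefix = client_dn[: -len(BASE)]  # keeps the trailing comma
    candidates = [f"{prefix}l={r},{BASE}" for r in regions]
    return [c for c in candidates if c in dit]


if __name__ == "__main__":
    for visible, real in sorted(collisions().items()):
        print(f"{len(real)} entries collide on {visible!r}: {real}")
    for dn in (f"uid=alice,ou=people,{BASE}", f"uid=carol,ou=people,{BASE}"):
        print(f"{dn!r} could be any of {expand_request_dn(dn)}")
```

Running it prints the collisions on the base and on "ou=people", plus the two candidates for "uid=carol": the forward rewrite is lossy, so no rewriteRule in the opposite direction (for example in the bindDN or searchDN contexts) can recover the region that was stripped.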