[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: rwm/relay and ldapwhoami



Thank you Pierangelo,

the fact whoami is an exop makes it all clear. I am glad this is correct and not bad config on my part :)

Cheers

Tim

Pierangelo Masarati <masarati@aero.polimi.it> wrote:

OK - must be missing something really basic - and I am new to LDAP...

I have a server (ldapmaster) that serves

dc=new,dc=example,dc=com

and a seperate server, ldaplegacy, that uses slapd-ldap + rwm to
proxy-translate requests aimed at:

dc=old,dc=example,dc=com


So:

ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/

returns
...
# me, people, old.example.com
dn: uid=me,ou=people,dc=old,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
...

nice - exactly as expected.

But

ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H
ldap://ldaplegacy/

returns (after successful bind)

dn:uid=me,ou=people,dc=new,dc=example,dc=com


Why doesn't the DN get translated?


The config section that's relevant on ldaplegacy is:

slapd.conf
###############################
...
database relay
suffix "dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
...
###############################


I thought I needed more magic to translate the replies, but that *looks*
like it is happening with ldapsearch???

There are two good reasons:

1) what you get back is the *real* identity, i.e. the unmapped one.

2) whoami is an extended operation. The fact that its "payload" is a DN
is not known to slapo-rwm, as this is an extension of the protocol. Since
whoami is now part of the standard, slapo-rwm could know about it (patches
are welcome); in any case, I think point (1) still applies; assuming the
behavior your desire is legitimate, whether it takes place or not should
be at least configurable, as there are many good reasons for (1) to be
available.

p.

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.