[Date Prev][Date Next] [Chronological] [Thread] [Top]

RE: [Fwd: sUffixAlias]

> -----Original Message-----
> From: ando@core2.bci.it [mailto:ando@core2.bci.it]On Behalf Of
> Pierangelo Masarati

> To avoid excessive implementation overhead I'm thinking about
> handling such
> feature at the slapd level, i.e. right before sending any search
> result, so
> any backend
> would allow it. I'm still trying to figure out how to handle
> add/modify/delete
> stuff.
> All of this should be done only in case the masquerading is intentionally
> switched
> on, otherwise it is likely to add undesirable overhead.

I think you misunderstood part of my meaning. In my implementation, the LDAP
proxy performs all DN translation. It acts as an LDAP client of the target
directory. The target directory does nothing special with any requests or
responses. The proxy code collects responses and massages them, then relays
them back to the ultimate caller. In our nested hierarchy, the client can
be another proxy from yet another level up the tree, and so on ad nauseum.

As such, there is no overhead imposed on regular backends that are contacted
directly by arbitrary LDAP clients. The DN translation only occurs when
someone contacts the proxy. Add/Modify/Delete is not much different from
search, in all cases you must walk through all attributes of requests and
responses to look for DNs to rewrite. Search is actually more complicated
because we use a thread pool to spawn searches over multiple subordinate
servers in parallel. All other requests are pretty simple since they only
affect a single target. (Sometimes this restriction is annoying, but there
are hacks around that too...)

I was going to submit this back-ldap change to the main tree but we have
licensing decisions to resolve within Symas still. We consider this a still
novel feature, with pending patent. I personally think it's useful enough
that someone else will duplicate our work, and then we'll be stuck on the
nonstandard side of the fence. sigh... Anyway, if you go ahead and write
this code and submit it back to OpenLDAP, it will all be a moot point. Go
for it...