
RE: back-ldap: proxying legacy apps to legacy or V3 servers



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
> Masarati

This was always one of those nagging details that I never addressed properly.
In the current implementation, the proxy connection is always established using
the same protocol that the incoming request uses. Clearly the protocol version
should be configured based on what the destination server supports.
Besides just adding a config keyword for this though, back-ldap would then need
to perform character set translation for T.61 <-> UTF-8, which will not always
succeed. So, it's been left as an exercise for someone more ambitious.

> "Randall S. Winchester" wrote:
> >
> > I would like to use back-ldap as a proxy from an application that is
> > compiled against openldap-1.x. I would like to support backend LDAP
> > servers that are either openldap-1.x or newer LDAP-V3. The
> > authentication may be either simple or one of the various SASL or
> > other LDAP-V3 methods of authentication.
> >
> > While I can use "ldapsearch -x -h remotehost" to get legacy behaviour,
> > I do not see that there is a way to do the same with back-ldap.
> >
> > i.e. when I try "ldapsearch -x -h 127.0.0.1" I always get failures,
> > with or without SASL support compiled in.
> >
> > It looks like it needs some of the same "connection/security" options
> > as "replica" support in the slapd.conf file.
> >
> > I want the "localhost LDAP applications" to always talk via simple
> > auth to the "localhost LDAP proxy". It should then be up to the
> > slapd.conf file to tell OpenLDAP/back-ldap how to communicate with the
> > remote LDAP server. Eventually (next release...) I would like the
> > "localhost LDAP applications" to use ldapi:// via simple auth as well,
> > but still with the OpenLDAP back-ldap proxy as the "mediator" to the
> > remote LDAP servers.
> >
> > Am I missing something? I can not find any way to change what it thinks
> > it is doing...
> >
> > The same would apply to back-meta of course, but I can get by with
> > back-ldap until back-meta gets released.
>
> As I replied in a private posting, you added the "DN" part to the "URI"
> parameter when configuring back-ldap; this resulted in ldap_url_parselist
> splitting your URI in two, with the "dc=com" part being an illegal URI.
>
> Let me reply publicly to leave a record of this subtle configuration issue;
> there would have been no problem if the URI had been URL-encoded.
>
> Pierangelo.
>
> --
> Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
> Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
> Politecnico di Milano                 |
> mailto:pierangelo.masarati@polimi.it
> via La Masa 34, 20156 Milano, Italy   |
> http://www.aero.polimi.it/~masarati
>

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
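
The configuration pitfall Pierangelo points out above, as an added example
(this is not code from the thread, nor from OpenLDAP itself): a small Python
checker that splits a slapd.conf "uri" value the way the list parser does
and validates each piece, so a DN with a bare comma or space is rejected
before slapd ever sees it, and a helper that percent-encodes the base DN so
the URI survives the split. The separator set (comma and space, modelled on
ldap_url_parselist) is an assumption about the library; the hostnames and
DNs are made up for the example.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Assumption: the back-ldap "uri" value is split on commas and spaces, as
# ldap_url_parselist() does. Adjust SEPARATORS if your libldap differs.
SEPARATORS = re.compile(r"[ ,]+")
ALLOWED_SCHEMES = {"ldap", "ldaps", "ldapi"}


def split_uri_list(value):
    """Split a slapd.conf 'uri' value into tokens the way the list parser would."""
    return [tok for tok in SEPARATORS.split(value.strip()) if tok]


def parse_ldap_uri(token):
    """Parse one token; raise ValueError if it is not a usable LDAP URI."""
    parts = urlsplit(token)
    if parts.scheme not in ALLOWED_SCHEMES:
        # This is exactly what happens to "dc=com" after an unencoded DN is split.
        raise ValueError(
            f"illegal URI {token!r}: no LDAP scheme "
            "(did a comma or space in the DN split the list?)"
        )
    if parts.scheme != "ldapi" and not parts.hostname:
        raise ValueError(f"illegal URI {token!r}: missing host")
    # The base DN is the first path component, percent-decoded.
    path = parts.path.lstrip("/")
    base_dn = unquote(path.split("/", 1)[0]) if path else ""
    return {
        "scheme": parts.scheme,
        "host": parts.hostname or "",
        "port": parts.port,
        "base_dn": base_dn,
    }


def check_uri_value(value):
    """Validate a whole 'uri' value; return the parsed servers or raise ValueError."""
    tokens = split_uri_list(value)
    if not tokens:
        raise ValueError("empty uri value")
    return [parse_ldap_uri(tok) for tok in tokens]


def encode_base_dn(dn):
    """Percent-encode a DN so its commas and spaces survive list splitting.

    '=' is left alone because it is harmless in a URI path; ',' and ' '
    become %2C and %20.
    """
    return quote(dn, safe="=")


def build_uri(scheme, host, base_dn="", port=None):
    """Build a back-ldap URI with a safely encoded base DN."""
    netloc = host if port is None else f"{host}:{port}"
    path = "/" + encode_base_dn(base_dn) if base_dn else ""
    return f"{scheme}://{netloc}{path}"


if __name__ == "__main__":
    # Constructed example: the shape of the URI that tripped back-ldap.
    broken = "ldap://ldap.example.com/dc=example, dc=com"
    try:
        check_uri_value(broken)
    except ValueError as err:
        print("rejected:", err)

    fixed = build_uri("ldap", "ldap.example.com", "dc=example,dc=com")
    print("use this in slapd.conf:", fixed)
    print("parsed as:", check_uri_value(fixed))
```

Running the script shows the unencoded form being cut into two tokens, the
second of which ("dc=com") has no scheme and is refused, while the encoded
form "ldap://ldap.example.com/dc=example%2Cdc=com" parses as a single server
whose base DN decodes back to "dc=example,dc=com". The same check is worth
running over any "uri" line that lists several servers, since one bad token
poisons the whole list.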