
RE: back-ldap: proxying legacy apps to legacy or V3 servers



Is there not some library routine that the current slapd uses when an
LDAP-V2 client connects to it?

I would think it acceptable for the proxy to only support:

1) LDAP-V2 client <-- LDAP-V2 server
2) LDAP-V3 client <-- LDAP-V3 server
3) LDAP-V2 client <-- LDAP-V3 server supporting LDAP-V2 clients

and not support

4) LDAP-V3 client <-- LDAP-V2 server

Then the only conversion would be for "3)" which I would think is already
supported somehow?

Randall


On Thu, 17 Jan 2002, Howard Chu wrote:

: > -----Original Message-----
: > From: owner-openldap-software@OpenLDAP.org
: > [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Pierangelo
: > Masarati
:
: This was always one of those nagging details that I never addressed properly.
: In the current implementation, the proxy connection is always established using
: the same protocol that the incoming request uses. Clearly the protocol version
: should be configured based on what the destination server supports.
: Besides just adding a config keyword for this though, back-ldap would then need
: to perform character set translation for T.61 <-> UTF-8, which will not always
: succeed. So, it's been left as an exercise for someone more ambitious.
:
: > "Randall S. Winchester" wrote:
: > >
: > > I would like to use back-ldap as a proxy from an application that is
: > > compiled against openldap-1.x. I would like to support backend LDAP
: > > servers that are either openldap-1.x or newer LDAP-V3. The
: > > authentication may be either simple or one of the various SASL or
: > > other LDAP-V3 methods of authentication.
: > >
: > > While I can use "ldapsearch -x -h remotehost" to get legacy behaviour,
: > > I do not see that there is a way to do the same with back-ldap.
: > >
: > > i.e. when I try "ldapsearch -x -h 127.0.0.1" I always get failures,
: > > with or without SASL support compiled in.
: > >
: > > It looks like it needs some of the same "connection/security" options
: > > as "replica" support in the slapd.conf file.
: > >
: > > I want the "localhost LDAP applications" to always talk via simple
: > > auth to the "localhost LDAP proxy". It should then be up to the
: > > slapd.conf file to tell OpenLDAP/back-ldap how to communicate with the
: > > remote LDAP server. Eventually (next release...) I would like the
: > > "localhost LDAP applications" to use ldapi:// via simple auth as well,
: > > but still with the OpenLDAP back-ldap proxy as the "mediator" to the
: > > remote LDAP servers.
: > >
: > > Am I missing something? I cannot find any way to change what it thinks
: > > it is doing...
: > >
: > > The same would apply to back-meta of course, but I can get by with
: > > back-ldap until back-meta gets released.
: >
: > As I replied in a private posting, you added the "DN" part to the "URI"
: > parameter when configuring back-ldap; this resulted in
: > ldap_url_parselist splitting your URI in two, with the "dc=com" part
: > being an illegal URI.
: >
: > Let me reply publicly to leave track of this subtle configuration issue;
: > there would have been no problem if the URI were URLencoded.
: >
: > Pierangelo.
: >
: > --
: > Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
: > Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
: > Politecnico di Milano                 |
: > mailto:pierangelo.masarati@polimi.it
: > via La Masa 34, 20156 Milano, Italy   |
: > http://www.aero.polimi.it/~masarati
: >
:
:   -- Howard Chu
:   Chief Architect, Symas Corp.       Director, Highland Sun
:   http://www.symas.com               http://highlandsun.com/hyc
:   Symas: Premier OpenSource Development and Support
:
:
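
The configuration issue Pierangelo describes above, as an added example that is not part of the original thread or of OpenLDAP's code: a small Python model of how a back-ldap `uri` value with an unencoded DN breaks apart, and how percent-encoding the DN keeps it in one piece. The separator set (comma and space), the host names and all function names are assumptions made for illustration.

```python
from urllib.parse import quote

# Assumption: the uri value is treated as a list split on commas and spaces,
# which matches the split described in the thread ("dc=com" on its own).
SEPARATORS = ", "
SCHEMES = ("ldap://", "ldaps://", "ldapi://")


def split_uri_list(value):
    """Split a configured uri value into list entries (simplified model)."""
    parts, current = [], ""
    for ch in value:
        if ch in SEPARATORS:
            if current:
                parts.append(current)
            current = ""
        else:
            current += ch
    if current:
        parts.append(current)
    return parts


def check_uri_value(value):
    """Return (entries, bad) where bad holds entries without an LDAP scheme."""
    entries = split_uri_list(value)
    bad = [e for e in entries if not e.lower().startswith(SCHEMES)]
    return entries, bad


def encode_dn_in_uri(uri):
    """Percent-encode the DN of one scheme://host/dn URL (no ?attrs part)."""
    scheme, sep, rest = uri.partition("://")
    host, slash, dn = rest.partition("/")
    # Keep '=' readable; ',' and ' ' become %2C and %20 so they cannot split.
    return f"{scheme}{sep}{host}{slash}{quote(dn, safe='=')}"


# Constructed sample value, not taken from the thread.
RAW = "ldap://ldap.example.com/dc=example,dc=com"

if __name__ == "__main__":
    print(check_uri_value(RAW))
    print(check_uri_value(encode_dn_in_uri(RAW)))
```
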