
Re: LDAP proxy

FOREST Laurent writes:


I am looking for an LDAP proxy that could:
- authenticate LDAP clients (simple bind with encrypted username & password)
- re-direct requests to an LDAP server (e.g. iPlanet Directory Server)
- restrict the allowed operations to search requests
- limit the number of returned entries for each search request to a
configurable value
- allow attribute renaming (nice-to-have feature, but not mandatory)

I saw many discussions in the mailing list about LDAP proxy and back-ldap,
but I am totally confused at the moment.

Is there decent documentation about implementing an LDAP proxy with
OpenLDAP (I looked at the OpenLDAP administration guide but found nothing
about back-ldap or proxy)? I also spotted a FAQ "how do I use the LDAP
backend", but it is not really helpful as a starting point.

I think back-ldap meets most if not all your requirements,
at least in the HEAD version; unfortunately there's little
documentation apart from what you mentioned.

Could someone tell me in a few words:
- WHAT are back-<xxx> (e.g. back-ldap, back-shell)?
- are they the modules between the LDAP interface and the backend databases?
- if yes, where are these modules' APIs documented?

They're backends to the front-end slapd. You can compile them into
one static slapd or as run-time loaded modules. Each back-XXX
implements a backend type, which is declared in the configuration
of slapd by the "backend XXX" directive (for general backend-specific
configuration) and instantiated by the "database XXX" directive
(for each database-specific configuration).

The module API is documented by the code itself.

- what are their main features?

Each backend provides a set of operations divided into 3 main areas:
- implement LDAP operations (abandon, add, bind, compare, delete,
extended, modify, modrdn, search, unbind, ...)
- implement helper operations (group and attribute ACL check,
operational and more)
- implement utility operations (entry put, entry get and so on)

- what is "suffixmassage"?

This is specific to back-ldap and back-meta (a sort of super
back-ldap): it allows modifying the naming context of the entries
that are being proxied: a proxy with naming context "dc=example,dc=com"
may be proxying a server with naming context "o=Example,c=US";
suffix massage takes care of rewriting the naming context both ways.

back-ldap and back-meta currently perform a more comprehensive, regex
based rewriting of the operation data (dn, filter and dn-valued
attributes), plus attribute mapping and so on.


Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
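As an added illustration (not part of this thread, and not an OpenLDAP-supplied sample), here is a slapd.conf database section that puts the suffixmassage rewrite described above together with the restrictions the original poster asked for. The remote host name, the two suffixes, the size limit and the renamed attribute are placeholders; the directives themselves (database ldap, suffix, uri, suffixmassage, map attribute, restrict, sizelimit, security) are documented in slapd.conf(5) and slapd-ldap(5).

```conf
# Added example, not from the thread. Assumes TLS is already configured in
# the global section of slapd.conf so that the ssf requirement below can be met.

# Proxy database: clients see "dc=example,dc=com", the real server
# (placeholder host ldap.internal.example) holds "o=Example,c=US".
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://ldap.internal.example/"

# Rewrite the naming context in both directions (client <-> remote server).
suffixmassage   "dc=example,dc=com" "o=Example,c=US"

# Attribute renaming: clients use "mail", the remote server stores "rfc822Mailbox"
# (placeholder names; map attribute <local name> <foreign name>).
map attribute   mail rfc822Mailbox

# Only simple binds and searches are passed through; compare, extended and
# all write operations (add, delete, modify, rename) are refused by the proxy.
restrict        write compare extended

# Cap the number of entries returned per search (placeholder value).
sizelimit       100

# Require an encrypted connection (TLS) before accepting a simple bind,
# so the username and password never cross the wire in clear text.
security        simple_bind=128
```

Place the block after the global directives (schema, TLS settings, access rules); the "security" line refuses clear-text simple binds rather than encrypting them, so clients must start TLS or use ldaps:// themselves.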