Re: LDAP proxy
FOREST Laurent writes:
> I am looking for an LDAP proxy that could:
> - authenticate LDAP clients (simple bind with encrypted username & password)
> - re-direct requests to an LDAP server (e.g. iPlanet Directory Server)
> - restrict the allowed operations to search requests
> - limit the number of returned entries for each search request to a
> - allow attribute renaming (nice-to-have feature, but not mandatory)
>
> I saw many discussions in the mailing list about LDAP proxy and back-ldap,
> but I am totally confused at the moment.
>
> Is there decent documentation about implementation of an LDAP proxy with
> OpenLDAP (I looked at the OpenLDAP administration guide but found nothing
> about back-ldap or proxy)? I also spotted a FAQ "how do I use the LDAP
> backend" but it is not really helpful as a starting point.

I think back-ldap meets most, if not all, of your requirements,
at least in the HEAD version; unfortunately there's little
documentation apart from what you mentioned.

> Could someone tell me in a few words
> - WHAT are back-<xxx> (e.g. back-ldap, back-shell)?
>   . are they the modules between the LDAP interface and the backend?
>   . if yes, where are these modules' APIs documented?

They're backends to the front-end slapd. You can compile them into
one static slapd or as run-time loaded modules. Each back-XXX
implements a backend type, which is declared in the configuration
of slapd by the "backend XXX" directive (for general backend-specific
configuration) and instantiated by the "database XXX" directive
(for each database's specific configuration).

The module API is documented by the code itself.

> - what are their main features?

Each backend provides a set of operations divided into 3 main areas:
- implement LDAP operations (abandon, add, bind, compare, delete,
  extended, modify, modrdn, search, unbind, ...)
- implement helper operations (group and attribute ACL check,
  operational and more)
- implement utility operations (entry put, entry get and so on)

> - what is "suffixmassage"?

This is specific to back-ldap and back-meta (a sort of super
back-ldap): it allows one to modify the naming context of the entries
that are being proxied: a proxy with naming context "dc=example,dc=com"
may be proxying a server with naming context "o=Example,c=US";
suffix massage takes care of rewriting the naming context both ways.
back-ldap and back-meta currently perform a more comprehensive, regex-
based rewriting of the operation data (dn, filter and dn-valued
attributes), plus attribute mapping and so on.
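Putting the pieces discussed above into one slapd.conf, as an added illustration that is not configuration from this thread or from the OpenLDAP project: the "backend ldap" / "database ldap" pair from the reply, suffixmassage between the two naming contexts named above, and the TLS-protected bind, search-only restriction, result cap and attribute renaming from the original requirements. Directive names are those of slapd.conf(5) and slapd-ldap(5) for OpenLDAP 2.2-era releases (assumption: "restrict" and "uri" are absent from older releases, and in later releases "map" moved to the rwm overlay as rwm-map); the host name, module path and certificate paths are hypothetical.

```conf
# ---- global section -------------------------------------------------------
# Load back-ldap as a run-time module (only needed when slapd was built with
# --enable-modules; a statically compiled back-ldap needs neither line).
modulepath   /usr/lib/openldap          # hypothetical path
moduleload   back_ldap.la

# Server certificate so clients can bind over TLS (hypothetical paths).
TLSCertificateFile     /etc/openldap/proxy-cert.pem
TLSCertificateKeyFile  /etc/openldap/proxy-key.pem

# Refuse cleartext simple binds: require a security strength factor of 128
# (i.e. TLS with a strong cipher) for any operation, binds included.
security ssf=128 simple_bind=128

# General back-ldap configuration applies to every "database ldap" below.
backend ldap

# ---- one proxied database -------------------------------------------------
database ldap

# Naming context the proxy presents to its own clients ...
suffix  "dc=example,dc=com"

# ... and the remote server (e.g. iPlanet) it forwards to (hypothetical host).
uri     "ldap://iplanet.internal.example:389"

# Rewrite dc=example,dc=com <-> o=Example,c=US in requests and responses.
suffixmassage "dc=example,dc=com" "o=Example,c=US"

# Cap the number of entries returned per search request.
sizelimit 100

# Only bind (for authentication) and search are proxied; every other
# operation is refused by slapd before it reaches the remote server.
restrict add compare delete extended modify rename

# Attribute renaming: <local name seen by clients> <foreign name on remote>.
map attribute mail eMail
```

Restricting operations in the proxy's own configuration, rather than relying on the remote server's ACLs, means an attacker who reaches the proxy cannot use it to modify the directory even if the proxy's bind identity on the remote server is privileged; "sizelimit" likewise bounds how much data a single search can pull through the proxy.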
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:firstname.lastname@example.org
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati