RE: LDAP proxy
thank you very much for your very helpful answer. Much appreciated.
By the way, what is "HEAD"? Where can I get the "HEAD version"?
From: Pierangelo Masarati [mailto:firstname.lastname@example.org]
Sent: Saturday, April 13, 2002 5:33 AM
To: FOREST Laurent
Subject: Re: LDAP proxy
FOREST Laurent writes:
> I am looking for an LDAP proxy that could:
> - authenticate LDAP clients (simple bind with encrypted username &
> - re-direct requests to an LDAP server (e.g. iPlanet Directory Server)
> - restrict the allowed operations to search requests
> - limit the number of returned entries for each search request to a
> configurable value
> - allow attribute renaming (nice-to-have feature, but not mandatory)
> I saw many discussions in the mailing list about LDAP proxy and back-ldap,
> but I am totally confused at the moment.
> Is there a decent documentation about implementation of LDAP proxy with
> OpenLDAP (I looked at the OpenLDAP administration guide but found nothing
> about back-ldap or proxy)? I also spotted a FAQ "how do I use the LDAP
> backend" but it is not really helpful as a starting point.
I think back-ldap meets most if not all your requirements,
at least in the HEAD version; unfortunately there's little
documentation apart from what you mentioned.
> Could someone tell me in a few words
> - WHAT are back-<xxx> (e.g. back-ldap, back-shell)?
> . are they the modules between the LDAP interface and the backend
> . if yes, where are these modules' APIs documented?
They're backends to the front-end slapd. You can compile them into
one static slapd or as run-time loaded modules. Each back-XXX
implements a backend type, which is declared in the configuration
of slapd by the "backend XXX" directive (for general backend-specific
configuration) and instantiated by the "database XXX" directive
(for each database-specific configuration).
The module API is documented by the code itself.
> - what are their main features?
Each backend provides a set of operations divided into 3 main areas:
- implement LDAP operations (abandon, add, bind, compare, delete,
extended, modify, modrdn, search, unbind, ...)
- implement helper operations (group and attribute ACL check,
operational and more)
- implement utility operations (entry put, entry get, and so on)
> - what is "suffixmassage"?
This is specific to back-ldap and back-meta (a sort of super
back-ldap): it allows modifying the naming context of the entries
that are being proxied: a proxy with naming context "dc=example,dc=com"
may be proxying a server with naming context "o=Example,c=US";
suffix massage takes care of rewriting the naming context both ways.
back-ldap and back-meta currently perform a more comprehensive, regex
based rewriting of the operation data (dn, filter and dn-valued
attributes), plus attribute mapping and so on.
Dr. Pierangelo Masarati | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale | fax: +39 02 2399 8334
Politecnico di Milano | mailto:email@example.com
via La Masa 34, 20156 Milano, Italy | http://www.aero.polimi.it/~masarati
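The following slapd.conf fragment is an added example, not something posted in this thread or shipped by OpenLDAP. It puts together the back-ldap pieces discussed above ("backend ldap" / "database ldap", suffixmassage, attribute mapping) with the size limit and operation restriction the original poster asked for. The hostname, DNs and the "emailAddress" attribute name are constructed placeholders, and the availability and exact syntax of each directive (uri, suffixmassage, map, restrict, sizelimit) must be checked against the slapd.conf(5) and slapd-ldap(5) pages of the OpenLDAP release actually in use, since the thread refers to the HEAD code of its time.

```conf
# Added example: minimal slapd.conf for an OpenLDAP back-ldap proxy.
# Hostnames, DNs and attribute names are constructed placeholders;
# confirm each directive in your release's slapd.conf(5)/slapd-ldap(5).

include         /etc/openldap/schema/core.schema

# Global: only read-type operations are accepted by the proxy; every
# write-type and extended operation is rejected before it is forwarded.
restrict        add delete modify rename compare extended

# Cap the number of entries any single search may return.
sizelimit       100

# Declare the backend type (general, backend-wide settings go here).
backend         ldap

# Instantiate one proxied database under the virtual naming context.
database        ldap
suffix          "dc=example,dc=com"

# Real directory behind the proxy (e.g. an iPlanet Directory Server).
# Prefer ldaps:// or StartTLS so bind credentials are not relayed in
# the clear between proxy and server.
uri             "ldap://ds.example.com/"

# Simple binds are forwarded to the real server by default, so the
# proxy stores no passwords and the server stays the authentication
# authority.

# Rewrite the naming context both ways: clients see dc=example,dc=com,
# the real server uses o=Example,c=US (mirrors the thread's example).
suffixmassage   "dc=example,dc=com" "o=Example,c=US"

# Attribute renaming: clients ask for "mail", the real server stores
# the value as "emailAddress" (constructed name).
map attribute   mail emailAddress

# ACL: authenticated or anonymous clients may read; nothing is writable,
# which backs up the "restrict" line above in case that directive is
# missing from an older release.
access to *
        by * read
```

To verify the proxy behaves as intended, run an ldapsearch against it with a base of "dc=example,dc=com" (entries should come back with the virtual suffix and the "mail" attribute), then attempt an ldapmodify through the proxy and confirm it is refused; the access line and the restrict line are independent controls, so test with each one commented out to be sure both actually block writes on your release.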