
RE: LDAP proxy


thank you very much for your very helpful answer. Much appreciated.

By the way, what is "HEAD"? Where can I get the "HEAD version"?

Thanks again

-----Original Message-----
From: Pierangelo Masarati [mailto:masarati@aero.polimi.it]
Sent: Saturday, April 13, 2002 5:33 AM
To: FOREST Laurent
Cc: 'OpenLDAP-software@OpenLDAP.org'
Subject: Re: LDAP proxy

FOREST Laurent writes: 

> Hello, 
> I am looking for an LDAP proxy that could:
> - authenticate LDAP clients (simple bind with encrypted username &
> - re-direct requests to an LDAP server (e.g. iPlanet Directory Server)
> - restrict the allowed operations to search requests
> - limit the number of returned entries for each search request to a
> configurable value
> - allow attribute renaming (nice-to-have feature, but not mandatory) 
> I saw many discussions in the mailing list about LDAP proxy and back-ldap,
> but I am totally confused at the moment. 
> Is there a decent documentation about implementation of LDAP proxy with
> OpenLDAP (I looked at the OpenLDAP administration guide but found nothing
> about back-ldap or proxy)? I also spotted a FAQ "how do I use the LDAP
> backend" but it is not really helpful as a starting point.

I think back-ldap meets most if not all your requirements,
at least in the HEAD version; unfortunately there's little
documentation apart from what you mentioned. 

> Could someone tell me in a few words
> - WHAT are back-<xxx> (e.g. back-ldap, back-shell)?
> 	. are they the modules between the LDAP interface and the backend
> databases?
> 	. if yes, where are these modules' APIs documented?

They're backends to the front-end slapd.  You can compile them into
one static slapd or as run-time loaded modules.  Each back-XXX
implements a backend type, which is declared in the configuration
of slapd by the "backend XXX" directive (for general backend-specific 
configuration) and instantiated by the "database XXX" directive
(for each database specific configuration). 

The module API is documented by the code itself. 

> - what are their main features?

Each backend provides a set of operations divided into 3 main areas:
 - implement LDAP operations (abandon, add, bind, compare, delete,
 extended, modify, modrdn, search, unbind, ...)
 - implement helper operations (group and attribute ACL check,
 operational and more)
 - implement utility operations (entry put, entry get and so) 

> - what is "suffixmassage"?

This is specific to back-ldap and back-meta (a sort of super
back-ldap): it allows modifying the naming context of the entries
that are being proxied: a proxy with naming context "dc=example,dc=com"
may be proxying a server with naming context "o=Example,c=US";
suffix massage takes care of rewriting the naming context both ways. 

back-ldap and back-meta currently perform a more comprehensive, regex
based rewriting of the operation data (dn, filter and dn-valued
attributes), plus attribute mapping and so. 


Dr. Pierangelo Masarati               | voice: +39 02 2399 8309
Dip. Ing. Aerospaziale                | fax:   +39 02 2399 8334
Politecnico di Milano                 | mailto:pierangelo.masarati@polimi.it
via La Masa 34, 20156 Milano, Italy   | http://www.aero.polimi.it/~masarati
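Added example, not part of the thread: a minimal slapd.conf fragment putting the reply's points together for a back-ldap proxy, using the "backend"/"database" directives and the "dc=example,dc=com" / "o=Example,c=US" suffix massage from the message. The remote host name, the limit value and the use of the "uri" directive (older releases used "server") are assumptions; TLS certificate directives are left out.

```conf
# Added example (not from the thread): slapd.conf fragment for a back-ldap proxy.
# Assumptions: placeholder remote host, placeholder limit, "uri" directive
# as in slapd-ldap(5) for releases after 2.0; TLS certificate setup omitted.

include         /etc/openldap/schema/core.schema

# Declare the backend type; general backend-specific settings go here.
backend         ldap

# Instantiate one proxy database of that type.
database        ldap

# Virtual naming context the proxy presents to its clients.
suffix          "dc=example,dc=com"

# Real directory being proxied (placeholder host name).
uri             "ldap://directory.internal.example:389"

# Rewrite the naming context both ways:
# client side "dc=example,dc=com" <-> server side "o=Example,c=US".
suffixmassage   "dc=example,dc=com" "o=Example,c=US"

# Cap the number of entries returned for each search (placeholder value).
sizelimit       200

# Refuse add/modify/modrdn/delete at the proxy so only searches go through.
readonly        on

# Require an encrypted connection (TLS/SASL) before the bind is accepted.
security        ssf=128

# Only clients that have bound successfully get to read anything.
access to *
        by users read
        by * none
```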