
Re: modify dn while replication

> Pierangelo Masarati wrote:
>>It could be possible, but it's going to be rather clumsy;
>>it depends on whether there's a clear way you can extract
>>a filtering attribute from the DN, e.g. the "uid=<smtg>"
>>part, to do:
>>rewriteMap      ldap uidMap "ldap:///<naming context>?uid?sub"
>>rewriteRule     "^(uid=[^,]+)(,.*)$$" "%1-%{uidMap(%1)}%2" ":@I"
> OK thanks a lot for the example :-), I'll try out, but before one
> question, where should I put
> these rewrite rules, in the replica section of the master ? this way :
> replica         host=
>                 suffix="ou=people,dc=int-evry,dc=fr"
> attr!="posixAccount,shadowAccount,loginShell,homeDirectory,uidNumber,gidNumber,gecos"
>                 binddn="cn=replicator,ou=people,dc=int-evry,dc=fr"
> bindmethod=simple   credentials=secret
>                 rewriteMap      ldap uidMap
> "ldap:///ou=People,dc=int-evry,dc=fr?uid?one";
>                 rewriteRule     "^(uid=[^,]+)(,.*)$$"
> "%1-%{uidMap(%1)}%2" ":@I"
> replogfile /var/lib/ldap/replica/replogfile
> or on a dedicated ldap or meta backend ? sorry for being so ignorant,
> but it's the first time I play with the rewrite engine ! by the way, I
> suspect I need a "rewriteEngine on" somewhere, in slapd.conf ?

Sorry, my answer was incomplete.  Yes, you need to replicate
thru a proxy server, e.g. a server in between the master and
the slave so that

master --> m2s-proxy: uid=test,... ==> uid=test-number,... --> slave

you need to figure out what you intend to do with referrals
from slave to master; if you need to rewrite as well, then
you need another proxy to revert the massaging.

slave --> s2m-proxy: uid=test-number,... ==> uid=test,... --> master

the proxy needs to be a back-ldap compiled with --enable-rewrite,
and needs to be configured with

database ldap
uri ldap://<slave>
lastmod on
rewriteEngine on
rewriteContext default
<rules as in example>


if the proxy is used also for normal operations,
you'll need to deal with other rewrite contexts,
e.g. searchBase, searchFilter, compareDN,
compareAttrDN if you want any rewriting to occur
in these cases.

you'll also need to deal with searchResults and more,
otherwise they'll be treated with the default rules.
see slapd-meta(5) in the REWRITE section for what
rewrite contexts are active.  otherwise you can add

rewriteContext searchBase
rewriteContext searchFilter
rewriteContext compareDN
rewriteContext compareAttrDN

rewriteContext searchResult
rewriteContext searchAttrDN
rewriteContext matchedDN

if you don't want any rewrite to occur for these
rewrite contexts.

On the contrary, the default rewriting should occur
for any write operation; the default naming context
is picked if you don't specify any.

Note: the "lastmod on" should work since the target
is a replica; it is important since you want the
replica to be in sync with the master also in terms
of timestamps.


Pierangelo Masarati
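
Added example, not part of the original message and not OpenLDAP code: a Python model of the two DN mappings described above (master to slave, and back), for checking candidate rules against sample DNs before putting them in a proxy. The `UID_MAP` dict is a constructed stand-in for the `uidMap` LDAP lookup, the reverse pattern is hypothetical, and the handling of `$$`, case-insensitive matching and the `I` flag are assumptions about how the rule behaves.

```python
import re

# Constructed stand-in for the uidMap LDAP lookup: "uid=<name>" -> mapped value.
UID_MAP = {"uid=test": "1001", "uid=jean-pierre": "1002"}

# Python transliteration of the rule's pattern (assumed: "$$" is one end anchor,
# and matching is case-insensitive because the rule carries no "C" flag).
M2S = re.compile(r"^(uid=[^,]+)(,.*)$", re.IGNORECASE)
# Hypothetical reverse pattern for the s2m proxy: strip one trailing "-<digits>".
S2M = re.compile(r"^(uid=[^,]+)-(\d+)(,.*)$", re.IGNORECASE)


def master_to_slave(dn, uid_map=UID_MAP):
    """uid=test,... ==> uid=test-number,...  (models "%1-%{uidMap(%1)}%2")."""
    m = M2S.match(dn)
    if not m:
        return dn  # rule does not apply; DN passes through untouched
    value = uid_map.get(m.group(1).lower())
    if value is None:
        return dn  # modelled "I" flag: a failed map lookup is ignored
    return f"{m.group(1)}-{value}{m.group(2)}"


def slave_to_master(dn, uid_map=UID_MAP):
    """uid=test-number,... ==> uid=test,...  Undo only what the map produced."""
    m = S2M.match(dn)
    if not m:
        return dn
    rdn, number, rest = m.groups()
    # Guard: "uid=user-42" may be a genuine master uid, not a rewritten one,
    # so the suffix is removed only when it equals the mapped value.
    if uid_map.get(rdn.lower()) != number:
        return dn
    return rdn + rest
```

The guard in `slave_to_master` covers the case a plain "strip the trailing number" rule gets wrong: uids that already contain a hyphen followed by digits.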