[Date Prev][Date Next]
RE: LDAP proxy with features
> -----Original Message-----
> From: Pierangelo Masarati [mailto:firstname.lastname@example.org]
> Sent: Monday, December 05, 2005 10:05
> To: Pratt, Benjamin E.
> Cc: email@example.com
> Subject: Re: LDAP proxy with features
> > Hello. A few months ago I tried setting up an OpenLDAP server to:
> > 1. Act as a proxy to several other LDAP servers.
> > 2. Accept LDAP requests and convert them to LDAPS requests
> before going
> > to backend servers.
> > 3. Allow attribute mapping for specific attributes to
> certain backend
> > directories.
> > I was running OpenLDAP 2.2 and had points 2 and 3 working great but
> > point 1 was a problem because many of the other LDAP
> attributes didn't
> > pass through the proxy.
> > This week I started looking into this again and saw a posting to the
> > list from a user who said that OpenLDAP 2.3 resolves this issue. I
> > upgraded and yes, the proxying of attributes to the backend
> server issue
> > was resolved. Unfortunately points 2 and 3 were broken.
> I'd restate this as "I was unable to make them work"; the
> code, as far as
> my intensive recent testing concern, is fully functional. In
> fact, your
> configuration looks broken in a few points.
> > I installed the FreeBSD port using the command:
> > make CONFIGURE_ARGS="--enable-ldap=yes --enable-meta=yes
> > --enable-rewrite=yes --enable-rwm=yes --with-tls=openssl"
> install clean
> > My slapd.conf file contains:
> > database ldap
> > lastmod off
> > suffix "DC=university,DC=edu"
> > directory /var/db/openldap-data
> > rwm-map attribute displayName cn
> > uri "ldap://220.127.116.11 ldap://18.104.22.168
> > ldap://22.214.171.124"
> > When I change the uri to point to protocols ldaps (e.g.
> > ldaps://126.96.36.199) the proxy breaks. Also, I used to have "map
> > attribute displayName cn" working but now the configuration
> appears to
> > be rwm-map but that is not working.
> > Are my install options correct for LDAPS? Is a proxy conversion from
> > LDAP to LDAPS still possible?
> yes, as per documentation of slapd.conf(5), ldap.conf(5) and
> slapd-ldap(5). In detail, the proxy (back-ldap) is using the libldap
> client library as a client, and thus its configuration,
> specifically with
> respect to TLS, should follow the directives in ldap.conf(5).
> I suspect
> you took the misfunctionality as broken code and you didn't
> the real reason of the misbehaving, which is 99% likely to be
> related to
> > Am I using the map attribute options correctly?
> > If not, what is the
> > correct way?
> The slapo-rwm(5) overlay requires explicit instantiation by
> "overlay rwm";
> otherwise, all the rwm-map directive is likely to result is a warning.
> > I appreciate any help that the community has to offer. If I need to
> > provide any more info please let me know. Thanks.
> In general, moving between minor version numbers requires
> resurfing thru
> the documentation, because things happen to change, most of
> the time they
> improve. Otherwise ther would be no reason to have 2.3, we'd still be
> playing with 2.0.
> Pierangelo Masarati
I am sorry for my mis-speaking. I intended to say that my setup was
broken and not the application. I am sorry for my poor choice of words.
I thank you for the help and will continue to look deeper.
The only configuration file I ended up changing was slapd.conf. After I
changed "map attribute" to read "rwm-map attribute" I was able to run
slaptest with no errors whether I was pointing at a backend server via
ldap or ldaps.