[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: (Was ITS#4333) crash in back meta



> If this is is the case, I'm not sure I understand its usefulness: since
> both DBs are in the same instance of slapd I'd assume the smae
> administrator is administering both; or, are you trying to allow
> augmenting a shadow database with local data?

It's not administration; it's more a representation of political view,
perhaps. Consider

(all on one server)
database hdb; suffix "ou=faculty,dc=rutgers,dc=edu"; subordinate
database hdb; suffix "ou=students,dc=rutgers,dc=edu"; subordinate
database hdb; suffix "dc=rutgers,dc=edu"
(could be on same server back-relay, could be elsewhere back-ldap)
database hdb; suffix "o=OpenLDAP Conference at Rutgers,c=US";

Now, let's say the OpenLDAP Conference was held on Rutgers campus, and
access is to be made available to the union of anybody in the o=OpenLDAP
and anybody in the dc=rutgers,dc=edu--we want to join all those suffixes
together into our metadirectory. Two quick ideas:

* start hosting suffix="" and use that as a search base
* host o=OpenLDAP Conference,c=US with some glue (translucent, glue,
back-relay, back-meta, etc.) that somehow connects the valid dc=rutgers users
[of course this will need a rewrite or my client will likely be confused
at getting a dc=edu from a c=US base?]

The first one should work trivially. The second one is what I was getting
at with the translucency before (although I'm starting to see it might not
be best). But let's extend the problem. Say Rutgers is extremely kind this
year and also hosts:

database hdb; suffix "o=Apache Conference at Rutgers,c=US";

and makes the same decision that all dc=rutgers are welcome there. Now
approach 1 is not as useful: if I suffix "" then those Apache people will
?sub into the OpenLDAP hdb, and we certainly don't want that! So we're
back to making some flavor of massaging glue, probably:

database hdb; suffix "o=Apache Conference at Rutgers,c=US";
	glue-sub "dc=rutgers,dc=edu" suffixmassage

Actually, that might even have worked with the <2.3.7 slapo-glue. I'm not
so sure about how to approach it today (possibly tons of rewriteRules, but
what connects the two hdb? meta?). I admit this also tends down a path of
quite a bit of rope. (No "suffixmassage" on that last example would be
quite silly, and is exactly why "subordinate" is the case today, if I
remember?)