[Date Prev][Date Next]
Proxy cache and rewrite rules
I'm trying to get a proxy cache to work with a meta backend that does
rewrites. The idea is that a bunch of non-overlapping directories are
searched en masse with a dummy base of "dc=AdminView" (not my choice of
suffix) and the actual entries returned.
So, we have something like:
# This constructs a view of *all* directories.
access to * by * read
rewriteRule "(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=dev" ":"
rewriteRule "(.*)dc=AdminView$" "%1dc=id,dc=cordoors,dc=dev" ":"
Etc. The "dc=dev" indicates our development system (again, not my
choice). It rebinds against itself (ldapi turned out to be more efficient
than a network connection) and searches the "real" directories
This works marvellously, although I have a feeling that it could be done a
better way. Anyway, I then configured a proxy cache:
proxycache bdb 1000 1 100 60
proxyattrset 0 ciApp ciAppType ciHost ciStatus ciPortNum ciDBPath description ciAppVar ciDomainMember cn
proxytemplate (&(objectClass=)(ciApp=)) 0 3600
proxycache-index objectClass eq
proxycache-index cn,ciApp,ciAppType,ciHost,ciStatus,ciPortNum,ciDBPath,description,ciAppVar,ciDomainMember pres,eq,sub
and promply ran into the issue in ITS #4411 (SLAPD went into a loop).
Howard's diagnosis was:
> OK, stepping thru with gdb I see there's something looping because it's
> trying to write the entry ciApp=orck,dc=au,dc=cordoors,dc=dev into the
> cache database, but you've defined that DB to have the suffix
> dc=AdminView. The syncrepl_add_glue function is treating the DN
> incorrectly because it expected the entry to have a suffix equal to the
> DB suffix. Basically your rewrite rule isn't affecting the searchResult
> context, so the entry has the wrong DN, and it becomes a case of GIGO
> from there on.
OK, I understand that, and I've tried a few things (most of which sent
SLAPD into a loop again, but I'm not reporting it as a bug because it's
clearly a bad configuration) with no luck.
If I rewrote the result so it would be cached, wouldn't the application
then see the rewritten result? I want to search several non-overlapping
dirctories, and have the actual entry returned; it seems to be that this won't
fit with the concept of the proxy cache.
Can this actually be done?
Dave Horsfall DTM VK2KFU firstname.lastname@example.org Ph: +61 2 9552-5509 (d) -5500 (sw)
Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU