[Date Prev][Date Next]
Re: slapd-relay and slapo-rwm questions
Quanah Gibson-Mount wrote:
Haven't checked, but if you don't force real database selection at
startup, it will find its way by selecting the database for each
operation (maybe not the most efficient option...)
The same rules for slapd.conf ordering still apply - the most specific
DN's must appear before the less specific DN. So you must define
If you put it before the database hdb definition, then it cannot find
the dc=stanford,dc=edu database, and slapd fails to start.
/usr/local/etc/openldap/slapd.conf: line 72: cannot find database of
relay dn "cn=people,dc=stanford,dc=edu" in "relay <dn> [massage]" line
so that's a non-starter.
That __should__ do it.
My understand is that is the point of this bit of configuration?
relay cn=people,dc=stanford,dc=edu massage
but that doesn't do it.
We got to a point where schema is essential for all internal operations
-- and I wouldn't back off --; for this purposes, we rather developed
tools to munch and digest the worst schema sources ever. I rather
prefer having control on what is getting in, and especially on what's
pushed out. Note that in order to push out search results you don't
need to know matching rules for attributes; but you will to accept
filters. So a best practice consists in knowing the schema for all
items, and generate dummy schema for unknown items with something like
"octetStringMatch" as equality rule, so that it smoothly passes frontend
filter validation. Any overlay would be useless at this point, since
overlays cannot take control __before__ filter validation, or when
determining if an attribute was requested. I can share some of those
tools if you want to try them (too busy to release them "officially",
(3) How do you map attributes to attribute names that don't exist in
your schema? Since this is really about what gets displayed back to
client, I don't see why there is a requirement that the mapped-to
attribute name must exist in your schema.
Everything that the local slapd returns directly to a client must exist
in the local slapd's schema. You can only get away with using undefined
schema elements when forwarding queries to a remote server, and even
you shouldn't - you should import the remote schema into the local
Remember, we don't support "schemachecking off" any more - we expect
everything that we touch to have valid schema definitions.
I don't see why it is necessary for whatever the attribute gets mapped
*to* to exist in the local schema. I don't see why I should be forced
to load mozilla's schema, for example, to rewrite attributes I have in
my server to what mozilla wants, or why I should create some bogus
"display-name" attribute just so I can rewrite "displayName" to
"display-name" for outlook. To me, the whole idea here, is I want to
present to the client attributes that are syntax correct in the
underlying DB, since they are forced to be there, as whatever I want
the end client to see them as. As is, this whole overlay becomes
worthless to me without that ability.
Ing. Pierangelo Masarati
OpenLDAP Core Team
Via Dossi, 8 - 27100 Pavia - ITALIA