
Re: ldap proxy resolution by rewriting in meta-backend



Thanks a lot for your answer.
I tried to have three "database ldap" and a database relay that would direct to only one, depending on the search filter. But I can't manage to quit the "database relay" paragraph when the condition ".*-b" or "*-c" matches. For example, if "uid=toto-b", it should search through "ou=b,ou=mysociety", i.e. via the second "database ldap", but in spite of the ":@", it also does the following "suffixmassage", so the search base in every case is "ou=a,ou=mysociety". Also, the part beginning with "overlay rwm" and ending with "rwm-rewriteContext default" doesn't seem to make any difference.

My slapd.conf looks like:

database relay
suffix "ou=virtual,ou=mysociety"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchFilter
rwm-suffixmassage ou=b,ou=mysociety
rwm-rewriteRule "(.*-b\))" "%1,ou=divers,ou=b,ou=mysociety" ":@"
rwm-suffixmassage "ou=b,ou=mysociety" "ou=c,ou=mysociety"
#rwm-rewriteRule     "ou=b,ou=mysociety" "ou=c,ou=mysociety"
rwm-rewriteRule "(.*-dgi\))" "%1,ou=personnes,ou=c,ou=mysociety" ":@"
rwm-suffixmassage "ou=c,ou=mysociety" "ou=a,ou=mysociety"
#rwm-rewriteRule            "ou=c,ou=mysociety" "ou=a,ou=mysociety"

database ldap
suffix ou=a,ou=mysociety
rebind-as-user
uri             ldap://127.0.0.1:390


database ldap
uri ldap://127.0.0.1:391
suffix "ou=b,ou=mysociety"
rebind-as-user
#overlay rwm
#rwm-rewriteEngine on
#rwm-rewriteContext searchFilter
#rwm-rewriteRule "^(.+),ou=b,ou=mysociety,c=fr$" "$1" ":@"
#rwm-rewriteContext default

database ldap
uri ldap://10.127.0.0.1:392
suffix "ou=c,ou=mysociety"
rebind-as-user



Pierangelo Masarati wrote:
yamina wrote:
Hello,
I want to use the "LDAP Proxy resolution" mode related in the
"slapd-meta" man but I don't manage to make it work.
I wonder if it is implemented yet because I saw a message dated Fri, 16
Jan 2004 17:09:10 +0100 in which the same problem is not solved.

That man page is a copy and paste from a white paper. That feature is a TODO and should be removed from the man page.

You might be able to obtain something like that by using a proxy that statically maps a given subtree to a given server. Something like

database relay
suffix "dc=virtual"
overlay rwm
...

rwm rules that rewrite the base DN of a search based on the contents of the filter (not a trivial rule, though) to a temporary DN like
(uid=*-b) -> $BASEDN,dc=server1
(uid=*-c) -> $BASEDN,dc=server2
...

Then add

database ldap
suffix "dc=server1"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchDN
rwm-rewriteRule "^(.+),dc=server1$" "%1" "@:"
rwm-rewriteContext default

database ldap
suffix "dc=server2"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchDN
rwm-rewriteRule "^(.+),dc=server2$" "%1" "@:"
rwm-rewriteContext default

...

and so on. The whole thing may need quite a bit of shakedown, and is going to be far from efficient, though.

p.


--
Best regards,
Yamina SIROT
PAMELA team
0437918949
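
A small Python model of the two-stage rewrite sketched in the quoted reply (filter chooses a temporary suffix, the backend strips it again), added here as an illustration; it is not slapd code or configuration from either poster. The function names, and the choice to refuse routing when the filter matches no ending or more than one, are assumptions of this example.

```python
import re

# Temporary suffix per uid ending, following the reply's sketch:
# (uid=*-b) -> $BASEDN,dc=server1 and (uid=*-c) -> $BASEDN,dc=server2.
ROUTES = {"-b": "dc=server1", "-c": "dc=server2"}

# Matches every uid assertion value inside an LDAP filter string.
UID_ASSERTION = re.compile(r"\(uid=([^()]*)\)", re.IGNORECASE)


def relay_rewrite(base_dn, search_filter):
    """Stage 1 (relay): choose a temporary suffix from the filter, append it."""
    targets = set()
    for value in UID_ASSERTION.findall(search_filter):
        for ending, suffix in ROUTES.items():
            if value.endswith(ending):
                targets.add(suffix)
    if len(targets) != 1:
        # No uid ending matched, or a compound filter points at two
        # servers: there is no single backend to route to (assumption).
        return None
    return f"{base_dn},{targets.pop()}"


def backend_strip(dn, suffix):
    """Stage 2 (backend): pattern "^(.+),<suffix>$" replaced by submatch 1."""
    match = re.match(rf"^(.+),{re.escape(suffix)}$", dn)
    # A DN that does not match the pattern is left unchanged.
    return match.group(1) if match else dn


def route(base_dn, search_filter):
    """Return (temporary suffix, base DN the backend sends), or None."""
    rewritten = relay_rewrite(base_dn, search_filter)
    if rewritten is None:
        return None
    suffix = rewritten.rsplit(",", 1)[1]
    return suffix, backend_strip(rewritten, suffix)


if __name__ == "__main__":
    # Constructed sample searches, not taken from a real directory.
    for flt in ["(uid=toto-b)", "(&(objectClass=person)(uid=jean-c))",
                "(uid=toto)", "(|(uid=x-b)(uid=y-c))"]:
        print(flt, "->", route("ou=people,dc=virtual", flt))
```

The last two sample filters show the cases a single regular expression over the raw filter string handles poorly: a filter with no routable uid, and a compound filter that would match two backends at once.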