[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Using back-ldap as a client-side proxy/cache



Neil Dunbar wrote:

On 7 Mar 2010, at 23:28, Howard Chu wrote:


And while nssov is really cute, since it exists in the same process space as
slapd, it doesn't end up triggering the pcache, which does gets fired upon
incoming LDAP requests from an external process (nslcd). It's probably that I
just suck, and didn't configure slapd quite right, but that's why I ended up
still using nslcd and slapd on the same box.

Hm, you probably have them configured in the wrong order. I specifically
designed nssov and pcache to work together, and they do.

OK - I'm stuck: yes - I realise I suck, but at the moment, I'm just spinning
on this one. Howard/Quanah/anyone - can you post a sample config which lashes
together nssov and pcache? At least it would help me see what's supposed to be
the order of events.

I think my config is about as simple as it gets, back-ldap proxying to our
real directory, then loading nssov, then pcache on a BDB backend (Although
I've tried reversing pcache and nssov to no avail). pcache configured to cache
the filters issued from nslcd/nssov.

The nssov overlay works perfectly - fetching passwd and group databases from
the directory like a champ.

Similarly, if I do an ldapsearch on the proxy, using the nslcd filters - all
is well, the local cache DB gets populated, with the right indices. If I fire
up nslcd pointing to ldapi:///, I get the both the system databases working
and caching working fine.

But nssov just doesn't seem to find its way through to the pcache. I can post
the config - but it's pretty much identical to the ones in Symas's AAA paper.
It's so annoying - I absolutely believe that I'm about a heartbeat away from
getting it cracked, but the final solution is beyond my tired brain.

This is the essence of it:

database	ldap
suffix          "dc=example,dc=com"
rootdn          "dc=example,dc=com"
rootpw		"secret"
uri		"ldap://localhost:9011/";

overlay		pcache
proxycache	bdb 100 2 6 1m
proxyattrset 0  	uid userPassword uidNumber gidNumber gecos
  cn homeDirectory loginShell objectClass
proxyattrset 1  	cn userPassword gidNumber memberUid
  uniqueMember objectClass
proxytemplate   	(&(objectclass=)(uid=)) 0 3600
proxytemplate   	(&(objectclass=)(uidnumber=)) 0 3600
proxytemplate   	(&(objectclass=)(gidnumber=)) 1 3600
proxytemplate   	(&(objectclass=)(|(memberuid=)(uniquemember=))) 1 3600
response-callback	head

cachesize 20
directory	/home/hyc/OD/hobj/tests/testrun/db.2.a
index		objectClass	eq
index		cn,sn,uid,mail	pres,eq,sub
index		uidnumber,gidnumber,uniquemember,memberuid eq

overlay nssov

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/