
translucent overlay with local-only entries



I'm trying to extend an ldap directory using the translucent overlay,
like many before me:

http://www.openldap.org/lists/openldap-software/200802/msg00128.html
http://www.openldap.org/lists/openldap-software/200802/msg00267.html
http://www.openldap.org/lists/openldap-software/200511/msg00216.html
http://www.openldap.org/lists/openldap-software/200707/msg00471.html

Before version 2.4.8, this wasn't possible. Howard Chu seems to have
fixed this in rev 1.40 (before release 2.4.8) of translucent.c:
http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/translucent.c
(http://www.openldap.org/lists/openldap-bugs/200712/msg00109.html)

Although it seems to have been fixed, I cannot get it to work on my
setup. I use the packaged v2.4.10 in Debian testing. My config:

# Config start
include         /etc/ldap/schema/core.schema
include         /etc/ldap/schema/cosine.schema
include         /etc/ldap/schema/nis.schema
include         /etc/ldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid
argsfile        /var/run/slapd/slapd.args
loglevel        none

modulepath      /usr/lib/ldap
moduleload      back_hdb
moduleload      back_ldap
moduleload      translucent

sizelimit 500
tool-threads 1

backend         hdb
backend         ldap

database hdb
directory /var/lib/ldap/translucent
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=mybranch,dc=example,dc=com"
rootpw "admin"

overlay translucent
uri "ldap://172.27.27.37";
idassert-bind
 bindmethod=simple
 binddn="cn=admin,dc=example,dc=com"
 credentials="admin"
 mode=none
idassert-authzFrom "dn.subtree:dc=example,dc=com"
# Config end

This works perfectly fine for searches where the entry is remote.
Changing entries works fine as well, with the results stored in the local
translucent db. Adding new entries works, but they are not returned on
searches. I check this by running slapcat.

So, it boils down to these questions:
* Does Howard's patch not fully implement the searching?
* Is my config wrong?
* There are probably other ways to do this, perhaps using a meta
 ldap backend. With multiple backends, what determines where writes
 go? Probably where the object is based, but what about new objects?
* Is it cleaner to keep my "branch" of the tree under a subdomain,
 such as mybranch.example.com using rwm, or should they all be on the
 main example.com domain?
* Examples for exotic overlays are very scarce. It would be very
 helpful if anyone could provide their configuration file.

sven
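The configuration quoted in the post stores every credential in the clear: `rootpw "admin"` for the local hdb database, and `credentials="admin"` for the simple bind that the translucent overlay performs against the remote server over plain `ldap://`. The following linter is an added example, not code from the original thread or from the OpenLDAP project; it assumes slapd.conf syntax (directive, whitespace, arguments; a line starting with whitespace continues the previous directive; `#` starts a comment) and assumes the `starttls=` keyword of `idassert-bind` and the `{SSHA}`-style hashes emitted by `slappasswd`. The sample input is constructed to mirror the posted config.

```python
"""Lint a slapd.conf fragment for weak credential handling.

Added example (not part of the original mailing-list post). Reports:
  * a rootpw stored in cleartext instead of a {SSHA}-style slappasswd hash
  * an idassert-bind that carries a cleartext credentials= value, so the
    operator remembers to keep slapd.conf readable only by the slapd user
  * a simple bind to a plain ldap:// URI without starttls=, which sends the
    proxy's bind password unencrypted over the network
"""
import re

# Constructed sample: the relevant part of the configuration from the post.
SAMPLE_CONF = """\
database hdb
directory /var/lib/ldap/translucent
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=mybranch,dc=example,dc=com"
rootpw "admin"

overlay translucent
uri "ldap://172.27.27.37";
idassert-bind
 bindmethod=simple
 binddn="cn=admin,dc=example,dc=com"
 credentials="admin"
 mode=none
"""

# slappasswd output looks like {SSHA}base64...; anything without such a
# scheme prefix is taken to be a cleartext password.
HASH_PREFIX = re.compile(r"^\{[A-Za-z0-9-]+\}")


def parse_directives(text):
    """Join continuation lines and return a list of (directive, argument-string)."""
    logical = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0].isspace() and logical:
            # slapd.conf: a line beginning with whitespace continues the previous one
            logical[-1] += " " + raw.strip()
        else:
            logical.append(raw.strip())
    out = []
    for line in logical:
        parts = line.split(None, 1)
        out.append((parts[0].lower(), parts[1].strip() if len(parts) > 1 else ""))
    return out


def unquote(value):
    """Strip one pair of surrounding double quotes (and a stray trailing ';')."""
    value = value.strip().rstrip(";").strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return value[1:-1]
    return value


def lint(text):
    """Return a list of human-readable findings for the given slapd.conf text."""
    findings = []
    uris = []
    binds = []
    for directive, args in parse_directives(text):
        if directive == "rootpw":
            if not HASH_PREFIX.match(unquote(args)):
                findings.append("rootpw is cleartext; store a slappasswd hash such as {SSHA}... instead")
        elif directive == "uri":
            uris.extend(unquote(args).split())
        elif directive == "idassert-bind":
            binds.append(args)

    for args in binds:
        if "credentials=" in args:
            findings.append("idassert-bind holds a cleartext credentials= value; "
                            "slapd.conf must be readable only by the slapd user")
        # bindmethod=simple over ldap:// without STARTTLS exposes that password on the wire
        plain = any(u.lower().startswith("ldap://") for u in uris)
        if "bindmethod=simple" in args and plain and "starttls=" not in args:
            findings.append("simple bind to a plain ldap:// URI without starttls=; "
                            "add starttls=critical or use ldaps://")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF):
        print("-", finding)
```

Run against the constructed sample it produces three findings; after replacing the rootpw with a `{SSHA}` hash and adding `starttls=critical` to the `idassert-bind` block, only the unavoidable cleartext `credentials=` reminder remains, which is the point at which file permissions on slapd.conf become the control that matters.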