[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP and "reverse" wildcards

15 apr 2009 kl. 09.43 skrev Howard Chu:

Pierangelo Masarati wrote:
Kjell Gustafsson wrote:

We are using OpenLDAP (openldap-server-2.4.11-bdb) and Berkley DB
in a project.

LDAP is used to store subscribernumbers and the address of the ippbx
where the
subscriber is registered. Typically every subscriber have a separate DN
in the
LDAP-database. We have a serverfunction that do ldap-searches for
subscribernumbers to retrieve the ippbx-address. This part is going to
working as is.

Now we want to be able to have a "wildcard"-entry in LDAP, that points
to an
address also. This entry shall respond to any ldap-search matching the

Let me give an example:

We have, let's say four ippbx's with prefixes 111, 222, 333&  444. A
number consist of the prefix and five more digits. Each subscriber can
be registered
in any ippbx and still be reachable. The prefix indicates the subscribers

Now we want to use a gateway to another telephone-system. We don't want to have all of the subscribers from that system registered in LDAP, so we want a "wildcard"-entry saying that if you dial 99912345 LDAP should have an
999xxxx pointing to the gateway for the subscribers in the other
The response to the ldap-search should contain the the gateway address
to the
telephone-system regardless of the number entered. So if I dial 99912345 I
should get the same response as if I dial 99967890.

The response shall have the same format as in the ippbx-solution. We
want the ldap
DIT to look the same for the wildcard and the others - the DN shall look
the same.
We don't want to change the serverfunction we are using today.

So - finally my question:

Would it be possible to solve this with OpenLDAP and if so - how can it
be done?

The best way to handle this would be to move the logic towards the
application. If you want LDAP (and OpenLDAP) do handle it, you need to
move your application's logic into OpenLDAP.  This requires to write
some code.  You need to be able to intercept operations that requests
external numbers, and return a referral to the system that is able to
handle that request. Optionally, you can chain the request, so that the
client doesn't even need to handle the referral itself.

It might be pretty straightforward by defining an overlay that does the The Right Thing (TM); of course, the devil is in the details, as usual.

<commercial>You might need expert support to have this done quick and

Yes, most of the logic belongs in the application, but you can get some help from LDAP if you design your DIT properly.

Remember that a directory is a hierarchical name space; if you don't take advantage of that fact then you may as well just use an RDBMS.

Telephone numbers are also a hierarchical name space; there's a natural mapping that makes this problem simple:

Given a user with subscriber number xxx-yyyyy just split the number into two components:

This is pretty much how our DIT is designed.

Make the application always transform its lookups to match this naming scheme. Then, for users who are "local" to the system, you do a base search on exactly their number. For 123-4567, lookup

If it exists, you get the result back immediately. If the query is 999-12345 and only the prefix exists, then your lookup for
will fail, and the result will come back with a matchedDN of prefix=999,ou=subscribers,dc=example,dc=com

If I understand you correctly I should have the following:

one entry per number and prefix for each of the subscribers I want to register separately, i.e.







and so on, plus one entry for "the unknowns" like this



Then your app just has to look up the matchedDN entry, and proceed from there. "Wildcards" are unnecessary.

  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/