[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: get_ava: illegal value with translucent proxy

To: petteri.j.heinonen@kolumbus.fi
Subject: Re: get_ava: illegal value with translucent proxy
From: masarati@aero.polimi.it
Date: Wed, 29 Jul 2009 21:33:42 +0200 (CEST)
Cc: openldap-technical@openldap.org
Importance: Normal
In-reply-to: <929469.698521248782653138.JavaMail.petteriheinonen@kolumbus.fi>
References: <929469.698521248782653138.JavaMail.petteriheinonen@kolumbus.fi>
User-agent: SquirrelMail/1.4.9a

> Ok, thanks for the clarification. I guess that my goal to have an Active
> Directory proxied properly is not going to happen. I would need a complete
> AD schema for OpenLDAP, and that's probably now available anywhere.

Well, this may not be entirely true, although I'm not 100% sure this works
as intended in your case.  In fact, slapd is relatively picky about
knowing a definition of entities it needs to use.  In your case, the
objectClass you're using in the filter, and any attribute you may use in a
filter.  However, as soon as data whose definition is not known are
returned by a proxy, slapd can live with them under the assumption they
won't be used for anything special.  So if you search an entry

dn: cn=Some Name,dc=some,dc=org
objectClass: fancyObject
cn: Some Name
fancyAttr: fancy stuff

using the objectClass or fancyAttr in the filter, they need to be known by
slapd; however, if you just search for anything below dc=some,dc=org, and
that entry is returned by the proxy, slapd will record fancyObject and
fancyAttr for future reference, although in a non-persistent manner (the
next time you start slapd you'll need it to learn again about their
existence).

p.

References:
- Re: get_ava: illegal value with translucent proxy
  - From: Petteri Heinonen <petteri.j.heinonen@kolumbus.fi>

Prev by Date: Re: Mirror mode with additional consumer
Next by Date: Member-of plugin support for nested membership
Index(es):
- Chronological
- Thread