
Re: ldap && rwm && pcache && transparent



*bump* No ideas anyone?

On Wed, 14 Sep 2011 20:53:03 +0200, Turbo Fredriksson wrote:
I'm trying to proxy an AD and an OpenLDAP server on a
separate machine to get a 'combined' view.


First problem (or the primary one?) is that the DN doesn't
match.

   AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
   OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld

We have absolutely no write/modify access to the AD (we
barely got search/compare access to parts of the AD!).

And the OL server... There's way too much work to modify
that (as in massaging the DB and reloading it) at the moment.
It's also running 2.3 at the moment, and we don't want to
upgrade that any time soon.


The theory is/was to:

   1. Setup a LDAP/META proxy to the AD to act as the
      'local' DB.
   2. Rewrite the AD DNs to match the OL DB
   3. Cache some common queries
   4. Glue the OL DB with the AD DB, the OL acting as
      the 'remote' DB.

Unfortunately, I can't get step four to work. Any queries
seem to loop to the localhost.


I guess I could use rwm on the OL server to massage the
DN (before it's presented to clients and the proxy), but
I'd much rather do any rewrite etc. on my new proxy server
if possible.

OR

Setup a second OL server on the current OL server, but
on a different port (hidden), which proxies the main
OL and rewrites the DN to match the AD. This hidden server
could then be proxied by the new LDAP proxy, cached etc...


But neither of the alternative solutions is pretty :).

I'll have to maintain and support THREE LDAP servers
(one DB and two proxies), which seems a little too much
work.

And besides, the OL has all the UNIX (posixAccount etc.)
stuff (only), with very few users (most of the organization
doesn't need UNIX accounts), and most of the clients are configured
to use that when searching etc. There are also other reasons
why we would like to keep the OL server layout...


Parts of my slapd.conf:


#######################################################################

database			ldap
suffix				"dc=company,dc=tld"
rootdn				"cn=Manager,dc=company,dc=tld"
rootpw				"secret"

# ---------------------------------------------------------------------
##### Active Directory Server (will act as LOCAL DB)
uri				ldap://ad.company.tld

idassert-bind			bindmethod=simple
			binddn="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"
			credentials="Secret1"
			mode=none
idassert-authzFrom		"*"

# ---------------------------------------------------------------------
#### Rewrite/Remap
# http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7
overlay				rwm
rwm-rewriteEngine		yes
rwm-normalize-mapped-attrs	yes

rwm-map				attribute uid sAMAccountName
rwm-map				attribute gecos displayName
rwm-map				attribute workPhone telephoneNumber
rwm-map				attribute address1 streetAddress
rwm-map				attribute city l
rwm-map				attribute state st
rwm-map				attribute zip postalCode
rwm-map				attribute country co
rwm-map				attribute c country
rwm-map				attribute distinguishedName entryDN
rwm-map				objectclass inetOrgPerson user
rwm-map				objectclass groupOfNames group

rwm-rewriteContext		searchEntryDN
rwm-rewriteRule			"cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)" "uid=$1ou=People,dc=ORG3,$2" ":@"

rwm-rewriteContext		searchAttrDN alias searchEntryDN
rwm-rewriteContext		matchedDN alias searchEntryDN

# ---------------------------------------------------------------------
#### Proxy Cache
overlay				pcache
pcache				hdb 2500 3 1 300

pcacheAttrset 0 uid uidNumber gidNumber cn sn givenName distinguishedName
pcacheAttrset			1 c physicalDeliveryOfficeName streetAddress mail
pcacheAttrset			2 uid uidNumber gidNumber cn sn givenName distinguishedName c physicalDeliveryOfficeName streetAddress mail

pcacheTemplate			(uid=) 0 3600
pcacheTemplate			(cn=) 0 3600
pcacheTemplate			(|(uid=)(cn=)) 0 3600
pcacheTemplate			(|(cn=)(uid=)) 0 3600
pcacheTemplate			(objectClass=) 2 3600
pcacheTemplate			(|(objectClass=)(cn=)) 2 3600
pcacheTemplate			(gecos=) 1 3600
pcacheTemplate			(&(sn=)(givenName=)) 1 3600

cachesize			20
directory			/usr/local/turbo/var/openldap-data
index				objectClass eq
index				cn,sn,uid,mail	pres,eq,sub

# ---------------------------------------------------------------------
#### Translucent Proxy
overlay				translucent
translucent_strict		yes
#translucent_local		uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
#translucent_remote		uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail

### OpenLDAP Server (will act as REMOTE DB)
uri				"ldap://ol.company.tld/"
network-timeout			3
chase-referrals			no

acl-bind			binddn="cn=Manager,dc=company,dc=tld" credentials="secret"
idassert-bind			bindmethod=simple
			binddn="cn=Manager,dc=company,dc=tld"
			credentials="Secret2"
			mode=none
idassert-authzFrom		"*"


#######################################################################


Disclaimer: Much of this hasn't been optimized yet. I'll
fine-tune and tweak stuff once I can get it to work...

--
Life sucks and then you die
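The DN rewrite is the one piece of the setup above that can be checked offline before slapd is loaded. The following is an added example, not code from the post or from OpenLDAP: a toy model of how an rwm-style rewriteRule maps the AD DN onto the OL layout. The AD-to-OL rule is the one from the slapd.conf above; the reverse (OL-to-AD) rule, the helper names, case-insensitive matching (the post's DN says `org1` where the rule says `ORG1`), and the "stop at the first matching rule" chaining are all assumptions of this model, not documented slapo-rwm behaviour.

```python
import re

# Rules as (regex, substitution). The first is the post's rwm-rewriteRule;
# the second is an assumed mirror image for rewriting OL-style DNs that a
# client supplies (bind DN, search base) back into the AD layout.
AD_TO_OL = (r"cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)",
            r"uid=$1ou=People,dc=ORG3,$2")
OL_TO_AD = (r"uid=(.*)?ou=People,dc=ORG3,(.*)",
            r"cn=$1ou=Office,ou=Users,ou=ORG1,dc=ORG2,$2")


def apply_rule(dn, pattern, subst, ignore_case=True):
    """Apply one rewrite rule to a DN.

    Modelled semantics: the regex is searched anywhere in the DN and, on a
    match, the WHOLE DN is replaced by the substitution with $1..$9 expanded
    to the captured groups. Case-insensitive matching is an assumption.
    Returns None when the rule does not match.
    """
    m = re.search(pattern, dn, re.IGNORECASE if ignore_case else 0)
    if m is None:
        return None

    def expand(ref):
        n = int(ref.group(1))
        return (m.group(n) or "") if n <= m.re.groups else ""

    return re.sub(r"\$(\d)", expand, subst)


def rewrite_dn(dn, rules):
    """Run rules in order and return the result of the first one that
    matches; a DN no rule matches passes through unchanged (toy chaining,
    not a statement about slapo-rwm rule flags)."""
    for pattern, subst in rules:
        out = apply_rule(dn, pattern, subst)
        if out is not None:
            return out
    return dn


if __name__ == "__main__":
    # Constructed sample DNs following the post's two layouts.
    for dn in (
        "cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
        "cn=turbo,ou=Sub,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
        "cn=bob,ou=Lab,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
    ):
        print(dn, "->", rewrite_dn(dn, [AD_TO_OL]))
    print(rewrite_dn("uid=turbo,ou=People,dc=org3,dc=company,dc=tld", [OL_TO_AD]))
```

Two things the run makes visible: the greedy `(.*)?` captures `turbo,` including the trailing comma, which is why the substitution reads `$1ou=People` with no comma of its own (an intermediate OU such as `ou=Sub,` is carried along for the same reason); and an AD user not under `ou=Office,ou=Users,ou=ORG1,dc=ORG2` passes through untouched, so its DN never lands under the OL suffix at all.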