
Re: Translucent proxy and changing upstream DNs



Sullivan, Daniel [AAA] wrote:
Hi, Howard,

Thank you for taking the time to email me.  This is exactly what I would like to do.  Would you be able to tell me where the mapping of the objects is created?  Is it in the configuration for the translucent overlay?  I do not see a configuration option for this:

There is no existing code that does this mapping, you will have to write that yourself. I was merely pointing out that these are the correct attributes to use.

http://linux.die.net/man/5/slapo-translucent

I appreciate your help.

Best,

Dan

On Mar 23, 2016, at 4:03 AM, Howard Chu <hyc@symas.com> wrote:

Sullivan, Daniel [AAA] wrote:
Hi,

Please forgive my ignorance if this is a stupid question; I have only been messing around with OpenLDAP for a few days, but I believe I hit a roadblock that somebody must have seen somewhere.

Basically, I am planning on using a translucent proxy to augment the attribute set served up by an external LDAP provider. Specifically I am provisioning uidNumber and gidNumbers for AD accounts.  I cannot populate the upstream RFC2307 attributes.  My problem is this: it is my understanding that a translucent proxy is going to match records in the local and remote databases based on DN.  Admins are going to be moving user and group objects around upstream, which will reliably break the mapping between local and remote databases after the objects with uidNumber and gidNumbers are populated into the local database.

I can think of a couple of algorithms that would reconcile this, although they would require custom coding and maintaining a localized external view of the data (i.e. in a SQL database).   So, I suppose my question is this:

Is there an elegant way to solve this problem, for example, having the translucent proxy map by an attribute other than DN, such as an AD SID?

I appreciate your time and input :-)

You could map the AD objectGUID to an OpenLDAP entryUUID. They are semantically the same anyway, although AD uses a different text representation for the value.

--
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/


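Howard's suggestion worked through as an added example (this is not code from the thread, from OpenLDAP or from slapo-translucent): convert the raw objectGUID octets AD returns over LDAP into the RFC 4122 text form entryUUID uses, then key the local overlay entries by that value instead of by DN so that objects an admin moved upstream can be found and renamed locally. It assumes the octets arrive in AD's GUID layout (first three fields little-endian) and uses constructed sample entries.

```python
import uuid

def objectguid_to_entryuuid(raw: bytes) -> str:
    """Turn the 16 raw objectGUID octets AD returns over LDAP into the
    RFC 4122 text form OpenLDAP's entryUUID uses.  AD stores the first three
    GUID fields little-endian, so the byte order has to be swapped; Python's
    bytes_le constructor does exactly that swap."""
    if len(raw) != 16:
        raise ValueError("objectGUID must be 16 octets")
    return str(uuid.UUID(bytes_le=raw))

def entryuuid_to_objectguid(text: str) -> bytes:
    """Inverse: entryUUID text back to the octet string AD expects."""
    return uuid.UUID(text).bytes_le

def plan_reconciliation(remote, local):
    """Match local overlay entries to upstream AD entries by GUID, not DN.
    remote: {dn: objectGUID octets}; local: {dn: entryUUID text}.
    Returns ('modrdn', old_dn, new_dn) for entries an admin moved upstream
    and ('orphan', dn) for local entries whose object is gone upstream."""
    upstream_dn_by_uuid = {objectguid_to_entryuuid(g): dn
                           for dn, g in remote.items()}
    actions = []
    for local_dn, entry_uuid in sorted(local.items()):
        new_dn = upstream_dn_by_uuid.get(entry_uuid.lower())
        if new_dn is None:
            actions.append(("orphan", local_dn))
        elif new_dn.lower() != local_dn.lower():
            actions.append(("modrdn", local_dn, new_dn))
    return actions

# Constructed sample data (hypothetical, not from the thread): upstream AD
# after alice was moved to a new OU and carol was deleted; the local
# overlay still holds the old DNs.
ALICE = bytes.fromhex("e004253f894fd3119a0c0305e82c3301")
BOB = bytes.fromhex("6745230189ab01efaabbccddeeff0011")
REMOTE = {
    "cn=alice,ou=engineering,dc=example,dc=com": ALICE,
    "cn=bob,ou=staff,dc=example,dc=com": BOB,
}
LOCAL = {
    "cn=alice,ou=staff,dc=example,dc=com": "3f2504e0-4f89-11d3-9a0c-0305e82c3301",
    "cn=bob,ou=staff,dc=example,dc=com": "01234567-ab89-ef01-aabb-ccddeeff0011",
    "cn=carol,ou=staff,dc=example,dc=com": "8c6fa0e1-2a1b-4f4e-9f7c-1b2f3e4d5c6a",
}

if __name__ == "__main__":
    for action in plan_reconciliation(REMOTE, LOCAL):
        print(*action)
```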