
Re: rwm/relay and ldapwhoami



> OK - must be missing something really basic - and I am new to LDAP...
>
> I have a server (ldapmaster) that serves
>
> dc=new,dc=example,dc=com
>
> and a separate server, ldaplegacy, that uses slapd-ldap + rwm to
> proxy-translate requests aimed at:
>
> dc=old,dc=example,dc=com
>
>
> So:
>
> ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>
> returns
> ...
> # me, people, old.example.com
> dn: uid=me,ou=people,dc=old,dc=example,dc=com
> objectClass: top
> objectClass: inetOrgPerson
> ...
>
> nice - exactly as expected.
>
> But
>
> ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H
> ldap://ldaplegacy/
>
> returns (after successful bind)
>
> dn:uid=me,ou=people,dc=new,dc=example,dc=com
>
>
> Why doesn't the DN get translated?
>
>
> The config section that's relevant on ldaplegacy is:
>
> slapd.conf
> ###############################
> ...
> database                relay
> suffix                  "dc=old,dc=example,dc=com"
> relay                   "dc=new,dc=example,dc=com"
> overlay                 rwm
> rwm-suffixmassage       "dc=new,dc=example,dc=com"
> ...
> ###############################
>
>
> I thought I needed more magic to translate the replies, but that *looks*
> like it is happening with ldapsearch???

There are two good reasons:

1) what you get back is the *real* identity, i.e. the unmapped one.

2) whoami is an extended operation.  The fact that its "payload" is a DN
is not known to slapo-rwm, as this is an extension of the protocol.  Since
whoami is now part of the standard, slapo-rwm could know about it (patches
are welcome); in any case, I think point (1) still applies; assuming the
behavior you desire is legitimate, whether it takes place or not should
be at least configurable, as there are many good reasons for (1) to be
available.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
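The following is an added illustration, not code from this thread or from OpenLDAP: a small Python model of the suffix massaging described above, built from the suffixes in the quoted slapd.conf. It rewrites DNs on RDN boundaries (case- and whitespace-insensitive, so `DC=Old` still matches), applies the rewrite to the search base and to returned entry DNs, but passes the whoami response through untouched, which is why the client sees the real `dc=new` identity. The backend entry and the function names are constructed for the example.

```python
import re

# Constructed suffixes matching the configuration quoted in the thread.
VIRTUAL_SUFFIX = "dc=old,dc=example,dc=com"   # what clients of ldaplegacy see
REAL_SUFFIX = "dc=new,dc=example,dc=com"      # what ldapmaster actually holds

# Constructed sample data standing in for the entries on ldapmaster.
BACKEND_ENTRIES = {
    "uid=me,ou=people,dc=new,dc=example,dc=com": {
        "objectClass": ["top", "inetOrgPerson"],
        "uid": ["me"],
    },
}


def split_rdns(dn):
    """Split a DN on unescaped commas into its RDN strings."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn)] if dn else []


def normalize(dn):
    """Case- and whitespace-insensitive form used for suffix comparison."""
    return ",".join(p.lower() for p in split_rdns(dn))


def has_suffix(dn, suffix):
    """True if dn ends with suffix on an RDN boundary (so dc=xnew is not dc=new)."""
    rdns, sfx = split_rdns(dn), split_rdns(suffix)
    if len(sfx) > len(rdns):
        return False
    return normalize(",".join(rdns[-len(sfx):])) == normalize(suffix)


def massage(dn, from_suffix, to_suffix):
    """Replace a trailing from_suffix with to_suffix; other DNs pass unchanged.
    This is the behaviour rwm-suffixmassage applies to DN-valued fields."""
    if not has_suffix(dn, from_suffix):
        return dn
    keep = split_rdns(dn)[:-len(split_rdns(from_suffix))]
    return ",".join(keep + split_rdns(to_suffix))


def backend_search(base):
    """Toy backend: return entries at or below base."""
    return [(dn, attrs) for dn, attrs in BACKEND_ENTRIES.items()
            if has_suffix(dn, base)]


def backend_whoami(bound_dn):
    """Toy backend: the Who Am I extended operation reports the real identity."""
    return "dn:" + bound_dn


def proxy_search(base):
    """Proxy search: massage the request base (old -> new) and the entry DNs
    in the reply (new -> old), because the overlay knows these are DNs."""
    real_base = massage(base, VIRTUAL_SUFFIX, REAL_SUFFIX)
    results = backend_search(real_base)
    return [(massage(dn, REAL_SUFFIX, VIRTUAL_SUFFIX), attrs) for dn, attrs in results]


def proxy_whoami(bind_dn):
    """Proxy whoami: the bind DN is a DN and gets rewritten on the way in,
    but the extended-operation response is an opaque payload to the overlay,
    so it is returned verbatim with the real (new) suffix."""
    real_bind = massage(bind_dn, VIRTUAL_SUFFIX, REAL_SUFFIX)
    return backend_whoami(real_bind)


if __name__ == "__main__":
    print(proxy_search("dc=old,dc=example,dc=com"))
    print(proxy_whoami("uid=me,ou=people,dc=old,dc=example,dc=com"))
```

Running it reproduces the thread's observation: the search result comes back under `dc=old`, while the whoami answer keeps `dc=new` because nothing in the proxy path treats that response as a DN.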