Should I be able to select an 'orphaned' DN from a translucent overlay proxy?



Hi,

I am writing to confirm the expected behavior of a translucent overlay proxy.  I have the proxy working and can filter from the local database using the olcTranslucentLocal configuration option (I can see a merged record).

My question pertains to ‘orphaned data’.  For example, I can arbitrarily add a record to the local database by DN using ldapadd, the glue records are created and I can see the record in the output of slapcat.  My problem is that a search via ldapsearch does not return this record unless there is a matching DN in the remote database, even if I am filtering by an attribute specified in olcTranslucentLocal.  Is this the expected behavior?

There is more than one reason why I want to do this, but the lowest common denominator is that people are going to be moving records around upstream and I’d like to keep the local database tidy by blowing away records that no longer have a matching remote DN.

On that note, the second reason why I’m interested in doing this is to create an individual default group for each user in the local database.  I was planning on creating an actual group for each user programmatically, and have no problem doing this. Is there a more elegant best practice way to facilitate this sort of thing (i.e. an overlay solution), or is just creating the groups the way to go?

I am using openldap-ltb.x86_64 2.4.44-2.el6. I appreciate your time and expertise.

Dan


University of Chicago Medicine and Biological Sciences
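
The cleanup goal described in the message (finding local records that no longer have a matching remote DN) can be done offline by comparing slapcat output with a list of remote DNs. The following is an added example, not part of the original message or of OpenLDAP. It assumes glue entries appear in the slapcat LDIF with `objectClass: glue`, that the remote DN list is obtained separately, and it uses a simplified DN normalization; the sample data and function names are constructed for illustration.

```python
import base64
import re

# Constructed sample data: slapcat-style LDIF of the local database.
BOB_B64 = base64.b64encode(b"uid=bob,ou=People,dc=example,dc=com").decode()
LOCAL_LDIF = (
    "dn: dc=example,dc=com\nobjectClass: glue\n\n"
    "dn: ou=People,dc=example,dc=com\nobjectClass: glue\n\n"
    "dn: uid=alice,ou=People,dc=example,dc=com\ndescription: local override\n\n"
    f"dn:: {BOB_B64}\ndescription: base64-encoded DN\n\n"
    "dn: uid=carol,ou=Former Staff,\n dc=example,dc=com\ndescription: moved upstream\n"
)
# Constructed sample data: DNs currently present on the remote server.
REMOTE_DNS = ["UID=alice, OU=People, DC=example, DC=com",
              "uid=bob,ou=People,dc=example,dc=com"]

def parse_entries(ldif):
    """Yield (dn, {attr: [values]}) per entry; handles folding and base64."""
    unfolded = ldif.replace("\r\n", "\n").replace("\n ", "")  # join folded lines
    for block in unfolded.split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name.lower(), []).append(value)
        if dn:
            yield dn, attrs

def normalize_dn(dn):
    """Simplified: lowercase, trim spaces around RDNs; no multi-valued RDN handling."""
    rdns = re.split(r"(?<!\\),", dn)  # split on commas that are not escaped
    return ",".join("=".join(p.strip().lower() for p in r.split("=", 1)) for r in rdns)

def find_orphans(local_ldif, remote_dns):
    """Return local non-glue DNs that have no counterpart in remote_dns."""
    remote = {normalize_dn(d) for d in remote_dns}
    orphans = []
    for dn, attrs in parse_entries(local_ldif):
        if "glue" in {v.lower() for v in attrs.get("objectclass", [])}:
            continue  # glue entries only hold the tree together
        if normalize_dn(dn) not in remote:
            orphans.append(dn)
    return orphans

if __name__ == "__main__":
    print("\n".join(find_orphans(LOCAL_LDIF, REMOTE_DNS)))
```

The returned DNs are candidates for review before deletion; a glue entry whose children have all been removed is not reported by this check.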