Re: ACLs: restrict by IP and user
On Thu, Apr 28, 2016 at 11:05:03AM -0400, Aaron Richton wrote:
> >But we're having a migration phase during which we need to proxy
> >one subtree of our database from an old backend service. So
> >everything else comes from those two backends but one branch; it
> >comes from a third one. And that would require back-meta, I think.
> >So apparently we'll have to think a way around that, maybe by just
> >copying those entries over using a perl script or something...
>
> Depends what you're doing. Perhaps multiple subordinate back-ldap's
> (maybe with a back-null at the top to glue everything together)?
> And/or create the three back-ldap's under (perhaps unpublished)
> unique suffix, then back-relay everything together?
I tried subordinate back-ldaps, sth like this:
---
database ldap
suffix ou=foo,ou=bar,dc=dom,dc=ain
uri ldap://migration.server/
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"
tls propagate
database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---
And it mostly worked. Except when I tried to do a subtree search like
so:
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'
it returned nothing, whereas
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=foo,ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'
returned the entry. With back-meta, I can base the search on a branch
that resides on one backend server and it also searches other backend
servers that contain sub-branches of that branch; the first kind of
search worked.
Then I tried gluing things together with back-relay. Sth like this.
---
database relay
suffix o=testing
overlay rwm
rwm-suffixmassage "ou=really,o=testing" "ou=some,o=thing"
rwm-suffixmassage "o=testing" "ou=bar,dc=dom,dc=ain"
database ldap
suffix ou=some,o=thing
uri ldap://migration.server/
tls propagate
database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---
But the result was similar.
ldapsearch -xZZH ldap://ldap-proxy.server -b o=testing 'uid=sth_in_migr_server'
->nothing found
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=really,o=testing 'uid=sth_in_migr_server'
->found entry
(and of course, if I put the rwm-suffixmassage lines in the reverse
order, -b ou=really,o=testing resulted in "no such object" because there
really isn't a subtree 'ou=really,ou=bar,dc=dom,dc=ain' on the backend
servers)
So apparently, I can use back-ldap to proxy a separate branch of my
database to a separate server, but I cannot expect subtree searches
based on somewhere else to contain that separate branch?
Thanks again for the suggestions.
--Janne
--
Janne Peltonen <janne.peltonen@helsinki.fi> PGP Key ID: 0x9CFAC88B
Consider membership of the Hospitality Club (http://www.hospitalityclub.org)
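As an added illustration (not code from the post or from OpenLDAP): a small Python checker that parses a slapd.conf-style fragment and lists databases whose suffix sits under another database's suffix without the `subordinate` glue directive from slapd.conf(5), which is what lets a subtree search based at the superior descend into the subordinate. The sample input is the post's first configuration; the parser and the check are my own and handle only simple, unescaped suffix DNs.

```python
from typing import Dict, List

# Constructed sample: the post's first slapd.conf fragment (hostnames are the
# post's own placeholders). No glue directive links the two databases.
POST_CONF = """
database ldap
suffix ou=foo,ou=bar,dc=dom,dc=ain
uri ldap://migration.server/
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"
tls propagate
database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
"""

def dn_rdns(dn: str) -> List[str]:
    """Split a DN into normalised RDNs (case-folded, whitespace stripped).
    Escaped commas are not handled; enough for config suffixes like these."""
    return [rdn.strip().lower() for rdn in dn.strip().strip('"').split(",")]

def is_below(child: str, parent: str) -> bool:
    """True when `child` lies strictly below `parent` in the DIT."""
    c, p = dn_rdns(child), dn_rdns(parent)
    return len(c) > len(p) and c[-len(p):] == p

def parse_databases(conf: str) -> List[Dict[str, object]]:
    """Collect each `database` section's type, suffix and subordinate flag."""
    dbs: List[Dict[str, object]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "database":
            dbs.append({"type": value, "suffix": "", "subordinate": False})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"] = value.strip('"')
        elif dbs and key == "subordinate":  # slapd.conf(5) glue directive
            dbs[-1]["subordinate"] = True
    return dbs

def unglued_suffixes(conf: str) -> List[str]:
    """Suffixes nested under another database's suffix but not declared
    `subordinate`: a subtree search based at the superior will not reach them."""
    dbs = parse_databases(conf)
    suffixes = [d["suffix"] for d in dbs if d["suffix"]]
    return [d["suffix"] for d in dbs
            if not d["subordinate"]
            and any(is_below(d["suffix"], s) for s in suffixes)]
```

Running `unglued_suffixes(POST_CONF)` reports the migration branch; adding a `subordinate` line to that first database section makes the list empty.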