Hallvard B Furuseth wrote:
> Pierangelo Masarati writes:
>> - any other request is served by the relay database,
>
> Hopefully except requests to read entries local to the server:
> - the root DSE: Search with DN "", scope=base (other scopes should go to the relay database),
> - cn=Subschema.

In this case, yes: the local rootDSE and cn=subschema are accessed as usual; it's the scope == base that allows the frontend to intercept them.

> Is there a way to get the other ldap server's version of these? Or this LDAP server's, if the above are not exceptions from (3:-)?

You should configure a proxy like this

    database ldap
    suffix "cn=remote"
    uri "ldap://remote"
    overlay rwm
    rwm-suffixmassage ""

so that anything rooted at "cn=remote" is rewritten stripping the trailing "cn=remote"; requests for
"cn=remote", scope == base
will return the remote server's rootDSE; requests for
"cn=subschema,cn=remote", scope == base
will return the remote server's subschema.
Note that in principle custom code could intercept requests for the local rootDSE and subschema by means of a global overlay, so that such requests are handled by the overlay before the frontend gets a chance to handle them. This is yet another side-effect of global overlays that should be documented. For example, slapo-rwm(5), if configured as global so that it always adds a trailing DN to each request, something like

    overlay rwm
    rwm-suffixmassage "" "dc=extra"

would prevent rootDSE and subschema from being accessed... maybe this should be documented.
p.
Ing. Pierangelo Masarati OpenLDAP Core Team
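
Added example, not part of the original message and not OpenLDAP code: a simplified Python model of the suffix massaging described above. It shows why requests under "cn=remote" reach the remote rootDSE and subschema, and why a global "" -> "dc=extra" massage keeps the frontend from seeing the base-scope DNs it intercepts. The function names and the string-based DN handling (no escaped commas, no schema-aware normalisation) are assumptions made for illustration.

```python
# Simplified model: a DN is a comma-separated string, compared case-insensitively.
# Escaped commas and real DN normalisation are deliberately not handled.

def _rdns(dn):
    """Split a DN into lowercase RDNs; the empty DN gives an empty list."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def suffixmassage(dn, virtual, real):
    """Rewrite dn from the virtual naming context to the real one.
    Returns the rewritten DN, or None when dn is not under `virtual`."""
    d, v = _rdns(dn), _rdns(virtual)
    if v and (len(v) > len(d) or d[-len(v):] != v):
        return None
    head = d[:len(d) - len(v)]
    return ",".join(head + _rdns(real))

# Entries the frontend answers itself, but only for scope == base.
LOCAL = {"": "local rootDSE", "cn=subschema": "local subschema"}

def serve(dn, scope, global_massage=None):
    """Return who answers a search.
    global_massage is a (virtual, real) pair modelling an rwm overlay
    configured globally, i.e. applied before the frontend sees the DN."""
    if global_massage is not None:
        rewritten = suffixmassage(dn, *global_massage)
        if rewritten is not None:
            dn = rewritten
    key = ",".join(_rdns(dn))
    if scope == "base" and key in LOCAL:
        return LOCAL[key]
    return "database:" + key

if __name__ == "__main__":
    # Per-database proxy: suffix "cn=remote", rwm-suffixmassage ""
    for dn in ("cn=remote", "cn=subschema,cn=remote"):
        print(repr(dn), "-> sent to remote as", repr(suffixmassage(dn, "cn=remote", "")))
    # Global overlay: rwm-suffixmassage "" "dc=extra"
    for dn in ("", "cn=subschema"):
        print(repr(dn), "plain:", serve(dn, "base"),
              "| global rwm:", serve(dn, "base", ("", "dc=extra")))
```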