Finn Blucher wrote:
I know this was discussed recently but there didn't seem to be a real answer so I'd like to kick it off again.
I would like to be able to redirect user searches to two different LDAP servers depending on UID, so:
if a process searches for userA with a base of o=container, then the request is sent to ldap://10.0.0.1/ou=subA,o=container
if a process searches for userB with a base of o=container, then the request is sent to ldap://10.0.0.2/ou=subB,o=container
I'd appreciate any information relating to whether I should be using the ldap or meta backend to achieve this. Mostly I'm having trouble understanding the best way to rewrite the searchDN based on the contents of the searchFilter.
Yes, this was already answered, and no, the searchDN can't be rewritten based on the contents of the searchFilter, unless you use multiple instances of slapo-rwm (don't know if it's allowed nor if it works, though; it shouldn't with OpenLDAP 2.3, but it might with OpenLDAP 2.4).
In any case, apart from some special cases I don't believe it's a good idea: assuming you have some easy means to group UIDs (e.g. name@domain, and distinguish them based on domain), a rule like
uid := name@domain1 => ask database 1
uid := name@domain2 => ask database 2
or even
uid := name@domain(.+) => ask database $1
how would you distinguish between filters like
"(uid=name@domain)"
and
"(&(filter)(!(uid=name@domain)))"
?
My point is that you will quickly end up with the need of something much smarter than a regex-based pattern/action tool.
p.
Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
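The distinction the reply draws between "(uid=name@domain)" and "(&(filter)(!(uid=name@domain)))", worked through as an added example that is not part of the original thread and is not OpenLDAP code: a regex rule sends both filters to the same server, while a parser that tracks negation does not. The `BACKENDS` table, the domain names and all function names are assumptions made for illustration.

```python
import re

# Constructed routing table: domain names and backend URIs are assumptions.
BACKENDS = {"domain1": "ldap://10.0.0.1/", "domain2": "ldap://10.0.0.2/"}
UID_RE = re.compile(r"\(uid=[^@()]+@(\w+)\)")

def regex_route(flt):
    """Pattern/action rule: route on the first uid=name@domain found anywhere."""
    m = UID_RE.search(flt)
    return {m.group(1)} if m else set(BACKENDS)

def parse(flt, i=0):
    """Parse an RFC 4515 filter subset; returns (node, next_offset)."""
    if flt[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    op = flt[i:i + 1]
    if op and op in "&|!":
        i, kids = i + 1, []
        while flt[i:i + 1] == "(":
            node, i = parse(flt, i)
            kids.append(node)
        if flt[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' group at offset {i}")
        return (op, kids), i + 1
    end = flt.index(")", i)  # raises ValueError if the item is unterminated
    attr, sep, value = flt[i:end].partition("=")
    if not sep:
        raise ValueError(f"missing '=' at offset {i}")
    return ("item", attr.lower(), value), end + 1

def backends_for(node):
    """Backends that may hold entries matching this node (conservative)."""
    if node[0] == "item":
        _, attr, value = node
        dom = value.rpartition("@")[2]
        if attr == "uid" and "@" in value and dom in BACKENDS:
            return {dom}
        return set(BACKENDS)
    op, kids = node
    if op == "!":  # a negated assertion excludes entries, it never picks a server
        return set(BACKENDS)
    sets = [backends_for(k) for k in kids]
    return set.intersection(*sets) if op == "&" else set.union(*sets)

def route(flt):
    node, end = parse(flt)
    if end != len(flt):
        raise ValueError("trailing data after filter")
    return backends_for(node)
```

An empty set from `route` means the filter cannot match on any backend, for example an AND of two uid assertions in different domains.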