Hi!
There are two directories:
  1. o=inside
  2. o=outside
Inside holds the local entries, i.e. for persons:
  dn: employeenumber=1,ou=people,o=inside
  mail: user@inside
  ...
Outside is the CA's directory. The user's certificate is there under a DN with the mail address in it.
  dn: mail=user@inside,ou=foo,o=outside
  usercertificate:: xxxxxxxxx
  ...
Now the CA's usercertificate must appear in the user's entry:
  dn: employeenumber=1,ou=people,o=inside
  mail: user@inside
  usercertificate:: xxxxxxxxx
  ...
But: Outside directories can only be reached by an LDAP proxy. So there is a third server working as a proxy with the ldap-meta backend. By now I can manually search for certificates, which are 'suffixmassage'd into ou=ca,o=outside.
  dn: mail=user@inside,ou=ca,o=inside
  mail: user@inside
  usercertificate:: xxxxxxxxx
  ...
As far as I understand, slapo-translucent could add the usercertificate attribute to the user's entry. But how do I tell slapo-translucent to search by the attribute mail to find the corresponding entry in (ou=ca,o=inside or) o=outside? Can / must this be done with slapo-rwm?
I can guess the outside DN from the user's mail attribute. (But not vice versa; I can only search for the inside entry by attribute mail.) So I know what entry I want / what to search for. But does this help me? [uri filter?]
  client: search for certificate of employee #1
    |
    | --search-->
    v
  inside:                                         outside:
  dn: employeenumber=1,ou=people,o=inside
  mail: user@inside                 --search-->   mail: user@inside
  ...                                             ...
                                    <--return--   usercertificate:: xxxxxxxxx
    |
    | --return-->
    v
  dn: employeenumber=1,ou=people,o=inside
  mail: user@inside
  usercertificate:: xxxxxxxxx
  ...
Hans
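An added example, not part of Hans's message, that performs the join he describes offline: parse the LDIF returned from both trees, index the CA entries by mail (the only attribute the two DNs share), and emit ldapmodify input that adds the certificate to the inside entry. The LDIF inputs are constructed samples with a placeholder DER value, and the attribute is written as userCertificate;binary because OpenLDAP requires the ;binary transfer option for it.

```python
import base64

# Constructed samples (not real data): the CA proxy's entry under the massaged
# naming context, and the local entry that should receive the certificate.
CA_LDIF = """\
dn: mail=user@inside,ou=ca,o=inside
mail: user@inside
userCertificate;binary:: MAMCAQE=
"""
INSIDE_LDIF = """\
dn: employeenumber=1,ou=people,o=inside
mail: user@inside
"""

def parse_ldif(text):
    """Parse LDIF into [(dn, {attr: [values]})]; folded lines are joined and
    '::' (base64) values are decoded to bytes."""
    unfolded = text.replace("\n ", "")  # a newline plus one space marks a folded line
    entries = []
    for block in unfolded.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            val = base64.b64decode(value[1:].strip()) if value.startswith(":") else value.strip()
            if name.lower() == "dn":
                dn = val
            else:
                attrs.setdefault(name.lower(), []).append(val)
        entries.append((dn, attrs))
    return entries

def merge_ldif(inside_entries, ca_entries):
    """Join the two directories on mail (not on DN, which is where a plain
    translucent lookup fails) and emit ldapmodify input adding the certificates."""
    index = {}  # mail -> certificates whose value starts with a DER SEQUENCE tag
    for _dn, attrs in ca_entries:
        for mail in attrs.get("mail", []):
            index.setdefault(mail.lower(), []).extend(
                c for c in attrs.get("usercertificate;binary", []) if c[:1] == b"\x30")
    changes = []
    for dn, attrs in inside_entries:
        for mail in attrs.get("mail", []):
            for cert in index.get(mail.lower(), []):
                changes.append("dn: %s\nchangetype: modify\nadd: userCertificate;binary\n"
                               "userCertificate;binary:: %s\n-\n"
                               % (dn, base64.b64encode(cert).decode()))
    return "\n".join(changes)

if __name__ == "__main__":
    print(merge_ldif(parse_ldif(INSIDE_LDIF), parse_ldif(CA_LDIF)))
```

The output can be piped into ldapmodify against the inside server; entries whose mail has no match in the CA tree are simply left unchanged.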