Hello, I want to use the "LDAP Proxy resolution" mode described in the "slapd-meta" man page, but I can't manage to make it work. I wonder whether it is implemented yet, because I saw a message dated Fri, 16 Jan 2004 17:09:10 +0100 in which the same problem is not solved. My slapd.conf looks like:
uri "ldap://127.0.0.1:390/ou=a,ou=mysociety,c=fr"
...
rewriteRule '(.*-b))' 'ldap://127.0.0.1:391/ou=b,ou=mysociety,c=fr' ':@'
rewriteRule '(.*-c))' 'ldap://127.0.0.1:392/ou=c,ou=mysociety,c=fr' ':@'
so that when I search, for example, for uid=toto-b, it goes through the openldap running on port 391; if I search for uid=titi-c, it goes through the openldap running on port 392; and if I search for anything not ending in "-b" or "-c", it goes through the openldap running on port 390 (the target).
But the search never goes to the openldap instances running on ports 391 and 392. Any help would be much appreciated.
Kind regards
yamina wrote:
Hello, I want to use the "LDAP Proxy resolution" mode described in the "slapd-meta" man page, but I can't manage to make it work. I wonder whether it is implemented yet, because I saw a message dated Fri, 16 Jan 2004 17:09:10 +0100 in which the same problem is not solved.
That man page is a copy and paste from a white paper. That feature is a TODO and should be removed from the man page.
You might be able to obtain something like that by using a proxy that statically maps a given subtree to a given server. Something like
database relay
suffix "dc=virtual"
overlay rwm
...
rwm rules that rewrite the base DN of a search based on the contents of the filter (not a trivial rule, though) to a temporary DN like
(uid=*-b) -> $BASEDN,dc=server1
(uid=*-c) -> $BASEDN,dc=server2
...
Then add
database ldap
suffix "dc=server1"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchDN
rwm-rewriteRule "^(.+),dc=server1$" "$1" ":@"
rwm-rewriteContext default

database ldap
suffix "dc=server2"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchDN
rwm-rewriteRule "^(.+),dc=server2$" "$1" ":@"
rwm-rewriteContext default
...
and so on. The whole thing may need quite a bit of shakedown, and is going to be far from efficient, though.
p.
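The two-stage routing sketched in the reply above (a relay that tags the base DN according to the filter, then a per-server ldap database that strips the tag before forwarding) can be modelled in a few lines of Python. This is an added example, not configuration from the thread or code from OpenLDAP: it simulates the rule semantics (regex match, substitution, first match wins as with the ":@" stop flag) with the regexes and port numbers taken from the thread, and it assumes a virtual suffix "dc=virtual" that the relay refuses to serve outside of, so that a client cannot skip the relay by supplying a DN that already carries a server tag.

```python
import re

# Constructed model of the relay -> ldap routing chain; not slapd's rewrite engine.
VIRTUAL_SUFFIX = "dc=virtual"  # assumed relay suffix, as in the reply's sketch

# Stage 1 (relay): pick a server tag from the search filter.
# (uid=*-b) -> $BASEDN,dc=server1 ; (uid=*-c) -> $BASEDN,dc=server2
RELAY_RULES = [
    (re.compile(r"^\(uid=[^)]*-b\)$"), "dc=server1"),
    (re.compile(r"^\(uid=[^)]*-c\)$"), "dc=server2"),
]

# Stage 2 (one ldap database per tag): strip the tag with the reply's rule
# "^(.+),dc=serverN$" -> "$1", then forward to that server's URI.
# Ports follow the original poster's layout: -b -> 391, -c -> 392, else 390.
BACKENDS = {
    "dc=server1": (re.compile(r"^(.+),dc=server1$"), "ldap://127.0.0.1:391"),
    "dc=server2": (re.compile(r"^(.+),dc=server2$"), "ldap://127.0.0.1:392"),
}
DEFAULT_URI = "ldap://127.0.0.1:390"


def relay_rewrite(base_dn, search_filter):
    """Relay stage: append the server tag chosen from the filter.

    Requests whose base is not under the virtual suffix are refused, which is
    what slapd does for a request outside a database's suffix; it also means a
    client-supplied ',dc=server1' can never reach stage 2 unrewritten.
    """
    if base_dn != VIRTUAL_SUFFIX and not base_dn.endswith("," + VIRTUAL_SUFFIX):
        raise ValueError("base DN outside the relay suffix: %s" % base_dn)
    for pattern, tag in RELAY_RULES:
        if pattern.match(search_filter):
            return "%s,%s" % (base_dn, tag)  # first match stops, like ":@"
    return base_dn  # no rule matched: leave the DN for the default server


def select_backend(tagged_dn):
    """Per-server stage: strip the tag and return (uri, forwarded base DN)."""
    for pattern, uri in BACKENDS.values():
        match = pattern.match(tagged_dn)
        if match:
            return uri, match.group(1)
    return DEFAULT_URI, tagged_dn


def route_search(base_dn, search_filter):
    """Run both stages and report where the search would be forwarded."""
    uri, forwarded_dn = select_backend(relay_rewrite(base_dn, search_filter))
    return {"uri": uri, "base": forwarded_dn, "filter": search_filter}


if __name__ == "__main__":
    # Constructed sample searches, mirroring the thread's uid=toto-b / uid=titi-c cases.
    for flt in ("(uid=toto-b)", "(uid=titi-c)", "(uid=someone)"):
        print(route_search("ou=people,dc=virtual", flt))
```

Note that the model only reproduces the routing logic; in slapd the searchDN and searchFilter contexts are rewritten separately, which is why the reply calls the relay rule non-trivial.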
Thanks a lot for your answer. I tried to have three "database ldap" and a database relay that would direct to only one, depending on the search filter. But I can't manage to quit the "database relay" paragraph when the condition ".*-b" or "*-c" matches. For example, if "uid=toto-b", it should search through "ou=b,ou=mysociety", i.e. via the second "database ldap", but in spite of the ":@", it also does the following "suffixmassage", so the search base in every case is "ou=a,ou=mysociety". Also, the part beginning with "overlay rwm" and ending with "rwm-rewriteContext default" doesn't seem to make any difference.
My slapd.conf looks like:
database relay
suffix "ou=virtual,ou=mysociety"
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext searchFilter
rwm-suffixmassage ou=b,ou=mysociety
rwm-rewriteRule "(.*-b))" "%1,ou=divers,ou=b,ou=mysociety" ":@"
rwm-suffixmassage "ou=b,ou=mysociety" "ou=c,ou=mysociety"
#rwm-rewriteRule "ou=b,ou=mysociety" "ou=c,ou=mysociety"
rwm-rewriteRule "(.*-dgi))" "%1,ou=personnes,ou=c,ou=mysociety" ":@"
rwm-suffixmassage "ou=c,ou=mysociety" "ou=a,ou=mysociety"
#rwm-rewriteRule "ou=c,ou=mysociety" "ou=a,ou=mysociety"

database ldap
suffix ou=a,ou=mysociety
rebind-as-user
uri ldap://127.0.0.1:390

database ldap
uri ldap://127.0.0.1:391
suffix "ou=b,ou=mysociety"
rebind-as-user
#overlay rwm
#rwm-rewriteEngine on
#rwm-rewriteContext searchFilter
#rwm-rewriteRule "^(.+),ou=b,ou=mysociety,c=fr$" "$1" ":@"
#rwm-rewriteContext default

database ldap
uri ldap://10.127.0.0.1:392
suffix "ou=c,ou=mysociety"
rebind-as-user
Pierangelo Masarati wrote:
openldap-software@openldap.org