On Thu, Apr 28, 2016 at 11:05:03AM -0400, Aaron Richton wrote:
>> But we're having a migration phase during which we need to proxy one subtree of our database from an old backend service. So everything else comes from those two backends but one branch; it comes from a third one. And that would require back-meta, I think. So apparently we'll have to think a way around that, maybe by just copying those entries over using a perl script or something...
> Depends what you're doing. Perhaps multiple subordinate back-ldap's (maybe with a back-null at the top to glue everything together)? And/or create the three back-ldap's under (perhaps unpublished) unique suffix, then back-relay everything together?
I tried subordinate back-ldaps, sth like this:
---
database ldap
suffix ou=foo,ou=bar,dc=dom,dc=ain
uri ldap://migration.server/
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"
tls propagate

database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---
And it mostly worked. Except when I tried to do a subtree search like so:
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'
it returned nothing, whereas
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=foo,ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'
returned the entry. With back-meta, I can base the search on a branch that resides on one backend server and it also searches other backend servers that contain sub-branches of that branch; the first kind of search worked.
Then I tried gluing things together with back-relay. Sth like this.
---
database relay
suffix o=testing
overlay rwm
rwm-suffixmassage "ou=really,o=testing" "ou=some,o=thing"
rwm-suffixmassage "o=testing" "ou=bar,dc=dom,dc=ain"

database ldap
suffix ou=some,o=thing
uri ldap://migration.server/
tls propagate

database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---
But the result was similar.
ldapsearch -xZZH ldap://ldap-proxy.server -b o=testing 'uid=sth_in_migr_server'
->nothing found
ldapsearch -xZZH ldap://ldap-proxy.server -b ou=really,o=testing 'uid=sth_in_migr_server'
->found entry
(and of course, if I put the rwm-suffixmassage lines in the reverse order, -b ou=really,o=testing resulted in "no such object" because there really isn't a subtree "ou=really,ou=bar,dc=dom,dc=ain" on the backend servers)
So apparently, I can use back-ldap to proxy a separate branch of my database to a separate server, but I cannot expect subtree searches based on somewhere else to contain that separate branch?
Thanks again for the suggestions.
--Janne
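
The search results reported in the message above can be reproduced with a small model of suffix-based database selection. This is an added example, not part of the original message and not slapd's code: it assumes the search base is handled by the database with the longest matching suffix, and that other databases are consulted only when flagged subordinate, as the slapd.conf(5) `subordinate` keyword describes. The helper names and the `constructed_user` entry are hypothetical; DNs are shown as seen through the proxy.

```python
# Added example: simplified model of slapd database selection, not slapd code.
# DNs and suffixes are taken from the message; the entries are constructed.

def rdns(dn):
    return [r.strip().lower() for r in dn.split(",")]

def is_under(dn, suffix):
    """True if dn equals suffix or lies below it."""
    d, s = rdns(dn), rdns(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s

def select_database(dbs, base):
    """The database with the longest suffix containing the base handles the search."""
    hits = [db for db in dbs if is_under(base, db["suffix"])]
    return max(hits, key=lambda db: len(rdns(db["suffix"])), default=None)

def search_subtree(dbs, base, uid):
    top = select_database(dbs, base)
    if top is None:
        return None  # no database holds the base: "no such object"
    targets = [top]
    # Glue: databases flagged subordinate whose suffix lies below the base
    # are searched as well (models the slapd.conf(5) "subordinate" keyword).
    targets += [db for db in dbs
                if db is not top and db["subordinate"] and is_under(db["suffix"], base)]
    return sorted(dn for db in targets for dn in db["entries"]
                  if is_under(dn, base) and rdns(dn)[0] == "uid=" + uid.lower())

def proxy(glued):
    """The two back-ldap databases from the first configuration above."""
    return [
        {"suffix": "ou=foo,ou=bar,dc=dom,dc=ain", "subordinate": glued,
         "entries": ["uid=sth_in_migr_server,ou=foo,ou=bar,dc=dom,dc=ain"]},
        {"suffix": "dc=dom,dc=ain", "subordinate": False,
         "entries": ["uid=constructed_user,ou=bar,dc=dom,dc=ain"]},
    ]

if __name__ == "__main__":
    for glued in (False, True):
        for base in ("ou=bar,dc=dom,dc=ain", "ou=foo,ou=bar,dc=dom,dc=ain"):
            print(glued, base, search_subtree(proxy(glued), base, "sth_in_migr_server"))
```

With `glued` false the model returns nothing for the `ou=bar` base and the entry for the `ou=foo,ou=bar` base, matching the two ldapsearch results in the message; it says nothing about how a real back-ldap database behaves under glue.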