And the practical way to have a legacy namespace translation working together with a nice new LDAP server seems to be:
ldapmaster.example.com <- This is shiny, new namespace, ppolicy and anything else. It has no legacy crap on it at all.
ldaplegacy.example.com <- Translation server on different machine with a config roughly like:
slapd.conf

#######################################################################
# This is the main slapd configuration file. See slapd.conf(5) for more
# info on the configuration options.
#######################################################################

# Global Directives:

# Features to permit
allow bind_anon_cred bind_anon_dn update_anon

# Schema and objectClass definitions
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

#loglevel config sync stats ACL parse
loglevel sync stats

# The maximum number of entries that is returned for a search operation
sizelimit 5000
tool-threads 1

# Where the dynamically loaded modules are stored
modulepath /usr/lib/ldap
moduleload back_ldap
moduleload back_relay
moduleload rwm

# TLS
TLSCipherSuite SECURE256:!AES-128-CBC
TLSCACertificateFile /etc/ssl/certs/CA-example.com.pem
TLSCertificateFile /etc/ldap/ssl/ldaplegacy.example.com.crt
TLSCertificateKeyFile /etc/ldap/ssl/ldaplegacy.example.com.key

# Overlays
overlay rwm
rwm-rewriteEngine on

backend ldap

#######################################################################
# Global ACLs
#
# Note - we are read only as we are a legacy translation proxy.

# The userPassword by default can be changed
# by the entry owning it if they are authenticated.
# This ACL must be first or password leakage will happen!!!
access to attrs=userPassword,shadowLastChange
    by * auth

# Ensure read access to the base for things like
# supportedSASLMechanisms.
access to dn.base="" by * read

# The admin dn has full write access, everyone else
# can read everything. Local unix domain socket (root only)
# Can do everything
access to *
    by * read

#######################################################################
# Main example.com relay
#
database ldap
suffix dc=new,dc=example,dc=com
uri ldap://ldapmaster.example.com/

#######################################################################
# Virtual maps - compatibility with cch.kcl.a.cuk only
#
# These are all used by old apache + mod_ldap configs
#

#
# map ou=staff,dc=old to dc=new
#
database relay
suffix "ou=staff,dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"

#
# map ou=external,dc=old to dc=new
#
database relay
suffix "ou=external,dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"

#######################################################################
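A small lint for the relay wiring in a config like the one above (an added example, not from the original post): every back-relay virtual suffix must relay to a suffix actually served by a back-ldap database, and its rwm-suffixmassage target must match the relay target, otherwise DNs come back unrewritten or the relay points into nothing. The embedded config is a constructed excerpt; the lint takes the file contents as a string.

```python
"""Check back-relay / rwm-suffixmassage consistency in a slapd.conf."""
from typing import Dict, List

# Constructed excerpt in the shape of the config above (assumption: the real
# file is read and passed in as text the same way).
SAMPLE_CONF = """
database ldap
suffix dc=new,dc=example,dc=com
uri ldap://ldapmaster.example.com/

database relay
suffix "ou=staff,dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
"""


def _norm(dn: str) -> str:
    """Normalise a DN for comparison: strip quotes, spaces after commas, case."""
    return ",".join(p.strip() for p in dn.strip().strip('"').split(",")).lower()


def parse_databases(conf: str) -> List[Dict[str, str]]:
    """Split slapd.conf into one dict of directive -> value per 'database' section."""
    dbs: List[Dict[str, str]] = []
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1] if len(parts) > 1 else "")
        if key == "database":
            dbs.append({"database": val.strip()})
        elif dbs:
            dbs[-1][key] = val  # directives before the first database are ignored
    return dbs


def lint_relays(conf: str) -> List[str]:
    """Return problems found; an empty list means the relay wiring is consistent."""
    dbs = parse_databases(conf)
    real = {_norm(d["suffix"]) for d in dbs if d["database"] == "ldap" and "suffix" in d}
    problems: List[str] = []
    for d in dbs:
        if d["database"] != "relay":
            continue
        virt, target = d.get("suffix", "?"), _norm(d.get("relay", ""))
        if target not in real:
            problems.append(f"{virt}: relay target {target!r} is not a back-ldap suffix")
        if "rwm-suffixmassage" not in d:
            problems.append(f"{virt}: no rwm-suffixmassage, DNs will not be rewritten")
        elif _norm(d["rwm-suffixmassage"]) != target:
            problems.append(f"{virt}: rwm-suffixmassage does not match relay {target!r}")
    return problems
```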
It's limited - no write passthrough - but that's not a problem for me. I can switch NSS and PAM linux clients over to the new schema and server fairly easily. This is a catchall for the misc crap - and once I have enough logging enabled I will be able to locate what is asking for what LDAP records and hunt down the remaining bad config.
Then when the legacy stuff is gone, ldaplegacy gets turned off - no changes to ldapmaster - simples :)