Hi,
I'd like to set up an LDAP backend toward a remote LDAP server. The base DN of the searches for the remote server is runtime information and can be any valid DN. I used slapd-ldap and found slapo-rwm which seems like doing exactly what I need so I configured a suffixmassage, where I replace the local DN to the remote base DN. So far so good, I got everything working. I even applied some more manipulations on searches and results by rwm. I was almost done except for one (not so) tiny thing: I wanted to have local overrides on certain attributes. I was glad to encounter slapo-translucent as it documents:
"Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client".
I started to set it up, but for me it looks like impossible to combine it with rwm. I used the following example to set up translucent: http://www.openldap.org/lists/openldap-technical/201205/msg00125.html
I tried to apply rwm together with translucent like 1) first. I thought this is the ideal setup since I want the suffixmassage only when I turn to the remote LDAP and I want the suffixmassage to be reverted when back from remote.
---
1)
dn: olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config
And the result was: adding new entry "olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config" ldap_add: Object class violation (65)
I was a bit disappointed but tried other combinations as well.
2)
dn: olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config dn: olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config dn: olcOverlay={1}rwm,olcDatabase={2}hdb,cn=config
This one resulted in suffixmassage for remote ldap, but also for the translucent local hdb search, which is obviously not a valid dn for the local DB. As an extra I also faced ITS#5941 ( http://www.openldap.org/its/index.cgi/Software%20Bugs?selectid=5941)
3)
dn: olcOverlay={0}rwm,olcDatabase={2}hdb,cn=config dn: olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config dn: olcDatabase={0}ldap,olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config
This one resulted in intact suffix for ldap and a suffixmassage for local, which is again useless for my case.
---
I also tried to look at if I can use the obsolete suffixmassage option of the slapd-ldap, but that does not seem to have an olc schema by looking at the source. After these trials my conclusion was that I have to find a completely different way of doing this.
Is it not possible to do a suffixmassage on an ldap backend over translucent? For me this is so much a basic use case that I am surprised. Can someone explain if this is a known missing feature or an intentional limitation? If the latter, why?
Any proposal how to solve local overrides inside slapd? (I wouldn't like to run two slapd to separate rwm from translucent)
Thanks and Regards, Balazs Kovacs
ps: using OpenLDAP 2.4.28 on an Ubuntu 12.04 LTS