OK - must be missing something really basic - and I am new to LDAP...
I have a server (ldapmaster) that serves
dc=new,dc=example,dc=com
and a separate server, ldaplegacy, that uses slapd-ldap + rwm to proxy-translate requests aimed at:
dc=old,dc=example,dc=com
So:
ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
returns
...
# me, people, old.example.com
dn: uid=me,ou=people,dc=old,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
...
nice - exactly as expected.
But
ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H ldap://ldaplegacy/
returns (after successful bind)
dn:uid=me,ou=people,dc=new,dc=example,dc=com
Why doesn't the DN get translated?
The config section that's relevant on ldaplegacy is:
slapd.conf
###############################
...
database relay
suffix "dc=old,dc=example,dc=com"
relay "dc=new,dc=example,dc=com"
overlay rwm
rwm-suffixmassage "dc=new,dc=example,dc=com"
...
###############################
I thought I needed more magic to translate the replies, but that *looks* like it is happening with ldapsearch???
Cheers!
Tim
> OK - must be missing something really basic - and I am new to LDAP...
> I have a server (ldapmaster) that serves
> dc=new,dc=example,dc=com
> and a separate server, ldaplegacy, that uses slapd-ldap + rwm to proxy-translate requests aimed at:
> dc=old,dc=example,dc=com
> So:
> ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
> returns
> ...
> # me, people, old.example.com
> dn: uid=me,ou=people,dc=old,dc=example,dc=com
> objectClass: top
> objectClass: inetOrgPerson
> ...
> nice - exactly as expected.
> But
> ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H ldap://ldaplegacy/
> returns (after successful bind)
> dn:uid=me,ou=people,dc=new,dc=example,dc=com
> Why doesn't the DN get translated?
> The config section that's relevant on ldaplegacy is:
> slapd.conf
> ###############################
> ...
> database relay
> suffix "dc=old,dc=example,dc=com"
> relay "dc=new,dc=example,dc=com"
> overlay rwm
> rwm-suffixmassage "dc=new,dc=example,dc=com"
> ...
> ###############################
> I thought I needed more magic to translate the replies, but that *looks* like it is happening with ldapsearch???
There are two good reasons:
1) what you get back is the *real* identity, i.e. the unmapped one.
2) whoami is an extended operation. The fact that its "payload" is a DN is not known to slapo-rwm, as this is an extension of the protocol. Since whoami is now part of the standard, slapo-rwm could know about it (patches are welcome); in any case, I think point (1) still applies; assuming the behavior you desire is legitimate, whether it takes place or not should be at least configurable, as there are many good reasons for (1) to be available.
p.
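The practical consequence of the answer above is that a client behind the proxy sees the virtual suffix (dc=old) in search results but the real suffix (dc=new) in the WhoAmI response, so any check that compares the WhoAmI identity against the bind DN must tolerate the unmapped suffix. The following is an added example, not code from the thread or from OpenLDAP: it emulates the suffix rewriting that rwm-suffixmassage applies to result DNs (handling escaped commas and case-insensitive RDN comparison, which goes slightly beyond the single case in the thread), parses an ldapwhoami authzId, and compares identities across the two suffixes. The suffixes and sample outputs are taken from the thread; the assumption that uid, ou and dc values match case-insensitively is the example's own.

```python
"""
Constructed example (not from the thread, not OpenLDAP code): emulate the
DN rewriting that rwm-suffixmassage applies to search results, and show
why a client must not assume the DN returned by the WhoAmI extended
operation (RFC 4532) carries the proxied (virtual) suffix.

Assumptions: the suffixes from the thread, and that the RDN attribute
types involved (uid, ou, dc) use case-insensitive matching.
"""

REAL_SUFFIX = "dc=new,dc=example,dc=com"      # what ldapmaster serves
VIRTUAL_SUFFIX = "dc=old,dc=example,dc=com"   # what ldaplegacy exposes


def split_rdns(dn):
    """Split a DN into RDN strings on unescaped commas (RFC 4514 syntax)."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):   # keep escape pairs intact
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def normalize_dn(dn):
    """Canonical form for comparison: lower-case types and values, no padding."""
    out = []
    for rdn in split_rdns(dn):
        attr, _, value = rdn.partition("=")
        out.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(out)


def has_suffix(dn, suffix):
    d = split_rdns(normalize_dn(dn))
    s = split_rdns(normalize_dn(suffix))
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def massage_suffix(dn, from_suffix, to_suffix):
    """Replace from_suffix with to_suffix, as slapo-rwm does on result DNs.
    DNs outside from_suffix are returned untouched."""
    if not has_suffix(dn, from_suffix):
        return dn
    rdns = split_rdns(dn)
    keep = len(rdns) - len(split_rdns(from_suffix))
    return ",".join(rdns[:keep] + split_rdns(to_suffix))


def rewrite_ldif_dns(ldif_text, from_suffix, to_suffix):
    """Rewrite the 'dn:' lines of an LDIF search result (what the proxy does)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.lower().startswith("dn:"):
            line = "dn: " + massage_suffix(line[3:].strip(), from_suffix, to_suffix)
        lines.append(line)
    return "\n".join(lines)


def parse_whoami(output):
    """ldapwhoami prints an authzId: 'dn:<dn>' for a DN identity,
    'u:<user>' for a userid, or an empty string when anonymous."""
    output = output.strip()
    if output.startswith("dn:"):
        return output[3:].strip()
    return None   # not a DN; nothing to compare against a bind DN


def same_identity(whoami_output, bind_dn):
    """True if the WhoAmI result names the identity the client bound as,
    whether the proxy returned the real (unmapped) or the virtual suffix."""
    dn = parse_whoami(whoami_output)
    if dn is None:
        return False
    mapped = massage_suffix(dn, REAL_SUFFIX, VIRTUAL_SUFFIX)
    return normalize_dn(mapped) == normalize_dn(bind_dn)


# Constructed sample data, modelled on the output shown in the thread.
SEARCH_RESULT_FROM_LDAPMASTER = """\
dn: uid=me,ou=people,dc=new,dc=example,dc=com
objectClass: top
objectClass: inetOrgPerson
"""
WHOAMI_OUTPUT = "dn:uid=me,ou=people,dc=new,dc=example,dc=com"
BIND_DN = "uid=me,ou=people,dc=old,dc=example,dc=com"

if __name__ == "__main__":
    print(rewrite_ldif_dns(SEARCH_RESULT_FROM_LDAPMASTER, REAL_SUFFIX, VIRTUAL_SUFFIX))
    print("whoami matches bind DN:", same_identity(WHOAMI_OUTPUT, BIND_DN))
```

Running the script prints the search entry with its dn: rewritten to the dc=old suffix (what ldapsearch shows through the proxy) and reports that the dc=new identity from ldapwhoami still matches the dc=old bind DN. A naive string comparison of the two would fail, which is exactly the trap a client written against the proxy can fall into.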
Thank you Pierangelo,
the fact whoami is an exop makes it all clear. I am glad this is correct and not bad config on my part :)
Cheers
Tim
Pierangelo Masarati masarati@aero.polimi.it wrote:
>> OK - must be missing something really basic - and I am new to LDAP...
>> I have a server (ldapmaster) that serves
>> dc=new,dc=example,dc=com
>> and a separate server, ldaplegacy, that uses slapd-ldap + rwm to proxy-translate requests aimed at:
>> dc=old,dc=example,dc=com
>> So:
>> ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>> returns
>> ...
>> # me, people, old.example.com
>> dn: uid=me,ou=people,dc=old,dc=example,dc=com
>> objectClass: top
>> objectClass: inetOrgPerson
>> ...
>> nice - exactly as expected.
>> But
>> ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>> returns (after successful bind)
>> dn:uid=me,ou=people,dc=new,dc=example,dc=com
>> Why doesn't the DN get translated?
>> The config section that's relevant on ldaplegacy is:
>> slapd.conf
>> ###############################
>> ...
>> database relay
>> suffix "dc=old,dc=example,dc=com"
>> relay "dc=new,dc=example,dc=com"
>> overlay rwm
>> rwm-suffixmassage "dc=new,dc=example,dc=com"
>> ...
>> ###############################
>> I thought I needed more magic to translate the replies, but that *looks* like it is happening with ldapsearch???
> There are two good reasons:
> 1) what you get back is the *real* identity, i.e. the unmapped one.
> 2) whoami is an extended operation. The fact that its "payload" is a DN is not known to slapo-rwm, as this is an extension of the protocol. Since whoami is now part of the standard, slapo-rwm could know about it (patches are welcome); in any case, I think point (1) still applies; assuming the behavior you desire is legitimate, whether it takes place or not should be at least configurable, as there are many good reasons for (1) to be available.
> p.
> --
> Pierangelo Masarati
> Associate Professor
> Dipartimento di Ingegneria Aerospaziale
> Politecnico di Milano
openldap-technical@openldap.org