I'm trying to extend an ldap directory using the translucent overlay, like many before me:
http://www.openldap.org/lists/openldap-software/200802/msg00128.html
http://www.openldap.org/lists/openldap-software/200802/msg00267.html
http://www.openldap.org/lists/openldap-software/200511/msg00216.html
http://www.openldap.org/lists/openldap-software/200707/msg00471.html
Before version 2.4.8, this wasn't possible. Howard Chu seems to have fixed this in rev 1.40 (before release 2.4.8) of translucent.c: http://www.openldap.org/devel/cvsweb.cgi/servers/slapd/overlays/translucent.... (http://www.openldap.org/lists/openldap-bugs/200712/msg00109.html)
Although it seems to have been fixed, I cannot get it to work on my setup. I use the packaged v2.4.10 in Debian testing. My config:
# Config start
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel none

modulepath /usr/lib/ldap
moduleload back_hdb
moduleload back_ldap
moduleload translucent

sizelimit 500
tool-threads 1

backend hdb
backend ldap

database hdb
directory /var/lib/ldap/translucent
suffix "dc=example,dc=com"
rootdn "cn=admin,dc=mybranch,dc=example,dc=com"
rootpw "admin"

overlay translucent
uri "ldap://172.27.27.37"
idassert-bind bindmethod=simple binddn="cn=admin,dc=example,dc=com" credentials="admin" mode=none
idassert-authzFrom "dn.subtree:dc=example,dc=com"
# Config end
This works perfectly fine for searches where the entry is remote. Changing entries works fine as well, with the results stored in the local translucent db. Adding new entries works, but they are not returned on searches. I check this by running slapcat.
So, it boils down to these questions:
* Does Howard's patch not fully implement the searching?
* Is my config wrong?
* There are probably other ways to do this, perhaps using a meta ldap backend. With multiple backends, what determines where writes go? Probably where the object is based, but what about new objects?
* Is it cleaner to keep my "branch" of the tree under a subdomain, such as mybranch.example.com using rwm, or should they all be on the main example.com domain?
* Examples for exotic overlays are very scarce. It would be very helpful if anyone could provide their configuration file.
sven
openldap-technical@openldap.org