Hello list,
I have been trying to use translucent overlay to merge attributes between a remote and a local server (both 2.4.23).
From the slapo-translucent man page i read:
"Attributes may be specified as both local and remote if desired."
and
"In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client."
The thing is that if i specify an attribute (objectclass) to be both local and remote, i can only get/search for the local entries. Choosing either separately will work as advertised though.
Again, i ask if this is a bug, a subtlety i have missed or this is not supposed to work with objectClass attribute?
Please advise,
Hugo Monteiro.
Hugo Monteiro wrote:
Hello list,
I have been trying to use translucent overlay to merge attributes between a remote and a local server (both 2.4.23).
From the slapo-translucent man page i read:
"Attributes may be specified as both local and remote if desired."
and
"In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client."
The thing is that if i specify an attribute (objectclass) to be both local and remote, i can only get/search for the local entries. Choosing either separately will work as advertised though.
Again, i ask if this is a bug, a subtlety i have missed or this is not supposed to work with objectClass attribute?
Re-read the manpage. 1st paragraph.
"Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client."
This overlay does not merge attributes, it replaces them.
On 02/22/2011 02:07 AM, Howard Chu wrote:
Hugo Monteiro wrote:
Hello list,
I have been trying to use translucent overlay to merge attributes between a remote and a local server (both 2.4.23).
From the slapo-translucent man page i read:
"Attributes may be specified as both local and remote if desired."
and
"In any case, both the local and remote entries corresponding to a search result will be merged before being returned to the client."
The thing is that if i specify an attribute (objectclass) to be both local and remote, i can only get/search for the local entries. Choosing either separately will work as advertised though.
Again, i ask if this is a bug, a subtlety i have missed or this is not supposed to work with objectClass attribute?
Hello Howard,
Re-read the manpage. 1st paragraph.
"Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client."
This overlay does not merge attributes, it replaces them.
In that case, i would understand that if i specified the objectClass attribute to be both remote and local, i would be able to perform queries which would match locally stored values, and in the event that there weren't any satisfying stored values, then the query would be made on the remote database.
in slapd.conf i have
translucent_remote objectClass,description,sambaLMPassword,sambaNTPassword
translucent_local description,objectClass,sambaSID,sambaPrimaryGroupSID,sambaAcctFlags,sambaHomeDrive,sambaHomePath,sambaLogonScript,sambaProfilePath,sambaAcctFlags,sambaPwdLastSet,sambaPwdCanChange,sambaPwdMustChange,sambaLogonTime,sambaLogoffTime,sambaKickoffTime,sambaBadPasswordCount,sambaBadPasswordTime,sambaLogonHours,sambaHomeDrive,sambaLogonScript,sambaProfilePath,sambaUserWorkstations,sambaHomePath,sambaDomainName,sambaMungedDial,sambaPasswordHistory,sambaSID,sambaPrimaryGroupSID,sambaSIDList,sambaGroupType,sambaNextUserRid,sambaNextGroupRid,sambaNextRid,sambaAlgorithmicRidBase
and as an example:
ldapsearch -b "ou=grupos,dc=fct,dc=unl,dc=pt" -h remoteserver -x "(cn=agt)"
# extended LDIF
#
# LDAPv3
# base <ou=grupos,dc=fct,dc=unl,dc=pt> with scope subtree
# filter: (cn=agt)
# requesting: ALL
#

# 0, grupos, fct.unl.pt
dn: uniqueIdentifier=0,ou=grupos,dc=fct,dc=unl,dc=pt
displayName: agentes
cn: agt
uniqueIdentifier: 0
gidNumber: 1000
objectClass: top
objectClass: grupoUNL
objectClass: posixGroup

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

ldapsearch -b "ou=grupos,dc=fct,dc=unl,dc=pt" -h localhost -x "(cn=agt)"
# extended LDIF
#
# LDAPv3
# base <ou=grupos,dc=fct,dc=unl,dc=pt> with scope subtree
# filter: (cn=agt)
# requesting: ALL
#

# 0, grupos, fct.unl.pt
dn: uniqueIdentifier=0,ou=grupos,dc=fct,dc=unl,dc=pt
displayName: agentes
cn: agt
uniqueIdentifier: 0
gidNumber: 1000
objectClass: top
objectClass: grupoUNL
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-1327543176-3185848629-1254536839-1000
sambaGroupType: 2

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
So far so good. But when i try to filter per objectClass:
ldapsearch -b "ou=grupos,dc=fct,dc=unl,dc=pt" -h localhost -x "(&(objectClass=sambaGroupMapping)(cn=agt))"
# extended LDIF
#
# LDAPv3
# base <ou=grupos,dc=fct,dc=unl,dc=pt> with scope subtree
# filter: (&(objectClass=sambaGroupMapping)(cn=agt))
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1
Hopefully i was able to explain the hurt that i'm feeling. =)
Am i wrong to assume that local rewrites don't go beyond the entry retrieval? If this is not the role for translucent, is there any other way i can accomplish this?
Regards,
Hugo Monteiro.
On 02/22/2011 10:16 AM, Hugo Monteiro wrote:
[...]
To reply to myself, the problem relied on indexes. Running slapindex fixed things.
Best Regards and sorry for the noise,
Hugo Monteiro.
openldap-technical@openldap.org
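The symptom resolved in the last message, as an added illustration that is not part of the original thread and is not slapd's code: a simplified model of an equality index whose keys were never written for an entry that is already stored. The class and function names are hypothetical, the sample entry is constructed from the search output in the thread, and the assumption that objectClass is indexed while cn is not is not stated by the poster.

```python
# Simplified model of a database with per-attribute equality indexes (not slapd code).

class ToyDB:
    def __init__(self, indexed_attrs):
        self.indexed = {a.lower() for a in indexed_attrs}  # attrs configured as indexed
        self.entries = {}   # entry id -> {attr: [values]}
        self.index = {}     # (attr, value) -> set of entry ids

    def load_without_indexing(self, eid, entry):
        """Store an entry but write no index keys (the stale-index state)."""
        self.entries[eid] = {k.lower(): v for k, v in entry.items()}

    def reindex(self):
        """Rebuild every index key from the stored entries."""
        self.index.clear()
        for eid, entry in self.entries.items():
            for attr in entry.keys() & self.indexed:
                for val in entry[attr]:
                    self.index.setdefault((attr, val.lower()), set()).add(eid)

    def candidates(self, attr, value):
        attr = attr.lower()
        if attr in self.indexed:
            # Indexed attribute: the index is trusted, even when it is empty.
            return set(self.index.get((attr, value.lower()), set()))
        return set(self.entries)  # unindexed: every entry is a candidate

    def search_and(self, *terms):
        """Evaluate (&(a=v)(b=w)...): intersect candidates, then verify each entry."""
        ids = set(self.entries)
        for attr, value in terms:
            ids &= self.candidates(attr, value)
        return sorted(
            eid for eid in ids
            if all(value.lower() in (x.lower() for x in self.entries[eid].get(attr.lower(), []))
                   for attr, value in terms)
        )

def demo():
    db = ToyDB(indexed_attrs=["objectClass"])  # assumption: cn is not indexed
    db.load_without_indexing(1, {              # constructed sample entry
        "cn": ["agt"],
        "objectClass": ["top", "grupoUNL", "posixGroup", "sambaGroupMapping"],
    })
    plain = db.search_and(("cn", "agt"))
    stale = db.search_and(("objectClass", "sambaGroupMapping"), ("cn", "agt"))
    db.reindex()
    fixed = db.search_and(("objectClass", "sambaGroupMapping"), ("cn", "agt"))
    return plain, stale, fixed
```

In this model the entry is returned for the cn-only filter, disappears as soon as an objectClass term is added, and comes back after the rebuild, which matches the before and after of running slapindex reported above.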