I have a new requirement to proxy requests to a partner's LDAP (3rd party), based on organization. These requests come into my slave servers. The slaves are chaining referrals to a single master (for my company's users).
I have set up the proxy using back-ldap, along with the rewrite/map overlay (to massage the domain and map attrs). All requests to the partner's LDAP will be read-only.
First question: Is back-ldap the correct approach for this? Is there a better way? This set-up is fairly simple and it 'seems' to be working.
Second question: If this is the way, are there any rules that apply as far as where the chain overlay (order) should appear in slapd.conf?
Here's a portion of my slave slapd.conf (with openldap 2.3.43):
modulepath /usr/lib/openldap
moduleload ppolicy.la
moduleload rwm.la

#===================================================================
# chain to master for updates
overlay chain
chain-uri ldap://172.1.1.1
chain-idassert-bind bindmethod="simple"
    binddn="cn=ldapChain,o=myorg,dc=mycompany,dc=net"
    credentials="chainsecret"
    mode="self"
chain-max-depth 2
chain-return-error TRUE
chain-rebind-as-user TRUE

#===================================================================
# back-ldap (partner database)
database ldap
uri "ldap://172.2.2.2"
suffix "o=partnerorg,dc=mycompany,dc=net"
lastmod off

#===================================================================
# Rewrite/map overlay
overlay rwm
rwm-suffixmassage "o=partnerorg,dc=mycompany,dc=net" "o=partnerorg,dc=partner,dc=net"
rwm-map objectclass top top
rwm-map objectclass person person
rwm-map objectclass posixAccount posixAccount
rwm-map attribute DiagAccessLevel gecos
rwm-map attribute DiagGroup description
<etc, snip>

#===================================================================
# Local database definitions
database bdb
suffix "dc=mycompany,dc=net"
rootdn "cn=ldaproot,dc=mycompany,dc=net"
rootpw bigsecret
lastmod on
directory /var/lib/ldap
mode 0660
checkpoint 100 30

# Indices to maintain for this database
index objectclass,entryCSN,entryUUID eq,pres
<etc>

#-------------------------------------------------------------------
# ACLs for this database
access to attrs=userPassword
    by self write
    by group.exact="cn=administrators,o=myorg,dc=mycompany,dc=net" write
    by dn.sub="o=partnerorg,dc=partner,dc=net" none
    by anonymous auth
    by * none

access to *
    by group.exact="cn=administrators,o=myorg,dc=mycompany,dc=net" write
    by dn.sub="o=partnerorg,dc=partner,dc=net" none
    by anonymous none
    by * read

#===================================================================
syncrepl rid=004
    type=refreshAndPersist
    provider=ldap://172.1.1.1
    retry="30 10 300 3"
    searchbase="dc=mycompany,dc=net"
    filter="(objectClass=*)"
    scope=sub
    schemachecking=off
    bindmethod=simple
    binddn="cn=syncRepl,o=myorg,dc=mycompany,dc=net"
    credentials="secretsync"

updateref ldap://172.1.1.1
Thanks in advance, John
openldap-technical@openldap.org
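Added example (not part of John's message and not OpenLDAP's own code): a small Python model of what the posted rwm-suffixmassage and rwm-map directives do to a search on its way to the partner server and to the entries that come back, including the DN-valued attribute values that the suffix massage also has to rewrite. The suffixes and maps are copied from the slapd.conf above; the sample partner entry, the list of DN-syntax attribute types, and the pass-through of unmapped names are assumptions of the model, and filter rewriting is left out. The model also covers the ACL clause dn.sub="o=partnerorg,dc=partner,dc=net": a client that binds to the slave as uid=jdoe,ou=people,o=partnerorg,dc=mycompany,dc=net (the virtual form the slave exposes) does not fall under that subtree, while it does fall under the virtual suffix, so only one spelling of the subject can ever match and the right one should be confirmed against slapo-rwm(5) and slapd.access(5) before relying on those "none" clauses. Note too that the posted "database ldap" section carries no access directives of its own, so slapd's default policy (access to * by * read) governs the proxied partner data unless it is restricted elsewhere.

```python
"""Model (added here; not OpenLDAP's slapo-rwm code) of what the posted
rwm-suffixmassage and rwm-map lines do to a request on its way to the
partner server and to the entries that come back, plus the dn.sub test
from the posted ACLs.  Filter rewriting and the full DN grammar (escaped
commas, multi-valued RDNs) are left out on purpose."""

VIRTUAL_SUFFIX = "o=partnerorg,dc=mycompany,dc=net"   # what clients of the slave use
REAL_SUFFIX = "o=partnerorg,dc=partner,dc=net"        # what the partner server serves

# rwm-map attribute <virtual> <real> / rwm-map objectclass <virtual> <real>,
# copied from the posted slapd.conf.
ATTR_MAP = {"DiagAccessLevel": "gecos", "DiagGroup": "description"}
OC_MAP = {"top": "top", "person": "person", "posixAccount": "posixAccount"}

# Assumption for the model: attribute types whose values are DNs and so
# need suffix massaging on the way back.  Real slapo-rwm decides this from
# the schema (DN syntax), not from a fixed list.
DN_SYNTAX_ATTRS = {"manager", "seealso", "member", "owner"}


def _lookup(mapping, name, reverse=False):
    """Case-insensitive map lookup; names not in the map pass through
    unchanged (an assumption of this model; check slapo-rwm(5) for what
    slapd does with unmapped names)."""
    for virt, real in mapping.items():
        src, dst = (real, virt) if reverse else (virt, real)
        if src.lower() == name.lower():
            return dst
    return name


def _rdns(dn):
    """Split a DN into RDN strings.  Escaped commas are not handled."""
    return [c.strip() for c in dn.split(",")]


def massage_dn(dn, old_suffix, new_suffix):
    """Replace old_suffix at the end of dn with new_suffix, comparing RDNs
    case-insensitively.  A DN not under old_suffix is returned untouched."""
    parts, old = _rdns(dn), _rdns(old_suffix)
    if len(parts) < len(old):
        return dn
    head, tail = parts[:len(parts) - len(old)], parts[len(parts) - len(old):]
    if [p.lower() for p in tail] != [p.lower() for p in old]:
        return dn
    return ",".join(head + _rdns(new_suffix))


def rewrite_request(base_dn, attrs):
    """Client -> partner: base DN into the real suffix, requested attribute
    names into the names the partner actually has."""
    return (massage_dn(base_dn, VIRTUAL_SUFFIX, REAL_SUFFIX),
            [_lookup(ATTR_MAP, a) for a in attrs])


def rewrite_entry(entry):
    """Partner -> client: entry DN and DN-valued attributes back into the
    virtual suffix, attribute and objectClass names back into the local
    names.  entry = {"dn": str, "attrs": {name: [values]}}."""
    out = {"dn": massage_dn(entry["dn"], REAL_SUFFIX, VIRTUAL_SUFFIX), "attrs": {}}
    for name, values in entry["attrs"].items():
        if name.lower() == "objectclass":
            out["attrs"]["objectClass"] = [_lookup(OC_MAP, v, reverse=True) for v in values]
        elif name.lower() in DN_SYNTAX_ATTRS:
            out["attrs"][_lookup(ATTR_MAP, name, reverse=True)] = [
                massage_dn(v, REAL_SUFFIX, VIRTUAL_SUFFIX) for v in values]
        else:
            out["attrs"][_lookup(ATTR_MAP, name, reverse=True)] = list(values)
    return out


def dn_sub_matches(authz_dn, suffix):
    """Model of the ACL clause 'by dn.sub="<suffix>"': true when authz_dn
    is the suffix itself or sits below it."""
    parts, suf = _rdns(authz_dn), _rdns(suffix)
    return (len(parts) >= len(suf)
            and [p.lower() for p in parts[-len(suf):]] == [p.lower() for p in suf])


def demo():
    """Run the model over a constructed partner entry (sample data, not a
    real partner record) and the two spellings of the ACL subject."""
    partner_entry = {
        "dn": "uid=jdoe,ou=people,o=partnerorg,dc=partner,dc=net",
        "attrs": {
            "objectClass": ["top", "person", "posixAccount"],
            "uid": ["jdoe"],
            "gecos": ["3"],                 # becomes DiagAccessLevel locally
            "description": ["diag-ops"],    # becomes DiagGroup locally
            "manager": ["uid=boss,ou=people,o=partnerorg,dc=partner,dc=net"],
        },
    }
    # The DN a client would bind with when it talks to the slave (virtual form).
    bound_as = "uid=jdoe,ou=people," + VIRTUAL_SUFFIX
    return {
        "request": rewrite_request("ou=people," + VIRTUAL_SUFFIX,
                                   ["uid", "DiagAccessLevel", "DiagGroup"]),
        "entry": rewrite_entry(partner_entry),
        "dn_sub_real_suffix": dn_sub_matches(bound_as, REAL_SUFFIX),        # False
        "dn_sub_virtual_suffix": dn_sub_matches(bound_as, VIRTUAL_SUFFIX),  # True
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(demo())
```

Running the script prints the rewritten search base and attribute list, the entry as a client of the slave would see it (virtual DN, DiagAccessLevel/DiagGroup names, manager value moved into the virtual suffix), and the two dn.sub results.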