Hi,
I'd like to set up an LDAP backend toward a remote LDAP server. The base DN
of the searches for the remote server is runtime information and can be any
valid DN. I used slapd-ldap and found slapo-rwm, which seems to do
exactly what I need, so I configured a suffixmassage where I replace the
local DN with the remote base DN. So far so good, I got everything working. I
even applied some more manipulations on searches and results by rwm. I was
almost done except for one (not so) tiny thing: I wanted to have local
overrides on certain attributes. I was glad to encounter slapo-translucent,
as it documents:
"Entries retrieved from a remote LDAP server may have some or all
attributes overridden, or new attributes added, by entries in the local
database before being presented to the client".
I started to set it up, but to me it looks impossible to combine it
with rwm. I used the following example to set up translucent:
http://www.openldap.org/lists/openldap-technical/201205/msg00125.html
I tried to apply rwm together with translucent as in 1) first. I thought
this is the ideal setup, since I want the suffixmassage only when I turn to
the remote LDAP and I want the suffixmassage to be reverted when back from
the remote.
---
1)
dn: olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config
And the result was:
adding new entry "olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config"
ldap_add: Object class violation (65)
I was a bit disappointed but tried other combinations as well.
2)
dn: olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
dn: olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
dn: olcOverlay={1}rwm,olcDatabase={2}hdb,cn=config
This one resulted in a suffixmassage for the remote ldap, but also for the
translucent local hdb search, which is obviously not a valid DN for the
local DB.
As an extra I also faced ITS#5941 (
http://www.openldap.org/its/index.cgi/Software%20Bugs?selectid=5941)
3)
dn: olcOverlay={0}rwm,olcDatabase={2}hdb,cn=config
dn: olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config
dn: olcDatabase={0}ldap,olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config
This one resulted in an intact suffix for ldap and a suffixmassage for local,
which is again useless for my case.
---
I also looked into whether I can use the obsolete suffixmassage option of
slapd-ldap, but judging by the source it does not seem to have an olc
schema.
After these trials my conclusion was that I have to find a completely
different way of doing this.
Is it not possible to do a suffixmassage on an ldap backend over
translucent? To me this is such a basic use case that I am surprised.
Can someone explain if this is a known missing feature or an intentional
limitation? If the latter, why?
Any proposal how to solve local overrides inside slapd? (I wouldn't like to
run two slapd to separate rwm from translucent)
Thanks and Regards,
Balazs Kovacs
PS: using OpenLDAP 2.4.28 on an Ubuntu 12.04 LTS
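For readers who want to reproduce the arrangement the post calls 2), here is a full cn=config LDIF for it. This is an added example, not configuration from the original post or from the OpenLDAP project: the local suffix dc=local,dc=example, the remote base ou=people,dc=remote,dc=example, the remote URI, the database directory, the overridden attribute (mail) and the database index {2} are all assumptions. Because the rwm overlay is added after translucent it sits above it in the stack and sees every operation first, which is why the massaged DN also reaches translucent's lookup in the local hdb, as the post reports.

```ldif
# Added example, not from the original post: reconstruction of
# arrangement 2) in cn=config form. All suffixes, the remote URI,
# the directory path and the index numbers are assumptions.

# The local hdb database that holds the override entries
dn: olcDatabase={2}hdb,cn=config
objectClass: olcDatabaseConfig
objectClass: olcHdbConfig
olcDatabase: {2}hdb
olcSuffix: dc=local,dc=example
olcRootDN: cn=admin,dc=local,dc=example
olcDbDirectory: /var/lib/ldap/local

# translucent on top of the local database; olcTranslucentLocal lists
# attributes that are always answered from the local entries only
dn: olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: {0}translucent
olcTranslucentLocal: mail

# translucent's remote target: an ldap backend nested under the overlay
dn: olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
objectClass: olcLDAPConfig
objectClass: olcTranslucentDatabase
olcDatabase: {0}ldap
olcDbURI: ldap://remote.example.net

# rwm as a sibling overlay of translucent on the same database
# (arrangement 2): the suffixmassage rewrites the local suffix to the
# assumed remote base for every operation entering the database
dn: olcOverlay={1}rwm,olcDatabase={2}hdb,cn=config
objectClass: olcOverlayConfig
objectClass: olcRwmConfig
olcOverlay: {1}rwm
olcRwmRewrite: {0}rwm-suffixmassage "dc=local,dc=example" "ou=people,dc=remote,dc=example"
```

Load it with `ldapadd -Y EXTERNAL -H ldapi:/// -f translucent-rwm.ldif` on a slapd whose cn=config grants the local root SASL EXTERNAL write access, then run `ldapsearch -x -b dc=local,dc=example` with slapd started at debug level `-d stats` to see which base DN each of the two lookups (local hdb and remote ldap) actually receives.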