List:       openldap-software
Subject:    Re: proxy + backend meta + rewrite
From:       Pierangelo Masarati <ando () sys-net ! it>
Date:       2006-08-31 20:38:25
Message-ID: 44F748C1.5020506 () sys-net ! it

Johann Heymes wrote:
> Hello,
>
> Context: 
>
> We have 2 directories, 1 Microsoft for domain domain1.fr, 1 Notes for
> domain domain2.fr. In reality, we have more domains and 3 directories
> but the problem remains the same.
>
>
> We have an application which can produce only one type of request like
> the following : ldapsearch -Wxy /tmp/pwdfile -h 127.0.0.1 -D
> "cn=robot,dc=foo,dc=com" -b "dc=foo,dc=com"
> "(attributMail=jhe@domain1.fr)"
>
> We planned to use an intelligent LDAP proxy with rewriting
> functionalities (OpenLDAP with backend meta and rewrite rules) to be
> able to "adapt" the LDAP query to the context (the domain): select the
> right directory and use the right attribute name. Moreover, to be able
> to query 2 LDAP servers (in a cluster) instead of one for high availability
> needs.
>
> But we don't know how to do this, and not even if it's possible.
>
>
> We have thought of a slapd.conf configuration like this:
> ---------------------- 
> backend meta
> database meta
> suffix "dc=foo,dc=com"
> lastmod off
> rootdn "cn=robot,dc=foo,dc=com"
> rootpw "*****"
>
> uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com" uri "ldap://ldap2_domain1:389/dc=ad,dc=foo,dc=com"
> rewriteEngine on
> suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
> pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
> pseudorootpw "*****"
>
> uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com" "ldap://ldap2_domain2:389/dc=notes,dc=foo,dc=com"
> rewriteEngine on
> suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
> pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
> pseudorootpw "*****"
>   
> ---------------------- 
>
> So how is it possible to rewrite the search request -b "dc=foo,dc=com"
> "(attributMail=jhe@domain1.fr)" to -b "dc=ad,ou=users,dc=foo,dc=com"
> "(userPrincipalName=jhe@domain1.fr)"
>
> or the search request -b "dc=foo,dc=com"
> "(attributMail=jhe@domain2.fr)" to -b
> "dc=notes,ou=Utilisateurs,dc=foo,dc=com" "(mail=jhe@domain2.fr)"
>   
You're not too far from optimal; try

database meta
suffix "dc=foo,dc=com"
rootdn "cn=robot,dc=foo,dc=com"
rootpw "*****"

uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com ldap://ldap2_domain1:389/"
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw "*****"
map attribute attributMail userPrincipalName
 
uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com ldap://ldap2_domain2:389/"
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw "*****"
map attribute attributMail mail


>
> Note : I already noted a problem with the use of unknown attributes by
> the proxy openldap such as userPrincipalName
>   
All you need to do is define that attribute in the local schema.  You 
can grab it from AD by inspecting the schema via LDAP.  As far as I 
remember, schema in AD does not report matching rules; this would 
prevent slapd from allowing those attrs, for example, in filters.  
You'll need to invent some appropriate matching rule (at least for 
EQUALITY) in case you cannot find any specific reference.
> Note: Currently I use an openldap package powered by ubuntu dapper and
> another build powered by redhat el 4 but if it is necessary to rebuild
> from CVS, it's not a problem.
>   
I hope you don't need to rebuild from the CVS!  A decent, recent 2.3 
version should suffice.  Note that, for heavy duty operation, nothing 
earlier than the latest 2.3 should be used, because 2.3 was specifically 
strengthened both in the proxy and in the libldap bits.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------
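An added example, not from Pierangelo's reply or from the OpenLDAP project, putting the two halves of the answer in one place: the proxy-local schema fragment that declares userPrincipalName (with an invented EQUALITY rule, as suggested) together with the application's own attributMail, and the meta database that includes it. File paths, the attributMail OID and the matching-rule choices are assumptions.

```text
# Proxy-local schema file; assumed path /etc/ldap/schema/proxy-extra.schema
# slapd must know every attribute type that appears in a client filter or in
# a "map attribute" directive. AD publishes userPrincipalName without matching
# rules, so EQUALITY/SUBSTR are supplied here (caseIgnoreMatch is an assumption).
# The OID is userPrincipalName's attributeID as published by the AD schema;
# check it against your own forest before relying on it.
attributetype ( 1.2.840.113556.1.4.656
    NAME 'userPrincipalName'
    DESC 'proxy-local copy of the AD attribute'
    EQUALITY caseIgnoreMatch
    SUBSTR caseIgnoreSubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.15
    SINGLE-VALUE )

# The application's private attribute name, so the proxy accepts it in filters.
# PLACEHOLDER OID: allocate one under your own private enterprise arc.
attributetype ( 1.3.6.1.4.1.99999.1.1
    NAME 'attributMail'
    DESC 'application-side mail lookup key, mapped per target'
    EQUALITY caseIgnoreIA5Match
    SUBSTR caseIgnoreIA5SubstringsMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 )

# ---- slapd.conf (assumed path /etc/ldap/slapd.conf) ----
# include lines must precede the database section; paths are assumptions.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/proxy-extra.schema

database meta
suffix "dc=foo,dc=com"
rootdn "cn=robot,dc=foo,dc=com"
rootpw "*****"

# Target 1 (AD): both URIs in ONE quoted string form a failover pair sharing
# the naming context given on the first URI.
uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com ldap://ldap2_domain1:389/"
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw "*****"
map attribute attributMail userPrincipalName

# Target 2 (Notes)
uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com ldap://ldap2_domain2:389/"
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw "*****"
map attribute attributMail mail
# pseudorootpw holds the remote bind secret in clear: keep this file 0600,
# owned by the slapd user.
```

With this in place the application's search from the thread runs unchanged against the proxy: the base is massaged per target, attributMail becomes userPrincipalName or mail in the filter sent to each directory, and the entries come back renamed under dc=foo,dc=com.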
