
Re: OpenLDAP Metadirectory building problems



> Hi all,
>
> I am currently trying to build a basic meta directory. It should
> (non-anonymously-) bind to some other directories, and I want to have some
> attribute mapping.
> I'm wondering if this is possible with OpenLDAP. I checked out various
> versions of OpenLDAP for that scenario, but all of them fail in a special
> case - or it's me who is failing, please enlighten me.
>
> I give an overview of what I've seen so far:
> openldap-2.2.17/18 and 2.2.x-cvs:
>         slapd-ldap works,
>         attribute mapping works,
>         idassert-* directives not working (unknown directive
> "idassert-method"...)

idassert-* is in back-ldap HEAD only.

>
> openldap-2.x-cvs from 11/26/2004:
>         slapd-ldap works,
>         idassert-* directive without error/warning message (but doesn't
> seem to work - probably my fault),
>         attribute mapping does not work (No error, but no mapping)

In HEAD as of a couple of weeks ago, attribute mapping has been delegated
to the rwm overlay.  You need to enable that overlay, add the "overlay
rwm" directive and prefix the DN rewrite and attribute mapping directives
with "rwm-", as stated in the man pages that come with HEAD code.

>
> If I want to use both functions, binding-functions and attribute mapping,
> I am in a dilemma.
>
>
> slapd-meta is crashing for all versions beyond 2.2.17.
> This is a reproducible story: If OpenLDAP queries the back-end directory
> (in this case a Domino Server) and is receiving a large entry (in this
> case the Domino Certificate) the server dies with a Segmentation fault.

I suggest you file an ITS with specific debug info.  Please use the latest
release code from the CVS (OPENLDAP_REL_ENG_2_2), since HEAD is currently
undergoing major reworking and occasionally could be in an unstable state.
In any case, back-meta does not support identity assertion, so it's not
going to be of help for your purposes.  I'm checking the possibility of
rewriting identity assertion as an overlay, so it can be stacked on top of
back-meta as well, but there are some architectural problems, so it's not
going to be available any time soon.

>
> My questions now:
> - Am I doing something wrong? Do I have the wrong imagination of how to
> do this?

Yes, ... but likely it's not your fault!

> - Isn't this possible at the current point of OpenLDAP development?

Should be, according to the above answer.

> - Is there another possibility of letting OpenLDAP bind non-anonymously to
> another server?

2.2.18 and so on allow the proxyauthzdn/proxyauthzpw directives, which
represent a sort of embryonic identity assertion.  The identity they
represent is used by back-ldap to bind to the remote server whenever the
back-ldap instance is not the authorizing database for the identity that
performs an operation, i.e.: you have two databases, db-A and db-B, and
db-B is a back-ldap, and the client is binding as an identity stored in
db-A followed by an operation on db-B; if proxyauthzdn/proxyauthzpw is
defined, db-B should bind as proxyauthzdn and assert the client's identity
to the remote server via the proxyAuthz control.  Note that the remote
server must allow proxyAuthz (authz-policy from) and the proxyauthzdn
authzTo must allow the authorization to the client's identity, which
usually is not present in the remote server.  If this suffices, you can
defer identity assertion to when it's released ;)

>
>
>
> If you need more information regarding my setup, don't hesitate to ask.
> Any help, hints, pointer to further documentation and so on is highly
> appreciated.

See above.  Identity assertion is not documented yet, except for the bare
description of the configure statements in slapd-ldap(5) and for test028
that may serve as an essential guideline.  I plan to write some more
documentation some time.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
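A constructed slapd.conf sketch of the setup discussed in this reply (added here; not configuration from the original thread or from the OpenLDAP project), showing the db-A/db-B layout with proxyauthzdn/proxyauthzpw on the 2.2.x proxy, the HEAD-only rwm mapping form commented out, and the authz-policy/authzTo settings the remote server needs. It assumes the remote directory is also an OpenLDAP server; all DNs, suffixes, hosts and attribute names are placeholders.

```conf
# --- Proxy side (OpenLDAP 2.2.18-style slapd.conf), constructed example ---

# db-A: the local database that actually authenticates clients
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
# local identities such as uid=alice,ou=people,dc=example,dc=com live here

# db-B: back-ldap; operations under this suffix are forwarded upstream
database        ldap
suffix          "ou=remote,dc=example,dc=com"
uri             "ldap://remote.example.com/"
# Identity back-ldap binds as when the client authenticated against db-A;
# the client's own DN is then asserted via the proxyAuthz control.
# proxyauthzpw is stored in cleartext, so restrict slapd.conf (e.g. mode 0640)
proxyauthzdn    "cn=proxy,ou=services,dc=remote,dc=com"
proxyauthzpw    "REPLACE-WITH-PROXY-SECRET"

# HEAD only (not 2.2.x): attribute mapping has moved into the rwm overlay
# and every mapping directive carries the rwm- prefix.
#overlay        rwm
#rwm-map        attribute   mail   remoteMailAttribute
#rwm-map        attribute   *      *

# --- Remote side (the server being proxied), constructed example ---

# Allow a bound identity to assert another identity with proxyAuthz only
# where that identity's own authzTo attribute permits it.
authz-policy    from

# Entry for the proxy identity on the remote server (LDIF, not slapd.conf):
#
#   dn: cn=proxy,ou=services,dc=remote,dc=com
#   # Narrow: only DNs shaped like db-A users, which need not exist remotely
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
#
# Avoid a blanket grant such as the following, which lets the proxy
# identity impersonate anyone the remote server knows:
#   authzTo: dn.regex:.*
```

With this in place, a client that binds to db-A and then searches under ou=remote,dc=example,dc=com is seen by the remote server as the asserted client DN, while the only credential stored on the proxy is the narrowly authorized cn=proxy account.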