[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Nested meta-backends
On Wed, 8 Jun 2005, Pierangelo Masarati wrote:
> The example is not really clear; however, as far as I understand, you
> should be able to do that provided you can design a hierarchy of
> suffixes that doesn't cause conflicts, and at the expense of multiple
> translations from internal to LDAP and viceversa of all operations...
> You could do something like
OK, I guess I was hiding too much information; for obvious reasons I
didn't want to mention the actual domains etc, but I've realised that I
don't understand some concepts that your examples have highlighted.
> database meta
> suffix ou=View1
> uri ldap://host1.example.com/ou=View1
> uri ldap://host2.example.com/ou=View1
I'm confused by the requirement that the naming context end in the suffix;
I found that if it doesn't, I get an obscure "error 80".
Intuitively (for me anyway), that example above says to search those URIs,
with a search base of "View1" (which likely doesn't exist), and glue them
together, calling it "View1".
> database meta
> suffix ""
> uri ldap://localhost/ou=View1
> uri ldap://localhost/ou=View2
And here's another confusing bit. I can see that the naming context sort
of ends in the suffix (i.e. all strings end in a null string), but was the
choice of "" purely arbitrary?
> should do the trick, although I wouldn't recommend it for high
> performances.
Performance won't be an issue (yet), as it's low-volume traffic.
Let's see if I can make my problem clearer. Hope it's not too long...
Host "host1.example.com" provides suffixes "dc=au,dc=example,dc=com",
"dc=sg,dc=example,dc=com" (as a slave), "dc=network,dc=net,dc=au", and
"dc=group,dc=org,dc=au".
Over on host2.example.com, we have "dc=secret,dc=com,dc=au" (for political
reasons it's on a separate server, even though it's in the same rack).
The important bits in their slapd.conf files would be:
host1.example.com:
database bdb
include /usr/local/etc/openldap/example-master.acl
suffix "dc=au,dc=example,dc=com"
rootdn "cn=Manager,dc=au,dc=example,dc=com"
rootpw secret
directory /usr/local/openldap-data/example.com/au
database bdb
include /usr/local/etc/openldap/example-slave.acl
suffix "dc=sg,dc=example,dc=com"
rootdn "cn=Manager,dc=sg,dc=example,dc=com"
rootpw secret
directory /usr/local/openldap-data/example.com/sg
syncrepl rid=1 ...
updateref ldap://ldap.sg.example.com:389
database bdb
include /usr/local/etc/openldap/example-master.acl
suffix "dc=example,dc=com"
rootdn "cn=Manager,dc=example,dc=com"
rootpw secret
directory /usr/local/openldap-data/example.com/master
This last one just contains referrals such as:
dn: dc=au,dc=example,dc=com
objectClass: extensibleObject
objectClass: referral
objectClass: top
dc: au
ref: ldap://host1.example.com/dc=au,dc=example,dc=com
It could probably be done better with a meta-backend, once I understand
them better.
database bdb
include /usr/local/etc/openldap/network-master.acl
suffix "dc=network,dc=net,dc=au"
rootdn "cn=Manager,dc=network,dc=net,dc=au"
rootpw secret
directory /usr/local/openldap-data/network.net.au
database bdb
include /usr/local/etc/openldap/group-master.acl
suffix "dc=group,dc=org,dc=au"
rootdn "cn=Manager,dc=group,dc=org,dc=au"
rootpw secret
directory /usr/local/openldap-data/group.org.au
On host2.example.com, slapd.conf would be obvious, so I won't include it.
Now, with one client operation, we want to search Network, Group, and
Secret, to see who hosts a particular application; something like
"ldapsearch ... -b ou=UserView (objectClass=Apps) Appl=PogoSticks".
We want results to come back unmolested e.g. I want to see something like
"dn: Appl=PogoSticks,ou=Applications,dc=secret,dc=com,dc=au" instead of
"dn: Appl=PogoSticks,ou=Applications,ou=UserView", which means a rewrite
rule.
So, host1 would also have (ignore the access rule; it will change):
database meta
access to * by * read
suffix "ou=UserView"
lastmod off
uri "ldap://host1.example.com/ou=UserView";
rewriteEngine on
rewriteContext default
rewriteRule "(.*)ou=UserView$" "%1dc=network,dc=net,dc=au" ":"
rebind-as-user
binddn "cn=Manager,dc=network,dc=net,dc=au"
bindpw secret
uri "ldap://host1.example.com/ou=UserView";
rewriteEngine on
rewriteContext default
rewriteRule "(.*)ou=UserView$" "%1dc=group,dc=org,dc=au" ":"
rebind-as-user
binddn "cn=Manager,dc=group,dc=org,dc=au"
bindpw secret
uri "ldap://host2.example.com/ou=UserView";
rewriteEngine on
rewriteContext default
rewriteRule "(.*)ou=UserView$" "%1dc=secret,dc=com,dc=au" ":"
rebind-as-user
binddn "cn=Manager,dc=secret,dc=com,dc=au"
bindpw secret
The above works, but I have a feeling it could be done in a better way.
Now, my problem is that I want to define an administrative view of *all*
suffixes, called "ou=AdminView", without duplicating all those lines; in
other words, I want to glue "dc=example,dc=com" and "ou=UserView" together
(or indeed, any other arbitrary view I may create).
I tried this:
database meta
access to * by * read
suffix "ou=AdminView"
lastmod off
uri "ldap://host1.example.com/ou=AdminView";
rewriteEngine on
rewriteContext default
rewriteRule "(.*)ou=AdminView$" "%1dc=example,dc=com" ":"
rebind-as-user
binddn "cn=Manager,dc=example,dc=com"
bindpw secret
uri "ldap://host1.example.com/ou=UserView";
rewriteEngine on
rewriteContext default
rewriteRule "(.*)ou=AdminView$" "%1ou=UserView" ":"
rebind-as-user
binddn "cn=Manager,dc=example,dc=com"
bindpw secret
And I was getting the infamous "error 80", which I've learned happens when
there's a mismatch between the suffix and the naming context.
So, what should the last meta look like? I worked around it by simply
repeating the "UserView" configuration, but that's ugly.
--
Dave Horsfall DTM VK2KFU daveh@ci.com.au Ph: +61 2 8425-5508 (d) -5500 (sw)
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia