
Re: Filter proxies?



> Stock OpenLDAP cannot do that; it does something similar with the
> slapo-rwm(5) overlay (OpenLDAP 2.3; in OpenLDAP 2.2 that feature is
> embedded in the proxy backend but the behavior is essentially analogous),
> but only DN valued attributes can be munged.

I note that this question surfaces every now and then.  I recall that when
the functionality of the rwm was first introduced, it was confined to
rewriting the proxied naming context, under the rationale that data
munging was not "ethical" because data belongs to owners, while the naming
context in some sense belongs to whoever is in charge of administering the
DSA, so it could be rewritten if required for the correct functionality of
the DSA.  A driving example was the need to migrate from an
"o=Example,c=XX" to a "dc=example,dc=org" naming context layout allowing
access to the same data under two different naming contexts by means of
virtual views.

However, I understand that administrators may need some munging capability
for whatever reasons; yours is a clear example in those cases where one
can only proxy existing, broken data and cannot fix the data at will. 
Since one issue that would arise by allowing arbitrary rewriting of
attribute values is related to syntax compliance, we could think of an
extension to the rwm overlay, or anything similar, that allows one to define
rewriting rules per attributeType, per syntax or so, including a(n
optional?) consistency check after rewriting, much like it's currently
done in slapo-rwm for DNs.

If this approach sounds reasonable, and if there's consensus, I'd
encourage you to submit an improvement request (a patch would be welcome)
thru the ITS.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497