RE: LDAP proxy with features
> -----Original Message-----
> From: Pierangelo Masarati [mailto:ando@sys-net.it]
> Sent: Monday, December 05, 2005 10:05
> To: Pratt, Benjamin E.
> Cc: openldap-software@openldap.org
> Subject: Re: LDAP proxy with features
>
>
> > Hello. A few months ago I tried setting up an OpenLDAP server to:
> >
> > 1. Act as a proxy to several other LDAP servers.
> > 2. Accept LDAP requests and convert them to LDAPS requests before going
> > to backend servers.
> > 3. Allow attribute mapping for specific attributes to certain backend
> > directories.
> >
> > I was running OpenLDAP 2.2 and had points 2 and 3 working great but
> > point 1 was a problem because many of the other LDAP attributes didn't
> > pass through the proxy.
> >
> > This week I started looking into this again and saw a posting to the
> > list from a user who said that OpenLDAP 2.3 resolves this issue. I
> > upgraded and yes, the proxying of attributes to the backend server issue
> > was resolved. Unfortunately points 2 and 3 were broken.
>
> I'd restate this as "I was unable to make them work"; the code, as far as
> my intensive recent testing is concerned, is fully functional. In fact, your
> configuration looks broken in a few points.
>
> >
> > I installed the FreeBSD port using the command:
> >
> > make CONFIGURE_ARGS="--enable-ldap=yes --enable-meta=yes
> > --enable-rewrite=yes --enable-rwm=yes --with-tls=openssl" install clean
> >
> > My slapd.conf file contains:
> >
> > database ldap
> > lastmod off
> > suffix "DC=university,DC=edu"
> > directory /var/db/openldap-data
> > rwm-map attribute displayName cn
> > uri "ldap://193.18.49.200 ldap://193.18.49.201 ldap://193.18.49.202"
> >
> > When I change the uri to point to protocols ldaps (e.g.
> > ldaps://193.18.49.200) the proxy breaks. Also, I used to have "map
> > attribute displayName cn" working but now the configuration appears to
> > be rwm-map but that is not working.
> >
> > Are my install options correct for LDAPS? Is a proxy conversion from
> > LDAP to LDAPS still possible?
>
> Yes, as per the documentation of slapd.conf(5), ldap.conf(5) and
> slapd-ldap(5). In detail, the proxy (back-ldap) is using the libldap
> client library as a client, and thus its configuration, specifically with
> respect to TLS, should follow the directives in ldap.conf(5). I suspect
> you took the malfunction as broken code and you didn't investigate
> the real reason for the misbehaviour, which is 99% likely to be related to
> misconfiguration.
>
> >
> > Am I using the map attribute options correctly?
>
> No.
>
> > If not, what is the correct way?
>
> The slapo-rwm(5) overlay requires explicit instantiation by "overlay rwm";
> otherwise, the rwm-map directive is likely to result in a warning.
>
> >
> > I appreciate any help that the community has to offer. If I need to
> > provide any more info please let me know. Thanks.
>
> In general, moving between minor version numbers requires re-surfing through
> the documentation, because things happen to change, and most of the time they
> improve. Otherwise there would be no reason to have 2.3; we'd still be
> playing with 2.0.
>
> p.
>
> --
> Pierangelo Masarati
> mailto:pierangelo.masarati@sys-net.it
>
<snip>
I am sorry for my misspeaking. I intended to say that my setup was
broken and not the application. I am sorry for my poor choice of words.
I thank you for the help and will continue to look deeper.
The only configuration file I ended up changing was slapd.conf. After I
changed "map attribute" to read "rwm-map attribute" I was able to run
slaptest with no errors whether I was pointing at a backend server via
ldap or ldaps.
Ben
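For reference, the configuration this thread converges on, written as an added example rather than taken from either poster: the back-ldap fragment as posted, next to a corrected version with slapo-rwm instantiated by "overlay rwm" and the backends reached over LDAPS, plus the ldap.conf(5) TLS settings that back-ldap inherits from libldap. The ldap.conf location (FreeBSD port prefix) and the CA bundle path are assumptions.

```conf
# --- slapd.conf, back-ldap section as posted in the thread ---------------
# Problems: rwm-map appears without "overlay rwm", so it only yields a
# warning, and the backends are reached over plain ldap://.
database   ldap
lastmod    off
suffix     "DC=university,DC=edu"
directory  /var/db/openldap-data
rwm-map    attribute displayName cn
uri        "ldap://193.18.49.200 ldap://193.18.49.201 ldap://193.18.49.202"

# --- slapd.conf, corrected back-ldap section ----------------------------
database   ldap
lastmod    off
suffix     "DC=university,DC=edu"
# back-ldap keeps no local data, so the bdb-style "directory" is not needed.
# Point 2 of the original post: clients speak LDAP to the proxy, the proxy
# speaks LDAPS to every backend.
uri        "ldaps://193.18.49.200 ldaps://193.18.49.201 ldaps://193.18.49.202"
# Point 3: slapo-rwm must be instantiated before any rwm-* directive is read.
overlay    rwm
rwm-map    attribute displayName cn

# --- /usr/local/etc/openldap/ldap.conf (assumed path for the FreeBSD port) -
# libldap, and therefore back-ldap, takes its TLS client settings from here,
# not from slapd.conf.  Without a trusted CA the ldaps:// connections fail,
# which is the "proxy breaks" symptom reported in the thread.
TLS_CACERT  /usr/local/etc/openldap/backend-ca.pem   # assumed path
# "demand" makes the proxy reject a backend whose certificate does not
# verify, so it cannot be silently pointed at an impostor directory.
TLS_REQCERT demand
```

With TLS_REQCERT demand the backend certificates must be issued for the hosts named in the uri directive (here bare IP addresses), so a DNS name matching the certificate is usually the easier choice. Run slaptest after the change, as Ben did, to confirm both files parse before restarting slapd.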