Meta to Ldap loopback not working.
- To: OpenLDAP-software@OpenLDAP.org
- Subject: Meta to Ldap loopback not working.
- From: "Matthew Stier" <Matthew.Stier@us.fujitsu.com>
- Date: Tue, 20 Dec 2005 12:41:20 -0500
- Organization: Fujitsu Network Communications
- User-agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7.12) Gecko/20050928
I am almost successful in implementing a metadirectory server; however,
I am running into a "loopback" problem.
The purpose of this metadirectory is to query three other directory
servers (labelled NY, TX and CORP) and return a composite of their
results. The NY and TX directory servers permit anonymous access. The
CORP directory does not.
To implement this, the slapd.conf file I have created has two
'databases'. The first is the 'meta' database, and implements the
querying, and compositing the results. The second is the 'ldap'
database which is used to provide anonymous access to the non-anonymous
server.
I am using OpenLDAP 2.3.13 and it is running on port 3389 on the
'ldap.ny.example.com' server.
Here is a list of what works:
Queries to the 'ldap' proxy ("OU=Users,OU=Enterprise") work
Queries to the NY proxy (dc=ny,dc=example,dc=com) work
Queries to the TX proxy (dc=tx,dc=example,dc=com) work
Queries to the CORP proxy (dc=corp,dc=example,dc=com) fail
Queries to the 'meta' proxy (dc=example,dc=com) return NY and TX.
(Should return NY, TX and CORP)
<slapd.conf>
include         /opt/openldap/2.3.13/etc/openldap/schema/core.schema
include         /opt/openldap/2.3.13/etc/openldap/schema/cosine.schema
include         /opt/openldap/2.3.13/etc/openldap/schema/inetorgperson.schema
include         /opt/openldap/2.3.13/etc/openldap/schema/ad.schema

pidfile         /opt/openldap/2.3.13/var/run/slapd.pid
argsfile        /opt/openldap/2.3.13/var/run/slapd.args

loglevel        -1

access to *
        by * read

allow           bind_v2
defaultsearchbase "dc=example,dc=com"
lastmod         off
readonly        on

#######################################################################
# database definitions
#######################################################################

database        meta
suffix          "dc=example,dc=com"

uri             "ldap://ldap.ny.example.com:3389/dc=corp,dc=example,dc=com"
suffixmassage   "dc=corp,dc=example,dc=com" "OU=Users,OU=Enterprise"

uri             "ldap://ldap.ny.example.com:389/dc=ny,dc=example,dc=com"
suffixmassage   "dc=ny,dc=example,dc=com" "o=ny"

uri             "ldap://ldap.tx.example.com:389/dc=tx,dc=example,dc=com"
suffixmassage   "dc=tx,dc=example,dc=com" "o=tx"

database        ldap
suffix          "OU=Users,OU=Enterprise"
uri             ldap://ldap.fnc.net.local:3268/

acl-bind
        bindmethod=simple
        binddn="CN=LDAP Search Only User,OU=Users,OU=Enterprise"
        credentials="<LDAP SEARCH Only password>"
        authzID="LDAP Search Only User"

idassert-bind
        bindmethod=simple
        binddn="CN=LDAP Search Only User,OU=Users,OU=Enterprise"
        credentials="LDAP Search Only User"
        mode=none

# This controls what attribs can be accessed by the LDAP proxy.
# The last rwm-map line maps all other attributes to nothing.
overlay rwm
rwm-map objectclass account user
rwm-map attribute uid sAMAccountname
rwm-map attribute cn name
rwm-map attribute sn sn
rwm-map attribute mail mail
rwm-map attribute company company
rwm-map attribute entry entry
rwm-map attribute givenName givenName
rwm-map attribute telephoneNumber telephoneNumber
rwm-map attribute *
</slapd.conf>
--
Matthew Lee Stier * Fujitsu Network Communications
Unix Systems Administrator | Two Blue Hill Plaza
Ph: 845-731-2097 Fx: 845-731-2011 | Sixth Floor
Matthew.Stier@us.fujitsu.com * Pearl River, NY 10965
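An added diagnostic, not from the post above or from OpenLDAP itself, that parses the meta and ldap database stanzas of a slapd.conf and reports any meta target that points back at the same slapd instance. The listener host and port are assumed inputs (the post says slapd runs on ldap.ny.example.com:3389), and SAMPLE_CONF is a constructed excerpt of the posted configuration.

```python
"""Added diagnostic, not from the original post or from OpenLDAP: parse the
'database' stanzas of a slapd.conf and flag any meta-backend target aimed at this
slapd's own listener (an assumed input; the post says ldap.ny.example.com:3389)
whose real naming context another database in the same file already serves."""
import shlex
from urllib.parse import unquote, urlsplit

SAMPLE_CONF = """\
database meta
suffix "dc=example,dc=com"
uri "ldap://ldap.ny.example.com:3389/dc=corp,dc=example,dc=com"
suffixmassage "dc=corp,dc=example,dc=com" "OU=Users,OU=Enterprise"
database ldap
suffix "OU=Users,OU=Enterprise"
"""  # constructed excerpt of the posted slapd.conf, limited to inspected directives

def norm_dn(dn):  # case-fold and trim each RDN so differently written DNs compare equal
    return ",".join(p.strip().lower() for p in dn.split(","))

def parse_databases(text):
    """Return [{type, suffix, targets: [[uri, real_dn]]}]; a suffixmassage line belongs to the most recent uri."""
    dbs = []
    for line in text.splitlines():
        parts = shlex.split(line, comments=True)
        if not parts:
            continue
        key = parts[0].lower()
        if key == "database":
            dbs.append({"type": parts[1].lower(), "suffix": None, "targets": []})
        elif dbs and key == "suffix":
            dbs[-1]["suffix"] = parts[1]
        elif dbs and key == "uri":
            dbs[-1]["targets"].append([parts[1], None])
        elif dbs and key == "suffixmassage" and dbs[-1]["targets"]:
            dbs[-1]["targets"][-1][1] = parts[2]  # args: <virtual dn> <real dn>
    return dbs

def find_loopbacks(text, listen_host, listen_port):
    """Yield (target_uri, local_db_type, local_suffix) for each target this same slapd would answer."""
    dbs = parse_databases(text)
    local = {norm_dn(d["suffix"]): d["type"] for d in dbs if d["suffix"]}
    for db in dbs:
        for uri, real_dn in (db["targets"] if db["type"] == "meta" else []):
            u = urlsplit(uri)
            if (u.hostname or "").lower() != listen_host.lower() or (u.port or 389) != listen_port:
                continue
            base = norm_dn(real_dn or unquote(u.path.lstrip("/")))  # DN the target actually receives
            sfx = next((s for s in local if base == s or base.endswith("," + s)), None)
            if sfx:
                yield (uri, local[sfx], sfx)
```

Run against the full posted file with the real listener host and port; a hit means the meta backend is sending the CORP leg of every search back into its own ldap database rather than out to the CORP server.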