Proxy cache and rewrite rules



I'm trying to get a proxy cache to work with a meta backend that does 
rewrites.  The idea is that a bunch of non-overlapping directories are 
searched en masse with a dummy base of "dc=AdminView" (not my choice of 
suffix) and the actual entries returned.

So, we have something like:

#
# This constructs a view of *all* directories.
#
database	meta
access	to * by * read
suffix	"dc=AdminView"

uri	"ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
rewriteEngine	on
rewriteContext	default
rewriteRule	"(.*)dc=AdminView$" "%1dc=au,dc=cordoors,dc=dev" ":"
rebind-as-user	true
acl-authcDN	"cn=Manager,dc=au,dc=cordoors,dc=dev"
acl-passwd	"XXX"

uri	"ldapi://%2fvar%2frun%2fopenldap%2fldapi/dc=AdminView"
rewriteEngine	on
rewriteContext	default
rewriteRule	"(.*)dc=AdminView$" "%1dc=id,dc=cordoors,dc=dev" ":"
rebind-as-user	true
acl-authcDN	"cn=Manager,dc=id,dc=cordoors,dc=dev"
acl-passwd	"XXX"

Etc.  The "dc=dev" indicates our development system (again, not my 
choice).  It rebinds against itself (ldapi turned out to be more efficient 
than a network connection) and searches the "real" directories 
"dc=au,dc=cordoors,dc=dev" etc.

This works marvellously, although I have a feeling that it could be done a 
better way.  Anyway, I then configured a proxy cache:

overlay		pcache
proxycache	bdb 1000 1 100 60
proxyattrset	0 ciApp ciAppType ciHost ciStatus ciPortNum ciDBPath description ciAppVar ciDomainMember cn
proxytemplate	(&(objectClass=)(ciApp=)) 0 3600
proxycache-directory	/var/tmp/AdminViewCache
proxycache-index	objectClass eq
proxycache-index	cn,ciApp,ciAppType,ciHost,ciStatus,ciPortNum,ciDBPath,description,ciAppVar,ciDomainMember pres,eq,sub

and promptly ran into the issue in ITS #4411 (SLAPD went into a loop).

Howard's diagnosis was:

> OK, stepping thru with gdb I see there's something looping because it's 
> trying to write the entry ciApp=orck,dc=au,dc=cordoors,dc=dev into the 
> cache database, but you've defined that DB to have the suffix 
> dc=AdminView. The syncrepl_add_glue function is treating the DN 
> incorrectly because it expected the entry to have a suffix equal to the 
> DB suffix. Basically your rewrite rule isn't affecting the searchResult 
> context, so the entry has the wrong DN, and it becomes a case of GIGO 
> from there on.

OK, I understand that, and I've tried a few things (most of which sent 
SLAPD into a loop again, but I'm not reporting it as a bug because it's 
clearly a bad configuration) with no luck.

If I rewrote the result so it would be cached, wouldn't the application
then see the rewritten result?  I want to search several non-overlapping
directories, and have the actual entry returned; it seems to be that this won't
fit with the concept of the proxy cache.

Can this actually be done?

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9552-5509 (d) -5500 (sw)
Corinthian Engrng P/L, Ste 54 Jones Bay Whf, 26-32 Pirrama Rd, Pyrmont 2009, AU
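
Added example, not part of the original post and not OpenLDAP code: a small Python model of the DN mismatch in the quoted diagnosis, using the suffixes and the rewriteRule pattern from the posted configuration. The reverse mapping of results (map_result) is hypothetical, the DN comparison is simplified, and the second sample DN is constructed.

```python
import re

DB_SUFFIX = "dc=AdminView"                        # suffix of the meta/pcache database (from the post)
TARGETS = ["dc=au,dc=cordoors,dc=dev",            # real suffixes named in the two rewriteRule lines
           "dc=id,dc=cordoors,dc=dev"]

def is_under(dn, suffix):
    """Simplified suffix test (assumption: no extra spaces or escaped commas in the DN)."""
    d, s = dn.lower(), suffix.lower()
    return d == s or d.endswith("," + s)

def rewrite_request(dn, target):
    """Model of: rewriteRule "(.*)dc=AdminView$" "%1<target>" ":" in the default context."""
    m = re.match(r"(.*)dc=AdminView$", dn)
    return m.group(1) + target if m else dn

def map_result(dn, target):
    """Hypothetical reverse mapping applied to search results (not in the posted config)."""
    return dn[:len(dn) - len(target)] + DB_SUFFIX if is_under(dn, target) else dn

def trace(entry_dn, target, reverse_map):
    """Return (DN handed to the cache and client, whether it fits under DB_SUFFIX)."""
    dn = map_result(entry_dn, target) if reverse_map else entry_dn
    return dn, is_under(dn, DB_SUFFIX)

def collisions(results):
    """Mapped DNs that more than one target would produce once results are rewritten."""
    seen = {}
    for entry_dn, target in results:
        seen.setdefault(map_result(entry_dn, target).lower(), set()).add(target)
    return sorted(dn for dn, t in seen.items() if len(t) > 1)

# Constructed sample: the first DN is the one in the quoted diagnosis, the second is made up.
SAMPLE = [("ciApp=orck,dc=au,dc=cordoors,dc=dev", TARGETS[0]),
          ("ciApp=orck,dc=id,dc=cordoors,dc=dev", TARGETS[1])]

if __name__ == "__main__":
    print(rewrite_request("ciApp=orck,dc=AdminView", TARGETS[0]))
    for dn, target in SAMPLE:
        print(trace(dn, target, reverse_map=False), trace(dn, target, reverse_map=True))
    print(collisions(SAMPLE))
```

Without the reverse mapping the entry keeps its real DN and falls outside dc=AdminView, which is the condition the diagnosis describes; with it, the entry fits the cache suffix but carries the dc=AdminView DN, and same-named entries from different targets map to one DN.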