Re: back-ldap with glue overlay
On Mon, 20 Mar 2006, Aaron Richton wrote:
>I had some fun with this a while back. Lots of syntax that you think would
>work (and likely will work with better rwm/glue interaction) eventually
>runs into one ITS or another, like Howard noted below. I don't remember
>getting anywhere useful with back-relay. In the end, the simplest config
>was the one that worked:
>
>database hdb
>subordinate
>suffix "ou=local,dc=example,dc=com"
>
>database ldap
>suffix "dc=example,dc=com"
That didn't work for me. With a setup like your example, if I bind as
cn=user,ou=a,dc=example,dc=com it seemed like the search base would get
stuck as ou=a,dc=example,dc=com and I couldn't retrieve
cn=foo,ou=b,dc=example,dc=com (though cn=foo,ou=local... worked fine).
What I ended up doing was this:
database meta
suffix "dc=example,dc=com"
# target 1: the real server; operations based under ou=groups are never sent here
uri "ldaps://example.com/dc=example,dc=com"
subtree-exclude "ou=groups,dc=example,dc=com"
# target 2: loop back to this slapd for ou=groups, rewriting the suffix
# to the one the local ldif database actually uses
uri "ldap://localhost/ou=groups,dc=example,dc=com"
suffixmassage "ou=groups,dc=example,dc=com" "ou=groups,dc=local"

database ldif
suffix "ou=groups,dc=local"
directory /var/ldap/local
I like the configuration syntax for back-meta, but it seems like there
ought to be a better way to do the loopback connection; using both
back-relay and back-ldap/meta seemed like too much additional complexity.
--
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
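The following is an added example, not part of the mail thread and not OpenLDAP code. It is a small Python model of how slapd-meta(5) routes a request across the two `uri` targets in the configuration above: `subtree-exclude` drops a target when the request base lies under the excluded subtree, and `suffixmassage` rewrites the virtual suffix to the real one on the way out and back on the way in. It assumes simple DNs (no multi-valued RDNs or escaped commas), case-insensitive matching, subtree-scoped searches and no real LDAP traffic; the hostnames are the ones in the mail.

```python
"""Simplified model of back-meta target selection and DN massaging.

Added example: not from the original mail and not OpenLDAP code.  It
simulates, for the `database meta` block in the mail above, how slapd-meta(5)
decides which `uri` target a request goes to (`subtree-exclude`) and how
`suffixmassage` rewrites DNs on the way out and back.  Assumptions: plain
DNs (no multi-valued RDNs, no escaped commas), case-insensitive matching,
subtree-scoped searches, and no real LDAP traffic.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def dn_parts(dn: str) -> List[str]:
    """Split a DN into normalised RDNs, leftmost first: 'cn=Foo, ou=A' -> ['cn=foo', 'ou=a']."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]


def is_within(dn: str, suffix: str) -> bool:
    """True when dn equals suffix or lies somewhere below it."""
    d, s = dn_parts(dn), dn_parts(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def rewrite_suffix(dn: str, old: str, new: str) -> str:
    """Replace the trailing `old` suffix of dn with `new`; unchanged if dn is not under old."""
    if not is_within(dn, old):
        return dn
    d = dn_parts(dn)
    return ",".join(d[: len(d) - len(dn_parts(old))] + dn_parts(new))


@dataclass
class Target:
    """One `uri` stanza of the meta database."""
    uri: str                       # server part of the uri directive
    suffix: str                    # naming context of that uri, as clients of the meta DB see it
    excludes: List[str] = field(default_factory=list)  # subtree-exclude rules for this target
    massage_to: Optional[str] = None                   # real suffix from suffixmassage, if any

    def request_dn(self, dn: str) -> str:
        """Virtual DN -> DN actually sent to the target."""
        return rewrite_suffix(dn, self.suffix, self.massage_to) if self.massage_to else dn


def result_dn(target: Target, dn: str) -> str:
    """DN returned by the target -> virtual DN handed back to the client."""
    return rewrite_suffix(dn, target.massage_to, target.suffix) if target.massage_to else dn


def route(targets: List[Target], base: str) -> List[Tuple[str, str]]:
    """(uri, base as sent) for every target a subtree search on `base` is fanned out to."""
    hits = []
    for t in targets:
        if is_within(base, t.suffix):
            # base lies inside this target; an exclude rule covering it drops the target
            if any(is_within(base, ex) for ex in t.excludes):
                continue
            hits.append((t.uri, t.request_dn(base)))
        elif is_within(t.suffix, base):
            # base is above the target, so the target's whole context is part of the result
            hits.append((t.uri, t.request_dn(t.suffix)))
    return hits


def thread_config() -> List[Target]:
    """The two targets from the `database meta` block in the mail above (hostnames as given there)."""
    return [
        Target("ldaps://example.com", "dc=example,dc=com",
               excludes=["ou=groups,dc=example,dc=com"]),
        Target("ldap://localhost", "ou=groups,dc=example,dc=com",
               massage_to="ou=groups,dc=local"),
    ]


if __name__ == "__main__":
    cfg = thread_config()
    for base in ("dc=example,dc=com",
                 "cn=foo,ou=b,dc=example,dc=com",
                 "cn=admins,ou=groups,dc=example,dc=com"):
        print(base)
        for uri, sent in route(cfg, base):
            print("   ->", uri, "base", sent)
    # the reverse rewrite for an entry returned by the loopback target
    print(result_dn(cfg[1], "cn=admins,ou=groups,dc=local"))
```

Running it shows the three cases the mail cares about: a search based at dc=example,dc=com fans out to both targets (the loopback one with its base massaged to ou=groups,dc=local), a search under ou=b goes only to the remote server, and a search under ou=groups goes only to the local ldif database. The model also makes one limitation of subtree-exclude visible: a search based above the excluded subtree is still sent to the remote target with its full base, so any ou=groups the remote server happens to hold would come back alongside the local one. A separate point to check in a real deployment is that the loopback target speaks plain ldap:// to localhost while the remote target uses ldaps://; OpenLDAP's ldapi:// scheme (a Unix-domain socket) is the usual way to keep the loopback hop off TCP entirely.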