proxy + backend meta + rewrite
Hello,
Context:
We have 2 directories, 1 Microsoft for domain domain1.fr, 1 Notes for
domain domain2.fr. In reality, we have more domains and 3 directories
but the problem remains the same.
We have an application which can produce only one type of request, like
the following:
ldapsearch -Wxy /tmp/pwdfile -h 127.0.0.1 -D "cn=robot,dc=foo,dc=com" -b "dc=foo,dc=com" "(attributMail=jhe@domain1.fr)"
We planned to use an intelligent LDAP proxy with rewriting
functionality (OpenLDAP with backend meta and rewrite rules) to be
able to "adapt" the LDAP query to the context (the domain): select the
right directory and use the right attribute name. Moreover, we want to be
able to query 2 LDAP servers (in a cluster) instead of one for high
availability needs.
But we don't know how to do this, or even if it's possible.
We have thought of a slapd.conf configuration like this:
----------------------
backend meta
database meta
suffix "dc=foo,dc=com"
lastmod off
rootdn "cn=robot,dc=foo,dc=com"
rootpw "*****"
uri "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com" "ldap://ldap2_domain1:389/dc=ad,dc=foo,dc=com"
rewriteEngine on
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw "*****"
uri "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com" "ldap://ldap2_domain2:389/dc=notes,dc=foo,dc=com"
rewriteEngine on
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw "*****"
----------------------
So how is it possible to rewrite the search request
-b "dc=foo,dc=com" "(attributMail=jhe@domain1.fr)"
to
-b "dc=ad,ou=users,dc=foo,dc=com" "(userPrincipalName=jhe@domain1.fr)"
or the search request
-b "dc=foo,dc=com" "(attributMail=jhe@domain2.fr)"
to
-b "dc=notes,ou=Utilisateurs,dc=foo,dc=com" "(mail=jhe@domain2.fr)" ?
Note: I already noted a problem with the use of attributes unknown to
the OpenLDAP proxy, such as userPrincipalName.
Note: Currently I use an OpenLDAP package powered by Ubuntu Dapper and
another build powered by Red Hat EL 4, but if it is necessary to rebuild
from CVS, it's not a problem.
Best regards,
--
Johann Heymes.
Cyber-Networks -- Net2S Group
Consultant Sécurité Informatique, Intégrateur de Solutions.
100, Terrasse Boieldieu Tour Franklin -- La Défense 8
92042 Paris La Défense Cedex
Tél. : 01 42 04 95 95 Fax : 01 42 04 95 87
www : http://www.cyber-networks.fr
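One way to get the per-domain attribute renaming and base massaging the post asks for, as an added example that is not part of the original message or of the OpenLDAP project's own documentation: back-meta's `map attribute` directive renames the virtual attribute on each target, `suffixmassage` handles the base, and each target gets a two-host URI pool. It assumes the host names, DNs and virtual attribute from the post, a local schema file `local-proxy.schema` that declares `attributMail`, the `map attribute <local name> <foreign name>` direction as documented in slapd-meta(5), and that the second URI of a pool carries no naming context (check both against the man page of your version).

```conf
# Added example, not from the original post: back-meta proxy that leaves the
# application's query unchanged and adapts it per target directory.
# Assumptions: OpenLDAP 2.2/2.3 back-meta; names and DNs taken from the post.

include     /etc/openldap/schema/core.schema
# The proxy parses the client's filter with its own schema, so the virtual
# attribute "attributMail" must be declared locally (an attributetype under
# your own OID arc). Assumed file name:
include     /etc/openldap/schema/local-proxy.schema

database    meta
suffix      "dc=foo,dc=com"
lastmod     off
rootdn      "cn=robot,dc=foo,dc=com"
rootpw      "*****"

# Target 1: Active Directory for domain1.fr, two hosts in one pool for HA.
# Assumed multi-URI form: naming context on the first URI only.
uri           "ldap://ldap1_domain1:389/dc=ad,dc=foo,dc=com ldap://ldap2_domain1:389/"
suffixmassage "dc=ad,dc=foo,dc=com" "dc=domain1,dc=fr"
pseudorootdn  "cn=subRobot,dc=domain1,dc=fr"
pseudorootpw  "*****"
# Virtual (client-side) name -> real name on this target. The mapping is
# applied to the filter, the requested attributes and the returned entries.
map attribute attributMail userPrincipalName

# Target 2: Notes directory for domain2.fr, same pattern.
uri           "ldap://ldap1_domain2:389/dc=notes,dc=foo,dc=com ldap://ldap2_domain2:389/"
suffixmassage "dc=notes,dc=foo,dc=com" "dc=domain2,dc=fr"
pseudorootdn  "cn=subRobot,dc=domain2,dc=fr"
pseudorootpw  "*****"
map attribute attributMail mail
```

Because the client's base `dc=foo,dc=com` lies above both target naming contexts, back-meta sends every search to every target: `(attributMail=jhe@domain1.fr)` reaches AD as `(userPrincipalName=...)` and Notes as `(mail=...)`, where it simply matches nothing, so the `subRobot` accounts bind on all directories for each query and should be read-only. To confine a target to a subtree such as `ou=users`, put that subtree in the target's URI naming context and in its `suffixmassage` pair instead of the domain root.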