Re: backend relay with empty suffix
Hallvard B Furuseth wrote:
> Pierangelo Masarati writes:
>> 3) any other request is served by the relay database,
>
> Hopefully except requests to read entries local to the server:
> - the root DSE: Search with DN "", scope=base
> (other scopes should go to the relay database),
> - cn=Subschema.

In this case, yes: the local rootDSE and cn=subschema are accessed as
usual; it's the scope == base that allows the frontend to intercept them.

> Is there a way to get the other ldap server's version of these?
> Or this LDAP server's, if the above are not exceptions from (3:-)?

You should configure a proxy like this

    database ldap
    suffix "cn=remote"
    uri "ldap://remote"
    overlay rwm
    rwm-suffixmassage ""

so that anything rooted at "cn=remote" is rewritten stripping the
trailing "cn=remote"; requests for

    "cn=remote", scope == base

will return the remote server's rootDSE; requests for

    "cn=subschema,cn=remote", scope == base

will return the remote server's subschema.

Note that in principle custom code could intercept requests for the
local rootDSE and subschema by means of a global overlay, so that such
requests are handled by the overlay before the frontend gets a chance to
handle them. This is yet another side-effect of global overlays that
should be documented. For example, slapo-rwm(5), if configured as
global so that it always adds a trailing DN to each request, something like

    overlay rwm
    rwm-suffixmassage "" "dc=extra"

would prevent rootDSE and subschema from being accessed... maybe this
should be documented.

p.

Ing. Pierangelo Masarati
OpenLDAP Core Team
SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office: +39 02 23998309
Mobile: +39 333 4963172
Email: pierangelo.masarati@sys-net.it
---------------------------------------
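
The two rewrites described in the message above, as an added example that is not part of the original post and is not OpenLDAP code: a simplified Python model of suffix massaging and of the frontend's base-scope interception. The function names, the routing model, and the DN handling (no escaped commas, case-insensitive comparison) are assumptions made for illustration.

```python
# Simplified model of slapo-rwm suffix massaging; NOT OpenLDAP code.
# Assumption: DNs contain no escaped commas and compare case-insensitively.

def rdns(dn):
    """Split a DN into normalized RDNs; the empty DN has none."""
    return [r.strip().lower() for r in dn.split(",") if r.strip()]

def massage(dn, virtual, real):
    """Map dn from the virtual naming context to the real one.
    Returns None when dn is not under the virtual context."""
    d, v = rdns(dn), rdns(virtual)
    keep = len(d) - len(v)
    if keep < 0 or d[keep:] != v:
        return None
    return ",".join(d[:keep] + rdns(real))

# Entries the frontend answers itself when scope == base (per the thread).
LOCAL_ENTRIES = {"", "cn=subschema"}

def route(dn, scope, global_massage=None):
    """Say who answers a search. global_massage is a (virtual, real) pair
    modelling a global rwm overlay that runs before the frontend."""
    if global_massage is not None:
        rewritten = massage(dn, *global_massage)
        if rewritten is not None:
            dn = rewritten
    if scope == "base" and ",".join(rdns(dn)) in LOCAL_ENTRIES:
        return "frontend"
    return "database"

if __name__ == "__main__":
    # Proxy database: suffix "cn=remote", rwm-suffixmassage "".
    for dn in ("cn=remote", "cn=subschema,cn=remote"):
        print("proxy sends %r as %r" % (dn, massage(dn, "cn=remote", "")))
    # Global overlay: rwm-suffixmassage "" "dc=extra".
    for dn in ("", "cn=Subschema"):
        print("%r base -> %s without overlay, %s with it" % (
            dn, route(dn, "base"), route(dn, "base", ("", "dc=extra"))))
```

With the global overlay in place, both local entries are rewritten under "dc=extra" before the base-scope check, which is why a monitoring probe that reads the rootDSE or subschema is a quick way to notice this misconfiguration.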