Re: backend relay with empty suffix

[Pierangelo Masarati <ando@sys-net.it>]

Hallvard B Furuseth wrote:
> Pierangelo Masarati writes:
>> 3) any other request is served by the relay database,
> 
> Hopefully except requests to read entries local to the server:
> - the root DSE: Search with DN "", scope=base
>   (other scopes should go to the relay database),
> - cn=Subschema.

In this case, yes: the local rootDSE and cn=subschema are accessed as
usual; it's the scope == base that allows the frontend to intercept them.

> Is there a way to get the other ldap server's version of these?
> Or this LDAP server's, if the above are not exceptions from (3:-)?

You should configure a proxy like this

database	ldap
suffix		"cn=remote"
uri		"ldap://remote";
overlay		rwm
rwm-suffixmassage	""

so that anything rooted at "cn=remote" is rewritten stripping the
trailing "cn=remote"; requests for

	"cn=remote", scope == base

will return the remote server's rootDSE; requests for

	"cn=subschema,cn=remote", scope == base

will return the remote server's subschema.

Note that in principle custom code could intercept requests for the
local rootDSE and subschema by means of a global overlay, so that such
requests are handled by the overlay before the frontend gets a chance to
handle them.  This is yet another side-effect of global overlays that
should be documented.  For example, slapo-rwm(5), if configured as
global so that it always adds a trailing DN to each request, something like

overlay		rwm
rwm-suffixmassage	"" "dc=extra"

would prevent rootDSE and subschema from being accessed... maybe this
should be documented.

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.r.l.
via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
---------------------------------------
Office:  +39 02 23998309
Mobile:  +39 333 4963172
Email:   pierangelo.masarati@sys-net.it
---------------------------------------