Re: ldap (openldap) dynamic subtree combination for responses

[Howard Chu <hyc@symas.com>]

vlad florentino wrote:
> LDAP Server: OpenLDAP 2.4.24
> 
> Linux Distro: Fedora 15
> 
> (I believe this question is generally about returning properties in
> subentries, when performing searches on a parent entry, in a way that's

You mean "child entries" not "subentries".

> transparent to clients making the requests. However, I have worded my question
> to be based on my specific usecase.)
> 
> ------------------------------------------------------------------------------
> 
> Hi,
> 
> I have successfully configure the Linux sssd service to fetch user loging
> information from an LDAP directory service (which happens to be in the same
> machine). The file to configure for this lives at /etc/sssd/sssd.conf
> 
> I have tested that I can create a linux user account in the LDAP directory, by
> creating an entry under the relevant DN. That node includes the objectClass
> 'posixAccount'.
> 
> |ou=people
>    |
>    - uid=1000 # This entry has the objectClass 'posixAccount'
> |
> 
> performing a:
> 
> |getent passwd | grep the-ldap-based-linux-username
> |
> 
> yields correct information.
> 
> Now, for my problem:
> 
> I'm trying to configure the LDAP directory such that credentials information
> is not duplicated. I would like to define the entries like so:
> 
> |ou=people
>    |
>    - uid=1000 # No possixAccount objectClass
>      |
>      + cn=contact-info # contact stuff ...
>      - cn=account      # contains subtrees for account related stuff.
>        |
>        - cn=credentials     # Fields: uid, userPassword, uidNumber, gidNumber
>        - cn=linux-account   # Fields: homeDirectory, loginShell, ...
>        - cn=windows-account # Fields: winHomeDirectory, sambaServerUrl, ...
>        - cn=samba-account   # Fields: space-quota, ...
> |
> 
> The point of what I'm trying to accomplish is that when ldap clients, such as
> the Linux sssd deamon, perform an account info search/fetch, they do so at the
> following node (not at it's subnodes):
> 
> | cn=account,uid=1000,ou=people
> |
> 
> And that, somehow, the OpenLDAP server would know to combine the info
> contained in the relevant subentries of cn=account, and return those to the
> client, as if those extries existed at cn=account.
> 
> This would work, of course, if I were to place all the info at the cn=account
> node. But, that's what I'm trying to avoid.
> 
> I've try a few things, which have all been unsuccessful.
> 
> Is it possible to do this with OpenLDAP (or LDAP in general)? If so, how?

That is not a feature of LDAP. Nor is this a typical usage. Why are you
partitioning the data like this, it looks like you're thinking of SQL. All of
the account info should simply be in the single entry.

> Regards,
> 
> Vlad
> 
> ------------------------------------------------------------------------------
> 
> PS:
> 
> A trick that I've found useful, and which can help in the final solution to
> the problem, is that the sssd deamon allows one to configure the name of the
> 'posixAccount'-like objectClass that it should use to locate account info. I
> noticed that I can tell it do look for a certain class, say c-linux-account,
> which I then define as an empty auxilary class. The daemon will successfully
> find entries, which contain this class. Then, if those entries contain
> properties named uid, userPassword, homeDirectory, etc, it will use those
> properties for their values. So, I can add that property to cn=account, and
> the deamon will find that entry correctly. I just now have to tell OpenLDAP to
> combine the entries below that node, and return them in the query.
> 


-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/