Hi,
I'd like to set up an LDAP backend toward a remote LDAP server. The base DN of the searches for the remote server is runtime information and can be any valid DN. I used slapd-ldap and found slapo-rwm, which seems to do exactly what I need, so I configured a suffixmassage where I replace the local DN with the remote base DN. So far so good, I got everything working. I even applied some more manipulations on searches and results by rwm. I was almost done except for one (not so) tiny thing: I wanted to have local overrides on certain attributes. I was glad to encounter slapo-translucent, as it documents: "Entries retrieved from a remote LDAP server may have some or all attributes overridden, or new attributes added, by entries in the local database before being presented to the client".
I started to set it up, but to me it looks impossible to combine it with rwm. I used the following example to set up translucent:
http://www.openldap.org/lists/openldap-technical/201205/msg00125.html
I tried to apply rwm together with translucent like 1) first. I thought this was the ideal setup, since I want the suffixmassage only when I turn to the remote LDAP and I want the suffixmassage to be reverted when back from remote.
---
1)
dn: olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config
And the result was:
adding new entry "olcOverlay=rwm,olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={1}hdb,cn=config"
ldap_add: Object class violation (65)
I was a bit disappointed but tried other combinations as well.
2)
dn: olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
dn: olcDatabase={0}ldap,olcOverlay={0}translucent,olcDatabase={2}hdb,cn=config
dn: olcOverlay={1}rwm,olcDatabase={2}hdb,cn=config
This one resulted in suffixmassage for the remote ldap, but also for the translucent local hdb search, which is obviously not a valid DN for the local DB.
As an extra I also faced ITS#5941 (http://www.openldap.org/its/index.cgi/Software%20Bugs?selectid=5941)
3)
dn: olcOverlay={0}rwm,olcDatabase={2}hdb,cn=config
dn: olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config
dn: olcDatabase={0}ldap,olcOverlay={1}translucent,olcDatabase={2}hdb,cn=config
This one resulted in intact suffix for ldap and a suffixmassage for local, which is again useless for my case.
---
I also tried to look at whether I can use the obsolete suffixmassage option of slapd-ldap, but that does not seem to have an olc schema, by looking at the source.
After these trials my conclusion was that I have to find a completely different way of doing this.
Is it not possible to do a suffixmassage on an ldap backend over translucent? For me this is so much a basic use case that I am surprised. Can someone explain if this is a known missing feature or an intentional limitation? If the latter, why?
Any proposal for how to solve local overrides inside slapd? (I wouldn't like to run two slapd instances to separate rwm from translucent.)
Thanks and Regards,
Balazs Kovacs
ps: using OpenLDAP 2.4.28 on an Ubuntu 12.04 LTS
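As an added illustration (not code from the post or from OpenLDAP), the following Python model shows why layouts 2) and 3) above send the wrong search base to one of the two backends: overlays in cn=config run with the highest index outermost, translucent queries its nested ldap database and then the underlying local database, and rwm rewrites only the request that passes through it. The suffixes are constructed and the rewriting is a simplified version of suffixmassage (case-insensitive trailing match on an RDN boundary); layout 1) is modelled as the post intends it, since slapd rejected that entry.

```python
# Model of how slapo-rwm suffixmassage interacts with slapo-translucent.
# Constructed suffixes; the local hdb database and the remote LDAP server base.
LOCAL_SUFFIX = "dc=local,dc=example"    # constructed: suffix of the local hdb database
REMOTE_SUFFIX = "dc=remote,dc=example"  # constructed: base DN of the remote LDAP server


def _split_rdns(dn: str) -> list[str]:
    # Good-enough RDN split for DNs that contain no escaped commas.
    return [rdn.strip() for rdn in dn.split(",")] if dn else []


def massage(dn: str, src_suffix: str, dst_suffix: str) -> str:
    """Rewrite the trailing src_suffix of dn to dst_suffix (simplified suffixmassage).

    Matching is case-insensitive and only on whole RDN boundaries, so
    "dc=xlocal,dc=example" is not treated as lying under "dc=local,dc=example".
    """
    rdns, src = _split_rdns(dn), _split_rdns(src_suffix)
    tail = [r.lower() for r in rdns[-len(src):]] if len(rdns) >= len(src) else None
    if tail != [r.lower() for r in src]:
        return dn  # not under src_suffix: rwm leaves the DN alone
    return ",".join(rdns[:-len(src)] + _split_rdns(dst_suffix))


def unmassage_result(dn: str) -> str:
    """Reverse rewrite rwm applies to DNs of entries coming back from the remote."""
    return massage(dn, REMOTE_SUFFIX, LOCAL_SUFFIX)


def search_bases_seen(setup: int, base: str) -> dict[str, str]:
    """Return the search base each backend receives for a client search of `base`.

    setup 1: rwm attached to the nested ldap database under translucent (wanted layout)
    setup 2: rwm {1} outside translucent {0}: rwm runs first, both searches are massaged
    setup 3: translucent {1} outside rwm {0}: only the underlying local search is massaged
    """
    massaged = massage(base, LOCAL_SUFFIX, REMOTE_SUFFIX)
    if setup == 1:
        return {"local": base, "remote": massaged}
    if setup == 2:
        return {"local": massaged, "remote": massaged}
    if setup == 3:
        return {"local": massaged, "remote": base}
    raise ValueError("setup must be 1, 2 or 3")
```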