[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Syncrepl + suffixmassage + uniqueMember

To: Steffen Kaiser <vm5015995887542392v@vmail.inf.h-brs.de>, openldap-technical@openldap.org
Subject: Re: Syncrepl + suffixmassage + uniqueMember
From: Michael Ströder <michael@stroeder.com>
Date: Fri, 27 Jul 2018 09:30:27 +0200
In-reply-to: <alpine.DEB.2.11.1807261434420.3785@pc-2m63>
References: <alpine.DEB.2.11.1807261434420.3785@pc-2m63>
User-agent: Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1

Attribute 'uniqueMember' has LDAP syntax "Name And Optional UID"(1.3.6.1.4.1.1466.115.121.1.34). I would not expect slapo-memberof andslapo-rwm's rwm-suffixmassage to work with that.


Use group entries based on groupOfNames with attribute 'member' instead.

Ciao, Michael.

On 07/26/2018 02:41 PM, Steffen Kaiser wrote:

currently we have three OpenLDAP servers in multi-master mode and withMemberOf .


Currently, the base DN is dc=oldorgname,dc=de. The name of the
organization changed and all entries should be accessable through base
dc=neworgname,dc=de and all attributes with DNs as value shall return
this new base.

First I tried relay with rwm in this configuration:

dn: cn=module{1},cn=config
changetype: modify
add: olcmoduleload
olcModuleLoad: back_relay.la

dn: olcDatabase={2}relay,cn=config
changetype: add
objectClass: olcRelayConfig
olcSuffix: dc=neworgname,dc=de
olcRelay: dc=oldorgname,dc=de

dn: olcOverlay=rwm,olcDatabase={2}relay,cn=config
changetype: add
objectClass: olcRwmConfig
olcRwmRewrite: rwm-suffixmassage "dc=oldorgname,dc=de"


But this caused slapd to dump core at different entries, when I query
the whole database as administrator pulling all attributes. As this module
is "experimental", so I went another way.

Should I try another config?

Second, I tried to create a consumer server with a separate database
using and suffixmassage.

olcSyncrepl: {2}rid=004 provider=ldap://server:389/ bindmethod=simpl
  e binddn="cn=dn" credentials="pwd" s
  earchbase="dc=oldorgname,dc=de" scope=sub schemachecking=on type=re
  freshAndPersist retry="5 2 30 2 60 +" interval=00:00:00:30 timeout=0
network-time
  out=0  keepalive=0:0:0 attrs="*,+" suffixmassage="dc=neworgname,dc=de"


The sync proceeded, but I ended with uniqueMember attributes with the
old base:

dn: cn=team,ou=groups,dc=ou,dc=neworgname,dc=de
uniqueMember: uid=user,ou=peolple,dc=ou,dc=oldorgname,dc=de

The value of the attribute "member" gets rewritten into the new orgname.

Ist this a bug or intentional behaviour?

Kind regards,



--
Michael Ströder                 Klauprechtstr. 11
Dipl.-Inform.                   D-76137 Karlsruhe, Germany
Tel.: +49 721 8304316           Mobil: +49 170 2391920
E-Mail: michael@stroeder.com    https://www.stroeder.com

Attachment: smime.p7s
Description: S/MIME Cryptographic Signature

References:
- Syncrepl + suffixmassage + uniqueMember
  - From: Steffen Kaiser <vm5015995887542392v@vmail.inf.h-brs.de>

Prev by Date: Re: Replication mutli-master via DNS record ?
Next by Date: python-ldap validate LDAPObject.modify_ext_s
Index(es):
- Chronological
- Thread