> Stock OpenLDAP cannot do that; it does something similar with the
> slapo-rwm(5) overlay (OpenLDAP 2.3; in OpenLDAP 2.2 that feature is
> embedded in the proxy backend but the behavior is essentially analogous),
> but only DN valued attributes can be munged.

I note that this question surfaces every now and then. I recall that when the functionality of the rwm was first introduced, it was confined to rewriting the proxied naming context, under the rationale that data munging was not "ethical" because data belongs to owners, while the naming context in some sense belongs to whoever is in charge of administering the DSA, so it could be rewritten if required for the correct functionality of the DSA. A driving example was the need to migrate from an "o=Example,c=XX" to a "dc=example,dc=org" naming context layout allowing access to the same data under two different naming contexts by means of virtual views.

However, I understand that administrators may need some munging capability for whatever reasons; yours is a clear example in those cases where one can only proxy existing, broken data and cannot fix the data at will.

Since one issue that would arise by allowing arbitrary rewriting of attribute values is related to syntax compliance, we could think of an extension to the rwm overlay, or anything similar, that allows defining rewriting rules per attributeType, per syntax or so, including a(n optional?) consistency check after rewriting, much like it's currently done in slapo-rwm for DNs.

If this approach sounds reasonable, and if there's consensus, I'd encourage you to submit an improvement request (a patch would be welcome) thru the ITS.

p.

--
Pierangelo Masarati
mailto:[EMAIL PROTECTED]

SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
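
A sketch of the extension proposed in the message above, as an added example that is not part of the original post and is not OpenLDAP code: per-attributeType rewrite rules, each followed by a syntax check on the rewritten value. The rule table, function names, sample entry and the drop-and-report policy for values that fail the check are assumptions, and the syntax checks are deliberately simplified.

```python
import re

REAL_SUFFIX = "o=Example,c=XX"        # naming contexts taken from the message
VIRTUAL_SUFFIX = "dc=example,dc=org"
RDN = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^,=+]+$")

def valid_dn(value):
    """Simplified DN check: no escaped commas, no multi-valued RDNs."""
    return all(RDN.match(part.strip()) for part in value.split(","))

def valid_telephone(value):
    """Simplified stand-in for a telephoneNumber syntax check."""
    return re.fullmatch(r"\+?[0-9 ()-]+", value) is not None

def massage_suffix(dn):
    """Map the real naming context to the virtual one, only at an RDN boundary."""
    norm = ",".join(part.strip() for part in dn.split(","))
    if norm.lower().endswith(REAL_SUFFIX.lower()):
        head = norm[: len(norm) - len(REAL_SUFFIX)]
        if head == "" or head.endswith(","):
            return head + VIRTUAL_SUFFIX
    return norm

# Hypothetical rule table: attributeType -> (rewrite function, syntax validator).
RULES = {
    "manager": (massage_suffix, valid_dn),
    "telephonenumber": (lambda v: re.sub(r"^tel:", "", v.strip()), valid_telephone),
}

def rewrite_entry(entry):
    """Rewrite values per attributeType, then check syntax after rewriting.

    Values that fail the check are dropped and reported (an assumed policy),
    so a bad rule cannot push syntax-violating data to clients.
    """
    out, rejected = {}, []
    for attr, values in entry.items():
        rule = RULES.get(attr.lower())
        kept = []
        for value in values:
            new = rule[0](value) if rule else value   # no rule: pass through
            if rule is None or rule[1](new):
                kept.append(new)
            else:
                rejected.append((attr, value))
        if kept:
            out[attr] = kept
    return out, rejected

# Constructed sample entry with one value no rule can repair.
SAMPLE = {
    "cn": ["Jane Doe"],
    "manager": ["cn=Boss, ou=People, o=Example, c=XX"],
    "telephoneNumber": ["tel:+39 0382 000000", "tel:ask reception"],
}
```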
