On Mon, 20 Mar 2006, Aaron Richton wrote:
> I had some fun with this a while back. Lots of syntax that you think would
> work (and likely will work with better rwm/glue interaction) eventually
> run into one ITS or another like Howard noted below. I don't remember
> getting anywhere useful with back-relay. In the end, the simplest config
> was the one that worked:
>
> database hdb
> subordinate
> suffix "ou=local,dc=example,dc=com"
>
> database ldap
> suffix "dc=example,dc=com"
That didn't work for me. With a setup like your example, if I bind as
cn=user,ou=a,dc=example,dc=com it seemed like the search base would get
stuck as ou=a,dc=example,dc=com and I couldn't retrieve
cn=foo,ou=b,dc=example,dc=com (though cn=foo,ou=local... worked fine).

What I ended up doing was this:

database meta
suffix "dc=example,dc=com"
uri "ldaps://example.com/dc=example,dc=com"
subtree-exclude "ou=groups,dc=example,dc=com"
uri "ldap://localhost/ou=groups,dc=example,dc=com"
suffixmassage "ou=groups,dc=example,dc=com" "ou=groups,dc=local"

database ldif
suffix "ou=groups,dc=local"
directory /var/ldap/local

I like the configuration syntax for back-meta, but it seems like there
ought to be a better way to do the loopback connection, and using both
back-relay and back-ldap/meta seemed like too much additional complexity.

-- 
Eric Irrgang - UT Austin ITS Unix Systems - (512)475-9342
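Added worked example (editor's addition, not part of the original message or of
OpenLDAP's code): a small Python model of how the two-target back-meta layout
above routes a request and rewrites DNs. It assumes the documented back-meta
behaviour in simplified form: a target is a candidate when the base DN lies in
its naming context and outside any subtree-exclude, or when a subtree search
starts above its naming context (in which case the base is clipped to that
naming context); suffixmassage rewrites the trailing RDNs on the way out and
back. DN parsing is naive (no escaped commas, no multi-valued RDNs); the
hostnames and DNs are the ones from the config above.

```python
"""Toy model of back-meta target selection and suffixmassage.

Constructed example, not OpenLDAP code: it mirrors the two-target
back-meta layout from the message above so you can see which target a
given base DN is routed to and what DN the target actually sees.
DN handling is deliberately naive (no escaped commas, no multi-valued RDNs).
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def rdns(dn: str) -> List[str]:
    """Split a DN into its RDNs, leaf first, whitespace stripped."""
    return [r.strip() for r in dn.split(",") if r.strip()]


def is_within(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies below it (case-insensitive)."""
    d = [r.lower() for r in rdns(dn)]
    s = [r.lower() for r in rdns(suffix)]
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def replace_suffix(dn: str, old: str, new: str) -> str:
    """Rewrite the trailing RDNs of dn that match old into new; keep the rest."""
    if not is_within(dn, old):
        return dn
    keep = rdns(dn)[: len(rdns(dn)) - len(rdns(old))]
    return ",".join(keep + rdns(new))


@dataclass
class Target:
    host: str                                  # e.g. "ldaps://example.com"
    naming_context: str                        # DN part of the uri directive
    subtree_exclude: List[str] = field(default_factory=list)
    suffixmassage: Optional[Tuple[str, str]] = None  # (virtual, real)

    def is_candidate(self, base: str, scope: str) -> bool:
        """Assumed candidate rule: the target serves the request when the
        base lies in its naming context (and not in an excluded subtree),
        or when a subtree search starts above its naming context."""
        if any(is_within(base, ex) for ex in self.subtree_exclude):
            return False
        if is_within(base, self.naming_context):
            return True
        return scope == "sub" and is_within(self.naming_context, base)

    def massage_out(self, dn: str) -> str:
        """Virtual DN (what the client used) -> DN sent to the real target."""
        if self.suffixmassage is None:
            return dn
        virtual, real = self.suffixmassage
        return replace_suffix(dn, virtual, real)

    def massage_in(self, dn: str) -> str:
        """DN returned by the real target -> virtual DN shown to the client."""
        if self.suffixmassage is None:
            return dn
        virtual, real = self.suffixmassage
        return replace_suffix(dn, real, virtual)


# The two targets from the slapd.conf in the message above.
TARGETS = [
    Target("ldaps://example.com", "dc=example,dc=com",
           subtree_exclude=["ou=groups,dc=example,dc=com"]),
    Target("ldap://localhost", "ou=groups,dc=example,dc=com",
           suffixmassage=("ou=groups,dc=example,dc=com", "ou=groups,dc=local")),
]


def route(base: str, scope: str = "sub") -> List[Tuple[str, str]]:
    """Return (host, base as the target sees it) for every candidate target."""
    out = []
    for t in TARGETS:
        if not t.is_candidate(base, scope):
            continue
        # A search started above the naming context is clipped to it (assumed).
        eff = base if is_within(base, t.naming_context) else t.naming_context
        out.append((t.host, t.massage_out(eff)))
    return out


if __name__ == "__main__":
    for base, scope in [("dc=example,dc=com", "sub"),
                        ("cn=foo,ou=b,dc=example,dc=com", "base"),
                        ("cn=staff,ou=groups,dc=example,dc=com", "base"),
                        ("ou=groups,dc=example,dc=com", "sub")]:
        print(f"{base} ({scope}) -> {route(base, scope)}")
    # An entry DN coming back from the loopback target is un-massaged for the client.
    print(TARGETS[1].massage_in("cn=staff,ou=groups,dc=local"))
```

The interesting case is a subtree search from dc=example,dc=com: both targets
are candidates, the remote one is searched unchanged while the loopback one is
asked for ou=groups,dc=local, and the subtree-exclude keeps anything under
ou=groups from also being sent to the remote server.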
