Hallvard B Furuseth wrote: > Pierangelo Masarati writes: >> 3) any other request is served by the relay database, > > Hopefully except requests to read entries local to the server: > - the root DSE: Search with DN "", scope=base > (other scopes should go to the relay database), > - cn=Subschema.
In this case, yes: the local rootDSE and cn=subschema are accessed as usual; it's the scope == base that allows the frontend to intercept them. > Is there a way to get the other ldap server's version of these? > Or this LDAP server's, if the above are not exceptions from (3:-)? You should configure a proxy like this database ldap suffix "cn=remote" uri "ldap://remote"; overlay rwm rwm-suffixmassage "" so that anything rooted at "cn=remote" is rewritten stripping the trailing "cn=remote"; requests for "cn=remote", scope == base will return the remote server's rootDSE; requests for "cn=subschema,cn=remote", scope == base will return the remote server's subschema. Note that in principle custom code could intercept requests for the local rootDSE and subschema by means of a global overlay, so that such requests are handled by the overlay before the frontend gets a chance to handle them. This is yet another side-effect of global overlays that should be documented. For example, slapo-rwm(5), if configured as global so that it always adds a trailing DN to each request, something like overlay rwm rwm-suffixmassage "" "dc=extra" would prevent rootDSE and subschema from being accessed... maybe this should be documented. p. Ing. Pierangelo Masarati OpenLDAP Core Team SysNet s.r.l. via Dossi, 8 - 27100 Pavia - ITALIA http://www.sys-net.it --------------------------------------- Office: +39 02 23998309 Mobile: +39 333 4963172 Email: [EMAIL PROTECTED] ---------------------------------------
