I'm trying to proxy an AD and an OpenLDAP server on a
separate machine to get a 'combined' view.


First problem (or the primary one?) is that the DN doesn't
match.

   AD: cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld
   OL: uid=turbo,ou=People,dc=org3,dc=company,dc=tld

We have absolutely no write/modify access to the AD (we
barely got search/compare access to parts of the AD!).

And the OL server... There's way too much work to modify
that (as in massaging the DB and reloading it) at the moment.
It's also running 2.3 at the moment, and we don't want to
upgrade that any time soon.


The theory is/was to:

   1. Set up an LDAP/META proxy to the AD to act as the
      'local' DB.
   2. Rewrite the AD DNs to match the OL DB
   3. Cache some common queries
   4. Glue the OL DB with the AD DB, the OL acting as
      the 'remote' DB.

Unfortunately, I can't get step four to work. Any queries
seem to loop to the localhost.


I guess I could use rwm on the OL server to massage the
DN (before it's presented to clients and the proxy), but
I much rather do any rewrite etc on my new proxy server
if possible.

OR

Set up a second OL server on the current OL server, but
on a different port (hidden), which proxies the main
OL and rewrites the DN to match the AD. This hidden server
could then be proxied by the new LDAP proxy, cached etc...


But neither of the alternative solutions is pretty :).

I'll have to maintain and support THREE LDAP servers
(one DB and two proxies), which seems a little too much
work.

And besides, the OL has all the UNIX (posixAccount etc)
stuff (only), with very few users (most of the organization
don't need UNIX accounts), and most of the clients are configured
to use that when searching etc. There are also other reasons
why we would like to keep the OL server layout...


Parts of my slapd.conf:

#######################################################################

database                        ldap
suffix                          "dc=company,dc=tld"
rootdn                          "cn=Manager,dc=company,dc=tld"
rootpw                          "secret"

# ---------------------------------------------------------------------
##### Active Directory Server (will act as LOCAL DB)
uri                             ldap://ad.company.tld

idassert-bind                   bindmethod=simple
                                binddn="cn=unixldap,ou=service,ou=users,ou=selud,dc=rd,dc=company,dc=tld"
                                credentials="Secret1"
                                mode=none
idassert-authzFrom              "*"

# ---------------------------------------------------------------------
#### Rewrite/Remap
# http://www.openldap.org/its/index.cgi/Software%20Bugs?id=5941#followup7
overlay                         rwm
rwm-rewriteEngine               yes
rwm-normalize-mapped-attrs      yes

rwm-map                         attribute uid sAMAccountName
rwm-map                         attribute gecos displayName
rwm-map                         attribute workPhone telephoneNumber
rwm-map                         attribute address1 streetAddress
rwm-map                         attribute city l
rwm-map                         attribute state st
rwm-map                         attribute zip postalCode
rwm-map                         attribute country co
rwm-map                         attribute c country
rwm-map                         attribute distinguishedName entryDN
rwm-map                         objectclass inetOrgPerson user
rwm-map                         objectclass groupOfNames group

rwm-rewriteContext              searchEntryDN
rwm-rewriteRule "cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)" "uid=$1ou=People,dc=ORG3,$2" ":@"

rwm-rewriteContext              searchAttrDN alias searchEntryDN
rwm-rewriteContext              matchedDN alias searchEntryDN

# ---------------------------------------------------------------------
#### Proxy Cache
overlay                         pcache
pcache                          hdb 2500 3 1 300

pcacheAttrset                   0 uid uidNumber gidNumber cn sn givenName distinguishedName
pcacheAttrset                   1 c physicalDeliveryOfficeName streetAddress mail
pcacheAttrset                   2 uid uidNumber gidNumber cn sn givenName distinguishedName c physicalDeliveryOfficeName streetAddress mail

pcacheTemplate                  (uid=) 0 3600
pcacheTemplate                  (cn=) 0 3600
pcacheTemplate                  (|(uid=)(cn=)) 0 3600
pcacheTemplate                  (|(cn=)(uid=)) 0 3600
pcacheTemplate                  (objectClass=) 2 3600
pcacheTemplate                  (|(objectClass=)(cn=)) 2 3600
pcacheTemplate                  (gecos=) 1 3600
pcacheTemplate                  (&(sn=)(givenName=)) 1 3600

cachesize                       20
directory                       /usr/local/turbo/var/openldap-data
index                           objectClass eq
index                           cn,sn,uid,mail  pres,eq,sub

# ---------------------------------------------------------------------
#### Translucent Proxy
overlay                         translucent
translucent_strict              yes
#translucent_local              uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail
#translucent_remote             uid,uidNumber,gidNumber,cn,sn,givenName,distinguishedName,mail

### OpenLDAP Server (will act as REMOTE DB)
uri                             "ldap://ol.company.tld/"
network-timeout                 3
chase-referrals                 no

acl-bind                        binddn="cn=Manager,dc=company,dc=tld"
                                credentials="secret"
idassert-bind                   bindmethod=simple
                                binddn="cn=Manager,dc=company,dc=tld"
                                credentials="Secret2"
                                mode=none
idassert-authzFrom              "*"

#######################################################################
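
As an added illustration (not part of the post), the searchEntryDN rewrite rule above modelled in Python so the DN mapping can be checked offline before reloading slapd. The forward rule is the post's own; the reverse rule is an assumption showing the shape a request-side rule (bindDN/searchDN contexts, which the config above does not rewrite) would take, and the second sample DN is constructed.

```python
import re

# The post's rwm-rewriteRule for the searchEntryDN context, split into
# (pattern, action). slapo-rwm matches POSIX extended regexes
# case-insensitively unless the 'C' flag is set, and builds the new DN
# from the action string with $1..$9 replaced by the captured groups.
AD_TO_OL = (r"cn=(.*)?ou=Office,ou=Users,ou=ORG1,dc=ORG2,(.*)",
            "uid=$1ou=People,dc=ORG3,$2")

# Assumed reverse rule, not in the post: what a request-side rule
# (bindDN / searchDN contexts) would look like so that a client presenting
# the OL-style DN is mapped back onto the AD entry.
OL_TO_AD = (r"uid=(.*)?ou=People,dc=ORG3,(.*)",
            "cn=$1ou=Office,ou=Users,ou=ORG1,dc=ORG2,$2")


def rwm_rewrite(dn, rule):
    """Model one rwm rule: return the DN built from the action when the
    pattern matches, otherwise the DN unchanged (rwm leaves non-matching
    DNs alone, so such entries keep their AD-style DN)."""
    pattern, action = rule
    m = re.search(pattern, dn, flags=re.IGNORECASE)  # rwm patterns are unanchored
    if m is None:
        return dn
    return re.sub(r"\$(\d)", lambda ref: m.group(int(ref.group(1))) or "", action)


def round_trips(ad_dn):
    """True when AD -> OL -> AD reproduces the original DN
    (DN comparison is case-insensitive, so compare in lower case)."""
    back = rwm_rewrite(rwm_rewrite(ad_dn, AD_TO_OL), OL_TO_AD)
    return back.lower() == ad_dn.lower()


if __name__ == "__main__":
    # The AD DN from the post, plus a constructed user outside ou=Office.
    samples = [
        "cn=turbo,ou=Office,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
        "cn=alice,ou=Lab,ou=Users,ou=org1,dc=org2,dc=company,dc=tld",
    ]
    for dn in samples:
        print(dn, "->", rwm_rewrite(dn, AD_TO_OL), "| round trip:", round_trips(dn))
```

Note that the constructed DN outside ou=Office is returned unchanged, so entries there would not line up with the OL layout.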


Disclaimer: Much of this hasn't been optimized yet. I'll
fine-tune and tweak stuff once I can get it to work...

--
Life sucks and then you die
