> OK - must be missing something really basic - and I am new to LDAP...
>
> I have a server (ldapmaster) that serves
>
> dc=new,dc=example,dc=com
>
> and a separate server, ldaplegacy, that uses slapd-ldap + rwm to
> proxy-translate requests aimed at:
>
> dc=old,dc=example,dc=com
>
> So:
>
> ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>
> returns
> ...
> # me, people, old.example.com
> dn: uid=me,ou=people,dc=old,dc=example,dc=com
> objectClass: top
> objectClass: inetOrgPerson
> ...
>
> nice - exactly as expected.
>
> But
>
> ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>
> returns (after successful bind)
>
> dn:uid=me,ou=people,dc=new,dc=example,dc=com
>
> Why doesn't the DN get translated?
>
> The config section that's relevant on ldaplegacy is:
>
> slapd.conf
> ###############################
> ...
> database relay
> suffix "dc=old,dc=example,dc=com"
> relay "dc=new,dc=example,dc=com"
> overlay rwm
> rwm-suffixmassage "dc=new,dc=example,dc=com"
> ...
> ###############################
>
> I thought I needed more magic to translate the replies, but that *looks*
> like it is happening with ldapsearch???
There are two good reasons:

1) what you get back is the *real* identity, i.e. the unmapped one.

2) whoami is an extended operation. The fact that its "payload" is a DN is not known to slapo-rwm, as this is an extension of the protocol. Since whoami is now part of the standard, slapo-rwm could know about it (patches are welcome); in any case, I think point (1) still applies; assuming the behavior you desire is legitimate, whether it takes place or not should be at least configurable, as there are many good reasons for (1) to be available.

p.

-- 
Pierangelo Masarati
Associate Professor
Dipartimento di Ingegneria Aerospaziale
Politecnico di Milano
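As an added example, not from this thread and not OpenLDAP code: a small Python model of what rwm-suffixmassage does to a DN, plus a check that flags a whoami answer which exposes the relay target's real naming context (dc=new) instead of the virtual one clients are given (dc=old). The function names and the DN normalisation rules are my own assumptions, not slapo-rwm's.

```python
import re


def split_rdns(dn):
    """Split a DN into RDN strings on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r'(?<!\\),', dn) if p.strip()]


def normalize(dn):
    """Lower-case every RDN and trim whitespace so that 'DC=New, DC=Example'
    compares equal to 'dc=new,dc=example'. Assumption: suffix components are
    case-insensitive (true for dc=, not for every attribute type)."""
    return ','.join(rdn.lower() for rdn in split_rdns(dn))


def suffix_massage(dn, from_suffix, to_suffix):
    """Model of rwm-suffixmassage: if dn lies under from_suffix, replace that
    trailing naming context with to_suffix; any other DN is returned unchanged."""
    rdns = split_rdns(dn)
    sfx = split_rdns(from_suffix)
    if len(rdns) >= len(sfx) and \
            normalize(','.join(rdns[-len(sfx):])) == normalize(from_suffix):
        return ','.join(rdns[:-len(sfx)] + split_rdns(to_suffix))
    return dn


def parse_authzid(authzid):
    """Parse the authzId string ldapwhoami prints: 'dn:<dn>', 'u:<user>' or
    the empty string for an anonymous session."""
    if authzid == '':
        return ('anonymous', '')
    kind, _, value = authzid.partition(':')
    if kind not in ('dn', 'u'):
        raise ValueError(f'unrecognised authzId form: {authzid!r}')
    return (kind, value.strip())


def whoami_exposes_real_suffix(authzid, virtual_suffix, real_suffix):
    """True when the proxy answered whoami with a DN under the backend's real
    naming context rather than the virtual suffix it serves to clients; this
    is the unmapped identity the reply above describes leaking through."""
    kind, value = parse_authzid(authzid)
    if kind != 'dn':
        return False
    return suffix_massage(value, real_suffix, virtual_suffix) != value
```

Feeding the string printed by `ldapwhoami` in the quoted post into `whoami_exposes_real_suffix` returns True, which is the condition to monitor for if the relay is meant to hide the backend's naming context from legacy clients.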
