Thank you Pierangelo, the fact whoami is an exop makes it all clear. I am glad this is correct and not bad config on my part :)
Cheers

Tim

Pierangelo Masarati <[email protected]> wrote:
>
>> OK - must be missing something really basic - and I am new to LDAP...
>>
>> I have a server (ldapmaster) that serves
>>
>> dc=new,dc=example,dc=com
>>
>> and a separate server, ldaplegacy, that uses slapd-ldap + rwm to
>> proxy-translate requests aimed at:
>>
>> dc=old,dc=example,dc=com
>>
>>
>> So:
>>
>> ldapsearch -x -b dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>>
>> returns
>> ...
>> # me, people, old.example.com
>> dn: uid=me,ou=people,dc=old,dc=example,dc=com
>> objectClass: top
>> objectClass: inetOrgPerson
>> ...
>>
>> nice - exactly as expected.
>>
>> But
>>
>> ldapwhoami -x -W -D uid=me,ou=people,dc=old,dc=example,dc=com -H ldap://ldaplegacy/
>>
>> returns (after successful bind)
>>
>> dn:uid=me,ou=people,dc=new,dc=example,dc=com
>>
>>
>> Why doesn't the DN get translated?
>>
>>
>> The config section that's relevant on ldaplegacy is:
>>
>> slapd.conf
>> ###############################
>> ...
>> database relay
>> suffix "dc=old,dc=example,dc=com"
>> relay "dc=new,dc=example,dc=com"
>> overlay rwm
>> rwm-suffixmassage "dc=new,dc=example,dc=com"
>> ...
>> ###############################
>>
>>
>> I thought I needed more magic to translate the replies, but that *looks*
>> like it is happening with ldapsearch???
>
>There are two good reasons:
>
>1) what you get back is the *real* identity, i.e. the unmapped one.
>
>2) whoami is an extended operation. The fact that its "payload" is a DN
>is not known to slapo-rwm, as this is an extension of the protocol. Since
>whoami is now part of the standard, slapo-rwm could know about it (patches
>are welcome); in any case, I think point (1) still applies; assuming the
>behavior you desire is legitimate, whether it takes place or not should
>be at least configurable, as there are many good reasons for (1) to be
>available.
>
>p.
>
>--
>Pierangelo Masarati
>Associate Professor
>Dipartimento di Ingegneria Aerospaziale
>Politecnico di Milano

--
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
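An added example, not part of the thread and not OpenLDAP code: since the proxy returns the whoami payload unmapped, a client that compares the bound identity against DNs in the old naming context has to apply the suffix mapping itself. The function names are hypothetical, the two suffixes are the ones from the quoted slapd.conf, and DN handling is simplified (split on unescaped commas, case-insensitive suffix comparison, no hex-escape normalisation).

```python
import re

# Suffixes from the thread: the real naming context on ldapmaster and the
# virtual one exposed by ldaplegacy.
REAL = "dc=new,dc=example,dc=com"
VIRT = "dc=old,dc=example,dc=com"

_UNESCAPED_COMMA = re.compile(r"(?<!\\),")


def massage_suffix(dn, from_suffix, to_suffix):
    """Swap from_suffix for to_suffix on whole-RDN boundaries.

    Returns None when dn is not under from_suffix. A plain str.endswith()
    check would wrongly match an RDN such as "xdc=new".
    """
    rdns = [r.strip() for r in _UNESCAPED_COMMA.split(dn)]
    old = [r.strip().lower() for r in _UNESCAPED_COMMA.split(from_suffix)]
    tail = [r.lower() for r in rdns[len(rdns) - len(old):]]
    if len(rdns) < len(old) or tail != old:
        return None
    return ",".join(rdns[:len(rdns) - len(old)] + [to_suffix])


def map_authzid(authzid, real_suffix=REAL, virtual_suffix=VIRT):
    """Map a whoami authzId ("dn:..." or "u:...") into the virtual context.

    Anonymous (empty) and "u:" identities pass through unchanged, as do DNs
    outside real_suffix, so the caller never sees an invented identity.
    """
    if not authzid.startswith("dn:"):
        return authzid
    mapped = massage_suffix(authzid[3:], real_suffix, virtual_suffix)
    return authzid if mapped is None else "dn:" + mapped


if __name__ == "__main__":
    # Constructed sample: the whoami result shown in the thread.
    print(map_authzid("dn:uid=me,ou=people,dc=new,dc=example,dc=com"))
```

Access decisions should still be keyed on one canonical form of the identity; the mapping above only makes the two forms comparable.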
