I am trying to "extend" a corporate Active Directory with application-specific 
user attributes by running a local OpenLDAP (2.4.34) with back-ldap and the 
translucent overlay. I can add local attributes associated with remote entries, 
and I can see these local attributes when searching on a remote attribute. But 
I cannot modify local attributes, and searching on a local attribute returns no 
results. For example, after

    ldapadd -x -H ldaps://localhost -D "cn=admin,dc=example,dc=com" -W -f addLocalUser.ldif

where "cn=admin,dc=example,dc=com" is the local rootdn and addLocalUser.ldif 
contains

    dn: cn=John Doe,ou=myOrg,dc=example,dc=com
    objectclass: organizationalPerson
    objectclass: myPerson
    myAttribute: somevalue

the search

    ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
       -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W \
       '([email protected])' cn manager myattribute

(where remoteuser has read access on the remote directory and read/write access 
on the local directory) returns one entry with the expected cn, manager, and 
myattribute values. But the search

    ldapsearch -x -H ldaps://localhost -LLL -b dc=example,dc=com \
       -D "cn=admin,cn=Users,dc=example,dc=com" -W \
       '(myattribute=somevalue)' cn manager myattribute

returns nothing. And the modify commands

    ldapmodify -x -H ldaps://localhost \
       -D "cn=admin,dc=example,dc=com" -W -f modUser.ldif
    ldapmodify -x -H ldaps://localhost \
       -D "cn=remoteuser,cn=Users,dc=example,dc=com" -W -f modUser.ldif

where modUser.ldif contains

    dn: cn=John Doe,ou=myOrg,dc=example,dc=com
    changetype: modify
    replace: myAttribute
    myAttribute: anothervalue

both result in

    ldapmodify: No such object (32)
        additional info: attempt to modify nonexistent local record

I've read the relevant parts of the Admin Guide and the relevant man pages 
numerous times, along with everything I found via Google. I've also studied the 
translucent overlay test cases. It looks like what I'm trying to do is a 
mainstream use case, so obviously I'm missing some crucial aspects of 
configuration. Here are the slapd.conf backend configs that I'm using (with 
name changes to match the examples above):

    database mdb
    suffix      "dc=example,dc=com"
    rootdn      "cn=admin,dc=example,dc=com"
    rootpw      {SSHA}blahblah
    directory   /opt/openldap-2.4/var/local-data
    index       objectClass      eq,pres
    index       myAttribute      eq,pres,sub

    overlay translucent
    uri                 "ldaps://ldap.example.com/"
    acl-bind            bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah tls_reqcert=demand
    idassert-bind       bindmethod=simple binddn=cn=remoteuser,cn=Users,dc=example,dc=com credentials={SSHA}blahblah mode=none tls_reqcert=demand
    idassert-authzFrom  dn.regex:.*
    rebind-as-user
    chase-referrals     yes
    translucent_local   cn,myAttribute
    translucent_remote  cn,mail

Are there glaring mistakes here? Thanks for reading this far :-)

Steve
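
As an added example (not from Steve's post or from OpenLDAP itself), a small Python checker that parses a modify LDIF like modUser.ldif and a slapd.conf fragment like the one above, and reports for each attribute the change touches whether translucent_local lists it and whether the local mdb indexes it. The LDIF and config it embeds are constructed from the values in the post, with a base64 description block added only to exercise the parser.

```python
import base64, re
# Constructed input modelled on modUser.ldif and the slapd.conf in the post;
# the base64 'description' block is added only to exercise the parser.
MOD_LDIF = """dn: cn=John Doe,ou=myOrg,dc=example,dc=com
changetype: modify
replace: myAttribute
myAttribute: anothervalue
-
add: description
description:: bG9jYWwgb25seQ==
"""
SLAPD_CONF = """index       objectClass      eq,pres
index       myAttribute      eq,pres,sub
translucent_local   cn,myAttribute
"""

def parse_ldif_record(text):
    """Parse one LDIF record into (dn, [(op, attr, [values])]); '::' marks base64."""
    dn, mods, cur = None, [], None
    for line in (l for l in text.splitlines() if l.strip() and not l.startswith("#")):
        key, _, val = line.partition(":")
        val = base64.b64decode(val[1:].strip()).decode() if val.startswith(":") else val.strip()
        if line == "-":                          # ends one change block of a modify
            cur = None
        elif key == "dn":
            dn = val
        elif key in ("add", "replace", "delete"):
            mods.append(cur := (key, val, []))   # explicit modify operation
        elif key != "changetype":                # attribute value line
            if cur is None or cur[1].lower() != key.lower():
                mods.append(cur := ("add", key, []))  # value in a plain add record
            cur[2].append(val)
    return dn, mods

def parse_translucent_conf(text):
    """Return (translucent_local attrs, indexed attrs) in lower case."""
    local, indexed = set(), set()
    # a slapd.conf line starting with whitespace continues the previous one
    for line in re.sub(r"\n[ \t]+", " ", text).splitlines():
        parts = line.split()
        if len(parts) > 1 and parts[0] == "translucent_local":
            local.update(a.lower() for a in parts[1].split(","))
        elif len(parts) > 2 and parts[0] == "index":
            indexed.add(parts[1].lower())
    return local, indexed

def check_ldif(ldif, conf):
    # attribute -> (listed in translucent_local?, indexed in the local database?)
    _, mods = parse_ldif_record(ldif)
    local, indexed = parse_translucent_conf(conf)
    return {attr: (attr.lower() in local, attr.lower() in indexed) for _, attr, _ in mods}
```

Running check_ldif(MOD_LDIF, SLAPD_CONF) flags description as neither locally searchable nor indexed, while myAttribute is both.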
