I used suffix massage to combine customer LDAP with my local LDAP server;
this allows us to have internal users. Documentation on doing this is very
sparse.
Client side: sssd points at dc=local.
# BDB database definitions
#######################################################################
#local database b
database bdb
idlcachesize 50000
suffix "dc=b,dc=com"
rootdn "cn=adm,dc=b,dc=com"
rootpw {SSHA}xx
cachesize 50000
dirtyread
dbnosync
checkpoint 128 15
index objectClass eq
#database meta - COMBINES the LDAP DATABASES
database meta
suffix "dc=local"
rootdn "cn=adm,dc=local"
rootpw {SSHA}xx
#internal LDAP
uri "ldap://127.0.0.1/ou=internal,dc=local"
lastmod off
suffixmassage "ou=internal,dc=local" "dc=b,dc=com"
#external - customer LDAP
#uncomment lines and only change vars inside [] to match env
#
#uri "ldap://[myldap]/ou=external,dc=local"
#lastmod off
#suffixmassage "ou=external,dc=local" "[dc=a,dc=a,dc=com]"
#
*Jason K Cafarelli*
Desk: (508) 637-5705 (primary)
Mobile: (508) 215-9712
[email protected]
On Fri, Jan 8, 2016 at 5:48 AM, M. P. <[email protected]> wrote:
> Hi,
>
> We are in the process of merging data from a remote database into a local
> database. The two databases have the same base DN. To ease this process, I
> thought of a way to make a union of the remote database and the local
> database until the remote data is merged into the local database. From my reading I
> found this thread
> http://thread.gmane.org/gmane.network.openldap.technical/11893 that is
> something that corresponds, I think, to what I want.
>
> The practical part is done on Debian jessie 8.2 with OpenLDAP version
> 2.4.40+dfsg-1+deb8u1. The local database definition is like this.
>
> # Entry 1: olcDatabase={2}mdb,cn=config
> dn: olcDatabase={2}mdb,cn=config
> objectclass: olcDatabaseConfig
> objectclass: olcMdbConfig
> olcaccess: ...
> olcdatabase: {2}mdb
> olcdbdirectory: /var/lib/ldap/base_dn
> olcdbindex: ...
> olcdbmaxsize: 104857600
> olclimits: ...
> olcrootdn: cn=admin,dc=base,dc=dn
> olcrootpw: {SSHA}.......
> olcsuffix: dc=base,dc=dn
> olcsyncrepl: ...
> olcupdateref: ldap://master.ldap.server/
>
> To this database definition I have added this part to make translucent
> work.
>
> # ldapadd -Y EXTERNAL -H ldapi:/// << EOF
> dn: olcOverlay=translucent,olcDatabase={2}mdb,cn=config
> objectClass: olcConfig
> objectClass: olcOverlayConfig
> objectClass: olcTranslucentConfig
> objectClass: top
> olcOverlay: translucent
> EOF
>
> # ldapadd -Y EXTERNAL -H ldapi:/// << EOF
> dn: olcDatabase=ldap,olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
> objectClass: olcConfig
> objectClass: olcLDAPConfig
> objectClass: olcTranslucentDatabase
> objectClass: olcDatabaseConfig
> olcDbURI: ldap://remote-ldap.server
> olcDbIDAssertBind: bindmethod="simple" binddn="cn=binddn,dc=base,dc=dn" credentials="onepassword" mode="self"
> EOF
>
> With this configuration, I can see on the local server only the entries that
> are available on the remote server; an ldapsearch does not return entries
> available on the local server. Is this the normal behavior?
>
> Another problem is that when I restart slapd, I have an error like this
>
> slapd[3440]: @(#) $OpenLDAP: slapd (Sep 11 2015 15:11:55)
> $#012#011buildd@babin
> :/build/openldap-nFTO9j/openldap-2.4.40+dfsg/debian/build/servers/slapd
> slapd[3441]: syncprov_db_open: invalid config, lastmod must be enabled
> slapd[3441]: backend_startup_one (type=mdb, suffix="dc=linkeo,dc=com"):
> bi_db_open failed! (-1)
> slapd[3441]: DIGEST-MD5 common mech free
> slapd[3441]: slapd stopped.
>
> I have to reload the config without the dn:
> olcOverlay=translucent,olcDatabase={2}mdb,cn=config and dn:
> olcDatabase=ldap,olcOverlay={3}translucent,olcDatabase={2}mdb,cn=config
> entries to make slapd start properly.
>
> Can somebody tell me what I have done wrong?
>
> Thanks,
> --
> ------------
>
> M. P.
>
>
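Added example, not code from either message in this thread: a small Python model of what the `database meta` plus `suffixmassage` block in the reply above does, namely present two directories (the internal one and the customer one) under the single virtual suffix dc=local that sssd is pointed at, and union their search results. Everything in it is constructed: the entries stand in for the two backing servers, the suffix dc=customer,dc=example stands in for the "[dc=a,dc=a,dc=com]" placeholder, and only subtree-scope searches are modelled. The point a practitioner should take from it is that suffix matching and rewriting has to be done on whole RDN components (case-insensitively), not on raw string suffixes, because the rewritten tree is exactly what the clients end up trusting.

```python
"""Model of OpenLDAP back-meta suffix massage with two targets (added example,
constructed data; not the thread's own code)."""

from dataclasses import dataclass


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs on unescaped commas, trimming whitespace."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):  # keep escaped characters such as "\,"
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def _norm(rdns: list[str]) -> list[str]:
    return [r.lower() for r in rdns]


def has_suffix(dn: str, suffix: str) -> bool:
    """True if `suffix` is a trailing run of whole RDNs of `dn` (case-insensitive).
    Comparing RDN lists rather than raw strings keeps a suffix such as dc=local
    from matching inside an unrelated RDN value or failing on case/spacing."""
    d, s = _norm(split_dn(dn)), _norm(split_dn(suffix))
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def massage(dn: str, from_suffix: str, to_suffix: str) -> str:
    """Replace the trailing `from_suffix` of `dn` with `to_suffix`, keeping the
    leading RDNs untouched: one suffixmassage directive, applied in one direction."""
    if not has_suffix(dn, from_suffix):
        raise ValueError(f"{dn!r} is not under {from_suffix!r}")
    rdns = split_dn(dn)
    keep = rdns[: len(rdns) - len(split_dn(from_suffix))]
    return ",".join(keep + split_dn(to_suffix))


@dataclass
class Target:
    """One `uri` + `suffixmassage` pair of the meta database."""
    virtual: str   # naming context advertised under dc=local
    real: str      # naming context of the backing directory
    entries: dict  # constructed stand-in for the backing server: real DN -> attributes

    def search(self, base: str) -> dict:
        """Subtree search as the backing server would answer it (real DNs)."""
        return {dn: a for dn, a in self.entries.items() if has_suffix(dn, base)}


def meta_search(targets: list[Target], base: str) -> dict:
    """Subtree search under the virtual suffix: fan out to every target whose
    naming context intersects the base, massage the base on the way out and the
    result DNs on the way back, and return the union keyed by virtual DN."""
    results = {}
    for t in targets:
        if has_suffix(t.virtual, base):        # base is at or above the target
            real_base = t.real
        elif has_suffix(base, t.virtual):      # base is inside the target
            real_base = massage(base, t.virtual, t.real)
        else:
            continue                           # target not involved in this search
        for dn, attrs in t.search(real_base).items():
            results[massage(dn, t.real, t.virtual)] = attrs
    return results


# Constructed directory contents (sample data, not taken from the thread).
INTERNAL = Target(
    virtual="ou=internal,dc=local", real="dc=b,dc=com",
    entries={
        "ou=people,dc=b,dc=com": {"objectClass": ["organizationalUnit"]},
        "uid=jsmith,ou=people,dc=b,dc=com": {"uid": ["jsmith"], "uidNumber": ["10001"]},
    },
)
EXTERNAL = Target(
    virtual="ou=external,dc=local", real="dc=customer,dc=example",
    entries={
        "ou=users,dc=customer,dc=example": {"objectClass": ["organizationalUnit"]},
        "uid=cust1,ou=users,dc=customer,dc=example": {"uid": ["cust1"], "uidNumber": ["20001"]},
    },
)
TARGETS = [INTERNAL, EXTERNAL]


if __name__ == "__main__":
    # What a client pointed at dc=local sees: one tree containing both directories.
    for dn in meta_search(TARGETS, "dc=local"):
        print(dn)
    print(sorted(meta_search(TARGETS, "ou=internal,dc=local")))
```

A search based at dc=local fans out to both targets and comes back with every entry rewritten under ou=internal,dc=local or ou=external,dc=local; a search based inside one of the virtual subtrees is rewritten to the matching real suffix and sent to that target alone, which is the behaviour the `uri` and `suffixmassage` pairs in the reply's meta database describe.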