On Thu, Apr 28, 2016 at 11:05:03AM -0400, Aaron Richton wrote:
> >But we're having a migration phase during which we need to proxy
> >one subtree of our database from an old backend service. So
> >everything else comes from those two backends but one branch; it
> >comes from a third one. And that would require back-meta, I think.
> >So apparently we'll have to think a way around that, maybe by just
> >copying those entries over using a perl script or something...
>
> Depends what you're doing. Perhaps multiple subordinate back-ldap's
> (maybe with a back-null at the top to glue everything together)?
> And/or create the three back-ldap's under (perhaps unpublished)
> unique suffix, then back-relay everything together?

I tried subordinate back-ldaps, sth like this:

---
database ldap
suffix ou=foo,ou=bar,dc=dom,dc=ain
uri ldap://migration.server/
overlay rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"
tls propagate

database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---

And it mostly worked. Except when I tried to do a subtree search like so:

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'

it returned nothing, whereas

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=foo,ou=bar,dc=dom,dc=ain 'uid=sth_in_migr_server'

returned the entry.

With back-meta, I can base the search on a branch that resides on one
backend server and it also searches other backend servers that contain
sub-branches of that branch; the first kind of search worked.

Then I tried gluing things together with back-relay. Sth like this.

---
database relay
suffix o=testing
overlay rwm
rwm-suffixmassage "ou=really,o=testing" "ou=some,o=thing"
rwm-suffixmassage "o=testing" "ou=bar,dc=dom,dc=ain"

database ldap
suffix ou=some,o=thing
uri ldap://migration.server/
tls propagate

database ldap
suffix dc=dom,dc=ain
uri ldap://backend-1.server/ ldap://backend-2.server/
tls propagate
---

But the result was similar.

ldapsearch -xZZH ldap://ldap-proxy.server -b o=testing 'uid=sth_in_migr_server'
->nothing found

ldapsearch -xZZH ldap://ldap-proxy.server -b ou=really,o=testing 'uid=sth_in_migr_server'
->found entry

(and of course, if I put the rwm-suffixmassage lines in the reverse
order, -b ou=really,o=testing resulted in "no such object" because
there really isn't a subtree 'ou=really,ou=bar,dc=dom,dc=ain' on the
backend servers)

So apparently, I can use back-ldap to proxy a separate branch of my
database to a separate server, but I cannot expect subtree searches
based on somewhere else to contain that separate branch?

Thanks again for the suggestions.

--Janne
-- 
Janne Peltonen <[email protected]> PGP Key ID: 0x9CFAC88B
Consider membership of the Hospitality Club (http://www.hospitalityclub.org)
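
An added example, not part of the original message: slapd.conf(5) has a `subordinate` directive that marks a database as glued beneath the database holding its parent suffix, which the first configuration quoted above does not use. The fragment reuses that configuration's suffixes and URIs; whether it gives the expected subtree results with back-ldap plus rwm in this deployment is an assumption the thread does not confirm.

```conf
# Constructed example based on the first configuration in the message.

# Inner suffix first: slapd.conf(5) requires a database whose suffix lies
# inside another database's suffix to appear earlier in the file.
database          ldap
suffix            "ou=foo,ou=bar,dc=dom,dc=ain"
# Glue this database under the one serving dc=dom,dc=ain, so that a search
# based above ou=foo is also passed to this database.
subordinate
uri               ldap://migration.server/
tls               propagate
overlay           rwm
rwm-suffixmassage "ou=foo,ou=bar,dc=dom,dc=ain" "ou=some,o=thing"

# Superior database: everything else under dc=dom,dc=ain.
database          ldap
suffix            "dc=dom,dc=ain"
# URI list passed as one quoted argument, the form shown in slapd-ldap(5).
uri               "ldap://backend-1.server/ ldap://backend-2.server/"
tls               propagate
```

The check after restarting slapd is the first search from the message, with base `ou=bar,dc=dom,dc=ain` and filter `uid=sth_in_migr_server`.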
