Translucent Overlay docs

Gavin Henry 2008-08-29 22:20:45 +00:00
parent e5b96f2c76
commit c38d449391
2 changed files with 171 additions and 49 deletions

View file

@ -1,4 +1,4 @@
personal_ws-1.1 en 1668
personal_ws-1.1 en 1674
commonName
bla
Masarati
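Review bot: the word-count bump in this header (1668 to 1674) is consistent with the rest of this file's hunks, which show eight single-line additions (employeeType, sambaGroupMapping, roomNumber, octetStringSubstringsMatch, octetStringOrderingMatch, sambaGroupType, sambaSID, businessCategory) against two lines dropped where octetStringOrderingMatch (the `-1383,7 +1390,6` hunk) and octetStringSubstringsMatch (the `-1657,13 +1664,12` hunk) are moved to their new positions. Every other hunk in this file only swaps the order of existing case variants (olcSyncrepl/olcSyncRepl, memberOf/memberof, resultCode/resultcode, and so on) and adds no words, so the real content of the dictionary change is the eight attribute names used by the new documentation section; a future pass that avoids re-sorting the file would keep this diff down to those eight lines.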
@ -6,8 +6,8 @@ subjectAltName
api
usnCreated
BhY
olcSyncrepl
olcSyncRepl
olcSyncrepl
adamsom
adamson
CER
@ -39,8 +39,8 @@ DIB
dev
reqNewSuperior
librewrite
memberOf
memberof
memberOf
BSI
updateref
buf
@ -64,9 +64,9 @@ reqcert
CRP
postread
csn
laura
checkpass
xvfB
laura
neverDerefaliases
dns
DN's
@ -90,8 +90,8 @@ dlopen
eng
AttributeValue
attributevalue
EOF
DUA
EOF
inputfile
DSP
refreshDone
@ -127,10 +127,10 @@ iff
contextCSN
auditModify
auditSearch
openldap
OpenLDAP
resultCode
openldap
resultcode
resultCode
sysconfig
indices
blen
@ -144,6 +144,7 @@ iscritical
qbuaQ
gss
ZKKuqbEKJfKSXhUbHG
employeeType
invalidAttributeSyntax
subtree
Kartik
@ -169,13 +170,13 @@ argv
kdz
notAllowedOnRDN
hostport
starttls
StartTLS
starttls
ldb
servercredp
ldd
ipv
IPv
ipv
hyc
joe
bindmethods
@ -207,8 +208,8 @@ libpath
acknowledgements
jts
createTimestamp
LLL
MIB
LLL
OpenSSL
openssl
LOF
@ -248,10 +249,10 @@ Subbarao
aeeiib
oidlen
submatches
olc
PEM
PDU
olc
OLF
PDU
LDAPSchemaExtensionItem
auth
Pierangelo
@ -267,8 +268,8 @@ cleartext
numattrsets
requestDN
caseExactSubstringsMatch
PKI
NSS
PKI
olcSyncProvConfig
ple
NTP
@ -291,9 +292,9 @@ rdn
wZFQrDD
OTP
olcSizeLimit
pos
sbi
PRD
sbi
pos
pre
sudoadm
stringal
@ -313,8 +314,8 @@ bvec
HtZhZS
TBC
stringbv
Sep
SHA
Sep
ptr
conn
pwd
@ -331,8 +332,8 @@ myOID
supportedSASLMechanism
supportedSASLmechanism
realnamingcontext
SMD
UCD
SMD
keytab
portnumber
uncached
@ -345,8 +346,8 @@ sasldb
UCS
searchDN
keytbl
tgz
UDP
tgz
freemods
prepend
nssov
@ -364,22 +365,22 @@ crit
objectClassViolation
ssf
ldapfilter
rwm
TOC
vec
TOC
rwm
pwdChangedTime
tls
peernamestyle
xpasswd
tmp
SRP
tmp
SSL
dupbv
CPUs
SRV
entrymods
rwx
sss
rwx
reqNewRDN
nopresent
rebindproc
@ -407,6 +408,7 @@ wildcards
uri
tty
url
sambaGroupMapping
XED
sortKey
UTF
@ -419,6 +421,7 @@ txt
UTR
XER
olcDbIDLcacheSize
roomNumber
namespace
LDAPControl
dbconfig
@ -440,8 +443,8 @@ pseudorootdn
MezRroT
GDBM
LIBRELEASE
DSAs
DSA's
DSAs
realloc
booleanMatch
compareTrue
@ -501,8 +504,8 @@ pwdMinLength
iZ
ldapdelete
xyz
RDBMs
rdbms
RDBMs
extparam
mk
ng
@ -511,6 +514,7 @@ FIPS
NL
logfiles
mr
octetStringSubstringsMatch
ok
mv
LTVERSION
@ -566,8 +570,8 @@ ZZ
LDVERSION
testAttr
backend
backend's
backends
backend's
BerValues
Solaris
structs
@ -579,9 +583,9 @@ ostring
policyDN
testObject
pwdMaxAge
bindDn
bindDN
binddn
bindDN
bindDn
distributedOperation
schemachecking
strvals
@ -624,14 +628,14 @@ IEEE
regex
SIGINT
slappasswd
errAbsObject
errABsObject
errAbsObject
ldapexop
objectidentifier
objectIdentifier
objectidentifier
deallocators
MirrorMode
mirrormode
MirrorMode
loopDetect
SIGHUP
authMethodNotSupported
@ -648,8 +652,8 @@ filtercomp
expr
syntaxes
memrealloc
returnCode
returncode
returnCode
OpenLDAP's
exts
bitstringa
@ -673,8 +677,8 @@ lastName
lldap
cachesize
slapauth
attributetype
attributeType
attributetype
GSER
olcDbNosync
typedef
@ -691,11 +695,11 @@ monitoredObject
TLSVerifyClient
noidlen
LDAPNOINIT
pwdGraceAuthNLimit
pwdGraceAuthnLimit
pwdGraceAuthNLimit
hnPk
userPassword
userpassword
userPassword
noanonymous
LIBVERSION
symas
@ -714,9 +718,9 @@ IMAP
organisations
rewriteMap
monitoredInfo
modrdn
ModRDN
modrDN
ModRDN
modrdn
HREF
DQTxCYEApdUtNXGgdUac
inline
@ -731,8 +735,8 @@ reqReferral
rlookups
siiiib
LTSTATIC
timeLimitExceeded
timelimitExceeded
timeLimitExceeded
XKYnrjvGT
subtrees
unixODBC
@ -744,8 +748,8 @@ reqDN
dnstyle
inet
schemas
pwdPolicySubEntry
pwdPolicySubentry
pwdPolicySubEntry
reqId
backsql
scanf
@ -807,6 +811,7 @@ syncrepl
dbnum
operationsError
homePhone
octetStringOrderingMatch
testTwo
BmIwN
ldif
@ -1083,8 +1088,8 @@ noop
errObject
XXLIBS
reqAssertion
PDUs
nops
PDUs
baseObject
bvecadd
perl
@ -1204,6 +1209,7 @@ LxsdLy
lastmod
integerOrderingMatch
RowVersioning
sambaGroupType
searchEntryDN
pwdLockout
sbin
@ -1367,6 +1373,7 @@ malloc
XLIBS
freeit
invalidDNSyntax
sambaSID
zeilenga
addAttrDN
syncdata
@ -1383,7 +1390,6 @@ SSHA
mandir
RXER
SSFs
octetStringOrderingMatch
auditCompare
pEntry
strongAuthNotSupported
@ -1460,6 +1466,7 @@ libodbcpsql
LDAPObjectClass
sockurl
somevalue
businessCategory
getpid
monitorIsShadow
confidentialityRequired
@ -1591,12 +1598,12 @@ jpegPhoto
supportedSASLMechanisms
ACLs
reqMethod
authzID
authzid
authzId
authzid
authzID
hasSubordintes
proxycache
proxyCache
proxycache
slaptest
olcLogLevel
LDAPDN
@ -1621,8 +1628,8 @@ wBDARESEhgVG
multi
aaa
ldaprc
updatedn
UpdateDN
updatedn
LDAPBASE
LDAPAPIFeatureInfo
authzTo
@ -1657,13 +1664,12 @@ BCP
baz
params
generalizedTimeOrderingMatch
octetStringSubstringsMatch
ber
slimit
ali
attributeoptions
BfQ
uidNumber
CAs
CA's
CAs
namingContext

View file

@ -1102,16 +1102,132 @@ H2: Translucent Proxy
H3: Overview
This overlay can be used with a backend database such as slapd-bdb (5)
This overlay can be used with a backend database such as {{:slapd-bdb}}(5)
to create a "translucent proxy".
Content of entries retrieved from a remote LDAP server can be partially
overridden by the database.
Entries retrieved from a remote LDAP server may have some or all attributes
overridden, or new attributes added, by entries in the local database before
being presented to the client.
A search operation is first populated with entries from the remote LDAP server,
the attributes of which are then overridden with any attributes defined in the
local database. Local overrides may be populated with the add, modify, and
modrdn operations, the use of which is restricted to the root user of the
translucent local database.
A compare operation will perform a comparison with attributes defined in the
local database record (if any) before any comparison is made with data in the
remote database.
H3: Translucent Proxy Configuration
There are various options available with this overlay, but for this example we
will demonstrate adding new attributes to a remote entry and also searching
against these newly added local attributes. For more information about overriding remote
entries and search configuration, please see {{:slapo-translucent(5)}}
Note: The Translucent Proxy overlay will disable schema checking in the local
database, so that an entry consisting of overlay attributes need not adhere
to the complete schema.
First we configure the overlay in the normal manner:
> include /usr/local/etc/openldap/schema/core.schema
> include /usr/local/etc/openldap/schema/cosine.schema
> include /usr/local/etc/openldap/schema/nis.schema
> include /usr/local/etc/openldap/schema/inetorgperson.schema
>
> pidfile ./slapd.pid
> argsfile ./slapd.args
>
> modulepath /usr/local/libexec/openldap
> moduleload back_bdb.la
> moduleload back_ldap.la
> moduleload translucent.la
>
> database bdb
> suffix "dc=suretecsystems,dc=com"
> rootdn "cn=trans,dc=suretecsystems,dc=com"
> rootpw secret
> directory ./openldap-data
>
> index objectClass eq
>
> overlay translucent
> translucent_local carLicense
>
> uri ldap://192.168.X.X:389
> lastmod off
> acl-bind binddn="cn=admin,dc=suretecsystems,dc=com" credentials="blahblah"
You will notice the overlay directive and a directive to say what attribute we
want to be able to search against in the local database. We must also load the
ldap backend which will connect to the remote directory server.
Now we take an example LDAP group:
> # itsupport, Groups, suretecsystems.com
> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: itsupport
> gidNumber: 1000
> sambaSID: S-1-5-21-XXX
> sambaGroupType: 2
> displayName: itsupport
> memberUid: ghenry
> memberUid: joebloggs
and create an LDIF file we can use to add our data to the local database, using
some pretty strange choices of new attributes for demonstration purposes:
> [ghenry@suretec test_configs]$ cat test-translucent-add.ldif
> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
> businessCategory: frontend-override
> carLicense: LIVID
> employeeType: special
> departmentNumber: 9999999
> roomNumber: 41L-535
Searching against the proxy gives:
> [ghenry@suretec test_configs]$ ldapsearch -x -H ldap://127.0.0.1:9001 "(cn=itsupport)"
> # itsupport, Groups, OxObjects, suretecsystems.com
> dn: cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com
> objectClass: posixGroup
> objectClass: sambaGroupMapping
> cn: itsupport
> gidNumber: 1003
> SAMBASID: S-1-5-21-XXX
> SAMBAGROUPTYPE: 2
> displayName: itsupport
> memberUid: ghenry
> memberUid: joebloggs
> roomNumber: 41L-535
> departmentNumber: 9999999
> employeeType: special
> carLicense: LIVID
> businessCategory: frontend-override
Here we can see that the 5 new attributes are added to the remote entry before
being returned to the our client.
Because we have configured a local attribute to search against:
> overlay translucent
> translucent_local carLicense
we can also search for that to return the completely fabricated entry:
> ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)
This is an extremely feature because you can then extend a remote directory server
locally and also search against the local entries.
Note: Because the translucent overlay does not perform any DN rewrites, the local
and remote database instances must have the same suffix. Other configurations
will probably fail with No Such Object and other errors
H3: Further Information
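Review bot: the sample ldapsearch output in this hunk does not match the sample data it is meant to demonstrate: the group is introduced as `cn=itsupport,ou=Groups,dc=suretecsystems,dc=com` with `gidNumber: 1000`, but the entry returned through the proxy is `cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com` with `gidNumber: 1003`, and `sambaSID`/`sambaGroupType` come back as `SAMBASID`/`SAMBAGROUPTYPE`; either paste the listing from the same entry or say that it was captured against a different server, otherwise the reader cannot tell which differences the overlay produced. Two smaller points in the same hunk: the second search, `ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)`, leaves the filter unquoted, which a shell parses as a subshell, so quote it as the first example does (`"(carLicense=LIVID)"`); and the prose has a missing word in `This is an extremely feature` (presumably `extremely useful feature`) and a stray article in `returned to the our client`. Finally, since the configuration shows `rootpw secret` and `acl-bind ... credentials="blahblah"` in cleartext and a plain `uri ldap://192.168.X.X:389`, a sentence pointing the reader at restricting read access to slapd.conf and at configuring TLS for the ldap backend would be worth adding, because as written the proxy's bind credentials are sent to the remote server in the clear.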