H3: Overview
-This overlay can be used with a backend database such as slapd-bdb (5)
+This overlay can be used with a backend database such as {{:slapd-bdb}}(5)
to create a "translucent proxy".
-Content of entries retrieved from a remote LDAP server can be partially
-overridden by the database.
+Entries retrieved from a remote LDAP server may have some or all attributes
+overridden, or new attributes added, by entries in the local database before
+being presented to the client.
+
+A search operation is first populated with entries from the remote LDAP server,
+the attributes of which are then overridden with any attributes defined in the
+local database. Local overrides may be populated with the add, modify, and
+modrdn operations, the use of which is restricted to the root user of the
+translucent local database.
+
+A compare operation will perform a comparison with attributes defined in the
+local database record (if any) before any comparison is made with data in the
+remote database.
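Review bot: the manpage cross-reference on the first added line is written inconsistently with the one used later in this same patch: here it is `{{:slapd-bdb}}(5)` with the section number outside the braces, whereas the configuration section writes `{{:slapo-translucent(5)}}` with it inside; pick one form so both render the same way. The new paragraph on the compare operation says the local record is checked "before any comparison is made with data in the remote database" but never states the fall-through behaviour when the local entry lacks the attribute; one clause making that explicit would save readers a trip to the manpage.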
H3: Translucent Proxy Configuration
+There are various options available with this overlay, but for this example we
+will demonstrate adding new attributes to a remote entry and also searching
+against these newly added local attributes. For more information about overriding remote
+entries and search configuration, please see {{:slapo-translucent(5)}}
+
+Note: The Translucent Proxy overlay will disable schema checking in the local
+database, so that an entry consisting of overlay attributes need not adhere
+ to the complete schema.
+
+First we configure the overlay in the normal manner:
+> include /usr/local/etc/openldap/schema/core.schema
+> include /usr/local/etc/openldap/schema/cosine.schema
+> include /usr/local/etc/openldap/schema/nis.schema
+> include /usr/local/etc/openldap/schema/inetorgperson.schema
+>
+> pidfile ./slapd.pid
+> argsfile ./slapd.args
+>
+> modulepath /usr/local/libexec/openldap
+> moduleload back_bdb.la
+> moduleload back_ldap.la
+> moduleload translucent.la
+>
+> database bdb
+> suffix "dc=suretecsystems,dc=com"
+> rootdn "cn=trans,dc=suretecsystems,dc=com"
+> rootpw secret
+> directory ./openldap-data
+>
+> index objectClass eq
+>
+> overlay translucent
+> translucent_local carLicense
+>
+> uri ldap://192.168.X.X:389
+> lastmod off
+> acl-bind binddn="cn=admin,dc=suretecsystems,dc=com" credentials="blahblah"
+
+You will notice the overlay directive and a directive to say what attribute we
+want to be able to search against in the local database. We must also load the
+ldap backend which will connect to the remote directory server.
+
+Now we take an example LDAP group:
+
+> # itsupport, Groups, suretecsystems.com
+> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+> objectClass: posixGroup
+> objectClass: sambaGroupMapping
+> cn: itsupport
+> gidNumber: 1000
+> sambaSID: S-1-5-21-XXX
+> sambaGroupType: 2
+> displayName: itsupport
+> memberUid: ghenry
+> memberUid: joebloggs
+
+and create an LDIF file we can use to add our data to the local database, using
+ some pretty strange choices of new attributes for demonstration purposes:
+
+> [ghenry@suretec test_configs]$ cat test-translucent-add.ldif
+> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+> businessCategory: frontend-override
+> carLicense: LIVID
+> employeeType: special
+> departmentNumber: 9999999
+> roomNumber: 41L-535
+
+Searching against the proxy gives:
+
+> [ghenry@suretec test_configs]$ ldapsearch -x -H ldap://127.0.0.1:9001 "(cn=itsupport)"
+> # itsupport, Groups, OxObjects, suretecsystems.com
+> dn: cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com
+> objectClass: posixGroup
+> objectClass: sambaGroupMapping
+> cn: itsupport
+> gidNumber: 1003
+> SAMBASID: S-1-5-21-XXX
+> SAMBAGROUPTYPE: 2
+> displayName: itsupport
+> memberUid: ghenry
+> memberUid: joebloggs
+> roomNumber: 41L-535
+> departmentNumber: 9999999
+> employeeType: special
+> carLicense: LIVID
+> businessCategory: frontend-override
+
+Here we can see that the 5 new attributes are added to the remote entry before
+being returned to the our client.
+
+Because we have configured a local attribute to search against:
+
+> overlay translucent
+> translucent_local carLicense
+
+we can also search for that to return the completely fabricated entry:
+
+> ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)
+
+This is an extremely feature because you can then extend a remote directory server
+locally and also search against the local entries.
+
+Note: Because the translucent overlay does not perform any DN rewrites, the local
+ and remote database instances must have the same suffix. Other configurations
+will probably fail with No Such Object and other errors
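Review bot: the second ldapsearch example, `ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)`, leaves the filter unquoted, so the shell treats the parentheses as syntax and the command fails before it ever reaches slapd; quote it the way the earlier example does (`"(cn=itsupport)"`). The sample output also disagrees with the entries shown just above it: the LDIF adds attributes to `cn=itsupport,ou=Groups,dc=suretecsystems,dc=com` with `gidNumber: 1000`, yet the search result returns `cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com` with `gidNumber: 1003` and upper-cased SAMBASID/SAMBAGROUPTYPE, so it looks pasted from a different run; for a worked example the input and output should match. Smaller fixes: "This is an extremely feature" is missing a word (presumably "useful"), "returned to the our client" has a stray "the", the final note sentence and the slapo-translucent(5) reference lack a terminating period, and three continuation lines begin with a leading space after the `+` (" to the complete schema.", " some pretty strange choices", " and remote database instances"), which SDF may treat as the start of a verbatim block rather than paragraph text.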
H3: Further Information