From: Gavin Henry
Date: Fri, 29 Aug 2008 22:20:45 +0000 (+0000)
Subject: Translucent Overlay docs
X-Git-Tag: ACLCHECK_0~1405
X-Git-Url: https://git.sur5r.net/?a=commitdiff_plain;h=c38d449391ac674dc64ee1ee44fe76973db3e387;p=openldap

Translucent Overlay docs
---

diff --git a/doc/guide/admin/aspell.en.pws b/doc/guide/admin/aspell.en.pws
index de69b610a9..ccc95a11d5 100644
--- a/doc/guide/admin/aspell.en.pws
+++ b/doc/guide/admin/aspell.en.pws
@@ -1,4 +1,4 @@
-personal_ws-1.1 en 1668
+personal_ws-1.1 en 1674
 commonName
 bla
 Masarati
@@ -6,8 +6,8 @@ subjectAltName
 api
 usnCreated
 BhY
-olcSyncrepl
 olcSyncRepl
+olcSyncrepl
 adamsom
 adamson
 CER
@@ -39,8 +39,8 @@ DIB
 dev
 reqNewSuperior
 librewrite
-memberOf
 memberof
+memberOf
 BSI
 updateref
 buf
@@ -64,9 +64,9 @@ reqcert
 CRP
 postread
 csn
+laura
 checkpass
 xvfB
-laura
 neverDerefaliases
 dns
 DN's
@@ -90,8 +90,8 @@ dlopen
 eng
 AttributeValue
 attributevalue
-EOF
 DUA
+EOF
 inputfile
 DSP
 refreshDone
@@ -127,10 +127,10 @@ iff
 contextCSN
 auditModify
 auditSearch
-openldap
 OpenLDAP
-resultCode
+openldap
 resultcode
+resultCode
 sysconfig
 indices
 blen
@@ -144,6 +144,7 @@ iscritical
 qbuaQ
 gss
 ZKKuqbEKJfKSXhUbHG
+employeeType
 invalidAttributeSyntax
 subtree
 Kartik
@@ -169,13 +170,13 @@ argv
 kdz
 notAllowedOnRDN
 hostport
-starttls
 StartTLS
+starttls
 ldb
 servercredp
 ldd
-ipv
 IPv
+ipv
 hyc
 joe
 bindmethods
@@ -207,8 +208,8 @@ libpath
 acknowledgements
 jts
 createTimestamp
-LLL
 MIB
+LLL
 OpenSSL
 openssl
 LOF
@@ -248,10 +249,10 @@ Subbarao
 aeeiib
 oidlen
 submatches
-olc
 PEM
-PDU
+olc
 OLF
+PDU
 LDAPSchemaExtensionItem
 auth
 Pierangelo
@@ -267,8 +268,8 @@ cleartext
 numattrsets
 requestDN
 caseExactSubstringsMatch
-PKI
 NSS
+PKI
 olcSyncProvConfig
 ple
 NTP
@@ -291,9 +292,9 @@ rdn
 wZFQrDD
 OTP
 olcSizeLimit
-pos
-sbi
 PRD
+sbi
+pos
 pre
 sudoadm
 stringal
@@ -313,8 +314,8 @@ bvec
 HtZhZS
 TBC
 stringbv
-Sep
 SHA
+Sep
 ptr
 conn
 pwd
@@ -331,8 +332,8 @@ myOID
 supportedSASLMechanism
 supportedSASLmechanism
 realnamingcontext
-SMD
 UCD
+SMD
 keytab
 portnumber
 uncached
@@ -345,8 +346,8 @@ sasldb
 UCS
 searchDN
 keytbl
-tgz
 UDP
+tgz
 freemods
 prepend
 nssov
@@ -364,22 +365,22 @@ crit
 objectClassViolation
 ssf
 ldapfilter
-rwm
-TOC
 vec
+TOC
+rwm
 pwdChangedTime
 tls
 peernamestyle
 xpasswd
-tmp
 SRP
+tmp
 SSL
 dupbv
 CPUs
 SRV
 entrymods
-rwx
 sss
+rwx
 reqNewRDN
 nopresent
 rebindproc
@@ -407,6 +408,7 @@ wildcards
 uri
 tty
 url
+sambaGroupMapping
 XED
 sortKey
 UTF
@@ -419,6 +421,7 @@ txt
 UTR
 XER
 olcDbIDLcacheSize
+roomNumber
 namespace
 LDAPControl
 dbconfig
@@ -440,8 +443,8 @@ pseudorootdn
 MezRroT
 GDBM
 LIBRELEASE
-DSAs
 DSA's
+DSAs
 realloc
 booleanMatch
 compareTrue
@@ -501,8 +504,8 @@ pwdMinLength
 iZ
 ldapdelete
 xyz
-RDBMs
 rdbms
+RDBMs
 extparam
 mk
 ng
@@ -511,6 +514,7 @@ FIPS
 NL
 logfiles
 mr
+octetStringSubstringsMatch
 ok
 mv
 LTVERSION
@@ -566,8 +570,8 @@ ZZ
 LDVERSION
 testAttr
 backend
-backend's
 backends
+backend's
 BerValues
 Solaris
 structs
@@ -579,9 +583,9 @@ ostring
 policyDN
 testObject
 pwdMaxAge
-bindDn
-bindDN
 binddn
+bindDN
+bindDn
 distributedOperation
 schemachecking
 strvals
@@ -624,14 +628,14 @@ IEEE
 regex
 SIGINT
 slappasswd
-errAbsObject
 errABsObject
+errAbsObject
 ldapexop
-objectidentifier
 objectIdentifier
+objectidentifier
 deallocators
-MirrorMode
 mirrormode
+MirrorMode
 loopDetect
 SIGHUP
 authMethodNotSupported
@@ -648,8 +652,8 @@ filtercomp
 expr
 syntaxes
 memrealloc
-returnCode
 returncode
+returnCode
 OpenLDAP's
 exts
 bitstringa
@@ -673,8 +677,8 @@ lastName
 lldap
 cachesize
 slapauth
-attributetype
 attributeType
+attributetype
 GSER
 olcDbNosync
 typedef
@@ -691,11 +695,11 @@ monitoredObject
 TLSVerifyClient
 noidlen
 LDAPNOINIT
-pwdGraceAuthNLimit
 pwdGraceAuthnLimit
+pwdGraceAuthNLimit
 hnPk
-userPassword
 userpassword
+userPassword
 noanonymous
 LIBVERSION
 symas
@@ -714,9 +718,9 @@ IMAP
 organisations
 rewriteMap
 monitoredInfo
-modrdn
-ModRDN
 modrDN
+ModRDN
+modrdn
 HREF
 DQTxCYEApdUtNXGgdUac
 inline
@@ -731,8 +735,8 @@ reqReferral
 rlookups
 siiiib
 LTSTATIC
-timeLimitExceeded
 timelimitExceeded
+timeLimitExceeded
 XKYnrjvGT
 subtrees
 unixODBC
@@ -744,8 +748,8 @@ reqDN
 dnstyle
 inet
 schemas
-pwdPolicySubEntry
 pwdPolicySubentry
+pwdPolicySubEntry
 reqId
 backsql
 scanf
@@ -807,6 +811,7 @@ syncrepl
 dbnum
 operationsError
 homePhone
+octetStringOrderingMatch
 testTwo
 BmIwN
 ldif
@@ -1083,8 +1088,8 @@ noop
 errObject
 XXLIBS
 reqAssertion
-PDUs
 nops
+PDUs
 baseObject
 bvecadd
 perl
@@ -1204,6 +1209,7 @@ LxsdLy
 lastmod
 integerOrderingMatch
 RowVersioning
+sambaGroupType
 searchEntryDN
 pwdLockout
 sbin
@@ -1367,6 +1373,7 @@ malloc
 XLIBS
 freeit
 invalidDNSyntax
+sambaSID
 zeilenga
 addAttrDN
 syncdata
@@ -1383,7 +1390,6 @@ SSHA
 mandir
 RXER
 SSFs
-octetStringOrderingMatch
 auditCompare
 pEntry
 strongAuthNotSupported
@@ -1460,6 +1466,7 @@ libodbcpsql
 LDAPObjectClass
 sockurl
 somevalue
+businessCategory
 getpid
 monitorIsShadow
 confidentialityRequired
@@ -1591,12 +1598,12 @@ jpegPhoto
 supportedSASLMechanisms
 ACLs
 reqMethod
-authzID
-authzid
 authzId
+authzid
+authzID
 hasSubordintes
-proxycache
 proxyCache
+proxycache
 slaptest
 olcLogLevel
 LDAPDN
@@ -1621,8 +1628,8 @@ wBDARESEhgVG
 multi
 aaa
 ldaprc
-updatedn
 UpdateDN
+updatedn
 LDAPBASE
 LDAPAPIFeatureInfo
 authzTo
@@ -1657,13 +1664,12 @@ BCP
 baz
 params
 generalizedTimeOrderingMatch
-octetStringSubstringsMatch
 ber
 slimit
 ali
 attributeoptions
 BfQ
 uidNumber
-CAs
 CA's
+CAs
 namingContext
diff --git a/doc/guide/admin/overlays.sdf b/doc/guide/admin/overlays.sdf
index d25921ca47..48dd94d02a 100644
--- a/doc/guide/admin/overlays.sdf
+++ b/doc/guide/admin/overlays.sdf
@@ -1102,16 +1102,132 @@ H2: Translucent Proxy
 H3: Overview
-This overlay can be used with a backend database such as slapd-bdb (5)
+This overlay can be used with a backend database such as {{:slapd-bdb}}(5)
 to create a "translucent proxy".
-Content of entries retrieved from a remote LDAP server can be partially
-overridden by the database.
+Entries retrieved from a remote LDAP server may have some or all attributes
+overridden, or new attributes added, by entries in the local database before
+being presented to the client.
+
+A search operation is first populated with entries from the remote LDAP server,
+the attributes of which are then overridden with any attributes defined in the
+local database. Local overrides may be populated with the add, modify, and
+modrdn operations, the use of which is restricted to the root user of the
+translucent local database.
+
+A compare operation will perform a comparison with attributes defined in the
+local database record (if any) before any comparison is made with data in the
+remote database.
 H3: Translucent Proxy Configuration
+There are various options available with this overlay, but for this example we
+will demonstrate adding new attributes to a remote entry and also searching
+against these newly added local attributes. For more information about overriding remote
+entries and search configuration, please see {{:slapo-translucent(5)}}
+
+Note: The Translucent Proxy overlay will disable schema checking in the local
+database, so that an entry consisting of overlay attributes need not adhere
+ to the complete schema.
+
+First we configure the overlay in the normal manner:
+> include /usr/local/etc/openldap/schema/core.schema
+> include /usr/local/etc/openldap/schema/cosine.schema
+> include /usr/local/etc/openldap/schema/nis.schema
+> include /usr/local/etc/openldap/schema/inetorgperson.schema
+>
+> pidfile ./slapd.pid
+> argsfile ./slapd.args
+>
+> modulepath /usr/local/libexec/openldap
+> moduleload back_bdb.la
+> moduleload back_ldap.la
+> moduleload translucent.la
+>
+> database bdb
+> suffix "dc=suretecsystems,dc=com"
+> rootdn "cn=trans,dc=suretecsystems,dc=com"
+> rootpw secret
+> directory ./openldap-data
+>
+> index objectClass eq
+>
+> overlay translucent
+> translucent_local carLicense
+>
+> uri ldap://192.168.X.X:389
+> lastmod off
+> acl-bind binddn="cn=admin,dc=suretecsystems,dc=com" credentials="blahblah"
+
+You will notice the overlay directive and a directive to say what attribute we
+want to be able to search against in the local database. We must also load the
+ldap backend which will connect to the remote directory server.
+
+Now we take an example LDAP group:
+
+> # itsupport, Groups, suretecsystems.com
+> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+> objectClass: posixGroup
+> objectClass: sambaGroupMapping
+> cn: itsupport
+> gidNumber: 1000
+> sambaSID: S-1-5-21-XXX
+> sambaGroupType: 2
+> displayName: itsupport
+> memberUid: ghenry
+> memberUid: joebloggs
+
+and create an LDIF file we can use to add our data to the local database, using
+ some pretty strange choices of new attributes for demonstration purposes:
+
+> [ghenry@suretec test_configs]$ cat test-translucent-add.ldif
+> dn: cn=itsupport,ou=Groups,dc=suretecsystems,dc=com
+> businessCategory: frontend-override
+> carLicense: LIVID
+> employeeType: special
+> departmentNumber: 9999999
+> roomNumber: 41L-535
+
+Searching against the proxy gives:
+
+> [ghenry@suretec test_configs]$ ldapsearch -x -H ldap://127.0.0.1:9001 "(cn=itsupport)"
+> # itsupport, Groups, OxObjects, suretecsystems.com
+> dn: cn=itsupport,ou=Groups,ou=OxObjects,dc=suretecsystems,dc=com
+> objectClass: posixGroup
+> objectClass: sambaGroupMapping
+> cn: itsupport
+> gidNumber: 1003
+> SAMBASID: S-1-5-21-XXX
+> SAMBAGROUPTYPE: 2
+> displayName: itsupport
+> memberUid: ghenry
+> memberUid: joebloggs
+> roomNumber: 41L-535
+> departmentNumber: 9999999
+> employeeType: special
+> carLicense: LIVID
+> businessCategory: frontend-override
+
+Here we can see that the 5 new attributes are added to the remote entry before
+being returned to the our client.
+
+Because we have configured a local attribute to search against:
+
+> overlay translucent
+> translucent_local carLicense
+
+we can also search for that to return the completely fabricated entry:
+
+> ldapsearch -x -H ldap://127.0.0.1:9001 (carLicense=LIVID)
+
+This is an extremely feature because you can then extend a remote directory server
+locally and also search against the local entries.
+
+Note: Because the translucent overlay does not perform any DN rewrites, the local
+ and remote database instances must have the same suffix. Other configurations
+will probably fail with No Such Object and other errors
 H3: Further Information