Hi!

On Thu, Apr 20, 2006 at 09:34:52AM +0200, Pierangelo Masarati wrote:
> > I need a "rewrite rule". For example, when a client tries to authorize as
> > uid=A,ou=all-users,o=org I want to check this uid in two containers:
> > uid=A,ou=local-users,o=org and uid=A,ou=ext-users,o=org. Is it
> > possible?
> >
> > I read about referral and subordinate. But I want to use it on one server
> > and in one database. Is it possible?
>
> Yes, although not trivial. You should try something like
>
> database <any>
> suffix "ou=local-users,o=org"
> # ...
>
> database <any>
> suffix "ou=ext-users,o=org"
> # ...
>
> database meta
> suffix "ou=all-users,o=org"
> uri "ldap:///ou=all-users,o=org"
> suffixmassage "ou=all-users,o=org" "ou=local-users,o=org"
> uri "ldap:///ou=all-users,o=org"
> suffixmassage "ou=all-users,o=org" "ou=ext-users,o=org"
I tried to play with the meta backend, but did not get a result. My current config:

    ...
    access to dn.regex="^(.+)o=oil([^,]+)$" attrs=userPassword,sambaLMPassword,sambaNTPassword
        by anonymous auth
        by self write
        by dn.exact,expand="uid=ldap-sync,ou=virtusers,o=oil$2" read
        by dn.exact,expand="uid=fbsd-samba-admin,ou=virtusers,o=oil$2" read
        by * none
    access to *
        by * read

    database bdb
    suffix "o=oilspace"
    ...
    syncrepl rid=001 ...

    database bdb
    suffix "o=oil-space"
    overlay ppolicy
    overlay accesslog
    overlay syncprov
    ...

    database meta
    suffix "o=oilspace-all"
    rebind-as-user yes
    lastmod off
    uri ldap://fbsd/o=oilspace-all
    suffixmassage "o=oilspace-all" "o=oilspace"
    uri ldap://fbsd/o=oilspace-all
    suffixmassage "o=olspace-all" "o=oil-space"

The config is a little complex -- it's my experimental sandbox, but maybe a detailed description of the config is important for help.

When I try:

    $ ldapsearch -ZxD uid=dkirhlarov,ou=users,o=oilspace -H ldap://fbsd -s one -Wb ou=users,o=oilspace-all -vvLLL 'uid=...' 'cn'

I have two scenarios:

1. When the record is present in both backend databases I get:

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy

    dn: uid=dkirhlarov,ou=users,o=oilspace-all
    cn: Dmitriy
    ....

It works very slowly (some internal timeouts?) and looks like a loop.

2. The record is present in the second database. In this case I never get a result.

In both cases the connection to the ldap server is not closed.

I continue re-reading slapd-meta(5), but it does not help so far. :)

My system is:

    FreeBSD 6.1-PRERELEASE
    openldap-server-2.3.21

Can somebody help me?

WBR
--
Dmitriy Kirhlarov
OILspace, 26 Leninskaya sloboda, bld. 2, 2nd floor, 115280 Moscow, Russia
P:+7 495 105 7247 ext.203 F:+7 495 105 7246 E:[EMAIL PROTECTED]
OILspace - The resource enriched - www.oilspace.com
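A check worth running on a meta stanza like the one in the message above, added here as an example and not part of the thread or of OpenLDAP: it parses the `database meta` section and reports any `suffixmassage` whose virtual suffix does not match the database suffix, since slapd-meta only rewrites DNs that end in the configured virtual suffix and passes anything else to the target unchanged. `SAMPLE_CONF` is the meta stanza copied from the message; the parser's handling of quoting and DN normalisation is this example's own assumption, not slapd's parser.

```python
# Added example (not from the thread or OpenLDAP): lint a 'database meta'
# stanza for suffixmassage entries that do not match the database suffix.
import re

# Meta stanza copied from the message above (the second suffixmassage line
# reads "o=olspace-all" there).
SAMPLE_CONF = """\
database meta
suffix "o=oilspace-all"
rebind-as-user yes
lastmod off
uri ldap://fbsd/o=oilspace-all
suffixmassage "o=oilspace-all" "o=oilspace"
uri ldap://fbsd/o=oilspace-all
suffixmassage "o=olspace-all" "o=oil-space"
"""

def norm_dn(dn):
    """Strip quotes, lowercase, and drop whitespace around RDN separators."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(","))

def parse_meta(conf):
    """Return (suffix, [(uri, virtual_suffix, real_suffix), ...])."""
    suffix, targets = None, []
    for line in conf.splitlines():
        toks = re.findall(r'"[^"]*"|\S+', line.strip())
        if not toks or toks[0].startswith("#"):
            continue
        key, args = toks[0].lower(), toks[1:]
        if key == "suffix":
            suffix = norm_dn(args[0])
        elif key == "uri":                     # each uri opens a new target
            targets.append([args[0], None, None])
        elif key == "suffixmassage" and targets:
            targets[-1][1:] = [norm_dn(args[0]), norm_dn(args[1])]
    return suffix, [tuple(t) for t in targets]

def lint_meta(conf):
    """Return findings; an empty list means every target rewrites the suffix."""
    suffix, targets = parse_meta(conf)
    findings = []
    for i, (uri, vsuf, rsuf) in enumerate(targets, 1):
        if vsuf is None:
            findings.append(f"target {i}: {uri} has no suffixmassage")
        elif vsuf != suffix:
            findings.append(f"target {i}: suffixmassage virtual suffix "
                            f"{vsuf!r} != database suffix {suffix!r}")
    return findings

if __name__ == "__main__":
    print("\n".join(lint_meta(SAMPLE_CONF)) or "no findings")
```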