OpenLDAP Proxy -- rwm-map vs map

  sonic0002        2018-02-02 20:36:02

OpenLDAP proxy is used to relay LDAP requests and responses between clients and servers, and different servers may use different attribute names to mean the same thing. For example, one LDAP server may store the first name as firstName while another stores it as givenName. From the client's perspective, however, it only wants firstName; it does not care how the backends store it.

In this case, attribute mapping can provide a virtual view of the backend data. In another post, OpenLDAP Proxy -- Tricks and tips, we introduced how attribute mapping works using the rwm overlay. That approach works well when only one backend LDAP server is proxied.

However, what if two or more LDAP servers are configured as targets of a meta backend? Since rwm-map applies the mapping globally rather than per target, the attribute mapping may not work for some of the servers. Let's see how this happens.

Assume two LDAP servers are configured as targets in the OpenLDAP proxy meta backend, and their attributes are:

Server 1

firstName: myFirstName
sn: myLastName

Server 2

givenName: myFirstName
lastName: myLastName

In the OpenLDAP proxy, the local attribute firstName is mapped to the backend attribute givenName:

overlay rwm
rwm-map attribute firstName givenName

When an ldapsearch requesting the firstName attribute is run, firstName is first rewritten to givenName, and the proxy sends a request for givenName to server 1. Server 1 has no givenName attribute, so it returns nothing. Server 2 does have givenName, so its value is returned. This is not the expected behavior: we would expect both servers to return firstName.

It seems rwm-map cannot solve this problem. Fortunately, if you read the slapd-meta man page closely, you will find that it provides a map option that performs attribute mapping on a per-target basis.

map {attribute|objectclass} [<local name>|*] {<foreign name>|*}
  This maps object classes and attributes as in the LDAP backend.

This means you can map different attribute names on different servers to the same local attribute name. For firstName, the configuration below does this.

uri "server1"
suffixmassage "local" "target"
# identity mapping; this line can be omitted (slapd.conf comments must start the line)
map attribute firstName firstName

uri "server2"
suffixmassage "local" "target"
map attribute firstName givenName

For server 1, firstName is mapped to firstName, and for server 2 givenName is mapped to firstName, so the client sees values from both servers when an ldapsearch request is made. This is exactly what is expected.
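To make the difference concrete without a running slapd, here is a small model of how the proxy fans the request out to its targets under a global rwm-map versus per-target map. This is an added example, not code from the original post or from OpenLDAP; the directory contents and the helper names are constructed for illustration.

```python
"""Model of an OpenLDAP meta proxy fanning a search out to two targets
under (a) one global rwm-map and (b) a per-target map (constructed example)."""

# Constructed backend data: the two servers described in the post.
SERVER1 = {"cn=alice": {"firstName": ["myFirstName"], "sn": ["myLastName"]}}
SERVER2 = {"cn=alice": {"givenName": ["myFirstName"], "lastName": ["myLastName"]}}
TARGETS = {"server1": SERVER1, "server2": SERVER2}

# (a) "rwm-map attribute firstName givenName" applies to every target.
RWM_MAP = {"firstName": "givenName"}
# (b) slapd-meta "map attribute" lines from the post, one mapping per target.
META_MAP = {"server1": {"firstName": "firstName"},
            "server2": {"firstName": "givenName"}}


def backend_search(entries, attr):
    """A target can only return an attribute it actually holds."""
    return {dn: e[attr] for dn, e in entries.items() if attr in e}


def proxy_search_rwm(targets, local_attr, rwm_map):
    """overlay rwm: the same local->foreign rewrite is applied to the request
    before fan-out and reversed on the results, regardless of target."""
    foreign = rwm_map.get(local_attr, local_attr)
    results = {}
    for name, entries in targets.items():
        hits = backend_search(entries, foreign)
        results[name] = {dn: {local_attr: vals} for dn, vals in hits.items()}
    return results


def proxy_search_meta_map(targets, local_attr, per_target_map):
    """slapd-meta 'map attribute <local> <foreign>': each target carries its
    own mapping, so the request is rewritten differently per target."""
    results = {}
    for name, entries in targets.items():
        foreign = per_target_map.get(name, {}).get(local_attr, local_attr)
        hits = backend_search(entries, foreign)
        results[name] = {dn: {local_attr: vals} for dn, vals in hits.items()}
    return results


if __name__ == "__main__":
    # server1 comes back empty under rwm-map; both targets answer under map.
    print("rwm-map:", proxy_search_rwm(TARGETS, "firstName", RWM_MAP))
    print("map    :", proxy_search_meta_map(TARGETS, "firstName", META_MAP))
```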

One caution: the ldap backend (database ldap) no longer supports map; use rwm-map there instead. That works because database ldap is meant to proxy to a single LDAP server, so a global mapping is sufficient.

Hope this helps.

LDAP  OPENLDAP PROXY  OPENLDAP  MAP  RWM-MAP 
