Further Capabilities

The proxy back end has more capabilities than just forwarding an LDAP request; I will mention just two of them, the map and rewrite directives.

The map directive lets you map an attribute or object class name as clients see it on the proxy (the local name) to the name used on the directory server (the foreign name). It also lets you filter out attributes coming from the directory server, so that they never reach the client. The syntax is

map {attribute|objectclass} [<local name>|*] {<foreign name>|*}

The star (*) has a particular meaning. As the man page states, if the local or foreign name is "*", the name is preserved; if the local name is omitted, the foreign name is removed, that is, the attribute is dropped from what the proxy returns. Therefore, the three lines

map attribute cn *
map attribute sn *
map attribute *

map sn and cn onto themselves and remove any other attribute coming from the directory server.

The rewrite directive lets you rewrite the strings that move back and forth between client and directory server, such as bind DNs, search bases and the DNs of returned entries. The rewriting is executed according to a set of rules, which are formulated using regular expressions. The basic syntax is:

RewriteRule <regular expression> <substitution pattern> [ <flags> ]

You can read more about this module in the slapd-ldap(5) man page delivered with the OpenLDAP distribution.
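The following slapd.conf fragment is an added example, not taken from the book or from the OpenLDAP distribution. It puts both directives to work in one back-ldap proxy database using the OpenLDAP 2.1/2.2 directive set described here (in OpenLDAP 2.3 and later the same directives live in the rwm overlay and carry an rwm- prefix). The host name, the two suffixes, and the attribute and object class names uid/employeeNumber and exampleEmployee are assumptions made for the example.

```conf
# Added example: a back-ldap proxy database for OpenLDAP 2.1/2.2.
# Host name, suffixes and the renamed attribute/class are assumptions.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://directory.internal.example/"

# --- map: local (client-facing) name on the left, foreign (real
# --- server) name on the right.  "*" keeps the name unchanged.
# objectClass is itself an attribute; list it so it survives the
# catch-all rule at the end of the attribute map.
map attribute   objectClass     *
map attribute   cn              *
map attribute   sn              *
map attribute   mail            *
# Rename: clients read and search "uid"; the real server stores the
# value as "employeeNumber" (assumed name).  Requested attributes and
# filters are mapped local -> foreign on the way out, results
# foreign -> local on the way back.
map attribute   uid             employeeNumber
# No local name, foreign name "*": every attribute not listed above is
# removed from results, so userPassword, telephoneNumber and the like
# never leave the proxy.
map attribute   *

# Object classes have their own map.  Present the real server's
# private class (assumed name) under its standard equivalent and keep
# "person" as it is.
map objectclass inetOrgPerson   exampleEmployee
map objectclass person          *

# --- rewrite: hide the real naming context.  Rules in "default" apply
# --- to every context that has no rules of its own (bind DN, search
# --- base); "searchResult" is the way back for the DNs of returned
# --- entries.  %1 is the first parenthesised group of the pattern,
# --- ":" means no special flags.
rewriteEngine   on
rewriteContext  default
rewriteRule     "(.*)dc=example,dc=com$"  "%1o=Example,c=US"     ":"
rewriteContext  searchResult
rewriteRule     "(.*)o=Example,c=US$"     "%1dc=example,dc=com"  ":"
# This pair is equivalent in effect to the shortcut
#   suffixmassage "dc=example,dc=com" "o=Example,c=US"
# Use one form or the other, not both.
```

A client that binds as cn=Alice,dc=example,dc=com and searches for (uid=1234) therefore reaches the real server as cn=Alice,o=Example,c=US asking for (employeeNumber=1234), and gets back entries under dc=example,dc=com carrying only objectClass, cn, sn, mail and uid. Anything the real server adds beyond those, deliberately or by misconfiguration, is dropped at the proxy.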



The Meta Back End

The LDAP back end provides your OpenLDAP server with the capabilities of a proxy server; the meta back end and the rewrite engine add multi-server proxying, rewriting and masquerading, and so complete the proxy OpenLDAP server. The meta back end is compiled in with the configure switch

--enable-meta

The meta back end requires the rewrite engine code to be compiled as well, which is achieved with the switch

--enable-rewrite

The meta back end extends the functionality of the LDAP (proxy) back end, and the two share pieces of source code. You must therefore also compile the LDAP back end into slapd. Following is the shell script that prepares OpenLDAP for compilation:

#!/usr/bin/sh
#
# Name        : ConfigLdapServer.sh
# Author      : Reinhard E. Voglmaier
# Date        : 27.04.2003
# Version     : 2.1
# Description : Configure OpenLDAP compilation/installation
#
# Server Name, used later in the configure switches
Server=proxy
Main=ldap

# BerkeleyDB headers and libraries live outside the default paths;
# point the compiler and linker at them.
CC=gcc \
CPPFLAGS="-I/usr/local/BerkeleyDB.4.1/include" \
LDFLAGS="-L/usr/local/BerkeleyDB.4.1/lib" \
./configure \
    --bindir=/usr/local/${Server}/bin \
    --sbindir=/usr/local/${Server}/sbin \
    --libexecdir=/usr/local/${Server}/libexec \
    --libdir=/usr/local/${Server}/lib \
    --localstatedir=/usr/local/${Server}/var \
    --sysconfdir=/usr/local/${Server}/etc \
    --mandir=/usr/local/${Main}/man \
    --includedir=/usr/local/${Main}/include \
    --datadir=/usr/local/${Main}/share \
    --disable-bdb \
    --enable-rewrite \
    --enable-ldap \
    --enable-meta

What is the difference between the proxy back end enabled with --enable-ldap (back-ldap) and the meta back end (back-meta)? The LDAP proxy back end is intended for proxying a single remote LDAP server. The meta back end allows you to proxy to more than one LDAP server and to present them to clients under a single naming context. It also helps you in masquerading the traffic between the actual LDAP servers and the clients: the client has no idea which LDAP server answers its requests, nor how that server is configured. You may wonder why hiding this information can be useful. Imagine you use the proxy server on the Internet as the entry point for a directory that also holds protected information. A proxy that hides the real servers' naming contexts and maps away the attributes that must not be exposed narrows the view given to users coming from outside to exactly what they are meant to see. Keep in mind that this is a view, not an authorization mechanism: access control must still be enforced, by the ACLs of the proxy and of the real directory servers, and the hiding only means something if the real servers are not reachable from outside except through the proxy.

If you need more information about the meta back end, look at the slapd-meta(5) and slapd-ldap(5) manual pages distributed with the source code of the OpenLDAP distribution.
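The slapd.conf fragment below is an added example, not code from the book or from the OpenLDAP distribution. It shows a back-meta database that presents two real servers with two different real suffixes as one virtual tree, with per-target suffixmassage and map directives, and the ACLs on the proxy that back the masquerading up. The host names, suffixes and attribute names are assumptions made for the example.

```conf
# Added example: a back-meta proxy presenting two real servers as one
# tree under dc=example,dc=com.  Host names, suffixes and attribute
# names are assumptions.
database        meta
suffix          "dc=example,dc=com"

# Each "uri" opens a new target.  The DN part of the URI is the branch
# of the virtual tree this target answers for and must lie under the
# database suffix; the directives that follow apply to this target only.
uri             "ldap://people.internal.example/ou=People,dc=example,dc=com"
# The people server keeps these entries under its own suffix;
# suffixmassage rewrites it on the way out and back, so the real
# naming context never appears in what the client sees.
suffixmassage   "ou=People,dc=example,dc=com" "ou=Staff,o=Example,c=US"
# Maps are per target too: publish a minimal view of a person and
# drop every other attribute the people server returns.
map attribute   objectClass     *
map attribute   cn              *
map attribute   sn              *
map attribute   mail            *
map attribute   *

# Second target: partner contacts live on another server with yet
# another suffix.  The client sees both branches as one directory.
uri             "ldap://partners.internal.example/ou=Partners,dc=example,dc=com"
suffixmassage   "ou=Partners,dc=example,dc=com" "ou=Contacts,dc=partnerdir,dc=net"
map attribute   objectClass     *
map attribute   cn              *
map attribute   mail            *
map attribute   o               *
map attribute   *

# Masquerading is a view, not authorization.  The proxy's own ACLs are
# still applied to what it returns (read access to entries and their
# attributes is checked by the frontend), so deny here the attributes
# that must never cross the boundary, whatever the maps above allow.
# Bind and write authorization are decided by the real servers, which
# must therefore keep their own ACLs and be reachable only via the proxy.
access to attrs=userPassword,employeeNumber
        by * none
access to *
        by * read
```

A search with base dc=example,dc=com is fanned out to both targets and the results come back as one answer set under the virtual suffix; a search with base ou=Partners,dc=example,dc=com goes to the partner server alone. The two suffixmassage lines and the two attribute maps are independent, so each real server can be renamed, replaced or filtered without the clients noticing.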


