DIT changes with dn virtual transformations
Here is a summary of a common deployment scenario with Sun Directory Proxy Server:
LDAP entries are grouped by location in the DIT, e.g. user entries are located under ou=north,ou=people,dc=company,dc=com, ou=south,ou=people,dc=company,dc=com, ou=east,ou=people,dc=company,dc=com or ou=west,ou=people,dc=company,dc=com depending on the user's physical location.
Later, for the sake of simplicity, the DIT is flattened so that every user entry is stored immediately under ou=people,dc=company,dc=com.
New applications are aware of the DIT structure change, but DPS is used so that legacy applications expecting the location container node can operate without problems.
The dn mapping needed can be achieved by using virtual data transformations as described in http://docs.sun.com/app/docs/doc/820-2765/virtual_transformations?a=view
Let's assume that
- you have a data view DV1 with viewBase (suffix) set to dc=company,dc=com.
- the entry location (north, east, ...) is always available in each entry in the attribute 'location'
- entries uid=*,ou=(north|south|east|west),ou=people,dc=company,dc=com are to be mapped to uid=*,ou=people,dc=company,dc=com
You have to create a virtual data transformation on the 'dn' for data view DV1. For inbound traffic (requests), the proxy must get rid of the ou=(north|south|east|west) node. For outbound traffic (responses), the proxy generates a (fake) ou=(north|south|east|west) node from the content of the 'location' attribute of each entry.
Here is the dpconf command to do that:
dpconf add-virtual-transformation -h <host> -p <port> -d <proxy manager> DV1 mapping attr-value-mapping dn internal-value:uid=\${uid},ou=people view-value:uid=\${uid},ou=\${location},ou=people
Note: you might have to escape some characters (e.g. $) in the command above depending on the command interpreter you are using. In the example above, I used \$ instead of plain $.
Note2: dn patterns used in virtual transformations must not contain the data view viewBase (dc=company,dc=com in this case) as it is implicit.
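To make the two directions of the dn transformation concrete, here is an added example (not DPS code, and not part of the original post) that simulates the mapping the dpconf command configures: inbound requests lose the ou=<location> RDN, outbound responses get it back from the entry's 'location' attribute. It assumes a simplified reading of the ${name} pattern syntax (each placeholder matches exactly one RDN value, with no DN escaping), treats the viewBase as implicit as Note2 requires, and refuses to build a view dn for an entry that has no 'location' value, which is the case the post's assumptions rule out but a deployment should still check for.

```python
import re

# viewBase of data view DV1 from the post; it is implicit in the dpconf patterns
VIEW_BASE = "dc=company,dc=com"

# Patterns exactly as given to dpconf (internal-value / view-value)
INTERNAL_PATTERN = "uid=${uid},ou=people"
VIEW_PATTERN = "uid=${uid},ou=${location},ou=people"

_PLACEHOLDER = re.compile(r"\$\{(\w+)\}")


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Compile a ${name} pattern into an anchored, case-insensitive regex.

    Each placeholder becomes a named group matching one RDN value.
    Assumption: values contain no DN special characters (no escaped commas).
    """
    pieces = []
    for i, part in enumerate(_PLACEHOLDER.split(pattern)):
        # split() alternates literal text (even index) and placeholder names (odd)
        pieces.append(re.escape(part) if i % 2 == 0 else r"(?P<%s>[^,]+)" % part)
    return re.compile("^" + "".join(pieces) + "$", re.IGNORECASE)


def fill(pattern: str, values: dict) -> str:
    """Substitute ${name} placeholders with captured values."""
    return _PLACEHOLDER.sub(lambda m: values[m.group(1)], pattern)


def strip_view_base(dn: str):
    """Return the DN relative to VIEW_BASE, or None if the DN is outside the view."""
    suffix = "," + VIEW_BASE
    if dn.lower() == VIEW_BASE.lower():
        return ""
    if not dn.lower().endswith(suffix.lower()):
        return None
    return dn[: -len(suffix)]


def inbound(view_dn: str):
    """Request direction: DN as seen by legacy clients -> DN stored in the backend.

    Removes the ou=<location> container. Returns None for DNs outside the view
    and the DN unchanged when the view pattern does not apply.
    """
    rel = strip_view_base(view_dn)
    if rel is None:
        return None
    m = pattern_to_regex(VIEW_PATTERN).match(rel)
    if m is None:
        return view_dn
    return fill(INTERNAL_PATTERN, m.groupdict()) + "," + VIEW_BASE


def outbound(internal_dn: str, entry: dict):
    """Response direction: backend DN -> DN presented to legacy clients.

    Regenerates ou=<location> from the entry's 'location' attribute. Returns
    None when the entry has no 'location' value, because the view DN cannot be
    built without it (the post assumes every entry carries that attribute).
    """
    rel = strip_view_base(internal_dn)
    if rel is None:
        return None
    m = pattern_to_regex(INTERNAL_PATTERN).match(rel)
    if m is None:
        return internal_dn
    location = entry.get("location")
    if not location:
        return None
    values = dict(m.groupdict(), location=location)
    return fill(VIEW_PATTERN, values) + "," + VIEW_BASE


if __name__ == "__main__":
    # Constructed sample entry, not real directory data
    entry = {"uid": "jdoe", "location": "north"}
    legacy_dn = "uid=jdoe,ou=north,ou=people,dc=company,dc=com"
    backend_dn = inbound(legacy_dn)
    print("inbound :", legacy_dn, "->", backend_dn)
    print("outbound:", backend_dn, "->", outbound(backend_dn, entry))
```

Running the script round-trips uid=jdoe,ou=north,ou=people,dc=company,dc=com through the flat backend dn and back. The None result from outbound() for an entry without 'location' is the condition to monitor in a real deployment: such an entry would be invisible (or wrongly placed) to the legacy applications the proxy is meant to serve.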
We (Western Michigan University in USA) are doing something like this for the data feed to our Cisco VoIP Call Manager for phone numbers. We store the 10 digit phone number in the directory, but the Call Manager needs just the last 5 digits for intra-campus calls. So, a telephoneNumber of "269 387-1000" becomes "7-1000" when the Call Manager retrieves an entry via the DPS.
Our current issue is that the call manager's search filter cannot be modified and does an overly broad search. We have about 3,000 of our 125,000 entries with campus phone numbers. Its current search returns almost 100,000 entries. We would like to logically AND an additional search filter onto what it supplies, but so far have not figured out how to do that. Any suggestions?
Posted by Derek Diget on January 24, 2009 at 04:36 AM CET #
This is clearly a feature that is missing in the product.
I envision adding the possibility to modify the search filter and scope, in addition to the base dn and attribute name & content, in a future release.
What is the exact search filter used by the call manager? It would be useful for me to have the real use case. Does the call manager perform several kinds of searches or only one? (wondering what would be the best way to configure such a request rewriting feature)
Thanks in advance.
Posted by Sylvain Duloutre on January 27, 2009 at 01:15 PM CET #
I posted the search filter question to the directory server forums. See "DPS: logically AND search filter" at <http://forums.sun.com/thread.jspa?threadID=5363511>.
Thanks.
Posted by Derek Diget on January 28, 2009 at 09:20 PM CET #