My hint, hint didn’t work at all, it appears, so I’ve had to implement LDAP triggers on my own. :-) Motivation is an “almost real-time” synchronization of certain attribute types between OpenLDAP and AD (urgh.). I’ve already got a working prototype, and it is looking very good. I’ve created a SLAPI plugin for OpenLDAP with an embedded Lua engine. (Lua is fantastically cool: I got involved with it while writing about PowerDNS Recursor for my book.) What my SLAPI plugin (code name is Tulua (no, not the Colombian city – rather “to Lua”)) does is:

  • Load a Lua script at runtime, and reload it whenever the script file changes.
  • Call a Lua function for each LDAP add, modify and delete, passing it a Lua table (a variable) with the DN, entryCSN, attribute types and values.
  • On an LDAP modify, if the type givenname, say, is modified, call a Lua function post_attribute_givenname if that exists. If the function returns a value, replace the directory’s entry with that value.
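
A sketch of what a script loaded by such a plugin could look like, as an added example that is not Tulua's own code. Only the function name post_attribute_givenname comes from the post; the table fields (dn, entrycsn, attrs), the on_modify handler and the dispatch() driver standing in for the plugin are assumptions.

```lua
-- Added example, not Tulua code. Only post_attribute_givenname is named in
-- the post; the table layout, on_modify and dispatch() are assumptions.

-- Hook for modified givenname values. Returning a table replaces the stored
-- values; returning nil leaves the entry untouched.
function post_attribute_givenname(values)
  local out, changed = {}, false
  for i, v in ipairs(values) do
    -- Drop control characters and trim whitespace before the value is
    -- synchronised to another directory.
    local clean = v:gsub("%c", ""):gsub("^%s+", ""):gsub("%s+$", "")
    if clean ~= v then changed = true end
    out[i] = clean
  end
  if changed then return out end
end

local queue = {}  -- stand-in for the notification queue towards AD

-- Hypothetical notification handler: records which entry changed and when.
function on_modify(entry)
  queue[#queue + 1] = { dn = entry.dn, csn = entry.entrycsn }
end

-- Stand-in for the plugin's dispatch on an LDAP modify (constructed).
local function dispatch(entry)
  for attr, values in pairs(entry.attrs) do
    local hook = _G["post_attribute_" .. attr:lower()]
    if type(hook) == "function" then
      -- pcall: a hook that raises an error must not alter the entry.
      local ok, result = pcall(hook, values)
      if ok and result ~= nil then entry.attrs[attr] = result end
    end
  end
  on_modify(entry)
  return entry
end

-- Constructed sample entry; sn has no hook and passes through unchanged.
local e = dispatch({
  dn = "uid=jdoe,ou=people,dc=example,dc=org",
  entrycsn = "20080711120000Z#000000#00#000000",
  attrs = { givenname = { "  Jane\t " }, sn = { "Doe" } },
})
print(e.attrs.givenname[1], e.attrs.sn[1], #queue)
```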

What can this be used for? Some ideas:

  • Notification (i.e. triggering) on addition, deletion and modification of LDAP entries.
  • Post-modification of LDAP attribute types, controlled by a Lua script. (This is very cool.)

I still have a lot to do of course:

  • Fully understand the Lua stack.
  • Fully understand SLAPI, which, in the case of OpenLDAP, is not documented. For example, I haven’t as yet been able to determine a difference between preop and postop, if there is one.
  • Understand the threading model within a SLAPI plugin: do I have to understand? Does it concern me?
  • Ensure the DIT isn’t trashed. :-)
  • Test what happens if my SLAPI plugin is on the receiving end of a replication. (It mustn’t modify LDAP entries then.)
  • More code, more testing.

If you have any ideas you’d like to see implemented, shout. If I have the time (and the knowledge) to do so, I’ll be pleased to.

LDAP, OpenLDAP, trigger, and Lua :: 11 Jul 2008