RE: Backend authentication



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Simon Oliver

> I have read-only access to a "master" LDAP server, but don't have the
> authority to create objects or extend the schema of the LDAP
> server.  I plan
> to setup my own local LDAP server (OpenLDAP 2.1.22).

Always use the latest release when creating a fresh installation. 2.1.22 is
old.

> However, I would like
> to utilize the "master" server for authentication purposes so
> that when
> users change their "master" password they can still log into
> my local LDAP
> server.

> Is this possible?

Yes, using back-ldap.

> Ideally I would prefer to setup a "shadow" system: if an
> object has a value
> in the local server then use that, otherwise lookup the value in the
> "master" server.  Again, is this possible?

Almost, in 2.2.4. The proxy-cache overlay in 2.2.4 provides part of this, but
it doesn't allow you to create objects locally. I suppose it may be feasible
to extend the overlay, but there are issues wrt the local and remote trees
getting out of sync.

If you can restrict your local objects to a separate subtree from the remote
master, then you can just use back-ldap glued to a local backend.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
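As an added example (not part of the original thread or of OpenLDAP's own documentation), here is a slapd.conf sketch of the arrangement Howard describes at the end: locally created objects live in their own subtree served by a local backend, and that backend is glued under a back-ldap proxy for the read-only master. Hostnames, suffixes, file paths and the rootpw are placeholders; the `subordinate` and `uri` directives are assumed to be the 2.2-era slapd.conf syntax.

```conf
# Added example, not from the original message. Placeholders throughout:
# master.example.com, dc=example,dc=com, ou=local and the paths are assumed.

include         /usr/local/etc/openldap/schema/core.schema
pidfile         /var/run/slapd.pid

# Local subtree: the only place objects are created locally.
# A subordinate database must be defined before the database it is
# glued under, and may carry only one suffix.
database        bdb
suffix          "ou=local,dc=example,dc=com"
subordinate
directory       /var/lib/ldap/local
rootdn          "cn=admin,ou=local,dc=example,dc=com"
rootpw          {SSHA}PLACEHOLDER-replace-with-slappasswd-output
index           objectClass eq

# Everything else under the suffix is proxied to the read-only master.
# A simple bind to a DN under dc=example,dc=com that is not in ou=local
# is forwarded to the master, so the master password is what gets checked
# and a password change there takes effect here immediately.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://master.example.com/"
```

Because of the glue, a subtree search based at dc=example,dc=com on the local server returns both the proxied master entries and the local ou=local entries in one result set, which is the nearest 2.2 gets to the "shadow" behaviour asked about; the two trees still do not overlap, so a value present locally is never consulted in preference to the master's copy of the same entry.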