With OpenLDAP 2.3 and above this can be obtained by rewriting the DN of bind requests before the database that will perform the operation is selected. OpenLDAP 2.3 or above is required because, to perform DN rewriting before database selection, the slapo-rwm(5) overlay must be instantiated as global, a feature that was not available before OpenLDAP 2.3.
Consider, for example, a DSA with a local database serving the dc=example,dc=com naming context, while simple bind requests should be redirected to a remote DSA serving the dc=bind naming context.
The following essential slapd.conf(5) does the trick:
# before any database
overlay rwm
rwm-rewriteEngine on
# only massage the bindDN, let the rest pass thru
rwm-rewriteContext bindDN
rwm-rewriteRule "^(.+,)?dc=example,dc=com$" "$1dc=bind" ":@"
# The "real", local database (add the backend's usual directives here)
database bdb
suffix "dc=example,dc=com"
# The "bind" database
database ldap
suffix "dc=bind"
uri "ldaps://bind.example.com"
# only allow binds
restrict read write extended
Note that a client that binds to the above DSA with a DN under dc=example,dc=com will actually be presented to the remote DSA listening on "ldaps://bind.example.com" with the same DN rewritten under dc=bind, so the "bind" database is selected for the operation instead of the local one.
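The following is an added example, not part of the original FAQ entry, that simulates what the global rewrite rule above does to a bind DN and which database slapd would then select for it. The sample DNs are constructed, and select_database is a simplified stand-in for slapd's backend selection, not OpenLDAP's own code.

```python
import re

# Python translation of the slapo-rwm rule from the configuration above.
# slapo-rwm compiles POSIX extended regexps; Python's re syntax is the same
# for this pattern. Matching is case-sensitive, as a plain ERE is; confirm
# with your own slapd what form of the DN the rule actually sees.
BIND_RULE = re.compile(r"^(.+,)?dc=example,dc=com$")

# Suffixes of the two databases of the configuration, in slapd.conf order.
DATABASES = {
    "dc=example,dc=com": "local",
    "dc=bind": "ldap (ldaps://bind.example.com)",
}


def rewrite_bind_dn(dn: str) -> str:
    """Apply the bindDN rule; DNs that do not match pass through unchanged."""
    m = BIND_RULE.match(dn)
    if m is None:
        return dn
    # "$1" is the optional "rdn,...," prefix; it is empty when the bind DN
    # is exactly the naming context, so "dc=example,dc=com" becomes "dc=bind".
    return (m.group(1) or "") + "dc=bind"


def select_database(dn: str) -> str:
    """Simplified backend selection: the database whose suffix equals the DN
    or is the DN's trailing components. Real slapd compares normalized DNs;
    a case-insensitive string comparison is enough for this demonstration."""
    dn_l = dn.lower()
    for suffix, name in DATABASES.items():
        s = suffix.lower()
        if dn_l == s or dn_l.endswith("," + s):
            return name
    return "no database"


def route_bind(dn: str) -> tuple:
    """Return (rewritten DN, selected database), in the order slapd applies
    them with a global rwm overlay: rewrite first, then choose the backend."""
    new_dn = rewrite_bind_dn(dn)
    return new_dn, select_database(new_dn)


if __name__ == "__main__":
    # Constructed sample bind DNs: two under the local context, one foreign.
    for dn in ("uid=alice,ou=people,dc=example,dc=com",
               "dc=example,dc=com",
               "uid=bob,dc=other,dc=org"):
        print(dn, "->", route_bind(dn))
```

Running it shows that a bind DN under dc=example,dc=com is handed to the "bind" (ldap) database, while a search with the same DN, which the rule does not touch, would still reach the local database.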
Be sure you carefully read slapd.conf(5), slapo-rwm(5) and the man pages of the backends you use, so that you understand all the implications of the above configuration.
Replace the ldap database with a perl or shell database to delegate authentication to some custom scripting code, or write your own backend and load it as a dynamic module (see moduleload in slapd.conf(5) for details).