Re: SASL support in back-ldap & back-meta (ITS#3022)

> Full_Name: Quanah Gibson-Mount
> Version: 2.2.6
> OS: Solaris 8
> URL: ftp://ftp.openldap.org/incoming/
> Submission from: (NULL) (
> I think it would be very useful to have SASL support in the back-ldap &
> back-meta backends.  I have a few cases where I think this would be
> useful:
> 1) Have an application on a VLAN that cannot see the directory service.
> As a workaround, set up a back-ldap server on the bridge between VLAN &
> normal internet, that can see both systems.  The application does a bind
> to the back-ldap server, which either (a) forwards the credentials of
> the application via the back-ldap server to the directory service, or
> (b) does a bind to the back-ldap server, which then does its own bind
> (GSSAPI) to the directory service.  The directory service in this case
> has ACL's for the back-ldap server, and returns attributes accordingly.
> 2) Replication to AD via back-ldap & back-meta and GSSAPI.  AD supports
> GSSAPI binds, and could be replicated to via GSSAPI.  Unfortunately, AD
> has its own custom schema.  So what I would like to be able to do, is
> set up a backend server that would replicate to AD via schema mappings
> in back-meta and/or back-ldap.  Something I'm not quite sure on there
> are little schema bits like SN being singular instead of multiple in AD,
> but I suppose that is a separate issue.

About AD considering not only SN, but also CN and other identity
fields, I had a similar experience.  It was not a big issue to us,
but it might be worth enabling back-ldap (and the coming soon
rewrite-remap overlay) to handle values as well (e.g. reduce
multiple instances of an attribute to a single value, or do
modrdn-like operations when rewriting the DN of entries, i.e.
if the rewrite alters the RDN of an entry during addition or
modification, allow rewriting the distinguished values
of the naming attributes accordingly).


Pierangelo Masarati
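For readers arriving at this ITS later: the two scenarios discussed above (a proxy that binds to the upstream directory with its own GSSAPI identity, and attribute-name remapping in front of a foreign schema) correspond to directives that later slapd releases expose in slapd-ldap(5) and slapo-rwm(5). The slapd.conf fragment below is an added illustration, not part of the original report or reply, and not something available in the 2.2.6 release the report is against; the hostnames, suffixes and the attribute pairing are constructed placeholders.

```conf
# Added example (not from the ITS): back-ldap proxy that authenticates to the
# upstream directory with its own GSSAPI identity (scenario 1b in the report).
database        ldap
suffix          "dc=example,dc=com"          # constructed placeholder suffix
uri             "ldap://directory.internal.example.com/"   # constructed hostname

# The proxy performs one SASL/GSSAPI bind of its own to the upstream server.
# mode=none: no identity assertion is sent, so the upstream server applies its
# ACLs to the proxy's own Kerberos identity, as described in scenario 1b.
idassert-bind   bindmethod=sasl saslmech=GSSAPI mode=none

# Only clients bound as these identities may be proxied at all.
idassert-authzFrom "dn.subtree:ou=apps,dc=example,dc=com"

# Added example (not from the ITS): rewrite/remap overlay in front of a directory
# with a foreign schema (scenario 2).  The mapping renames attributes between the
# virtual (client-facing) and real (upstream) naming; it does not by itself
# collapse multi-valued attributes to a single value, which is the open point
# raised in the reply above.
overlay         rwm
rwm-suffixmassage "dc=example,dc=com" "dc=ad,dc=example,dc=com"   # constructed
rwm-map         attribute sn surname           # constructed virtual/real pairing
```

`idassert-bind` and `rwm-map` are the directive names used by later slapd releases; which SASL mechanisms the proxy can use depends on the Cyrus SASL build and the Kerberos credential cache the slapd process runs with, so the fragment should be read as a statement of intent rather than a drop-in configuration.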