
local/global userPassword



Hi,

I have a few seemingly related questions:
- how can I have identical userPasswords on different DNs?
- how do I transparently realize a kind of subset structure for
  user profiles?

Background Information:

I'm deploying OpenLDAP in an environment where one user can have
several home directories on different machines.

We want to have a global user profile with a mail address as DN:
mail=<user@domain>,ou=people,o=<org>
which stores inetOrgPerson information and holds a default userPassword.

We also need local profiles for every account with the DN
uid=<user>,ou=<domain>,o=<org>
which stores uid etc.

What we also want to do is:
use pam_ldap which searches for uid=<user> under DN: ou=<domain>,o=<org>

Now, pam will not find a userPassword there. Problem.
Is it possible to get the server to chase a kind of symbolic link to
the userPassword attribute of the global profile here?
(optimal would be if it does this only if there's no local userPassword)
I can't figure out how to implement this using referrals or aliases
(btw. are aliases automatically chased down by OpenLDAP? what are they
 good for?), what I would like to have is a symbolic link which the
 server automatically replaces by the attribute/value pair pointed to.

Or a kind of subset mechanism, where the local entry inherits the attributes
of another.

The only way I can imagine this would be to modify pam_ldap to chase
down "seeAlso" attributes.


Thanks for your ideas
	Arvid Requate
-- 
"You might write faster code in C, but you'll write code faster in Perl"