
is proxying based on objectclass possible with back-ldap or back-meta?


I'm trying to selectively resolve posixAccount attributes on an OpenLDAP
server and have everything else proxied to an upstream NDS/LDAP server. Is
this possible?

The NDS server handles "o=nds" and it contains user details, passwords, etc.,
and the OpenLDAP server handles "o=unix", serving up posixAccount attributes,
mainly for the uidNumber and gidNumber; no userPassword (shadowAccount).

A perl script compares NDS with UNIX and creates a posixAccount with
uidNumber, gidNumber, etc. if the user is in NDS but not on the OpenLDAP server.

In OpenLDAP the default searchbase is set to o=nds, so by default things
are proxied off to the upstream NDS server.

But what I want to do is, when a search request comes in for posixAccount
in the searchbase o=nds, translate that into a lookup in the
o=unix searchbase, so the posixAccounts get resolved by OpenLDAP.

i.e. cn=username,ou=xxx,ou=yyy,o=nds becomes uid=username,ou=people,o=unix,
and when the details for this DN are looked up the posixAccount attributes
can be obtained. But I *only* want this when looking up posixAccounts.

To handle the password binding I want to map shadowAccount to an
objectclass that is on the NDS server, say 'inetOrgPerson' or 'person',
as the unix LDAP bits will do a search in the shadowAccount objectclass
when they look for a DN to bind against.

My slapd.conf thus far looks like this (OpenLDAP 2.1.15, btw):

include  /usr/local/etc/openldap/schema/core.schema
include  /usr/local/etc/openldap/schema/misc.schema
include  /usr/local/etc/openldap/schema/cosine.schema
include  /usr/local/etc/openldap/schema/inetorgperson.schema
include  /usr/local/etc/openldap/schema/nis.schema
include  /usr/local/etc/openldap/schema/solaris.schema

pidfile  /var/openldap/slapd.pid
argsfile /var/openldap/slapd.args

loglevel 256

defaultsearchbase       "o=nds"

database        meta
suffix          "o=nds"
dncache-ttl     forever
lastmod         off

uri             ldap://bne-nw1/o=nds
pseudorootdn    "cn=admin,o=nds"
pseudorootpw    secretnds
#map            objectclass shadowaccount inetorgperson

#--not working bit--
#uri             ldap://bne-nw1/o=nds
# what i want here is a someway of intercepting lookups for posixaccounts
# and direct them to the local openldap instead of sending it off to
# the NDS server - which the NDS server can't resolve
#rewriteEngine  on
#rewriteContext  searchFilter
#rewriteRule    (.*objectclass=posixAccount.*)  ????????
#rewriteRule     "(cn=[^,]+),.*,o=nds"         "ldap://localhost/%1,ou=people,o=unix";

database        bdb
suffix          "o=unix"
rootdn          "cn=root,o=unix"
rootpw          secretpw
directory       /var/openldap/data

index           cn,sn,uid       pres,eq,approx,sub
index           uidnumber       pres,eq
index           gidnumber       pres,eq
index           objectClass     eq


Does this make sense? Is this possible? Am I dreaming? Yes, I could
incorporate the posixAccount stuff into NDS, but this we want to avoid.

Thanks if you can help, or at least tell me this isn't possible.
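The routing decision the post is asking slapd to make, written out as a small Python model (an added example, not the poster's config and not slapd's rewrite engine). It assumes, as the post does, that NDS user DNs start with cn= under o=nds and that local posixAccounts live at uid=<user>,ou=people,o=unix; the filter and DN handling is a hypothetical stand-in for what the commented-out rewriteRule would have to express.

```python
import re

# Assumed layout from the post (constructed example, not a slapd feature):
# NDS users are cn=<user>,...,o=nds; local posixAccounts are uid=<user>,ou=people,o=unix.
NDS_SUFFIX = "o=nds"
UNIX_PEOPLE = "ou=people,o=unix"
# shadowAccount does not exist on NDS, so map it to an objectclass NDS knows.
OBJECTCLASS_MAP = {"shadowaccount": "inetOrgPerson"}


def split_rdns(dn):
    """Split a DN on unescaped commas; RFC 2253 '\\,' escapes stay inside their RDN."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn)]


def filter_wants_objectclass(search_filter, objectclass):
    """True if the filter asserts (objectClass=<objectclass>), case-insensitively."""
    pat = r"\(\s*objectclass\s*=\s*" + re.escape(objectclass) + r"\s*\)"
    return re.search(pat, search_filter, re.IGNORECASE) is not None


def map_filter_objectclasses(search_filter):
    """Rewrite objectClass assertions that NDS cannot resolve (shadowAccount -> inetOrgPerson)."""
    def repl(m):
        target = OBJECTCLASS_MAP.get(m.group(2).lower())
        return m.group(0) if target is None else f"({m.group(1)}={target})"
    return re.sub(r"\(\s*(objectclass)\s*=\s*([^)=]+)\)", repl, search_filter,
                  flags=re.IGNORECASE)


def route_search(base_dn, search_filter):
    """Return (backend, base_dn, filter) for one search request.

    Only a search that explicitly asks for posixAccount under o=nds is sent to
    the local o=unix tree; everything else stays with the NDS proxy, after the
    objectclass mapping. Keeping the condition this narrow is what stops other
    o=nds lookups from silently reading the local tree instead of NDS.
    """
    rdns = split_rdns(base_dn)
    under_nds = rdns[-1].lower() == NDS_SUFFIX
    if under_nds and filter_wants_objectclass(search_filter, "posixAccount"):
        attr, _, value = rdns[0].partition("=")
        if attr.strip().lower() == "cn":
            # cn=username,...,o=nds -> uid=username,ou=people,o=unix
            return ("local", f"uid={value.strip()},{UNIX_PEOPLE}", search_filter)
        # a subtree search from o=nds (or an ou below it) maps to the whole people tree
        return ("local", UNIX_PEOPLE, search_filter)
    return ("nds", base_dn, map_filter_objectclasses(search_filter))
```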