Re: rewrite a login into a dn in simple bind
--On Thursday, October 09, 2003 2:00 PM -0400 Ace Suares <firstname.lastname@example.org> wrote:
A way out could be to make a separate tree (or an entirely separate
database) where you store the dn and the uid, and since you control that
database, you can allow anonymous access to it to find the dn, and
then bind to the 'real' database with the found dn and the password.
Obviously, keeping the second database in sync with the main database
will be a pain. It could be done, but it seems there are various
obstacles in your way.
One solution to this would be if OpenLDAP allowed you to populate only
portions of a tree. That currently isn't possible in 2.1. It is, however,
possible in 2.2 if you use syncRepl instead of slurpd. Since the slave
drives the update process, and can only update what it is allowed to access
on the master, you can make different replicas contain different amounts of
data -- in essence, you could have a replica that contained only the dn and
uid (plus the required operational attributes).
Principal Software Developer
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
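As an added illustration, not from the thread, here is the partial replica the reply describes, written as two OpenLDAP 2.2 slapd.conf fragments: the master's ACL limits what the replica identity may read, and the consumer's syncrepl directive asks only for uid. Host names, DNs and the replica credential are placeholders.

```conf
# ---- master (provider) slapd.conf, OpenLDAP 2.2 syntax; names are placeholders ----
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
# The consumer pulls changes through its own bind, so the ACL for its bind DN
# decides how much of each entry ever reaches the replica: entry + uid only.
access to attrs=entry,uid
        by dn.exact="cn=replica,dc=example,dc=com" read
        by * break
# Everything else (userPassword included) stays on the master and is never
# readable anonymously; users may still read their own entry.
access to *
        by self read
        by * none

# ---- lookup replica (consumer) slapd.conf, OpenLDAP 2.2 syntax ----
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
index           entryCSN,entryUUID eq
# attrs="uid" limits the pull to uid; the entryUUID/entryCSN needed by syncrepl
# come along anyway. Entries carrying only uid fail inetOrgPerson MUST checks,
# hence schemachecking=off. updatedn is the local identity that writes the
# replica (2.2 syntax; dropped in later releases).
syncrepl rid=1
        provider=ldap://master.example.com:389
        type=refreshOnly
        interval=00:00:05:00
        searchbase="dc=example,dc=com"
        filter="(objectClass=*)"
        scope=sub
        attrs="uid"
        schemachecking=off
        updatedn="cn=replica,dc=example,dc=com"
        bindmethod=simple
        binddn="cn=replica,dc=example,dc=com"
        credentials=REPLACE_WITH_REPLICA_SECRET
# Anyone may search the replica to turn a uid into a dn; nothing else is served.
access to attrs=entry,uid
        by dn.exact="cn=replica,dc=example,dc=com" write
        by * read
access to *
        by dn.exact="cn=replica,dc=example,dc=com" write
        by * none

# Client side of the login flow (the uid must be filter-escaped per RFC 2254
# before it is put into the search filter, otherwise a crafted login alters the query):
#   ldapsearch -x -H ldap://lookup.example.com -b dc=example,dc=com "(uid=alice)" dn
#   ldapwhoami -x -H ldap://master.example.com -D "<dn from the search>" -W
```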