
Re: rewrite a login into a dn in simple bind

--On Thursday, October 09, 2003 2:00 PM -0400 Ace Suares <ace@suares.nl> wrote:

A way out could be to make a separate tree (or an entirely separate
database) where you store the dn and the uid, and since you control that
database, you can give access to it by anonymous, to find the dn, and
then bind to the 'real' database with the found dn and the password.
Obviously, keeping the second database in sync with the main database
will be a pain. It could be done, but it seems there are various
obstacles in your way.

One solution to this would be if OpenLDAP would allow you to populate only portions of a tree. That currently isn't possible in 2.1. It is, however, possible in 2.2 if you use syncRepl instead of slurpd. Since the slave drives the update process, and can only update what it is allowed to access on the master, you can make different replicas contain different amounts of data -- in essence, you could have a replica that contained only the dn and uid (plus the required operational attributes).


Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html
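An added illustration of the syncRepl arrangement described in the reply above (example configuration written for this page, not from the original message or from the OpenLDAP project): an OpenLDAP 2.2-style slapd.conf fragment for the provider, whose ACLs limit what the replication identity can read, and one for the lookup replica, which pulls only uid. Hostnames, DNs, paths, the replica identity cn=replica,dc=example,dc=com and its password are assumed.

```conf
### slapd.conf on the provider (the 'real' database), assumed layout
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap
overlay         syncprov
# The replication identity may read uid (plus the 'entry' pseudo-attribute
# needed to return entries at all) and nothing else, so the replica can
# never hold more than that, whatever its own configuration asks for.
access to attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to attrs=uid,entry
    by dn.exact="cn=replica,dc=example,dc=com" read
    by users read
access to *
    by dn.exact="cn=replica,dc=example,dc=com" none
    by self write
    by users read

### slapd.conf on the lookup replica (the separate database), assumed layout
database        bdb
suffix          "dc=example,dc=com"
directory       /var/lib/ldap-lookup
rootdn          "cn=admin,dc=example,dc=com"
index           uid eq
# Anyone may search here to map a uid to its dn; nothing else is stored.
access to attrs=uid,entry
    by * read
syncrepl rid=001
    provider=ldap://master.example.com:389
    type=refreshOnly
    interval=00:00:05:00
    searchbase="ou=people,dc=example,dc=com"
    # filter on uid only: the replica identity has no access to objectClass
    filter="(uid=*)"
    scope=sub
    attrs="uid"
    # entries arrive without objectClass, so schema checking must be off
    schemachecking=off
    updatedn="cn=admin,dc=example,dc=com"
    bindmethod=simple
    binddn="cn=replica,dc=example,dc=com"
    credentials=replica-secret
```

An application then searches the replica anonymously for (uid=login) to obtain the dn and binds with that dn and the user's password against the provider. The consumer's slapd.conf holds the replica identity's password in clear, so keep that file readable by the slapd user only.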