RE: Split attributes across servers
> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of Steve Sullivan
> We'd like to have two servers, each containing part of the
> attributes of a given dn. For example,
> for a given dn: uid=babs,ou=people,dc=example,dc=org
> the server: ldap://public_server
> would contain the public info for babs, say: uid, sn, cn, title
> and the server: ldap://secure_server
> would contain the private info for babs, say: homePhone, jpegPhoto
> We want some users only to see the public info,
> which is easy with the standard LDAP auth mechanisms.
> But we want other users to see ALL the attributes,
> public and secure, as a single integrated record.
> Is there a way to integrate these two servers so they
> could return a single record with ALL the attributes?
The function you want is usually a feature of a meta-directory service. This
feature is not currently present in OpenLDAP.
> The reason is that different institutions will host the
> servers, and the secure server folks don't want to manage the
> public info, and the public server folks don't want to know
> the secure info.
> Is there a way to do this? I read over the docs on slurpd,
> but didn't see one.
In OpenLDAP 2.2 a read-only service can easily be created by overlaying
back-ldap on top of a local database backend (or another back-ldap instance,
for that matter). The overlay would issue any received search requests to
both the underlying backends and merge the results before sending them to the
client. Supporting writes/updates would require a bit more work, defining the
schema elements that are contributed by each partition. Note - no such
overlay code exists at the moment, but it wouldn't take much effort to write.
-- Howard Chu
Chief Architect, Symas Corp. Director, Highland Sun
Symas: Premier OpenSource Development and Support
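The merge-and-route behaviour Howard Chu sketches above, modelled in Python as an added illustration. This is not OpenLDAP code and not the overlay he says does not yet exist; it only shows the two operations such an overlay would have to perform for a DN split across two servers: merge one entry's attributes from both backends on search, and split a client's modify into per-partition change sets using the declared attribute ownership. The server contents, the DNs other than babs, and the rules that the public partition decides whether an entry exists and that a backend's stray attributes are dropped rather than served are all assumptions made for the example.

```python
"""Added illustration (not OpenLDAP code): the read-merge and write-split an
overlay in front of two LDAP backends would perform for a DN whose attributes
are split across a public and a secure server.

Assumptions made here: the public partition is authoritative for whether an
entry exists; each attribute type is owned by exactly one partition; backend
search results are modelled as plain dicts. All entries are constructed data.
"""
from typing import Dict, List, Optional, Set

Entry = Dict[str, List[str]]
Directory = Dict[str, Entry]

BABS = "uid=babs,ou=people,dc=example,dc=org"
JDOE = "uid=jdoe,ou=people,dc=example,dc=org"
GHOST = "uid=ghost,ou=people,dc=example,dc=org"

# Constructed sample data standing in for results from ldap://public_server.
# jdoe carries a stray homePhone the public side should never have held.
PUBLIC_SERVER: Directory = {
    BABS: {"uid": ["babs"], "sn": ["Jensen"], "cn": ["Barbara Jensen"],
           "title": ["Engineer"]},
    JDOE: {"uid": ["jdoe"], "sn": ["Doe"], "cn": ["John Doe"],
           "homePhone": ["+1 555 0000"]},
}

# Constructed sample data standing in for results from ldap://secure_server.
# ghost exists only here; under our assumption it is never surfaced.
SECURE_SERVER: Directory = {
    BABS: {"homePhone": ["+1 555 0100"], "jpegPhoto": ["<binary omitted>"]},
    GHOST: {"homePhone": ["+1 555 0199"]},
}

# Attribute types each partition contributes: the schema split that writes
# need, as the reply notes.
PARTITIONS: Dict[str, Set[str]] = {
    "public": {"uid", "sn", "cn", "title"},
    "secure": {"homePhone", "jpegPhoto"},
}
BACKENDS: Dict[str, Directory] = {"public": PUBLIC_SERVER, "secure": SECURE_SERVER}


def check_partitions_disjoint() -> bool:
    """Every attribute type must be owned by exactly one partition."""
    seen: Set[str] = set()
    for attrs in PARTITIONS.values():
        if seen & attrs:
            return False
        seen |= attrs
    return True


def _partition_view(partition: str, dn: str) -> Entry:
    """Fetch dn from one backend, keeping only the attributes it owns.

    Anything else is data the hosting institution is not supposed to hold,
    so it is dropped rather than merged (a policy choice for this example).
    """
    entry = BACKENDS[partition].get(dn, {})
    return {a: list(v) for a, v in entry.items() if a in PARTITIONS[partition]}


def merged_search(dn: str, may_read_secure: bool) -> Optional[Entry]:
    """Return dn as one integrated record, or only its public half.

    None when the public partition has no such entry, so a record that
    exists only on the secure server is never returned on its own.
    """
    if dn not in BACKENDS["public"]:
        return None
    merged = _partition_view("public", dn)
    if may_read_secure:
        # Partitions are disjoint, so update() never overwrites a value.
        merged.update(_partition_view("secure", dn))
    return merged


def route_modify(changes: Dict[str, List[str]]) -> Dict[str, Dict[str, List[str]]]:
    """Split one client modify into per-partition change sets.

    The whole operation is rejected if any attribute is owned by neither
    partition, so a typo cannot silently land on the wrong server.
    """
    routed: Dict[str, Dict[str, List[str]]] = {}
    for attr, vals in changes.items():
        owner = next((p for p, owned in PARTITIONS.items() if attr in owned), None)
        if owner is None:
            raise ValueError(f"no partition owns attribute {attr}")
        routed.setdefault(owner, {})[attr] = list(vals)
    return routed


if __name__ == "__main__":
    assert check_partitions_disjoint()
    print(merged_search(BABS, may_read_secure=False))
    print(merged_search(BABS, may_read_secure=True))
    print(route_modify({"title": ["Manager"], "homePhone": ["+1 555 0101"]}))
```

Two points carry over to a real overlay: the ownership table is what makes writes unambiguous (each attribute has exactly one destination), and the per-backend filter is what keeps one institution's accidental copy of the other's attributes from leaking into the merged record.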