[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Back-ldap

oclc ldap wrote:

We use openldap 2.1.25 and I am trying to setup back-ldap.

I have two existing servers dc=domain1,dc=org and other
I have set up referrals for these and they seem to work ok.

I have an application that cannot handle referrals so I was planning to set
up a back-ldap instance to proxy requests to these servers.

I have a couple of questions
1) Few examples that I found on the mailing list have a rootdn in the
database ldap declaration. Is this required?

No. It's nearly useless.

2) Both the servers do not allow anonymous access and I cannot have a user
common to both the servers. How do you bind to the servers?
If I give the dn with the right ACLs for the first server it reads the first
server and cannot login into the next one.

The "right" solution is use code out of the CVS; in detail the "identity assertion" feature (idassert-* diretives in slapd.ldap(5) man page, which exactly deals with this type of problems. Of course, it's not a solution I would recommend for full production unless you know exactly what you're doing.

Other workarounds imply that you hack the code to make
anonymous/locally bound connections to the proxy bind with
some other identity to the remote server (which, indeed, is
exactly what idassert does).

I am sure this would be a typical scenario for a referral setup but I couldn't find an answer on the net.

It is. See above. p.

   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497