
Re: Back-ldap



oclc ldap wrote:

Hello,
We use openldap 2.1.25 and I am trying to setup back-ldap.

I have two existing servers dc=domain1,dc=org and other
dc=application1,dc=applications,dc=domain1,dc=org.
I have set up referrals for these and they seem to work ok.

I have an application that cannot handle referrals so I was planning to set
up a back-ldap instance to proxy requests to these servers.


I have a couple of questions
1) Few examples that I found on the mailing list have a rootdn in the
database ldap declaration. Is this required?

No. It's nearly useless.


2) Both the servers do not allow anonymous access and I cannot have a user
common to both the servers. How do you bind to the servers?
If I give the dn with the right ACLs for the first server it reads the first
server and cannot login into the next one.

The "right" solution is to use code out of the CVS; in detail, the "identity assertion" feature (idassert-* directives in the slapd.ldap(5) man page), which deals exactly with this type of problem. Of course, it's not a solution I would recommend for full production unless you know exactly what you're doing.

Other workarounds imply that you hack the code to make
anonymous/locally bound connections to the proxy bind with
some other identity to the remote server (which, indeed, is
exactly what idassert does).


I am sure this would be a typical scenario for a referral setup but I couldn't find an answer on the net.

It is. See above. p.





   SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
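What the idassert-* directives look like for the two-server setup described in the thread, as an added example that is not part of the reply or of any OpenLDAP-shipped configuration. The directive spelling below is the one in slapd-ldap(5) for OpenLDAP 2.3 and later; the CVS snapshot the reply points at used earlier names (idassert-authcDN, idassert-passwd, idassert-mode), so check the man page that ships with your build. Hostnames, proxy DNs and passwords are placeholders.

```conf
# Added example, not from the thread or the OpenLDAP project.
# Placeholder URIs, DNs and credentials; adjust to your servers.

# The narrower suffix must be listed first: slapd rejects a database whose
# suffix lies inside one already served by an earlier database.
database        ldap
suffix          "dc=application1,dc=applications,dc=domain1,dc=org"
uri             "ldap://app1.example.org/"
# No rootdn here; as the reply says, it is not needed for a proxy.
# Credentials valid only on the application1 server.  mode=none makes the
# proxy bind as this DN and send no proxyAuthz control, so the remote server
# needs no authz-policy / authzTo setup for this to work.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=application1,dc=applications,dc=domain1,dc=org"
                credentials="app1-proxy-secret"
                mode=none
# Which local identities may use the bind above.  "dn.regex:.*" covers
# anonymous clients and clients authenticated against other databases.
idassert-authzFrom "dn.regex:.*"

database        ldap
suffix          "dc=domain1,dc=org"
uri             "ldap://ldap.domain1.example.org/"
# A different identity, valid only on the domain1 server: no account has to
# exist on both servers.
idassert-bind   bindmethod=simple
                binddn="cn=proxy,dc=domain1,dc=org"
                credentials="domain1-proxy-secret"
                mode=none
idassert-authzFrom "dn.regex:.*"
```

Two caveats a practitioner would want: first, a client that binds through one of these databases with its own DN keeps using its own credentials on that remote server (identity assertion applies to anonymous clients and to clients authenticated elsewhere, unless flags=override is set), so test the application with the bind it actually performs. Second, mode=none hands every such client the full access rights of the proxy account on the remote server; restrict that account's ACLs on the remote side and tighten idassert-authzFrom to the identities that really need it rather than leaving the catch-all regex in place.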