
RE: Backend authentication



> Some time ago you kindly offered the attached advice regarding delegated
> authentication.
>
> What I want to do is run my own local LDAP service for information but use
> a
> remote LDAP service for the authentication process: to the user it should
> appear that they are authenticating with my LDAP service - i.e. they are
> not
> aware of the 3rd party service.
>
> Another list member suggested:
>
> database bdb
> suffix  "ou=HooHa,ou=...,dc=nakedgeeks,dc=ru"
> directory /var/lib/ldap
> ...
> subordinate
>
> database ldap
> lastmod off
> uri    "ldap://master";
> rebind-as-user
>
> Does this make any sense?

not too much; in any case, something like that is possible, but there are
limitations and caveats you need to be aware of.  If the local and the
remote naming contexts share the root portion, but they reside on separate
trees, you should be able to do something like:

# FIXME: omitting a lot of mandatory
# (but here irrelevant) directives
database bdb
suffix "ou=Local Stuff,dc=example,dc=com"
subordinate

database ldap
suffix "dc=example,dc=com"
uri "ldap://remote";

There's no need to rebind and so on, because as soon
as one is bound remotely, its identity is used
throughout the (local) session.  The reverse is
not true, i.e. if a user binds locally, its identity
is not (yet) propagated to remote servers.  HEAD code
does this, with appropriate configuration directives
and setup.

I don't know if this applies to your case.

p.

-- 
Pierangelo Masarati
mailto:pierangelo.masarati@sys-net.it


    SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
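The routing rule behind the two-database layout above (a local database glued as a `subordinate` of a back-ldap database that proxies the shared root context) is longest-suffix matching on the DN. The following Python script is an added illustration, not code from the message or from OpenLDAP itself: it models how an operation's DN selects the local or the remote database, and models the session identity rule the reply states (a bind served remotely is visible to both sides, a bind served locally is not propagated). The database list, DNs and behaviour of `bind()` are constructed assumptions drawn from the message, not slapd internals.

```python
import re

# Constructed configuration mirroring the reply's example: a local bdb database
# glued as a subordinate of a back-ldap database for the shared root context.
DATABASES = [
    {"backend": "bdb", "suffix": "ou=Local Stuff,dc=example,dc=com", "subordinate": True},
    {"backend": "ldap", "suffix": "dc=example,dc=com", "uri": "ldap://remote"},
]

# Split a DN on commas that are not backslash-escaped (RFC 4514 escaping).
_SPLIT_RE = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Return the DN as a list of RDNs, leaf first, lowercased and trimmed,
    so that case and whitespace differences do not affect suffix matching."""
    return [rdn.strip().lower() for rdn in _SPLIT_RE.split(dn) if rdn.strip()]


def dn_is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it, i.e. suffix is a tail of dn."""
    d, s = normalize_dn(dn), normalize_dn(suffix)
    return len(d) >= len(s) and d[len(d) - len(s):] == s


def select_database(dn, databases=DATABASES):
    """Pick the database whose suffix covers dn most specifically.

    With the local database declared subordinate to the back-ldap database,
    slapd routes an operation to the most specific matching suffix; this is
    the same longest-suffix choice. Returns None when no suffix covers dn."""
    best = None
    for db in databases:
        if dn_is_under(dn, db["suffix"]):
            if best is None or len(normalize_dn(db["suffix"])) > len(normalize_dn(best["suffix"])):
                best = db
    return best


def route(dn):
    """Backend name chosen for dn, or 'noSuchObject' when nothing covers it."""
    db = select_database(dn)
    return db["backend"] if db else "noSuchObject"


def bind(dn):
    """Model (an assumption built from the reply, not slapd code) of the session
    identity rule: a bind whose DN routes to the back-ldap database is performed
    remotely and that identity is then used for the whole session on both sides;
    a bind served by the local database is known only locally, so operations
    forwarded to the remote server carry no identity."""
    db = select_database(dn)
    if db is None:
        return {"local": None, "remote": None}
    if db["backend"] == "ldap":
        return {"local": dn, "remote": dn}
    return {"local": dn, "remote": None}


if __name__ == "__main__":
    for dn in ("cn=alice,ou=Local Stuff,dc=example,dc=com",
               "cn=bob,ou=People,dc=example,dc=com",
               "dc=example,dc=com",
               "dc=other,dc=org"):
        print(f"{dn:45} -> {route(dn)}  bind={bind(dn)}")
```

Run stand-alone, the script prints which backend each constructed DN lands on and which side of the session would see the bound identity; the `dc=other,dc=org` case shows what happens to a DN outside both naming contexts.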