RE: Backend authentication

> something like that is possible,
> but there are limitations and caveats you need to be aware
> of.  If the local and the remote naming contexts share the
> root portion, but they reside on separate trees, you should
> be able to do something like:
>
> # FIXME: omitting a lot of mandatory
> # (but here irrelevant) directives
> database bdb
> suffix "ou=Local Stuff,dc=example,dc=com"
> subordinate
>
> database ldap
> suffix "dc=example,dc=com"
> uri "ldap://remote"
>
> There's no need to rebind and so, because as soon
> as one is bound remotely, its identity is used
> throughout the (local) session.  The reverse is
> not true, i.e. if a user binds locally, its identity
> is not (yet) propagated to remote servers.  HEAD code
> does this, with appropriate configuration directives
> and setup.
Both the local and remote services have the same tree structure.  The remote
service is NDS, the local is OpenLDAP (of course).  Ideally, all users will
be able to authenticate (even if they don't exist on my local server), but
the data will come from my server (if it exists).  

  Simon Oliver
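
Added example (not part of the original messages, and not OpenLDAP source code): a simplified Python model of how the two databases in the quoted configuration divide up bind DNs and subtree searches, using most-specific-suffix matching. The function names and sample DNs are constructed for illustration, and DN parsing assumes no escaped commas.

```python
# Added illustration (not OpenLDAP source): simplified model of slapd's
# backend selection for the two databases in the quoted configuration.

def rdns(dn):
    """Split a DN into lowercase RDNs; assumes no escaped commas."""
    return [p.strip().lower() for p in dn.split(",") if p.strip()]

def is_under(dn, suffix):
    """True if dn equals suffix or lies beneath it."""
    d, s = rdns(dn), rdns(suffix)
    return len(s) <= len(d) and d[len(d) - len(s):] == s

# (label, suffix, subordinate?) taken from the quoted slapd.conf fragment.
DATABASES = [
    ("bdb", "ou=Local Stuff,dc=example,dc=com", True),
    ("ldap", "dc=example,dc=com", False),
]

def select_backend(dn):
    """Backend that handles a bind or base-scope operation on dn:
    the database with the most specific suffix containing dn."""
    matches = [(len(rdns(sfx)), label) for label, sfx, _ in DATABASES
               if is_under(dn, sfx)]
    return max(matches)[1] if matches else None

def subtree_search_backends(base):
    """Backends consulted for a subtree search at base: the owning
    database plus any subordinate database glued in below base."""
    owner = select_backend(base)
    if owner is None:
        return []
    glued = [label for label, sfx, sub in DATABASES
             if sub and label != owner and is_under(sfx, base)]
    return [owner] + glued

if __name__ == "__main__":
    # Constructed sample DNs, not taken from the thread.
    for dn in ("cn=alice,ou=People,dc=example,dc=com",
               "cn=svc,ou=Local Stuff,dc=example,dc=com",
               "cn=bob,dc=other,dc=org"):
        print(f"bind {dn!r} -> {select_backend(dn)}")
    print(subtree_search_backends("dc=example,dc=com"))
```

In this model a bind DN is handled by exactly one database, so a DN outside "ou=Local Stuff" is authenticated by the remote server through the ldap database, while a subtree search at "dc=example,dc=com" draws on both.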