Re: OpenLDAP's Backend Rewrite Engine
Michael Gale <email@example.com> writes:
> Thank you, Dieter. For reasons outside of my control, I can't place a
> "rootpw" or a "rootdn" attribute in the configuration file. Suffix
> massaging works when the bind is for one user with privileges for both
> DNs. I have a situation where the user may be different every time a
> bind is attempted. For example, when a user attempts to authenticate
> himself or herself, they will submit their credentials to
> "ldap://public.com". They will attempt a bind on that server using a
> DN "cn=user1,cn=Administrators,dc=test,dc=com". I would like the
> server "ldap://public.com" to proxy the bind for
> "ldap://mixedmaster.mixeddomain.com" using the same credentials but
> under a different DN "cn=user1,cn=Users,dc=mixeddomain,dc=com".
> The server "ldap://mixedmaster.mixeddomain.com" would then return
> success or failure to "ldap://public.com", which would then return
> success or failure to the client.
> Can this be done? If yes, do the rules I posted earlier (below) make
> any sense? I'm certainly missing something, I'm just not sure where
> to go from here.
As far as I remember, rootdn and rootpw are only necessary if write
operations are involved; I have these parameters in my slapd.conf
because of proxy caching.
Proxying authentication can be done, see man slapd-ldap(5), the
parameters idassert-bind and proxyAuthz, but I have never tested this
sort of triple-step proxy authentication.
Dieter Klünter | Systemberatung
GPG Key ID:01443B53
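As an added illustration (not from either poster), a slapd.conf back-ldap fragment for the bind-DN mapping described in the quoted message, using the rewrite directives documented in slapd-ldap(5). The host names and the two DNs are the ones from the thread; the suffix, the regular expressions and the rewrite context names are assumptions to be checked against the man page of the slapd release in use.

```conf
# Added example, not part of the thread: back-ldap database on
# ldap://public.com that serves dc=test,dc=com and proxies to
# ldap://mixedmaster.mixeddomain.com. The bind DN is rewritten so the
# client's own password is tried against a different DN on the remote
# server; no rootdn/rootpw is needed for this.
database        ldap
suffix          "dc=test,dc=com"
# Assumption: the remote server accepts TLS. The client's password is
# forwarded as-is, so use ldaps:// or TLS rather than a cleartext link.
uri             "ldap://mixedmaster.mixeddomain.com"

rewriteEngine   on

# Bind:  cn=user1,cn=Administrators,dc=test,dc=com
#    ->  cn=user1,cn=Users,dc=mixeddomain,dc=com
# Only the DN changes; the supplied credentials are passed through.
rewriteContext  bindDn
rewriteRule     "^cn=([^,]+),cn=Administrators,dc=test,dc=com$" "cn=%1,cn=Users,dc=mixeddomain,dc=com" ":"

# Other operations: plain suffix substitution towards the remote server
rewriteContext  default
rewriteRule     "^(.*)dc=test,dc=com$" "%1dc=mixeddomain,dc=com" ":"

# DNs in search results are mapped back to the suffix the client expects
rewriteContext  searchResult
rewriteRule     "^(.*)dc=mixeddomain,dc=com$" "%1dc=test,dc=com" ":"
```

In releases where this engine moved into the rwm overlay, the same directives are spelled with an rwm- prefix (rwm-rewriteEngine, rwm-rewriteContext, rwm-rewriteRule) and the context names differ slightly, so compare with slapo-rwm(5) there.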