[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: bind and search using different backends?

On Fri, 2005-12-16 at 18:41 +0000, Emmanuel Dreyfus wrote:
> Hello
> I'd like to use two backends for the same suffix, and have one querried for
> bind/unbind and the other for other operations such as search. Is it posible?

Could be; see below.

> The goal is to provide the directory from a bdb backend and the authentication
> through a shell backend. I tried this in my config file:
> database        shell
> subordinate
> suffix          "dc=example,dc=net"
> bind    	/usr/local/sbin/foo
> unbind  	/usr/local/sbin/foo
> database        bdb
> suffix          "dc=example,dc=net"
> directory       /var/openldap/openldap-data
> index   objectClass     eq
> But slapd does not want to start because the two databases serve the same
> namecontext. Did I misunderstood how the subordinate statement works? Am I
> trying to do something that cannot be done?
> If it cannot be done that way, I'm looking for other ideas. 

Yes, it cannot be done that way.

> 1) Have the shell backend implementing searches by querrying another 
> database. It seems I could even query the same LDAP server if I rewrite
> the suffix. That does not sounds very exciting but it seems to be a 
> possible way.

In fact, that's the idea: have a global slapo-rwm (*) that rewrites
binds one way and doesn't touch other ops, so that the shell backend is
selected for binds and the regular backend is selected for other ops;
something like (just checked with an LDAP database that binds on AD with
an entirely different naming context)

# before any database
overlay			rwm
# only massage the bindDN, let the rest pass thru
rwm-rewriteContext	bindDN
rwm-rewriteRule		"^(.+,)?dc=suffix$" "$1dc=bind" ":@"

# The "real", local database
database		bdb
suffix			"dc=suffix"
# ...

# The "bind" database
database		shell
suffix			"dc=bind"
# only allow binds
restrict		read write extended
# ...

I might turn this into a test, and you should definitely consider
writing a FAQ entry <http://www.openldap.org/faq/> if you follow this

> 2) write an overlay. This seems the hard way, but as I understood, I can 
> hook my custom code for bind/unbind operations. There does not seem to be
> many documentation available on the API, is there?

I've done it in quite a few cases (e.g. to redirect auth to some
external, not-quite-so-LDAPv3 DSA like eTrust DS (a clone of OpenLDAP
2.0, BTW), that had to be authoritative for authentication, and using
SASL was not an option...).  This is the preferred solution if your
specific stuff can be written directly in C into the overlay, so you
skip over the odds of using shell (perl, whatever).


(*) global overlays require OpenLDAP >= 2.3

Ing. Pierangelo Masarati
Responsabile Open Solution

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it