Re: Redirect bind requests to another server

[Pierangelo Masarati <ando@sys-net.it>]

Simon Maier wrote:

> I have a question about a special LDAP setup, we want to implement at
> the university computing centre. The story as it's intended to be:
> 
> We're running a groupware application (openxchange), which uses a LDAP
> server (openldap 2.2.23 on Suse 9.3) to authenticate its users (mainly
> members of the computing centre) and to store contacts, group
> memberships of the users and some of the user settings. This server
> runs on the same machine as the groupware itself.
> 
> There is another LDAP server (i don't know the version used there), that
> holds the centralized password and account name of all users at the
> university for various authentication purposes. This server only
> accepts bind requests.
> 
> The goal is to authenticate the users against the central LDAP server
> but to store the settings etc. on the local server. There is one
> additional problem, the naming contexts on the servers do not match
> each other. To give you a basic idea I reproduced this with "generic"
> names:
> 
> central: cn=user.account,ou=peopl,o=my organisation,c=acountry
> local:uid=user.account,ou=Users,ou=OxObjects,dc=my,dc=groupware,dc=server,dc=acountry
> 
> Is there a way to accomplish this?
> 
> If this is a RTFM question, please excuse me asking, but I'm not very
> familiar with openldap

There are different methods to obtain exactly what you need, or
something similar.  None of them is exactly straightforward, but perhaps
the best one consists in using a global instance of the slapo-rwm(3)
overlay that, by rewriting the bindDN, diverts bind requests to an
instance of back-ldap that binds to the remote server.  Other operations
would be directed to a local storage without any DN rewriting.

Something like:

<slapd.conf>
# before any "database" directive
# to make things shorter, use
# central: "cn=user.account,ou=peopl,o=central"
# local: "uid=user.account,ou=Users,dc=local"

overlay			rwm
rwm-rewriteEngine	on
# rewrite bind requests
rwm-rewriteContext	bind
rwm-rewriteRule		"^uid=([^,]+),ou=Users,dc=local"
			"cn=$1,ou=peopl,o=central" ":@"
# don't rewrite the rest
rwm-rewriteContext	default

database		ldap
# trap requests rewritten for the central server; do not allow
# direct read/write
suffix			"o=central"
uri			"ldap://central/";
restrict		read write

database		bdb
# handle requests for the local database
suffix			"dc=local"
directory		/dir
# ...
</slapd.conf>

Make sure DNs like the rootdn of the local database don't get rewritten,
otherwise you might be no longer able to bind with that identity.  The
"restrict" statement restricts read/write operations, so that the
"o=central" database cannot be directly used other than for binds.

> By the way, we're planing to upgrade the server to a later version of
> the operating system, so answers for openldap 2.3.27 would be helpful
> too.

This needs at least 2.3 because of the global overlay that rewrites
things; actually, slapo-rwm(5) should be rather used with 2.4 because in
2.3 it suffers from some design problems, but in the above illustrated
example it should just be fine.

Another option would be to write your own overlay that diverts binds to
the central server while lets anything else pass thru.  We did something
similar to proxy a remote server that needed special mucking that
couldn't be accomplished with slapo-rwm(5).

p.



Ing. Pierangelo Masarati
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    pierangelo.masarati@sys-net.it
------------------------------------------