caching authentication proxy
I need to replicate information from a remote LDAP server, however the
target server populates the userPassword field with '*********' and
stores credentials in a custom SASL backend to auth SASL binds and
What I need is:
a) enable clients to do simple binds to my openldap server
b) the openldap server should continue to work when the network
link/remote server is down.
The solution to point a) would be using back-ldap with
rebind-as-user=yes, as all identities exist on the remote server (no
idassert necessary, right?). Point b) seems trickier, however. The
proxycache overlay might provide some redundancy when the remote server
is down, but this is far from ideal since high values for the cache TTL will
prevent changes on the remote server from being visible. What I don't know is
whether proxycache caches bind information. If it doesn't, this setup
is a no-go ;(
Ideally, slapd would try to authenticate the client locally and if that
fails ask the remote server and update the local entry on success. But
this smells like it needs an overlay.
I apologize if the description is a bit vague, or my assumptions are
wrong. I haven't explored all possibilities yet but would like to avoid
errors early in the design.
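As an added illustration (not part of the original post or its replies), the back-ldap plus pcache layout the post describes, sketched as a slapd.conf fragment. The suffix, host names, cache backend, TTL values and paths are assumptions; the pcacheBind directive is assumed to be available in the OpenLDAP 2.4 slapo-pcache overlay with the argument order shown.

```conf
# Added example, not from the original post. All names and numbers are
# placeholders chosen for illustration.
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Proxy database: every request is forwarded to the remote server.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldap://remote.example.com"
# Point a): a client's simple bind is replayed to the remote server with
# the client's own DN and password, so no identity assertion is needed.
rebind-as-user  yes

# Proxy cache layered on top of back-ldap.
overlay         pcache
# <backend> <max_entries> <numattrsets> <entry_limit> <cc_period>:
# local hdb cache, at most 10000 entries, one attribute set, at most 50
# entries per cached query, consistency check every 100 s.
pcache          hdb 10000 1 50 100
pcacheAttrset   0 uid cn mail userPassword
# Cache (uid=...) searches for one hour; negative answers for 5 minutes.
pcacheTemplate  (uid=) 0 3600 300
# Point b): cache simple binds matching the same template. A bind that
# succeeded against the remote server is answered locally for up to
# 3600 s before the remote server is consulted again.
pcacheBind      (uid=) 0 3600 sub "dc=example,dc=com"
# Storage and indexes for the local cache database.
directory       /var/lib/ldap/cache
index           objectClass eq
index           uid        eq
index           pcacheQueryID eq
```

Caveat for point b): cached answers still expire on their TTL while the link is down, so an entry that is refreshed only after a remote query can go stale or disappear during a long outage; the pcacheOffline setting freezes expiry, but it is a switch an operator turns on rather than something slapd does by itself when the remote server stops answering.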