[Date Prev][Date Next] [Chronological] [Thread] [Top]

caching authentication proxy

Hi list,

I need to replicate information from a remote LDAP server, however the target server populates the userPassword field with '*********' and stores credentials in a custom SASL backend to auth SASL binds and simple binds.

What I need is:

a) enable clients to do simple binds to my openldap server

b) the openldap server should continue to work when the network
   link/remote server is down.

The solution to point a) would be using back-ldap with rebind-as-user=yes as all identities exist on the remote server (no idassert necessary right?). Point b) seems trickier however. The proxycache overlay might provide some redundancy when the remote server is down but this is far from ideal since high values for cache ttl will prevent changes on the remote server to be visible. What I don't know is whether proxy-cache caches bind information. If it doesn't, this setup is a nogo ;(

Ideally, slapd would try to authenticate the client locally and if that fails ask the remote server and update the local entry on success. But this smells like it needs an overlay.

I apologize if the description is a bit vague, or my assumptions are wrong. I haven't explored all possibilities yet but would like to avoid errors early in the design.

thanks Paul