
Re: OpenLDAP as proxy for another LDAP-Server



Andrew Findlay <andrew.findlay@skills-1st.co.uk> writes:

> On Wed, May 14, 2008 at 10:49:02AM +0200, Dieter Kluenter wrote:
>
>> Just to make sure, there are two directories, one that provides
>> information on authentication and authorization, the second directory
>> provides some additional information. If that is your request, then you
>> may have a look at the translucent overlay.
>
> That would depend on whether the two servers had identical namespaces
> (tree layout, choice of RDN etc).
>
> I have a similar requirement at the moment except that I only want to
> use the second LDAP server to authenticate for a small proportion of the
> entries in the first one. The namespaces are very different. I think
> it can be done with a combination of rwm, back-ldap/back-meta and
> slapd-relay, but this seems rather complex when all I really need is
> 'pass-through authentication'.
>
> I will report back to the list if I come up with a workable solution,
> but in the meantime does anyone have any pointers to a neat way of
> doing this?

I have done similar with back-sql:

database        sql
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
...

database        relay
suffix          "ou=sql-user,o=avci,c=de"
relay           dc=example,dc=com
overlay         rwm
rwm-rewriteEngine       on
rwm-rewriteMap <rules>
subordinate

database        hdb
suffix          "o=avci,c=de"
rootdn          "cn=admin,o=avci,c=de"
...

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:8EF7B6C6
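
The name mapping that the relay and rwm stanzas in the message above are set up to perform, sketched as an added Python example that is not part of the original message and is not OpenLDAP code. It assumes a plain suffix swap between the relay suffix and the sql suffix (the post leaves the real rewrite rules as <rules>); the function names and the sample DNs are constructed for illustration.

```python
import re

# Suffixes taken from the slapd.conf in the message above.
VIRTUAL = "ou=sql-user,o=avci,c=de"  # relay database suffix (what clients bind as)
REAL = "dc=example,dc=com"           # sql database suffix (where the entries live)
LOCAL = "o=avci,c=de"                # hdb database suffix (glue superior)

def split_rdns(dn):
    """Split a DN on commas not preceded by a backslash; trim each RDN.
    Simplification: an escaped backslash directly before a comma is not handled."""
    return [r.strip() for r in re.split(r"(?<!\\),", dn) if r.strip()]

def _norm(rdns):
    # Simplification: treat every attribute as case-insensitive, as dc/ou/o/c are.
    return [re.sub(r"\s*=\s*", "=", r).lower() for r in rdns]

def massage(dn, old, new):
    """Swap suffix `old` for `new`; return None if dn is not under `old`."""
    rdns, suffix = split_rdns(dn), split_rdns(old)
    cut = len(rdns) - len(suffix)
    if cut < 0 or _norm(rdns[cut:]) != _norm(suffix):
        return None  # compared RDN by RDN, so "xou=sql-user,..." cannot match
    return ",".join(rdns[:cut] + split_rdns(new))

def route_bind(dn):
    """Hypothetical helper: which database stanza receives a bind for dn,
    and the DN that database sees. The most specific suffix wins."""
    real = massage(dn, VIRTUAL, REAL)
    if real is not None:
        return ("relay->sql", real)
    for name, suffix in (("hdb", LOCAL), ("sql", REAL)):
        if massage(dn, suffix, suffix) is not None:
            return (name, dn)
    return (None, dn)

def to_virtual(dn):
    """Reverse mapping applied to DNs returned from the real context."""
    return massage(dn, REAL, VIRTUAL)

if __name__ == "__main__":
    for dn in ("uid=jdoe,ou=sql-user,o=avci,c=de",   # constructed sample DNs
               "uid=jdoe, OU=SQL-User, o=avci, c=de",
               "uid=asmith,ou=people,o=avci,c=de",
               "uid=jdoe,dc=other,dc=org"):
        print(dn, "->", route_bind(dn))
```

Only DNs under the relay suffix are rewritten and handed to the sql database; everything else under o=avci,c=de stays with the local hdb database, which is the property to verify when checking that pass-through authentication covers only the intended subtree.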