[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: OpenLDAP as proxy for another LDAP-Server

On Thu, 15 May 2008, Andrew Findlay wrote:
I have a similar requirement at the moment except that I only want to
use the second LDAP server to authenticate for a small proportion of the
entries in the first one. The namespaces are very different. I think
it can be done with a combination of rwm, back-ldap/back-meta and
slapd-relay, but this seems rather complex when all I really need is
'pass-through authentication'.

I will report back to the list if I come up with a workable solution,
but in the mean time does anyone have any pointers to a neat way of
doing this?

How about by using saslauthd? Configure the users that need pass-through authentication with userPassword values in the form "{SASL}user@domain", put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure saslauthd to authenticate against the backend server. That gives you both complete control over who gets passed through (only those with the {SASL} format) and complete flexibility in the mapping of frontend users to backend users (by tweaking the "user@domain" in each user's userPassword attribute).

Philip Guenther