[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-meta question


danz@wustl.edu a Ãcrit :
> We have a scenario that Iâm hoping OpenLDAP can offer a solution to.
> We are in the process of transitioning from one ldap authentication
> source to another for several of our applications.  During the
> transition we need to be able to authenticate users against one of two
> different ldap services.  Unfortunately our applications do not support
> the capability to try authentication against multiple services.
> Would an OpenLDAP setup be able to take the authentication request and
> attempt to validate it against 2 different backends?
> I should note that each of the ldap backends would have different OU
> structures and that a given userID would not exist in both backends.
>  Based on the slapd-meta man page SCENARIOS section it looks as though
> this may be possible.  The examples don't illustrate whether or not the
> OU structures need to be the same between the backends.

Assuming your authentication process starts by searching for a "userID"
in some LDAP tree to find a user's DN, and then attemps a bind operation
on that DN, I think you'll find the following setup useful.

Consider two backends, let's say ou=A,o=example and ou=B,o=example.
Whether these are local bdb backends or remote LDAP backends is of
little importance. By configuring A and B as "subordinate" to the higher
level database o=example you can set your authentication clients to
perform a search based on "o=example" for their userID, and OpenLDAP
will propagate the search to both backends. A sub-scoped search will
search the whole trees, regardless of OU structures.

In more detail, your slapd.conf could contain the following:

database        ldap
suffix          "ou=A,o=example"
uri ldap://a.example.com:389

database        ldap
suffix          "ou=B,o=example"
uri ldap://b.example.com:389

database        null
suffix          "o=example"
overlay glue

(The null database just serves as a placeholder, really. You could also
use a BDB database.)

Hope this helps,
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
TÃl: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com