Re: slapd-meta question
email@example.com wrote:
> We have a scenario that I'm hoping OpenLDAP can offer a solution to.
> We are in the process of transitioning from one ldap authentication
> source to another for several of our applications. During the
> transition we need to be able to authenticate users against one of two
> different ldap services. Unfortunately our applications do not support
> the capability to try authentication against multiple services.
> Would an OpenLDAP setup be able to take the authentication request and
> attempt to validate it against 2 different backends?
> I should note that each of the ldap backends would have different OU
> structures and that a given userID would not exist in both backends.
> Based on the slapd-meta man page SCENARIOS section it looks as though
> this may be possible. The examples don't illustrate whether or not the
> OU structures need to be the same between the backends.
Assuming your authentication process starts by searching for a "userID"
in some LDAP tree to find a user's DN, and then attempts a bind operation
on that DN, I think you'll find the following setup useful.
Consider two backends, let's say ou=A,o=example and ou=B,o=example.
Whether these are local bdb backends or remote LDAP backends is of
little importance. By configuring A and B as "subordinate" to the higher
level database o=example you can set your authentication clients to
perform a search based on "o=example" for their userID, and OpenLDAP
will propagate the search to both backends. A sub-scoped search will
search the whole trees, regardless of OU structures.
In more detail, your slapd.conf could contain the following:
(The null database just serves as a placeholder, really. You could also
use a BDB database.)
Hope this helps,
Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com
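
A slapd.conf fragment for the glued setup described in the reply, added here as an illustration; it is not the configuration from the original message. It assumes both backends are remote servers reached through back-ldap and that each one actually serves the suffix shown; the hostnames are placeholders.

```conf
# Added illustration, not the original poster's configuration.
# Hostnames are placeholders; the suffixes follow the reply's example.

# A database whose suffix lies inside another database's suffix must
# appear first in slapd.conf, so the two subordinates come before
# the o=example database.

database    ldap
suffix      "ou=A,o=example"
# ldaps is an assumption: the proxy forwards users' bind passwords to
# the backend, so the connection to it should be encrypted.
uri         "ldaps://ldap-a.example.invalid"
subordinate

database    ldap
suffix      "ou=B,o=example"
uri         "ldaps://ldap-b.example.invalid"
subordinate

# Placeholder superior database. A subtree search based at o=example
# is propagated to both subordinates; the bind that follows goes to
# whichever subordinate holds the DN the search returned.
database    null
suffix      "o=example"
```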