
Re: slapd-meta question



Hi,

danz@wustl.edu wrote:
> We have a scenario that I'm hoping OpenLDAP can offer a solution to.
> 
> We are in the process of transitioning from one ldap authentication
> source to another for several of our applications.  During the
> transition we need to be able to authenticate users against one of two
> different ldap services.  Unfortunately our applications do not support
> the capability to try authentication against multiple services.
> 
> Would an OpenLDAP setup be able to take the authentication request and
> attempt to validate it against 2 different backends?
> 
> I should note that each of the ldap backends would have different OU
> structures and that a given userID would not exist in both backends.
> Based on the slapd-meta man page SCENARIOS section it looks as though
> this may be possible.  The examples don't illustrate whether or not the
> OU structures need to be the same between the backends.

Assuming your authentication process starts by searching for a "userID"
in some LDAP tree to find a user's DN, and then attempts a bind operation
on that DN, I think you'll find the following setup useful.

Consider two backends, let's say ou=A,o=example and ou=B,o=example.
Whether these are local bdb backends or remote LDAP backends is of
little importance. By configuring A and B as "subordinate" to the higher
level database o=example you can set your authentication clients to
perform a search based on "o=example" for their userID, and OpenLDAP
will propagate the search to both backends. A sub-scoped search will
search the whole trees, regardless of OU structures.

In more detail, your slapd.conf could contain the following:

database        ldap
suffix          "ou=A,o=example"
subordinate
uri ldap://a.example.com:389

database        ldap
suffix          "ou=B,o=example"
subordinate
uri ldap://b.example.com:389

database        null
suffix          "o=example"
overlay glue

(The null database just serves as a placeholder, really. You could also
use a BDB database.)
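An added example, not part of the original thread: the search-then-bind flow the reply assumes, written against the glued suffix. The in-memory "directory" below is constructed to mirror the slapd.conf above (two subordinate backends with different OU layouts under o=example); in production the `search` and `bind` callables would wrap a real LDAP client (assumption: python-ldap, ldap3 or similar, which both offer a sub-scoped search and a simple bind). Two guards a relying application should keep are shown: an empty password is refused, since LDAP treats a DN with no password as an unauthenticated bind that many servers accept, and exactly one match is required, because a userID present in both backends would make the DN ambiguous.

```python
"""Search-then-bind authentication against a glued o=example suffix.

Added example (not from the original thread). BACKENDS is constructed
sample data that mimics the two subordinate databases; passwords are
plaintext only because this is an in-memory toy.
"""
from typing import Callable, Dict, List, Tuple

# Constructed sample data: each subordinate keeps its own OU structure.
BACKENDS: Dict[str, Dict[str, Dict[str, str]]] = {
    "ou=A,o=example": {
        "uid=alice,ou=staff,ou=A,o=example": {"uid": "alice", "userPassword": "s3cret"},
    },
    "ou=B,o=example": {
        "uid=bob,ou=people,ou=dept1,ou=B,o=example": {"uid": "bob", "userPassword": "hunter2"},
    },
}


def _is_under(dn: str, suffix: str) -> bool:
    """True if dn equals suffix or lies beneath it (naive string comparison)."""
    dn, suffix = dn.lower(), suffix.lower()
    return dn == suffix or dn.endswith("," + suffix)


def glue_search(base: str, uid: str) -> List[str]:
    """Model of the glue overlay: a sub-scoped search on `base` is sent to
    every subordinate that can hold entries under it and the results are
    merged. Matching DNs come back whatever each backend's OU layout is."""
    hits: List[str] = []
    for suffix, entries in BACKENDS.items():
        if not (_is_under(suffix, base) or _is_under(base, suffix)):
            continue  # this backend cannot hold entries under `base`
        for dn, attrs in entries.items():
            if _is_under(dn, base) and attrs.get("uid") == uid:
                hits.append(dn)
    return hits


def fake_bind(dn: str, password: str) -> bool:
    """Model of a simple bind: the backend owning `dn` checks the password."""
    for suffix, entries in BACKENDS.items():
        if _is_under(dn, suffix):
            entry = entries.get(dn)
            return entry is not None and entry["userPassword"] == password
    return False


def authenticate(
    uid: str,
    password: str,
    search: Callable[[str, str], List[str]] = glue_search,
    bind: Callable[[str, str], bool] = fake_bind,
    base: str = "o=example",
) -> Tuple[bool, str]:
    """Search `base` for `uid`, then bind as the single DN found.

    Returns (success, dn_or_reason). Guards:
      * an empty password is rejected up front, because a bind with a DN
        and no password is an unauthenticated bind (RFC 4513 section 5.1.2)
        that many servers accept as anonymous;
      * exactly one match is required, since with glued backends a uid
        present in both trees would leave the DN ambiguous.
    """
    if not password:
        return False, "empty password rejected (would be an unauthenticated bind)"
    dns = search(base, uid)
    if len(dns) == 0:
        return False, "no such user in any backend"
    if len(dns) > 1:
        return False, "ambiguous uid, found in %d backends" % len(dns)
    return bind(dns[0], password), dns[0]


if __name__ == "__main__":
    # Both users resolve through the glued suffix despite different OU paths.
    print(authenticate("alice", "s3cret"))
    print(authenticate("bob", "hunter2"))
    print(authenticate("bob", ""))
```

Searching on o=example rather than on either subordinate is what lets one client configuration cover both backends during the transition; the ambiguity check is cheap insurance for the poster's stated assumption that a userID exists in only one of them.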

Hope this helps,
Jonathan
-- 
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tel: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com