
RE: Bind/search more than one tree and server

Slapo-chain says that binds can't be chased -- "Any time a referral is returned (except for bind operations), it is chased by using an instance of the ldap backend."
Would some other method for authenticating users in LDAP be necessary (or better) for the scenario I described?


-----Original Message-----
From: openldap-technical-bounces+craig.schneider=gdc4s.com@OpenLDAP.org [mailto:openldap-technical-bounces+craig.schneider=gdc4s.com@OpenLDAP.org] On Behalf Of Dieter Kluenter
Sent: Sunday, May 31, 2009 12:27 AM
To: openldap-technical@openldap.org
Subject: Re: Bind/search more than one tree and server

"Schneider, Thomas-P65851" <Craig.Schneider@gdc4s.com> writes:

> I am seeking a solution to be able to bind to, and search more than 
> one tree and server per request using Linux. My goal is to maintain 
> separate groups of user accounts on an OpenLDAP server -- e.g. local 
> and network.  The groups of users can have overlapping posixAccount 
> uid attributes, but will have unique uidNumber attributes. My main use 
> case is authentication, which requires checking a remote LDAP server 
> first (currently AD, which requires attribute re-mapping), then 
> network tree on the local LDAP (openldap) if not in remote server, 
> then the local tree on local server if not in the first tree. I have 
> tried referrals and rewrites, but nothing I've tried worked.  It looks 
> like the creation of a custom overlay will work, but I'd rather not go 
> down that path. I have also tried using PAM, but pam_ldap is limited 
> to one configuration per service (modifying pam_ldap is an option at 
> this point).

man slapo-chain(5).


Dieter Klünter | Systemberatung
sip: +49.180.1555.7770535