Hi and thank you for reading my message,
I'm curious if anyone uses both rwm and chain overlays in a single OpenLDAP instance or if they once considered doing so but have taken a different approach? My experimentation using rwm with the chain overlay is similar to this link - http://www.openldap.org/lists/openldap-bugs/201108/msg00070.html.
Using OpenLDAP (2.3.43), I've configured an hdb database with referrals and chaining to allow clients to search multiple sources. OpenLDAP also has ldap databases that proxy to the chained sources to test credentials via bind. The suffixes of the ldap databases match the suffixes of the chained referral sources.
I'd like to configure OpenLDAP to enable authentication for multiple applications and define a DSE for each app. Some apps will need to utilize chaining and referrals, some won't. Toward that end, I'm hoping to rewrite suffixes to a base that is similar to what a client requested. If a client specifies a search base of cn=App1,o=MyOrg,dc=org and a search for uid=jsmith23, through chained referrals that search might reach ldaps://server1/ou=Domain Users,dc=Staff,o=MyOrg,dc=edu and ldaps://server2/ou=Students,o=MyOrg,dc=edu. Given a match from server1, I'd like the client to see a dn like uid=jsmith23,ou=Staff,ou=App1,o=MyOrg,dc=edu instead of uid=jsmith23,ou=Domain Users,dc=Staff,o=MyOrg,dc=edu.
I understand how to rewrite a base, configure chaining, and set up an ldap proxy, but I am stuck trying to accomplish both chaining and rewriting (per the link above).
One approach I'm considering is running separate instances of OpenLDAP - one to do the rewriting and a second to do referrals and chaining. That feels like an overly complicated path - any pointers would be greatly appreciated.
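For reference, the two pieces described above (server-side chaining on the hdb database, and suffix rewriting on an ldap proxy database) in OpenLDAP 2.3 slapd.conf form; this is an added illustration, not the poster's configuration, and the rootdn, directory path, bind credentials and the use of dc=edu throughout are assumed. It deliberately keeps rwm and chain on separate databases, since combining them on one database is the open question.

```conf
# Added illustration (not the poster's actual config). server1/server2,
# the rootdn, directory and credentials are placeholders.

# 1. ldap proxy database with rwm: presents ou=Staff,ou=App1,... to clients
#    and rewrites it to the real naming context on server1, so a bind as
#    uid=jsmith23,ou=Staff,ou=App1,o=MyOrg,dc=edu reaches server1 as
#    uid=jsmith23,ou=Domain Users,dc=Staff,o=MyOrg,dc=edu and returned DNs
#    are mapped back the other way.
database        ldap
suffix          "ou=Staff,ou=App1,o=MyOrg,dc=edu"
uri             "ldaps://server1/"
overlay         rwm
# single argument = real naming context; the virtual one is the suffix above
rwm-suffixmassage   "ou=Domain Users,dc=Staff,o=MyOrg,dc=edu"

database        ldap
suffix          "ou=Students,ou=App1,o=MyOrg,dc=edu"
uri             "ldaps://server2/"
overlay         rwm
rwm-suffixmassage   "ou=Students,o=MyOrg,dc=edu"

# 2. hdb database holding the per-application entries and referral objects.
#    The chain overlay follows referrals server-side; the client's own
#    credentials are reused for the chased operation (rebind-as-user), and
#    errors from the remote server are returned rather than the referral.
database        hdb
suffix          "o=MyOrg,dc=edu"
rootdn          "cn=Manager,o=MyOrg,dc=edu"          # placeholder
directory       /var/lib/ldap/myorg                   # placeholder
overlay         chain
chain-return-error      TRUE
chain-uri               "ldaps://server1/"
chain-rebind-as-user    TRUE
chain-uri               "ldaps://server2/"
chain-rebind-as-user    TRUE

# Referral entry stored in the hdb database (constructed LDIF, shown as a
# comment so this file stays a single slapd.conf fragment):
#   dn: ou=Staff,cn=App1,o=MyOrg,dc=edu
#   objectClass: referral
#   objectClass: extensibleObject
#   ou: Staff
#   ref: ldaps://server1/ou=Domain Users,dc=Staff,o=MyOrg,dc=edu
```

With this layout, results chased through the chain overlay still carry the remote server's DNs (ou=Domain Users,dc=Staff,...), which is exactly the gap the message is asking about; only the ldap proxy databases present the rewritten ou=App1 form.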