|
Hello,
I've three servers with three different LDAP suffixes: ou=users, ou=ldap1 and ou=ldap2. Servers with ou=ldap1 and ou=ldap2 also have a replica of the ou=users suffix LDAP0 : ou=users,dc=test,dc=com LDAP1 : ou=ldap1,dc=test,dc=com and ou=users,dc=test,dc=com LDAP2 : ou=ldap2,dc=test,dc=com and ou=users,dc=test,dc=com Each application client, depending on which suffix needs to be accessed, connects to an instance or another. I want to unify access using ldap proxy. It seems that slapd-meta fits my requirements. I've configured this targets: # LDAP0 suffix "ou=users,dc=test,dc=com" uri "ldap://host1:389/ou=users,dc=test,dc=com" # LDAP1 suffix "ou=ldap1,dc=test,dc=com" uri "ldap://host2:389/ou=ldap1,dc=test,dc=com" # LDAP2 suffix "ou=ldap2,dc=test,dc=com" uri "ldap://host3:389/ou=ldap2,dc=test,dc=com" If the client binds the proxy with cn=user1,ou=users,dc=test,dc=com, it's authenticated successfully against ldap0 and can access to ou=users,dc=test,dc=com, but if tries to access ou=ldap1,dc=test,dc=com or ou=ldap2,dc=test,dc=com it binds anonymously to the targets and can not access anything. I've tried idassert-bind and works perfectly, but I was wondering if I can avoid the use of a "pseudo-root identity" who had privileges to assert the client's identity. As LDAP1 and LDAP2 have the ou=users suffix could authenticate the credentials of the users who bounds the proxy. I don't know if it's possible with slapd-meta, but the idea is that client's user/password will be send directly to targets for binding so there's no need of id assertion. The proxy simply passthrough the user/password to the targets. Is this possible or I have to use idassert-bind? Thanks |