[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
proxy/backend pointers
- To: "openldap-technical@openldap.org" <openldap-technical@openldap.org>
- Subject: proxy/backend pointers
- From: David LaPorte <david@davidlaporte.org>
- Date: Tue, 14 Nov 2017 14:04:32 +0000
- Accept-language: en-US
- Authentication-results: spf=none (sender IP is ) smtp.mailfrom=david@davidlaporte.org;
- Content-id: <B2202330D3463948BFDA30A607159784@namprd10.prod.outlook.com>
- Content-language: en-US
- Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=dlaporte.onmicrosoft.com; s=selector1-davidlaporte-org; h=From:Date:Subject:Message-ID:Content-Type:MIME-Version; bh=/jnLi6dNHxNgM1WCM0qoBXtVMGBAtl5FGUEcPcwI734=; b=U1aEHpT6f8Ah7lqdsgy6toFoWbXhwWUJeFOz4xPPiMK9cjTskZYuHfF6dHhd+V+VHOfFiil88C2bbLzN73q//eeUelStsgLaGTKkny7J0psbccLryhq1MEOH0vXN5lKTOeVwu9Pncm5M1m6J0KgpLMnC/4w/+o0NL7hir3DIBJ8=
- Spamdiagnosticmetadata: NSPM
- Spamdiagnosticoutput: 1:99
- Thread-index: AQHTXVF+wUXJ7AwUMkWbVID0FNtE2g==
- Thread-topic: proxy/backend pointers
- User-agent: Microsoft-MacOutlook/f.28.0.171108
Hello,
I've done a bit of research, but having some difficulty determining if my use case is possible. Here's what I'm trying to do:
We have an old unsupported application that authenticates users using an LDAP bind. The credential used for authentication (and what all the internal authorizations are tied to) is employee ID. We are moving to LDAP directory that uses email address instead of employee ID as the DN - the employee ID is still present as an attribute in the new directory and the password remains the same. Since I can't modify the problematic application, it’s not going away anytime soon, and it’s the last thing holding up migration to the new directory system, I'm hoping that I can use OpenLDAP as a shim between the application and the new directory to do something like the following:
* Collect credentials (employee_id, password) during bind
* using a privileged service account, search/bind against the new directory to map employee ID attribute to email address DN (like mod_authz_ldap does it)
* return the success/failure as result of original bind
I would appreciate any ideas or pointers if this is possible or if there might be a better way.
Thanks in advance!
Dave
David LaPorte
david@davidlaporte.org