
Re: subordinate referrals for an OpenLDAP->AD



Shahzad, Saleem wrote:

We were looking at proxy or subordinate referrals for an OpenLDAP->AD
integration.

On subordinate referrals I found that not all the applications I tried to
integrate work well with it (none actually).

For proxies the issue I found was that I could not proxy to a name that was
a superset of the base dn. For example if I had a base dn of
"dc=example,dc=com" then I could not proxy to another server via
"dc=internal,dc=example,dc=com", but I could do
"dc=internal,dc=example2,dc=com".


You can do this sort of proxy with the meta backend by specifying a separate uri list for each superset (dc=internalx,dc=example,dc=com) rather than creating a proxy for the base (dc=example,dc=com):
# Query the appropriate backend servers
database meta
suffix "dc=internal,dc=example,dc=com"
# only the first URI carries the naming context; the other servers share it
uri "ldap://server1/dc=internal,dc=example,dc=com ldap://server2 ldap://server3 ldap://server4"
suffix "dc=internal2,dc=example,dc=com"
uri "ldap://server3/dc=internal2,dc=example,dc=com ldap://server2 ldap://server1"


This will work for mapping attributes but not if you want to use the pcache overlay, which wants only one suffix.

It would be great if LDAP Proxy Resolution was implemented as suggested in the man page as a possible evolution...

Cheers,
Robert


If there is something I missed and this can be done I would be very curious
to know.
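A fuller slapd.conf sketch of the per-subtree meta backend setup Robert describes, as an added example that is not from the thread; the ad1/ad2/ad3 host names, the proxy bind DN and the uid mapping are assumptions.

```conf
# Added example, not from the thread: one meta database that owns only the
# AD-backed subtrees, so the local dc=example,dc=com database is untouched.
database        meta
suffix          "dc=internal,dc=example,dc=com"
suffix          "dc=internal2,dc=example,dc=com"

# Target 1: the first URI carries the naming context, the others share it.
# Host names are assumptions; ldaps:// keeps the proxied binds off the wire
# in clear text.
uri             "ldaps://ad1.internal.example.com/dc=internal,dc=example,dc=com ldaps://ad2.internal.example.com"
# Do not follow AD's referrals to other DCs or partitions through the proxy.
chase-referrals no
# Bind to AD as a dedicated low-privilege proxy account (assumed DN);
# mode=none means the proxy does not assert the client's identity to AD.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=internal,dc=example,dc=com"
                credentials="REPLACE_WITH_PROXY_PASSWORD"
                mode=none
# Attribute mapping mentioned in the thread: local name first, AD name second.
map attribute   uid sAMAccountName

# Target 2: a second domain under its own subtree; target directives apply
# to the most recent uri line.
uri             "ldaps://ad3.internal2.example.com/dc=internal2,dc=example,dc=com"
chase-referrals no
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=internal2,dc=example,dc=com"
                credentials="REPLACE_WITH_PROXY_PASSWORD"
                mode=none
map attribute   uid sAMAccountName

# Caveat from the thread: pcache expects a single suffix, so it cannot be
# layered on this two-suffix database; a separate single-suffix proxy
# database would be needed if caching is required.
```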