[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: subordinate referrals for an OpenLDAP->AD

Shahzad, Saleem wrote:

We were looking at proxy or subordinate referrals for an OpenLDAP->AD

On subordinate referrals I found that not all the applications I tried to
integrate work well with it (none actually).

For proxies the issue I found was that I could not proxy to a name that was
a superset of the base dn. For example if I had a base dn of
"dc=example,dc=com" then I could not proxy to another server via
"dc=internal,dc=example,dc=com", but I could do

You can do this sort of proxy with the meta backend by specifying a separate uri list for each superset (dc=internalx,dc=example,dc=com) rather than creating a proxy for the base (dc=example,dc=com)
# Query the appropriate backend servers
suffix "dc=internal,dc=example,dc=com"
uri "ldap://server1/internal,dc=example,dc=com ldap://server2 ldap://server3 ldap://server4";
suffix "dc=internal2,dc=example,dc=com"
uri "ldap://server3/dc=internal,dc=example,dc=com ldap://server2 ldap://server1";

This is will work for mapping attributes but not if you want to use the pcache overlay which wants only one suffix.

It would be great if LDAP Proxy Resolution was implemented as suggested in the man page as a possible evolution...


If there is something I missed and this can be done I would be very curious
to know.