
back-meta + example



Hi!

So here we go again. I posted to this list yesterday and explained my little problem. Strictly speaking it's not very easy to explain or to understand. So I thought it would be better to provide you with a little example environment. vi-edited config files say more than a thousand words ;-)

Now I'll explain this environment a bit: I've got two LDAP-servers: 'A' and 'B'.

'A' has the following content:

dc=intracom,dc=net
    |
    +--ou=a
    |    |
    |    +--ou=users
    |         |
    |         +--uid=cju
    |
    +--cn=Manager

Server 'B' has the following content:

ou=b,dc=intracom,dc=net
    |
    +--ou=people
    |    |
    |    +--cn=cju
    |    |
    |    +--cn=test
    |
    +--cn=Manager

Server 'B' has got very restrictive ACLs:

access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none

access to *
    by users read
    by * none

An authenticated user may only view his own user object and doesn't have the possibility to view other defined users. Anonymous binds are not allowed.

Now I would like to integrate server 'B' into server 'A', so that the structure looks like this on server 'A':

dc=intracom,dc=net
    |
    +--ou=a
    |    |
    |    +--ou=users
    |         |
    |         +--uid=cju
    |
    +--ou=b
    |    |
    |    +--ou=people
    |    |    |
    |    |    +--cn=cju
    |    |    |
    |    |    +--cn=test
    |    |
    |    +--cn=Manager
    |
    +--cn=Manager

The users defined on both servers share the same credentials and the same user ID. Their user IDs are only stored in different attributes (because the objects have different classes; in my example both user objects have at least the class person, but in the real world they have really different classes). So I have to rewrite the DNs of the objects from e.g.

uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net

to

cn=%1,ou=people,ou=b,dc=intracom,dc=net

Server 'B' can't "speak" any authentication mechanism other than simple authentication. So I don't have the possibility to use Kerberos or another way to authenticate.

Do I have any chance of getting this working with back-ldap or back-meta?


bye Chris

# LDIF of server 'A'

dn: dc=intracom,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: intracom
o: Home network

dn: cn=Manager,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: a

dn: ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=cju,ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
uid: cju
cn: Christian Jung
sn: Jung
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cju
userPassword: secret

# /etc/openldap/slapd.conf of server 'A'

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args

#database meta
#suffix "ou=test,o=saarstahl,c=DE"
#subordinate
#uri "ldap://socks.intracom.net/ou=test,o=saarstahl,c=DE";

database ldbm
suffix "dc=intracom,dc=net"
rootdn "cn=Manager,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap

index objectClass eq

# LDIF of server 'B'

dn: ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: b

dn: cn=Manager,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=cju,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: cju
sn: Jung
userPassword: secret

dn: cn=test,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: test
sn: This user shouldn't be displayed if you're logged in as cju
userPassword: secrettoo

# /etc/openldap/slapd.conf of server 'B'

include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

loglevel -1


access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none

access to *
    by users read
    by * none


database ldbm
suffix "ou=b,dc=intracom,dc=net"
rootdn "cn=Manager,ou=b,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap
index objectClass eq
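The following is an added example, not part of Chris's post and not OpenLDAP code: a small constructed Python model of the bind-DN rewrite the post asks for (uid=X under ou=a on 'A' to cn=X under ou=people,ou=b on 'B') together with a model of server 'B's ACLs. It exists to make one point concrete: the proxy on 'A' must forward the user's own identity, i.e. bind to 'B' with the rewritten DN and the password received in the user's simple bind. Binding to 'B' as its Manager (the tempting shortcut when a backend only speaks simple auth) silently defeats the "by self read" rule and exposes cn=test; binding anonymously returns nothing. The entry table, the `b_*` functions and `proxied_search` are assumptions of this model, not slapd behaviour.

```python
import re

# Added example (not from the post): a constructed model of the DN rewrite and of
# server B's ACLs, to show which proxy identity preserves B's "self read" rule.

# Bind-DN rewrite from the post: uid=X under ou=a on A -> cn=X under ou=people,ou=b on B.
BIND_DN_RULE = (
    re.compile(r"^uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net$", re.IGNORECASE),
    r"cn=\1,ou=people,ou=b,dc=intracom,dc=net",
)


def rewrite_dn(dn, rule):
    """Apply one regex rewrite; DNs that do not match pass through unchanged."""
    pattern, replacement = rule
    return pattern.sub(replacement, dn) if pattern.match(dn) else dn


# Constructed copy of server B's entries (same DNs and passwords as the LDIF in the post).
SERVER_B = {
    "ou=b,dc=intracom,dc=net": {},
    "cn=Manager,ou=b,dc=intracom,dc=net": {},
    "ou=people,ou=b,dc=intracom,dc=net": {},
    "cn=cju,ou=people,ou=b,dc=intracom,dc=net": {"userPassword": "secret"},
    "cn=test,ou=people,ou=b,dc=intracom,dc=net": {"userPassword": "secrettoo"},
}
ROOTDN_B, ROOTPW_B = "cn=Manager,ou=b,dc=intracom,dc=net", "secret"
PEOPLE_B = "ou=people,ou=b,dc=intracom,dc=net"


def in_subtree(dn, base):
    """True if dn is base itself or lies below it (case-insensitive, string-level model)."""
    return dn.lower() == base.lower() or dn.lower().endswith("," + base.lower())


def b_bind(dn, password):
    """Simple bind against B: None = anonymous, rootdn via rootpw, users via userPassword."""
    if dn is None:
        return None
    if dn.lower() == ROOTDN_B.lower():
        if password == ROOTPW_B:
            return dn
        raise PermissionError("invalid credentials")
    entry = SERVER_B.get(dn)
    if entry is None or entry.get("userPassword") != password:
        raise PermissionError("invalid credentials")
    return dn


def b_can_read(bound_dn, entry_dn):
    """B's ACLs: rootdn bypasses; under ou=people only 'by self read'; elsewhere 'by users read'."""
    if bound_dn is not None and bound_dn.lower() == ROOTDN_B.lower():
        return True
    if in_subtree(entry_dn, PEOPLE_B):
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    return bound_dn is not None


def b_search(bound_dn, base):
    """Subtree search on B; entries the bound identity may not read are silently omitted."""
    return sorted(dn for dn in SERVER_B if in_subtree(dn, base) and b_can_read(bound_dn, dn))


def proxied_search(user_dn_on_a, user_password, base, proxy_identity):
    """What a user bound to A sees under ou=b, depending on how the proxy binds to B.

    proxy_identity: 'self' (rewritten user DN plus the password from the user's own
    simple bind to A), 'anonymous' (no bind), or 'rootdn' (the proxy's own Manager
    credentials for B, a shortcut that defeats B's self-only ACL)."""
    if proxy_identity == "self":
        bound = b_bind(rewrite_dn(user_dn_on_a, BIND_DN_RULE), user_password)
    elif proxy_identity == "anonymous":
        bound = b_bind(None, None)
    elif proxy_identity == "rootdn":
        bound = b_bind(ROOTDN_B, ROOTPW_B)
    else:
        raise ValueError("unknown proxy identity: %r" % proxy_identity)
    return b_search(bound, base)


if __name__ == "__main__":
    cju = "uid=cju,ou=users,ou=a,dc=intracom,dc=net"
    for ident in ("self", "anonymous", "rootdn"):
        print(ident, proxied_search(cju, "secret", PEOPLE_B, ident))
```

Only the "self" path yields exactly cn=cju and nothing else; it works here precisely because, as the post says, the users share credentials and 'B' accepts a simple bind, so the cleartext password from the bind to 'A' can be replayed with the rewritten DN. The "rootdn" path returns cn=test as well, which is the ACL bypass to avoid.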