Hi!
So here we go again. I posted yesterday to this list and explained my
little problem. Strictly speaking, it's not very easy to explain or to
understand, so I thought it would be better to provide you with a
little example environment. vi-edited config files say more than a
thousand words ;-)
Now I'll explain this environment a bit: I've got two LDAP servers, 'A'
and 'B'.
'A' has the following content:
dc=intracom,dc=net
|
+--ou=a
| |
| +--ou=users
| |
| +--uid=cju
|
+--cn=Manager
Server 'B' has the following content:
ou=b,dc=intracom,dc=net
|
+--ou=people
| |
| +--cn=cju
| |
| +--cn=test
|
+--cn=Manager
Server 'B' has got very restrictive ACLs:
access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none
access to *
    by users read
    by * none
An authenticated user may only view his own user object and doesn't have
the possibility to view other defined users. Anonymous binds are not
allowed.
Now I would like to integrate server 'B' in server 'A', so that the
structure looks the following way on server 'A':
dc=intracom,dc=net
|
+--ou=a
| |
| +--ou=users
| |
| +--uid=cju
|
+--ou=b
| |
| +--ou=people
| | |
| | +--cn=cju
| | |
| | +--cn=test
| |
| +--cn=Manager
|
+--cn=Manager
The users defined on both servers share the same credentials and the
same user ID. Their user IDs are only saved in different attributes
(because the objects have different classes; in my example both
user objects have at least the class person, but in the real world
they have really different classes). So I have to rewrite the DNs of
the objects from e.g.
uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net
to
cn=%1,ou=people,ou=b,dc=intracom,dc=net
Server 'B' can't "speak" any authentication mechanism other than simple
authentication. So I don't have the possibility to use Kerberos or
another way to authenticate.
Do I have any chance to get this working with back-ldap or back-meta?
bye
Chris
------------------------------------------------------------------------
# LDIF of server 'A'
dn: dc=intracom,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: intracom
o: Home network

dn: cn=Manager,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: a

dn: ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=cju,ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
uid: cju
cn: Christian Jung
sn: Jung
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cju
userPassword: secret
------------------------------------------------------------------------
# /etc/openldap/slapd.conf of server 'A'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/slapd.pid
argsfile /var/run/slapd.args
#database meta
#suffix "ou=test,o=saarstahl,c=DE"
#subordinate
#uri "ldap://socks.intracom.net/ou=test,o=saarstahl,c=DE"
database ldbm
suffix "dc=intracom,dc=net"
rootdn "cn=Manager,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap
index objectClass eq
------------------------------------------------------------------------
# LDIF of server 'B'
dn: ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: b

dn: cn=Manager,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=cju,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: cju
sn: Jung
userPassword: secret

dn: cn=test,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: test
sn: This user shouldn't be displayed if you're logged in as cju
userPassword: secrettoo
------------------------------------------------------------------------
# /etc/openldap/slapd.conf of server 'B'
include /etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema
pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args
loglevel -1
access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none
access to *
    by users read
    by * none
database ldbm
suffix "ou=b,dc=intracom,dc=net"
rootdn "cn=Manager,ou=b,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap
index objectClass eq
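Added example, not part of Chris's mail and not OpenLDAP code: a small Python model of the two things the question hinges on. First, the bind-DN rewrite from the mail, as an anchored regular expression. Second, how server 'B' evaluates the posted ACLs (the first matching "access to" clause is chosen, then the first matching "by" clause decides; an identity needs at least read to see an entry). The ACL text and entry DNs are copied from the configs above; attribute-level access and the entry pseudo-attribute are left out of the model. One caveat a proxy setup has to live with: slapd hands each operation to the database whose suffix matches the target DN, so a bind to uid=cju,ou=users,ou=a,... is answered by the ldbm database on 'A' and is never forwarded to 'B' by a back-ldap or back-meta database whose suffix is ou=b,...; the proxy then reaches 'B' without a bound identity, and with "by anonymous auth / by * none" that identity sees nothing, which is what the anonymous case below computes.

```python
"""Model of server 'B''s ACL evaluation plus the bind-DN rewrite from the
mail.  Added example: a simplified model of slapd's access control, not
slapd code.  ACL text and DNs are copied from the posted configuration."""
import re

# ACL text as posted for server 'B' (constructed copy of the config).
ACL_TEXT = """
access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none
access to *
    by users read
    by * none
"""

# Entry DNs from the LDIF posted for server 'B'.
ENTRIES_B = [
    "ou=b,dc=intracom,dc=net",
    "cn=Manager,ou=b,dc=intracom,dc=net",
    "ou=people,ou=b,dc=intracom,dc=net",
    "cn=cju,ou=people,ou=b,dc=intracom,dc=net",
    "cn=test,ou=people,ou=b,dc=intracom,dc=net",
]

# slapd access levels, least to most privileged.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]


def parse_acls(text):
    """Return [(what, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("access to "):
            acls.append((line[len("access to "):].strip(), []))
        elif line.startswith("by "):
            who, level = line[3:].rsplit(None, 1)
            acls[-1][1].append((who, level))
        else:
            raise ValueError("unsupported ACL line: " + line)
    return acls


def what_matches(what, entry_dn):
    """Only the two <what> forms used in the posted ACLs are modelled."""
    if what == "*":
        return True
    m = re.fullmatch(r'dn\.subtree="([^"]+)"', what)
    if m:
        base, dn = m.group(1).lower(), entry_dn.lower()
        return dn == base or dn.endswith("," + base)
    raise ValueError("unsupported <what>: " + what)


def who_matches(who, bound_dn, entry_dn):
    """bound_dn is None for an anonymous connection."""
    if who == "*":
        return True
    if who == "anonymous":
        return bound_dn is None
    if who == "users":
        return bound_dn is not None
    if who == "self":
        return bound_dn is not None and bound_dn.lower() == entry_dn.lower()
    raise ValueError("unsupported <who>: " + who)


def access_level(acls, bound_dn, entry_dn):
    """First matching 'access to' clause wins; inside it the first matching
    'by' clause decides.  Anything left unmatched ends up as none."""
    for what, bys in acls:
        if not what_matches(what, entry_dn):
            continue
        for who, level in bys:
            if who_matches(who, bound_dn, entry_dn):
                return level
        return "none"
    return "none"


def visible_entries(acls, bound_dn, entries=ENTRIES_B):
    """Entries the identity can read (level >= read)."""
    need = LEVELS.index("read")
    return [dn for dn in entries
            if LEVELS.index(access_level(acls, bound_dn, dn)) >= need]


# The rewrite from the mail: uid=<x>,ou=users,ou=a,... -> cn=<x>,ou=people,ou=b,...
# Anchored so only DNs directly under ou=users are rewritten; others pass through.
BIND_DN_RULE = (
    re.compile(r"^uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net$", re.IGNORECASE),
    r"cn=\1,ou=people,ou=b,dc=intracom,dc=net",
)


def rewrite_bind_dn(dn):
    pattern, subst = BIND_DN_RULE
    return pattern.sub(subst, dn)


if __name__ == "__main__":
    acls = parse_acls(ACL_TEXT)
    cju_on_b = rewrite_bind_dn("uid=cju,ou=users,ou=a,dc=intracom,dc=net")
    print("anonymous sees:", visible_entries(acls, None))
    print(cju_on_b, "sees:", visible_entries(acls, cju_on_b))
```

Run as a script it prints the two result sets: the anonymous identity sees no entry at all (it only gets auth on ou=people, enough to bind but not to read), while the rewritten cn=cju,ou=people,ou=b,... sees ou=b, cn=Manager,ou=b and its own entry, but neither ou=people itself nor cn=test. Whether the proxy on 'A' ever presents the rewritten DN to 'B' is the part a proxy configuration has to solve; the ACL outcome for each identity is fixed by the posted ACLs.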