
Re: back-meta + example



Hi!

Sorry! I've forgotten something:
A user should have the possibility to bind to server 'A' and make a search on all the information located on both servers without chasing referrals.


His UserDN should be converted to that of server 'B' and he should be authenticated with the credentials given by the user for server 'A' (plaintext authentication).

Of course that's not possible...

However - have a nice day!


bye Chris


Christian Jung wrote:
Hi!

So here we go again. I posted yesterday to this list and explained my little problem. Strictly speaking it's not very easy to explain nor to understand. So I thought that it would be better to provide you with a little example environment. vi-edited config files say more than a thousand words ;-)

Now I'll explain this environment a bit: I've got two LDAP-servers: 'A' and 'B'.

'A' has the following content:

dc=intracom,dc=net
    |
    +--ou=a
    |    |
    |    +--ou=users
    |         |
    |         +--uid=cju
    |
    +--cn=Manager

Server 'B' has the following content:

ou=b,dc=intracom,dc=net
    |
    +--ou=people
    |    |
    |    +--cn=cju
    |    |
    |    +--cn=test
    |
    +--cn=Manager

Server 'B' has got very restrictive ACLs:

access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none

access to *
    by users read
    by * none

An authenticated user may only view his own user object and doesn't have the possibility to view other defined users. Anonymous binds are not allowed.

Now I would like to integrate server 'B' in server 'A', so that the structure looks the following way on server 'A':

dc=intracom,dc=net
    |
    +--ou=a
    |    |
    |    +--ou=users
    |         |
    |         +--uid=cju
    |
    +--ou=b
    |    |
    |    +--ou=people
    |    |    |
    |    |    +--cn=cju
    |    |    |
    |    |    +--cn=test
    |    |
    |    +--cn=Manager
    |
    +--cn=Manager

The users defined on both servers share the same credentials and the same user ID. Their user IDs are only saved in different attributes (because the objects have different classes - in my example both user objects have at least the class person, but in the real world they have really different classes). So I have to rewrite the DNs of the objects from e.g.

uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net

to

cn=%1,ou=people,ou=b,dc=intracom,dc=net

Server 'B' can't "speak" another authentication-mechanism than simple authentication. So I don't have the possibility to use Kerberos or another way to authenticate.

Do I have any chance to get this working with back-ldap or back-meta?


bye Chris


------------------------------------------------------------------------

# LDIF of server 'A'

dn: dc=intracom,dc=net
objectClass: top
objectClass: dcObject
objectClass: organization
dc: intracom
o: Home network

dn: cn=Manager,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: a

dn: ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: users

dn: uid=cju,ou=users,ou=a,dc=intracom,dc=net
objectClass: top
objectClass: person
objectClass: posixAccount
uid: cju
cn: Christian Jung
sn: Jung
uidNumber: 1000
gidNumber: 1000
homeDirectory: /home/cju
userPassword: secret




------------------------------------------------------------------------

# /etc/openldap/slapd.conf of server 'A'

include	/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema

pidfile		/var/run/slapd.pid
argsfile	/var/run/slapd.args

#database meta
#suffix "ou=test,o=saarstahl,c=DE"
#subordinate
#uri "ldap://socks.intracom.net/ou=test,o=saarstahl,c=DE";

database ldbm
suffix "dc=intracom,dc=net"
rootdn "cn=Manager,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap

index objectClass eq


------------------------------------------------------------------------

# LDIF of server 'B'

dn: ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: b

dn: cn=Manager,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalRole
cn: Manager

dn: ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: organizationalUnit
ou: people

dn: cn=cju,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: cju
sn: Jung
userPassword: secret

dn: cn=test,ou=people,ou=b,dc=intracom,dc=net
objectClass: top
objectClass: person
cn: test
sn: This user shouldn't be displayed if you're logged in as cju
userPassword: secrettoo


------------------------------------------------------------------------

# /etc/openldap/slapd.conf of server 'B'

include	/etc/openldap/schema/core.schema
include /etc/openldap/schema/cosine.schema
include /etc/openldap/schema/nis.schema

pidfile		/var/run/slapd/slapd.pid
argsfile	/var/run/slapd/slapd.args

loglevel -1


access to dn.subtree="ou=people,ou=b,dc=intracom,dc=net"
    by self read
    by anonymous auth
    by * none

access to *
    by users read
    by * none


database ldbm
suffix "ou=b,dc=intracom,dc=net"
rootdn "cn=Manager,ou=b,dc=intracom,dc=net"
rootpw secret
directory /var/lib/ldap

index objectClass eq
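As an added illustration (not part of the original post, and not OpenLDAP code), the following Python models the two pieces the post combines: the uid-to-cn DN rewrite rule quoted above, and the evaluation of server 'B''s two ACL clauses against the entries from its LDIF. It assumes a bind on 'A' is forwarded to 'B' under the rewritten DN, and shows which entries such a session could read (only its own object under ou=people, everything else under the `by users read` clause) and that an anonymous session gets nothing but `auth`.

```python
import re

# Rewrite rule from the post: an 'A'-style user DN becomes its 'B' counterpart.
DN_PATTERN = re.compile(r"^uid=([^,]+),ou=users,ou=a,dc=intracom,dc=net$", re.IGNORECASE)
DN_TEMPLATE = "cn={},ou=people,ou=b,dc=intracom,dc=net"
PEOPLE_SUBTREE = "ou=people,ou=b,dc=intracom,dc=net"

# Constructed from the server 'B' LDIF in the post (DNs only).
ENTRIES_B = (
    "ou=b,dc=intracom,dc=net",
    "cn=Manager,ou=b,dc=intracom,dc=net",
    "cn=cju,ou=people,ou=b,dc=intracom,dc=net",
    "cn=test,ou=people,ou=b,dc=intracom,dc=net",
)


def rewrite_dn(dn):
    """Apply uid=...,ou=users,ou=a -> cn=%1,ou=people,ou=b; any other DN passes through unchanged."""
    m = DN_PATTERN.match(dn)
    return DN_TEMPLATE.format(m.group(1)) if m else dn


def in_subtree(dn, base):
    """dn.subtree semantics: the base entry itself and everything below it."""
    d, b = dn.lower(), base.lower()
    return d == b or d.endswith("," + b)


def access(bound_dn, target_dn):
    """Access level server 'B''s ACLs grant bound_dn (None = anonymous) on target_dn."""
    if in_subtree(target_dn, PEOPLE_SUBTREE):
        # access to dn.subtree="ou=people,..." by self read / by anonymous auth / by * none
        if bound_dn is not None and bound_dn.lower() == target_dn.lower():
            return "read"
        return "auth" if bound_dn is None else "none"
    # access to * by users read / by * none
    return "read" if bound_dn is not None else "none"


def visible_entries(bound_dn_on_a):
    """DNs on 'B' readable by a session bound to 'A' as bound_dn_on_a (None = anonymous)."""
    bound = rewrite_dn(bound_dn_on_a) if bound_dn_on_a else None
    return sorted(dn for dn in ENTRIES_B if access(bound, dn) == "read")


if __name__ == "__main__":
    for who in ("uid=cju,ou=users,ou=a,dc=intracom,dc=net", None):
        print(who or "anonymous", "->", visible_entries(who))
```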