Re: rewrite a login into a dn in simple bind

[Quanah Gibson-Mount <quanah@stanford.edu>]

--On Thursday, October 09, 2003 2:00 PM -0400 Ace Suares <ace@suares.nl> 
wrote:

> A way out could be to make a separate tree (or an entirely separate
> database)  where you store the dn and the uid, and since you control that
> database, you  can give access to it by anonymous, to find the dn, and
> then bind to the  'real' database with the found dn and the password.
> Obviously, keeping the second database in sync with the main database
> will be  a pain. It could be done, but it seems there are various
> obstacles in your  way.

One solution to this, would be if OpenLDAP would allow you to populate only 
portions of a tree.  That currently isn't possible in 2.1.  It is, however, 
possible in 2.2 if you use syncRepl instead of slurpd.  Since the slave 
drives the update process, and can only update what it is allowed to access 
on the master, you can make different replicas contain different amounts of 
data -- in essence, you could have a replica that contained only the dn and 
uid (plus the required operational attributes).

--Quanah

--
Quanah Gibson-Mount
Principal Software Developer
ITSS/TSS/Computing Systems
ITSS/TSS/Infrastructure Operations
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html