[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: Back-ldap
oclc ldap wrote:
Hello,
We use openldap 2.1.25 and I am trying to setup back-ldap.
I have two existing servers dc=domain1,dc=org and other
dc=application1,dc=applications,dc=domain1,dc=org.
I have set up referrals for these and they seem to work ok.
I have an application that cannot handle referrals so I was planning
to set
up a back-ldap instance to proxy requests to these servers.
I have a couple of questions
1) Few examples that I found on the mailing list have a rootdn in the
database ldap declaration. Is this required?
No. It's nearly useless.
2) Both the servers do not allow anonymous access and I cannot have a
user
common to both the servers. How do you bind to the servers?
If I give the dn with the right ACLs for the first server it reads the
first
server and cannot login into the next one.
The "right" solution is use code out of the CVS; in detail
the "identity assertion" feature (idassert-* diretives in
slapd.ldap(5) man page, which exactly deals with this type
of problems. Of course, it's not a solution I would recommend
for full production unless you know exactly what you're doing.
Other workarounds imply that you hack the code to make
anonymous/locally bound connections to the proxy bind with
some other identity to the remote server (which, indeed, is
exactly what idassert does).
I am sure this would be a typical scenario for a referral setup but I
couldn't find an answer on the net.
It is. See above. p.
SysNet - via Dossi,8 27100 Pavia Tel: +390382573859 Fax: +390382476497
- References:
- Back-ldap
- From: "oclc ldap" <oclcldap@hotmail.com>