OpenLDAP's Backend Rewrite Engine
So, I decided to try the proxy approach, and I would like to rewrite a
DN from this:
"cn=<user name>,cn=Administrators,dc=test,dc=com"
to this:
"cn=<user name>,cn=Users,dc=mixeddomain,dc=com"
I would like to perform a simple substitution where the user name from
one DN gets copied to another. I am using a rewrite context for a
client -> server operation, but I'm pretty sure the following is not right:
database        ldap
# Naming context this proxy answers for (assumed here from the DN in the post)
suffix          "dc=test,dc=com"
# Active Directory server the rewritten binds are forwarded to
uri             ldap://mixedmaster.mixeddomain.com/
rebind-as-user
rewriteEngine   on
rewriteContext  bindDn
# Pattern and substitution belong on one line; ^...$ and [^,]+ keep the match
# to exactly one RDN under cn=Administrators instead of letting (.*) span RDNs
rewriteRule     "^cn=([^,]+),cn=Administrators,dc=test,dc=com$" "cn=%1,cn=Users,dc=mixeddomain,dc=com"
I'm a little lost as to what rules/contexts/uris are required in the
"slapd.conf" file. Any help would be greatly appreciated.
Michael
Michael Gale wrote:
OpenLDAP Community,
We have two LDAP servers on our network. One is an OpenLDAP server,
and the other is an Active Directory server. I have been
investigating how to authenticate against Active Directory through the
OpenLDAP server, and after several days of reading fragmented pieces
of information, I am admittedly confused.
I have read about a couple of different options such as OpenLDAP's
back-end or meta server, setting up a proxy, but I am still unsure
which option to use. Regrettably, there is little cohesive
information for establishing such a relationship, so I would love some
advice. First let me describe this relationship between the two servers.
The OpenLDAP server will hold various bits of information about the
users of our network, service configurations, etc. Basically, it
contains the user name and small groupings of unrelated information.
I want this server to be the only "point of contact" for our users and
software. In other words, nobody needs to know about the Active
Directory, except for the OpenLDAP server of course.
The Active Directory has user names and passwords. I am looking for a
way to authenticate our users against the Active Directory. There are
a few ground rules for this relationship:
1) I don't want services or users to contact the ADS server directly.
2) I don't want to synchronize passwords between the two servers.
3) I cannot replace the ADS with OpenLDAP.
Is there a preferred way to handle this situation? Can this be
achieved through OpenLDAP?
Many thanks for your time,
Michael
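As an added example (not part of either message, and not OpenLDAP code), the script below exercises the bindDn rewriteRule from the reply above offline, so the regex can be checked before it goes into slapd.conf. It applies the original unanchored `cn=(.*),...` pattern and an anchored `^cn=([^,]+),...$` variant to a few constructed bind DNs. Python's `re` stands in for the POSIX extended regex that slapd's rewrite engine compiles; for these patterns the two agree, and matching is done case-insensitively to mirror the engine's default. The sample DNs and the `rewrite_dn`/`compare` helpers are this example's own.

```python
import re

# The rule from the post (unanchored) and an anchored single-RDN version.
# Substitution syntax follows slapd's rewrite engine: %1 is the first group.
UNANCHORED = (r"cn=(.*),cn=Administrators,dc=test,dc=com",
              "cn=%1,cn=Users,dc=mixeddomain,dc=com")
ANCHORED = (r"^cn=([^,]+),cn=Administrators,dc=test,dc=com$",
            "cn=%1,cn=Users,dc=mixeddomain,dc=com")


def rewrite_dn(dn, rule):
    """Apply one (pattern, substitution) rewriteRule to a bind DN.

    Returns the rewritten DN, or the DN unchanged when the pattern does not
    match, which is what the engine does when no rule in the context fires.
    Python's re is used as a stand-in for the engine's POSIX ERE matching.
    """
    pattern, subst = rule
    m = re.search(pattern, dn, re.IGNORECASE)
    if m is None:
        return dn
    # Expand %1..%9 with the corresponding capture groups.
    return re.sub(r"%([1-9])", lambda g: m.group(int(g.group(1))), subst)


# Constructed sample bind DNs; not taken from a real directory.
SAMPLES = [
    # The intended case: one user directly under the admin container.
    "cn=mgale,cn=Administrators,dc=test,dc=com",
    # An extra RDN below the container: with (.*) the capture spills into the
    # rewritten DN, so the bind lands somewhere else under the AD tree.
    "cn=mgale,cn=Helpdesk,cn=Administrators,dc=test,dc=com",
    # A DN that merely ends with the admin container: unanchored, the bind is
    # rewritten to the *user's* AD DN instead of being left alone.
    "uid=svc,cn=mgale,cn=Administrators,dc=test,dc=com",
    # Not an administrator at all: must pass through untouched.
    "cn=mgale,cn=Users,dc=test,dc=com",
]


def compare(dns=SAMPLES):
    """Return {dn: (unanchored_result, anchored_result)} for each sample DN."""
    return {dn: (rewrite_dn(dn, UNANCHORED), rewrite_dn(dn, ANCHORED))
            for dn in dns}


if __name__ == "__main__":
    for dn, (loose, strict) in compare().items():
        print(dn)
        print("  (.*)   ->", loose)
        print("  [^,]+  ->", strict)
```

The point of the comparison is the second and third samples: with the unanchored `(.*)` rule, a DN with an extra RDN is mapped to `cn=mgale,cn=Helpdesk,cn=Users,dc=mixeddomain,dc=com`, and a DN that only ends in the admin container is rewritten to the user's AD DN. The anchored rule leaves both unchanged, so only DNs of exactly the intended shape reach the AD server rewritten.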