Re: OpenLDAP's Backend Rewrite Engine

["Dieter Kluenter" <dieter@dkluenter.de>]

Michael Gale <michaelg@xandros.com> writes:

> Thank you, Dieter.  For reasons outside of my control, I can't place a
> "rootpw" or a "rootdn" attribute in the configuration file.  Suffix
> massaging works when the bind is for one user with privileges for both
> DNs.  I have a situation where the user may be different every time a
> bind is attempted.  For example, when a user attempts to authenticate
> his/herself they will submit their credentials to
> "ldap://public.com";. They will attempt a bind on that server using a
> DN "cn=user1,cn=Administrators,dc=test,dc=com".  I would like the
> server "ldap://public.com"; to proxy the bind for
> "ldap://mixedmaster.mixeddomain.com"; using the same credentials but
> under a different DN "cn=user1,cn=Users,dc=mixeddomain,dc=com".
>
> The server "ldap://mixedmaster.mixeddomain.com"; would then return
> success or failure to "ldap://public.com"; who would then return
> success of failure to the client.
>
> Can this be done?  If yes, do the rules I posted earlier (below) make
> any sense?  I'm certainly missing something, I'm just not sure where
> to go from here.

As far as I remember, rootdn and rootpw are only necessary if write
operations are involved, a have this parameters in my slapd.conf
because of proxycaching.
Proxying authentication can be done, see man slapd-ldap(5), the
parameters idassert-bind and proxyAuthz, but I have never tested a sort
triple step proxy authentication.

-Dieter

-- 
Dieter Klünter | Systemberatung
http://www.dkluenter.de
GPG Key ID:01443B53