Hi all,
Our OpenLDAP deployment serves multible bases (suffixes).
dc=ourcompany,dc=ru
ou=People
cn=john
dc=ourclient1,dc=ru
ou=People
cn=jim
dc=ourclient2,dc=com
...
dc=ourclient3,dc=net
...
We are on a way of integration of most our services with LDAP.
Modern software like Jabberd2 can derive base DN from username. For
example, when JID = somebody@ourclient1.ru logs on, Jabber server takes
"ourclient1.ru", looks up the appropriate base DN in its config file,
gets dn="dc=ourclient1,dc=ru", searches this base for an entry with uid
== somebody, and rebinds with
dn="cn=Somebody,ou=People,dc=ourclient1,dc=ru", thus making possible
LDAP authentication against multiple base DNs (important!)
Legacy software like Courier mail server is not aware of multiple base
DNs. In order to make use of LDAP authentication in Courier, we
introduce "ou=Domains,dc=ourcompany,dc=ru", and try to make all other
suffixes available under this DN. Like this:
dc=ourcompany,dc=ru
ou=People
cn=john
cn=...
ou=Domains
dc=ourclient1,dc=ru
ou=People
cn=jim
The scheme needs not be exactly like the above. We just want
"cn=jim,ou=People,dc=ourclient1,dc=ru" and others to be returned when
ldapsearch'ing -b "ou=Domains,dc=ourcompany,dc=ru" -s sub
"(objectClass=person)".
I will ask you please to help me choose the appropriate combination of
OpenLDAP mechanisms to accomplish this.
Once I thought that putting referrals to ou=Domains,dc=ourcompany,dc=ru
and making slapd chase them internally with slapo-chain will help. But
now I see that slapo-chain (as of 2.3.6) is deprecated, moved to
back_ldap, and controlled by some LDAP_CONTROL_X_CHAINING_BEHAVIOR, and
enabled only in devel builds. Is there any way to enforce server-side
chaining, like it was in <= 2.3.4? (In this case we just have to process
referrals internally, because we cannot rely on referral handling on
client-side - in most cases client software like Courier or Apache is
not aware of referrals, and ignores them.)