
Re: OpenLDAP as proxy for another LDAP-Server



On Thu, 15 May 2008, Andrew Findlay wrote:
> ...
> I have a similar requirement at the moment except that I only want to
> use the second LDAP server to authenticate for a small proportion of the
> entries in the first one. The namespaces are very different. I think
> it can be done with a combination of rwm, back-ldap/back-meta and
> slapd-relay, but this seems rather complex when all I really need is
> 'pass-through authentication'.
>
> I will report back to the list if I come up with a workable solution,
> but in the meantime does anyone have any pointers to a neat way of
> doing this?

How about using saslauthd? Configure the users that need pass-through authentication with userPassword values in the form "{SASL}user@domain", put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure saslauthd to authenticate against the backend server. That gives you both complete control over who gets passed through (only those with the {SASL} format) and complete flexibility in the mapping of frontend users to backend users (by tweaking the "user@domain" in each user's userPassword attribute).



Philip Guenther
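As an added worked example (not part of the original thread and not OpenLDAP's or Cyrus SASL's own files), the shell script below writes the three pieces of configuration that the {SASL} pass-through scheme described above needs: the LDIF that marks one frontend entry for pass-through, slapd's Cyrus SASL config pointing at saslauthd, and saslauthd's LDAP backend config for the second server. It also shows how the "user@domain" value is split into the user and realm that saslauthd receives. Every hostname, DN, path and the bind password are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not part of the original message: the three pieces of
# configuration that the {SASL} pass-through scheme needs. Every hostname,
# DN, path and password below is an assumption for illustration.
set -eu

# Strip the {SASL} prefix that marks an entry for pass-through. Prints the
# "user@domain" that slapd hands to saslauthd, or fails for any other
# userPassword scheme (e.g. {SSHA}), which slapd keeps verifying locally.
sasl_target() {
    prefix='{SASL}'
    case "$1" in
        "$prefix"*) printf '%s\n' "${1#"$prefix"}" ;;
        *) return 1 ;;
    esac
}

# slapd splits "user@domain" at the '@': the left part is the login name
# and the right part becomes the SASL realm that saslauthd sees.
sasl_user()  { printf '%s\n' "${1%@*}"; }
sasl_realm() { printf '%s\n' "${1##*@}"; }

# 1. LDIF that switches one frontend entry to pass-through. Only entries
#    carrying a {SASL} value are forwarded; every other entry is unaffected.
write_passthrough_ldif() {   # args: dir dn target
    cat >"$1/passthrough.ldif" <<EOF
dn: $2
changetype: modify
replace: userPassword
userPassword: {SASL}$3
EOF
}

# 2. slapd's Cyrus SASL config (usually /usr/lib/sasl2/slapd.conf or
#    /etc/sasl2/slapd.conf): hand password checks to the saslauthd socket.
write_slapd_sasl_conf() {    # args: dir
    cat >"$1/slapd.conf" <<'EOF'
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
}

# 3. saslauthd's LDAP backend (started as: saslauthd -a ldap -O /etc/saslauthd.conf).
#    %u is the user half of the {SASL} value; %r is the realm (domain) half,
#    which can select a different base or filter per backend domain.
write_saslauthd_conf() {     # args: dir
    cat >"$1/saslauthd.conf" <<'EOF'
ldap_servers: ldap://backend.example.com/
ldap_search_base: ou=people,dc=backend,dc=example,dc=com
ldap_filter: (uid=%u)
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,dc=backend,dc=example,dc=com
ldap_bind_pw: changeme
EOF
}

# Generate all three into a scratch directory so they can be inspected.
target='jdoe@backend.example.com'
outdir=$(mktemp -d)
write_passthrough_ldif "$outdir" 'uid=jdoe,ou=people,dc=example,dc=org' "$target"
write_slapd_sasl_conf  "$outdir"
write_saslauthd_conf   "$outdir"
printf 'configs written to %s; saslauthd will see user=%s realm=%s\n' \
    "$outdir" "$(sasl_user "$target")" "$(sasl_realm "$target")"

# Manual checks once the real daemons are running (not executed here):
#   testsaslauthd -u jdoe -r backend.example.com -p 'secret'
#   ldapmodify -x -H ldap://frontend.example.org/ -D cn=admin,dc=example,dc=org -W -f passthrough.ldif
#   ldapwhoami -x -H ldaps://frontend.example.org/ -D uid=jdoe,ou=people,dc=example,dc=org -W
```

Three caveats a practitioner will want: slapd only honours {SASL} userPassword values when built with --enable-spasswd; pass-through works for simple binds only, because the frontend must receive the cleartext password to forward it (so require TLS on the frontend and expect SASL mechanisms such as DIGEST-MD5 to fail for those entries); and whoever can write a {SASL} value chooses which backend account a login is checked against, so the ACL on userPassword for those entries should be limited to administrators rather than self-service.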