Is it correct to state that with your
example there must be a common element in the suffix in order for this
to work?
database ldap
suffix "ou=A,o=example"
subordinate
uri ldap://a.example.com:389
database ldap
suffix "ou=B,o=example"
subordinate
uri ldap://b.example.com:389
database null
suffix "o=example"
overlay glue
Pierangelo provided the following example
which would seem to indicate that there need not be any commonality in
the suffix although this example does not make use of the "null"
database entry:
database ldap
suffix "ou=Old"
uri "ldap://old.server"
database ldap
suffix "dc=new"
uri "ldap://new.server"
In our case the suffixes would be:
New server: ou=Persons,dc=subdomainA,dc=domain,dc=edu
Old server: ou=users,ou=ais
As you can see there is no commonality
between the two.
Thanks again for the help.
Regards,
Dan
Jonathan Clarke <jclarke@linagora.com>
06/03/2008 12:46 AM
To: danz@wustl.edu
cc: openldap-technical@openldap.org
Subject: Re: slapd-meta question
Hi,
danz@wustl.edu wrote:
> We have a scenario that I'm hoping OpenLDAP can offer a solution to.
>
> We are in the process of transitioning from one ldap authentication
> source to another for several of our applications. During the
> transition we need to be able to authenticate users against one of two
> different ldap services. Unfortunately our applications do not support
> the capability to try authentication against multiple services.
>
> Would an OpenLDAP setup be able to take the authentication request and
> attempt to validate it against 2 different backends?
>
> I should note that each of the ldap backends would have different OU
> structures and that a given userID would not exist in both backends.
> Based on the slapd-meta man page SCENARIOS section it looks as though
> this may be possible. The examples don't illustrate whether or not the
> OU structures need to be the same between the backends.
Assuming your authentication process starts by searching for a "userID"
in some LDAP tree to find a user's DN, and then attempts a bind operation
on that DN, I think you'll find the following setup useful.
Consider two backends, let's say ou=A,o=example and ou=B,o=example.
Whether these are local bdb backends or remote LDAP backends is of
little importance. By configuring A and B as "subordinate" to the higher
level database o=example you can set your authentication clients to
perform a search based on "o=example" for their userID, and OpenLDAP
will propagate the search to both backends. A sub-scoped search will
search the whole trees, regardless of OU structures.
In more detail, your slapd.conf could contain the following:
database ldap
suffix "ou=A,o=example"
subordinate
uri ldap://a.example.com:389
database ldap
suffix "ou=B,o=example"
subordinate
uri ldap://b.example.com:389
database null
suffix "o=example"
overlay glue
(The null database just serves as a placeholder, really. You could also
use a BDB database.)
Hope this helps,
Jonathan
--
Jonathan Clarke
Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
Tél: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com
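The glue/subordinate layout above requires each subordinate suffix to sit under the superior database's suffix, which is exactly what Dan's two real naming contexts (ou=Persons,dc=subdomainA,dc=domain,dc=edu and ou=users,ou=ais) do not do. The following slapd.conf fragment is an added example, not from either message in the thread, showing how slapd-meta's suffixmassage directive can present both unrelated remote trees under one virtual suffix so that applications use a single search base. The virtual suffix dc=auth,dc=example, the RDNs ou=new and ou=old, and the hostnames new.server and old.server are assumptions chosen for illustration; the real naming contexts are the ones quoted in the thread.

```conf
# Added example (not from the thread): one slapd-meta database that
# presents two unrelated remote naming contexts under a single virtual
# suffix. Assumed/hypothetical values: the virtual suffix
# dc=auth,dc=example, the RDNs ou=new / ou=old, and the hostnames
# new.server / old.server.
database        meta
suffix          "dc=auth,dc=example"

# Target 1: the new server. The naming context in the uri is the
# *virtual* one and must lie under the database suffix; suffixmassage
# rewrites it to the real suffix that the remote server actually holds.
uri             "ldap://new.server/ou=new,dc=auth,dc=example"
suffixmassage   "ou=new,dc=auth,dc=example" "ou=Persons,dc=subdomainA,dc=domain,dc=edu"

# Target 2: the old server, whose real suffix shares nothing with
# target 1. Directives following a uri apply to that target only.
uri             "ldap://old.server/ou=old,dc=auth,dc=example"
suffixmassage   "ou=old,dc=auth,dc=example" "ou=users,ou=ais"
```

With this in place an application searches base "dc=auth,dc=example", scope sub, for its userID filter; slapd-meta fans the search out to both targets, rewrites the real DNs it gets back into the virtual namespace, and a subsequent simple bind on the returned virtual DN is massaged back to the real DN and sent to the target that owns it. Because Dan states that a given userID exists in only one backend, the search yields a single entry, which is what a search-then-bind client expects. Two caveats worth checking before deploying: the proxy now terminates the client's bind and forwards the password to the remote server, so both legs should be protected (ldaps:// URIs or StartTLS on the client side and on the targets); and anything that grants access based on the returned DN will see the virtual form, not the backend's real DN.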