[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: slapd-meta question




Thanks for the feedback.

Is it correct to state that with your example there must be a common element in the suffix in order for this to work?
database        ldap
suffix          "ou=A,o=example"
subordinate
uri ldap://a.example.com:389

database        ldap
suffix          "ou=B,o=example"
subordinate
uri ldap://b.example.com:389

database        null
suffix          "o=example"
overlay glue


Pierangelo provided the following example which would seem to indicate that there need not be any commonality in the suffix although this example does not make use of the "null" database entry:
database ldap
suffix "ou=Old"
uri "ldap://old.server"

database ldap
suffix "dc=new"
uri "ldap://new.server"


In our case the suffixes would be:
New server ou=Persons,dc=subdomainA,dc=domain,dc=edu
Old server   ou=users,ou=ais
 
As you can see there is no commonality between the 2.

Thanks again for the help.

Regards,
Dan



Jonathan Clarke <jclarke@linagora.com>

06/03/2008 12:46 AM

To
danz@wustl.edu
cc
openldap-technical@openldap.org
Subject
Re: slapd-meta question





Hi,

danz@wustl.edu a Ãcrit :
> We have a scenario that Iâm hoping OpenLDAP can offer a solution to.
>
> We are in the process of transitioning from one ldap authentication
> source to another for several of our applications.  During the
> transition we need to be able to authenticate users against one of two
> different ldap services.  Unfortunately our applications do not support
> the capability to try authentication against multiple services.
>
> Would an OpenLDAP setup be able to take the authentication request and
> attempt to validate it against 2 different backends?
>
> I should note that each of the ldap backends would have different OU
> structures and that a given userID would not exist in both backends.
>  Based on the slapd-meta man page SCENARIOS section it looks as though
> this may be possible.  The examples don't illustrate whether or not the
> OU structures need to be the same between the backends.

Assuming your authentication process starts by searching for a "userID"
in some LDAP tree to find a user's DN, and then attemps a bind operation
on that DN, I think you'll find the following setup useful.

Consider two backends, let's say ou=A,o=example and ou=B,o=example.
Whether these are local bdb backends or remote LDAP backends is of
little importance. By configuring A and B as "subordinate" to the higher
level database o=example you can set your authentication clients to
perform a search based on "o=example" for their userID, and OpenLDAP
will propagate the search to both backends. A sub-scoped search will
search the whole trees, regardless of OU structures.

In more detail, your slapd.conf could contain the following:

database        ldap
suffix          "ou=A,o=example"
subordinate
uri ldap://a.example.com:389

database        ldap
suffix          "ou=B,o=example"
subordinate
uri ldap://b.example.com:389

database        null
suffix          "o=example"
overlay glue

(The null database just serves as a placeholder, really. You could also
use a BDB database.)

Hope this helps,
Jonathan
--
Jonathan Clarke

Open Source Software Assurance (OSSA) - Groupe LINAGORA
27 rue de Berri, 75008 Paris
TÃl: 01 58 18 68 28, fax: 01 58 18 68 29
http://www.linagora.com - http://www.08000linux.com