Running back-perl and hdb/bdb in the same suffix
- To: openldap-technical@openldap.org
- Subject: Running back-perl and hdb/bdb in the same suffix
- From: José Miguel Parrella Romero <joseparrella@gmail.com>
- Date: Wed, 2 Feb 2011 14:32:51 -0500
Hi,

I've written a Perl class to be used with back-perl. I'm able to load
this class from slapd.conf using a different suffix than my
traditional hdb database. Say, for example, my hdb database is serving
the dc=my,dc=net suffix, and my Perl is serving dc=perl,dc=my,dc=net.
This effectively prevents me from "catching" user password
modifications in dc=my,dc=net. If I use the subordinate keyword on my
Perl database I'm able to see searches spanning through my
dc=perl,dc=my,dc=net, but then again, modifications on users in
dc=my,dc=net aren't seen by the Perl backend.

I've tried different approaches for this, but as of now I guess my
only chance is to actually "proxy" the LDAP operations from Perl using
the LDAP library to the dc=my,dc=net suffix in order to get a seamless
experience and achieve my goal of user password manipulation. This is
what I've seen in (really old) projects such as acctsync in
SourceForge.

So, my question is: can I use both backends in the same suffix, so
only some LDAP operations get overridden in Perl and others "pass
through" the physical backend? And if not, what would be your strategy
to achieve this goal?

My last plan is to store passwords in plaintext, create an ACL to
prevent everyone but a non-human role to read userPassword and move
along, but I'd feel terrible about this.

By the way, thanks for making such an awesome piece of software.

Jose
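
The layout described in the message above, written out as a slapd.conf fragment. This is an added example, not part of the original post or of the poster's configuration; the paths and the module name `PasswordCatcher` are placeholders assumed for illustration.

```conf
# Constructed slapd.conf fragment; paths and the module name are placeholders.

# The database with the inner suffix must be declared before the
# database whose suffix contains it.
database        perl
suffix          "dc=perl,dc=my,dc=net"
# Glue this database under dc=my,dc=net so that searches based at
# dc=my,dc=net also descend into dc=perl,dc=my,dc=net.
subordinate
perlModulePath  /path/to/perl/modules
perlModule      PasswordCatcher

# Superior database holding the real user entries.
database        hdb
suffix          "dc=my,dc=net"
directory       /path/to/hdb/data

# A write is handed to the single database whose suffix matches the
# target DN: a modify of uid=someuser,dc=my,dc=net goes to hdb only,
# so the modify method of PasswordCatcher is never called for it.
```

The subordinate glue fans searches out across both databases, which matches the searches the poster sees reaching the Perl backend while password modifications under dc=my,dc=net do not.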