On Thu, 15 May 2008, Andrew Findlay wrote: ...
> I have a similar requirement at the moment except that I only want to use the second LDAP server to authenticate for a small proportion of the entries in the first one. The namespaces are very different. I think it can be done with a combination of rwm, back-ldap/back-meta and slapd-relay, but this seems rather complex when all I really need is 'pass-through authentication'.
> I will report back to the list if I come up with a workable solution, but in the meantime does anyone have any pointers to a neat way of doing this?
How about by using saslauthd? Configure the users that need pass-through authentication with userPassword values in the form "{SASL}user@domain", put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure saslauthd to authenticate against the backend server. That gives you both complete control over who gets passed through (only those with the {SASL} format) and complete flexibility in the mapping of frontend users to backend users (by tweaking the "user@domain" in each user's userPassword attribute).
Philip Guenther
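The three pieces of the setup Philip describes, written out as an added example (this is not code from the thread, from OpenLDAP or from Cyrus SASL): the SASL config slapd reads, the saslauthd config for its ldap backend, and the LDIF that flips only the chosen frontend entries to a {SASL} userPassword. Every host, base DN, user name and install path below is a hypothetical assumption. The script writes the files into a scratch directory so they can be inspected; the real ldapmodify and testsaslauthd invocations are left as comments at the end.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenLDAP/Cyrus SASL.
# Hosts, DNs, user names and paths are all hypothetical assumptions.
set -eu

# Frontend users that should authenticate against the backend, written as
# "frontend-uid:backend-account". Only these entries get a {SASL} userPassword;
# every other entry keeps whatever hashed password it already has.
PASSTHROUGH_MAP='afindlay:andrew.findlay
jsmith:j.smith'
BACKEND_REALM='back.example.net'

# (1) Cyrus SASL config that slapd loads by application name, i.e. the
#     "sasl/slapd.conf" from the reply (/etc/sasl2/slapd.conf or
#     /usr/lib/sasl2/slapd.conf depending on the platform).
write_slapd_sasl_conf() {
    cat > "$1" <<'EOF'
# Verify plaintext credentials by asking saslauthd over its unix socket.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux
EOF
}

# (2) saslauthd config, used as "saslauthd -a ldap -O /etc/saslauthd.conf".
#     slapd splits "{SASL}user@domain" into user and realm before calling
#     libsasl, so the backend lookup can use %u (user) and, if the backend
#     is partitioned by realm, %r. Verify the macros against LDAP_SASLAUTHD
#     for your Cyrus SASL version.
write_saslauthd_conf() {
    cat > "$1" <<'EOF'
ldap_servers: ldaps://back.example.net/
ldap_search_base: ou=accounts,dc=back,dc=example,dc=net
ldap_filter: (uid=%u)
ldap_auth_method: bind
ldap_bind_dn: cn=saslauthd,ou=services,dc=back,dc=example,dc=net
ldap_password: change-me
ldap_timeout: 10
EOF
}

# (3) LDIF for ldapmodify: replaces userPassword on the selected frontend
#     entries with a {SASL} value naming the backend account and realm.
#     The frontend/backend mapping is entirely in this value, so it can be
#     different for every user.
write_passthrough_ldif() {
    out=$1
    : > "$out"
    printf '%s\n' "$PASSTHROUGH_MAP" | while IFS=: read -r fe_uid be_uid; do
        [ -n "$fe_uid" ] || continue
        cat >> "$out" <<EOF
dn: uid=$fe_uid,ou=People,dc=front,dc=example,dc=org
changetype: modify
replace: userPassword
userPassword: {SASL}$be_uid@$BACKEND_REALM

EOF
    done
}

# Lists the DNs in an LDIF that will be passed through, i.e. those whose
# userPassword starts with {SASL}; this is the complete set of users the
# backend will ever be asked about.
passthrough_entries() {
    awk '
        index($0, "dn: ") == 1 { dn = substr($0, 5) }
        index($0, "userPassword: {SASL}") == 1 { print dn }
    ' "$1"
}

demo_dir=${1:-$(mktemp -d)}
mkdir -p "$demo_dir"
write_slapd_sasl_conf  "$demo_dir/slapd.conf"
write_saslauthd_conf   "$demo_dir/saslauthd.conf"
write_passthrough_ldif "$demo_dir/passthrough.ldif"
echo "generated files in $demo_dir; entries that will be passed through:"
passthrough_entries "$demo_dir/passthrough.ldif"

# To apply for real (hypothetical hosts and DNs):
#   ldapmodify -x -H ldap://front.example.org \
#       -D cn=Manager,dc=front,dc=example,dc=org -W -f "$demo_dir/passthrough.ldif"
#   testsaslauthd -s ldap -u andrew.findlay -r back.example.net -p 'secret'
```

Two caveats worth keeping in mind: the {SASL} scheme only works for simple binds, because slapd has to hand the cleartext password to saslauthd, so users doing SASL DIGEST-MD5 or CRAM-MD5 binds will not be passed through; and the saslauthd mux socket must be readable by the account slapd runs as, which is the usual reason a freshly configured setup fails with "SASL(-4): no mechanism available" style errors.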