One more followup question. I want the "meta" database on the external server contacted via TLS/SSL. If I set:
    uri "ldap://directory.company.com/ou=People,o=company,c=US"
things work perfectly; however, if I set:
    uri "ldaps://directory.company.com/ou=People,o=company,c=US"
I get "server is unavailable" when I do things like ldapwhoami. Is there something I can configure in my ldap.conf to allow ldaps authentication to the server defined in my "meta" stanza?
--stephen
On 1/22/07, Stephen Agar <seagar@gmail.com> wrote:
Wow... thanks a bunch, that worked perfectly.
--stephen
On 1/22/07, Aaron Richton <richton@nbcs.rutgers.edu> wrote:
Try something more like:

    database meta
    suffix "ou=people,o=company,c=US"
    subordinate

    database bdb
    suffix "o=company,c=US"

See if that does what you want...
On Mon, 22 Jan 2007, Stephen Agar wrote:
I have an LDAP server with a base "o=company, c=us". There is another server which controls "ou=people,o=company,c=us", so in slapd.conf I have the following:

    database bdb
    suffix "o=company,c=US"
    rootdn "cn=Manager,o=company,c=US"
    rootpw *******
    directory /usr/var/openldap-data
    # Indices to maintain
    index objectClass eq
    index ou,cn,uid eq,pres,sub

    #meta test
    database meta
    suffix "ou=people,o=company,c=US"
    uri "ldap://directory.company.com/ou=People,o=company,c=US"
When I try to start slapd, I get:

    /etc/openldap/slapd.conf: line 84: <suffix> namingContext "o=company,c=US" already served by a preceding bdb database serving namingContext "o=company,c=US".

Am I misusing meta? Can I not proxy binds/lookups to specific OUs to a secondary LDAP? I understand what the message is saying, but don't think I understand the proper use of meta.
For example, I have an ou=groups that contains "groupofnames" entries, and the members of those groups are like "uid=123456,ou=people,o=company,c=us". So I want ou=groups owned on my server, and then when specific members try to bind, they are proxied to this external LDAP server that serves ou=people,o=company,c=us and contains their uids and passwords. Am I going about this the wrong way? Is there a way to accomplish what I'm trying to do?

Thanks in advance...
--stephen
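As an added example (not posted in the thread, and not taken from the OpenLDAP project's own documentation), here is the slapd.conf layout Aaron suggested, with the subordinate back-meta database pointed at the ldaps:// URI from Stephen's follow-up, plus the client-side TLS settings that slapd's outbound connection needs. Hostnames, DNs, file paths and the CA certificate location are assumed placeholders. The "server is unavailable" result from ldapwhoami is what back-meta returns when it cannot open a connection to the target; with ldaps:// the usual reason is that the TLS handshake fails because slapd's libldap has no trusted CA for the remote certificate, or the certificate's name does not match the host in the URI. The tls_cacert/tls_reqcert options on the uri line are OpenLDAP 2.4 back-meta syntax; on a 2.3 server only the ldap.conf settings apply.

```conf
# /etc/openldap/slapd.conf  (added example; names and paths are assumed)

# Subordinate databases are declared before the superior database that
# glues them together (this is the ordering Aaron suggested).
database        meta
suffix          "ou=people,o=company,c=US"
subordinate

# ldaps:// negotiates TLS on connect (port 636 by default). The host name
# here must match the name in the remote server's certificate.
# The TLS options on this line are 2.4 syntax; omit them on 2.3 and rely
# on ldap.conf below instead.
uri             "ldaps://directory.company.com/ou=People,o=company,c=US"
                tls_cacert=/etc/openldap/cacerts/company-ca.pem
                tls_reqcert=demand

# Superior (local) database that owns everything else under o=company,c=US,
# including ou=groups with its groupOfNames entries.
database        bdb
suffix          "o=company,c=US"
rootdn          "cn=Manager,o=company,c=US"
rootpw          *******
directory       /usr/var/openldap-data
index           objectClass eq
index           ou,cn,uid   eq,pres,sub


# /etc/openldap/ldap.conf  (assumed path; read by libldap, which slapd uses
# for its outbound back-meta connections as well as by the ldap* tools)

# CA that signed directory.company.com's server certificate. Without this
# the handshake fails and back-meta reports the target as unavailable.
TLS_CACERT      /etc/openldap/cacerts/company-ca.pem

# Refuse to talk to a server whose certificate does not verify. Setting this
# to "never" or "allow" makes the connection work but removes the protection
# that TLS was supposed to add, so keep it at "demand" once the CA is in place.
TLS_REQCERT     demand
```

To check the TLS side independently of slapd, connect with the same ldap.conf from the machine running slapd: `ldapwhoami -x -H ldaps://directory.company.com -d 1` prints the handshake and any certificate verification error, and `openssl s_client -connect directory.company.com:636 -showcerts` shows which CA the remote certificate chains to and whether its subject matches the host name used in the URI. If the command-line tools succeed with the same settings but back-meta still reports the target unavailable, run slapd in the foreground with `-d -1` and retry ldapwhoami; the TLS failure on the outbound connection appears in the trace.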