one more followup question. i want the "meta" database on the external server contacted via tls/ssl.
if I set:
uri "ldap://directory.company.com/ou=People,o=company,c=US"
things work perfectly, however if i set:
uri "ldaps://directory.company.com/ou=People,o=company,c=US"
i get "server is unavailable" when i do things like ldapwhoami. is there something i can configure in my
ldap.conf to allow ldaps authentication to the server defined in my "meta" stanza?
--stephen
wow....thanks a bunch, that worked perfectly.
--stephenOn 1/22/07, Aaron Richton < richton@nbcs.rutgers.edu > wrote:Try something more like:
database meta
suffix "ou=people,o=company,c=US"
subordinate
database bdb
suffix "o=company,c=US"
see if that does what you want...
On Mon, 22 Jan 2007, Stephen Agar wrote:
> I have an LDAP server with a base "o=company, c=us". There is another
> server which controls "ou=people,o=company,c=us", so in slapd.conf i have
> the following:
>
> database bdb
> suffix "o=company,c=US"
> rootdn "cn=Manager,o=company,c=US"
> rootpw *******
> directory /usr/var/openldap-data
> # Indices to maintain
> index objectClass eq
> index ou,cn,uid eq,pres,sub
>
> #meta test
> database meta
> suffix "ou=people,o=company,c=US"
> uri "ldap://directory.company.com/ou=People,o=company,c=US"
>
>
> When I try to start slapd, I get: /etc/openldap/slapd.conf: line 84:
> <suffix> namingContext "o=company,c=US" already served by a preceding bdb
> database serving namingContext "o=company,c=US". Am I misusing meta? Can I
> not proxy binds/lookups to specific OUs to a secondary LDAP? I understand
> what the message is saying, but don't think I understand the proper use of
> meta.
>
> For example, I have an ou=groups that contains "groupofnames" and the
> members of those groups are like "uid=123456,ou=people,o=company,c=us". So I
> want ou = groups owned on my server, then the when specific members try to
> bind, they are proxied to this external LDAP server that serves
> ou=people,o=company,c=us and contains their uids and passwords. Am I going
> about this the wrong way? Is there a way to accomplish what im trying to do?
>
>
> Thanks in advance...
> --stephen
>