On Thu, Apr 15, 2010 at 09:02:42AM -0500, Ian Gillman wrote:
> In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.
> Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.
You could set up each database to chain requests to the other so that clients do not need to be aware of the separation. The clients would need to use a base DN in their search requests that covers both databases, so you may need to create a new suffix to cover that or use slapd-relay and slapo-rwm to remap the DIT.
I don't think there is any easy way to force the search to use local data first, so you may have problems if the link between the two servers goes down.
Andrew
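The following slapd.conf fragment is an added illustration of the layout suggested in the reply above; it is not configuration from the thread or from the OpenLDAP project. It assumes server A holds its users under the real suffix "o=A", server B holds its users under "o=B", and both are to be exposed under a new common suffix "dc=example,dc=com" so that a single search base covers both. The host name ldap-b.example.com, the admin DNs, and the directory paths are made up for the example; the mirror configuration on server B would proxy "o=A" instead.

```conf
# Glue configuration for server A (example, not from the thread).
# Real local data: "o=A". Remote data on server B: "o=B".
# Virtual view for clients: "dc=example,dc=com", containing ou=A and ou=B.
# ldap-b.example.com, the rootdns and the directories are assumed values.

# --- the real local database that server A already has ---
database        bdb
suffix          "o=A"
rootdn          "cn=admin,o=A"
directory       /var/lib/ldap/a

# --- virtual view of the local database under the common suffix ---
# slapd-relay points the virtual suffix at the real local database;
# slapo-rwm rewrites DNs between "ou=A,dc=example,dc=com" and "o=A"
# (with one argument, rwm-suffixmassage takes the virtual side from
# this database's suffix).  "subordinate" glues it under the superior
# "dc=example,dc=com" database defined last.
database        relay
suffix          "ou=A,dc=example,dc=com"
relay           "o=A"
subordinate
overlay         rwm
rwm-suffixmassage "o=A"

# --- proxied view of server B's database under the common suffix ---
# slapd-ldap forwards operations to server B, binds included: a simple
# bind as uid=x,ou=B,dc=example,dc=com is sent to server B as uid=x,o=B
# with the client's own credentials, and server B's result is what the
# client gets back.  Nothing from server B is replicated locally.
database        ldap
suffix          "ou=B,dc=example,dc=com"
uri             "ldap://ldap-b.example.com/"
subordinate
overlay         rwm
rwm-suffixmassage "o=B"

# --- superior (glue) database that owns the common suffix ---
# Subordinate databases must appear before their superior in slapd.conf.
# An entry for dc=example,dc=com itself has to be added to this database
# so that the search base exists.
database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=admin,dc=example,dc=com"
directory       /var/lib/ldap/glue
```

With this in place a client can search with base "dc=example,dc=com" and bind as either kind of user against server A alone. It also makes the caveat in the reply concrete: a subtree search from the glue suffix fans out to both subordinates, so when the link to ldap-b.example.com is down the ou=B part of the answer fails, and nothing in this layout prefers the local subordinate first.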