We have a situation where we have 2 OpenLDAP databases containing usernames, passwords etc... for two distinct entities. We would like to be able to send an authentication request to one of the databases and have it return yes or no based upon the information in both databases.
In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.
Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.
Thanks Ian Gillman Senior Network Administrator Monroe Clinic 608-324-1416 ian.gillman@monroeclinic.org
CONFIDENTIALITY NOTICE: ------------------------ This message and any included attachments are from Monroe Clinic and are for the sole use of the intended recipient(s).
This message may contain confidential and privileged information. Unauthorized review, use, disclosure or distribution is strictly prohibited and may be unlawful.
If you are not the intended recipient, please promptly delete this message and notify the sender of the delivery error by e-mail or you may call Monroe Clinic at (608)324-1000 or (608)324-2000.
On Thursday, 15 April 2010 15:02:42 Ian Gillman wrote:
We have a situation where we have 2 OpenLDAP databases containing usernames, passwords etc... for two distinct entities.
You don't say so explicitly, but it seems you mean you have 2 servers, each with a (different) database.
We would like to be able to send an authentication request to one of the databases and have it return yes or no based upon the information in both databases.
In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.
Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.
Have you looked at the meta backend? Specifically, the SCENARIOS section of slapd-meta(5).
Regards, Buchan
On Thu, Apr 15, 2010 at 09:02:42AM -0500, Ian Gillman wrote:
In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.
Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.
You could set up each database to chain requests to the other so that clients do not need to be aware of the separation. The clients would need to use a base DN in their search requests that covers both dataases, so you may need to create a new suffix to cover that or use slapd-relay and slapo-rwm to remap the DIT.
I dont think there is any easy way to force the search to use local data first, so you may have problems if the link between the two servers goes down.
Andrew
openldap-software@openldap.org
-
Andrew Findlay -
Buchan Milne -
Ian Gillman