Hi all,
I'm trying to set up an LDAP server with OpenLDAP 2.3 and I need some light on how to do it. Let me explain: my company already has a central LDAP server (OpenLDAP 2.2) on which I can find all users and authenticate them, but the corresponding attributes (homedir, shell, gidnumber) aren't relevant for my department. My problem is that I want to use the central LDAP server for authentication purposes and store the other data locally. Yeah, it seems easy to solve using the rwm overlay and an ldap backend, but it isn't, because the users are located in different OUs on the remote LDAP server. So here is the relevant part of my slapd.conf, which works great for the first user unit:
####################################
# (in slapd.conf, "overlay rwm" and its rwm-* directives belong after the
#  database directive of the database they apply to, here the ldap one)
overlay rwm
rwm-rewriteEngine on
rwm-rewriteContext bindDN
# path to the remote users : ou="unit_number",ou=people,dc=example,dc=com
# path to the local users : cn=users,dc=local,dc=example,dc=com
rwm-rewriteRule "^uid=([^,]+),cn=users,dc=local,dc=example,dc=com$" "uid=$1,ou=unit_1,ou=people,dc=example,dc=com" ":@"

# Database for remote authentication
database ldap
suffix "ou=people,dc=example,dc=com"
uri "ldap://remote-ldap.example.com:389/"
restrict read write extended

# Local database
database bdb
suffix "dc=local,dc=example,dc=com"
####################################
I tried to complete my setup by adding a line like:
uri "ldap://remote-ldap.example.com:389/ou=people,dc=example,dc=com??sub?(&(objectClass=posixAccount)(uid=$1))"
but the ldap backend isn't designed to do that ^^
So, is there a way to work around it?
Thanks for your help, Frava.
On Monday 10 December 2007 20:33:01 Frava wrote:
Hi all,
I'm trying to set up an LDAP server with OpenLDAP 2.3 and I need some light on how to do it. Let me explain: my company already has a central LDAP server (OpenLDAP 2.2) on which I can find all users and authenticate them, but the corresponding attributes (homedir, shell, gidnumber) aren't relevant for my department. My problem is that I want to use the central LDAP server for authentication purposes and store the other data locally.
So, slapo-translucent may be a better option. Please consult the slapo-translucent man page.
Regards, Buchan
2007/12/10, Buchan Milne bgmilne@staff.telkomsa.net:
On Monday 10 December 2007 20:33:01 Frava wrote:
Hi all,
I'm trying to set up an LDAP server with OpenLDAP 2.3 and I need some light on how to do it. Let me explain: my company already has a central LDAP server (OpenLDAP 2.2) on which I can find all users and authenticate them, but the corresponding attributes (homedir, shell, gidnumber) aren't relevant for my department. My problem is that I want to use the central LDAP server for authentication purposes and store the other data locally.
So, slapo-translucent may be a better option. Please consult the slapo-translucent man page.
Regards, Buchan
Thanks for your quick reply, I didn't see there was such an overlay available. According to the man page, I guess it doesn't work exactly like I'd want it to, but I'll give it a try.
Regards. Frava.
Hmm, the translucent overlay allows a user who's not in my local DB to log in -> I don't want to write up ACLs for some thousands of users!!! Well, I guess I did find the way that best suits my needs, using the "rwm-rewriteMap" command:
########################
rwm-rewriteMap ldap uid2dn "ldap://remote-ldap.example.com:389/ou=people,dc=example,dc=com?dn?sub"
rwm-rewriteRule "^uid=([^,]+),cn=users,dc=local,dc=example,dc=com$" "${uid2dn((&(objectClass=posixAccount)(uid=$1)))}" ":@I"
########################
That does all I wanted to ^^
Thanks for the support, Frava.
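As an added illustration (not code from the thread or from OpenLDAP), here is a small Python emulation of what that final rwm-rewriteMap setup does: the rule captures the uid from the local bind DN, the uid2dn map searches the remote tree for the matching posixAccount, and the returned DN replaces the local one. The sample entries are constructed; treating anything but a single hit as a failed lookup, and RFC 4515-escaping the captured uid before it is placed in the filter, are the example's own choices, since the thread does not say how slapo-rwm handles either.

```python
import re

# Constructed sample of the remote directory under ou=people,dc=example,dc=com:
# posixAccount users spread over several unit OUs, as in the thread.
REMOTE_ENTRIES = {
    "uid=alice,ou=unit_1,ou=people,dc=example,dc=com": ("posixAccount", "alice"),
    "uid=bob,ou=unit_2,ou=people,dc=example,dc=com": ("posixAccount", "bob"),
    "uid=carol,ou=unit_1,ou=people,dc=example,dc=com": ("posixAccount", "carol"),
    "uid=carol,ou=unit_3,ou=people,dc=example,dc=com": ("posixAccount", "carol"),
    "cn=scanner,ou=unit_2,ou=people,dc=example,dc=com": ("device", "scanner"),
}

# Same pattern as the thread's rwm-rewriteRule: capture the uid of a local DN.
LOCAL_RULE = re.compile(r"^uid=([^,]+),cn=users,dc=local,dc=example,dc=com$")

def escape_filter_value(value):
    """RFC 4515 escaping for a value embedded in a search filter: the captured
    uid may contain anything but ',', so '*', '(', ')', '\\' and NUL are hex-escaped."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)

def assertion_to_regex(assertion):
    """Interpret a filter assertion value the way a server would: an unescaped
    '*' is a substring wildcard, a '\\xx' sequence is the literal character."""
    unhex = lambda s: re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), s)
    return re.compile("^" + ".*".join(re.escape(unhex(p)) for p in assertion.split("*")) + "$")

def uid2dn(uid, entries=REMOTE_ENTRIES):
    """Emulate the 'uid2dn' ldap rewriteMap: subtree search with
    (&(objectClass=posixAccount)(uid=<escaped uid>)) over the sample entries.
    Assumption made here: only an unambiguous (single) hit yields a DN."""
    rx = assertion_to_regex(escape_filter_value(uid))
    hits = [dn for dn, (oc, entry_uid) in entries.items()
            if oc == "posixAccount" and rx.match(entry_uid)]
    return hits[0] if len(hits) == 1 else None

def rewrite_bind_dn(dn):
    """Apply the rewriteRule: a local DN becomes the remote DN the map returns.
    The rule's 'I' flag ignores map errors, so a failed lookup leaves the DN as is."""
    m = LOCAL_RULE.match(dn)
    if not m:
        return dn
    return uid2dn(m.group(1)) or dn

if __name__ == "__main__":
    for dn in ("uid=alice,cn=users,dc=local,dc=example,dc=com",
               "uid=carol,cn=users,dc=local,dc=example,dc=com"):
        print(dn, "->", rewrite_bind_dn(dn))
```

The carol case shows why the lookup must be unambiguous: the same uid exists in two units, so the bind DN is left untouched rather than mapped to an arbitrary one of them.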