Hi,
I have been looking into LDAP for a few days now (I am fairly new to it) and here is what I am attempting to do (but I haven't figured out if it is possible).
Currently I have access to an LDAP server that I use with apache/subversion to control access. This works but I would like to add some things, such as group information into LDAP to simplify some configuration (I have more applications other than apache/subversion that need LDAP authentication).
I am not able to get changes made to the server that I have access to so what I figured would make sense is to implement my own openldap server and add the group info there. I don't want to have the passwords in my own LDAP server, I want to pass password requests onto the upstream server.
So, is it possible for an openldap server to pass some requests onto another server and still provide other information to clients?
Hopefully that is clear :-)
Thanks,
..darcy
"D'Arcy Smith" ds.bcit@gmail.com writes:
Hi,
I have been looking into LDAP for a few days now (I am fairly new to it) and here is what I am attempting to do (but I haven't figured out if it is possible).
Currently I have access to an LDAP server that I use with apache/subversion to control access. This works but I would like to add some things, such as group information into LDAP to simplify some configuration (I have more applications other than apache/subversion that need LDAP authentication).
I am not able to get changes made to the server that I have access to so what I figured would make sense is to implement my own openldap server and add the group info there. I don't want to have the passwords in my own LDAP server, I want to pass password requests onto the upstream server.
So, is it possible for an openldap server to pass some requests onto another server and still provide other information to clients?
Hopefully that is clear :-)
This is feasible, in principle :-). OpenLDAP supports external authentication mechanisms and proxy authentication and authorization. But your task is rather hard to design in the real world. It depends on the abilities of your remote LDAP server and your authentication environment.
-Dieter
Hello,
Dieter Kluenter wrote:
"D'Arcy Smith" ds.bcit@gmail.com writes:
[...]
So, is it possible for an openldap server to pass some requests onto another server and still provide other information to clients?
This is feasible, in principle :-).
[...]
Maybe he could set up two backends like
  backend ldap
  suffix ou=people,dc=...
  subordinate
  ...

  backend bdb
  suffix dc=...
  ...
This way the queries for user accounts below ou=people would be forwarded to the other LDAP server and he could add e.g. ou=group,dc=... to the bdb backend.
At least in theory.
Read man pages slapd-ldap et al.
bye Christian
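
The two-database layout suggested in the message above, written out as a slapd.conf sketch. This is an added example, not part of the original thread; the suffix dc=example,dc=com, the host upstream.example.com and the file paths are placeholders, and it assumes the upstream server uses the same DNs under ou=people.

```conf
# slapd.conf sketch (added example; every name and path here is a placeholder)
include     /etc/openldap/schema/core.schema
include     /etc/openldap/schema/cosine.schema
include     /etc/openldap/schema/nis.schema

# In slapd.conf each database section starts with the "database" directive.
# The more specific suffix must be declared before its superior database.

# Proxy database: searches and binds for DNs under ou=people are forwarded
# to the upstream server, so no user passwords are stored locally.
database    ldap
suffix      "ou=people,dc=example,dc=com"
# Glue this subtree into the superior database declared below.
subordinate
# Forwarded simple binds carry the user's password, so use ldaps
# (or StartTLS) on the link to the upstream server.
uri         "ldaps://upstream.example.com/"

# Local database: holds only the additions, such as group entries.
database    bdb
suffix      "dc=example,dc=com"
rootdn      "cn=admin,dc=example,dc=com"
directory   /var/lib/ldap
index       objectClass eq
index       cn,memberUid eq

# Let authenticated users read the local group data, nothing else.
access to dn.subtree="ou=group,dc=example,dc=com"
    by users read
    by * none
```

With this layout, group entries such as posixGroup objects live under ou=group in the local database, while a client bind as a DN under ou=people is checked against the upstream server.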
D'Arcy Smith wrote:
Hi,
I have been looking into LDAP for a few days now (I am fairly new to it) and here is what I am attempting to do (but I haven't figured out if it is possible).
Currently I have access to an LDAP server that I use with apache/subversion to control access. This works but I would like to add some things, such as group information into LDAP to simplify some configuration (I have more applications other than apache/subversion that need LDAP authentication).
I am not able to get changes made to the server that I have access to so what I figured would make sense is to implement my own openldap server and add the group info there. I don't want to have the passwords in my own LDAP server, I want to pass password requests onto the upstream server.
So, is it possible for an openldap server to pass some requests onto another server and still provide other information to clients?
This is possible - see http://www.openldap.org/faq/data/cache/1299.html for an example of how to divert bind requests to another LDAP server.
Rgds, Ray
Hopefully that is clear :-)
Thanks,
..darcy
openldap-software@openldap.org