Hi. I'm new to this list, but risk diving right in with a question:
I am wondering whether the following scenario is possible to implement using OpenLDAP:
We are a sub-organization within a larger organization and want to perform authentication against the central LDAP server yet augment query results with attributes from the DIT of our own LDAP server. In effect, providing a virtual DIT hiding the details of which attributes come from where to the applications using it.
It is not just a matter of delegation, more of a selective merge of the attributes available in the 2 DITs. An example:
Central DIT:
    cn: someone
    userPassword: something
    mail: someone@somewhere.org
    irrelevantAttribute: whatever

Our DIT:
    uid: someone
    inProjects: someProject, someOtherProject

Virtual DIT (auth'ed against Central DIT):
    uid: someone
    mail: someone@somewhere.org
    inProjects: someProject, someOtherProject
Commercial products such as the Symlabs Directory Extender promise such capabilities but I'd like to stick with an open solution if at all possible. I guess it might possibly be implemented in a custom back_perl handler, but is it possible to achieve using e.g. back_meta or some other "native" OpenLDAP configuration?
Thanks in advance,
//\ads Troest
Mads Orbesen Troest wrote:
> Hi. I'm new to this list, but risk diving right in with a question:
> I am wondering whether the following scenario is possible to implement using OpenLDAP:
Yes, read the slapo-translucent(5) manpage.
openldap-software@openldap.org
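A slapd.conf sketch of the translucent proxy setup the reply points to, added here as an illustration and not taken from either poster: a local database holds the extra attributes, and the overlay fetches everything else from the central server. Assumptions: the host name, DNs, directory path and password hash are placeholders, inProjects and irrelevantAttribute are defined in a locally loaded schema, and the local override entries are stored under the same DNs as the central entries, since the overlay merges entry by entry on the DN.

```conf
# Constructed example; every name, host and path below is a placeholder.

database    mdb
suffix      "dc=example,dc=org"            # must match the central suffix
directory   /var/lib/ldap/translucent

# Local overrides can only be written by the rootdn of this database,
# so treat this credential as the write key for the merged view.
rootdn      "cn=overlay-admin,dc=example,dc=org"
rootpw      {SSHA}REPLACE_WITH_SLAPPASSWD_OUTPUT

index       objectClass eq

overlay     translucent
# Let search filters that mention inProjects be evaluated against the
# local database instead of only against the central server.
translucent_local   inProjects
# Reject attribute deletions with a Constraint Violation instead of
# silently ignoring them.
translucent_strict
# translucent_bind_local is left at its default (off): simple binds are
# checked against the central server only, never against local entries.

# Connection to the central server (slapd-ldap(5) directives).
uri         ldaps://central.example.org
lastmod     off

# Trim the merged view: hide what the applications should not see.
access to attrs=userPassword
    by anonymous auth
    by * none
access to attrs=irrelevantAttribute
    by * none
access to *
    by users read
    by * none
```

Searching as the same bound user against the central server and against this proxy, then comparing the two results, shows which attributes are contributed locally and confirms that the hidden ones are filtered.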