Hello everyone.
Well, I have a scenario with three LDAP servers. This scenario
represents a practical structure of a multi-campus institution.
For example:
Each server of each campus has the following contexts instantiated name
in a backend hdb:
Campus 1: dc = a, dc = institution, dc = org
Campus 2: dc = b, dc = institution, dc = org
Campus 3: dc = c, dc = institution, dc = org
Each campus only manages your server, but allows that queries to other
remote servers. They must present themselves as a single directory,
transparent to user queries.
I tried using the backend target with the suffix dc=institution,dc=org
to perform a masking of the name.
In practice the target backend (server instantiated in the campus) is
like this:
database meta
suffix "dc=institution,dc=org"
uri "ldap: / / localhost /dc=a"
idassert-bind bindmethod=simple
binddn="cn=reader,dc=a"
credentials="readera"
rebind-as-user yes
suffixmassage "dc=institution,dc=org" "dc=a"
# Remote Server - b
uri "ldap: / /10.0.0.2/dc=b"
idassert-bind bindmethod=simple
binddn="cn = reader,dc = b"
credentials = "leitorb"
rebind-as-user yes
suffixmassage "dc=institution,dc=org" "dc=b"
lastmod off
# Remote server - c
uri "ldap: / /10.0.0.3/dc=c"
idassert-bind bindmethod=simple
binddn="cn=reader,dc = c"
credentials = "leitorc"
rebind-as-user yes
suffixmassage "dc=institution,dc = org" "dc=b"
lastmod off
When performing a general consultation to dc=institution,dc=org all
data from the three campuses were merged and the query returned.
example:
ldapsearch -x -D cn=reader,dc=a -W -b dc=institution,dc=org "cn=reader "
the result is:
cn = reader, dc = institution, dc = org
cn = reader, dc = institution, dc = org
cn = reader, dc = institution, dc = org
3 results appear, each encontraddo in three different bases. The problem
is that have the same DN.
Assuming that this structure is used to authentication user and a user
can log in at any institution, be it home or away, if any two users with
uid=john (eg: uid=john,dc=a and uid=john,dc=b) when performing a search
using the meta backend, duplicate the results appear.
Someone with experience in using the meta backend, give me a hint how to
implement this scenario without causing an Replication DNs?
Suddenly a way to make the server does not store a new entry if it is
equal to an existing (masquerading under the proxy target)?
The main objective of this implementation is to implement a distributed
model that guarantees
1 - administrative independence for each campus (just write in your
base, but read all)
2 - Allow users to authenticate to the system, inside or outside their
home institution.
Finally, it would be possible to use the backend relay, after which the
main role of the backend?
Thanks in advance.
Luizmarceloo!