Hi,
danz@wustl.edu a écrit :
We have a scenario that I’m hoping OpenLDAP can offer a solution to.
We are in the process of transitioning from one ldap authentication source to another for several of our applications. During the transition we need to be able to authenticate users against one of two different ldap services. Unfortunately our applications do not support the capability to try authentication against multiple services.
Would an OpenLDAP setup be able to take the authentication request and attempt to validate it against 2 different backends?
I should note that each of the ldap backends would have different OU structures and that a given userID would not exist in both backends. Based on the slapd-meta man page SCENARIOS section it looks as though this may be possible. The examples don't illustrate whether or not the OU structures need to be the same between the backends.
Assuming your authentication process starts by searching for a "userID" in some LDAP tree to find a user's DN, and then attemps a bind operation on that DN, I think you'll find the following setup useful.
Consider two backends, let's say ou=A,o=example and ou=B,o=example. Whether these are local bdb backends or remote LDAP backends is of little importance. By configuring A and B as "subordinate" to the higher level database o=example you can set your authentication clients to perform a search based on "o=example" for their userID, and OpenLDAP will propagate the search to both backends. A sub-scoped search will search the whole trees, regardless of OU structures.
In more detail, your slapd.conf could contain the following:
database ldap suffix "ou=A,o=example" subordinate uri ldap://a.example.com:389
database ldap suffix "ou=B,o=example" subordinate uri ldap://b.example.com:389
database null suffix "o=example" overlay glue
(The null database just serves as a placeholder, really. You could also use a BDB database.)
Hope this helps, Jonathan