I have two LDAP servers (Active Directory) with users:
On AD horns-and-hooves.org:

    cn=Jane Smith,ou=users,dc=horns-and-hooves,dc=org
    cn: jane.smith@contoso.com

On AD bells-and-whistles.com:

    cn=John Snow,ou=users,ou=europe,dc=bells-and-whistles,dc=com
    mail: john.snow@contoso.com
And for the mail system, I need to pull some of those users into a single OpenLDAP database (dc=internal), add some mail-system-specific attributes (that don't exist in the source ADs) and add pass-through authentication for them to the AD server where they belong. Like this:
    cn=jane.smith,ou=horns-and-hooves,dc=internal
    mailQuota: 10
    imapHost: imap1
    mail: jane.smith@contoso.com
    sourceOrg: horns-and-hooves

    cn=john.snow,ou=bells-and-whistles,dc=internal
    mailQuota: 20
    imapHost: imap2
    mail: john.snow@contoso.com
    sourceOrg: bells-and-whistles
I expect an algorithm like this: First, I manually create the users in the OpenLDAP directory, without passwords but with the correct attributes.
When Jane does a simple bind to the OpenLDAP server, the server determines whether the user belongs to the horns-and-hooves organization or to bells-and-whistles. If "horns-and-hooves", the server makes a search against ldap://horns-and-hooves.org:389/dc=horns-and-hooves,dc=org for '(mail=$1)', where $1 is the value of the user's `mail` attribute. It finds one item, and OpenLDAP tries to bind to ldap://horns-and-hooves.org:389 with the DN of the item found and the password Jane provided to OpenLDAP. If "bells-and-whistles", the backend server is ldap://bells-and-whistles.com:389/dc=bells-and-whistles,dc=com, and the rest is the same.
How the server determines whether a user is a horns-and-hooves user or a bells-and-whistles user could be based on some attribute value (sourceOrg) or on the DN (ou=horns-and-hooves,dc=internal vs ou=bells-and-whistles,dc=internal); I don't know if either of these is possible.
Does implementing this algorithm require saslauthd, or can it be done with OpenLDAP only?
Could you please help me get this configuration done?
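The post above describes the search-then-bind flow in prose but gives no implementation, so the following is an added example, written by the editor and not part of the question (and not an OpenLDAP feature: in slapd the delegation itself is done through Cyrus SASL, with `userPassword: {SASL}user@realm` values handed to saslauthd or an auxprop plugin, per the OpenLDAP Administrator's Guide). It implements the exact routing the poster wants in Python: the org is taken from the parent `ou` of the bind DN under dc=internal and cross-checked against `sourceOrg`, the internal entry's `mail` value is RFC 4515-escaped before it goes into `(mail=...)`, the backend search must return exactly one entry, and empty passwords are refused before anything is forwarded (a simple bind with a name and empty password is an unauthenticated bind that many directories accept as anonymous, so forwarding it would log anyone in). The two ADs and the internal database are in-memory stand-ins with constructed entries and made-up passwords so the example runs offline; the backend URIs and bases are the ones from the question.

```python
import re

# Constructed stand-ins for the two AD forests from the question (passwords made up).
AD_HORNS = {
    "cn=Jane Smith,ou=users,dc=horns-and-hooves,dc=org": {"mail": "jane.smith@contoso.com", "password": "JanePass1!"},
    "cn=Help Desk,ou=users,dc=horns-and-hooves,dc=org": {"mail": "helpdesk@contoso.com", "password": "hd1"},
    "cn=Help Desk 2,ou=users,dc=horns-and-hooves,dc=org": {"mail": "helpdesk@contoso.com", "password": "hd2"},
}
AD_BELLS = {
    "cn=John Snow,ou=users,ou=europe,dc=bells-and-whistles,dc=com": {"mail": "john.snow@contoso.com", "password": "JohnPass2!"},
}

# Routing table: org name (the ou directly under dc=internal) -> backend AD.
BACKENDS = {
    "horns-and-hooves": {"uri": "ldap://horns-and-hooves.org:389", "base": "dc=horns-and-hooves,dc=org", "entries": AD_HORNS},
    "bells-and-whistles": {"uri": "ldap://bells-and-whistles.com:389", "base": "dc=bells-and-whistles,dc=com", "entries": AD_BELLS},
}

# The consolidated dc=internal directory: no passwords, only mail-system attributes.
# The helpdesk/broken/moved/stray entries are constructed to exercise the failure paths.
INTERNAL = {
    "cn=jane.smith,ou=horns-and-hooves,dc=internal": {"mail": "jane.smith@contoso.com", "sourceOrg": "horns-and-hooves"},
    "cn=john.snow,ou=bells-and-whistles,dc=internal": {"mail": "john.snow@contoso.com", "sourceOrg": "bells-and-whistles"},
    "cn=helpdesk,ou=horns-and-hooves,dc=internal": {"mail": "helpdesk@contoso.com", "sourceOrg": "horns-and-hooves"},
    "cn=broken,ou=horns-and-hooves,dc=internal": {"mail": "*", "sourceOrg": "horns-and-hooves"},
    "cn=moved,ou=bells-and-whistles,dc=internal": {"mail": "jane.smith@contoso.com", "sourceOrg": "horns-and-hooves"},
    "cn=stray,dc=internal": {"mail": "stray@contoso.com"},
}


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: the mail value must match literally, never as a wildcard."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch for ch in value)


def org_from_bind_dn(dn: str):
    """Routing by DN: cn=<user>,ou=<org>,dc=internal -> <org>; None for any other shape.
    Simplified: a production version would use a full RFC 4514 parser (escaped commas etc.)."""
    m = re.fullmatch(r"cn=[^,]+,ou=([^,]+),dc=internal", dn, re.IGNORECASE)
    return m.group(1).lower() if m else None


def _equality_filter_to_regex(filt: str):
    """Parse '(attr=value)' the way a server would: \\XX escapes are literal, a bare '*' is a wildcard."""
    m = re.fullmatch(r"\(([A-Za-z][A-Za-z0-9-]*)=(.*)\)", filt)
    if not m:
        raise ValueError("unsupported filter: %r" % filt)
    attr, raw, pattern, i = m.group(1).lower(), m.group(2), [], 0
    while i < len(raw):
        if raw[i] == "\\" and i + 3 <= len(raw):
            pattern.append(re.escape(chr(int(raw[i + 1:i + 3], 16))))
            i += 3
        elif raw[i] == "*":
            pattern.append(".*")
            i += 1
        else:
            pattern.append(re.escape(raw[i]))
            i += 1
    return attr, re.compile("".join(pattern), re.IGNORECASE)


def backend_search(backend, filt: str):
    """Stand-in for a subtree search under backend['base']; returns the matching DNs."""
    attr, rx = _equality_filter_to_regex(filt)
    return [dn for dn, attrs in backend["entries"].items()
            if dn.lower().endswith(backend["base"].lower()) and attr in attrs and rx.fullmatch(attrs[attr])]


def backend_bind(backend, dn: str, password: str) -> bool:
    """Stand-in for a simple bind against the AD with the found DN."""
    entry = backend["entries"].get(dn)
    return entry is not None and entry["password"] == password


def authenticate(bind_dn: str, password: str):
    """Pass-through bind as described in the post. Returns (True, backend_dn) or (False, reason)."""
    if not password:
        # Name + empty password is an unauthenticated (anonymous) bind on most servers: refuse, never forward.
        return False, "empty password refused"
    entry = INTERNAL.get(bind_dn)
    if entry is None:
        return False, "no such entry"
    org = org_from_bind_dn(bind_dn)
    if org is None or org not in BACKENDS:
        return False, "unknown organization"
    # The ou and sourceOrg must agree; a mismatch is a mis-filed entry, not a routing choice.
    if entry.get("sourceOrg", org).lower() != org:
        return False, "sourceOrg does not match ou"
    backend = BACKENDS[org]
    matches = backend_search(backend, "(mail=%s)" % escape_filter_value(entry["mail"]))
    if len(matches) != 1:
        # Zero matches means the user left the AD; two or more means the login is ambiguous. Both fail closed.
        return False, "expected exactly one match, got %d" % len(matches)
    if not backend_bind(backend, matches[0], password):
        return False, "invalid credentials"
    return True, matches[0]


if __name__ == "__main__":
    for dn, pw in [("cn=jane.smith,ou=horns-and-hooves,dc=internal", "JanePass1!"),
                   ("cn=john.snow,ou=bells-and-whistles,dc=internal", "bad"),
                   ("cn=helpdesk,ou=horns-and-hooves,dc=internal", "hd1")]:
        print(dn, "->", authenticate(dn, pw))
```

With a real directory the two `backend_*` stand-ins would be replaced by a search and a bind over a separate, TLS-protected connection per backend; the routing, escaping, exactly-one and empty-password checks stay the same.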