Hi,
I plan to set up a meta directory. It looks like a normal one according to the openldap descriptions so I was surprised that I was unable to find any howto/faq/forum entry/mailing about it.
Let me describe it:
I have a heterogeneous system and want to have a common ldap system for it. Here is what I have now:
- Two AD domains
- An openldap db for a software with internal users.
My aim:
- To be able to authenticate a domain user from either AD.
- To have non-AD users as well.
- To have non-AD attributes for all three.
So for authentication:
If user is an AD user -> authenticate from appropriate DC
If user is a non-AD one -> authenticate from openldap
I want non-AD attributes added to AD users as well: if an attribute doesn't exist for an AD user in openldap, ask the appropriate DC.
This way I could use AD users and their groups through openldap, have independent non-AD users and have attributes for all users in the openldap local db regardless of authentication source.
Have I missed something and this is too 'exotic'?
Example:
ad1.company.com -> AD1 users, authenticates from DC1
ad2.company.com -> AD2 users, authenticates from DC2
ldap.company.com -> 'other' users, authenticates from openldap local db
Attributes mapped. If user is an AD one and attribute doesn't exist in local DB, proxy the query to AD.
Thanks in advance,
Gidobo
No ideas?
I tried to set up a single AD + local version with meta.
meta -> domain.com
ad.domain.com -> AD
ldap.domain.com -> localhost configured with hdb
It doesn't seem to work though :/
Best,
Gidobo
On Mon, Jun 28, 2010 at 1:05 AM, Gidobo 69 gidobo69@gmail.com wrote:
openldap-technical@openldap.org
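A slapd.conf fragment, added here as an illustration and not taken from the thread, showing one way to lay out the meta directory the posts describe: a local hdb database for the non-AD users, and a back-meta database whose three targets are the two AD domains and that local database. All hostnames, naming contexts, the AD service account and every credential are constructed placeholders.

```conf
# Constructed example (OpenLDAP 2.4 slapd.conf syntax); every hostname,
# DN and credential below is a placeholder, not a value from the thread.

#### Local users: a plain hdb database holding the non-AD accounts and
#### any attributes the application keeps for them.
database        hdb
suffix          "dc=ldap,dc=company,dc=com"
rootdn          "cn=admin,dc=ldap,dc=company,dc=com"
rootpw          {SSHA}REPLACE_WITH_OUTPUT_OF_SLAPPASSWD
directory       /var/lib/ldap/local
index           objectClass,uid eq

#### The meta directory: one virtual tree under dc=company,dc=com, one
#### target per branch.  A bind goes to the target whose naming context
#### contains the bind DN, so AD passwords are checked by the DC itself.
database        meta
suffix          "dc=company,dc=com"
rootdn          "cn=admin,dc=company,dc=com"
rootpw          {SSHA}REPLACE_WITH_OUTPUT_OF_SLAPPASSWD
# AD answers subtree searches with referrals to its other partitions;
# the proxy should not follow them.
chase-referrals no

# Target 1: first AD domain.  Its real naming context differs from the
# branch name clients see, so the DN is rewritten on the way through.
uri             "ldap://dc1.ad1.company.com/dc=ad1,dc=company,dc=com"
suffixmassage   "dc=ad1,dc=company,dc=com" "dc=ad1,dc=local"
# AD rejects anonymous searches: run searches from unbound clients as a
# read-only service account.  mode=none keeps that identity for the
# search instead of asserting the client's own DN.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ad1,dc=local"
                credentials="REPLACE_ME"
                mode=none
# Present the AD login name under the attribute the application expects.
map             attribute uid sAMAccountName

# Target 2: second AD domain, configured the same way.
uri             "ldap://dc2.ad2.company.com/dc=ad2,dc=company,dc=com"
suffixmassage   "dc=ad2,dc=company,dc=com" "dc=ad2,dc=local"
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=ad2,dc=local"
                credentials="REPLACE_ME"
                mode=none
map             attribute uid sAMAccountName

# Target 3: the local hdb database above, reached through the loopback
# listener because every back-meta target must be an LDAP URI.
uri             "ldap://localhost/dc=ldap,dc=company,dc=com"
```

back-meta hands each entry to exactly one target, so the part of the plan where a missing attribute of an AD user is filled in from the DC is not covered by this fragment; for one AD at a time that is what slapo-translucent(5) does, keeping local attribute overrides in an hdb database stacked in front of a single back-ldap target. Because the AD service-account credentials live in this file, slapd.conf itself becomes a secret that needs restrictive file permissions.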