I am seeking a solution to be able to bind to, and search more than one tree and server per request using Linux. My goal is to maintain separate groups of user accounts on an OpenLDAP server -- e.g. local and network. The groups of users can have overlapping posixAccount uid attributes, but will have unique uidNumber attributes. My main use case is authentication, which requires checking a remote LDAP server first -- currently AD which requires attribute re-mapping), then network tree on the local LDAP (openldap) if not in remote server, then the local tree on local server if not in the first tree. I have tried referrals and rewrites, but nothing I've tried worked. It looks like the creation of a custom overlay will work, but I'd rather not go down that path. I have also tried using PAM, but pam_ldap is limited to one configuration per service (modifying pam_ldap is an option at this point).
Thanks, Craig
"Schneider, Thomas-P65851" Craig.Schneider@gdc4s.com writes:
I am seeking a solution to be able to bind to, and search more than one tree and server per request using Linux. My goal is to maintain separate groups of user accounts on an OpenLDAP server -- e.g. local and network. The groups of users can have overlapping posixAccount uid attributes, but will have unique uidNumber attributes. My main use case is authentication, which requires checking a remote LDAP server first -- currently AD which requires attribute re-mapping), then network tree on the local LDAP (openldap) if not in remote server, then the local tree on local server if not in the first tree. I have tried referrals and rewrites, but nothing I've tried worked. It looks like the creation of a custom overlay will work, but I'd rather not go down that path. I have also tried using PAM, but pam_ldap is limited to one configuration per service (modifying pam_ldap is an option at this point).
man slapo-chain(5).
-Dieter
Slapo-chain says that binds can't be chased -- "Any time a referral is returned (except for bind operations), it chased by using an instance of the ldap backend." Would some other method for authenticating users in LDAP be necessary (or better) for the scenario I described?
Thanks, Craig
-----Original Message----- From: openldap-technical-bounces+craig.schneider=gdc4s.com@OpenLDAP.org [mailto:openldap-technical-bounces+craig.schneider=gdc4s.com@OpenLDAP.org] On Behalf Of Dieter Kluenter Sent: Sunday, May 31, 2009 12:27 AM To: openldap-technical@openldap.org Subject: Re: Bind/search more than one tree and server
"Schneider, Thomas-P65851" Craig.Schneider@gdc4s.com writes:
I am seeking a solution to be able to bind to, and search more than one tree and server per request using Linux. My goal is to maintain separate groups of user accounts on an OpenLDAP server -- e.g. local and network. The groups of users can have overlapping posixAccount uid attributes, but will have unique uidNumber attributes. My main use case is authentication, which requires checking a remote LDAP server first -- currently AD which requires attribute re-mapping), then network tree on the local LDAP (openldap) if not in remote server, then the local tree on local server if not in the first tree. I have tried referrals and rewrites, but nothing I've tried worked. It looks like the creation of a custom overlay will work, but I'd rather not go down that path. I have also tried using PAM, but pam_ldap is limited to one configuration per service (modifying pam_ldap is an option at this point).
man slapo-chain(5).
-Dieter
-- Dieter Klünter | Systemberatung http://www.dpunkt.de/buecher/2104.html sip: +49.180.1555.7770535 GPG Key ID:8EF7B6C6 53°08'09,95"N 10°08'02,42"E
openldap-technical@openldap.org
-
Dieter Kluenter -
Schneider, Thomas-P65851