Hi,
I've written a Perl class to be used with back-perl. I'm able to load this class from slapd.conf using a different suffix than my traditional hdb database. Say, for example, my hdb database is serving the dc=my,dc=net suffix, and my Perl is serving dc=perl,dc=my,dc=net.
This effectively prevents me from "catching" user password modifications in dc=my,dc=net. If I use the subordinate keyword on my Perl database I'm able to see searches spanning through my dc=perl,dc=my,dc=net, but then again, modifications on users in dc=my,dc=net aren't seen by the Perl backend.
I've tried different approaches for this, but as of now I guess my only chance is to actually "proxy" the LDAP operations from Perl using the LDAP library to the dc=my,dc=net suffix in order to get a seamless experience and achieve my goal of user password manipulation. This is what I've seen in (really old) projects such as acctsync on SourceForge.
So, my question is: can I use both backends in the same suffix, so only some LDAP operations get overridden in Perl and others "pass through" the physical backend? And if not, what would be your strategy to achieve this goal?
My last plan is to store passwords in plaintext, create an ACL to prevent everyone but a non-human role from reading userPassword and move along, but I'd feel terrible about this.
By the way, thanks for making such an awesome piece of software.
Jose
openldap-technical@openldap.org