Hello,
we have a web application that authenticates via OpenLDAP. Now a second hospital should use this same application, but they have their own authentication server, Active Directory in this case.
In our network the users authenticate giving their username (amoroder in my case) and password. Is it possible to configure OpenLDAP to redirect the bind request to the remote server when the username contains an extension like jsmith@remote? Does this work with AD as second/remote authentication server?
Thank you very much Andreas
Andreas Moroder wrote:
we have a web application that authenticates via OpenLDAP. Now a second hospital should use this same application, but they have their own authentication server, Active Directory in this case.
You can set up a separate database with back-ldap as an LDAP reverse proxy to AD and glue them together as subordinates of a common superior database. Depending on the namespaces of DNs and user IDs, rewriting could be needed.
Ciao, Michael.
Andreas Moroder andreas.moroder@sb-brixen.it writes:
Hello,
we have a web application that authenticates via OpenLDAP. Now a second hospital should use this same application, but they have their own authentication server, Active Directory in this case.
In our network the users authenticate giving their username (amoroder in my case) and password. Is it possible to configure OpenLDAP to redirect the bind request to the remote server when the username contains an extension like jsmith@remote? Does this work with AD as second/remote authentication server?
What you are requesting is some sort of X.500 DAP services plus the service of a virtual directory. This could partly be achieved with OpenLDAP; it would be easier to put a virtual directory in front of OpenLDAP and AD and have all users authenticate against the virtual directory[1].
-Dieter
Footnotes: [1] http://penrose.safehaus.org/Home
Dieter Kluenter wrote:
Andreas Moroder andreas.moroder@sb-brixen.it writes:
Hello,
we have a web application that authenticates via OpenLDAP. Now a second hospital should use this same application, but they have their own authentication server, Active Directory in this case.
In our network the users authenticate giving their username (amoroder in my case) and password. Is it possible to configure OpenLDAP to redirect the bind request to the remote server when the username contains an extension like jsmith@remote? Does this work with AD as second/remote authentication server?
What you are requesting is some sort of X.500 DAP services plus the service of a virtual directory. This could partly be achieved with OpenLDAP,
It can be entirely achieved with OpenLDAP. Using the rewrite overlay to map usernames, you can then relay the requests to either a local DB or back-ldap.
it would be easier to put a virtual directory in front of OpenLDAP and AD and have all users authenticate against the virtual directory[1].
OpenLDAP is already capable of acting as a virtual directory....
-Dieter
Footnotes: [1] http://penrose.safehaus.org/Home
Dieter Kluenter wrote:
Andreas Moroder andreas.moroder@sb-brixen.it writes:
Hello,
we have a web application that authenticates via OpenLDAP. Now a second hospital should use this same application, but they have their own authentication server, Active Directory in this case.
In our network the users authenticate giving their username (amoroder in my case) and password. Is it possible to configure OpenLDAP to redirect the bind request to the remote server when the username contains an extension like jsmith@remote? Does this work with AD as second/remote authentication server?
What you are requesting is some sort of X.500 DAP services plus the service of a virtual directory.
"Virtual directory", yet another buzz-word (sigh!). After the buzz-word "meta directory" was burnt out we badly needed this. ;-) Sorry, but such terms imply that you can buy a full-featured off-the-shelf solution without thinking about what you really need. That's simply not true.
This could partly be achieved with OpenLDAP; it would be easier to put a virtual directory in front of OpenLDAP and AD and have all users authenticate against the virtual directory[1].
No matter what you put in front (OpenLDAP can do it), you have to use your brain and think about the namespaces of AD and the user IDs and put the result of that into a configuration (e.g. OpenLDAP's slapd.conf).
Ciao, Michael.
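A slapd.conf sketch of the setup Michael and Howard describe above: a local mdb database glued together with a back-ldap reverse proxy to the second hospital's AD, with the rwm overlay massaging the suffix, mapping uid to sAMAccountName and stripping the "@remote" tag from the login name. This is an added example, not configuration from the thread or from the OpenLDAP project. The suffixes dc=example,dc=org and ou=remote,dc=example,dc=org, the AD domain dc=remote,dc=local, the AD host name, the web application's service account cn=webapp,ou=system,... and the AD proxy account cn=ldapproxy,... are all assumptions to be replaced with the real namespaces.

```conf
# Added example (not from the thread): glue a local OpenLDAP database and a
# back-ldap proxy to a second hospital's Active Directory into one naming
# context. All DNs, host names and account names below are assumptions.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

moduleload      back_mdb
moduleload      back_ldap
moduleload      rwm

###########################################################################
# Subordinate: the remote hospital, proxied to AD. Subordinate databases
# are declared before the superior database they are glued under.
###########################################################################
database        ldap
suffix          "ou=remote,dc=example,dc=org"
subordinate
# Use LDAPS: the user's password travels in the proxied simple bind, and
# AD rejects simple binds over cleartext LDAP by default.
uri             "ldaps://ad.remote-hospital.example/"
chase-referrals no
# AD refuses anonymous searches, so the web application's search-before-bind
# is carried out as an assumed read-only proxy account in AD.
idassert-bind   bindmethod=simple
                binddn="cn=ldapproxy,cn=Users,dc=remote,dc=local"
                credentials="<proxy-account-password>"
                mode=none
# Only the web application's own service identity may use that proxy account.
idassert-authzFrom "dn.exact:cn=webapp,ou=system,dc=example,dc=org"

overlay         rwm
rwm-rewriteEngine on
# Map the virtual suffix onto the AD container. Bind DNs and search bases
# are rewritten on the way in, entry DNs on the way back.
rwm-suffixmassage "ou=remote,dc=example,dc=org" "cn=Users,dc=remote,dc=local"
# The application searches on uid; AD keeps the login name in sAMAccountName.
rwm-map         attribute uid sAMAccountName
# Strip the "@remote" tag from the login name before the filter reaches AD.
# The rewrite engine replaces the whole string with the substitution, so the
# surrounding filter text is captured (%1, %4) and put back; the alternation
# matches whether the attribute name has already been mapped or not.
rwm-rewriteContext searchFilter
rwm-rewriteRule "^(.*)\((uid|sAMAccountName)=([^@)]+)@remote\)(.*)$" "%1(sAMAccountName=%3)%4" ":"

###########################################################################
# Superior: local users, served from mdb. Declared after its subordinates.
###########################################################################
database        mdb
suffix          "dc=example,dc=org"
rootdn          "cn=admin,dc=example,dc=org"
# rootpw: generate with slappasswd; never keep it in cleartext here.
directory       /var/lib/ldap
index           objectClass,uid eq

# Binds need no ACL, searches do: the service account may look users up,
# users may read only their own entry, nobody may read password hashes.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by dn.exact="cn=webapp,ou=system,dc=example,dc=org" read
        by self read
        by * none
```

With this in place the application keeps its existing two-step flow unchanged: it binds as cn=webapp,..., searches the common base dc=example,dc=org for (uid=jsmith@remote), receives the entry with its virtual DN under ou=remote,dc=example,dc=org, and binds as that DN with the user's password; back-ldap rewrites the DN to cn=Users,dc=remote,dc=local and forwards the bind to AD, so success or failure is AD's verdict. A local user like amoroder never touches the proxy because no entry under ou=remote matches. Check it from the command line with ldapsearch for the remote user's DN and then ldapwhoami -x -D "<that DN>" -W; if the second step fails while the search works, compare the massaged DN with what AD actually holds (a user outside cn=Users, for example, needs a different rwm-suffixmassage target or an additional rewrite rule).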
openldap-technical@openldap.org