Sorry to re-send to the list, but I'm hopeful someone might have some thoughts on whether this might be possible!
We have an old unsupported application that authenticates users using an LDAP bind. The credential used for authentication (and what all the internal authorizations are tied to) is employee ID. We are moving to an LDAP directory that uses email address instead of employee ID as the DN; the employee ID is still present as an attribute in the new directory and the password remains the same. Since I can't modify the problematic application, it's not going away anytime soon, and it's the last thing holding up migration to the new directory system, I'm hoping that I can use OpenLDAP as a shim between the application and the new directory to do something like the following:
* Collect credentials (employee_id, password) during bind
* Using a privileged service account, search/bind against the new directory to map the employee ID attribute to the email address DN (like mod_authz_ldap does it)
* Return the success/failure as the result of the original bind
I would appreciate any ideas or pointers if this is possible or if there might be a better way.
Thanks in advance!
Dave
David LaPorte david@davidlaporte.org
openldap-technical@openldap.org
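One way to build the shim described above with stock OpenLDAP is a proxy database (slapd-ldap(5)) with the rewrite/remap overlay (slapo-rwm(5)): an incoming bind DN of the form "employeeNumber=<id>,..." is looked up in the new directory via an "ldap" rewrite map, replaced with the entry's real email-based DN, and the bind (with the user's own password) is then forwarded upstream, so the new directory still performs the actual authentication. The following slapd.conf fragment is an added example, not configuration from the original post or from the OpenLDAP project; the hostnames, suffix, attribute names, the DN shape the legacy application binds with, and the service-account DN are all assumptions, and the exact map options should be checked against the slapo-rwm(5) man page for the version in use.

```conf
# Added example: minimal slapd.conf for an OpenLDAP proxy that accepts binds by
# employee ID from the legacy application and relays them to the new directory
# under the email-based DN. All names below are assumptions; the legacy app is
# assumed to bind as "employeeNumber=<id>,ou=people,dc=example,dc=com".

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Only needed when the backend and overlay are built as dynamic modules.
moduleload      back_ldap.la
moduleload      rwm.la

# slapd-ldap(5): the proxy holds no data of its own; every operation,
# including the bind, is relayed to the upstream directory.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://newdir.example.com/"

# slapo-rwm(5): rewrite the DN of incoming requests.
overlay         rwm
rwm-rewriteEngine   on

# "ldap" rewrite map: the argument given when the map is invoked is used as the
# filter, and "?dn?sub" returns the DN of the matching entry. The lookup runs
# as a service account that only needs read access to employeeNumber.
# (Leading whitespace continues the previous line in slapd.conf.)
rwm-rewriteMap  ldap empid2dn
    "ldaps://newdir.example.com/ou=people,dc=example,dc=com?dn?sub"
    bindwhen=now
    binddn="cn=ldap-proxy,ou=services,dc=example,dc=com"
    credentials="CHANGE-ME"

# Only the bind DN is rewritten. The user's password is passed through
# untouched, so a wrong password still fails upstream and that failure is what
# the legacy application sees as the result of its original bind.
rwm-rewriteContext  bindDN
rwm-rewriteRule "^employeeNumber=([^,]+),ou=people,dc=example,dc=com$"
                "${empid2dn(employeeNumber=$1)}" ":"
```

Because the proxy only rewrites the DN and never sees or stores a password of its own beyond the service-account credential, the things worth locking down are that credential (read-only access to the mapping attribute, and the config file readable only by the slapd user) and the upstream link (ldaps:// or StartTLS, since employee passwords transit it). If an employee ID matches no entry, the map returns nothing and the rewritten bind fails, which is the desired outcome for an unknown user.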