Shahzad, Saleem wrote:
We were looking at proxy or subordinate referrals for an OpenLDAP->AD
integration.
On subordinate referrals I found that not all the applications I tried to
integrate work well with it (none actually).
For proxies the issue I found was that I could not proxy to a name that was
a superset of the base dn. For example if I had a base dn of
"dc=example,dc=com" then I could not proxy to another server via
"dc=internal,dc=example,dc=com", but I could do
"dc=internal,dc=example2,dc=com".
You can do this sort of proxy with the meta backend by specifying a
separate uri list for each superset (dc=internalx,dc=example,dc=com)
rather than creating a proxy for the base (dc=example,dc=com):
# Query the appropriate backend servers
# (continuation lines in slapd.conf must begin with whitespace)
suffix "dc=internal,dc=example,dc=com"
uri "ldap://server1/dc=internal,dc=example,dc=com
  ldap://server2 ldap://server3 ldap://server4"
suffix "dc=internal2,dc=example,dc=com"
uri "ldap://server3/dc=internal,dc=example,dc=com
  ldap://server2 ldap://server1"
This will work for mapping attributes but not if you want to use the
pcache overlay which wants only one suffix.
It would be great if LDAP Proxy Resolution was implemented as suggested
in the man page as a possible evolution...
Cheers,
Robert
If there is something I missed and this can be done I would be very curious
to know.