On Fri, 2005-12-16 at 18:41 +0000, Emmanuel Dreyfus wrote:
> Hello
>
> I'd like to use two backends for the same suffix, and have one queried for
> bind/unbind and the other for other operations such as search. Is it possible?

Could be; see below.

> The goal is to provide the directory from a bdb backend and the authentication
> through a shell backend. I tried this in my config file:
>
> database shell
> subordinate
> suffix "dc=example,dc=net"
> bind /usr/local/sbin/foo
> unbind /usr/local/sbin/foo
>
> database bdb
> suffix "dc=example,dc=net"
> directory /var/openldap/openldap-data
> index objectClass eq
>
> But slapd does not want to start because the two databases serve the same
> naming context. Did I misunderstand how the subordinate statement works? Am I
> trying to do something that cannot be done?
>
> If it cannot be done that way, I'm looking for other ideas.

Yes, it cannot be done that way.

> 1) Have the shell backend implementing searches by querying another
> database. It seems I could even query the same LDAP server if I rewrite
> the suffix. That does not sound very exciting but it seems to be a
> possible way.

In fact, that's the idea: have a global slapo-rwm (*) that rewrites binds one
way and doesn't touch other ops, so that the shell backend is selected for
binds and the regular backend is selected for other ops; something like (just
checked with an LDAP database that binds on AD with an entirely different
naming context)

# before any database
overlay rwm
# only massage the bindDN, let the rest pass thru
rwm-rewriteContext bindDN
rwm-rewriteRule "^(.+,)?dc=suffix$" "$1dc=bind" ":@"

# The "real", local database
database bdb
suffix "dc=suffix"
# ...

# The "bind" database
database shell
suffix "dc=bind"
# only allow binds
restrict read write extended
# ...

I might turn this into a test, and you should definitely consider writing a
FAQ entry <http://www.openldap.org/faq/> if you follow this path.

> 2) write an overlay. This seems the hard way, but as I understood, I can
> hook my custom code for bind/unbind operations. There does not seem to be
> much documentation available on the API, is there?

I've done it in quite a few cases (e.g. to redirect auth to some external,
not-quite-so-LDAPv3 DSA like eTrust DS (a clone of OpenLDAP 2.0, BTW), that
had to be authoritative for authentication, and using SASL was not an
option...). This is the preferred solution if your specific stuff can be
written directly in C into the overlay, so you skip over the odds of using
shell (perl, whatever).

p.

(*) global overlays require OpenLDAP >= 2.3

Ing. Pierangelo Masarati
Responsabile Open Solution
SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309
Mobile:   +39.333.4963172
Email:    [EMAIL PROTECTED]
------------------------------------------
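An added example, not part of the original thread, of what the program named on the shell database's "bind" line has to do once the rwm rule above routes binds to the "dc=bind" suffix: it reads the request that slapd-shell(5) writes on stdin and answers with a RESULT block. The credential table, the "uid=<name>,dc=bind" DN shape and the script name "foo" are assumptions made for the demo.

```shell
#!/bin/sh
# Minimal bind handler for slapd's shell backend: slapd-shell(5) writes the
# request on stdin as the operation name followed by "key: value" lines and
# reads "RESULT" / "code: <n>" back from stdout. LDAP result codes used here:
# 0 success, 7 authMethodNotSupported, 49 invalidCredentials, 53 unwillingToPerform.

# Constructed demo credential table (uid:password), an assumption for the demo.
# A real handler would consult an external authenticator, not a plaintext list.
CREDS="alice:s3cret
bob:hunter2"

# Read one request from stdin and print one RESULT block. Only simple binds
# (method 128 = LDAP_AUTH_SIMPLE) on DNs of the form uid=<name>,dc=bind pass.
handle_bind() {
    op= dn= method= cred=
    while IFS= read -r line; do
        case "$line" in
            BIND|UNBIND|SEARCH|COMPARE|MODIFY|MODRDN|ADD|DELETE|ABANDON) op=$line ;;
            "dn: "*)     dn=${line#dn: } ;;
            "method: "*) method=${line#method: } ;;
            "cred:"*)    cred=${line#cred:}; cred=${cred# } ;;
        esac
    done
    # The rwm rule should only route binds here; refuse everything else anyway,
    # so a misrouted search or modify can never be served by this script.
    if [ "$op" != BIND ]; then
        printf 'RESULT\ncode: 53\ninfo: this backend only handles bind\n'
        return 0
    fi
    if [ "$method" != 128 ]; then
        printf 'RESULT\ncode: 7\ninfo: simple bind only\n'
        return 0
    fi
    case "$dn" in
        uid=*,dc=bind) uid=${dn#uid=}; uid=${uid%%,*} ;;
        *) printf 'RESULT\ncode: 49\n'; return 0 ;;
    esac
    # An empty password must fail: slapd treats an empty simple bind as
    # anonymous, and this script must never turn that into a valid login.
    [ -n "$cred" ] || { printf 'RESULT\ncode: 49\n'; return 0; }
    # grep -F -x: whole-line fixed-string match; -e: pattern may start with "-".
    if printf '%s\n' "$CREDS" | grep -qxF -e "$uid:$cred"; then
        printf 'RESULT\ncode: 0\n'
    else
        printf 'RESULT\ncode: 49\n'
    fi
}
# Run for real only when installed under the script name used in the thread.
case "${0##*/}" in foo) handle_bind ;; esac
```

With "restrict read write extended" on the shell database, slapd should never hand this script anything but a bind; the op check is a second line of defence, not a replacement for that directive.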
