On Thu, 15 May 2008, Andrew Findlay wrote:
> ...
> I have a similar requirement at the moment except that I only want to
> use the second LDAP server to authenticate for a small proportion of the
> entries in the first one. The namespaces are very different. I think
> it can be done with a combination of rwm, back-ldap/back-meta and
> slapd-relay, but this seems rather complex when all I really need is
> 'pass-through authentication'.
> I will report back to the list if I come up with a workable solution,
> but in the meantime does anyone have any pointers to a neat way of
> doing this?

How about by using saslauthd? Configure the users that need pass-through
authentication with userPassword values in the form "[EMAIL PROTECTED]",
put "pwcheck_method: saslauthd" in the sasl/slapd.conf file, and configure
saslauthd to authenticate against the backend server. That gives you both
complete control over who gets passed through (only those with the {SASL}
format) and complete flexibility in the mapping of frontend users to
backend users (by tweaking the "[EMAIL PROTECTED]" in each user's userPassword
attribute).
Philip Guenther
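As an added illustration of the three pieces Philip describes (this is not configuration taken from the thread, and every hostname, DN, file path and password below is an assumed placeholder):

```conf
# 1. Frontend entry (constructed LDIF). Only entries whose userPassword has
#    the {SASL} form are handed to saslauthd; every other entry is checked
#    locally by slapd. slapd must be built with --enable-spasswd for {SASL}
#    values to be honoured at all; without it the bind simply fails.
dn: uid=alice,ou=people,dc=front,dc=example
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
sn: Example
# user@realm is the identity saslauthd looks up on the backend, so the
# frontend-to-backend name mapping is decided here, one user at a time.
userPassword: {SASL}alice@backend.example

# 2. slapd's SASL config (e.g. /usr/lib/sasl2/slapd.conf or
#    /etc/sasl2/slapd.conf): delegate password checks to the saslauthd
#    daemon over its mux socket.
pwcheck_method: saslauthd
saslauthd_path: /var/run/saslauthd/mux

# 3. /etc/saslauthd.conf, started as "saslauthd -a ldap -O /etc/saslauthd.conf".
#    Locate the entry for %U (the user part of user@realm) in the backend tree
#    and verify the password by binding as that entry. Use ldaps:// (or
#    ldap_start_tls: yes): the user's cleartext password is forwarded to the
#    backend on every successful lookup.
ldap_servers: ldaps://backend.example
ldap_auth_method: bind
ldap_search_base: ou=users,dc=backend,dc=example
ldap_filter: (uid=%U)
# Lookup account used only to find the entry; grant it search rights on the
# subtree and nothing more, and keep this file readable by root only.
ldap_bind_dn: cn=saslauthd-lookup,dc=backend,dc=example
ldap_password: change-me-placeholder
```

Verify the chain from the bottom up: `testsaslauthd -u alice -r backend.example -p '...'` exercises saslauthd and the backend alone, and an `ldapwhoami -x -D uid=alice,ou=people,dc=front,dc=example -W` against the frontend exercises the whole path. Because that frontend bind is a simple bind carrying the password in clear, the frontend should require TLS as well.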