I haven't done this myself, but I suspect you'd want to use the translucent proxy backend instead of the normal back_ldap one. Check the man page for slapo-translucent.
On Wed, Feb 12, 2014 at 9:24 AM, Ingo Mailinglists <[email protected]> wrote:
> Hi List,
>
> I am currently stuck with setting up OpenLDAP servers to fully address
> my use case. I hope someone here can point me in the right direction. I
> think it comes down to the point where I do not know how to use the
> memberOf overlay with an LDAP proxy (back_ldap).
>
> First the use case:
> * I have a corporate OpenLDAP server that holds entries for our employees
> * There are also multiple http-based services which are allowed to be
>   used after successful user authentication and given that group
>   membership requirements are met.
> * The http-based services need to be accessed by both internal employees
>   (those for which entries are stored in the corporate OpenLDAP server)
>   and external people (for which there are no user entries yet).
>
> The task is to come up with an approach that supports the following:
> * allow the http-based services to authenticate both internal and
>   external users against an OpenLDAP server
> * allow authorization based on group memberships
> * entries that represent external people are not allowed to be stored in
>   the existing corporate OpenLDAP server
> * entries that represent group memberships are not allowed to be stored
>   in the existing corporate OpenLDAP server
> * in general, no changes to the corporate OpenLDAP server are allowed at
>   all
>
> Here is my approach so far:
> * I have set up a new OpenLDAP server with two databases.
> * The first is a local hdb database. The suffix is set to a subordinate
>   of the corporate OpenLDAP server.
> * The second is a ldap database, which points to and has the same suffix
>   as the corporate OpenLDAP server.
>
> The purpose of the local hdb database is twofold:
> * it should store entries for external people
> * it should store the group memberships for both external people and
>   employees from my own company
>
> I did some tests with Apache 2.2.22, mod_ldap and mod_authnz_ldap. I can
> authenticate both types of users (external from hdb and internal from
> ldap). I can even authorize them based on their group membership (using
> groupOfNames stored in the local hdb database). The group membership
> check also works for user entries that are proxied via the ldap database
> backend.
>
> However, the approach fails for services that need the memberOf overlay
> for making authorization decisions based on group membership (ownCloud
> is such an example). I have enabled the memberOf overlay for the local
> hdb database. So external users are not the problem. However, I cannot
> enable it for the ldap database, as I am not allowed to make any changes
> to the user entries of the corporate OpenLDAP server. That is, I am not
> allowed to add the memberOf attribute to the respective entries - even
> if ACLs would allow me to do so.
>
> Now this is the point where I am stuck. Basically, I am looking for a
> way to add the memberOf attribute to proxied user entries locally on my
> new OpenLDAP server, without affecting the entries in the corporate
> OpenLDAP server.
>
> Any help that might point me in the right direction is highly appreciated.
>
> Thanks,
> Ingo
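For readers following the suggestion above, here is a slapd.conf sketch of the layout it points at: the subordinate hdb database from the original post keeps the external people and the groups, and the corporate suffix is served by a local database with slapo-translucent on top, so that memberOf is listed as a local attribute and is only ever stored on the new server. This is an added illustration, not configuration from the thread or from the OpenLDAP documentation; the directive names are those documented in slapd.conf(5), slapd-ldap(5), slapo-memberof(5) and slapo-translucent(5), while the hostnames, DNs, passwords and paths are assumptions. Whether slapo-memberof on the subordinate database reaches member entries living in the other database, and whether that internal modify is captured by the translucent local store rather than forwarded upstream, is exactly what the thread does not settle, so treat the sketch as a starting point to verify, not as a known-working setup.

```conf
# Added illustration of the translucent-proxy layout, not from the thread.
# Hostnames, DNs, passwords and paths are assumptions; replace them.

# Subordinate database (declared first, as slapd.conf requires) holding the
# external people and the groupOfNames entries.  slapo-memberof maintains
# memberOf on the member entries whenever a group changes.
database        hdb
suffix          "ou=external,dc=corp,dc=example"
subordinate
rootdn          "cn=admin,ou=external,dc=corp,dc=example"
rootpw          secret          # use a slappasswd hash in a real deployment
directory       /var/lib/ldap/external
index           objectClass,member eq

overlay         memberof
memberof-group-oc     groupOfNames
memberof-member-ad    member
memberof-memberof-ad  memberOf
memberof-dangling     ignore
memberof-refint       TRUE

# Database for the corporate suffix.  Entries are fetched from the corporate
# server through the overlay's private back-ldap instance; attributes listed
# in translucent_local (here memberOf) are read from and written to this
# local store only, so nothing is ever modified upstream.
database        hdb
suffix          "dc=corp,dc=example"
rootdn          "cn=admin,dc=corp,dc=example"
rootpw          secret          # use a slappasswd hash in a real deployment
directory       /var/lib/ldap/translucent
index           objectClass eq

overlay         translucent
translucent_local     memberOf
# Remote side: slapd-ldap(5) directives that follow the overlay configure
# the private back-ldap instance used to reach the corporate server.
uri             ldap://ldap.corp.example/
lastmod         off
acl-bind        bindmethod=simple
                binddn="cn=proxyreader,dc=corp,dc=example"
                credentials=proxysecret
```

To check the two properties the original post cares about, add a proxied employee to a local group and then run `ldapsearch -x -H ldap://<new-server>/ -b "uid=<employee>,ou=people,dc=corp,dc=example" memberOf` against the new server, which should now return the memberOf value, and the same search against `ldap://ldap.corp.example/`, which must still return no memberOf at all. If the first search comes back empty, the memberof write did not land in the translucent local store and the overlay stacking (overlays run in the reverse order of their declaration) or the cross-database group placement needs to be revisited before any service is pointed at the proxy.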
