Sullivan, Daniel [AAA] wrote:
> Hi,
> Please forgive my ignorance if this is a stupid question; I have only been
> messing around with OpenLDAP for a few days, but I believe I have hit a roadblock
> that somebody must have seen somewhere.
> Basically, I am planning on using a translucent proxy to augment the attribute
> set served up by an external LDAP provider. Specifically, I am provisioning
> uidNumbers and gidNumbers for AD accounts. I cannot populate the upstream
> RFC2307 attributes. My problem is this: it is my understanding that a
> translucent proxy is going to match records in the local and remote databases
> based on DN. Admins are going to be moving user and group objects around
> upstream, which will reliably break the mapping between local and remote
> databases after the objects with uidNumbers and gidNumbers are populated into
> the local database.
> I can think of a couple of algorithms that would reconcile this, although they
> would require custom coding and maintaining a localized external view of the
> data (i.e. in a SQL database). So, I suppose my question is this:
> Is there an elegant way to solve this problem, for example, having the
> translucent proxy map by an attribute other than DN, such as an AD SID?
> I appreciate your time and input :-)
You could map the AD objectGUID to an OpenLDAP entryUUID. They are
semantically the same anyway, although AD uses a different text representation
for the value.
--
-- Howard Chu
CTO, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc/
Chief Architect, OpenLDAP http://www.openldap.org/project/
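The conversion Howard's reply points at, as an added example that is not part of the original thread and not OpenLDAP or Symas code: an AD objectGUID arrives over LDAP as 16 raw octets (base64 in LDIF), while entryUUID is the RFC 4122 text form. The block below decodes an LDIF objectGUID line, renders it as an entryUUID string, builds an RFC 4515 filter to find the AD object by GUID regardless of its current DN, and reconciles a small constructed table of local uidNumber/gidNumber records (keyed by entryUUID) against remote entries whose DNs have moved. It assumes the objectGUID octets follow the Windows GUID byte layout (first three fields little-endian), which is what Python's `uuid.UUID(bytes_le=...)` decodes; that layout is an assumption stated here, not something the reply specifies. All sample values are constructed.

```python
"""Map AD objectGUID (binary) <-> OpenLDAP entryUUID (RFC 4122 text) and
use the GUID, not the DN, to join local RFC2307 data to moved AD objects."""
import base64
import uuid

# Constructed sample GUID standing in for a real AD objectGUID.
SAMPLE_UUID_TEXT = "3f2504e0-4f89-11d3-9a0c-0305e82c3301"
# Assumption: AD serialises objectGUID in Windows GUID byte order
# (Data1..Data3 little-endian), which is exactly uuid.UUID.bytes_le.
SAMPLE_OBJECTGUID_RAW = uuid.UUID(SAMPLE_UUID_TEXT).bytes_le
SAMPLE_OBJECTGUID_LDIF = "objectGUID:: " + base64.b64encode(
    SAMPLE_OBJECTGUID_RAW).decode("ascii")


def objectguid_from_ldif(line: str) -> bytes:
    """Parse an LDIF 'objectGUID:: <base64>' line into the 16 raw octets."""
    attr, sep, value = line.partition("::")
    if not sep or attr.strip().lower() != "objectguid":
        raise ValueError("not a base64-encoded objectGUID line")
    raw = base64.b64decode(value.strip())
    if len(raw) != 16:
        raise ValueError(f"objectGUID must be 16 octets, got {len(raw)}")
    return raw


def objectguid_to_entryuuid(raw: bytes) -> str:
    """Raw AD objectGUID octets -> lowercase RFC 4122 text (entryUUID form)."""
    return str(uuid.UUID(bytes_le=raw))


def entryuuid_to_objectguid(text: str) -> bytes:
    """RFC 4122 text -> the 16 octets AD stores/compares for objectGUID."""
    return uuid.UUID(text).bytes_le


def objectguid_filter(text: str) -> str:
    """RFC 4515 filter locating the AD object by GUID; every octet is
    hex-escaped (\\XX) because the value is binary, not a printable string."""
    raw = entryuuid_to_objectguid(text)
    return "(objectGUID=" + "".join(f"\\{b:02x}" for b in raw) + ")"


def reconcile(remote_entries, local_by_uuid):
    """Join remote (dn, raw objectGUID) pairs to local RFC2307 records keyed
    by entryUUID text. The DN is output only, never used as the join key, so
    an object moved to another OU still finds its uidNumber/gidNumber."""
    joined = {}
    for dn, raw in remote_entries:
        key = objectguid_to_entryuuid(raw)
        if key in local_by_uuid:
            joined[dn] = dict(local_by_uuid[key])
    return joined


# Constructed data: the same object seen before and after an admin moved it.
LOCAL_RECORDS = {SAMPLE_UUID_TEXT: {"uidNumber": 10001, "gidNumber": 10001}}
REMOTE_BEFORE = [("CN=Daniel,OU=Old,DC=example,DC=com", SAMPLE_OBJECTGUID_RAW)]
REMOTE_AFTER = [("CN=Daniel,OU=Moved,DC=example,DC=com", SAMPLE_OBJECTGUID_RAW)]

if __name__ == "__main__":
    print(objectguid_to_entryuuid(objectguid_from_ldif(SAMPLE_OBJECTGUID_LDIF)))
    print(objectguid_filter(SAMPLE_UUID_TEXT))
    print(reconcile(REMOTE_BEFORE, LOCAL_RECORDS))
    print(reconcile(REMOTE_AFTER, LOCAL_RECORDS))
```

The round trip through `bytes_le` is what makes the two representations "semantically the same": the first four octets of the raw value (`e0 04 25 3f`) are the byte-reversed first field of the text form. If you instead feed the raw octets to `uuid.UUID(bytes=...)`, the text will differ from what AD tools display, so check the layout against a known object before building on it.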