Howard, Christopher wrote:
> I currently manage ldap for a subset of users at our organization for some
> separate systems. The organization also uses ldap for all of its users. My
> separate ldap server uses different usernames for its users. I've been tasked
> with getting rid of this separate ldap, migrating all of our systems over to
> the central ldap and having users use their normal organizational credentials.
>
> To that end, I've created a new ldap server as a translucent proxy. The
> central ldap does not contain posix attributes. I'm not being permitted to
> create them and they are not willing to add them. I've tested with my new
> proxy that I can search for a user, retrieve all of their back end ldap
> attributes and all of my local overlay attributes. The translucent proxy is
> working.
>
> Now I'm to the step of setting up sssd to authenticate users on linux hosts.
> This is not working because sssd searches using a filter that contains
> objectclass=posixAccount and uidNumber. I've ensured that those values are
> in my overlay, but they do not exist in the back end ldap. As a result, I
> get no user returned from the search. I've changed sssd config to make
> objectclass=person in the search filter, but that still leaves the uidNumber
> issue.
>
> Is there any way around this? I've exhausted the documentation for sssd and
> don't see it. Is there a way in the ldap proxy to handle this? Do I need to
> set olcTranslucentLocal to define the local only attributes?

Yes. That's what the manpage says.

> My guess is I'll have the same issue with groups and gidNumber when I get to
> that step of the process as well.
>
> If this is a dead end, are there any other options to do what I need to do?
>
> Thank you,
>
> -Christopher

-- 
  -- Howard Chu
  CTO, Symas Corp.           http://www.symas.com
  Director, Highland Sun     http://highlandsun.com/hyc/
  Chief Architect, OpenLDAP  http://www.openldap.org/project/
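As an added illustration of the olcTranslucentLocal setting the reply points to (this is example configuration written for this page, not something posted in the thread or taken from the poster's proxy), the following cn=config LDIF declares the POSIX attributes that exist only in the local overlay database. The database DN olcDatabase={1}mdb,cn=config and the attribute list are assumptions; substitute the DN of the overlay's local database in your own proxy.

```ldif
# Added example (not from the thread): enable slapo-translucent on the proxy's
# local database and list the attributes that exist only locally, so a filter
# on them is evaluated against the local entries rather than forwarded to the
# remote (central) server that does not carry them.
# ASSUMPTION: the local database is olcDatabase={1}mdb,cn=config and the remote
# server is already configured for the overlay; adjust the DN and index to match.
dn: olcOverlay=translucent,olcDatabase={1}mdb,cn=config
changetype: add
objectClass: olcOverlayConfig
objectClass: olcTranslucentConfig
olcOverlay: translucent
# translucent_local in slapo-translucent(5): attributes searched in the local
# database only. One value holding a comma-separated list. gidNumber is listed
# here as well because the group step raised in the message hits the same case.
olcTranslucentLocal: uidNumber,gidNumber,homeDirectory,loginShell,gecos
```

Load it with ldapmodify against the cn=config database of the proxy. Two checks are worth doing before pointing sssd at it: first, run the exact filter sssd sends (visible in its debug log) against the proxy with ldapsearch and confirm the merged entry comes back with both the remote and the local attributes; second, remember that the objectClass part of the filter is an sssd setting (ldap_user_object_class, and for groups ldap_group_object_class, in sssd-ldap(5)), which is the change the poster already made, since objectClass is answered by the back end and is not one of the local-only attributes.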