Nihathrael

Reputation: 515

Chaining Authentication with LDAP

I have the following two ldap (slapd) servers:

company.com

opensourceproject.com

What I want to achieve is that a client (bugzilla, svn, etc.) can transparently query the opensourceproject.com ldap for users on both servers. A query could be: "check authentication of uid=employee1", sent by a client to the opensourceproject.com ldap server. The server should now look into its list and see if the user is available; if not, chain to the company.com ldap and look there, and if the user exists, return the result.

Is it possible to achieve this? Most clients need a search base to find the member, so I'd probably be issuing the search on ou=users,dc=opensourceproject,dc=com, which does not exist on the company.com server, so I'm not sure how to connect the two trees. If I use an empty search base, will that work? I imagine I could run into all sorts of trouble for binding.

Is it possible to make this work with ldap? If yes, how?

Upvotes: 1

Views: 2208

Answers (1)

Terry Gardner

Reputation: 11132

There exist at least four possible solutions:

  • The LDAP client must execute two searches, one with a base object corresponding to the location of users on one server, and the other with a base object corresponding to the location of users on the other server; search scopes, filters, and attributes to retrieve must be adjusted for each server. This solution, while workable, is poor form because the LDAP clients must be aware of two different sets of information (one for each server), which renders the solution unscalable, fragile, and brittle. Also there is the question of policy: which authentication should be used if an authentication ID exists on both servers?
  • Use of an LDAP proxy server that supports DN mapping wherein the proxy server can transform queries of dc=opensourceproject,dc=com to queries of dc=company,dc=com. Such a product can be purchased from UnboundID. The above policy question applies.
  • Use of a synchronization server to combine the data on both servers and deposit the results in a third server which is queried by LDAP clients. The policy question above is then managed by the synchronization server.
  • Combine the data on the two servers manually.

Upvotes: 3
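The DN-mapping proxy approach from the second bullet can also be built with OpenLDAP itself, since the question mentions slapd: a back-ldap subordinate database glued under the local suffix, with the rwm overlay rewriting the virtual subtree to the real company.com naming context. This is an added example, not the answerer's configuration; the hostnames, the `ou=company` virtual subtree, the paths and the mdb backend are assumptions.

```conf
# slapd.conf on the opensourceproject.com server (added example, assumed layout).
# Subordinate databases must be declared before the superior (glue) database.
include         /etc/openldap/schema/core.schema
moduleload      back_mdb.la
moduleload      back_ldap.la
moduleload      rwm.la

# Proxy database: the virtual subtree ou=company,dc=opensourceproject,dc=com
# is answered by the real dc=company,dc=com tree on the company server.
database        ldap
suffix          "ou=company,dc=opensourceproject,dc=com"
subordinate
# Assumed host; use LDAPS so proxied binds never cross the network in clear.
uri             "ldaps://ldap.company.com/"
# Forward the client's own bind to company.com instead of a fixed proxy identity,
# so passwords are verified by the server that owns the account.
rebind-as-user  yes
overlay         rwm
# rwm-suffixmassage <virtual naming context> <real naming context>
rwm-suffixmassage "ou=company,dc=opensourceproject,dc=com" "dc=company,dc=com"

# Local database holding opensourceproject.com's own users (ou=users,...).
database        mdb
suffix          "dc=opensourceproject,dc=com"
rootdn          "cn=admin,dc=opensourceproject,dc=com"
directory       /var/lib/ldap
```

Clients then search with base `dc=opensourceproject,dc=com` and subtree scope (not `ou=users,...`), so one search covers both the local ou=users entries and the proxied ou=company entries, and a bind with a DN under ou=company is rewritten and forwarded to company.com. The policy problem from the answer remains: if the same uid exists in both trees the search returns two entries, so the client's mapping of uid to DN must be unambiguous or the duplicate must be resolved before this is used for authentication.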
