Discussion:
Authenticating with multiple databases
Ian Gillman
2010-04-15 14:02:42 UTC
We have a situation where we have 2 OpenLDAP databases containing usernames, passwords etc... for two distinct entities. We would like to be able to send an authentication request to one of the databases and have it return yes or no based upon the information in both databases.

In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.

Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.

Thanks
Ian Gillman
Senior Network Administrator
Monroe Clinic
608-324-1416
***@monroeclinic.org

Andrew Findlay
2010-04-16 09:13:55 UTC
Post by Ian Gillman
In other words, database A (DBa) has user A's (Ua) credentials and database B (DBb) has user B's (Ub) credentials. We would like to be able to talk to either DBa or DBb and get back the user credentials and authentication for both Ua and Ub.
Is there some way I can set up OpenLDAP to be able to try and authenticate a user request locally and then, if that fails, to authenticate the request remotely without the requestor having to know about the remote database? We do not want to replicate information between the databases.
You could set up each database to chain requests to the other so that
clients do not need to be aware of the separation. The clients would
need to use a base DN in their search requests that covers both
databases, so you may need to create a new suffix to cover that or use
slapd-relay and slapo-rwm to remap the DIT.

I don't think there is any easy way to force the search to use local
data first, so you may have problems if the link between the two
servers goes down.

Andrew
--
-----------------------------------------------------------------------
| From Andrew Findlay, Skills 1st Ltd |
| Consultant in large-scale systems, networks, and directory services |
| http://www.skills-1st.co.uk/ +44 1628 782565 |
-----------------------------------------------------------------------
Buchan Milne
2010-04-16 08:36:21 UTC
Post by Ian Gillman
We have a situation where we have 2 OpenLDAP databases containing
usernames, passwords etc... for two distinct entities.
You don't say so explicitly, but it seems you mean you have 2 servers, each
with a (different) database.
Post by Ian Gillman
We would like to be
able to send an authentication request to one of the databases and have it
return yes or no based upon the information in both databases.
In other words, database A (DBa) has user A's (Ua) credentials and database
B (DBb) has user B's (Ub) credentials. We would like to be able to talk to
either DBa or DBb and get back the user credentials and authentication for
both Ua and Ub.
Is there some way I can set up OpenLDAP to be able to try and authenticate
a user request locally and then, if that fails, to authenticate the
request remotely without the requestor having to know about the remote
database? We do not want to replicate information between the databases.
Have you looked at the meta backend? Specifically, the SCENARIOS section of
slapd-meta(5).

Regards,
Buchan
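The following slapd.conf fragment is an added illustration of the setup both replies point at (Buchan's slapd-meta suggestion and Andrew's "new suffix covering both databases" remark); it is not configuration from the thread or from the OpenLDAP project. It is written for server A: entity A's entries stay in a local hdb database, and a slapd-meta database presents a virtual suffix that covers both entities, with one target on the loopback interface and one on the remote server. All hostnames, suffixes, DNs, paths and the root password hash are assumptions chosen for the example.

```conf
# Added example (not from the thread): slapd.conf fragment for server A.
# Hostnames, suffixes, DNs and paths below are assumptions.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

# Backend modules (only needed if slapd was built with dynamic backends).
modulepath      /usr/lib/openldap
moduleload      back_hdb.la
moduleload      back_ldap.la
moduleload      back_meta.la

# 1. Local database: entity A's entries and password hashes live here and
#    never leave this server; only binds are forwarded to it.
database        hdb
suffix          "dc=entitya,dc=local"
rootdn          "cn=admin,dc=entitya,dc=local"
rootpw          {SSHA}REPLACE-WITH-REAL-HASH      # placeholder, not a real hash
directory       /var/lib/ldap/entitya
index           uid eq

# Anyone may authenticate against userPassword, nobody may read it back.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
access to *
        by * read

# 2. Virtual "union" suffix built with slapd-meta. Clients bind and search
#    under dc=example,dc=com and do not learn that two servers are involved.
#    A bind DN under ou=entityA is routed only to target 1, one under
#    ou=entityB only to target 2, so Ua can still log in when the link to
#    server B is down; only Ub's binds fail (quickly, see the timeouts).
database        meta
suffix          "dc=example,dc=com"
default-target  none
rebind-as-user  yes      # forward the client's own credentials, do not proxy as a service account
chase-referrals no

# Target 1: entity A, served by this same slapd over the loopback interface.
uri             "ldap://127.0.0.1/ou=entityA,dc=example,dc=com"
suffixmassage   "ou=entityA,dc=example,dc=com" "dc=entitya,dc=local"

# Target 2: entity B on the remote server, over LDAPS so credentials are
#           never forwarded in clear text.
uri             "ldaps://ldap-b.example.net/ou=entityB,dc=example,dc=com"
suffixmassage   "ou=entityB,dc=example,dc=com" "dc=entityb,dc=local"
network-timeout 5        # seconds before a dead remote link is given up
nretries        1        # one reconnect attempt, then fail the operation

# Check from a client (replace the host; the password prompt is for Ub's own password):
#   ldapwhoami -H ldap://ldap-a.example.net -D "uid=ub,ou=entityB,dc=example,dc=com" -W
```

Server B gets the mirror-image configuration (its own data local, server A as the remote target under the same virtual suffix). Because the bind is forwarded rather than the password hash, neither server needs a copy of the other's credentials, which is what the original question asked for; a search whose base is the virtual suffix itself still fans out to both targets, which is the outage case Andrew raises.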
