Multiple LDAP Servers

Pierangelo Masarati ando at sys-net.it
Sat Jun 24 04:13:25 EDT 2006 

On Fri, 2006-06-23 at 11:26 +0200, Sebastien Bonnegent wrote:
> Hello,
> 
> We have 2 different LDAP servers (no replica) with different users in it. We want configure
> Cyrus-sasl to ask both.
> 
> A detailed version will be :
> 
> Is USER in LDAP1 ?
> -> Yes, SUCCESS
> -> No, Is USER in LDAP2 ?
>        -> Yes, SUCCESS
>        -> No, USER refused
> 
> Do you think that it is possible ? Have you an idea to do this ?

Not sure with cyrus-sasl (I suspect no); I'd suggest using some sort of
(smart) proxying that allows your LDAP client (the cyrus-sasl in your
case) to see the two DSAs as a single DSA that acts as an entry point
for the two branches.

The following of this answer is off-topic here, as it addresses how to
glue together different databases to present them in a single view.  As
such, it's specific to the software you use to provide the view of your
two DSAs.

In this case, I'd suggest you move further discussion to LDAP software-
specific mailing lists and post here a pointer to that discussion in
case you find a good solution to your issue, for future reference.

if you're using OpenLDAP, you could use the slapo-glue(5) overlay to
glue together separate databases (either can be a proxy to the real
DSA), or slapd-meta(5) to obtain a similar behavior (recommended if the
two DSAs don't share any portion of their naming context and they reside
in separate servers).  In both cases, a search for USER on PROXY would
be spawned to the most appropriate DSA based on the search base.  If
that spans both DSAs, the search will occur simultaneously on both
systems.  In this latter case, it's up to you to ensure the uniqueness
of USER across both systems.  You may discuss details on <openldap-
software at openldap.org>, but first have a look at the archives, the FAQ
and the man pages you've been pointed to.

I'm not aware of details about smart proxying and gluing in other DSA
implementations; I know FDS (and Sun ONE and other clones of NDS) do
implement some proxy functionality, but I don't know whether they allow
any means of merging different trees/naming contexts or not.

p.




Ing. Pierangelo Masarati
Responsabile Open Solution
OpenLDAP Core Team

SysNet s.n.c.
Via Dossi, 8 - 27100 Pavia - ITALIA
http://www.sys-net.it
------------------------------------------
Office:   +39.02.23998309          
Mobile:   +39.333.4963172
Email:    pierangelo.masarati at sys-net.it
------------------------------------------

More information about the Cyrus-sasl mailing list