
List:       openldap-technical
Subject:    proxy/backend pointers
From:       David LaPorte <david () davidlaporte ! org>
Date:       2018-01-10 16:16:10
Message-ID: 1FDAACB7-6BFD-4AC7-A09F-DB6456CF7AA1 () davidlaporte ! org


Sorry to re-send to the list, but I'm hopeful someone might have some thoughts on whether this might be possible!

We have an old unsupported application that authenticates users using an LDAP bind. The credential used for authentication (and what all the internal authorizations are tied to) is employee ID. We are moving to an LDAP directory that uses email address instead of employee ID as the DN - the employee ID is still present as an attribute in the new directory and the password remains the same. Since I can't modify the problematic application, it's not going away anytime soon, and it's the last thing holding up migration to the new directory system, I'm hoping that I can use OpenLDAP as a shim between the application and the new directory to do something like the following:

* Collect credentials (employee_id, password) during bind
* Using a privileged service account, search/bind against the new directory to map employee ID attribute to email address DN (like mod_authz_ldap does it)
* Return the success/failure as result of original bind

I would appreciate any ideas or pointers if this is possible or if there might be a better way.

Thanks in advance!
Dave

David LaPorte
david(a)davidlaporte.org
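The shim described in the post can be built from stock OpenLDAP pieces: a back-ldap proxy database in front of the new directory, with the rwm overlay rewriting the bind DN. The following slapd.conf fragment is an added example, not part of the original message or of any OpenLDAP project file. Everything in it is constructed: the hostname new-ldap.example.com, the suffix dc=example,dc=com, the attribute employeeNumber as the employee ID, the legacy DN shape employeeNumber=<id>,ou=people,dc=example,dc=com, the service account cn=shim,ou=svc,dc=example,dc=com, and the placeholder password. Option names should be checked against slapo-rwm(5) and slapd-ldap(5) for the OpenLDAP version in use.

```conf
# Added example (not from the original post): a minimal slapd.conf for an
# OpenLDAP shim that accepts binds shaped like
#   employeeNumber=<id>,ou=people,dc=example,dc=com
# from the legacy application, looks up the entry in the new directory by
# employee ID, and proxies the bind, with the user's own password, to that
# entry's real (mail=...) DN.  All names and values below are constructed.

include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/inetorgperson.schema

pidfile         /var/run/slapd/slapd.pid

# The shim sees the legacy application's clear-text simple binds, so only
# accept them over TLS.
TLSCertificateFile    /etc/openldap/certs/shim.crt
TLSCertificateKeyFile /etc/openldap/certs/shim.key

# Proxy database: every operation under the suffix is forwarded to the new
# directory.  The user's own password is what gets bound there, so the shim
# never stores or verifies passwords itself; success or failure of the
# proxied bind is returned to the application as the result of its bind.
database        ldap
suffix          "dc=example,dc=com"
uri             "ldaps://new-ldap.example.com/"
# The legacy application only needs to bind and read; refuse writes here.
readonly        on
# Bound the time a hung backend can hold the application's connection.
network-timeout 5

overlay         rwm
rwm-rewriteEngine   on

# Map type "ldap": the argument handed to the map is appended to the URI as
# the search filter, and requesting the "dn" attribute makes the map return
# the matched entry's DN.  The read-only service account is used only for
# this lookup (binddn/bindwhen/credentials option names are assumed here;
# confirm against slapo-rwm(5)).  Continuation lines start with whitespace.
rwm-rewriteMap ldap attr2dn "ldaps://new-ldap.example.com/dc=example,dc=com?dn?sub"
        binddn="cn=shim,ou=svc,dc=example,dc=com"
        bindwhen=everytime
        credentials="SERVICE_ACCOUNT_PASSWORD_PLACEHOLDER"

# Rewrite only the bind DN.  A legacy-style DN whose RDN is the employee ID
# is replaced by the DN the new directory holds for that employee; other
# DNs pass through unchanged.
#   "@"  stop rewriting once this rule has matched
#   "I"  ignore map errors (no matching entry), so the bind simply fails
rwm-rewriteContext bindDN
rwm-rewriteRule "^(employeeNumber=[^,]+),ou=people,dc=example,dc=com$"
        "${attr2dn($1)}" ":@I"
```

Two points worth checking in such a deployment: the service account's password sits in slapd.conf, so that file needs tight permissions and the account should be limited to searching the one attribute it maps; and because an unmatched employee ID leaves the bind DN untouched, a failed lookup surfaces to the application as an ordinary failed bind against a non-existent entry, which is the behaviour the post asks for but also worth logging on the shim so lookup failures can be told apart from wrong passwords.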


