Clone LDAP to non UCS-Server?

ldap
openldap

#1

Hello all,

I would like to use the authentication data of UCS in a other web server to do some authentication with LDAP.
What is the most simple way to do that? I failed by importing the UCS schema files into the other openldap server. The schema conversion created a {0}core.ldif as starting point. Importing this into openldap failed because I have not the right to modification to core (of course).

Any hints?


#2

May you would use your webserver as ldap-client.
And use libpam-ldap for this. With this you can use the authentication data without the need
to replicate it to an additional openldap server.
You can use this link as a starting point.

Best Reguards


#3

Thanks for your suggestion. This indeed is a simple idea, but the problem is that the UCS is a private installation behind an ordinary DSL connection, while “the other” server is a public machine on the Internet. And I wouldn’t like to make authentication services of this public machine directly depend on a bunch of conditions (DSL up and running, DynDNS running, VM host OK, …).
Thus the idea of decoupling via cloning.


#4

Hey,

that’s what UCS servers with the role ‘DC Slave’ are there for. They contain a copy of the LDAP directory. It’s replicated automatically from the DC Master, and in case of outages changes are queued until the connection’s up again.

The usual scenario is to run a DC Slave at the hoster, too, to make your web apps connect to the DC Slave and to establish a VPN between the hoster & your main office.

m.


#5

Thanks for this idea. While replication at this level would surely work well, it creates a huge amount of work (complete re-install of the hoster machine as UCS base) and security considerations (public machine with a VPN connection to the private net) on the other side.

Maybe I cannot circumvent a solution like this. I’ll ask the OpenLDAP people if they can help my getting the schemas imported correctly and then look what could be the way to go.