We're in the process of setting up a Jabber server on Amazon EC2 right now, and we'd like to have our internal users authenticate via LDAP so we don't have to create/manage a set of user accounts separate from the master directory in the office.
My question is: is there a way to copy, unidirectionally, a segment of our internal LDAP directory (the user accounts OU) to an external LDAP server and authenticate Jabber against that?
We're trying to work around having our externally hosted machines out in the cloud accessing our internal network directly... If we can replicate in one direction only a subset of the user accounts, then if that gets compromised we don't necessarily have a critical security breach into our internal network.
You can export part of your LDAP tree with ldapsearch to an LDIF file and add it to your other LDAP server with ldapadd or ldapmodify. There are also products which support automatic or semi-automatic replication in one direction, like the Fedora Directory Server.
Jabber can be authenticated against LDAP, but I can't tell you how. Perhaps someone else can answer this part.
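As an added example (not part of any answer above): a small Python script that takes an ldapsearch LDIF export and keeps only the entries under the user-accounts OU, and only the attributes the cloud Jabber server needs, so the file handed to ldapadd carries as little as possible if the replica is ever compromised. The OU name, attribute list and sample entries are assumed placeholders.

```python
import base64
# Constructed sample in the shape of `ldapsearch -LLL` output: one user under
# the user-accounts OU and one group that must not be pushed out (placeholders).
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
userPassword:: e1NTSEF9cGxhY2Vob2xkZXI=
description: internal HR note that must stay
  inside the office directory

dn: cn=admins,ou=Groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=People,dc=example,dc=com
"""

def parse_ldif(text):
    """Return [(dn, {attr: [values]})] with RFC 2849 folding and base64 undone."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]  # continuation of the previous line
        else:
            lines.append(raw)
    records, dn, attrs = [], None, {}
    for line in lines + [""]:  # sentinel flushes the last entry
        if not line:
            if dn is not None:
                records.append((dn, attrs))
            dn, attrs = None, {}
        elif not line.startswith(("#", "version:")):
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                value = base64.b64decode(value[1:].strip()).decode()
            else:
                value = value.strip()
            if name.lower() == "dn":
                dn = value
            else:
                attrs.setdefault(name, []).append(value)
    return records

def filter_for_replica(records, base_dn, allowed_attrs):
    """Keep entries under base_dn with only the attributes the Jabber server needs."""
    base, allowed = base_dn.lower(), {a.lower() for a in allowed_attrs}
    kept = []
    for dn, attrs in records:
        if dn.lower() == base or dn.lower().endswith("," + base):
            kept.append((dn, {k: v for k, v in attrs.items() if k.lower() in allowed}))
    return kept
```

Run it over the real ldapsearch output and write the kept entries back out as LDIF for ldapadd; anything outside the OU (groups, HR notes, phone numbers) never leaves the office directory.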
Once you get an LDIF file created, ldapdiff (https://launchpad.net/ldapdiff) is an awesome tool for syncing changes between LDAP servers.
If I understand correctly, you want to "push" some accounts from your internal LDAP directory out to another directory in the cloud?
If your directory is OpenLDAP, you can set up partial replication using a push-based config. See their admin guide.
If not, you can use a synchronization tool that will connect to your internal directory, query it for the accounts you want to push out, and connect to your directory in the cloud to update them there. LDAP Synchronization Connector (LSC) is one such tool that would do this, available as open source.