
back-ldap ACL help needed!



I'm trying to configure an ldap proxy using back-ldap to allow access to a
subset of entries and attributes from our main ldap servers to serve as a
campus directory for email software.

For example, we want to allow only the entries that have the attribute value
employeeType=staff to be visible. I can do this by adding an ACL on the
proxy like this:

access to dn.subtree="ou=people,dc=example,dc=com"
filter=(!(employeeType=staff))
	by * none

However, the ACL will only work if the value of the attribute employeeType
is received from the backend server.

For example, the following requests work OK:
ldapsearch "(|(mail=Joe*)(cn=Joe*))" 
ldapsearch "(|(mail=Joe*)(cn=Joe*))" mail cn employeeType

but this request (which is what most clients will do) does not return any
results since the attribute employeeType is empty:
ldapsearch "(|(mail=Joe*)(cn=Joe*))" mail cn 

Is there a way to force the proxy to request the list of attributes required
in the ACLs even if the client does not request them? Is that possible with
a rewriteRule? 

Or is there a better way to do this?

Thanks for any help!

Luc.
--
Luc Germain, analyst
Service des technologies de l'information
Université de Sherbrooke, Sherbrooke (Québec) Canada  
email: Luc.Germain@USherbrooke.ca
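As an added illustration (not part of Luc's post, and not slapd code), a small Python model of the behaviour described above: the ACL filter is evaluated on whatever attributes the proxy received from the backend, so when the client does not ask for employeeType every entry fails the check and disappears. The entries, and the force_acl_attrs flag standing in for the workaround the post asks about, are constructed assumptions for the model only.

```python
"""Model of the ACL problem in the post above: a filter-based ACL can only
be evaluated on attributes the proxy actually received from the backend.
Constructed example; it does not run slapd and models only what the post
describes."""

# Constructed backend entries (assumption: what the main server holds).
BACKEND = {
    "uid=joe,ou=people,dc=example,dc=com": {
        "cn": ["Joe"], "mail": ["joe@example.com"], "employeeType": ["staff"]},
    "uid=ann,ou=people,dc=example,dc=com": {
        "cn": ["Ann"], "mail": ["ann@example.com"], "employeeType": ["student"]},
}

ACL_ATTRS = ("employeeType",)  # attributes the ACL filter tests


def proxy_fetch(dn, requested, force_acl_attrs=False):
    """Attributes the proxy gets back. Without the workaround it asks the
    backend only for what the client requested (empty list = everything);
    with it, the ACL attributes are always added to the backend request."""
    entry = BACKEND[dn]
    if not requested:
        return dict(entry)
    wanted = set(requested) | (set(ACL_ATTRS) if force_acl_attrs else set())
    return {a: v for a, v in entry.items() if a in wanted}


def acl_denies(entry):
    """'filter=(!(employeeType=staff)) by * none': the entry is hidden when
    the negated filter matches. A missing attribute never equals 'staff',
    so the negation matches and the entry disappears (fails closed)."""
    return "staff" not in entry.get("employeeType", [])


def search(requested, force_acl_attrs=False):
    """DNs the client sees, each with only the attributes it asked for."""
    result = {}
    for dn in BACKEND:
        entry = proxy_fetch(dn, requested, force_acl_attrs)
        if acl_denies(entry):
            continue
        keep = set(requested) if requested else set(entry)
        result[dn] = {a: v for a, v in entry.items() if a in keep}
    return result
```

search(["mail", "cn"]) reproduces the empty result from the post, while the same request with force_acl_attrs=True returns Joe without leaking employeeType to the client.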