[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Question to meta-backend / ldap-backend

To: openldap-software@openldap.org
Subject: Re: Question to meta-backend / ldap-backend
From: Wilhelm Meier <wilhelm.meier@fh-kl.de>
Date: Sun, 26 Oct 2008 08:22:26 +0100
Cc: Dieter Kluenter <dieter@dkluenter.de>
Content-disposition: inline
In-reply-to: <871vy4ijs8.fsf@rubin.l4b.de>
References: <200810251220.35926.wilhelm.meier@fh-kl.de> <871vy4ijs8.fsf@rubin.l4b.de>
User-agent: KMail/1.9.10

Am Samstag 25 Oktober 2008 schrieb Dieter Kluenter:
> Wilhelm Meier <wilhelm.meier@fh-kl.de> writes:
> > Hi,
> >
> > I think this is a relative simple question but I did not use the
> > meta/ldap-backend before.
> >
> > We have an openldap-server for user authentification. The user
> > bind as
> >
> > uid=<user>,ou=Benutzer,dc=kmux,dc=de
> >
> > where <user> is the actual username.
> >
> > We have a diffent application where only users of a special
> > posixGroup "Archiv" should be valid. The application is not
> > capable of doing some sort of filtering.
> >
> > So, I thought it must be passoble to do this filtering with the
> > meta or ldap-backup using the original ldap-db:
> >
> > the filter should look like:
> >
> > (&(cn=Archiv)(memberUid=<user>)(objectClass=posixGroup))
> >
> > where <user> is the username as above.
>
> You don't provide an example of the applications searchstring, so
> only as a general hint, the rewrite engine of back-ldap, back-meta
> or back-relay might meet your requirements, man slapo-rwm(5), man
> slapd-meta(5), slapd-relay(5) provide some information.

The structure of the DIT is that we have the users below 
ou=Benutzer,dc=kmux,dc=de with dn as described above. They are of 
ObjectClass posixAccount, ...

Then we have the PosixGroups below ou=Gruppen,dc=kmux,dc=de, e.g. 
cn=Archiv,ou=Gruppen,dc=kmux,dc=de. The posixGroup objectClass has 
the user-objects as the multi-value attribute memberUid. This is the 
normal case for pam-authentification.

My simple thought was to transparently "filter out" the user-objects 
not belonging to the correct posixGroup: construct an DIT where all 
non-"Archiv" user are not visible, for the example above.

The application users should then bind to the meta-ldap uri with a 
different base-dn, e.g. ou=Archiv,dc=kmux,dc=de.

This leads to the generell problem to make all the users of posixGroup 
xyz visible under the ou=xyz,ou=Gruppen, ...

Thanks in advance for any hints! 
-- 
Wilhelm

Follow-Ups:
- Re: Question to meta-backend / ldap-backend
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

References:
- Question to meta-backend / ldap-backend
  - From: Wilhelm Meier <wilhelm.meier@fh-kl.de>
- Re: Question to meta-backend / ldap-backend
  - From: "Dieter Kluenter" <dieter@dkluenter.de>

Prev by Date: Some entries not syncing to slave using syncrepl
Next by Date: R: Question to meta-backend / ldap-backend
Index(es):
- Chronological
- Thread