
Re: same objects in multiple ou?



> You might be able to get some ideas from here:
> http://mailman.mit.edu/pipermail/kerberos/2011-January/016989.html
> You should bear in mind that ultimately you're going to have some sort of
> "password" stored in a file somewhere on the client machine - whether it be
> a Kerberos keytab, or the private key for a TLS certificate, or something
> else.  Anyone who has root on the client box will be able to use those
> credentials.
> (Or, if you don't store it in the filesystem, you'll have to prompt the user
> to type it in every time the system starts up)
>
> When you realise this, perhaps a fixed bindDN+password doesn't seem so bad
> after all. You only need to grant it just enough access to do searches to
> map username to DN, after all.

I think I may end up just storing a name+password on workstations that
need any kind of search access to the directory. But if I can get
authz-regexp working I may not need to store passwords on anything.

I'm having a lot of trouble just getting a basic regexp example
working though.
I don't have any kind of slapd.conf set up, so I'm injecting the
updates through ldapmodify. Here's what I've tried:
#ldapmodify -Y EXTERNAL -H ldapi:///
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
dn: cn=config
add: olcAuthzRegexp
olcAuthzRegexp: uid=jrambo,ou=users,dc=example,dc=com
uid=jrambo,ou=it,ou=users,dc=example,dc=com

modifying entry "cn=config"

#ldapsearch -x -H "ldap://voss.worleyco.com/" -b "dc=worleyco,dc=com"
-D "uid=jrambo,ou=Users,dc=example,dc=com" -W
Enter LDAP Password:
ldap_bind: Invalid credentials (49)

I'm assuming that with the above instruction, requests to bind with
uid=jrambo,ou=users,dc=example,dc=com should translate to
uid=jrambo,ou=it,ou=users,dc=example,dc=com, but it doesn't appear to
be working for me. Am I missing something simple? I've restarted
slapd, verified that the object exists, credentials are valid, etc.

# rambo, IT, Users, example.com
dn: uid=jrambo,ou=IT,ou=Users,dc=example,dc=com
uid: jrambo
objectClass: account
objectClass: posixAccount
cn: jrambo
loginShell: /bin/bash
homeDirectory: /home/jrambo
uidNumber: 10000
gidNumber: 548

-Joe
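An added illustration, not part of Joe's post and not OpenLDAP code, of how authz-regexp rules are written and evaluated. Per slapd.conf(5), each rule is a regexp matched against the SASL authentication identity (the uid=<name>,cn=<realm>,cn=<mechanism>,cn=auth string that shows up as "SASL username:" in the ldapmodify session above) plus a replacement that is either a literal DN or an ldap:/// search URL; $1..$9 in the replacement refer to capture groups, the first matching rule wins, and a search URL must return exactly one entry. A simple bind with -D presents a DN rather than a SASL identity, so it is not the path these rules are designed for; a SASL bind (-Y EXTERNAL, GSSAPI, etc.) is what exercises them. The script below re-implements that evaluation in Python over a constructed in-memory directory in which jrambo lives under ou=IT, which is exactly the case where a search URL (rather than a fixed DN substitution) is the natural replacement. The directory contents, the cn=admin,cn=config target, the EXAMPLE.COM realm and the duplicate "bob" entries are all constructed for the example; the scope and filter handling is a deliberate simplification (single equality filter, no escaped commas).

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed toy directory: DN -> attributes. jrambo lives under ou=IT
# (as in Joe's entry); "bob" is deliberately duplicated to show what
# happens when a search URL matches more than one entry.
DIRECTORY: Dict[str, Dict[str, str]] = {
    "uid=jrambo,ou=IT,ou=Users,dc=example,dc=com": {"uid": "jrambo"},
    "uid=alice,ou=Sales,ou=Users,dc=example,dc=com": {"uid": "alice"},
    "uid=bob,ou=IT,ou=Users,dc=example,dc=com": {"uid": "bob"},
    "uid=bob,ou=Sales,ou=Users,dc=example,dc=com": {"uid": "bob"},
}

# authz-regexp rules in slapd.conf(5) form: (match regexp, replacement).
# Order matters: the first rule whose pattern matches is the one applied.
# Patterns are anchored explicitly so a partial match cannot slip through.
RULES: List[Tuple[str, str]] = [
    # root over ldapi:/// (SASL/EXTERNAL peer credentials) -> a fixed DN
    (r"^gidNumber=0\+uidNumber=0,cn=peercred,cn=external,cn=auth$",
     "cn=admin,cn=config"),
    # Kerberos principals in a (constructed) EXAMPLE.COM realm: look the
    # uid up anywhere below ou=Users, since users sit in per-team OUs
    (r"^uid=([^,]*),cn=example\.com,cn=gssapi,cn=auth$",
     "ldap:///ou=Users,dc=example,dc=com??sub?(uid=$1)"),
    # Any other SASL mechanism without a realm component
    (r"^uid=([^,]*),cn=[^,]*,cn=auth$",
     "ldap:///ou=Users,dc=example,dc=com??sub?(uid=$1)"),
]


def _in_scope(dn: str, base: str, scope: str) -> bool:
    """Simplified LDAP scope check (case-insensitive, no escaped commas)."""
    dn_l, base_l = dn.lower(), base.lower()
    if scope == "base":
        return dn_l == base_l
    if scope == "one":
        return (dn_l.endswith("," + base_l)
                and "," not in dn_l[: -len(base_l) - 1])
    return dn_l == base_l or dn_l.endswith("," + base_l)  # "sub"


def search_url(url: str, directory=DIRECTORY) -> List[str]:
    """Resolve an ldap:///base?attrs?scope?filter replacement against the
    toy directory. Only a single (attr=value) equality filter is supported."""
    if not url.lower().startswith("ldap:///"):
        raise ValueError("not an ldap:/// URL")
    parts = url[len("ldap:///"):].split("?")
    parts += [""] * (4 - len(parts))
    base, _attrs, scope, filt = parts[:4]
    fm = re.fullmatch(r"\((\w+)=([^)]*)\)", filt)
    if fm is None:
        raise ValueError(f"unsupported filter: {filt!r}")
    attr, value = fm.group(1).lower(), fm.group(2).lower()
    return [dn for dn, attrs in directory.items()
            if _in_scope(dn, base, scope or "base")
            and attrs.get(attr, "").lower() == value]


def map_identity(authcid: str, rules=RULES, directory=DIRECTORY) -> Optional[str]:
    """Apply the rule list the way slapd does: first match wins; a literal
    DN replacement is returned as-is (it need not exist); a search URL must
    yield exactly one entry, otherwise the mapping fails (None). With no
    matching rule the identity is used unmapped."""
    for pattern, replacement in rules:
        # slapd compiles these as case-insensitive extended regexps
        m = re.search(pattern, authcid, re.IGNORECASE)
        if m is None:
            continue
        target = re.sub(r"\$([1-9])",
                        lambda g: m.group(int(g.group(1))), replacement)
        if not target.lower().startswith("ldap:///"):
            return target
        hits = search_url(target, directory)
        return hits[0] if len(hits) == 1 else None
    return authcid


def main() -> None:
    # Constructed SASL identities, in the form slapd reports as "SASL username:"
    for ident in [
        "gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth",
        "uid=jrambo,cn=EXAMPLE.COM,cn=gssapi,cn=auth",
        "uid=alice,cn=digest-md5,cn=auth",
        "uid=bob,cn=EXAMPLE.COM,cn=gssapi,cn=auth",      # ambiguous: two bobs
        "uid=mallory,cn=EXAMPLE.COM,cn=gssapi,cn=auth",  # no such entry
    ]:
        print(f"{ident}\n  -> {map_identity(ident)}")


if __name__ == "__main__":
    main()
```

The two failure modes at the end of main() are the ones worth watching in a real deployment: a search URL that matches nothing or more than one entry makes the bind fail rather than silently picking an entry, so a uid that is not unique across the OUs under ou=Users will lock that user out until the duplicate is resolved.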