Re: Roles in OpenLDAP with back-sql

[Dan White <dwhite@olp.net>]

(CCing the list)

On 09/07/12 17:02 +0200, David Rose wrote:
> On 09/07/2012 04:17 PM, Dan White wrote:
> > On 09/07/12 15:59 +0200, David Rose wrote:
> > > Hi everyone,
> > >
> > > Is anybody know if it's possible to define roles in OpenLDAP using
> > > back-sql?
> > >
> > > Here's the thing, we need to prevent some of our users to see
> > > "everything".  We need to filter results for some groups of users. But
> > > we need these rules in the database (Postgres) to be able to change
> > > them dynamically.
> >
> > Consider using the dynamic slapd-config backend instead. See chapters 5
> > and 8 of the OpenLDAP Administrator's Guide.
>
> We have a WebApp that stores all its data in Pg and we'd like to access
> it using LDAP without having to replicate the database. And AFAIK
> slapd-config and back-sql aren't compatible.

I don't know.

> > > Problem is that, currently, when a user send a search query, OpenLDAP
> > > does not include in any way the DN of the user who made the query.
> >
> > That seems counterintuitive. Are your users binding anonymously? If so,
> > don't do that.
>
> None of our users are bind anonymously. They're logged in, LDAP knows
> who's logged in, but doesn't tell Pg when a search query is passed.

How do they 'log in'. Do they bind using user credentials directly to the
LDAP server, or do they log in to a website? If the latter, then see if
your webapp supporting binding *using the user's credentials* when querying
the ldap server. Or see if it supports binding with an authz identity
matching the user.

--
Dan White