
Re: Multiple databases



Earlier today, Matthew Geddes wrote:

> To: Open LDAP Mailing list <openldap-software@OpenLDAP.org>

Strictly speaking, this isn't OpenLDAP-specific and thus should either be on
the openldap-general mailing list, or one of the mailing lists dedicated to
the use of pam_ldap/nss_ldap modules.

Check the OpenLDAP mailing list archives for some previous discussion on the
use of these modules.  If using PADL Software's pam_ldap/nss_ldap modules,
check the README files for details on their mailing list(s).

> I am planning on using PAM_LDAP on Linux to give centralised account
> administration. I have two mail servers, one for students that can
> only send 120K e-mails and another non-restricted server for staff.
> Obviously I don't want the students to have an account on the staff
> machine. Is there any way of keeping these two separate, yet still allow
> both groups to have access to the other servers?

The first option that springs to mind is to have some context "a" representing
all users, wherein two subcontexts "b" (staff) and "c" (students) reside.
Place all your students/staff in the appropriate subcontext.

On the staff-only mail server, have the base DN set to context "b".

On the students-only mail server, have the base DN set to context "c".

On servers to which access is required for all users, set the base DN to
context "a", thus covering both groups.

How's that?

(PADL Software's pam_ldap module also supports a "host" attribute for access
control, but the view of an "account" might still be possible via nss_ldap as 
far as email is concerned - you might want to check this.)


dave