
Re: Multiple Search Paths





Cory Petkovsek wrote:

On Thu, Oct 02, 2003 at 09:02:59AM -0400, Tibbetts, Ric wrote:


All;
This is probably a quick & simple one.
I need to set up multiple search paths for user accounts.
I have several departments in my DIT that could contain department-only accounts, as well as a general user base. So for any given user (within a domain), I need to do two searches (for login authentication).


My main user base is in (for example):

	ou=People,dc=ldap-test,dc=com

With department specific accounts in:

ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com



I did something like:

ou=people,dc=petersen-arne,dc=com
ou=reps,ou=people,dc=petersen-arne,dc=com
ou=misc,ou=people,dc=petersen-arne,dc=com

Then in my libnss-ldap.conf I have:
base ou=People,dc=petersen-arne,dc=com
nss_base_passwd         ou=People,dc=petersen-arne,dc=com?sub
nss_base_shadow         ou=People,dc=petersen-arne,dc=com?sub
nss_base_group          ou=Group,dc=petersen-arne,dc=com?one

?sub being the operative key word.  I can authenticate against ou=people
and ou=*,ou=people.

Cory


I looked at using "sub" for the search scope, and it does work. But it opens a door I don't want.
My tree looks like:


        dc=ldap-test,dc=com
                 |
              dc=mlb
                 |
     -------------------------
     |           |           |
  dc=eng      dc=dev      dc=test


I keep the base users in ou=People,dc=ldap-test,dc=com
And then project specific accounts in (for example) ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com


But I don't want "everyone" to have access to them.
So if a box is in the dev area, they would not see the users for the eng area.
This is trivial on Solaris. In the profile, just do something like:


SolarisDataSearchDN "passwd:(ou=People,dc=ldap-test,dc=com),(ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com)"

I thought Linux would have an equivalent to that. It's exactly what I need, but I can't find an equiv.

Anyone?

Thanks!

-Ric
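To make the "opens a door" concern concrete, here is an added example (not from the thread) that models which account entries a host can enumerate under a given set of nss_base_passwd values, using LDAP scope semantics (base/one/sub). The account DNs are constructed from the tree Ric describes; treating a missing `?scope` as `sub` and ignoring escaped commas in DNs are simplifications.

```python
# Added example: compare what one wide "?sub" base exposes against two
# explicit per-host bases (the SolarisDataSearchDN idea from the thread).

def parse_dn(dn):
    """Split a DN into normalised RDN components, leaf first, root last.
    Simplification: attribute values contain no escaped commas."""
    return [rdn.strip().lower() for rdn in dn.split(",")]

def in_scope(entry_dn, base_dn, scope):
    """True if entry_dn is returned by a search with this base and scope."""
    entry, base = parse_dn(entry_dn), parse_dn(base_dn)
    depth = len(entry) - len(base)
    if depth < 0 or entry[depth:] != base:
        return False  # entry does not sit under the base at all
    return {"base": depth == 0, "one": depth == 1, "sub": True}[scope]

def parse_nss_base(value):
    """Parse an nss_base_passwd value 'base?scope'.
    Assumption: a missing scope means 'sub'."""
    base, _, scope = value.partition("?")
    return base, (scope or "sub")

def visible_accounts(nss_bases, entries):
    """Accounts a host with these nss_base_passwd values can enumerate."""
    bases = [parse_nss_base(v) for v in nss_bases]
    return sorted(e for e in entries
                  if any(in_scope(e, b, s) for b, s in bases))

# Constructed sample accounts laid out like the tree in the thread.
ACCOUNTS = [
    "uid=alice,ou=People,dc=ldap-test,dc=com",               # general user
    "uid=bob,ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com",   # eng only
    "uid=carol,ou=People,dc=dev,dc=mlb,dc=ldap-test,dc=com", # dev only
    "uid=dave,ou=People,dc=test,dc=mlb,dc=ldap-test,dc=com", # test only
]

# Cory's approach applied to this tree: ou=People,dc=eng,... is not under
# ou=People,dc=ldap-test,dc=com, so a ?sub search there misses it.
PEOPLE_SUB = ["ou=People,dc=ldap-test,dc=com?sub"]
# The only single base covering both OUs also hands every department's
# accounts to every host.
WIDE = ["dc=ldap-test,dc=com?sub"]
# Two explicit bases for a box in the eng area.
ENG_HOST = ["ou=People,dc=ldap-test,dc=com?one",
            "ou=People,dc=eng,dc=mlb,dc=ldap-test,dc=com?one"]

if __name__ == "__main__":
    for label, cfg in (("people?sub", PEOPLE_SUB), ("wide", WIDE), ("eng box", ENG_HOST)):
        print(f"{label:11}: {visible_accounts(cfg, ACCOUNTS)}")
```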