
Re: Filter on DN

Dieter Kluenter <dieter@dkluenter.de> 08/23/04 01:46pm
>Imobach González Sosa <igonzalez@becarios.ulpgc.es> writes:
>> Hi all,
>> We have an OpenLDAP server to authenticate our users. The namespace
>> is divided into three "organizations":
>> ou=Students,ou=Personal,dc=XXX,dc=XXX
>> ou=Teachers,ou=Personal,dc=XXX,dc=XXX
>> ou=Administrative,ou=Personal,dc=XXX,dc=XXX
>> We have also two IMAP servers: the first one authenticates users in
>> "ou=Students". That's right and works fine. But the other one has to
>> authenticate against Teachers and Administrative. So I need a
>> filter to search only in those namespaces.
>> Is this possible? Any ideas?
>Would groups be a sufficient approach? Either static or dynamic
>groups. Say a group cn=staff with teachers and administration staff
>members and a group cn=students, with all students as members.
>Dieter Klünter | Systemberatung
>Tel.: +49.40.64861967
>Fax : +49.40.64891521
Hello Imobach,

What authentication mechanism does your IMAP server use (saslauthd,
ploader, PAM, etc.)? What attribute is it searching for for
authentication (eMailAddress, mailLocalAddress, uid, etc.)? If your
concern is only IMAP authentication, you must be using either the e-mail
address or some unique uid, or is there a chance that the same info
would be found in the Students tree and the Teachers/Administrative
trees? If, for example you are searching for the e-mail address, it
_must_ be unique by default and you do not need to limit the search.

You could also limit the search by the user that the IMAP server binds
as. In your access statements the user (for instance)
cn=IMAPStudents,ou=Servers,dc=XXX,dc=XXX would have access only to the
ou=Students branch and the Student's IMAP server would bind as
cn=IMAPStudents..., and the cn=IMAPTeachers,ou=Servers,dc=XXX,dc=XXX
user would have access to the ou=Teachers and ou=Administrative branches
and their IMAP server would bind as cn=IMAPTeachers....

Another possibility (what I do) is to have slave ldap servers on each
IMAP server with only the parts it is interested in replicated to it;
i.e. the Students IMAP server would only have
ou=Students,ou=Personal,dc=XXX,dc=XXX and the other IMAP server would
have the other two branches. That way, all the authentication queries
are done on the local machine (possibly using a unix socket rather than
a tcp socket).

This, of course, does not address other uses of the LDAP database, only
your original question.
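A worked slapd.conf fragment for the second approach in the reply above (one service account per IMAP server, each restricted by ACL to its own branches). This is an added example, not something posted in the thread; it uses the thread's placeholder suffix dc=XXX,dc=XXX and the service-account DNs cn=IMAPStudents,ou=Servers,dc=XXX,dc=XXX and cn=IMAPTeachers,ou=Servers,dc=XXX,dc=XXX that the reply proposes. It assumes the IMAP side first searches for the user's entry while bound as the service account and then binds as the user (the usual saslauthd/pam_ldap flow), so the user's own bind must still be allowed.

```conf
# slapd.conf access control for two IMAP service accounts.
# Added example, not from the original thread. Assumed names:
#   cn=IMAPStudents,ou=Servers,dc=XXX,dc=XXX  -> Students IMAP server
#   cn=IMAPTeachers,ou=Servers,dc=XXX,dc=XXX  -> Teachers/Administrative IMAP server
#
# slapd evaluates "access to" clauses in order and the first clause whose
# <what> matches the entry/attribute wins, so the userPassword rules must
# come before the general per-branch rules.

# Passwords are never readable; they may only be used for a bind ("auth").
# "self write" lets a user change their own password.
access to dn.subtree="ou=Personal,dc=XXX,dc=XXX" attrs=userPassword
        by self write
        by anonymous auth
        by * none

# Students branch: searchable/readable only by the Students service account
# and by the entry's owner. Everyone else, including cn=IMAPTeachers, gets
# "no such object" rather than a hit.
access to dn.subtree="ou=Students,ou=Personal,dc=XXX,dc=XXX"
        by dn.exact="cn=IMAPStudents,ou=Servers,dc=XXX,dc=XXX" read
        by self read
        by * none

# Teachers and Administrative branches: only the Teachers service account.
access to dn.subtree="ou=Teachers,ou=Personal,dc=XXX,dc=XXX"
        by dn.exact="cn=IMAPTeachers,ou=Servers,dc=XXX,dc=XXX" read
        by self read
        by * none

access to dn.subtree="ou=Administrative,ou=Personal,dc=XXX,dc=XXX"
        by dn.exact="cn=IMAPTeachers,ou=Servers,dc=XXX,dc=XXX" read
        by self read
        by * none

# The service accounts themselves: bindable, passwords otherwise hidden.
access to dn.subtree="ou=Servers,dc=XXX,dc=XXX" attrs=userPassword
        by anonymous auth
        by * none

# Everything else (the suffix entry and the ou=Personal container, which a
# subtree search from ou=Personal has to traverse) is readable by any
# authenticated identity; anonymous sees nothing.
access to *
        by users read
        by * none
```

With this in place both IMAP servers can use the same search base, ou=Personal,dc=XXX,dc=XXX with subtree scope, and a plain filter such as (uid=%u); the directory, not the filter, decides which branch each server can see, because a standard LDAP search filter matches attribute values and cannot match on the DN itself. Check it with ldapsearch bound as each service account: a search for a student uid bound as cn=IMAPTeachers must return zero entries, and the same search bound as cn=IMAPStudents must return exactly one. Note the limit of the approach: it hides the entry from the wrong IMAP server, but a student's credentials are still valid for a direct bind to slapd from anywhere, so it is an authorization boundary at the directory, not a second password.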