[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: openldap 2.1 and alias/referral

On Thu, 2004-10-28 at 11:12, Ricardo Kirkner wrote:
> Hi.
> I am trying to create some alias objects in my ldap server, but whenever 
> I do so, I get errors.
> For example, if I try to insert the following record
> dn: uid=myuser,ou=branchB,o=myorg
> objectClass: alias
> aliasedObjectName: uid=myuser,ou=branchA,o=myorg
> I get an error telling me that the uid attribute is missing. If I add 
> the uid attribute to the ldif, I get an error telling me that the uid 
> attribute is not allowed.
> I also tried to insert referrals instead of alias, but I get the same 
> results.
> Can anyone tell me what is going wrong? Are alias objects supported in 
> OpenLDAP 2.1.x?
> Maybe I am doing the wrong approach. I tried to use aliases, because I 
> want to be able to give different permissions to the same person, based 
> on different contexts (e.g. I want to allow user 1 to login to host A 
> and C, but not to B,D and E)
> I thought on having a branch for each host, and inserting aliases into 
> this branch for the people allowed to access that host (the host would 
> lookup users on its branch)
> Is this the preferred way? or is there a better way of doing this?
> Thanks,
> ricardo

We specify an attribute (for you, maybe localHostAccess).  Perhaps, your
user should have:
dn: uid=myuser,ou=people,o=myorg
objectClass: myLocalObjectClass
localHostAccess: hostA
localHostAccess: hostB

Then, at the host, we specify a user filter to describe who has access. 
For example, on hostA, you might use a filter:

This follows well with the concept of "single user, multiple roles".


Matthew J. Smith <matt.smith@uconn.edu>
University of Connecticut ITS
PGP Key: http://web.uconn.edu/dotmatt/matt.asc

Attachment: signature.asc
Description: This is a digitally signed message part