
Re: openldap and service permissions



On Tue Feb 22 2005 at 08:36:49 CET, myren wrote:

> >>I'd like large grained control over my services like FTP & Samba. 
> >>They're set up to use LDAP for user authentication.  I'd like to be 
> >>able to enable and disable services on a per user basis.  Eventually 
> >>I'd like to enable and disable on a per group basis as well.
...
> Can't you just add some attribute to the user schema for each service and 
> check that?  That doesn't seem all that heavily relational.

We have an attribute called `service' in each person's entry. This multi-
valued attribute type holds a word for each service (e.g.: 'ftp', 'samba',
'squid', etc.) and we modify (or simply configure) the server program to
query that attribute type, with a filter such as

	(&(objectclass=person)(uid=jdoe)(service=ftp))

Has been doing the trick wonderfully for a number of services.

	-JP
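
An added example, not part of the original message or the poster's setup: building the per-service filter from a login name with RFC 4515 escaping, so that characters such as `*`, `(` and `)` in the name stay literal and cannot change which entries match. The helper names, the constructed entries, the case-insensitive comparison and the small in-memory matcher (a stand-in for the directory server) are all assumptions made for illustration.

```python
import re

# RFC 4515 characters that must be escaped inside a filter assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}
_TERM = re.compile(r"\(([A-Za-z]+)=((?:[^()\\*]|\\[0-9a-fA-F]{2})*)\)")

def escape_filter_value(value: str) -> str:
    """Escape filter metacharacters so the value is matched literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def service_filter(uid: str, service: str) -> str:
    """Build the filter from the message for one user and one service."""
    return "(&(objectclass=person)(uid={})(service={}))".format(
        escape_filter_value(uid), escape_filter_value(service))

def _unescape(value: str) -> str:
    """Turn \\XX hex escapes back into the characters they stand for."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)

def matches(entry: dict, ldap_filter: str) -> bool:
    """Toy matcher: every (attr=value) term must equal some value of attr."""
    terms = _TERM.findall(ldap_filter)
    return bool(terms) and all(
        _unescape(val).lower() in (v.lower() for v in entry.get(attr.lower(), []))
        for attr, val in terms)

# Constructed sample entries; 'service' is the multi-valued attribute.
ENTRIES = [
    {"objectclass": ["person"], "uid": ["jdoe"], "service": ["ftp", "samba"]},
    {"objectclass": ["person"], "uid": ["asmith"], "service": ["squid"]},
]

def allowed(uid: str, service: str, entries=ENTRIES) -> bool:
    """True if some entry matches the filter for this user and service."""
    ldap_filter = service_filter(uid, service)
    return any(matches(entry, ldap_filter) for entry in entries)

if __name__ == "__main__":
    for uid, svc in [("jdoe", "ftp"), ("jdoe", "squid"), ("*", "ftp")]:
        print(uid, svc, service_filter(uid, svc), allowed(uid, svc))
```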