
Re: OpenLDAP Hooks and Integration

Rik Herrin wrote:
  I was wondering if the following is doable using
OpenLDAP.  Is it possible for the server to obtain
information and store it in an entry when the user
authenticates against it?

Your question is poorly specified, which indicates that your objective is poorly conceived and you really have no idea what you're asking for. Using my psychic abilities I'm going to do your thinking for you and take a stab at answering anyway.

  For example, when a user
logs in, would it be possible to configure the
OpenLDAP server to obtain things such as the IP and
store them in one of the user's attributes?  I wanted
to do this so that I can integrate OpenLDAP with
iptables or any other service (perhaps a proxy
service).  Thanks for your time.

Since you are talking about iptables it appears you're interested in what happens after a user logs into a Linux system. The fact that LDAP is used to verify the user's authentication to Linux is incidental. In this scenario, what you're looking for is purely an application-level concern. I.e., the module that performs the Linux authentication using LDAP should be responsible for squirreling away whatever other information you're interested in maintaining. Note that in this scenario it is impossible for the LDAP server to *gather* any useful information about the *user's* IP address; the only thing the LDAP server sees is the IP address of the Linux machine requesting the authentication. Only the Linux machine knows the actual IP address of the user. Also, even if the LDAP server could somehow divine the necessary information about the user, the information is of no value to the LDAP server itself. It is up to your application-side code to query the attributes anyway. So all of the development required to implement this feature you desire rests on the application side.

When you take the time to think through the actual flow of information and steps needed to process it, it's all pretty obvious. No need to wonder.

 -- Howard Chu
 Chief Architect, Symas Corp.  http://www.symas.com
 Director, Highland Sun        http://highlandsun.com/hyc
 OpenLDAP Core Team            http://www.openldap.org/project/
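
Added example, not part of the original message: a sketch of the application-side approach the reply describes, written as a hook for pam_exec(8) on the Linux machine, which is the only place the user's remote address (PAM_RHOST) is known. The base DN, bind DN, secret file path, `uid=` naming and the use of the `description` attribute are assumptions; inputs are validated so a crafted user name or host string cannot alter the DN or inject LDIF lines.

```shell
#!/bin/sh
# Added example: hook for pam_exec(8), e.g. in a PAM service file:
#   session optional pam_exec.so /usr/local/sbin/record-login-ip.sh
# pam_exec exports PAM_USER, PAM_RHOST and PAM_TYPE to the script.
# BASE_DN, BIND_DN, the secret file and 'description' are assumptions.

BASE_DN="${BASE_DN:-ou=people,dc=example,dc=com}"

# Accept only conservative login names so nothing can alter the DN or LDIF.
valid_user() {
    case "$1" in
        ''|*[!a-z0-9_.-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Accept only IPv4/IPv6 literal characters. PAM_RHOST may be empty (local
# login) or a hostname; in both cases nothing is recorded.
valid_addr() {
    case "$1" in
        ''|*[!0-9a-fA-F.:]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the LDIF that replaces the attribute on the user's entry.
build_ldif() {
    user=$1 addr=$2
    valid_user "$user" || return 1
    valid_addr "$addr" || return 1
    printf 'dn: uid=%s,%s\n' "$user" "$BASE_DN"
    printf 'changetype: modify\n'
    printf 'replace: description\n'
    printf 'description: last-login-ip %s\n' "$addr"
}

# Act only when pam_exec invokes the script for a session open.
if [ "${PAM_TYPE:-}" = "open_session" ]; then
    # Never block the login if the input is rejected; just skip the write.
    ldif=$(build_ldif "${PAM_USER:-}" "${PAM_RHOST:-}") || exit 0
    printf '%s\n' "$ldif" |
        ldapmodify -x -H "${LDAP_URI:-ldap://localhost}" \
            -D "${BIND_DN:-cn=loginwriter,dc=example,dc=com}" \
            -y /etc/record-login-ip.secret
fi
```

The bind identity used for the write should be limited by ACL to that single attribute, since every login host holds its credential.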