
Re: OpenLDAP Hooks and Integration

Thank you Howard, Pierangelo, and Buchan for your
replies and your time.  I'll look into the links.


--- Howard Chu <hyc@symas.com> wrote:

> Rik Herrin wrote:
> > Hi,
> >   I was wondering if the following is doable using
> > OpenLDAP.  Is it possible for the server to obtain
> > information and store it in an entry when the user
> > authenticates against it?
> Your question is poorly specified, which indicates that your objective
> is poorly conceived and you really have no idea what you're asking for.
> Using my psychic abilities I'm going to do your thinking for you and
> take a stab at answering anyway.

Although my question may not be as clear as I would
have liked it to be, my objective is not poorly
conceived, although I must admit your psychic abilities
are to be commended :D  I was thinking of something
like Sendmail's Milter API but I only need it to be
read-only and not modify.  So I could hook the bind
request on the server and extract an IP upon
successful authentication.

> >   For example, when a user logs in, would it be possible to configure
> > the OpenLDAP server to obtain things such as the IP and store them in
> > one of the user's attributes?  I wanted to do this so that I can
> > integrate OpenLDAP with iptables or any other service (perhaps a proxy
> > service).  Thanks for your time.
> Since you are talking about iptables it appears you're interested in
> what happens after a user logs into a Linux system.

The client can also be a windows machine, not just a
Linux client.  Integration with iptables is but one

> The fact that LDAP is used to verify the user's authentication to Linux
> is incidental. In this scenario, what you're looking for is purely an
> application-level concern. I.e., the module that performs the Linux
> authentication using LDAP should be responsible for squirreling away
> whatever other information you're interested in maintaining. Note that
> in this scenario it is impossible for the LDAP server to *gather* any
> useful information about the *user's* IP address; the only thing the
> LDAP server sees is the IP address of the Linux machine requesting the
> authentication. Only the Linux machine knows the actual IP address of
> the user.

I don't quite see the difference between the two.  If
user A sits on a machine with IP and uses
it to connect, all I'm looking for is so that the LDAP
server can add / initialize an attribute when user A
successfully logs in and store  If the
LDAP server could register callbacks in the same way
that the Sendmail milter does, that would be even
better as the application in question (iptables in
this question) could be updated immediately without it
having to query the LDAP server for information.

> Also, even if the LDAP server could somehow divine the necessary
> information about the user, the information is of no value to the LDAP
> server itself. It is up to your application-side code to query the
> attributes anyway. So all of the development required to implement this
> feature you desire rests on the application side.
> When you take the time to think through the actual flow of information
> and steps needed to process it, it's all pretty obvious. No need to
> wonder.
> -- 
>   -- Howard Chu
>   Chief Architect, Symas Corp.  http://www.symas.com
>   Director, Highland Sun        http://highlandsun.com/hyc
>   OpenLDAP Core Team            http://www.openldap.org/project/
