[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Need to authenticate non-existent users.

To: sigurbjartur@ejs.is
Subject: Re: Need to authenticate non-existent users.
From: Marcio Scheibler <mds@smail.ufsm.br>
Date: Thu, 03 Nov 2005 11:28:02 -0200
Cc: OpenLDAP-software@OpenLDAP.org
In-reply-to: <6E896FCF0A8C9B43B2BB1D2BAE0A25E086DB89@ejsmail.ejs.is>
Organization: UFSM
References: <6E896FCF0A8C9B43B2BB1D2BAE0A25E086DB89@ejsmail.ejs.is>
User-agent: Mozilla Thunderbird 1.0.2 (X11/20050817)

Hello...

I have other problem that seems to be related to yours...
I'm also dealing with back-sql. I have to access a legacy
database for person objects.

In this other scenario, users (person objects) already
exist but they still don't have a "uid" attribute (there will
be an external process for assigning "uid" later).

Since I need persons in directory even before they get their
uid (they are DN-referenced by other objects), I generate their
RDN using other numerical attribute (a legacy ID).

However, I think it's not feasible use that ID-built DN for
users bind/log-in (in fact, a internal database ID should not
be exposed to users). Users should be able to bind using a
uid-based DN, once they get an uid assigned for them. And
as long as I have references pointing to ID-built DN, modifying
DN through MODRN or removing and reinserting does not look a good
choice.

Regardless SASL id-mappings, I'm looking for other ways (back-meta rewrites, alias objects (can I bind as such ?)).

Regards.

sigurbjartur@ejs.is escreveu:

Hi everyone,

   I'm faced with an interesting problem.

   I'm using OpenLDAP to authenticate users.  For reasons I won't go
into much detail about, I need to make OpenLDAP return objects, that do
not exist, as if they did.

   For example, if I do a query with the following search filter:
(&(objectClass=person)(uid=foobar)) I need to make OpenLDAP return a
LDAP result with the attributes and values from the search filter if the
directory returns 0 matches.  If, on the other hand, the object does
exist, it would return the object from the directory.

Currently I'm using back-sql as the back-end.

My resolution was to either modify the backsql_srch_query function to
use a stored procedure, which could return the required result from the
given parameter to make it look like the user exists in the database or
use back-perl, which would enable me to intercept the request on it's
way to the SQL database.

I'd like to know if anyone has any good ideas to make OpenLDAP function
like I've described.

Thanks in advance,

   Sigurbjartur Helgason

--
---------------------------------------------------------------------
Marcio Scheibler
UFSM - CPD - Divisao de Suporte
=====================================================================

References:
- Need to authenticate non-existent users.
  - From: <sigurbjartur@ejs.is>

Prev by Date: group acl permissions
Next by Date: 2.3.11/BDB bdb_cache_find_id deadlock
Index(es):
- Chronological
- Thread