[Date Prev][Date Next] [Chronological] [Thread] [Top]

OpenLDAP bespoke schema to use 'ismemberof' to restrict user access to hosts


I sent this from my work email but its not appeared in the mailing list, am trying it from my hotmail acct to see if it's mroe successful.

Newbie post, let me know if you need any other info, inside leg measurement, blood type etc.

I wanted to restrict users to logging onto specific hosts, I.e. to keep developers away from Production hosts etc. I managed to do this on thread http://www.linuxquestions.org/questi...-users-789466/ using Sun's SDSCC.

We're now migrating to OpenLDAP and I need the same functionality. I found the 'ismemberof' attribute does not appear to be part of the default schemas that come with Redhat 5.3 RPM's, Openldap is V 2.3.43.

I found an interesting article at http://forums.devshed.com/ldap-progr...te-191444.html on how to create your own schema's. So I created a filcalled /etc/openldap/schema/memberof.schema and put in the following text:

# The isMemberOf attribute associated with an entity is a
# collection of values each of which identifies a group to
# which that entity belongs.
attributetype (
NAME 'isMemberOf'
DESC 'identifiers for groups to which containing entity belongs'
EQUALITY caseIgnoreMatch
SUBSTR caseIgnoreSubstringsMatch

Then I added this schema to the slapd.conf and restarted ldap.

In the client, I've used the same 'ismemberof' line from my previous thread, so it says:

nss_base_passwd ou=people,dc=ldn,dc=sw,dc=com?sub?isMemberOf=cn=access,ou=auth,dc=ldn,dc=sw,dc=com

Having tried MANY combination's of ?, ( and ) it won't work.

So, can anyone comment on my schema, it right? is it complete sh!te?
Does the nss_apsswd line need changing now I've moved to Openldap?

Comments on a postcard please.

BTW - I've been looking at LDAP books to cure my insomnia, and found http://www.amazon.co.uk/LDAP-Directo...2282151&sr=1-1. The books.google.com site had some useful pages from this book but the review on amazon is not great.



Get a free e-mail account with Hotmail. Sign-up now.