RE: User restriction

> Buchan Milne wrote:
> > On Friday, 4 June 2010 13:47:42 Jonathan Clarke wrote:
> >> On 04/06/2010 11:49, Stuart Cherrington wrote:
> >
> >> As far as I know, "nss_base_passwd" is not a valid keyword in ldap.conf
> >> for OpenLDAP clients.
> >>
> >> If you're configuring this on a Linux server, I think you'll find the
> >> equivalent configuration in /etc/libnss_ldap.conf or similar.
> >
> > Upstream default is /etc/ldap.conf, libnss-ldap.conf is an unnecessary Debian-ism.
> The upstream default has been an endless source of confusion for the better
> part of a decade. Renaming à la Debian is the right answer.

OK - thanks for all your comments so far. The whole LDAP structure is starting to become clearer, but it's not as simple as I'd like. As Aron suggested, I used the ldapcompare command to see if I could pull the 'member' information from the schema, but it fails.

An ldapsearch shows the following:

ldapsearch -x -b 'ou=auth,dc=ldn,dc=sw,dc=com' -h -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxx
# extended LDIF
# LDAPv3
# base <ou=auth,dc=ldn,dc=sw,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL

# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pstuart,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pfield,ou=people,dc=ldn,dc=sw,dc=com
member: uid=nereelot,ou=people,dc=ldn,dc=sw,dc=com
member: uid=scolebro,ou=people,dc=ldn,dc=sw,dc=com
member: uid=bpower,ou=people,dc=ldn,dc=sw,dc=com
member: uid=ihunt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=emoreton,ou=people,dc=ldn,dc=sw,dc=com
member: uid=lcable,ou=people,dc=ldn,dc=sw,dc=com
member: uid=pmurray,ou=people,dc=ldn,dc=sw,dc=com

# search result
search: 2
result: 0 Success

You can clearly see that the first member line is me. If I now try:

ldapcompare2.4 -v -x -h -D cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com -w xxxxxxxx "ou=auth,dc=ldn,dc=sw,dc=com" member:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com

ldap_initialize( ldap:// )
DN:ou=auth,dc=ldn,dc=sw,dc=com, attr:member, value:uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
Compare Result: No such attribute (16)

Any pointers here would be useful.
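Editor's note, added to this archived thread and not part of Stuart's message: the ldapsearch output above shows the member attribute on the entry cn=access,ou=auth,dc=ldn,dc=sw,dc=com, while the ldapcompare was issued against its parent, ou=auth,dc=ldn,dc=sw,dc=com, which carries only ou and objectClass. LDAP result code 16 is noSuchAttribute (RFC 4511): the target entry exists but has no attribute of that name. The script below is an offline model of the Compare operation run over an abridged copy of the LDIF from the post, so the outcome of pointing the compare at each of the two DNs can be checked without a directory server. The LDAP semantics it implements (DN-valued attributes compared case-insensitively with whitespace around separators ignored) are a simplification of distinguishedNameMatch, and the Python function names are this example's own.

```python
"""Offline model of an LDAP Compare over the LDIF from the post (added example)."""
import re

# LDIF abridged from the ldapsearch output quoted in the thread.
LDIF = """\
# auth, ldn.sw.com
dn: ou=auth,dc=ldn,dc=sw,dc=com
ou: auth
objectClass: organizationalUnit
objectClass: top

# access, auth, ldn.sw.com
dn: cn=access,ou=auth,dc=ldn,dc=sw,dc=com
objectClass: groupOfNames
objectClass: top
cn: access
member: uid=stuart,ou=people,dc=ldn,dc=sw,dc=com
member: cn=proxyagent,ou=profile,dc=ldn,dc=sw,dc=com
member: uid=rpratt,ou=people,dc=ldn,dc=sw,dc=com
member: uid=jason,ou=people,dc=ldn,dc=sw,dc=com
"""

# LDAP resultCode values (RFC 4511) that a Compare operation can return.
COMPARE_FALSE, COMPARE_TRUE, NO_SUCH_ATTRIBUTE, NO_SUCH_OBJECT = 5, 6, 16, 32

# Attributes whose values are DNs and therefore get DN-style matching.
DN_SYNTAX_ATTRS = {"member", "owner", "seealso", "manager"}


def norm_dn(dn):
    """Simplified distinguishedNameMatch: case-insensitive, no whitespace around , or =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn.strip()).lower()


def parse_ldif(text):
    """Return {normalized dn: {lowercased attr: [values]}} from simple LDIF.

    Handles the plain form ldapsearch prints here: no base64 (::) values and
    no folded continuation lines. Blank lines separate entries, # lines are comments.
    """
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None          # blank line ends the current entry
            continue
        if line.startswith("#"):
            continue
        attr, _, value = line.partition(":")
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(norm_dn(value), {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries


def compare(entries, dn, attr, value):
    """Model the server side of ldapcompare: does entry `dn` hold attr=value?"""
    entry = entries.get(norm_dn(dn))
    if entry is None:
        return NO_SUCH_OBJECT                       # 32: the DN itself does not exist
    values = entry.get(attr.lower())
    if values is None:
        return NO_SUCH_ATTRIBUTE                    # 16: entry exists, attribute absent
    if attr.lower() in DN_SYNTAX_ATTRS:
        found = norm_dn(value) in {norm_dn(v) for v in values}
    else:
        found = value.lower() in {v.lower() for v in values}
    return COMPARE_TRUE if found else COMPARE_FALSE


def groups_of(entries, member_dn):
    """DNs of groupOfNames entries whose member attribute lists member_dn."""
    target = norm_dn(member_dn)
    return sorted(
        dn for dn, entry in entries.items()
        if "groupofnames" in {v.lower() for v in entry.get("objectclass", [])}
        and target in {norm_dn(v) for v in entry.get("member", [])}
    )


ENTRIES = parse_ldif(LDIF)

if __name__ == "__main__":
    me = "uid=stuart,ou=people,dc=ldn,dc=sw,dc=com"
    for target in ("ou=auth,dc=ldn,dc=sw,dc=com", "cn=access,ou=auth,dc=ldn,dc=sw,dc=com"):
        print(target, "->", compare(ENTRIES, target, "member", me))
    print("groups holding", me, "->", groups_of(ENTRIES, me))
```

Run stand-alone, the compare against the OU yields 16 and the one against cn=access yields 6 (compareTrue). The same distinction matters for any authorization check built on group membership: the compare has to name the group entry that actually carries member, and a compare aimed at the wrong DN fails closed with noSuchAttribute rather than silently granting access.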