
Re: Question on best way to partially disable users



Dan,

On 11-09-02 12:55 PM, Dan White wrote:
On 02/09/11 12:38 -0700, Ski Kacoroski wrote:
I have an openldap server that several applications use for
authentication. What we need to do is when a person is disabled, we
need to disable access for that user for all applications but one
(employeeonline). My first thought was simply to move the disabled
person to a different OU (e.g. ou=eoonly,dc=... instead of
ou=people,dc=...). The problem I am running into is that
employeeonline is windows/vbscript that uses SASL to bind which means
that I cannot just move the user to a different OU as they are always
coming in as sasl-realm OL.NSD.ORG. Does anyone have a good trick for
how to do this? So far all I have come up with is:

1. Bind as an admin user and then check the user's password instead of
binding as the user.

2. Figure out some way for vbscript to bind as a different SASL realm.

Use a search based mapping like:

authz-regexp
"uid=([^,]+),cn=([^,]+),cn=auth"
"ldap:///dc=example,dc=net??sub?(uid=$1)"

which should (sasl) authenticate the user regardless of which subtree they
exist in, underneath dc=example,dc=net.


Dan,

Thanks so very, very much.  This worked perfectly.

ski

--
"When we try to pick out anything by itself, we find it
 connected to the entire universe"            John Muir

Chris "Ski" Kacoroski, Unix Admin, NSD
206-501-9803, ski98033 on IRC and most IM services
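To show what Dan's mapping does for a user who has been moved out of ou=people, here is an added Python emulation of slapd's search-based authz-regexp handling (it is not from this thread and not OpenLDAP code). It applies the authz-regexp pair above to a constructed directory fragment in which a disabled user lives under ou=eoonly, and shows that the SASL identity still resolves to that entry while an application that searches only under ou=people no longer finds it. The DIRECTORY contents, the use of the OL.NSD.ORG realm and the function names are assumptions made for the example.

```python
import re

# Constructed directory fragment (not from the thread). The disabled user
# "bob" has been moved from ou=people to ou=eoonly.
DIRECTORY = {
    "uid=alice,ou=people,dc=example,dc=net": {"uid": "alice"},
    "uid=bob,ou=eoonly,dc=example,dc=net": {"uid": "bob"},
}

# The authz-regexp pair from the thread: a SASL identity of the form
# "uid=<user>,cn=<realm>,cn=auth" is rewritten to an LDAP URL whose
# base, scope and filter select the entry to bind as.
AUTHZ_PATTERN = re.compile(r"^uid=([^,]+),cn=([^,]+),cn=auth$")
AUTHZ_URL = "ldap:///dc=example,dc=net??sub?(uid=$1)"


def search_sub(base, uid):
    """Emulate a scope=sub search for (uid=<uid>) under base; returns DNs."""
    return [
        dn for dn, attrs in DIRECTORY.items()
        if attrs["uid"] == uid and (dn == base or dn.endswith("," + base))
    ]


def map_sasl_identity(sasl_id):
    """Return the DN slapd would bind as, or None when the mapping fails.

    slapd only accepts a search-based authz-regexp result when exactly
    one entry matches; zero or several matches leave the identity unmapped.
    """
    m = AUTHZ_PATTERN.match(sasl_id)
    if not m:
        return None
    url = AUTHZ_URL.replace("$1", m.group(1))          # substitute $1 as slapd does
    base, _attrs, scope, filt = url[len("ldap:///"):].split("?")
    assert scope == "sub"                                # only scope used on this page
    uid = re.fullmatch(r"\(uid=([^)]+)\)", filt).group(1)
    hits = search_sub(base, uid)
    return hits[0] if len(hits) == 1 else None


def people_app_lookup(uid):
    """What an application that searches only under ou=people would see."""
    return search_sub("ou=people,dc=example,dc=net", uid)
```

The moved user is still reachable through the SASL mapping (the whole dc=example,dc=net tree is searched), but an application whose search base is ou=people gets no entry back, which is the split the original question asked for.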