
ldap (openldap) dynamic subtree combination for responses

LDAP Server: OpenLDAP 2.4.24

Linux Distro: Fedora 15

(I believe this question is generally about returning properties in subentries, when performing searches on a parent entry, in a way that's transparent to clients making the requests. However, I have worded my question to be based on my specific use case.)


I have successfully configured the Linux sssd service to fetch user login information from an LDAP directory service (which happens to be on the same machine). The file to configure for this lives at /etc/sssd/sssd.conf

I have tested that I can create a Linux user account in the LDAP directory by creating an entry under the relevant DN. That node includes the objectClass 'posixAccount'.

   - uid=1000 # This entry has the objectClass 'posixAccount'

performing a:

getent passwd | grep the-ldap-based-linux-username

yields correct information.

Now, for my problem:

I'm trying to configure the LDAP directory such that credentials information is not duplicated. I would like to define the entries like so:

   - uid=1000 # No posixAccount objectClass
     + cn=contact-info # contact stuff ...
     - cn=account      # contains subtrees for account related stuff.
       - cn=credentials     # Fields: uid, userPassword, uidNumber, gidNumber
       - cn=linux-account   # Fields: homeDirectory, loginShell, ...
       - cn=windows-account # Fields: winHomeDirectory, sambaServerUrl, ...
       - cn=samba-account   # Fields: space-quota, ...

The point of what I'm trying to accomplish is that when LDAP clients, such as the Linux sssd daemon, perform an account info search/fetch, they do so at the following node (not at its subnodes):


And that, somehow, the OpenLDAP server would know to combine the info contained in the relevant subentries of cn=account, and return those to the client, as if those entries existed at cn=account.

This would work, of course, if I were to place all the info at the cn=account node. But, that's what I'm trying to avoid.

I've tried a few things, which have all been unsuccessful.

Is it possible to do this with OpenLDAP (or LDAP in general)? If so, how?




A trick that I've found useful, and which can help in the final solution to the problem, is that the sssd daemon allows one to configure the name of the 'posixAccount'-like objectClass that it should use to locate account info. I noticed that I can tell it to look for a certain class, say c-linux-account, which I then define as an empty auxiliary class. The daemon will successfully find entries which contain this class. Then, if those entries contain properties named uid, userPassword, homeDirectory, etc., it will use those properties for their values. So, I can add that property to cn=account, and the daemon will find that entry correctly. I just now have to tell OpenLDAP to combine the entries below that node, and return them in the query.
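To make the two ideas in this post concrete (the proposed tree under cn=account, and pointing sssd's ldap_user_object_class at a custom auxiliary class), here is an added example that is not part of the original post and not OpenLDAP or sssd code. It models, in Python, the "combined view" the post asks the server for: it parses a constructed LDIF laid out like the proposed tree, merges the attributes of the subentries under cn=account into one virtual entry, and checks that entry for the attributes a POSIX account lookup needs. The base DN dc=example,dc=test, the class name c-linux-account, the sssd.conf contents and all attribute values are constructed; only the sssd option name ldap_user_object_class and its posixAccount default are real.

```python
"""Model of the combined-subentry view described in the post (added example).

Parses a constructed LDIF tree, merges each cn=account's direct children into
one virtual entry, and checks it against the object class a constructed
sssd.conf tells sssd to look for. Schema validity is not modelled.
"""
import configparser

# Constructed LDIF; dc=example,dc=test is a placeholder base DN.
SAMPLE_LDIF = r"""
dn: uid=1000,ou=people,dc=example,dc=test
objectClass: top
uid: 1000

dn: cn=account,uid=1000,ou=people,dc=example,dc=test
objectClass: top
objectClass: c-linux-account
cn: account

dn: cn=credentials,cn=account,uid=1000,ou=people,dc=example,dc=test
objectClass: top
cn: credentials
uid: alice
userPassword: {SSHA}constructed-placeholder-hash
uidNumber: 1000
gidNumber: 1000

dn: cn=linux-account,cn=account,uid=1000,ou=people,dc=example,dc=test
objectClass: top
cn: linux-account
homeDirectory: /home/alice
loginShell: /bin/bash

dn: cn=windows-account,cn=account,uid=1000,ou=people,dc=example,dc=test
objectClass: top
cn: windows-account
winHomeDirectory: \\fileserver\alice
"""

# Constructed sssd.conf; ldap_user_object_class is the real option name.
SAMPLE_SSSD_CONF = """\
[sssd]
services = nss, pam
domains = LDAP

[domain/LDAP]
id_provider = ldap
ldap_uri = ldap://localhost
ldap_search_base = ou=people,dc=example,dc=test
ldap_user_object_class = c-linux-account
"""

REQUIRED_POSIX_ATTRS = ('uid', 'uidNumber', 'gidNumber', 'homeDirectory', 'loginShell')
NAMING_ATTRS = {'cn'}  # a subentry's own RDN label, not account data


def parse_ldif(text):
    """Minimal LDIF reader: {dn: {attr: [values]}} in file order.
    Handles comments and folded lines; base64 (::) values are not needed here."""
    entries, record = {}, []

    def flush():
        dn, attrs = None, {}
        for line in record:
            attr, _, value = line.partition(': ')
            if attr.lower() == 'dn':
                dn = value
            else:
                attrs.setdefault(attr, []).append(value)
        if dn is not None:
            entries[dn] = attrs
        record.clear()

    for raw in text.splitlines():
        if raw.startswith('#'):
            continue
        if not raw.strip():
            flush()
        elif raw.startswith(' ') and record:  # folded continuation line
            record[-1] += raw[1:]
        else:
            record.append(raw)
    flush()
    return entries


def merge_subentries(entries, parent_dn):
    """The view the post wants: the parent's attributes plus those of its direct
    children. Returns (merged, conflicts); conflicts lists attributes that two
    subentries define with different values, which a real merge would have to resolve."""
    merged = {a: list(v) for a, v in entries[parent_dn].items()}
    conflicts, suffix = [], ',' + parent_dn
    for dn, attrs in entries.items():
        if not dn.endswith(suffix) or ',' in dn[:-len(suffix)]:
            continue  # not a direct child
        for attr, values in attrs.items():
            if attr in NAMING_ATTRS:
                continue
            if attr != 'objectClass' and attr in merged and merged[attr] != values:
                conflicts.append(attr)
            merged.setdefault(attr, [])
            merged[attr].extend(v for v in values if v not in merged[attr])
    return merged, conflicts


def sssd_user_object_class(conf_text, domain='LDAP'):
    """Object class sssd searches for; posixAccount is sssd's documented default."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return cp.get('domain/' + domain, 'ldap_user_object_class', fallback='posixAccount')


def sssd_view(ldif_text, conf_text, combine=True):
    """For every entry carrying the configured class, return the (optionally merged)
    attributes, the POSIX attributes still missing, and any merge conflicts."""
    entries, wanted, result = parse_ldif(ldif_text), sssd_user_object_class(conf_text), {}
    for dn, attrs in entries.items():
        if wanted not in attrs.get('objectClass', []):
            continue
        merged, conflicts = merge_subentries(entries, dn) if combine else (dict(attrs), [])
        missing = [a for a in REQUIRED_POSIX_ATTRS if a not in merged]
        result[dn] = {'merged': merged, 'missing': missing, 'conflicts': conflicts}
    return result


if __name__ == '__main__':
    for combine in (False, True):
        print('combine subentries:', combine)
        for dn, info in sssd_view(SAMPLE_LDIF, SAMPLE_SSSD_CONF, combine).items():
            print(' ', dn, '\n    missing:', info['missing'], ' conflicts:', info['conflicts'])
```

Run with combine=False the model reproduces the post's problem: sssd finds cn=account through the custom class but sees none of the five POSIX attributes; with combine=True the merged entry carries uid, uidNumber, gidNumber, homeDirectory and loginShell from cn=credentials and cn=linux-account. The conflicts list is the thing to watch when laying out such a tree: the subentries' cn values are skipped as naming labels, but any other attribute that two subentries both set with different values would leave the merged answer ambiguous.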