Re: Roles in OpenLDAP with back-sql

On 09/07/12 17:02 +0200, David Rose wrote:
On 09/07/2012 04:17 PM, Dan White wrote:
On 09/07/12 15:59 +0200, David Rose wrote:
Hi everyone,

Does anybody know if it's possible to define roles in OpenLDAP using

Here's the thing: we need to prevent some of our users from seeing
"everything". We need to filter results for some groups of users, but
we need these rules in the database (Postgres) to be able to change
them dynamically.

Consider using the dynamic slapd-config backend instead. See chapters 5
and 8 of the OpenLDAP Administrator's Guide.

We have a WebApp that stores all its data in Pg and we'd like to access
it using LDAP without having to replicate the database. And AFAIK
slapd-config and back-sql aren't compatible.

I don't know.

Problem is that, currently, when a user sends a search query, OpenLDAP
does not include the DN of the user who made the query in any way.

That seems counterintuitive. Are your users binding anonymously? If so,
don't do that.

None of our users bind anonymously. They're logged in; LDAP knows
who's logged in, but doesn't tell Pg when a search query is passed.

How do they 'log in'? Do they bind using user credentials directly to the
LDAP server, or do they log in to a website? If the latter, then see if
your webapp supports binding *using the user's credentials* when querying
the LDAP server. Or see if it supports binding with an authz identity
matching the user.
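As an added illustration, not part of the thread and not configuration from the OpenLDAP project, this is what Dan's second option (a service account that asserts a per-user authorization identity) looks like in slapd.conf. The suffix, the ou=people/ou=services layout, the uid=webapp account and the cn=auditors group are all assumed names. The point it shows is that once the webapp proxies as the logged-in user, slapd evaluates its ACLs against that user's DN instead of the service account's.

```conf
# slapd.conf fragment (added example; all DNs below are assumed).

# "to" means each entry states whom it may act *as* (authzTo);
# the default policy is "none", which refuses all proxying.
authz-policy    to

# The webapp's own entry carries the proxy permission, in the
# directory itself (loaded via LDIF, shown here as a comment):
#   dn: uid=webapp,ou=services,dc=example,dc=com
#   authzTo: dn.regex:^uid=[^,]+,ou=people,dc=example,dc=com$
# i.e. it may act as any single uid under ou=people and nothing else.

# ACLs are checked against the authorized identity, so these rules
# see the proxied user, not uid=webapp.
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none

access to dn.subtree="ou=people,dc=example,dc=com"
        by group.exact="cn=auditors,ou=groups,dc=example,dc=com" read
        by self read
        by users search
        by * none

# The webapp binds as itself and asserts the logged-in user with the
# Proxied Authorization control (RFC 4370). The leading "!" marks the
# control critical, so a refused proxy fails the search instead of
# silently running it as uid=webapp:
#   ldapsearch -x -H ldap://ldap.example.com \
#       -D uid=webapp,ou=services,dc=example,dc=com -w "$WEBAPP_PW" \
#       -e '!authzid=dn:uid=alice,ou=people,dc=example,dc=com' \
#       -b ou=people,dc=example,dc=com '(objectClass=inetOrgPerson)'
```

Two things worth keeping in mind. First, the service account can now impersonate every user its authzTo rule matches, so that password is a high-value credential: keep the regex as narrow as the application needs and protect the secret accordingly. Second, this makes the user's DN the identity that slapd's own ACLs see; it does not change what back-sql sends to Postgres, which is the part of David's question the thread leaves open.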

