
Re: Roles in OpenLDAP with back-sql



On 09/07/12 17:20 +0200, David Rose wrote:
On 09/07/2012 05:15 PM, Dan White wrote:
On 09/07/12 17:02 +0200, David Rose wrote:
On 09/07/2012 04:17 PM, Dan White wrote:
On 09/07/12 15:59 +0200, David Rose wrote:
Hi everyone,

Does anybody know if it's possible to define roles in OpenLDAP using
back-sql?

How do they 'log in'? Do they bind using user credentials directly to
the LDAP server, or do they log in to a website? If the latter, then see
if your webapp supports binding *using the user's credentials* when
querying the ldap server. Or see if it supports binding with an authz
identity matching the user.

Website login and LDAP binding are separate.
Our goal is to access the same data from either the website or the LDAP server.
So, for LDAP queries, they bind using credentials directly to the LDAP
server.

I think I see now. You have both user credentials and authorization (roles)
stored in a PostgreSQL database, which you want to use in a new ldap
installation?

With direct ldap binds, either the user's DN or their authc identity
(in the case of SASL binds) will be available for ACL restriction. If you
also have group definitions, then you should try to shoehorn them into
ldap entries with objectClass 'groupOfNames', or a similar structure, that
you can apply ACL restrictions to.

--
Dan White
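As an added illustration of the approach Dan describes (this is not code from
the thread or from the OpenLDAP project), the following PostgreSQL script
exposes an invented web-application schema (users, roles, user_roles) through
back-sql as inetOrgPerson entries plus one groupOfNames entry per role, so that
slapd's group ACL clause can be applied to them. It assumes the back-sql
metadata tables (ldap_oc_mappings, ldap_attr_mappings, ldap_entries,
ldap_entry_objclasses) were already created from the backsql_create.sql that
ships with OpenLDAP; the table and column names of the application, the suffix
dc=example,dc=com and the sample rows are all constructed for the example.

```sql
-- Constructed example (not from the thread): a read-only back-sql mapping that
-- exposes a web app's users/roles tables as inetOrgPerson and groupOfNames
-- entries so slapd ACLs can use group/groupOfNames/member. PostgreSQL syntax.
-- Assumes the back-sql metadata tables come from OpenLDAP's backsql_create.sql;
-- the application tables below are invented for the example.

CREATE TABLE users (
    id        serial PRIMARY KEY,
    username  text NOT NULL UNIQUE,
    password  text NOT NULL      -- slapd-style value, normally slappasswd output
);
CREATE TABLE roles (
    id    serial PRIMARY KEY,
    name  text NOT NULL UNIQUE
);
CREATE TABLE user_roles (
    user_id  int NOT NULL REFERENCES users(id),
    role_id  int NOT NULL REFERENCES roles(id),
    PRIMARY KEY (user_id, role_id)
);
-- One-row table backing the suffix entry dc=example,dc=com.
CREATE TABLE ldap_base (
    id  int PRIMARY KEY,
    dc  text NOT NULL,
    o   text NOT NULL
);

-- Sample data (constructed). Usernames end up inside DNs, so the application
-- must keep them free of DN metacharacters (',', '+', '"', '\', '<', '>', ';', '=').
INSERT INTO ldap_base VALUES (1, 'example', 'Example Corp');
INSERT INTO users (username, password) VALUES
    ('alice', 'alice-pass'),   -- cleartext only for the demo; store hashes in practice
    ('bob',   'bob-pass');
INSERT INTO roles (name) VALUES ('admins'), ('staff');
INSERT INTO user_roles
    SELECT u.id, r.id FROM users u, roles r
    WHERE (u.username, r.name) IN (('alice', 'admins'), ('alice', 'staff'), ('bob', 'staff'));

-- Object class mappings: which table holds the key of each entry type.
-- No create/delete procedures: the data is exposed read-only over LDAP.
INSERT INTO ldap_oc_mappings (id, name, keytbl, keycol, create_proc, delete_proc, expect_return) VALUES
    (1, 'inetOrgPerson', 'users',     'id', NULL, NULL, 0),
    (2, 'groupOfNames',  'roles',     'id', NULL, NULL, 0),
    (3, 'organization',  'ldap_base', 'id', NULL, NULL, 0);

-- Attribute mappings. back-sql issues
--   SELECT <sel_expr> FROM <from_tbls> WHERE <keytbl>.<keycol>=? [AND <join_where>]
-- so from_tbls must list the key table too.
INSERT INTO ldap_attr_mappings (id, oc_map_id, name, sel_expr, from_tbls, join_where,
                                add_proc, delete_proc, param_order, expect_return) VALUES
    (1, 1, 'uid',          'users.username',  'users',     NULL, NULL, NULL, 3, 0),
    (2, 1, 'cn',           'users.username',  'users',     NULL, NULL, NULL, 3, 0),
    (3, 1, 'sn',           'users.username',  'users',     NULL, NULL, NULL, 3, 0),
    (4, 1, 'userPassword', 'users.password',  'users',     NULL, NULL, NULL, 3, 0),
    (5, 2, 'cn',           'roles.name',      'roles',     NULL, NULL, NULL, 3, 0),
    -- A role's members are the DNs of the user entries reached through user_roles.
    -- oc_map_id=1 restricts the join to user entries, so keyval is a users.id.
    (6, 2, 'member',       'ldap_entries.dn', 'ldap_entries,user_roles,roles',
        'ldap_entries.oc_map_id=1 AND ldap_entries.keyval=user_roles.user_id AND user_roles.role_id=roles.id',
        NULL, NULL, 3, 0),
    (7, 3, 'dc',           'ldap_base.dc',    'ldap_base', NULL, NULL, NULL, 3, 0),
    (8, 3, 'o',            'ldap_base.o',     'ldap_base', NULL, NULL, NULL, 3, 0);

-- Entries: a flat DIT, every user and role sits directly under the suffix.
INSERT INTO ldap_entries (dn, oc_map_id, parent, keyval)
    VALUES ('dc=example,dc=com', 3, 0, 1);
INSERT INTO ldap_entry_objclasses (entry_id, oc_name)
    SELECT id, 'dcObject' FROM ldap_entries WHERE dn = 'dc=example,dc=com';

INSERT INTO ldap_entries (dn, oc_map_id, parent, keyval)
    SELECT 'uid=' || u.username || ',dc=example,dc=com', 1,
           (SELECT id FROM ldap_entries WHERE dn = 'dc=example,dc=com'), u.id
    FROM users u;
INSERT INTO ldap_entries (dn, oc_map_id, parent, keyval)
    SELECT 'cn=' || r.name || ',dc=example,dc=com', 2,
           (SELECT id FROM ldap_entries WHERE dn = 'dc=example,dc=com'), r.id
    FROM roles r;

-- Sanity check: the same join back-sql runs to produce the member values of
-- cn=admins,dc=example,dc=com (expected: alice only).
SELECT ldap_entries.dn
FROM ldap_entries, user_roles, roles
WHERE roles.name = 'admins'
  AND ldap_entries.oc_map_id = 1
  AND ldap_entries.keyval = user_roles.user_id
  AND user_roles.role_id = roles.id;
```

With that in place, the slapd.conf database section for back-sql (database sql,
suffix "dc=example,dc=com", the ODBC dbname/dbuser/dbpasswd, readonly on) can
carry ACLs that key off the mapped group, for instance:

    access to attrs=userPassword
        by anonymous auth
        by * none
    access to dn.subtree="dc=example,dc=com"
        by group/groupOfNames/member="cn=admins,dc=example,dc=com" read
        by self read
        by * none

Two points worth checking before relying on it: slapd evaluates the group clause
by internally reading the member attribute of cn=admins, so that attribute must
be served by the mapping above (test it with ldapsearch as a bound user), and the
userPassword rule must come first so that simple binds can still authenticate
while nobody, admins included, can read other users' password values.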