
Re: Need help on ACL
On Mon, Sep 03, 2012 at 03:05:50PM +0200, Alexis GÜNST HORN wrote:

> dc=example,dc=com
>    ou=Users
>       uid=user1
>       uid=user2
>       ou=Foo
>          uid=user3
>          uid=user4
>    ou=Groups
>       cn=...
>       cn=...

> What I want:
> 
> * if I'm an "ou=Users" member, for example "user1", with pam_ldap
> suffix "dc=example,dc=com":
> 
> $ getent passwd
> user1
> user2
> 
> 
> * if I'm an "ou=Foo" member, for example "user_b", with pam_ldap suffix
> "dc=example,dc=com":
> 
> $ getent passwd
> user3
> user4
> 
> 
> Is it possible to do so without modifying the DIT structure? (only
> with ACL?)

Rather unlikely, as 'getent passwd' is a Unix/Linux command that
gets to LDAP via NSS. The LDAP server will not know the identity of
the end-user, so cannot return different results to different
people.

Further, most systems that use NSS LDAP have a cache/proxy process
between the getent API and the LDAP client library. That means that
the LDAP client library sees *all* requests coming from the same
process and thus the same user ID.

If your 'Foo' users and your 'Users' users are on separate machines
then you could do something: move ou=Foo up alongside ou=Users and
configure NSS/PAM on each machine to access just the relevant
subtree.

Andrew
-- 
-----------------------------------------------------------------------
|                 From Andrew Findlay, Skills 1st Ltd                 |
| Consultant in large-scale systems, networks, and directory services |
|     http://www.skills-1st.co.uk/                +44 1628 782565     |
-----------------------------------------------------------------------
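As an added illustration (not part of Andrew's mail or the original thread), the configuration his workaround implies: ou=Foo moved up alongside ou=Users, and each machine's nss_ldap/pam_ldap client pointed at only its own subtree, with a matching slapd ACL so the server also enforces the split. The ACL can only key on the identity the server actually sees through the NSS cache, i.e. the host's bind DN, which is exactly why it can enforce a per-machine split but never the per-user one the question asks for. The host names, host bind DNs, ou=Hosts container and password file path are assumptions for the example, not values from the thread.

```conf
# Added example, not from the original mail. Assumed: one host bind DN per
# machine under ou=Hosts, and the classic nss_ldap/pam_ldap /etc/ldap.conf
# syntax (nss_base_* with a "?one" one-level scope suffix).

# --- DIT after moving ou=Foo up alongside ou=Users ---------------------
#   dc=example,dc=com
#      ou=Users    uid=user1  uid=user2
#      ou=Foo      uid=user3  uid=user4
#      ou=Groups   cn=...
#      ou=Hosts    cn=host-users  cn=host-foo      (assumed)

# --- /etc/ldap.conf on the machine(s) for "Users" people ----------------
uri ldap://ldap.example.com/
base dc=example,dc=com
# Only this subtree is ever searched for passwd/shadow lookups.
nss_base_passwd ou=Users,dc=example,dc=com?one
nss_base_shadow ou=Users,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
# This is the identity the server sees for every NSS query from this
# host (nscd funnels all users through it), so it is what the ACL keys on.
binddn cn=host-users,ou=Hosts,dc=example,dc=com
bindpw HOST_USERS_PASSWORD_PLACEHOLDER

# --- /etc/ldap.conf on the machine(s) for "Foo" people ------------------
uri ldap://ldap.example.com/
base dc=example,dc=com
nss_base_passwd ou=Foo,dc=example,dc=com?one
nss_base_shadow ou=Foo,dc=example,dc=com?one
nss_base_group  ou=Groups,dc=example,dc=com?one
binddn cn=host-foo,ou=Hosts,dc=example,dc=com
bindpw HOST_FOO_PASSWORD_PLACEHOLDER

# --- slapd.conf on the server: enforce the same split server-side -------
# Passwords: owner may change, anyone may authenticate against, nobody reads.
access to dn.subtree="ou=Users,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none
access to dn.subtree="ou=Foo,dc=example,dc=com" attrs=userPassword
    by self write
    by anonymous auth
    by * none

# Account data: readable only by the host that serves that population
# (plus the entry's owner). A "Foo" host cannot enumerate ou=Users at all.
access to dn.subtree="ou=Users,dc=example,dc=com"
    by dn.exact="cn=host-users,ou=Hosts,dc=example,dc=com" read
    by self read
    by * none
access to dn.subtree="ou=Foo,dc=example,dc=com"
    by dn.exact="cn=host-foo,ou=Hosts,dc=example,dc=com" read
    by self read
    by * none

# Groups are shared by both populations.
access to dn.subtree="ou=Groups,dc=example,dc=com"
    by dn.children="ou=Hosts,dc=example,dc=com" read
    by users read
    by * none
```

The client-side nss_base_* lines are what change the output of `getent passwd` on each host; the server-side ACL is defence in depth, so a misconfigured or tampered client cannot widen its search base and read the other population. Note that both halves key on the machine, never on who is logged in, which is the limitation Andrew describes.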