Configuring a relatively simple translucent proxy to override/add group memberships.
- To: <openldap-technical@openldap.org>
- Subject: Configuring a relatively simple translucent proxy to override/add group memberships.
- From: Jeff Wiegley <jeffw@csun.edu>
- Date: Sat, 22 Oct 2016 17:55:40 -0700
Hopefully somebody can help as I am new to OpenLDAP and I've spent the
whole day being overwhelmed
and totally confused by the configuration of this beast. (How did it get
"Lightweight" as part of its name?)
The problem I have is that I have a group of computers in my research
lab at a university that I want
to allow login to for campus users. I want to authenticate the logins
against the campus LDAP server
but I want to augment/add group-membership to the results.
So for instance the campus LDAP server might authenticate a user named
"bob" and a unix groups command
for bob when logged in would show {"users", "student", "webuser"} but I
want my machines to log him with
his same campus credentials but see his group membership as
{"users", "student", "webuser", "research", "cloud"}.
From what I've read I can do this with the translucent overlay. The
problem is that I have no idea how to
get this working, let alone interface with the campus LDAP mess.
So far I can get users authenticated and logged in with authentication
solely against the campus LDAP
server but nothing about the local translucent proxy is even
understandable yet testable.
I have Ubuntu 16.04 and I installed ldap/slapd by essentially doing:
apt-get install ldap-auth-client slapd ldap-utils
I see both /etc/ldap/slapd.d and /usr/share/slapd/slapd.conf installed.
And, as I said, I've got the machine configured via ldap.conf to
authenticate against the campus
LDAP server odir.csun.edu. But none of that even requires slapd
installed. (I realize I'll eventually
need to configure/understand slapd in order to allow it to authenticate
against my local server
but I'm totally lost in trying to figure that part out.)
Couple of questions to start:
1) Should I be making configuration changes in
/usr/share/slapd/slapd.conf or should I be using the
dynamic config thingy and ldapadd/ldapmodify?? Several things I read say
use ldapmodify but then
EVERY example about translucent proxies that I can find demonstrates with
slapd.conf. In fact almost
every tutorial I've read is entrenched in slapd.conf.
2) How do I set up translucent overlay to proxy to the campus ldap
server without making any
changes to the results? If we could start there then maybe I could start
getting a handle on at least
a little understanding of how this starts to work.
Thanks for any help,
Jeff