[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Authentication via Groups ?

To: openldap-software@OpenLDAP.org
Subject: Re: Authentication via Groups ?
From: Andreas Grosse <openldap-sw@majestyk.de>
Date: Mon, 7 Jan 2002 13:46:31 +0100
Content-disposition: inline
In-reply-to: <Pine.LNX.4.33.0112201159150.31937-100000@lnx01688.morrison.iserv.net>; from adam@morrison-ind.com on Thu, Dec 20, 2001 at 12:01:20PM -0500
References: <20011220175447.A2248@dawn.majestyk.de> <Pine.LNX.4.33.0112201159150.31937-100000@lnx01688.morrison.iserv.net>
User-agent: Mutt/1.2.5i

Adam Williams <adam@morrison-ind.com> [04:01:02 18:59] wrote:
> > We have one group "employees" containing every user (as a
> > posixAccount), and another group which splits into different
> > organisationalUnits (marketing,development etc.).
> > Now we try to authenticate based on the groups:
> >         [slap.conf]
> >         base ou=marketing,ou=groups,dc=mydomain,dc=de
> >         pam_filter objectclass=posixGroup
> >         pam_login_attribute memberUid
> > Those groups are posixGroups and have a memberUid which is a valid
> > uid
> > from the "employees" group.
> > Is that going to work? Would 'uniquemember' better suit our needs
> > than
> > 'memberUid'? Grateful for every comment,
>
> If you want to restrict access to a service on a PAM enabled OS, I think
> it is better to let pam_ldap auth the password and restrict groups, etc...
> using the PAM module intended for that purpose, pam_listfile

Thanks for your help. But in our case, this would not suit our needs.
The ultimate goal would be that every group can administrate itself,
because if you want user X to access your marketing stuff, you just
have to give user X a memberUid entry in the 'marketing' group, and
he can log in with his unique standard password entry he has in all
groups, because the data is stored in his entry in the 'employees'
group.
So the Data itself is stored in one place, where it can be safely
backup'ed and only be modified by IT professionals (which control the
'employees' branch), but every organisationalUnit (like marketing) has
its own 'autonomy' to decide which user has access on what.

Now the problem is that this should be possible tweaking the options
like in the snippet above. Running slapd in debug mode (-d 256), we see
that we get a search with the standard filter, which must succeed that
our customized filter is used in a second search.
Because of our base set to the groups ou, this first search never
succeeds, so our search filter is never used.

A logfile snippet:
conn=0 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
        filter="(&(objectClass=posixAccount)(uid=agrosse))"

which _should_ read like that (or shouldn't it?):
conn=0 op=1 SRCH base="ou=groups,dc=mydomain,dc=de" scope=2
        filter="(&(objectClass=posixGroup)(memberuid=agrosse))"

What do I get wrong ?
Many thanks for your help,

                Andreas

References:
- Re: Authentication via Groups ?
  - From: Adam Williams <adam@morrison-ind.com>

Prev by Date: Password Problem
Next by Date: Ganymede
Index(es):
- Chronological
- Thread