Re: How do you have LDAP Setup for Apps



On 29/09/11 09:46 -0400, criderkevin@aol.com wrote:
Having users duplicated is a problem for password reset, as someone has
just pointed out to me...so then how do you setup your LDAP to allow
access to one application and not others?

Say I want to allow a user access to Email but not Network...how is your
LDAP setup to handle this? Maybe a bad example...I suppose you'd do this
with the delivered schemas...OK but what about access to Email ON and
access to a homegrown app OFF? Perhaps using an attribute from a custom
schema?

In my experience, authorization is not at all consistent across devices and
applications. Those that are LDAP aware usually provide an LDAP filter as
one component, in which case you can typically do:

(&(uid=$1)(someAccessAttr=email))

Some devices/applications provide for RADIUS authentication, which you can
backend with LDAP to authenticate based on group membership, or
the existence of a specific attribute.

Another approach is to configure your applications to use PAM
authentication, and then make use of an ldap pam module.

--
Dan White
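
The filter-based approach from the reply above, worked through in Python as an added example (not code from the thread or from Dan White). It assumes the placeholder attribute name `someAccessAttr` from the reply and constructed sample entries standing in for a directory; it also escapes the substituted `$1` value per RFC 4515 and includes a small offline evaluator for that filter shape, so it runs without a server.

```python
"""Per-application authorization via an LDAP access attribute.

Added example, not from the mailing-list thread. 'someAccessAttr' is the
placeholder attribute from the reply; SAMPLE_DIRECTORY is constructed data.
"""
import re

# RFC 4515 escaping for values substituted into a search filter. Without it,
# the $1 substitution in "(&(uid=$1)(someAccessAttr=email))" lets a login
# name containing '*', '(' or ')' change what the filter means.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_access_filter(uid: str, app: str, attr: str = "someAccessAttr") -> str:
    """Filter that matches only if the user exists AND is entitled to `app`."""
    return f"(&(uid={escape_filter_value(uid)})({attr}={escape_filter_value(app)}))"


# Minimal evaluator for the "(&(a=v)(b=v)...)" shape used above, so the
# example runs offline. A real deployment sends the filter string to the
# directory server; equality here is exact (no matching rules, no wildcards).
_EQ = re.compile(r"\((\w+)=((?:\\[0-9a-fA-F]{2}|[^()\\])*)\)")


def _unescape(value: str) -> str:
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def entry_matches(entry: dict, filt: str) -> bool:
    """Evaluate an AND of equality assertions against one entry."""
    if not (filt.startswith("(&") and filt.endswith(")")):
        raise ValueError("only (&(a=v)(b=v)...) filters are supported")
    body = filt[2:-1]
    assertions = _EQ.findall(body)
    if "".join(f"({a}={v})" for a, v in assertions) != body:
        raise ValueError("malformed filter")
    return all(_unescape(v) in entry.get(a, []) for a, v in assertions)


def authorize(directory: list, uid: str, app: str) -> bool:
    """True only if exactly one entry satisfies the access filter."""
    filt = build_access_filter(uid, app)
    return sum(entry_matches(e, filt) for e in directory) == 1


# Constructed sample entries; multi-valued attributes are lists.
SAMPLE_DIRECTORY = [
    {"uid": ["alice"], "someAccessAttr": ["email", "homegrown"]},
    {"uid": ["bob"], "someAccessAttr": ["email"]},
]
```

Granting a user a new application is then a single attribute-value add on their entry, and revoking it is a delete, with no duplicate accounts to keep in sync.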