Am I trying to do something that's against the rules?
I'm using openldap 1.2.7 (as an aside, is there a 1.2.8 RPM available?).
I'm setting up a "remote" LDAP site that inherits certain entries from my main
site. This includes entries like:
dn: uid=cwg,ou=People,dc=vircio, dc=com
modifytimestamp: 20000103184751Z
modifiersname: cn=Manager, dc=vircio, dc=com
uid: cwg
cn: Chris Garrigues
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
userpassword: {crypt}$1$Elf5GcPP$sKmNU/AT83efeHl.Vu8zG.
shadowlastchange: 10798
shadowmax: 99999
shadowwarning: 7
shadowinactive: -1
shadowexpire: -1
shadowflag: 134538436
loginshell: /bin/bash
uidnumber: 500
gidnumber: 502
homedirectory: /net/backstroke.deepeddy.com/home/cwg
gecos: Chris Garrigues
It seems to work well to create an access group like this:
dn:cn=adminstrators,dc=vircio,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=vircio,dc=com
and then, by having an access directive like this, I have access:
access to *
by group="cn=adminstrators,dc=vircio,dc=com" write
However, I'd like another system to let me in using the same entry. If, on the
remote site, I have a referral entry like this:
dn: ref="ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com", ou=Group, dc=deepeddy, dc=com
objectclass: referral
ref: ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com
I can't seem to create an access group on that system like this:
dn:cn=adminstrators,dc=deepeddy,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=deepeddy,dc=com
and get it to work. I can log in as cwg on that system, so the referral is
working.
So, am I trying the impossible, or maybe merely the unimplemented, or am I just
being dumb about how I'm trying to do it?
Chris
--
Chris Garrigues virCIO
http://www.DeepEddy.Com/~cwg/ http://www.virCIO.Com
+1 512 432 4046 +1 512 374 0500
4314 Avenue C
O- Austin, TX 78751-3709
My email address is an experiment in SPAM elimination. For an
explanation of what we're doing, see http://www.DeepEddy.Com/tms.html
Nobody ever got fired for buying Microsoft,
but they could get fired for relying on Microsoft.
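Added example, not code from Chris's message or from OpenLDAP: a small offline check that models how a slapd `by group="..."` clause is matched against a bind DN. The model is a stated simplification: the group entry has to exist in the server's own data, the bind DN has to equal one of the group's `member` values after DN normalisation (whitespace after commas dropped, case-insensitive compare), and anything at or below an entry of objectclass `referral` is treated as not held locally. The LDIF strings are constructed from the entries quoted above; the remote-site referral is written as a plain `ou=Group,dc=deepeddy,dc=com` entry rather than the `ref=` RDN form in the post, to keep the DN parser simple.

```python
"""Offline check of a slapd ``by group="..."`` clause against LDIF data.

Constructed example (not from the post or OpenLDAP). Simplified model:
  * the group entry must exist in the local LDIF (this server's database);
  * the bind DN must equal one of the group's ``member`` values after DN
    normalisation (spaces after commas removed, case-insensitive compare);
  * anything at or below an objectclass ``referral`` entry is not held
    locally, so a group placed there cannot be evaluated by this server.
"""
import re

# Constructed LDIF for the main site, mirroring the entries in the post.
VIRCIO_LDIF = """\
dn: uid=cwg,ou=People,dc=vircio, dc=com
objectclass: account
uid: cwg

dn:cn=adminstrators,dc=vircio,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=vircio,dc=com
"""

# Constructed LDIF for the remote site: a referral for ou=Group plus the
# local group entry.  (Referral DN simplified from the post's ref= form.)
DEEPEDDY_LDIF = """\
dn: ou=Group, dc=deepeddy, dc=com
objectclass: referral
ref: ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com

dn:cn=adminstrators,dc=deepeddy,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=deepeddy,dc=com
"""

# Split a DN on commas that are not escaped with a backslash.
_RDN_SPLIT = re.compile(r"(?<!\\),")


def normalize_dn(dn):
    """Canonical form: no padding, lower-cased types and values (assumption)."""
    parts = []
    for rdn in _RDN_SPLIT.split(dn):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip().lower()}")
    return ",".join(parts)


def parse_ldif(text):
    """Parse minimal LDIF (no wrapping, no base64) into {norm_dn: {attr: [values]}}."""
    entries = {}
    current = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:                      # blank line ends the current entry
            current = None
            continue
        attr, _, value = line.partition(":")   # "dn:cn=..." without a space is fine
        attr, value = attr.strip().lower(), value.strip()
        if attr == "dn":
            current = entries.setdefault(normalize_dn(value), {})
            continue
        if current is None:
            raise ValueError(f"attribute line before any dn: {line!r}")
        current.setdefault(attr, []).append(value)
    return entries


def referral_covering(entries, dn):
    """Return the normalised DN of a referral entry at or above ``dn``, else None."""
    target = normalize_dn(dn)
    for entry_dn, attrs in entries.items():
        classes = [v.lower() for v in attrs.get("objectclass", [])]
        if "referral" in classes and (target == entry_dn or target.endswith("," + entry_dn)):
            return entry_dn
    return None


def group_grants(entries, group_dn, bind_dn):
    """Would ``by group="group_dn"`` match ``bind_dn``?  Returns (granted, reason)."""
    ref = referral_covering(entries, group_dn)
    if ref is not None:
        return False, f"group lies under referral {ref}; not held locally"
    group = entries.get(normalize_dn(group_dn))
    if group is None:
        return False, "group entry not found in local data"
    members = {normalize_dn(m) for m in group.get("member", [])}
    if normalize_dn(bind_dn) in members:
        return True, "bind DN listed as member"
    return False, "bind DN not among members: " + ", ".join(sorted(members))


if __name__ == "__main__":
    cases = [
        ("vircio, local group", VIRCIO_LDIF,
         "cn=adminstrators,dc=vircio,dc=com", "uid=cwg, ou=People, dc=vircio, dc=com"),
        ("deepeddy, bound with vircio DN", DEEPEDDY_LDIF,
         "cn=adminstrators,dc=deepeddy,dc=com", "uid=cwg,ou=People,dc=vircio,dc=com"),
        ("deepeddy, group under referred ou=Group", DEEPEDDY_LDIF,
         "cn=adminstrators,ou=Group,dc=deepeddy,dc=com", "uid=cwg,ou=People,dc=deepeddy,dc=com"),
    ]
    for name, ldif, group, bind in cases:
        granted, why = group_grants(parse_ldif(ldif), group, bind)
        print(f"{name}: {'write' if granted else 'no access'} ({why})")
```

The point of running it against both sites is the third case: a group DN that sits below the referred-to `ou=Group` subtree is never found in the remote server's own data, so a `by group=` clause naming it cannot match, whatever the `member` values on the main site say; and in the second case the member DN differs from the DN the client actually bound with, which the normaliser shows is not merely a whitespace or case difference.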