Am I trying to do something that's against the rules?

I'm using openldap 1.2.7 (as an aside, is there a 1.2.8 RPM available?). I'm setting up a "remote" LDAP site that inherits certain entries from my main site. This includes entries like:

dn: uid=cwg,ou=People,dc=vircio, dc=com
modifytimestamp: 20000103184751Z
modifiersname: cn=Manager, dc=vircio, dc=com
uid: cwg
cn: Chris Garrigues
objectclass: account
objectclass: posixAccount
objectclass: top
objectclass: shadowAccount
userpassword: {crypt}$1$Elf5GcPP$sKmNU/AT83efeHl.Vu8zG.
shadowlastchange: 10798
shadowmax: 99999
shadowwarning: 7
shadowinactive: -1
shadowexpire: -1
shadowflag: 134538436
loginshell: /bin/bash
uidnumber: 500
gidnumber: 502
homedirectory: /net/backstroke.deepeddy.com/home/cwg
gecos: Chris Garrigues

It seems to work well to create an access group like this:

dn: cn=adminstrators,dc=vircio,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=vircio,dc=com

and then, by having an access group like this, I have

access to * by group="cn=adminstrators,dc=vircio,dc=com" write

However, I'd like another system to let me in using the same entry. If on the remote site I have a referral entry like this:

dn: ref="ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com", ou=Group, dc=deepeddy, dc=com
objectclass: referral
ref: ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com

I can't seem to create an access group on that system like this:

dn: cn=adminstrators,dc=deepeddy,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=deepeddy,dc=com

and get it to work. I can log in as cwg on that system, so the referral is working.

So, am I trying the impossible, or maybe merely the unimplemented, or am I just being dumb at how I'm trying to do it?
Chris

--
Chris Garrigues                  virCIO
http://www.DeepEddy.Com/~cwg/    http://www.virCIO.Com
+1 512 432 4046                  +1 512 374 0500
4314 Avenue C
Austin, TX 78751-3709

My email address is an experiment in SPAM elimination. For an explanation of what we're doing, see http://www.DeepEddy.Com/tms.html

Nobody ever got fired for buying Microsoft, but they could get fired for relying on Microsoft.
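The group ACL in the post grants write access only when the server can find the named group in its own database and the bound DN matches one of its member values. The following is an added illustration, not slapd's code or anything from the thread: a deliberately simplified model of that check (minimal LDIF parser, DN normalisation that ignores case and the spaces after commas, membership test) run against the entries quoted above. It shows why a referral object standing in for a group grants nothing (it has no member values) and why a DN from the main site does not match a member value written under the remote site's suffix.

```python
# Simplified model of a group-based ACL check (added example, not slapd's code):
# the server looks the group entry up in its own database and compares the
# bound DN with the group's member values. Referrals are never chased here.

def normalize_dn(dn):
    """Lowercase and drop whitespace around RDN separators ("dc=vircio, dc=com")."""
    return ",".join(part.strip() for part in dn.split(",")).lower()

def parse_ldif(text):
    """Minimal LDIF parser: {normalized dn: {lowercased attr: [values]}}."""
    entries, attrs = {}, {}
    for line in text.strip().splitlines() + [""]:   # trailing "" flushes the last entry
        if not line.strip():
            if attrs:
                entries[normalize_dn(attrs["dn"][0])] = attrs
            attrs = {}
            continue
        name, _, value = line.partition(":")
        attrs.setdefault(name.strip().lower(), []).append(value.strip())
    return entries

def group_grants(entries, group_dn, bound_dn):
    """True only if group_dn is a local groupOfNames that lists bound_dn as a member."""
    group = entries.get(normalize_dn(group_dn), {})
    classes = [c.lower() for c in group.get("objectclass", [])]
    if "groupofnames" not in classes:
        return False   # missing entry, or only a referral: no member values to match
    members = [normalize_dn(m) for m in group.get("member", [])]
    return normalize_dn(bound_dn) in members

# Constructed LDIF, trimmed from the entries quoted in the post.
MAIN_SITE = """
dn: cn=adminstrators,dc=vircio,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=vircio,dc=com
"""

REMOTE_SITE = """
dn: ref="ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com", ou=Group, dc=deepeddy, dc=com
objectclass: referral
ref: ldap://ldap.vircio.com/ou=Group, dc=vircio, dc=com

dn: cn=adminstrators,dc=deepeddy,dc=com
cn: adminstrators
objectclass: groupofNames
objectclass: top
member: uid=cwg,ou=People,dc=deepeddy,dc=com
"""
```

Checking the remote group with the main-site identity `uid=cwg,ou=People,dc=vircio,dc=com` returns False, while the same identity against the main-site group returns True even when the DNs are spelled with different case and spacing.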