Re: local/global userPassword
At 04:45 PM 9/1/00 +0200, Arvid Requate wrote:
>I have a few seemingly related questions:
>- how can I have identical userPasswords on different DN's
The simple answer is to add them separately. Don't expect your
(off the shelf) LDAP server to do it for you.
>- how do I transparently realize a kind of subset structure for
> userprofiles?
Sounds like relations
>Background Information:
>
>I'm deploying openLDAP in an environment where one user can have
>several homedirectories on different machines.
>
>We want to have a global user profile with a mail address as DN:
>mail=<user@domain>,ou=people,o=<org>
>which stores inetOrgPerson information and holds a default userPassword.
>
>We also need local profiles for every account with the DN
>uid=<user>,ou=<domain>,o=<org>
>which stores uid etc.
>
>What we also want to do is:
>use pam_ldap which searches for uid=<user> under DN: ou=<domain>,o=<org>
>
>Now, pam will not find a userPassword there. Problem.
See below for solution...
>Is it possible to get the server to chase a kind of symbolic link to
>the userPassword attribute of the global profile here?
No. That's basically an attribute-level relational database concept.
You won't likely find such in an LDAP server.
>(optimal would be if it does this only if there's no local userPassword)
>I can't figure out how to implement this using referrals or aliases
>(btw. are aliases automatically chased down by openLDAP?
Aliases and referrals are entry level mechanisms, not attribute level.
>what are they
> good for?), what I would like to have is a symbolic link which the
> server automatically replaces by the attribute/value pair pointed to.
They are good for making references at the entry level.
>Or a kind of subset mechanism, where the local entry inherits the attributes
>of another.
Some LDAP servers, not OpenLDAP, support what are called
collective attributes... but I never heard of a server
using a collective attribute for authentication purposes.
>The only way I can imagine this would be to modify pam_ldap to chase
>down "seeAlso" attributes.
Now you're on the right track...
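The seeAlso-chasing fallback the reply endorses, written out as an added example that is not part of the original thread: a resolver that starts at the local entry uid=<user>,ou=<domain>,o=<org>, uses a local userPassword when one exists (the "optimal" behaviour the question asks for), and only otherwise follows seeAlso references to the global mail=... profile. The in-memory dictionary standing in for the LDAP server, the DN values, the hash placeholders and the hop limit are all constructed for this example; a real pam_ldap client would hand the resolved DN to an LDAP bind rather than read the password attribute itself.

```python
"""Locate the entry that holds a user's userPassword, chasing seeAlso only
when the local profile has no password of its own.

Constructed example: DIRECTORY is an in-memory stand-in for the LDAP server,
laid out as in the thread (uid=<user>,ou=<domain>,o=<org> for local profiles,
mail=<user@domain>,ou=people,o=<org> for the global profile).
"""

MAX_SEEALSO_HOPS = 3  # assumed limit; bounds how far a seeAlso chain is followed

# Constructed sample entries, not taken from any real directory.
DIRECTORY = {
    "mail=alice@example.org,ou=people,o=example": {
        "objectClass": ["inetOrgPerson"],
        "mail": ["alice@example.org"],
        "userPassword": ["{SSHA}GLOBAL-HASH-PLACEHOLDER"],
    },
    # Local profile without a password: must fall back to the global one.
    "uid=alice,ou=example.org,o=example": {
        "uid": ["alice"],
        "seeAlso": ["mail=alice@example.org,ou=people,o=example"],
    },
    # Local profile with its own password: local value wins, seeAlso ignored.
    "uid=alice,ou=lab.example.org,o=example": {
        "uid": ["alice"],
        "userPassword": ["{SSHA}LOCAL-HASH-PLACEHOLDER"],
        "seeAlso": ["mail=alice@example.org,ou=people,o=example"],
    },
    # Misconfigured entry whose seeAlso points back at itself.
    "uid=bob,ou=example.org,o=example": {
        "uid": ["bob"],
        "seeAlso": ["uid=bob,ou=example.org,o=example"],
    },
}


def normalize_dn(dn):
    """Minimal DN normalisation for dictionary lookups: trim whitespace
    around each RDN and lowercase the attribute type names."""
    parts = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        parts.append(f"{attr.strip().lower()}={value.strip()}")
    return ",".join(parts)


def resolve_user_password(directory, user, domain, org,
                          max_hops=MAX_SEEALSO_HOPS):
    """Return (dn, userPassword values) for the entry holding the password.

    Hop 0 is the local entry itself. Only if it carries no userPassword are
    its seeAlso targets examined, breadth-first, up to max_hops away. A
    visited set stops cyclic seeAlso references from looping. Returns
    (None, None) when no entry on the chain has a password.
    """
    frontier = [normalize_dn(f"uid={user},ou={domain},o={org}")]
    visited = set()
    for _hop in range(max_hops + 1):
        next_frontier = []
        for dn in frontier:
            if dn in visited:
                continue
            visited.add(dn)
            entry = directory.get(dn)
            if entry is None:
                continue
            if entry.get("userPassword"):
                return dn, list(entry["userPassword"])
            next_frontier.extend(normalize_dn(ref)
                                 for ref in entry.get("seeAlso", []))
        if not next_frontier:
            break
        frontier = next_frontier
    return None, None


if __name__ == "__main__":
    for user, domain in [("alice", "example.org"),
                         ("alice", "lab.example.org"),
                         ("bob", "example.org"),
                         ("carol", "example.org")]:
        dn, pw = resolve_user_password(DIRECTORY, user, domain, "example")
        print(f"{user}@{domain}: password held by {dn}")
```

Returning the DN alongside the attribute matters for auditing: a log line can then record which profile actually satisfied the lookup, which makes an unexpected fallback to the global entry visible.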